Friday Squid Blogging: 1,057 Squid T-Shirts

That's a lot.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Commenting has been broken for the past few days. We hope to get it fixed on Monday.

Posted on October 17, 2014 at 5:17 PM • 45 Comments


AlanS • October 19, 2014 6:39 PM

New and forthcoming books that look interesting:

Michael J. Glennon: National Security and Double Government. Article with the same title by the author in the Harvard National Security Journal (PDF). Interview with the author: Vote all you want. The secret government won’t change.

The presidency itself is not a top-down institution, as many people in the public believe, headed by a president who gives orders and causes the bureaucracy to click its heels and salute. National security policy actually bubbles up from within the bureaucracy. Many of the more controversial policies, from the mining of Nicaragua’s harbors to the NSA surveillance program, originated within the bureaucracy. John Kerry was not exaggerating when he said that some of those programs are “on autopilot.”...The ultimate problem is the pervasive political ignorance on the part of the American people. And indifference to the threat that is emerging from these concealed institutions. That is where the energy for reform has to come from: the American people. Not from government. Government is very much the problem here.

Frank Pasquale: The Black Box Society: The Secret Algorithms That Control Money and Information. Link to interview on The Black Box Society.

The Black Box Society’s central subject--agnotology, the suppression or destruction of knowledge--is a particularly difficult topic to interpret methodically. But I’ve tried to highlight some very important disputes, show their broader relevance, and explain what laws would need to change for us to really understand the value of what data brokers, search engines, financiers, or homeland security contractors are doing.

AlanS • October 19, 2014 7:15 PM

Susan Landau: Under the Radar: NSA’s Efforts to Secure Private-Sector Telecommunications Infrastructure, Journal of National Security Law and Policy. September 29, 2014.

Abstract: Landau explains the National Security Agency’s little-known function of providing communications security (COMSEC) to private companies, which has involved an improvement of security and privacy of the domestic communications infrastructure. She examines the history of the program and how the NSA’s behavior towards the private sector has shifted since the 1950s, as well as the rationale behind these radical changes. Ultimately, Landau argues that providing national security tools to the private sector is outside the mission of the NSA and should be done by an entity more in sync with the private sector and international community.

SoWhatDidYouExpect • October 19, 2014 7:43 PM

More fear mongering...

The FBI wants direct access to your phone

FBI director James Comey is urging tech giants to do more to help the agency monitor people.

Comey said at a speech at the Brookings Institute that Apple and Google are hampering cops and G-men from protecting the public by turning on file encryption by default in iOS and Android.

Comey went on to say: "There is a misconception that building a lawful intercept solution into a system requires a so-called 'back door,' one that foreign adversaries and hackers may try to exploit. But that isn't true. We aren't seeking a back-door approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law. We are completely comfortable with court orders and legal process - front doors that provide the evidence and information we need to investigate crime and prevent terrorist attacks."

It seems he is concerned that not all carriers are complying with the Communications Assistance for Law Enforcement Act which requires manufacturers to build security holes into devices for Uncle Sam to exploit to intercept communications.

Comey said that unless such front-door access was granted to the Feds then "homicide cases could be stalled, suspects could walk free, and child exploitation might not be discovered or prosecuted."

Wait, they didn't have that access before smartphones and were still able to do their prosecution. By the way, the FBI is no longer about law enforcement, but Security, according to their own web site. So WHY do they need this, since that last paragraph did not address security?

A "save the children" ploy should not be invoked here. They are not about the children.

AlanS • October 19, 2014 7:46 PM

Glennon's work cited above states:

"Few who follow world events can doubt that the Obama Administration’s approach to multiple national security issues has been essentially the same as that of the Bush Administration....The Obama Administration, beyond ending torture, has changed “virtually none” of the Bush Administration’s Central Intelligence Agency (“CIA”) programs and operations"

They may be walking their position on torture back according to the NYT yesterday: Obama Could Reaffirm a Bush-Era Reading of a Treaty on Torture.

Nick P • October 19, 2014 9:20 PM

@ AlanS

Thanks for sharing that. My first read gives me the feeling that it's quite selective and deliberately misleading. I hope that's not the case. Even better we get it and the CIA crypto document around the same time which aren't quite compatible either. One implies they were making everything harder to break, while another implies they had backdoors in most of what SIGINT *and* IAD produced. CIA document is corroborated by leaked NSA documents on both ends. Bell's Looking Back Addendum corroborates it on IAD's end.

I'm going to have to give this a more thorough treatment. Gotta save that for after some sleep, though.

Mike the goat • October 19, 2014 10:41 PM

SoWhatDidYouExpect: well, I guess the FBI *already* has pretty much direct access to your cell phone, in that they can examine data in and data out and come to probably the same or similar conclusion as they would with local access. But I guess this is all about cementing the privileges that they already have via shady deals in legislation so they can better use it in the court room without relying on parallel construction.

Nick P: Good to see you again :-). I think it is misleading by design, but then that is what we've come to expect, no?

Figureitout • October 20, 2014 12:54 AM

Bruce RE: latest talk
--Great hearing you in person, glad you took a different route in your talk instead of just IR. By the way you shouldn't have drunk that coke...Kidding! lol. Glad the ceiling didn't collapse on us either, I didn't verify it. The talk itself didn't seem real optimistic to me though, and I'll try to expand on my question (I had a bunch, and narrowed it down, didn't expand as I didn't want to be "that guy" hogging the mic).

But first, hey, talked w/ the event organizer to give you crap about sneaking out to a plane even when you said you were opening a bar tab and I was going to drink you under the table and "open your vault" using Jerry Seinfeld's "schnapping" technique w/ peach schnapps on Elaine lol...It was open bar anyway and I took full advantage of that haha.

One thing that I really didn't like to hear, is the idea of all our devices being a "utility". As in, plumbing, electricity, internet connection...basically we call technicians and we have no clue how to administer it ourselves totally, they do the job, we pay them, and we don't have control over our devices. All of which will be centrally monitored and controlled (you can really hurt someone shutting off their power or water).

Ok, so to expand on my question "Do you prefer the 90's taking care of your mom's PC, or this age of having no clue and delegating near total control to someone else?"--I tried to emphasize YOU as an individual, and security people, not the people w/ every botnet on the planet running on their PC. Do you really feel comfortable having nearly no control or visibility? Doesn't seem conducive to "trust". To me it seems pretty clear this is a loss for security; how can you say anything is secure if you don't know how it works and can't shut things down if needed?! Back in the 90's, even fresh after the Clipper chip, [I assume based off observations] you'd get laughed down even by security people at some of the known capabilities today; in particular hidden RF, malware becoming scary sophisticated, carving out chunks of space in chips that are getting way too small to secure or even see what's there(!), encrypted, and mutating to avoid simple signature blocking. Frickin' gross.

It's going to get even more out of control, and I'm not sure now how I'm going to go about having a credit card and not have to cancel it weekly; even though I need one to order parts b/c I can't go to a store anywhere near me!

Internet continues to become owned by what will eventually be one company, probably Google. The wifi/bluetooth won't be separate removable modules, as in a choice for the user for their PC, it'll be encapsulated in the CPU or maybe sound chips like some hacks are already showing is possible, meaning you destroy it, you destroy some handy DSP applications or some other important I/O. It can be switched on and off at will. Including your most vulnerable moments...No computing allowed if you aren't on the 'Net; no offline computing. All crypto can be side-stepped by a simple internet-keylogger tucked away in some turd of a file in a computer that simply isn't possible to analyze by one person.

Most importantly, make sure to make it a law for the evolving internet/technology to run something equivalent in big areas like javascript, so simpler computers can't be connected. So those that choose to not go along w/ the plan, feel increasingly isolated until they succumb to the isolation and lack of money. Unless they create their own network and movement. Due to wealth gap increasing, we'll all be too poor anyway to stand up for any individuality and human rights. Be too drained from trying to live.

After a generation or 2, all the previous skills of building/administering a computer "from ground up" are mostly lost. We won't be able to differentiate malware from legit software, "trust the machines"; the malware will blend in. Manually reviewing logs won't even be worth it as all the metadata crud just overwhelms you; especially if they can be falsified too.

I don't like that future Bruce, let's see how it plays out though. A simple counter to my argument is: OK, how much does one even think they have control over simpler devices right now? Embedded development, involving low-level software but not actual fabbing, is damn hard; and that's just for simpler devices than something like a full-blown desktop PC. I work on chips where I have to trust documentation and compilers I can't write or fully understand on my own. Any encapsulated chip/component could simply have what it's supposed to have and more...Be kind of dumb for a million trillion capacitors/resistors; but those could all be potentially unverified by someone who'll call them "secure". Your test equipment itself could be hosed, and it's around this point my head tenses up, feels like the ground's caving in on itself, and I think about something else for my own good. It's the sense of "starting from fail" I have a hard time shaking.

Also, you mentioned automatic patching as just 'Good'. Well, assuming you can actually authenticate the patch, and it's way different than what is default behavior in something like a smartphone. Let the user know an update happened and give better documentation of the update, not the meaningless crap they do now. Is a BadUSB firmware patch good? What about the router firmware upgrade from the NSA that bricked the router? It's already happening, like in Windows Update w/ all its KB*&^$@&%^%$ crap, don't even know what's updating anymore! Could just be malware install...And here we go again, no certainty at all. Never. It kills me.

OT: Simplistic Way Around Google and Other Sites Phone # Requirements for Making an Account

One of my friends is notorious for losing cell phones. Then I would get an SMS that had to originate from a PC, not a phone. A little nerve-wracking for data to be crossing networks like internet and GSM; but it's mostly hopeless anyway from the start.

But, let's say a site like...oh I don't know AMAZON won't let you make an order w/o providing them your email address, as if credit card info and a physical location for delivery isn't enough. So you go to GMAIL for signing up for throwaway accounts, let's say a site like Google doesn't believe your name is ButtF8ck McGee and wants to verify you w/ a 6-digit code via text-message.

Turns out there's sites that give you a free # to use. Mostly common sense or can be found easily, but here's some useful sites: (requires Adobe Flash, so...)

There's more if you search, and of course other methods that are stronger depending on how much time you want to waste making something very annoying to follow. Also, of course you're posting the authenticating code on the internet so make sure you do your business and take common sense precautions (credit card info). Also, it's another "covert comms" channel in the sense that it's just another spewing of data and so long as you put some thought/effort into originating device sending data, you can have a little fun jumping around and sending pre-encrypted data (looks like already happening of course).

--Smartphone SDR build coming, wow, if you don't have one of those SUPER cheap RTL-SDR dongles, and you have a slight interest in radio, pick one up. That combined w/ just GQRX and the dinky little antenna, you can receive FM radio stations literally plug and play and no reading Man pages. Mind explodes w/ more covert comms possibilities, amazing. I just need a solution to powering the phone and using the USB port for the dongle for extended operation, but mobile, maybe even 'fox-hunting' it'd work great. Already tried what worked for an older PDA simply hooking up a DC powersupply, but there's something more needed; whether specific current or some other signal, I don't know yet and I've heard "it's not possible". On one phone I have a micro-HDMI port, but that could get hairy real quick and I don't want to break it.

OT RE: latest outage
--See what happens..? There needs to be a back-up site in case the outage is more permanent in the event of a freak accident to Bruce or the Mod. Otherwise we get all blown out like dust in the wind. It's like Truecrypt, when it fell apart. Still hasn't sunk in, WTF such a trusted work has just blown up like that, *boom* gone. And then freak out and scramble later.

Andrew_K • October 20, 2014 3:33 AM

Regarding AlanS' first post, it made me think of something I heard a person from state administration say years ago: "Three secretaries have been working for me."
That's the problem. It's not that the bureaucrats adapt to the new politicians in charge; they make the politicians adapt to their business as usual.

Clive Robinson • October 20, 2014 4:08 AM

@ Figureitout,

With regards,

Your test equipment itself could be hosed and it's around this point my head tenses up, feels like the ground's caving in on itself, and I think about something else for my own good. It's the sense of "starting from fail" I have a hard time shaking.

You are not alone in thinking that way, however there are things you can do if you are prepared to build your own test sources etc, because unlike the laws of the land the laws of physics cannot be got around (it's one of the reasons I keep mentioning first/basic principles in higher level education and training).

Also as I've indicated before there are ways you can get "traitors" to do useful work. This goes back to the ancient riddle about two doors, where one leads to death and the other access to where you want to go; these doors are guarded by two guards, one that always tells the truth and one that always lies, and you get one question. The trick is framing the question such that it goes through both guards. This is the first "mitigation stratagem", and for various reasons mankind did not progress much beyond it until the Victorian era [1].

However early digital communications were unreliable and various ways of detecting transmission errors were invented, the simplest to understand being "parity checking", which would reliably catch one error in a sent string of bits; other encoding methods including FEC do far better. A while later the NY telephone company had problems with reliability of equipment and they realised that you could use the likes of the "parity" idea in systems to detect unreliability, in what became known as "Voting Systems" that NASA used to good effect and made the knowledge more "general" in the process. Importantly these systems can detect when subsystems start to fail or "turn traitor", which enables you to "mitigate" them. NASA took it a step further by having the multiple subsystems built by different people using different hardware.

Obviously you don't have to stick with a system based on parity when there are better Error Correcting Code systems out there which can also be used to smoke out a failing or traitorous subsystem.

By using certain "first principle" tricks you can detect if a sub system is behaving honestly or not, and as it turns out you can use cryptography to hide the tests from the sub system so it cannot fake the results of such tests. One such trick you can do with computers is to randomly supply input data to them for which you already know the answer; if the result is incorrect then you know that the subsystem tested has failed and can no longer be trusted.

Thus combining the random tests and the likes of voting protocols across multiple subsystems using different hardware you can build systems that you can usefully use even when they are based on untrusted hardware.

Thus providing you can mitigate in some way you can stay ahead of the game.

When you analyze the ideas of Nick P and RobertT in essence this is what they were doing. Nick P's using two non cooperating Governments jurisdictions is just a variation of the old two guards riddle.

But it gets better; another set of tricks are those based around "incomplete knowledge". To see this you need to know that you need a minimum of three points to describe a circle located on a two dimensional surface. However you can apply transforms on the individual points to move the circle on the surface. If you use three different entities to process one point each, they never know enough information to give either of the other two points, thus knowledge of the circle's radius and center cannot be known to any of the individual entities. Obviously this works in higher dimensions as well and is the idea behind M of N secret sharing schemes.

When you combine these "incomplete knowledge" systems with "mitigation protocol" systems you discover surprising possibilities that will make the likes of the NSA and GCHQ scratch their heads.

So don't get stressed and depressed, get inventive instead, after all lemonade is refreshing :-)

[1] Even though scholars are now finding bits and pieces that indicate that ancient Arab and other scholars had progressed further, it was not at the time of much practical use, and as with many "before its time" ideas it did not become "general knowledge" and effectively became "lost knowledge".
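As an added example (not code from Clive's comment or from any of the projects mentioned in the thread), the two ideas above in Python: majority voting across several untrusted "subsystems" with random known-answer tests slipped in among the real queries, and a small Shamir M-of-N split for the "incomplete knowledge" point. The toy reference function, the trigger inside the traitor unit, the known-answer table and every name below are made up for illustration.

```python
"""Added example: majority voting over untrusted units, hidden known-answer
tests (KATs), and an M-of-N (Shamir) secret split. All names and the toy
workload are assumptions for illustration, not from any real project."""
import random
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

MOD = 2 ** 32


def reference_fn(x: int) -> int:
    """The job every unit is supposed to do: a toy multiplicative hash that
    stands in for a real hash, MAC or signature check."""
    return (x * 2654435761) % MOD


def honest_unit(x: int) -> int:
    return reference_fn(x)


def traitor_unit(x: int) -> int:
    """Misbehaves only on a trigger (x % 7 == 3), so a casual spot check misses it."""
    return reference_fn(x) ^ 1 if x % 7 == 3 else reference_fn(x)


# Known-answer table: precomputed once on trusted equipment (or taken from
# published test vectors) and never shown to the units. Constructed sample.
KAT_TABLE: Dict[int, int] = {x: reference_fn(x)
                             for x in (3, 10, 17, 99, 1234, 0xDEADBEEF)}


class VotingSystem:
    """Sends each query to every still-trusted unit and takes the majority.
    With probability kat_rate a KAT is run before the real query, so a unit
    cannot tell test traffic from production traffic."""

    def __init__(self, units: Dict[str, Callable[[int], int]],
                 kat_rate: float = 0.25, seed: Optional[int] = None) -> None:
        self.units = units
        self.trusted = set(units)
        self.kat_rate = kat_rate
        self.rng = random.Random(seed)
        self.log: List[Tuple[str, str]] = []   # (unit, reason) for each distrust

    def _distrust(self, name: str, reason: str) -> None:
        if name in self.trusted:
            self.trusted.discard(name)
            self.log.append((name, reason))

    def _ask(self, x: int) -> Dict[str, int]:
        return {n: self.units[n](x) for n in sorted(self.trusted)}

    def run_kat(self, x: Optional[int] = None) -> bool:
        """Feed a hidden known-answer input; drop any unit that gets it wrong.
        Returns True when every trusted unit passed."""
        if x is None:
            x = self.rng.choice(list(KAT_TABLE))
        expected, ok = KAT_TABLE[x], True
        for name, got in self._ask(x).items():
            if got != expected:
                self._distrust(name, "failed KAT on input %d" % x)
                ok = False
        return ok

    def compute(self, x: int) -> int:
        """Majority answer; units outvoted on this input are distrusted."""
        if self.rng.random() < self.kat_rate:
            self.run_kat()
        answers = self._ask(x)
        if not answers:
            raise RuntimeError("no trusted units left")
        value, votes = Counter(answers.values()).most_common(1)[0]
        if 2 * votes <= len(answers):
            raise RuntimeError("no majority for input %d: %r" % (x, answers))
        for name, got in answers.items():
            if got != value:
                self._distrust(name, "outvoted on input %d" % x)
        return value


PRIME = 2 ** 61 - 1   # field for the secret split; secrets must be < PRIME


def split_secret(secret: int, k: int, n: int, rng: random.Random) -> List[Tuple[int, int]]:
    """Shamir M-of-N: n points on a random degree-(k-1) polynomial with
    f(0) = secret. Any k shares recover it; k-1 shares say nothing about it."""
    coeffs = [secret % PRIME] + [rng.randrange(PRIME) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME)
            for x in range(1, n + 1)]


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    vs = VotingSystem({"a": honest_unit, "b": honest_unit, "c": traitor_unit}, seed=1)
    print([vs.compute(x) == reference_fn(x) for x in range(20)], vs.log)
    shares = split_secret(0xC0FFEE, 2, 3, random.Random(7))
    print(hex(recover_secret(shares[:2])))
```

Two things worth seeing in the code rather than the prose: a single traitor is caught by the vote alone, but two colluding units outvote the honest one and get it dropped instead, which is exactly why the hidden known-answer tests and the "different builders, different hardware" rule matter; and the secret split is the three-points-on-a-circle picture with a polynomial in place of the circle.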

Thoth • October 20, 2014 4:21 AM

@FBI asking for more access and stuff
A common pattern is they try to predict what scares us (the bogeyman in the toilet) and use it to solicit whatever they want as their first line of action (getting attention). It is just how bullies work. They try to go about making noise and if someone responds, they try to figure another way around defense. In the context of TLAs wanting backdoors and golden keys, give them none at all, stand your ground, give no room to them and defend yourself.

The golden rule for those who have strong motivation for the good of others is if you are compromised, you will be a pawn in their hands for their other games and so by all means, you sink or float with your secrets as yours only.

The technical response is to make encryption even more ubiquitous and high assurance security a part of the norm whenever possible. This will make them realize that they are not going to get what they want so easily (as a statement to them).

A few topics the high assurance security tech people might want to look into:
- Identity and trust preserving technologies.
- Better anonymity and reducing data footprints technologies.
- High assurance secure computing technologies.
- Simple to use plausible deniability technologies.
- Oblivious and forgetful technologies.
- Simple to use exfiltration prevention technologies.

vas pup • October 20, 2014 11:47 AM

Issue of public security versus 'rights' of dead person properly handled by Germans:
@Daniel: all empty prisons could be utilized by Immigration Enforcement to detain those in deportation and guarantee their timely removal outside US borders.
@ALL: Due process (court approval) applies to enforcement activity for collection of admissible evidence in the court. Criminal Intel activity (counter terrorism, prevention of serious crime in progress, undercover operations, information collection) is not regulated by Law to the level it could be trusted without strong oversight. A mechanism should be developed if you want LEAs to serve the interests of society, not the other way around. And finally, let's say you have a minor headache versus a tumor in the brain. Will doctors drill your skull in both cases? Meaning, more intrusive methods for LEAs should have stronger safeguards and oversight and be used for the most dangerous crime only. If LEAs could intimidate you with the prospect of Gitmo in a case that has absolutely nothing to do with terrorism, or RICO charges in cases that have nothing to do with organized crime, then safeguards are not properly set up.

Benni • October 20, 2014 6:37 PM

After the Chinese heard of the capabilities of the NSA, with NSA doing man in the middle against Google and Yahoo in Project "Flying Pig", the Chinese were eager to replicate that.

First they launched a trial balloon, doing man in the middle on Chinese students and researchers who tried to connect to Google. After that was finished, they thought, well that's great, now do that with every iPhone user who tries to connect over a Chinese provider to Apple's iCloud.

They try to grab passwords, contact lists, messages, photos and so on...

ProCon5 • October 20, 2014 10:11 PM

Australian government warrantless data requests pass 500,000

Requests from government agencies for Australian telecommunications customers' phone, internet, and address data surpassed 500,000 in the last financial year, according to the Australian Communications and Media Authority (ACMA).

The figure was revealed in the ACMA's annual report (PDF) released this month. It says that there were 563,012 authorisations granted to government agencies for access to telecommunications "metadata" in the 2013-14 financial year.

Under the Telecommunications (Interception and Access) Act, government agencies can force telecommunications companies to hand over details about their customers, including address, phone number, IP address, call data, SMS data, and other held information without a warrant for the purpose of enforcing the law.

Jacob • October 21, 2014 12:02 AM

For a reality check on the limits of some intelligence agencies in collecting mass data, see here:

In short: During the latest operation in Gaza, the IDF was extremely interested to discover the source of one Facebook post. Although Israel has a very advanced telecommunication tapping system in place, and Gaza, especially during a military campaign, will get a special attention, still Israel had to ask the FBI to get the posting source from Facebook.

Note: The fact that Pres. Obama refused the request is beside the point. The reporter is known to hold strong anti-Obama sentiments, so from his POV that was the big issue worth reporting. (USG denied the refusal allegations.)

Clive Robinson • October 21, 2014 2:47 AM

@ Moderator / Bruce,

It appears (from my end) that the new comments page has not updated after "October 20, 2014 4:26 PM".

Regards, CR.

Figureitout • October 21, 2014 3:19 AM

Clive Robinson
--Where to begin...And before I begin, I'm not whining like a b*tch just to whine. These are problems EVERYONE faces and I don't know how to mitigate them and actually have any deliverable that I can stand by and say w/ confidence "No malware, clean build". No, I'm not ready to make my own test equipment, am looking but no not ready; still a user there. And physics get real messy in RF, which is my focus. Everyone has a focus, a threat they want to mitigate most. Mine is RF data leaking and any coming in manipulating computing w/ some creepy signal.

Evaluating even something dumb like a damn cheap multimeter I got; it's this one:

It's got a chip of course! From China, frickin' could have malware! Why would someone put a malware in multimeter chips, I don't know; kill yourself if you do. ADC too and nice circuit board, could have an antenna if I don't bust it open and really inspect it. And...I'm gonna say it again...what do I check my untrusted multimeter w/?! My fingers?! Another multimeter? Why don't I check that one too again? Noo...down the rabbit hole we go...

Digital powersupply, cheap again. Probably needs a chip for the LCD display, switching PS for sure.

Solder iron, just heat up; always could be something hidden...ugh!

It's my fault for using cheap equipment, can't afford better yet and I'm stuck at the moment which I'll touch on later.

Main thing I trust on my bench now is an old scope, still bet it's noisy and I'm not sure about its accuracy anymore. Meaning RF noise giving me false readings even w/ probes pushed on leads.

Then programming my chips from a highly untrusted computer b/c I'm not about to build a ROM w/ fuses and truly reinvent sliced bread; even though that's the ultimate. Of all concerns, this is my worst. Transferring a file from the internet to my flashing PC...So much faster than manually re-typing it all...For this, I'm looking into potentially buildroot for second stage. Before, I have to image this old hard drive for backup and it's going to start on Windows...All files coming in are going to need to be 1-way, preferably via CD's; malware could still kill this though, for no damn reason other than to destroy the PC.

Grrr, so much work for things that shouldn't be problems anymore! And all that clouds my head and makes me really angry. So many holes. Whatever.

FEC (forward error correction, if you're interested) was a good read. Redundancy means the protocol can be gamed to repeat info, right?

Nick P and RobertT haven't really explained what they're doing, or which vendors they're going to use.

And I got nothing else, I'm angry, sorry.

Simple Method to Protect from Stolen Financial Info

Common sense again that requires busywork on your part, lots of people here probably have a similar system already set up. I know Clive Robinson has mentioned a very similar set up way back probably 2-3 years at least, and more likely 20-30 when he did it. I didn't b/c I hadn't been attacked yet, and now I have been and I don't have a credit card I can use to order parts or even an app I need now.

To get a sense of how badly we're getting f*cking owned right now, 500 million records stolen:

Make a completely separate account for any exterior financial transactions. Go to a credit union instead of a bank too! Banks suck, credit unions are so much nicer to their customers! Trust me. Try to make a different one for each thing, like mortgage, utility bills, car bills, food, etc. You could probably split those into 2 or 3; but it needs to be separate from your savings account.

My credit union won't give me text messages for each charge on the card, instead pushes me towards the online banking. If you're forced there, like so many people have said, use a Linux LiveCD on a preferably dedicated laptop, long password on an encrypted USB stick that is only plugged into that PC, yata-yata...Make another annoying habit. Catch the fraud early.

In fact, I'm thinking I should find out what exactly credit cards are made of and who makes them; I feel like they're going to be making a lot of money soon from constantly giving out and canceling cards...

Figureitout • October 21, 2014 3:32 AM

*EDIT TO ADD RE: bank accounts
--Banks and credit card companies should offer a service where you merely LOOK at the bills, there can be no touching money from it. That wouldn't even be hard I think. They could do that. And who cares if someone could look at your account, as long as they can't drain it!

Clive Robinson • October 21, 2014 3:44 AM

@ Jacob,

The "technical limitation" might simply be a lack of "up stream monitoring", the USA has a real advantage here due to the principle of "All roads lead to Rome".

However the article only mentions somebody senior in the administration, which may or may not be the current US president. And personally I think it may not have been, for the following reasons.

The underlying problem is that Israel has "made a rod for its own back" over its repatriation policy, and this has, as the article notes, given rise to problems in the past that have given rise to other issues not just for Israel but the US Government as well.

For instance the US politicos have a "We do not negotiate with terrorists" stance which can be easily seen as in conflict with the Israeli repatriation policy.

Thus looking from the flip side, what would have happened if the US had provided the information and Israel then sent in a large strike force to repatriate and in the process killed many civilians and destroyed many homes etc, whilst in all probability failing to find either the body or the mobile phone?

On the Israeli side almost certainly the IDF would receive further casualties and deaths as Hamas would almost certainly use it as a trap to get more hostages. Which would not only be counter productive but also bad news internationally, as would the collateral damage to civilians and their property (it would be yet another war crime).

And from the US side two things would be likely: firstly the current US administration would be compromised, as it would provide its political opponents with a massive political "rod to beat its back" with. Secondly it would make a second rod for the backs of the US Government when it comes to international peace talks. You may remember that at the end of the GWB administration they did some very strange things in support of Israel and it has cost the USG dearly, thus I'm surprised the request got as far as it did before it was rejected.

Such is the reality of "realpolitik".

It also possibly calls into question the author's unnamed sources: do they actually exist and if so did they actually say what the author appears to be claiming? After all it would not be the first time a journalist misinterpreted what they were told, or even invented an unnamed source, nor for that matter is it unknown for unnamed sources to have their own political agenda.

sena kavote • October 21, 2014 4:06 PM

I'm not clear what it is and what it is supposed to do.

How much or how would it save:

-data transfer
-learning burden for programmers & others
-memory and disk space

Other things too...

Maybe an example is in order. How would OCAI be used with the TOR network or bitcoin or encrypting game chat between players of an online multiplayer game or transaction with a bank or Linux software repository or shortwave radio communication?

From what I can gather, seems like it might be awesome, but other alternative is that it might be too small improvement to bother.

BenniOctober 21, 2014 6:50 PM

The German government explicitly allows NSA contractor companies to operate from German ground and to spy on social networks and emails here. The secret treaty between Germany and the US says that these companies are "collecting signals intelligence by mapping the population with methods from social science". So that is the euphemism of the German government for mass surveillance. I wonder how much more disgusting it will get?

BenniOctober 21, 2014 6:58 PM

Sorry, I made misleading statements above. The sentence "collecting signals intelligence by mapping the population with methods from social science" means in fact the work of a company who compiles target lists for drones.

Furthermore, Booz Allen Hamilton got 8 million euros for analyzing the market of German encryption products in Middle and Eastern Europe, the Near and Middle East and in Southeast Asia...

And CIC got 100 million for a contract with the German Navy.

sena kavoteOctober 22, 2014 3:08 AM

VPS / cloud server geopolitics

This is one rare thing where geopolitics gets personal. From what country should people rent a virtual private server, if the use and content is sensitive in some way? Another angle to this is to ask where hosting companies like digitalocean should put a new datacenter if they want to take these things into account?

Clive RobinsonOctober 22, 2014 4:10 AM

@ Buck,

With regards "Perfect citizen",

I did at the time wonder "As energy is the new money" if they were attacking energy networks to probe out vulnerabilities, had they attacked banks and finance houses as well to probe for vulnerabilities...

Well the recent defection of an NSA Senior to set up his own "million / month" vulnerability service to banks and finance houses probably answers that question.

As for "Perfect Citizen" itself, it appears to have become "lost in the noise" of the Ed Snowden revelations as far as news outlets are concerned, with the last burst being the first couple of weeks of 2013.

That said, it's been suggested more than once that if it was to do with just energy then it would be called "Perfect Power" or similar, not "Perfect Citizen", and an internal EMail at the prime contractor Raytheon Corp --who have had well over 100 million USD for it so far-- described the project as "Big Brother". This has caused speculation in a number of places that it's actually about "Smart Meters" at the individual "citizen" end, not the supplier end.

If you search back over this blog you will find one or two technical discussions between RobertT, myself and one or two others over just how much activity inside a house could be revealed by "power signatures" of equipment in use. I've run a few experiments "at home" and found that many of my appliances do indeed reveal quite a lot of information down at the bottom end of the spectrum (approx 500Hz and below).

For instance the TV produces a signal proportional to activity on the screen sufficiently well to tell what channel you are watching; likewise portable radios/CD players with "figure of eight" power leads give a signature that can be easily seen to be the "sound envelope" of what is being played. More worryingly, if your smart phone is charging and you use it in hands free then the change in Switch Mode PSU pulses correlates to the speech envelope... Likewise laptop screens changing with windows opening and closing.

I've observed this using ordinary test equipment you would expect to find in a "home constructor" Ham/amateur radio enthusiast's shack/workshop. So have a think on what would be possible with much more specialised equipment that the likes of Raytheon with 100 million and a couple of years could develop. As Bruce has observed on more than one occasion, "attacks only get better" with time...

Some years ago one or two of the readers on this blog, myself included, were warning Bruce about the vulnerability of industrial control systems like RTUs and SCADA equipment that was just starting to be hooked up to the Internet.

Back then we kind of sounded like conspiracy nuts; well, history has since shown otherwise, and that is what the "public face" of "Perfect Citizen" appeared to be about back in 2010. However the NSA is known to have "covers within covers", as recently discussed on this blog with regards ECI; could the power supply side have been a cover for something like smart meter monitoring?

Well let's just say the NSA has form and be cautious, thus I think it's time we issued the same warnings about "smart meters" and what they can reveal about what is going on inside your home that we did about Industrial Control Systems like SCADA.

Clive RobinsonOctober 22, 2014 4:38 AM

@ Sena Kavote,

From what country people should rent a virtual private server, if the use and content is sensitive in some way?

Oh if only it were that simple...

There is an old saying that "All roads lead to Rome" and the modern Internet equivalent is "All pipes lead to Langley". That is even though the Cloud Servers are in your country, the traffic may well go via the US or some other eXchange.

Further, you have little or no control, and neither does the cloud provider, due to the Border Gateway Protocol and later variants used to route traffic from one gateway to another being ridiculously easy to spoof, and thus the NSA, GCHQ, BND et al could fairly trivially cause traffic to your chosen cloud provider to be re-routed through a node where they have a data tee/tap.

One of the things I keep pointing out is that people should look at a map of the Internet --not geopolitical boundaries-- and should see where the "choke points" are, because that is where the likes of the NSA will be listening. You should also look at the physical path of undersea cables and satellite footprints; it then becomes very clear why the "Five Eyes" are so important, especially Australia.

Clive RobinsonOctober 22, 2014 4:58 AM

@ Scott Arciszewski,

He is a political wonk, who positively revels in his lack of technical ability, to the point some people wonder how he manages to get into his office without assistance (if indeed he actually does ;-)

His main claim to his position appears to be that he is so useless he would never ever have been trusted by any "shady operators", so it's extremely unlikely he will have "skeletons in his cupboard" that will come out and embarrass or "barrack the control freak" Obama.

Further, as Douglas Adams so notably pointed out in Hitchhikers, "the real job of galactic president is to attract attention away from power"... Thus this useless political wonk gets the media attention whilst the real --presumably-- nasty people sneak about in the shadows unobserved...

FigureitoutOctober 22, 2014 6:54 PM

--I'd read most of the hackaday thread so I was speaking from context. To clarify, I absolutely have no problems w/ companies going after stealers of IP and I applaud the manufacturers trying to clean up our current electronic supply chain, which is absolutely shameful and embarrassing. The way this company decided to do it was incredibly reckless (even for my low standards) and they're straight attacking consumers who won't have a clue whether or not they have fake chips in their devices. Innocent consumers absorbing the cost for their failures of protecting their products.

On the thread, one guy mentions hospitals have life support systems running on Windows PCs and they update immediately. Besides that being f*cking terrifying, there could be some even more serious bad things happening from this firmware flash. Stay tuned.

Nick POctober 22, 2014 7:15 PM

@ Figureitout

"one guy mentions hospitals have life support systems running on Windows pc's and they update immediately. Besides that being f*cking terrifying"

I hope that's not true cuz it would be fucking terrifying.

BuckOctober 22, 2014 10:12 PM

@Clive re: "Perfect citizen"

Thank you! Yes, the smart meter connection makes perfect sense. I was also wondering about the naming... Of course, codenames should be completely unrelated to the operations, but we must also presume that the codename may have many different meanings to multiple different compartments!

If that is the case, it'd be one way to leverage the new printer/scanner/lighting airgap hopping. ;-)

I also tracked down the July 8, 2010 WSJ article that the others referred to, in case anyone else is interested: U.S. Plans Cyber Shield for Utilities, Companies

Never found the full source of the supposed "Perfect Citizen is Big Brother" internal Raytheon email though...

Clive RobinsonOctober 23, 2014 3:56 AM

@ Figureitout,

With regards the FTDI chip issue, it's a "bet the farm" gamble to try to maintain profit margin on perhaps their highest volume part, and I'm reasonably sure they did not talk to their shareholders about it first... Which may mean "Good bye FTDI" execs or even company.

Two examples of similar stupid behaviour are Sony and its RootKit on CDs and SCO -v- Linux. Admittedly both Sony and SCO tried to "pass off" by claiming rights they did not have; not sure FTDI are doing the same, but their defensive behaviour suggests it's a very deliberate ploy by them.

Which brings into question which strand of law will take precedence, "IP", "Anti-competitive", "Criminal Damage" etc etc. Only one of the very many will be in FTDI's favour. If somebody starts a class action then the chances are "bye bye FTDI".

Then there is the question of Malware and Computer abuse: as FTDI put their driver through Microsoft and their autoupdate, they have effectively made MS complicit. Thus MS legals are probably flapping their vulture like wings, in either "feed or flight mode" depending on where they think they stand legally. This could result in MS pulling FTDI's status and drivers, in which case "bye bye FTDI".

I could carry on down a long list but most come to "Bye Bye FTDI"; as we know Sony managed to hang in, but SCO went glug glug glug.

If I were a sensible shareholder of FTDI stock I would not take a gamble, and thus would sell whilst they still had residual value; a 90% financial loss is still better than holding 100% worthless paper.

What FTDI has done is mind bogglingly stupid; even if they don't get embroiled in legal action, they have hurt their own reputation. And like others I'm not reliant on them, as other manufacturers make similar products I can swap to, so they are off the supplier list of designs I make from now on, because like a sensible investor I would be very unwise betting on their continued existence or ability to supply a product with minimal user intervention.

As for where you will find both MS Windows and FTDI or other manufacturers' USB-serial bridges, simple answer: just about everywhere. Such as medical equipment, industrial control equipment, high end test equipment, military equipment, ship control and navigation equipment, GPS equipment, telecommunications equipment, the list goes on and on and on... Thankfully though most will not be either internet connected or have MS autoupdate enabled.

The reason for this ubiquity goes back to the early days of MS Visual Basic, and the ease of use of the RS232 protocol for low cost long range comms made it simple to put fancy front ends on nearly bespoke backends. So many many engineers went that way and MS actively encouraged it (even though they themselves could not write a working USB serial driver...). MS even developed stripped down versions of Windows to make it more attractive (and along the way WinCE sort of happened as well but died, but that's another story).

This Windoz front end / serial comms backend model is so ingrained in industry that it's not going to go away any time soon, which is why those serial bridges are big money makers along with hub chips. I know of full height 19" equipment racks used in quite a number of different industries where a 1U or 3U computer feeds between four and six USB hubs and these in turn have between four and eight USB ports that go off to all the other equipment in the rack, either directly in newer equipment or via USB-Serial converters in older equipment, to run their consoles / engineering interfaces / logging.

Often when you look in the not so new equipment you actually find the USB port on the back connects to an internal USB-Serial converter that then connects to the old serial port on the still current but much older designed main control board.

Even in the latest low production run equipment that has both ethernet and USB "control ports" on the back, they often end up in some single chip Linux or similar embedded controller that then uses a USB-Serial converter to talk to the main board via a serial protocol. The front panel controls end up in a cheap (~$1) single chip microcontroller from the likes of MicroChip that also feeds a two or four line LCD controller that talks via a serial RS232 or equivalent comms protocol and consequently talks back to the main control board via serial comms... One big advantage that serial comms has over higher speed comms is it's dead easy to EMC proof it and still use cheap cables and labour during manufacturing; it also means no real "redesign" as the old working main board gets reused in new product with little or no modification at all. I even know of one company that realised it was cheaper to buy in a quantity of pocket games consoles and strip the case, remount the boards and LCDs behind their front panel and just flash it with Linux and write their own display code using a standard tool chain than it was to even think out, let alone design and prototype, the required hardware...

There is also the question of distance of use, which is important in situations where not everything sits on your desk. In the past I've run 300 meters of shielded four core audio cable between buildings to carry serial console data at 1200 baud and it was still in use over ten years later. The drum of cable would be around $20 these days, much cheaper than Cat5 or above and a lot less problematic. Could you get any other comms protocol to work that distance that cheaply and easily? Probably not, which is why simple serial comms still has a valid place.

The economics of engineering and support time and associated costs make it uneconomical to do things other ways so serial comms is here to stay for a long time yet on that score alone.

But the simplicity of the 232 protocol means it's easy to work with and monitor when you start to develop high security equipment for such things as Data Diodes, Pumps and Sluices. Which means it is much easier to detect and remove covert side channels and the like, which arguably could have been "built in" to SoCs and the like manufactured abroad.

BoppingAroundOctober 23, 2014 8:55 AM

Nick P,

re: Life support systems

That is probably true. Someone posted the results of an internet-wide public VNC scan in one of the squid threads. There were a lot of pictures, with one of them being exactly some kind of medical device. Not sure if that was a life support system.

FigureitoutOctober 24, 2014 1:58 AM

Clive Robinson
--I can't help but get the image of that "dick-head middle manager" Mr. Head from Microchip and EEVblog and PIC-kit 3 that thought this was a good idea lol. It's scary when these companies that have big market share on certain sectors of components do these things. Surely I'm not alone thinking I want to see this code, and now we've got a software patch that can temporarily "brick" any device w/ this chip; still a decent remote attack. USB-RS232 cables at my work are CRUCIAL, use them practically every day as new computers lose the real serial ports...and we're starting to get Win8 (I f*cking hate that OS, so many D. Head moves I can't wrap my head around; besides suburban soccer moms taking over engineering).

More links:

Coverage on Ars Technica w/ a statement from Microsoft:

Yesterday FTDI removed two driver versions from Windows Update. Our engineering team is engaging with FTDI to prevent these problems with their future driver updates via Windows Update.

Nice breakdown of Fake Vs. Real:

Fix to affected devices:

Hacker News thread:

Roland AspieOctober 24, 2014 4:10 PM

Received a fishy phishing email from some

Email says:

My name is Jason Scott Bowen legal adviser to Mrs.Margaret Loughrey a British lottery winner of 27million pounds.
After all necessary paperwork, She has finally decided to give some of her winnings via the internet to randomly selected email addresses. If this is a valid email address then you are entitled to receive a donation from her winnings.
You can read her report from the weblink ...
Reply this message for more information on disbursement of your funds.

I moved the link from above email to down below (to minimize anyone clicking on it "accidentally"). It contained this URL:

(The link was masked to only display the BBC URL)

Since the link takes you to BBC through a referrer, could this be used to run an exploit on the victim's machine?
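One defender-side triage step for a link like the one described above, as an added example that is not from the comment or the site: parse the anchor, compare the visible text with the real href, and pull out any URL carried as a redirector parameter, so the host that actually receives the click is visible before anyone opens it. The anchor is constructed; the redirector host is a placeholder, and nothing is fetched.

```python
"""Unmask a link whose visible text differs from its real destination."""
import html
import re
from urllib.parse import urlparse, parse_qs

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://\S+', re.I)

# Constructed sample anchor: the visible text shows a BBC address, but the href
# goes through a placeholder redirector that carries the BBC URL as a parameter.
SAMPLE_ANCHOR = (
    '<a href="http://redirector.example/r?id=42&amp;u='
    'http%3A%2F%2Fwww.bbc.co.uk%2Fnews%2Fexample-article">'
    'http://www.bbc.co.uk/news/example-article</a>'
)


def parse_anchor(anchor: str):
    """Return (href, visible_text) for a single HTML anchor, entities decoded."""
    m = ANCHOR_RE.search(anchor)
    if not m:
        raise ValueError("no anchor found")
    href = html.unescape(m.group(1))
    text = html.unescape(re.sub(r'<[^>]+>', '', m.group(2))).strip()
    return href, text


def embedded_urls(url: str):
    """URLs hidden inside the query string (parse_qs percent-decodes them)."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            found.extend(URL_RE.findall(v))
    return found


def triage(anchor: str) -> dict:
    """Offline verdict: who gets the click first, and is the text lying about it?"""
    href, text = parse_anchor(anchor)
    href_host = urlparse(href).hostname or ""
    text_is_url = text.lower().startswith(("http://", "https://"))
    text_host = urlparse(text).hostname if text_is_url else None
    hops = embedded_urls(href)
    return {
        "first_contact": href_host,          # the host that really serves the click
        "text_host": text_host,              # what the reader is shown
        "masked": text_host is not None and text_host != href_host,
        "redirect_targets": [urlparse(u).hostname for u in hops],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ANCHOR))
```

A mismatch between `first_contact` and `text_host` is the thing to log and block on; the redirector, not the final BBC page, is what the browser talks to first.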

CallMeLateForSupperOctober 26, 2014 5:28 PM

@Roland Aspie

That is one ugly URL. So ugly that I would not even think about clicking it.

According to an article in the Irish Mirror (news organ)
"Online criminals use lottery winner's name in scam bid"

The scam described in that article sounds different from the scam in your email. Nevertheless...

Interesting that the "legal advisor" in your email has exactly the same name as the alias of a man who was wanted in Louisiana for child molestation. Apparently he was apprehended.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.