Friday Squid Blogging: Large Squid Washes up on Greek Beach

No mention of the species, but the photo is a depressing one.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on January 30, 2015 at 4:15 PM • 247 Comments

Comments

Grauhut • January 30, 2015 5:04 PM

"Security certification" process by BSI, the German federal agency for IT Security, this is incredibly funny, as told by a BSI "engineer" in a congressional hearing in Germany, 01/29! :)

"Hahn: I ask therefore a bit steep, because it is here about fundamental rights. Why was there no test run with data? You have not made a test run, correct, why?

BSI "Golke": That's expense. The manufacturer tests this.

Hahn: But you certify it. How can they do that if do not test what the device does?

Golke: I have checked the papers. This is the depth that is useful for me. For distrust I have too little lever, since I lack the mandate to test. ...

Kiesewetter: Was the control software for the (surveillance filter system) separator from the BND, develop by its own?

Golke: Was not important to me. Even if a Trojan horse of a foreign agency is in it, those are not enemies. Which could destroy the make, which makes no sense for friends. That is encapsulated. Even if the NSA is in the separator, which makes me not Difference because the Trojans can not phone home."


So BSI certifies that NSA-TAO is not able to communicate on sidebands! This is so incredibly funny! :)

albert • January 30, 2015 6:27 PM

The squid is a metaphor for the Greek economy.
.
I'm sure there are millions of Greeks who feel the same way. Here's hoping they finally take control of their government.
.
...

Sam • January 30, 2015 6:48 PM

Re: Verizon cookies

If we believe "secrecy is wrong," then opting out means extra super-charged tracking.

LessThanObvious • January 30, 2015 7:17 PM

@Anura That is great news. I was quite certainly going to change carriers if they did not remedy that issue. I'm still extremely annoyed that they ever thought it was acceptable to treat their customers like that. I hope they understand it isn't just unpopular, it is unethical and I'd have been proud to add my name to any class action suit to make that clear.

Buck • January 30, 2015 8:29 PM

@Sam
Re: Verizon cookies

'Opting-out' serves only to cater to the illusion of choice... Just because your personal identifier isn't publicly broadcast to anybody with a webserver, it doesn't mean that those with widespread web-coverage can't ask [your ISP here] for a price quote! ;-)

Thoth • January 30, 2015 8:38 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@Grauhut
I would agree and say that most certifications for security products are simply a theater show and are at best mild obstacles to HSAs or even MSAs. Nationalistic feelings and ideologies like (Made in Germany - the Privacy Nation so-called) or (Made in UK/USA/FiveEyes - because of high quality so-called) or (Made in Eindhoven by NXP - because NXP is one of the largest chip makers) and so on self-serving titles and marketing nonsense. I have nothing against these nations personally but I have something against Nationalistic Ideologies that cloud sound judgment.

Let's look at every chip maker's favourite FIPS 140-1/2. It describes levels of protection to prevent keys from leaking. In my previous posts somewhere in these commentaries, I have shown why FIPS 140-1/2 is simply a joke. Let's call it FIPS standard for short. FIPS Level 2 states that the keys must be held in a tamper evident manner and resist tampering which includes hardware and software. Let's assume software is mostly quite well done, the hardware has always posed a direct problem to all crypto-chip makers. Security sensors are expensive and tough to design and most makers use pretty default industry choices and one of the default industry choices is to use epoxy glue to "pot" the chip which means encapsulate the chip in a glue ..... so that achieves tamper evident because if someone removes the glue blob on the chip, you will know it has been tampered.

What happens if I remove the glue blob, tamper the chips, have the luxury of replacing an identical chip or even re-encasing the chip again and drop a blob of glue ... I would still be awarded with FIPS Level 2 with a high certainty.

Tamper resistance methodologies include light sensors (so that someone pops the chip casing, it will detect the room's light) which I believe HSAs would have special facilities to work in controlled light environment. Mesh serpentine circuit wiring to force attackers to peel through your circuit mesh to break the wires and trigger a reaction from the security processor has been shown to be futile in Ross Anderson's research on security processors. Ion beams would simply poke just enough holes to allow you to probe the circuit and metal if you have the skills and cash (at most a couple hundred thousand USDs to get the equipment). Prior to probing, you could radiate the chip and map the internals and use techniques to map the metal contents for circuitry and that will give you a good idea where to put your probes and drill your ion beam holes. Circuit electrical detection circuits and temperature circuits to detect probes and heating of chip covers to remove the covers or induce faults and carry out probing sounds nice but Ross Anderson has already posted many tampering techniques into the public a long time ago.

The worst part of these anti-tamper measures is that they rely on having a power source to wipe the secret keys whenever a tamper is detected but the fact is a lot of cheap crypto-processors (smart cards and tokens) don't have power sources or backup power sources so all you need is bring it offline, dismember the chip package, probe the circuits and copy the data out into another chip by some means or analyse the keys and would still be there without electricity to do the wiping. It's like having a bunch of traps with no teeth.

FIPS is simply too ambiguous and leaves much to be imagined for the vettor and the vettee and don't forget it's NSA behind it (with NIST as the front).

Next, we will take a look at CC EAL stuff. It's again the NSA in the backroom and NIST as the front to take the hits for NSA. I wouldn't say I am very familiar with CC EAL stuff which Nick P has more knowledge there than me since he loves the Orange Book. One of the clauses of CC EAL requires applicants to have NDA and security by obscurity as part of its requirements. I won't say it's completely unreasonable but it's also not a good security strategy either. That one would mean if you are going to request for whitepapers on crypto-chips or security products in more details, you MUST sign an NDA on the internals. I believe and am assured that most smart card issuers or security hardware designers or middleman would have to sign NDAs with NXP, Freescale, Atmel and the likes and these people who sign NDAs must ask the rest down the chain to sign NDAs for more details if their customer wants more knowledge. That is nonsense security.

A lot of "high security" hardware are rated with CC EAL 3+/4+ which is a low security product and these stuff are powering your everyday financial and government servers. To my knowledge, countries who have joined the CC membership have a base guideline and also their own interpretation of the loosely created guide that is open for interpretations. CC certifications are acknowledged among the member countries and to add on top of that, a contractor with certification to be a CC lab tester would do the rating for you and you will get your ratings and certifications. How much can a lab tester do extensively to provide the "rigidness" of CC or let's put it ... the looseness of CC. It is too subjective. The country's representation body to the CC club (BSI for the Germans and NSA for the USA).... errr... NSA as CC front and back for USA ???

I wouldn't be surprised if the bulk of CC certified stuff are simply just "glance and certified" with a little probing and no more.

So how do I make a minimal CC + FIPS certified chip ? I will simply use software in the chip (SoC chips are too expensive and powerful for national operatives :) ) to do the flow control, MMU and implement DPA and SPA defense algorithms bought from Cryptography Research company controlling the DPA and SPA patents. For the potting I will simply use the good old drip of epoxy glue for tamper evident (FIPS Level 2), use a security mesh circuit for just that extra bite, add a temperature sensor and the DPA and SPA algos (FIPS Level 4) and write a "formal" document on the design choices and some fanciful write-up on threat modelling ... I will likely be getting not only FIPS Level 4 but with a well written document I might have a chance of CC EAL 5+ (smart card level ... which is so easy and cheap to hack ... say USD 50000 to USD 10000 for the workbench). I give it a cool name and label like "XtremSec Chip M1010" and market it as a high security chip and put it into a MicroSD card for use as a HSM device on smartphones and get USD150 per piece because it's FIPS Level 4, CC EAL 5+ or even 6 (due to the FIPS 4 level) ... oh and I didn't back the chipset with a tamper battery so all my traps are ... paper tiger / teethless traps.

To the NIST/NSA/GCHQ/CESG/BSI/BND ... CC representative lurking here, you might love to refute my claims by saying the standards are sound and just but fact is look at the security hardware around you and take a moment to dismantle that old credit card in your wallet that have already been sitting for many years and is useless ... give a try at popping it.

The standards are close to worthless if people were to use it as a benchmark to make market-acceptable security products. These standards would only be useful if they are used as a reference to build a strong security product from these standards by using them as the most basic benchmark and then stepping up beyond what the standards have. Most security products simply meet the standards just for compliance and may well be close to doing half-hearted jobs.

Have fun inventing and making your own teethless/clawless paper tiger crypto-chip :) .
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----

Buck • January 30, 2015 9:25 PM

@Move Plots rule

From a linked article (David Cameron wants fresh push on communications data):

"In the most serious crimes [such as] child abduction communications data... is absolutely vital. I love watching, as I probably should stop telling people, crime dramas on the television. There's hardly a crime drama where a crime is solved without using the data of a mobile communications device."
"What we have to explain to people is that... if we don't modernise the practice and the law, over time we will have the communications data to solve these horrible crimes on a shrinking proportion of the total use of devices and that is a real problem for keeping people safe.
"We have got to make this explanation very clearly, really get it out to people and then build, perhaps at the start of the next Parliament, a cross party case for sensible legislation to deal with this issue."
Is this for real, or is this some twisted mind's idea of a joke..?

Anura • January 30, 2015 9:56 PM

@LessThanObvious

Same here, except AT&T was doing the same thing when it broke (although they dropped it completely), and I had no reason to believe Sprint or T-Mobile wouldn't do the same. Unfortunately, it's not like we have a large selection of carriers here, especially if you want decent coverage. I'm still annoyed that it's opt-out, since it means the vast majority of people will still be tracked. I'm also pissed that AT&T and Verizon didn't communicate this to their customers first.

@Frank En Stein

I would quit if that was forced on me. I may be a transhumanist, and I'd happily take an open-source computer chip with an interface to my brain that allows me to do wireless communication, but only if I have 100% control of all information that is sent.

V • January 30, 2015 10:25 PM

@Buck
Maybe someone can get David Cameron hooked on Sherlock Holmes novels. Then he could push for a national bootprint registry.

Godel • January 30, 2015 10:31 PM

Any inside word on the remainder of the TrueCrypt audit?

I think the initial report on the boot process came out last April, or 9 months ago. I can't see anything in their Twitter account where they were supposed to be posting updates.

Have they converted all the remaining audit money to Bitcoins and scampered to South America?

Buck • January 30, 2015 10:52 PM

@V
Re: Bootprint Registry

You mean to say, this doesn't already exist!? Then what on earth have all these anti-terrorist-pedestrian bills been funding..?

Figureitout • January 30, 2015 11:11 PM

Godel
--Would like to know too (f*ckin' why!?); and just like that one of the best multi-platform and most used FDE tools gets abandoned. In addition to taking the money and running, probably code too dense for them or just taken by shock of devs lighting fire to it in the middle of the audit. These guys must practice damn good OPSEC since no one knows who they are and they just keep their mouths shut and move on.

Leonardo • January 30, 2015 11:17 PM

= Attorney General Holder Announces Charges Against Russian Spy Ring in New York City

http://www.justice.gov/opa/pr/attorney-general-holder-announces-charges-against-russian-spy-ring-new-york-city

= FBI: We Busted A Russian Spy Ring In New York City

http://www.businessinsider.com/fbi-we-arrested-a-russian-spy-in-the-bronx-2015-1

= FBI Arrests Russian Spy Allegedly Collecting Intel In The Bronx

http://www.huffingtonpost.com/2015/01/26/fbi-arrests-russian-spy_n_6548932.html

= FBI Agent Explains How Russia's Foreign Spy Operations Work

http://www.businessinsider.com/fbi-agent-how-russias-foreign-intelligence-service-works-2015-1

Grauhut • January 30, 2015 11:48 PM

@Leonardo: The Zerohedge version is a lot funnier! Strange spies! :)

Citations from the recorded conversations:


"On or about May 21, 2013, IGOR SPORYSHEV, the defendant, called EVGENY BURYAKOV, a/k/a "Zhenya," the defendant, to ask for BURYAKOV's help in formulating questions to be used for intelligence-gathering purposes by others associated with a leading Russian state-owned news organization (the "News Organization").

From my training and experience, I know that the News Organization has been publicly identified by former SVR agents as an organization that is sometimes used by Russian intelligence to gain access to and gather intelligence under the cover of the news media.

During the May 21, 2013 telephone call between EVGENY BURYAKOV, a/k/a "Zhenya," and IGOR SPORYSHEV, the defendants, which was intercepted by the FBI, the following exchange occurred:

EVGENY BURYAKOV ("EB"): Hello?

IS: Hello Evgeny.

EB: Hey.

IS: Can you talk? . . I need help.

EB: Aha.

IS: [The News Organization] wants very much, I don't know how it came down from the top, but they need three questions with regard to the New York Exchange. What would be interesting to us. Can you help write something?

EB: It's a difficult question. . I need to think.

IS: Can you think of something in fifteen minutes?

EB: Fifteen minutes?

IS: Yes.

EB: I'll try. . . . Should I call you?

IS: Yes, call me.

EB: If you will not pass by me?

IS: No, I will not.

* * *

Approximately 20 minutes later, IGOR SPORYSHEV, the defendant, called EVGENY BURYAKOV, a/k/a "Zhenya," the defendant, and the following conversation, which was intercepted by the FBI, occurred:

EB: Well, I thought about it. I don't know whether it will work for you but you can ask about ETF. . . . E-T-F. E, exchange.

IS: Yes, got it.

EB: How they are used, the mechanisms of use for destabilization of the markets.

IS: Mechanism - of - use - for - market - stabilization in modern conditions.

EB: For destabilization.

IS: Aha.

EB: Then you can ask them what they think about limiting the use of trading robots. . . . You can also ask about the potential interest of the participants of the exchange to the products tied to the Russian Federation."

http://www.zerohedge.com/news/2015-01-27/us-preparing-blame-next-market-crash-russian-spies


For me this sounds like a reporter who wants expertise from a friend in order to have some questions for a future interview partner.

Of course, if the FBI says they are spies... but maybe they simply didn't like the idea of an interviewer asking the offered possible questions about ETFs and destabilization mechanisms. :)

Clive Robinson • January 31, 2015 7:23 AM

@ Wael,

Whilst having a quick flick through the RetroBSD site[1], I happened to notice something that might be of interest to you.

It's a single pass C compiler that is more modern than Small-C and is currently being developed,

https://github.com/alexfru/SmallerC/

[1] Retro BSD is of interest to me because it runs quite well on dirt cheap Microchip PIC32 (MIPS) chips. A friend has a little board they designed for a plant control job that uses a PIC32 with four serial ports and a 10/100 eth. For fun they ported Retro and added a USB HD. Running it in full multi-user mode it gives an experience of being back in the 80's on a MicroVAX with the "green glow" of VT100 terminals, back when Unix did not have the bloat it has today :-) You can read more about Retro at http://retrobsd.org/ It appears to run on quite a bit of easily available hardware and porting to other platforms is not difficult.

Clive Robinson • January 31, 2015 7:46 AM

@ Grauhut, Leonardo,

I suspect this is as you note not a real spy case, but a "tit for tat" response to something else.

For instance the UK has started a public enquiry into the death of an Ex KGB defector who was poisoned by two Russians very close to Putin, who slipped Polonium-210 alpha particle emitter into a pot of tea in a public restaurant they had gone to see the defector in and as a witness at the enquiry testified put the lives of thousands of Londoners at risk.

Putin's response (he knows he's guilty) was to "rattle the cage" by sending across some old Russian Air Force bombers into UK airspace with their transponders turned off thus causing various problems (I just wish the RAF had shot them down as "terrorist attack", but diplomats tend to get mealy mouthed about such things).

The simple fact is Putin is in a bit of a bind currently, the world oil price is half what it was just a short time ago and this really puts the screws on the Russian economy. Due to what has happened and continues to happen in the Ukraine many suspect that Putin is going to start further hostilities in Eastern Europe and go back to the bad old days prior to the Cold War...

So I would expect quite a few more saber rattling events in the very near future including a significant step up in Cyber-Crime --or war depending on your viewpoint-- in support of Putin's activities. Oh and remember who is dropping in to see Vlad all the way from NK...

8 • January 31, 2015 8:50 AM

@ Clive re "many suspect that Putin is going to start further hostilities in Eastern Europe"

NATO already lost without the trouble of hostilities. Russia's response to NATO's Charter-illegal economic coercion was mate in one move without a shot fired. Through the miracle of competent diplomacy Russia stuck a chisel in NATO, put an end to Ukrainian oil theft, and tightened its control over Europe's energy.

Spies spying on stuff that isn't secret is pretty hilarious, but the USG needs something to replace terror hysteria. Nobody takes that seriously anymore except inbred redneck sheriffs.

Skeptical • January 31, 2015 9:38 AM


No, that's a real espionage case. I'm not sure why Zerohedge would only quote that one portion if it did.

Other recordings detail the three individuals complaining that they were not given new identities when being sent abroad by the SVR, among other things. One of them notes the difficulty of conducting espionage in the US, remarking that "S department" has not had much success either. They went to considerable effort to avoid detection and monitoring by the FBI.

As to Putin and the Ukraine... Russia's economy is forecast to contract by 3% this year, and Europe has considerably reduced Russia's leverage in the energy department. It's hard to see Putin's involvement of Russian forces in Ukraine as anything other than a gross strategic error. He's crippling the Russian economy, and poisoning relations with the outside world, for no apparent purpose other than his own hold on power. Crimea had true strategic significance to Russia, but at this point I'm not really sure why he presses on in the rest of Ukraine.

I do know that the Russian and Ukrainian people are paying the price for his adventures, and frankly I think they've suffered quite enough over the last 70 years. There is enormous potential in both countries which is going sadly unrealized.

I view Russia's increased air patrols as more about training and morale than anything else, though they're slightly bizarre at this point. Russia and the West have almost no good reason to be hostile towards one another, though I understand the sources of the mutual distrust that has accumulated between the US (and other Western) and Russian Governments.

BoppingAround • January 31, 2015 10:10 AM

Buck,
> I love watching, as I probably should stop telling people, **crime dramas on the television.**
> There's hardly a crime drama where a crime is solved without using the data of a mobile communications device."
Yes, his sense of reality might be somewhat warped. I hope he hasn't watched Person of Interest and Minority Report yet.

Anura,
> but only if I have 100% control of all information that is sent.
You might want to be extra careful there and consider 100% control of all information that is received. Unless you want to be bugged with tonnes of advertisements.

Off-topic.
Stumbled upon Snowden disclosures articles in Wikipedia. It is a goddamn gem.

> In July 2013, Chancellor Angela Merkel defended the surveillance practices of the NSA, and described the United States as "our truest ally throughout the decades".[446][447] After the NSA's surveillance on Merkel was revealed, however, the Chancellor compared the NSA with the Stasi.
> The Danish Prime Minister Helle Thorning Schmidt has praised the American intelligence agencies, claiming they have prevented terrorist attacks in Denmark, and expressed her personal belief that the Danish people "should be grateful" for the Americans' surveillance.

...

FED • January 31, 2015 10:32 AM

Speaking of Europe, the new Greek government announced something like how the economy will kickstart with a new id card that will also serve as an electronic wallet.

There is something crazy about those Europeans.

8 • January 31, 2015 10:37 AM

Lots of shit to shovel today!

Ha ha, "crippling the Russian economy," that's the kind of economic baby talk you say if you live off taxes and you never had to meet a payroll and you know jack shit about macro or finance or commerce. Russian debt to GDP is 11%. US debt obligations to Russia cover two thirds of that.

"poisoning relations with the outside world," Skep can't tell the difference between the outside world and the weakling NATO vassal states. Putin is losing interest in the Western bloc. So are the Swiss, who just agreed to trade RMB, reinforcing ruble/RMB settlement agreements - and Eurasian integration - as NATO and the EU cracks.

"Hostile to each other," more statist brainwashing. Russia is indifferent, not hostile. Russia incurred US government hostility by articulating international law.

Grauhut • January 31, 2015 12:21 PM

@Skep: Sorry, but I don't buy it!

Poor Skep, do you really still believe you are fighting for a people's freedom? You don't. You fight for the interests of your 1% capitalist elite and you only get what falls from their tables.

Zerohedge published a copy of the full complaint in the case of "Attorney General Holder Announces Charges Against Russian Spy Ring in New York City" on Scribd, read it. Funny conspiracy theory! :)

https://www.scribd.com/document_downloads/253887693?extension=pdf&from=embed&source=embed


"Russia and the West have almost no good reason to be hostile towards one another"

Of course they have, the destabilization of the Ukraine was financed by the US.

"We have invested more than 5 billion dollars to help Ukraine to achieve these and other goals." Nuland


Your bosses want the Siberian resources, not your freedom. That's all this is about. :)

"His (Putin's) fierce defiance toward the United States flared throughout as he insisted the West was trying to destroy Russia to grab Siberia’s great natural resources. ... Putin struck a defiant note against the United States and the 28-nation European Union, saying the sanctions they slapped on Russia after it seized the Black Sea region of Crimea in March were part of a historical campaign to weaken Russia. He accused the West of trying to infringe on Russia’s sovereignty, saying the Ukrainian crisis was just a pretext for Western action."

timesofisrael.com/iran-nuke-talks-very-close-to-resolution-says-putin/


Is Putin paranoid or is this a true risk? ;)

google.com/search?q=US-Siberian+Department+for+Management+and+Regionalistic+Alternative+to+Siberia

Wael • January 31, 2015 12:23 PM

@Clive Robinson,

Whilst having a quick flick through the RetroBSD site...

I played with FreeBSD -- my favorite among them, so far, NetBSD, OpenBSD, PC-BSD which is the easiest of them to setup, especially on a Virtual Machine. I also tried to play with nanoBSD but didn't get to spend much time with it. Never got a chance to mess with miniBSD that has been on my radar screen for some time. With all this BSD exposure, I haven't seen RetroBSD before. I'll give it a try one of these days after I make sure I get a suitable piece of embedded hardware for it. The links included were also interesting (Supported Hardware.) Thanks :)

JonKnowsNothing • January 31, 2015 12:31 PM

Sock Puppets of the World United.

British army creates team of Facebook warriors

ht tp://www.theguardian.com/uk-news/2015/jan/31/british-army-facebook-warriors-77th-brigade
(url fractured to prevent auto-run. remove space from the header)

The British Army is building a 1,500-person dedicated Sock Puppet Brigade. The Special Operations Force (SOF) will be working closely with NATO and "other" agencies.

The Israeli Defense Force (IDF) has one that works on 30 different social media sites including Twitter, Facebook, YouTube and Instagram and posts in six languages.

While it's no big loss about Twitter or Facebook et al, as they already alter your "view" based on their own internal algorithms and marketing decisions (we'll only show you what you LIKE and what we want you to buy), but it will be interesting if anyone picks up that in order for the SOF views to remain "high/visible" that these "corporate" algorithms must have a setting that prevents designated SOF views from falling and another that drops "popular" views into the dust bin like Reddit did with Glenn Greenwald threads. The Reddit/Greenwald thread drop appeared to be manually done by moderators at Reddit.

ex: The Reddit/Greenwald threads were very popular and top of the heap, so the moderators closed those threads and opened new "empty" ones so their view rating would be low. When the new view rose too high, they repeated the process.

It's clear these SOF type posts won't be manually maintained "on top" as there will be way too many and they won't want these views to drop at all but retain "most viewed" status.

Additionally, Google Analytics and similar data collectors/trackers can tell if clicks/LIKEs come from the same IPs, so there must be a rotating IP Address scheme to prevent auto-clicking which for many platforms will lead to discounted scoring/ban.

Prof Forkings • January 31, 2015 12:34 PM

"Through the miracle of competent diplomacy Russia stuck a chisel in NATO, put an end to Ukrainian oil theft, and tightened its control over Europe's energy."

Wow, is that how they're spinning it in Russia?

Grauhut • January 31, 2015 1:24 PM

@Clive: "So I would expect quite a few more saber rattling events in the very near future including a significant step up in Cyber-Crime --or war depending on your viewpoint-- in support of Putin's activities."

Linking Russia to Cybercrime is as crystal clear as the case of Litvinenko. Clive, this is muddy water and you know this.

en.wikipedia.org/wiki/Poisoning_of_Alexander_Litvinenko#Polonium-210
en.wikipedia.org/wiki/Boris_Berezovsky_%28businessman%29#Apology_to_Putin

How many killed innocent civilians does the NATO accept per Hellfire shot? 10?
NATO drones put afpak civilians at a real risk.


Keith Alexander wants to make a living from protecting banksters from cyber threats and coordinate this with the new NSA job to protect these elites.

Tell us if you have some good evidence for Russian state sponsored cyber, as good as the Regin evidence. I think a lot of cyber threats come from those making money from selling cyber security. Old standard mafia game. Not to forget someone needs to hedge the US-NATO three letter agency coup in 10/04/2001. ;)

"enhance intelligence sharing and co-operation, both bilaterally and in the appropriate NATO bodies"
nato.int/docu/speech/2001/s011004b.htm

Nick P • January 31, 2015 1:44 PM

A BSD magazine subscription sent you an issue about a BSD. I'm missing the synchronicity or weirdness. Unless it's the timing. And for that, we must look at timing range of other issues you received to see if timing is unusual. So, is it?

Grauhut • January 31, 2015 1:49 PM

BS:D... If someone wants to test an Iranian BSD kind of fork: jabirproject.org/news

65535 • January 31, 2015 2:05 PM

Clive, I have an RF question.

How thick should a low cost stainless steel cooking pot be to stop a mobile phone signal?

I did a quick test on a .41mm inch stainless steel pot by putting a 3G cell phone in it with the top on. The phone can ring when dialed from another person. The signal is penetrating the steel.

What would be the stainless steel thickness to stop the cell phone from getting a signal?

I know you are busy so I’ll check back in later. Thanks.

Wael • January 31, 2015 2:06 PM

@Nick P,

Reg: BSD...

@Clive Robinson mentioned RetroBSD and "C", a few minutes after I respond, I get the latest issue with the title: "The Journey of a C Developer in the FreeBSD World". So it's timing, OS, and title -- three things.

Grauhut • January 31, 2015 2:13 PM

@Skeptikal, have a look, this is real financial espionage:

"The expansion of U.S. financial intelligence efforts is a striking development in recent years, said a U.S. intelligence official who discussed the topic on the condition of anonymity. The driver has been the need to thwart terrorist financing networks and to develop more sophisticated ways of imposing economic sanctions, he said.

Financial intelligence has come into its own as the U.S. increasingly turns to sanctions, asset freezes and other financial actions to thwart adversaries from al-Qaida operatives to Russian President Vladimir Putin. It's a tactic that Ian Bremmer, the president of New York-based Eurasia Group, recently called the "weaponization of finance."

The U.S. strategy is "premised on the simple reality that all of our adversaries, to one degree or another, need money to operate, and that by cutting off their financial lifelines, we can significantly impair their ability to function," Cohen said at a conference in London in June."

chicagotribune.com/news/sns-wp-blm-news-bc-intel-finance20-20150120-story.html


Seems the Russians were kicked out because nobody wants a discussion about the "weapons of finance", the mechanisms of using ETFs and trading bots for destabilization of the markets. :)

Q-bertJanuary 31, 2015 2:17 PM

Google didn't tell WikiLeaks it gave data to officials until almost 3 years later
http://mashable.com/2015/01/26/wikileaks-google-data-requests/

WikiLeaks is criticizing Google for taking nearly three years to disclose that it surrendered data belonging to three WikiLeaks employees and handed it over to federal law-enforcement officials.

Google alerted WikiLeaks on Dec. 24, 2014, that it had handed over Gmail content, subscriber information, metadata and other content of the three staffers only after the company was served with federal search warrants, according to a letter addressed to Google executive chairman Eric Schmidt.

The search warrants, which were issued in secret, were related to concerns of espionage and theft of U.S. government property.

"We are astonished and disturbed that Google waited over two and a half years to notify its subscribers that a search warrant was issued for their records," reads the letter, which was composed by WikiLeaks lawyers.

WikiLeaks is demanding that Google provide a list of all of the materials that it provided to law enforcement.

Other companies — namely, Twitter — have pushed back against the U.S. government so that it could notify its users of these kinds of court orders. WikiLeaks also wants to know whether Google issued any challenges to the search warrants before complying with them.

Twitter's policy, for example, has stated that it will always notify the user if it receives a government subpoena for information.

WaelJanuary 31, 2015 2:27 PM

@65535,

Sorry, I'm not Clive, but until he answers, I can say something -- if you don't mind...

"I did a quick test on a .41mm inch stainless steel pot by putting a 3G cell phone in it with the top on. The phone can ring when dialed from another person. The signal is penetrating the steel."

The signal didn't penetrate the steel. It went through some "hole". Try the experiment with this variation: get your stainless steel pot, put a small non metallic plate inside it, put your cell phone on top of the plate, then get a piece of aluminum foil and cover the top of the pot with it. Make sure the aluminum foil isn't leaving any gaps and touching the rim of the pot everywhere. You won't get a signal. Thickness of the steel is not important. If it still works, then your pot is made in China -- lol.

Shielded enclosures used for various cell phone tests have walls that aren't "that thick", some of them have walls as thick as heavy duty aluminum foil.

The fighting sock puppets of FarmvilleJanuary 31, 2015 2:28 PM

Thanks for the link at 12:31. Nonlethal warfare, that's rich. At least that way they won't get their parts blown off when they lose again. Especially humorous that they're turning to Israel, the most successful of the world's disgraced genocidaires. Because when you're the subject of 42 admonitory UN resolutions in the past two years, you really learn to put your best foot forward!

albertJanuary 31, 2015 3:20 PM

@8
"Lots of shit to shovel today!" Indeed. You forgot to mention the US-installed oligarchs in Kiev, the US-engineered Saudi oil 'crisis', the slow but sure economic crisis in the EU (and the US as well). Yeah, let's make Ukraine part of NATO, and install nuclear missiles on the Russian border.
.
I sincerely hope that Greece, with Spain, Italy, and Portugal sort out their economies, tell the ECB and the IMF to go ... themselves, and get away from the banksters' poisoned well, and the US/EU insane foreign policies. Geez, you'd think Germany would grow a pair, by now.
.
Skeptical _does_ save us from having to watch/read the US MSM, as he does articulate the party line in a non-disgusting sort of way.
.
'Russian spies'? Gimme a break! How about FBI recruited 'terrorists', social media cyber terrorism, industrial cyber espionage,.....
.
The sky is falling, the wolf is here, and who will save us?
.
It's all BS, but the political BS is the hardest to take. If you could remove all the pundits, PR flacks, propagandists, commentators, blow-dried meat puppets, reporters and 'journalists' who knew what they were talking about, the world would be a very quiet place indeed.
.
I gotta go...

Nick PJanuary 31, 2015 3:25 PM

@ Q-bert

Given its rep, Wikileaks should be grateful for *any* assistance it gets given how much of a target that paints on the giver's back. I also think it's laughable to expect people hit with FISA warrants, etc to inform the people being intercepted.

Sensible position is to assume any data going to companies or systems in surveillance states is under surveillance. Then, use methods to reduce or nullify such risks. Given secure endpoints and traffic, the weakest link will be the people using the systems targeted by legal threats.

Clive RobinsonJanuary 31, 2015 6:06 PM

@ Nick P, Q-bert,

"I also think it's laughable to expect people hit with FISA warrants, etc to inform the people being intercepted."

Well it all depends on how you view things.

If we go back fifty years --or just yesterday in legal terms-- papers in a filing cabinet in an office or other private premises were the norm. And as such in the US protected under the constitution.

Now to get access to them an LEO would have to get a warrant in a non secret court, by showing acceptable "reasonable suspicion", then serve the warrant either on the owner of the filing cabinet or the office building owner/operator and ship the file cabinets out the door giving a receipt etc.

All of which would "be obvious to the owner" of the file cabinets, by their loss or loss of their contents. Thus they would have a way to get redress if the LEO had not got evidence of a crime etc.

The only other way would be an illegal approach like an overnight "black bag" job, or recruit an agent by blackmail etc, which would not only be impractical but importantly not usable in a court or to obtain a warrant due to the principle of "fruit of the poisoned vine" (although illegal parallel construction would still be available). This secretive attack would not allow the file owner to seek redress and this is generally considered bad for democracy as it encourages further illegal acts.

Thus the judiciary used to take a very dim view on spying, and much case law was predicated on it not being available to LEOs which is why the wire tap laws were the way they were.

Thus arguably under the usual legal norms the LEO would only be entitled to know who email had been sent to and at the time of it being sent within the duration of the warrant. But not know who an email had come from, or the contents of any email, nor any thing about previous emails sent or received prior to the time and date of the issue of the warrant.

Working outside of those legal norms with a secret court to rubber stamp a "hoover everything past and present" policy is a major change and opens questions about such things as illegal "entrapment" and "provocation" etc.

Moving from a LEO and legal norm view point, to one that an agent or criminal would be advised to follow, then yes it is perhaps something you would take into practical consideration. But these people believed themselves to be investigative journalists and thus had the same rights as journalists in say the NY Times or Washington Post...

Well we now know that such rights --even if enshrined in law-- no longer exist in practice under the current US administration in its attempts to kill whistleblowing. Thus cover up the administration and their agencies' questionable and illegal activities, including amongst other things torture, murder, war crimes and worse. Activities the public should be aware of as it is they, their sons daughters and other loved ones that suffer the blow back of such activities carried out in their name but without their knowledge or consent.

Personally I think that nobody in power should be above the law, nor should they ever be, they must always be accountable to those who elect them into a position of trust. Because as history has proved time and time again such people who hold themselves above the law will only bring down society, and usually the end will involve considerable bloodshed, death and destruction. Further from a moral perspective, if as a person in power you feel you should keep your actions secret from those who elect you, then you should be questioning why you need to take such actions, after all if you can not trust them, why on earth should they trust you...

Society only works by the balance of power, the legal norms are an essential part of this balance. History shows going outside the norms always affects the balance of society, usually negatively. Thus a viewpoint that ignores the balance is in significant danger of not just destabilizing society but actually bringing it crashing down, which all things considered is probably not a good idea, thus neither is the accompanying viewpoint a good idea.

dannyJanuary 31, 2015 6:40 PM

@ JonKnowsNothing

Re: Sockpuppets of the World Government

reddit is apparent on this policy with their 'ghosting' posts of targeted users. when a post is ghosted, nobody else but its author can see it.

the site is also obviously infested by armies of posters who alter the perception of public views to suit their missions.

DanJanuary 31, 2015 7:11 PM

@ Clive Robinson said, "Society only works by the balance of power, the legal norms are an essential part of this balance. History shows going outside the norms always affects the balance of society, usually negatively. Thus a viewpoint that ignores the balance is in significant danger of not just destabilizing society but actually bringing it crashing down, which all things considered is probably not a good idea, thus neither is the accompanying viewpoint a good idea."

Balance of power is also a two-edged sword, making the case for invisible hand. Some call it an ancient martial art, honed thru the test of times. Bits have been erased from history but the trail. Norms and morality are but an arbiter to be progressed periodically, by the ministry of truth.

@ albert said, "'Russian spies'? Gimme a break! How about FBI recruited 'terrorists', social media cyber terrorism, industrial cyber espionage,....."

World leaders hate talking about espionage because it exposes them for the hypocrites that they are.

@ Q-bert said, "Google alerted WikiLeaks on Dec. 24, 2014, that it had handed over Gmail content, subscriber information, metadata and other content of the three staffers only after the company was served with federal search warrants, according to a letter addressed to Google executive chairman Eric Schmidt. "

This is quite interesting that they were alerted after WikiLeaks' recent book about Google's Eric Schmidt and co. Couldn't they have told him when they had met? An implied threat of something more to it?

samJanuary 31, 2015 8:23 PM

@ Grauhut, all

"Twitter's policy, for example, has stated that it will always notify the user if it receives a government subpoena for information."

Never thought about this before. How does Twitter notify? Via certified postal mail or some sort of tweet?

Google can make the courtesy 2factor call, but Twitter is rather ephemeral to most users.

Clive RobinsonJanuary 31, 2015 8:38 PM

@ Nick P, Wael,

This design of a TRNG might be of interest,

https://www.tindie.com/products/WaywardGeek/infinite-noise/

However if you are going to build one, providing an RF tight case around the Caps and electronic switches in the FireBug circuitry might be advisable (because the protective diodes in the input and output circuits of the switches can act as envelope demodulators).

For those curious about how the FireBug works, it's fairly simple. In essence you have a voltage less than half the supply value on a capacitor, you double this and put it on a second capacitor, unless it's more than half supply, in which case you subtract half the supply voltage and store the resulting voltage. If you have to subtract half the supply voltage then the output is one, otherwise it's zero. You then take the voltage from cap two, and double it in the same way and store it back on the first capacitor. If viewed on an oscilloscope the voltages on the caps look like either exponential ramps or random jumps depending on how small the result is after the subtraction of the half supply.

I've used the FireBug circuit as a noise source to replace a zener noise source in a "roulette wheel" type TRNG, by taking the difference voltage between the two capacitors and feeding it through a lowpass filter prior to driving the varicap on the free running oscillator. There are some "bitwise correlation" issues but they are very easily removed with a simple logic circuit. The overall circuit has the advantage that it does not require much in the way of processing power in a microcontroller to spot issues with the noise source.
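
[Added example, not part of the comment above and not the Infinite Noise project's code: a small Python simulation of the doubling circuit as the comment describes it, showing that the early bits are fixed by the starting voltage, that later bits come from noise, and that an imperfect doubler produces biased, correlated bits. The normalised 1.0 supply, the Gaussian noise term and the `gain` parameter are assumptions made for the illustration.]

```python
"""Simulation of the capacitor-doubling noise circuit described above.

Added illustration: the supply is normalised to 1.0 and thermal noise is
modelled as small Gaussian jitter on every transfer (both assumptions).
"""
import random

HALF = 0.5  # half the (normalised) supply voltage


def run_multiplier(v0, steps, noise=1e-6, gain=2.0, seed=0):
    """Return the output bits for `steps` capacitor-to-capacitor transfers."""
    rng = random.Random(seed)
    v, bits = v0, []
    for _ in range(steps):
        v = gain * v                        # double onto the other capacitor
        if v > HALF:                        # more than half supply:
            v -= HALF                       #   subtract half supply
            bits.append(1)                  #   and output a one
        else:
            bits.append(0)
        v += rng.gauss(0.0, noise)          # noise picked up in this transfer
        v = min(max(v, 0.0), HALF - 1e-12)  # stay inside the working range
    return bits


def ones_fraction(bits):
    return sum(bits) / len(bits)


def lag1_correlation(bits):
    """Serial correlation between each bit and the one that follows it."""
    n = len(bits) - 1
    mean = ones_fraction(bits)
    var = mean * (1.0 - mean)
    cov = sum((a - mean) * (b - mean) for a, b in zip(bits, bits[1:])) / n
    return cov / var if var else 0.0


def first_difference(a, b):
    """Index of the first position where two bit streams disagree."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None


if __name__ == "__main__":
    # Same starting voltage, independent noise: the early bits are just the
    # binary expansion of the start voltage, the later ones come from noise.
    a = run_multiplier(0.15, 2000, seed=1)
    b = run_multiplier(0.15, 2000, seed=2)
    print("first 8 bits:", a[:8])
    print("streams diverge at bit", first_difference(a, b))

    # gain=2.0 is the ideal doubler; gain=1.8 models component tolerance
    # (assumed value) and shows the bias and bitwise correlation it causes.
    for gain in (2.0, 1.8):
        bits = run_multiplier(0.15, 20000, gain=gain, seed=3)
        print(f"gain {gain}: ones={ones_fraction(bits):.3f} "
              f"lag-1 corr={lag1_correlation(bits):+.3f}")
```
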

Nick PJanuary 31, 2015 8:52 PM

@ Clive Robinson

Interesting. The best part is that it's from WaywardGeek. He's the CipherShed team member that responded to my post on SCM security. Pretty cool and smart guy.

Clive RobinsonJanuary 31, 2015 9:15 PM

@ danny,

"I wonder what provoked recent belligerent actions from Russia?"

The quick answer is "does it matter?"

The longer answer, is such things are generally caused by the action of an individual who is in all other respects a nonentity, which like the "thrown snowball that starts the avalanche" acts as the catalyst or trigger to release the tension that has been building up. An example is Arab Spring that was supposedly started by an individual setting fire to themselves in protest.

Some people assume that the rise in such tensions is "a fact of life" however I've long suspected it is a side effect of greed/envy. That is it is the result of people assuming they can take/cheat/swindle the resources of others by way of trade or crime and profit by it (slavery being just one example of many). There are quite a few historical examples of cultures that did not try to either steal or corral entire resources to individuals, to the beggarment of others where such tensions did not arise and erupt in the way the World currently does. Unfortunately most did not survive first contact with "european adventurers" hell bent on taking what they wanted by deception, theft or force.

We still see such unethical behaviour in the likes of international trade agreements, so I doubt we will see the end to such tensions for quite some time.

The question then becomes how will such tensions be released and will they be like earthquakes, all the more devastating for having not occurred as frequently as they might once have done. It is this fear that has led, some believe, to the super powers fighting proxy wars, like an endless chess tournament.

WaelJanuary 31, 2015 11:04 PM

@Clive Robinson, @Nick P,

"However if you are going to build one"

For someone paranoid enough, building it is the only option. Otherwise subversion would be a possibility. Good link :)

WaelJanuary 31, 2015 11:14 PM

@65535, @Clive Robinson,

So why aren't you answering your phone? :) Did you not get a signal or did you return the pot for a refund? When I said thickness isn't important, it was for the frequency band of cell phones and the typical thickness of metals in a household. For some more info, here are some links...

Skin effect and skin depth

Radio world

Cold fusion

Reflection of Radio waves

Frequency spectrum

Shielding of gamma radiation is not as easy. It'll go through several inches of lead.

ER shielding and protection

General radiation shielding intro

Thyroid protection

EHF shielding research

ThothFebruary 1, 2015 12:51 AM

@Clive Robinson, Wael, Nick P
Do you have something more detailed on making the FireBug more random which you mention (logic circuit) and how to roll into the FireBug and sample its randomness. It would be helpful for the TFC project to use it in the TFC project as well.

Also, is there a way to fingerprint a particular circuit design like delays and voltages so that any circuit with suspicious properties like a hardware trojan could be flagged ?

WaelFebruary 1, 2015 1:22 AM

@Thoth,

"Do you have something more detailed on making the FireBug more random"

I think that's a difficult question to answer. How do you compare two random outputs? Once upon a time, in a thread not too far away, @Clive Robinson posted a paper (in German) for entropy estimation. I never got to read it, it's stored somewhere on my list of things to do. I tried once to use Metric spaces to measure the "distance" between two random sequences, but got lost somewhere... Gave up on it.

"Also, it there a way to fingerprint a particular circuit design like delays and voltages so that any circuit with suspicious properties like a hardware trojan could be flagged"

In the analog world, you can't easily differentiate between a clever design that works and an intentionally hidden feature. And as the circuitry becomes more complex, this task becomes more difficult faster -- a lot faster.

Honestly, I don't think worrying about the strength of the random number generation is where one should focus. The weakest links are the end points...

65535February 1, 2015 1:53 AM

@ Wael

Wael, I tried your idea. I put the cell phone on a glass plate. I covered the top of the pot with tin foil but no cooking top. The cell phone still rang.

I did look at the pot. The side handle is fastened on by steel rivets which could provide some leakage [but no water leaks out]. Also, the top of the pot has a ceramic type of handle fastened to it by a metal screw through a hole in the top [so some gap may be present].

I repeated the test by wrapping the cell phone in tinfoil. I did not use a pot. The cell phone can still ring [and yes I can answer it after unwrapping the phone].

The only cause I can think of is somehow the cell phone antenna is interacting with the metal of the pot [or tinfoil] to provide a connection to the metal surrounding it [sort of like a grazing fuse (or proximity fuse) uses the metal of the shell as the antenna].

samFebruary 1, 2015 2:41 AM

@ 65535

have you tried wrapping the cell with tinfoil (shiny metallic side face outward), and then place it inside a pot?

why wouldn't i try this with mine...

WaelFebruary 1, 2015 3:45 AM

@65535,

"The only cause I can think of is some how the cell phone antenna is interacting with the metal of the pot"

Unlikely. That's also the reason for the plate: to insulate the interaction. Have you tried different pots? What kind of a phone is it? It works for me (and I worked in that field for some years, so I'm aware of the different bands used). Maybe @Clive Robinson has a better explanation.

YouHaveGotToBeKiddingFebruary 1, 2015 4:46 AM

Police Stations Increasingly Offer Safe Haven For Craigslist Transactions

http://tech.slashdot.org/story/15/02/01/0528249/police-stations-increasingly-offer-safe-haven-for-craigslist-transactions

Is this for real? It seems more like a way for the police to monitor ALL such transactions processed through their terminal or receiving location. I am pretty sure that additional data is collected and maintained on both the seller and buyer. Who knows what they plan to do with that data...

Clive RobinsonFebruary 1, 2015 5:20 AM

@ Grauhut thanks for the link,

http://github.com/pwarren/rtl-entropy

Its software test methods would be a useful augmentation to most low cost TRNG sources.

@ Thoth,

"Do you have something more detailed on making the FireBug more random"

Whilst it is possible to use FireBug as part of another circuit to increase "real entropy" I think you are talking about doing two things, firstly extracting the real entropy from bias, correlation and other predictable noise, and secondly checking the noise source is functioning correctly.

You need to treat them separately and only some of it can be done in simple logic such as a von Neumann de-bias circuit which boils down to a two bit shift register and an XOR gate and a counter to drive a latch to get the right output from the XOR gate. Back when I did this back in the 90's micro controllers were a lot less powerful than they are today and also a lot lot slower. Thus putting some functions into logic to take some heavy lift off of the micro made considerable sense, and importantly financial sense, the same is not as true today.

However I need to sound a word of caution about logic gates, they have equivalent functions to analogue circuits, and thus can and do suffer from the same problems but less obviously so. For instance a shift register is not just a "delay line" if you take taps along it and put them into another gate, then it can act as a filter, or integrator... Likewise counters make good integrators and A-D converters... More commonly known is the XOR gate is a one bit "half adder", but less well known is that it is also a phase detector... Few people know that the D-Type is also the equivalent of a frequency mixer, and with some kind of integrator --analogue or digital-- it produces a very clean output. Thus with just that knowledge you can see how a few logic gates and a very high speed ROM can make a Digital IF and FM demodulator of very high specification for instrumentation and test equipment. But also how you can be led astray, if you have two high stability oscillators feeding a D-type one on the clock input and one on the data input "close in" on an oscilloscope the data out looks very random. It's not, if you adjust the time base you will see that the pulse widths on the output appear to bunch up and open out cyclically if you look sufficiently far out you will see the bunching is strongly correlated to the difference frequency between the two oscillators. To see this more easily feed the data out signal through a simple RC lowpass filter / integrator and put it into the second oscilloscope input, you get a very good sinewave output and can see easily how it correlates with the D-Type data output.

So you will see the only "real entropy" in the signal from the data out of the latch is "phase noise" caused by the frequency drift of the oscillators. And if you could extract that you would find it correlates significantly to environmental factors such as temperature variation, supply noise and incident EM signals that the oscillators are subject to (there is also the problem of harmonic and sub harmonic "injection locking" to deal with as well).

So not at all random, even though it looks like it... And guess what, we see these problems occuring in the internals of chips where the oscillators are gate "ring oscillators" and three or more get "gated together" and the output then drives some kind of entropy pool that then gets hashed or encrypted to hide the crap quality of the noise source. Which is why you must check the noise source entropy "at source" not after the "magic pixie dust" of an entropy pool and hashing. It's this lack of "at source" access that has made me say publicly for over a decade "I don't trust Intel's on chip TRNG". And it would appear that my caution has been justified in that some tests indicate that the output of chip TRNGs can be influenced measurably by other functions on the chip such as software....

Which brings us on to testing the noise source at its output, there is no definitive tests of "good" just probabilistic tests of "bad" and comparative tests that indicate "change". What you can do is very much dependent on the grunt in your testing CPU and your ability to code the test software tightly. The usual suspects for "bad" are the Die Hard and Die Harder tests and those in various standards such as FIPS, they are all useless if used after an entropy pool or "magic pixie dust" hash/encryption, which is why you must apply them to the raw "at source" output of the noise generator. Nearly all noise generators will fail one or more of the Die Harder tests in some characteristic way, this is actually "OK" because the raw output of all noise generators contain bias etc. What is important is if the characteristics change for some reason, this could be due to a failure or to external influence, thus the comparative tests over time are your best tests. Likewise you should also test after the various stages of entropy extraction, such as after a von Neumann de-bias etc. Even though it's pointless looking for signs of external influence after any "magic pixie dust" hash/encryption testing it will tell you if it has failed in some way such as pushing out the same value repeatedly.

If the noise source you are using can be got at then it's worth subjecting it to frequency (FFT) and sequency (FWT) analysis as a primary comparative test for "external influence". In the past I used "waterfall displays" to show any changes and their characteristics. As "external influence" by an attacker is usually going to involve a strong signal it shows up on such displays of the environment the noise source is subject to. However you need to exercise caution as "test points" are also "routes in" if not thought about correctly.

Further when it comes to "magic pixie dust" I prefer a reversible encryption rather than a hash. The reason for this is that I can, --if I know the key and I should-- as part of the testing process decrypt the output and "see back" to what is going on prior to it. Likewise consider making entropy pools reversible in some way for the same reason. Remember any "one way" function is a brick wall behind which all manner of nasties can hide.

Any way have a read through the stuff at the link @ Grauhut has provided to see how the likes of "bad" testing is done, and think how you would augment it for "comparative" testing etc.
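
[Added example, not part of the comment above and not rtl-entropy's code: a von Neumann de-bias stage, a stuck-value check and a comparative drift check applied to raw bits, next to the same stuck source after SHA-256 conditioning, where the failure is no longer visible. The sample sources are constructed with a seeded PRNG; the function names, the cutoff of 40 and the chained-hash conditioner are assumptions made for the illustration.]

```python
"""Raw-source checks versus checks made after a hash.

Added illustration: the sources below are constructed with a seeded PRNG
and stand in for the raw output of a hardware noise source.
"""
import hashlib
import math
import random


def biased_source(n, p_one, seed):
    """Constructed stand-in for a raw noise source that emits 1 with p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def von_neumann(bits):
    """Take bits in pairs: 01 -> 0, 10 -> 1, discard 00 and 11."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def ones_fraction(bits):
    return sum(bits) / len(bits)


def longest_run(bits):
    """Length of the longest run of identical consecutive bits."""
    best = run = 0
    prev = None
    for b in bits:
        run = run + 1 if b == prev else 1
        best = max(best, run)
        prev = b
    return best


def stuck_check_ok(bits, cutoff=40):
    """Fail when one value repeats `cutoff` times in a row (stuck source)."""
    return longest_run(bits) < cutoff


def drift_z(reference_p, window):
    """z-score of the ones count in `window` against the commissioning bias.

    A raw source may be biased; what matters is that the bias stays put.
    """
    n = len(window)
    expected = n * reference_p
    sigma = math.sqrt(n * reference_p * (1.0 - reference_p))
    return (sum(window) - expected) / sigma


def hash_condition(bits, out_blocks):
    """Chained SHA-256 over the raw bits, emitting each digest as 256 bits."""
    raw = bytes(bits)
    state, out = b"", []
    for i in range(out_blocks):
        state = hashlib.sha256(state + raw + i.to_bytes(4, "big")).digest()
        out.extend((byte >> k) & 1 for byte in state for k in range(8))
    return out


if __name__ == "__main__":
    # 1. De-bias: the raw bias is removed, at the cost of discarded pairs.
    commissioning = biased_source(40000, 0.70, seed=1)
    p_ref = ones_fraction(commissioning)
    debiased = von_neumann(commissioning)
    print(f"raw ones={p_ref:.3f}  de-biased ones={ones_fraction(debiased):.3f}"
          f"  kept {len(debiased)} of {len(commissioning)} bits")

    # 2. Comparative test on the raw bits: same source versus a source whose
    #    bias has been pushed from 0.70 to 0.75 (constructed values).
    same = biased_source(10000, 0.70, seed=2)
    pushed = biased_source(10000, 0.75, seed=3)
    print(f"drift z unchanged={drift_z(p_ref, same):+.1f}"
          f"  influenced={drift_z(p_ref, pushed):+.1f}")

    # 3. A dead source is obvious at source and invisible after the hash.
    stuck = [0] * 4096
    hashed = hash_condition(stuck, 64)
    print("stuck raw passes:", stuck_check_ok(stuck))
    print("after hash passes:", stuck_check_ok(hashed),
          f"ones={ones_fraction(hashed):.3f}")
```
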

GrauhutFebruary 1, 2015 6:43 AM

@Clive You're welcome, if you use method number two based on the thermal noise of the amplifiers in the rtl-sdr usb stick this is imho "secure for advanced home use".

And rtl-sdrs are funny toys to play with.

sdr.osmocom.org/trac/wiki/rtl-sdr

Clive RobinsonFebruary 1, 2015 7:08 AM

@ 65535,

There are a couple of problems.

The first is the sensitivity of the phone's receiver, it almost certainly gets down to -90dBm and may be down past -120dBm when you take the inbuilt antenna design into account. A single layer of foil or aluminium is probably only good for between 20-70dB attenuation of the E field depending on the care of construction. Just "folding" aluminium foil around the phone which works in the low microwave bands is going to be nearer 20dB attenuation not 70dB of the E field thus if you are testing in an urban environment you are probably too close to the cell mast for the attenuation to be sufficient. This is why most RF cages have two carefully constructed layers separated by a reasonable quality insulator (wood is generally considered insufficient due to its moisture content).

The other issue is conductivity of the E and M fields, what may be good at DC through to UHF may well not be any good at microwaves due to a number of issues.

For a Faraday Shield to be effective it needs good electrical conductivity in all polarizations of the E and M fields. If you do the math you will find that even at mains frequency "skin depth" can be an issue (IIRC it's around 60-80 millimeters) such that making a cable any thicker will not result in a resistance drop proportional to the CSA of the cable as would be the case at DC. That is the magnetic field induced in the conductor forces the conduction of current away from the center and thus the center carries no current.

Up at microwave frequencies the skin effect is such that it uses the conductor just a few microns deep just below the high impedance oxide surface, thus the conductor really needs to be high quality like a coating of non oxide coated copper, silver or gold, aluminium just does not "cut the mustard" unless very specifically treated. Even then at microwaves less loss is involved if you don't use a conductor at all but a dielectric which is why waveguides start to be used at low microwaves, where the induced magnetic field in the waveguide wall causes the EM energy to be reflected back into the waveguide dielectric (usually but not always dry air or nitrogen, but can be expanded plastic foam of various types ).

Which brings up another issue, EM shielding is rarely just a low impedance conductor, it usually includes a magnetic component as well because magnetic fields will relatively happily go through the likes of aluminium as holding a magnet on either side will demonstrate. Thus copper coated soft iron is more effective than a similar thickness of copper or aluminium, unless the aluminium has other elements in it like chromium. Years ago when valves were still common for medium power RF generation it was common to find silver or tin plated soft iron shields around them. In part for EM shielding, in part Soft X-Ray shielding and in part for ducting airflow.

Further you also need to consider holes, slots and fractals, any sufficiently large hole will allow high frequency EM signals through, and could actually amplify them in the process. But it's not the area of the hole that is as important as it's dimensions, there are high gain antennas made with "slot radiators" early IFF systems used waveguide with slots cut in appropriate places rather than dishes or corner reflectors as they gave torus like omnidirectional gain. Avoiding slots where conductors butt up is difficult, especially if oxide or other layers make a suitably high dielectric insulator to act like a transmission line. The other problem is collections of small slots combining to make broadband radiators, this can happen with "fractal patterns" and the explanation of how they work can be found by searching for "fractal antennas", and is currently quite an active research area.

So back to your mobile phone, try the following, cut two sheets of aluminium foil of sufficiently large dimensions to provide two screening layers separated by a paper or plastic layer to prevent the foil layers touching. To wrap a foil layer first ensure the foil is flat and not crumpled fold it over the phone so that when pressed flat --like the pastry of a pastie-- the overlap is two or three CM on the three open sides. Starting with the longest side fold over the outer edges by a little under a CM, then do the same for the two short edges. Then starting with the long edge fold again in the same direction as before and then do it with the short edges in the same order. Then again starting with the long side make another fold. If you do this right what you are doing is making a "rolled" flat seam which ensures reasonable conductivity and importantly no slots or gaps. Put this in a plastic bag and fold it carefully so it covers the foil fairly tightly, use sticky tape to hold it in place. Then with the second piece of foil repeat the folding process of the first foil layer.

Test this if it works then all well and good, if it does not work put it in a second plastic bag and then put it in a "tin box" or stainless steel sauce pan with a tight fitting lid and test again.

A few years ago I built a "test rig" for doing RF measurements on mobile phones because the "professional" ones had an eye watering price. I used a metal "family selection" biscuit tin into which I made holes for N-type connectors which I both bolted and fully edge soldered into place and used EMC "feed through" for the power and audio signal and data cables. The lid once in place was spot soldered with wire straps. It provided the extra shielding I needed to use it with test instruments inside of a normal RF cage....

DreshFebruary 1, 2015 8:03 AM

@Wael
I just tried wrapping my phone in one layer of regular tinfoil (shiny layer facing out) and the thing goes dead as a brick. No signal (phone signal or wifi).

I am on 3G. Are you on LTE/4G (and, not knowing much about the field, should it make any difference?)

Vox capitisFebruary 1, 2015 8:22 AM

@Clive 9:15, What's interesting is how the existential threat du jour, in this case Russia, seeps into a technically-focused weblog. People are conditioned to use fabricated current events - in the form of catchy little turns of phrase - as cultural capital in Bourdieu's sense. The implication of the things we're taught to say by statist talking heads is WAR WAR WAR. CIA exerts precise control over the content and therefore the mental background noise of couch potatoes, NPR sophisticates, voters, and other tools.

65535February 1, 2015 9:07 AM

@ Clive, Wael, and Sam


Clive, you are indicating two layers of non-crumpled foil [possibly separated by plastic]. I’ll give that a try. Thank you for your explanation.

Sam, I did not use the shiny side outward. And, the foil was paper thin.

Wael, yes, I will try a different pot. I'll try a thicker one with an iron top.

What my first experiment failed to catch was that I called a friend and asked her to call my cell phone. I then put the cell in the pot and put the lid on. I am thinking that my friend hit redial quickly. There may have been some latency [buffering or queue of the dialing progress indicators on my end] – but she had effectively connected to my line as I put the phone in the pot. Thus, I thought the signal pierced the pot.

I am fairly sure, that the foil test indicated that the signal traveled through the foil. I had a longer time to wrap the cell phone – but again it is possible that the connection was already made before the foil was sealed around the phone.

I’ll test again when I have more time.

The main idea of my experiment is to find a low cost signal blocking item [cheap common item]. A pot seemed like a good idea – plus it conceals well with other pots. I am planning to institute a no-cell phone policy at my place [the mic and camera on most cell phones can be turned on any time – which is not real privacy].

WaelFebruary 1, 2015 10:04 AM

@65535, @Clive Robinson, @sam, @Herman,

@Herman brought a good point that helps.

@Clive Robinson's explanation sounds right. Part of the problem is that aluminum isn't the best conductor of electricity. Copper is normally used for thin shielding enclosures. The way a metal reflects the Electromagnetic wave is described in one of the links I posted, and I hate to repeat it. At one point, Mike the goat brought up a similar issue. These "insulating" pouches are commercially sold and are fairly cheap. Perhaps that's a better (and more portable) choice, unless you want to share the insulation with your head (a metallic salad bowl.) You'll still have to test it under different conditions.

60 db shield, Detractor. And a $75.00 Kick starter project seems a lot of people have a concern.

Then there is this Amazon sold product. If you look at the reviews, you'll see a mixture of opinions. An RF engineer says it works, and some others say it doesn't...

WaelFebruary 1, 2015 10:34 AM

@Dresh,

I am on 3G. Are you on LTE/4G (and, not knowing much about the field, should it make any difference?)

I worked in the field for a few years, so I was on all bands. Some tests, for example, have to do with battery performance under signal loss conditions. Other certification tests with equipment like Rohde & Schwarz, Anritsu, Agilent, etc... are conducted in completely shielded enclosures for all bands (3G, LTE,...) There were also the portable enclosures that didn't shield the phone, but were good "enough" for some tests. Shielding is a complex subject. Maybe I'll get one of my "practicing" RF engineer ex-colleagues to comment here -- haven't spoken to him in a year or so.

Would be fun to get him onboarded on this blog. He knows something about everything :) I had a lot of fun discussions with him... If he ever shows up, don't be nice to him, he loves challenges ;)

CallMeLateForSupperFebruary 1, 2015 10:36 AM

The term "security theatre" pops up here often. An article in The Guardian exposes the *other* side of the them-versus-us dynamic, i.e. terrorism, as "terror theatre".

"Provoking the enemy to action without eliminating any of its weapons or options is an act of desperation, taken only when there is no other way. Whenever it is possible to inflict serious material damage, nobody gives that up in favour of mere terrorism.

"People turn to terrorism because they know they cannot wage war, so they opt instead to produce a theatrical spectacle. Terrorists don’t think like army generals; they think like theatre producers. The public memory of the 9/11 attacks is evidence of that: if you ask people what happened on 11 September 2001, they are likely to say that al-Qaida destroyed the twin towers of the World Trade Center. Yet the attack involved not merely the towers, but two other actions, in particular a successful attack on the Pentagon. Why is it that only a few people take proper notice of that?

"Like terrorists, those combating terrorism should also think more like theatre producers and less like army generals. Above all, if we want to fight terrorism effectively we must realise that nothing the terrorists do can defeat us. We are the only ones who can defeat ourselves, if we overreact in a misguided way to terrorist provocations."


http://www.theguardian.com/books/2015/jan/31/terrorism-spectacle-how-states-respond-yuval-noah-harari-sapiens

The author wonders why most people remember 9/11 as the day the Trade Center towers fell, not the day that the Pentagon was struck. He chalks that up to the drama of tall, phallic towers pancaking into rubble. I think it probably has more to do with the fact that many, many more people died in the towers than in the Pentagon.

Nick PFebruary 1, 2015 10:47 AM

@ Wael

Poor RNG's have led to vulnerabilities before, nation-states are hunting for weaknesses like that, and NSA's Type 1 process mentions the RNG. So, RNG's are worth worrying about. That said, you can just implement a decent TRNG with whitener, a user-supplied random seed with CRNG like ISAAC, or a TRNG + user supplied seed + CRNG. I always used the middle option with cards or dice.

Regardless, the worrying on randomness should be short lived because other issues (esp endpoint) will require *much more time*.

65535February 1, 2015 10:51 AM

@ Herman

"You got to ground the pot." -Herman

That sounds like a reasonable idea. I didn’t think of it.

@ Wael, Clive Robinson, sam

Thanks for the information.

The pouch is “good” for one phone, but I have guests and children so the cell phone shield should be able to hold a number of phones. At $10 to $20 a pouch that could get expensive.

Are there any household items that could be used as a cell phone shield?

I’ll do some more tests with Clive’s advice and Herman’s grounding idea.

pathfinder8February 1, 2015 11:12 AM

Anyone tried the trick from Citizenfour when Snowden advises Poitras et al. to put their mobiles in the fridge ?

dighanFebruary 1, 2015 11:16 AM

@pathfinder It's not Snowden to Poitras, it's one of the lawyers to a PA in the lawyers meeting in Berlin.

mortimerFebruary 1, 2015 11:24 AM

@65535
My 2c: What you're trying to do is way overkill. Switching the phones off should be more than enough. If you're especially paranoid, take the batteries out as well. Bad news: unless you use an analogue (i.e. pre-1990s) phone, every handset in your house can be activated remotely to become a listening device. More bad news: do you have a smart tv connected to the internet? Any bluetooth devices (even if the bluetooth is switched off)? Have you ripped the battery out of your car (think GPS, hands-free, voice commands...)?

65535February 1, 2015 11:35 AM

“Anyone tried the trick from Citizenfour when Snowden advises Poitras et al. to put their mobiles in the fridge ?” -pathfinder8

I did. The screen fogs over so you can’t see much. Guests would not be happy with that. But, I did not hear it ring.

Clive RobinsonFebruary 1, 2015 11:35 AM

@ CallMeLateForSupper,

He chalks that up to the drama of tall, phallic towers pancaking into rubble. I think it probably has more to do with the fact that many, many more people died in the towers than in the Pentagon.

It may be simpler than that, in the UK all we saw for several hours or so of TV pictures was the Twin Towers. To be honest whilst I can mentally recall the Twin Towers quite vividly I have no visual memory of the other tower or the Pentagon, none whatsoever.

I don't know if that is the same for other people, but that is what I remember from the day (along with trying to explain to shocked work colleagues that it was a terrorist attack not a tragic accident and why the towers had collapsed the way they did).

I certainly don't think it was due to "phallic technobabble", the twin towers were an easily recognised landmark seen around the world in films and television series as a way of saying "welcome to NY" visually.

As for the Pentagon, I think the only pictures I have ever seen of it are from the sky. Whilst I may have seen a street level photo I have no recollection of it. In that respect it's like the GCHQ doughnut / spaceship, all you get to see are pictures from above, and they stick in your mind like that.

Nick PFebruary 1, 2015 11:37 AM

re cell phones

We managed to get by for thousands of years without being reachable 24/7 by cellphone. Industrial society with telecom got by for decades. So, just take the battery out of it unless you absolutely have to be reachable. You might also select a phone where that's easy plus a case (or pouch) that can fit both phone and battery. I just threw it in part of my briefcase or backpack. Knowing how I pick them, always plenty of compartments to choose from. :)

GrauhutFebruary 1, 2015 11:54 AM

@Nick Many dumbphones today have a non detachable battery.

A butter cookies metal box and some copper tape fix this easily. :)

65535February 1, 2015 11:56 AM

“…just take the battery out of it unless you absolutely have to be reachable.” – Nick P

I do that. But, I was trying to think of a simple and not so invasive method of enforcing my new “no-cell phones in here” policy. That would include guests and children.

“Switching the phones off should be more than enough. If you're especially paranoid, take the batteries out as well. Bad news: unless you use an analogue (i.e. pre-1990s) phone, every handset in your house can be activated remotely to become a listening device.” –mortimer

I know that.

And, that is the idea behind my “no-cell phone” policy.

I was looking for cheap, easy, and preferably household, quasi Faraday cage to hold multiple internet enabled [and Bluetooth] devices.

There has to be an alternative in a house to block RF communication devices that can be switched on secretly [or silent ring’d] among all of the junk around.

pathfinder8February 1, 2015 11:59 AM

@Nick P

Totally agree in taking out the battery being the best move and most reliable one at that.

Never owned a phone and never will if the battery cannot be taken out simply.
Though some people might have iphones and what have you where you would need to take the whole thing apart to actually know for sure that it is powered down for certain.

65535February 1, 2015 12:07 PM

“…get one of those smaller beverage fridges that fits a few six-packs, it need not even work, just unplug it from electricity… “ -pathfinder8

That is a good idea.

WaelFebruary 1, 2015 12:12 PM

@Nick P,

Poor RNG's have led to vulnerabilities before

True! You know that, the bloggers know that, and even I know that. But is RNG the weakest ring in the link? Short of this sort of "Cryptography", we've got a lot more serious issues. Then, even if you have a Truly "random" generator, other weaknesses at the end points would nullify that. TRNG are good for data in transit given that your end points are "Secure". Cryptographers should worry about "randomness". "Security engineers" look at "other things" as well -- the complete end to end security, and "randomness" pales compared to "other things"...

65535February 1, 2015 12:19 PM

"A butter cookies metal box and some copper tape fix this easily. :)" –Grauhut

Wow, that sounds good.

WaelFebruary 1, 2015 12:36 PM

@Clive Robinson, @CallMeLateForSupper,

It may be simpler than that, in the UK all we saw for several...

That's my take as well.

Nick PFebruary 1, 2015 1:44 PM

@ Wael

Oh, I agree. The point was that we have to worry about each and every part of the security scheme, including RNG. Enemies are counting on us to forget about something. For practical reasons, I advocate coming up with reusable solutions like my manual seed + CRNG option. That way, we worry once about the scheme, are done with that, and then just do a tiny bit of worrying during integration with next project. We can do this for many pieces of the problem.

@ Wael, Clive

Back to security engineering. Closest, practical thing to Clive's prison concept are the distributed information flow tracking (DIFT) architectures. They typically tag data based on provenance (esp risky I/O) and/or type. Security features kick in if certain operations (eg pointer manipulation) happen with "tainted" data. There's usually quite a bit of overhead and modification to various parts of the system. Then there's this scheme.

It's clear to readers that, although flexible about approaches, I'm mostly focusing on schemes that make leaks or code injection flat out impossible with decent performance. However, I couldn't help but admire the pointer policy used in this scheme [but developed elsewhere]. Pointers have two tag bits: one to represent any legitimate pointers, another to represent tainted/risky data. If both bits are 1, dereferencing isn't allowed unless a trusted program declares the data legitimate. Simple trick stops many attacks like overflows with only two bits of overhead. Nice. Their overall scheme also has nice performance, hardware dev/resource properties, and runs legacy Linux code.

What I still think is we need some talented security engineers coming up with a checklist of about every type of code injection attack (or invariant to ensure), reviewing each of these clean slate designs against the criteria, assessing the assurance of their claims, and turning that into a technical report for various stakeholders. The report might also include things such as legacy compatibility, performance hit, amount of chip modification, intellectual property rights, and so on. This could help those designing or funding chips (plus research) to focus on what has most value.

Sadly, I've seen little activity like this so far outside a "Survey of" paper here and there along with "related work" section of papers. Those are *great* papers and sections for sure. Yet, I'd like to see more detail and empirical data from people experienced in both sides of the game. Last chips standing that are also practical all get funded and brought to market somehow.
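Added example (not part of any comment, and not code from the scheme discussed): a small software model of the two-tag-bit pointer rule as the comment above states it. The word layout, the OR-propagation of tags through arithmetic, and all names (`word_t`, `trusted_validate`, `lookup`) are assumptions made for illustration; the memory contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define MEM_WORDS 64

/* One machine word plus its two tag bits (hypothetical layout). */
typedef struct {
    uint32_t val;
    unsigned ptr   : 1;  /* 1 = derived from a legitimate pointer   */
    unsigned taint : 1;  /* 1 = derived from untrusted/risky input  */
} word_t;

enum { ACCESS_OK = 0, TAG_FAULT = -1, RANGE_FAULT = -2 };

static uint32_t mem[MEM_WORDS];

/* Constructed memory image: a table at words 8..15, other data at word 40. */
void init_memory(void) {
    for (uint32_t i = 0; i < MEM_WORDS; i++) mem[i] = 0;
    for (uint32_t i = 0; i < 8; i++) mem[8 + i] = 100 + i;
    mem[40] = 0xC0FFEE;  /* neighbouring data that is not part of the table */
}

word_t w_const(uint32_t v)   { word_t w = { v, 0, 0 }; return w; }
word_t w_input(uint32_t v)   { word_t w = { v, 0, 1 }; return w; } /* risky I/O */
word_t w_pointer(uint32_t a) { word_t w = { a, 1, 0 }; return w; } /* trusted allocator */

/* Assumption: tags propagate through arithmetic by OR, so pointer plus
 * tainted offset yields a word with both bits set. */
word_t w_add(word_t a, word_t b) {
    word_t r = { a.val + b.val, a.ptr | b.ptr, a.taint | b.taint };
    return r;
}

/* The rule from the comment: both bits set means no dereference. */
int load(word_t addr, uint32_t *out) {
    if (addr.ptr && addr.taint) return TAG_FAULT;
    if (addr.val >= MEM_WORDS)  return RANGE_FAULT;
    *out = mem[addr.val];
    return ACCESS_OK;
}

/* The "trusted program declares the data legitimate" step: clears the
 * taint bit only if the address lies inside [base, base + len). */
int trusted_validate(word_t *p, uint32_t base, uint32_t len) {
    if (p->val < base || p->val - base >= len) return 0;
    p->taint = 0;
    return 1;
}

/* Table lookup driven by an untrusted index. */
int lookup(uint32_t base, uint32_t len, uint32_t user_index,
           int validate, uint32_t *out) {
    word_t p = w_add(w_pointer(base), w_input(user_index));
    if (validate) (void)trusted_validate(&p, base, len);
    return load(p, out);
}

int main(void) {
    uint32_t v = 0;
    init_memory();
    printf("unvalidated index 3 : %d\n", lookup(8, 8, 3, 0, &v));
    printf("validated index 3   : %d (value %u)\n", lookup(8, 8, 3, 1, &v), (unsigned)v);
    printf("validated index 32  : %d\n", lookup(8, 8, 32, 1, &v));
    return 0;
}
```

The model enforces only the single rule quoted in the comment; a word with the taint bit set and the pointer bit clear is not covered by it.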

FigureitoutFebruary 1, 2015 1:50 PM

Wow, that sounds good.
65535
--Mentioned before, most every RF engineer probably has a roll of it somewhere. 3M has some: http://solutions.3m.com/wps/portal/3M/en_US/ElectricalOEM/Home/Products/ProductCatalog/?N=5430708+5006101&rt=r3

I would go the copper route too. Check out a hamfest too if you're really serious, you can probably get some EMI-stuff for good prices. And I would *at bare minimum*, again if you're serious, do nothing less than double shield w/ insulation of course (otherwise it's a single layer).

Word of caution, shielding can become an obsessive pursuit if you're susceptible to OCD-tendencies. For instance I've heard multiple times the high shrill of I believe an inductor on a few PC boards and phone chargers and also *I think* power supply noise somehow being audible to me when I move windows on the screen and plug in USB sticks (I imagine any I/O and processing, I'll hear it). If I can hear it, you damn well know a tuned radio can hear the harmonics, probably from much further away. Doesn't make me feel good when I see wires going across the entire motherboard and outwards (like LED power lights, or headphone jacks); nor seeing the effectiveness of PCB antennas.

I would take the battery out and be done w/ it. Something I just stumbled across yesterday, found yet more phones in my house, this one's been sitting for years, and had its battery in mind you...yet they tend to lose their charge (at least one would think and reason from experience). Power it up and apparently has been able to retain enough charge to supply some RTC as it brought up the correct day and was off-time by an hour (daylight savings thing probably).

Bong-smoking Primitive Monkey-Brained SockpuppetFebruary 1, 2015 1:54 PM

@mortimer,

What you're trying to do is way overkill

This would be an overkill.

My 2c:

Oh, no! It's $1.00 , Mortimer :)

Dirk PraetFebruary 1, 2015 1:55 PM

@ 65532, @ pathfinder8 , @ Grauhut, @ Nick P

I was looking for cheap, easy, and preferably household, quasi Faraday cage to hold multiple internet enabled [and Bluetooth] devices.

What you need is a standard US military aluminum electronics storage box. A friend of mine has one like these. With a little luck, you can find them for about $25,95 plus shipping.

Functional MRIFebruary 1, 2015 2:06 PM

@Vox capitis "CIA exerts precise control over the content and therefore the mental background noise of couch potatoes, NPR sophisticates, voters, and other tools."

That would explain the stereotypical Republican/Democrat constructions. Two false alternatives dialectically balanced to cancel the power of the other.

In this scenario, mass surveillance is used to regulate the spin.

Words from the government would not be information bearing, but rather designed to be instruments of control.

The manner in which the CIA addresses people would naturally be guided by a scientific analysis of words hitting the mind. By bypassing the rational center of the brain, they could shape emotions at the brain stem.

FigureitoutFebruary 1, 2015 2:13 PM

Nick P
focusing on schemes that make leaks or code injection flat out impossible
--I don't believe it. I'm not sure how long "tagging" will hold up either, sounds pretty weak to be quite honest, like a "hack-n-patch"; almost like assigning a "pointer" to data as well or just adding data (metadata). And how was the PC made to establish this root is always a question. The problem's too hard and there's too much room to hide and too much deception possible.

If I'm bringing in a file from an untrusted area (internet, always the internet), and even checking it on another "goner" testing PC running a VM watching for infection; I'm still relying on software checking software when I eventually run it thru my one-way cable to my developing PC which must remain clean; the infection always cascades to the next one.

WaelFebruary 1, 2015 2:37 PM

@Nick P, @Clive Robinson,

Closest, practical thing to Clive's prison concept are the distributed information flow tracking (DIFT) architectures

That, and Bromium. Thing is the delineation of C-v-P isn't crystal clear (in my mind) yet -- it can have a frame of reference dependency. Getting closer, though...

Closest, practical thing to Clive's prison concept are the distributed information flow tracking (DIFT) architectures.

I agree with your assessment! At a more advanced level, we'll not only "imprison" data, but components, pieces of code, and subsystems as well... There is the "who" guards the "guard" problem, and @Clive Robinson's voting, predictive, and probabilistic security schemes are a few possibilities that haven't been detailed to an implementable level as of yet; some elements are implemented today, but not the whole idea. DIFT and the "Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor" are worth reading.

What I still think is we need some talented security engineers coming up with a checklist of about every type of code injection attack

This is a moving target (expanding.) At what point will we be able to say: Here is a complete list of injection attacks? However, I do agree that this list can serve as a validation or "smoke screen test" vector for systems.

Sadly, I've seen little activity like this so far outside a "Survey of" paper here and there along with "related work" section of papers

True, and I won't venture into divining the reasons. Too speculative, subjective, and debatable, but it has to do with money, academia, and industry -- and "smoke and mirrors" as well as "dog and pony shows", etc...

tinfoil homburgFebruary 1, 2015 3:31 PM

@Wael, @Clive Robinson, @CallMeLateForSupper

Re Pentagon memory hole: from the reporting and pictures I've seen, it's not at all clear what went on at the Pentagon. The event itself was not as visible or memorable, but it's also a military structure, so secrecy and obfuscation are bound to be involved.

Nick PFebruary 1, 2015 3:51 PM

@ Figureitout

Many evaluations, arguments, and sometimes mathematical proofs have backed such architectures. Flaws were never found in some. Then, you say without evidence that such approaches are weak, hack n' patch, and so on. Then you give an alternative setup that has those exact properties. Why the double standard?

@ Wael

"That, and Bromium. Thing is the delineation of C-v-P isn't crystal clear (in my mind) yet -- it can have a frame of reference dependency. Getting closer, though..."

That's why I don't like the metaphors regardless of how good they sound. The trouble they cause leads to effort wasted. Better to focus on the proposals themselves: TCB, design, security policy, security mechanisms, how they correspond, and assurance of each. Bromium I wouldn't compare to Prison as it's really just a Qubes-style virtualization security scheme with some AV/NIDS/HIDS type tech integrated. (My guess, that is.) Its granularity is at practically the OS and app level. Prison architecture works at the "function" or task level across the entire system with mediation kicking in upon changes to main system state.

So, separation kernel architectures with message routers, hardware functional programming with mediation, system wide inline software monitors, DIFT/tainting... these techniques seem to fit his model better than others. One of the reasons for requiring small granularity is that it's easier to analyze along many lines. Virtualization schemes usually have whole OS's and app's worth of data moving around. At best, as with Flicker and SKPP, we can argue the properties of an isolated app outside the main systems. That's useful but nothing like claims by clean slate or prison architectures.

"we'll not only "imprison" data, but components, pieces of code, and subsystems as well... "

Sort of. Many schemes are isolation based. The SAFE-style tagging schemes seem to be about tying together a type of data with permitted operations. So, it's more about permissible operations than really imprisoning things. The system architect could make a system with no security at all. Example: a Python interpreter with access to system routines/data and a web front end for user submitted scripts. The interpreter won't be compromised, but it can compromise everything else. So, the proper concept for security architectures is a superset of all of it: control of data or operations to enforce a specific requirement.

" @Clive Robinson's voting, predictive, and probabilistic security schemes are a few possibilities that haven't been detailed to an implementable level as of yet; some elements are implemented today, but not the whole idea. "

There could definitely be work in that area. Fortunately, recovery-oriented architectures, availability architectures, and security through diversity work keeps innovating on such techniques. Byzantine failure research alone has reinvented and revised the concepts repeatedly. So, I'm sure we'll get to read (and maybe use) plenty more good work in that area in the future. In some*, the voter itself is distributed and attempted to be fail safe. I'd especially like to see more research like that.

* Note: That was just the first search result and is for illustration of the principle only.

"This is a moving target (expanding.) At what point will we be able to say: Here is a complete list of injection attacks?"

There's two ways of doing it: argue that it stops specific attack vectors; show that it, in all cases, maintains an invariant that makes attack vectors irrelevant. As you said, the first is a "moving target" or as I say a "perpetual backdoor generating machine." Second strategy is what I advocate where possible with first just a check against it or an interim approach to problems not solved by strong methods yet.

The simplest example is a control flow integrity scheme where every jump is mediated against a whitelist of allowed jumps. Come up with a hundred types of data to use or ways to put it in the jump. Still fail in the attack because the jump doesn't meet the criteria. Another is capability hardware that treats pointers as special, limits their memory access, restricts their creation to approved processes, and enforces security policies (eg read/write/execute/propagation) on them. Many key attacks smash or abuse pointers directly, which is provably impossible in such a system. In each of these systems, attackers will likely have to string a bunch of flaws together in a smart combination to breach the system. Much like Chrome sandbox attackers often do. Strong mechanisms are developed over time to give attackers more duck tape, shackles, scrutiny, and so on.

"but it has to do with money, academia, and industry -- and "smoke and mirrors" as well as "dog and pony shows", etc..."

I'll take a guess: all three are better off *creating* rather than *reviewing* things. We know industry doesn't like security, much less rigorous evaluations. They make more money by promoting faux security and reducing the real thing. Easy. Academia, on other hand, *does* regularly evaluate others' work if only because schools seem to require it. Why not regular and thorough examinations of a whole subfield, though? My hypothesis is that they get more fame, citations, and I.P. licensing fees by creating more usable results. Creating significantly less tech to review existing tech detracts from all those and so it's not in their incentive to do that.

I mean, I've been doing it for years. Result: no splendid office, salary, or academic title. Academics' response might be that simple. It might be other things. Open for debate like you said.

re your old advice

You said the best approach will probably be the cheapest to implement. I've kept it in consideration. One thing I've noticed, more intuitively than measured, is that academics have come up with a great many ways to enforce strong security with seemingly similar amounts of effort. Might indicate that development cost is similar across projects that don't have to make substantial modifications to, say, whole CPU's. If so, then the cost model is that being able to afford to develop a solution at all = being able to afford to develop a really good one. That's some good news in a field without much of it.

Now, the unit costs are a *totally different story.* Ignoring process node costs, the extra cost of a secure chip is how much stuff you put in the chip (individual chip cost) and how many chips are needed to make up for performance disadvantage. Naturally, the less a scheme does on the chip, the cheaper the unit cost will be. The optimization here is (1) to put an upper bound on price based off what market will usually pay for semi-premium stuff, (2) determine which approaches can be made for under that amount, and (3) pick the best of them.

It's helpful that the individual papers offer plenty of measurements on performance and chip area. Some even do power consumption. Plenty to draw on.
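Added example (not part of any comment above): the control flow integrity idea described in this comment, as a software sketch in which every indirect call passes through a monitor that checks the (call site, target) pair against a fixed whitelist. The call-site IDs, function names and the `mediated_call` interface are hypothetical; real schemes enforce this in hardware or compiler-inserted checks, and the monitor here stands in for that trusted component.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Functions that exist in the program image. */
int op_double(int x)   { return x * 2; }
int op_negate(int x)   { return -x; }
int admin_reset(int x) { (void)x; return 9999; }  /* privileged routine */

/* Each indirect call instruction gets an ID (hypothetical numbering). */
enum call_site { SITE_DISPATCH = 0, SITE_ADMIN = 1 };

enum { CFI_OK = 0, CFI_VIOLATION = -1 };

/* The whitelist of permitted control-flow edges. It is const, so it sits
 * outside the data an attacker-controlled write is assumed to reach. */
struct cfi_edge { enum call_site site; handler_fn target; };

static const struct cfi_edge cfi_whitelist[] = {
    { SITE_DISPATCH, op_double   },
    { SITE_DISPATCH, op_negate   },
    { SITE_ADMIN,    admin_reset },
};

unsigned cfi_violations = 0;  /* counter a monitor could export for alerting */

static int cfi_edge_allowed(enum call_site site, handler_fn target) {
    size_t n = sizeof cfi_whitelist / sizeof cfi_whitelist[0];
    for (size_t i = 0; i < n; i++)
        if (cfi_whitelist[i].site == site && cfi_whitelist[i].target == target)
            return 1;
    return 0;
}

/* The mediation point: the jump happens only if the edge is whitelisted.
 * How the bad value got into `target` is irrelevant to the check. */
int mediated_call(enum call_site site, handler_fn target, int arg, int *result) {
    if (!cfi_edge_allowed(site, target)) {
        cfi_violations++;
        return CFI_VIOLATION;
    }
    *result = target(arg);
    return CFI_OK;
}

/* A request object whose handler pointer lives in writable memory. */
struct request { handler_fn handler; int arg; };

int run_request(const struct request *r, int *result) {
    return mediated_call(SITE_DISPATCH, r->handler, r->arg, result);
}

int main(void) {
    int out = 0;
    struct request r = { op_negate, 5 };

    printf("legitimate call: status %d, result %d\n", run_request(&r, &out), out);

    /* Stands in for any memory corruption that redirects the pointer to
     * a function that exists but is not valid for this call site. */
    r.handler = admin_reset;
    printf("redirected call: status %d\n", run_request(&r, &out));
    printf("violations logged: %u\n", cfi_violations);
    return 0;
}
```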

SkepticalFebruary 1, 2015 4:43 PM


@Grauhut: Poor Skep, do you really still believe you are fighting for a people's freedom? You don't. You fight for the interests of your 1% capitalist elite and you only get what falls from their tables.

I'm simply someone who enjoys discussion. My views are quite mainstream and moderate, and if I had any connection to the subjects I discuss then I wouldn't be discussing them. Let's dispense with the silly accusations.

But as far as the US economy, the 1% certainly benefit more than the rest (as is the case the world over). However, the American economy is doing quite well relative to the rest of the developed world. Each month somewhere around 260,000 new jobs are added, and overall the economy has grown somewhere around 13% in total since the recession in 2009.

Europe has had more difficulty, due to the political structure of the EU, but one hopes for the best.

I'm puzzled as to why the indictment of the SVR officer would be so rousing to you. The complaint spells out the case rather clearly. It's hardly surprising that the SVR would have officers in New York City. Why shouldn't they? There are Russian patriots just as there are American patriots who are willing to work for their respective intelligence services abroad.

Zerohedge published a copy of the full complaint in the case of "Attorney General Holder Announces Charges Against Russian Spy Ring in New York City" on Scribd, read it. Funny conspiracy theory! :)

The complaint is open to the public, Grauhut. It was published by the US Justice Department on their website as well, here. No need to rely on Scribd or Zerohedge. The US legal system is quite open about these things.

There are recorded conversations from inside the SVR's NY office, intercepted telecommunications, conversations with confidential informants, and interviews of potential assets that the SVR attempted to recruit.

Not really a conspiracy theory at all. Quite dry stuff. And a very clear case.

Of course they have, the destabilization of the Ukraine was financed by the US.

A rather humorous remark given the involvement of Russia's military in Ukrainian rebel groups.

But if you jettison Putin's desire to dominate Eastern Europe as though the Soviet Union still existed, Russia and the US have many interests in common. It's curious, and sad, that two nations with so much to gain from cooperation and friendship should be at odds with one another.

Your bosses want the Siberian resources, not your freedom. That's all this is about. :)

Now we've entered the realm of conspiracy theories. :)

The US didn't even take the resources of Iraq, and did not oppose the involvement of companies of all nations in bidding for contracts with the Iraqi Government (and China's oil company did quite well in this). So to claim that the US has designs on Siberia... seriously, it's a bizarre claim. One should take it as seriously as the notion that the US is preparing to invade Antarctica.

When it comes to resources, the US believes in investment and free trade, not conquest and theft. As with all nations, this was not always the case, but it has been the case now for many decades.

Is Putin paranoid or is this a true risk? ;)

I don't think Putin believes a word of it. Do you?

Seems the Russians were kicked out because nobody wants a discussion about the "weapons of finance", the mechanisms of using ETFs and trading bots for destabilization of the markets.

Whether high-frequency algorithmic trading can destabilize the markets has been a robust subject of discussion throughout the world, and certainly the US, for years now. Google "flash crash" for the event that sparked that discussion.

The SVR officer wasn't indicted merely for being a foreign agent, mind you. That would have been entirely legal. He was indicted for failing to register as a foreign agent. Put differently he was operating under non-official cover. But it appears to me that he's being treated quite well. No one has paraded him before cameras for the media, and the US seems to have been professional about the affair, going so far as to omit from the complaint the names of other SVR officers recorded in conversations with the arrested officer. One imagines Russia will trade something for him, and that he'll be home and rewarded suitably for his sacrifices as an officer of the SVR, as he should be. He seems to have been in the service of the SVR for some time now, and in nations other than the United States.

WaelFebruary 1, 2015 5:03 PM

@Nick P,

That's why I don't like the metaphors regardless of how good they sound. The trouble they cause leads to effort wasted.

If it were just a metaphor that sounds cool, then you're absolutely correct. I'll completely drop the subject if I ever see it that way.

The simplest example is a control flow integrity scheme where every jump is mediated against a whitelist of allowed jumps

Who performs mediation, is it a functionality of a TCB residing component? Using "passive voice" simplifies and hides a lot of the details. I had this request before! Remember? I more or less agree with the rest of what you said.

I mean, I've been doing it for years. Result: no splendid office, salary, or academic title

The image I have of you is that of a researcher sitting in a cube working on a dissertation, is that close? Shed some light on what you do :)

AndrewFebruary 1, 2015 5:27 PM

Does anyone have deeper knowledge of how far digital communication over power lines got?

I'm thinking of things like triggering a built-in processor kill switch with a certain variation of electricity (a sequence) from a device attached to power lines, or something bigger, for example at a country level.
Or extracting data from a computer by performing commands in a similar way, to some backdoor-ed components?

An interesting map of Crimea region in exchange:
http://static1.businessinsider.com/image/545a6f18eab8ead4588b456c-876-597/screen%20shot%202014-11-05%20at%201.39.28%20pm.png

SkepticalFebruary 1, 2015 5:59 PM


@ Shifting-Pseudonym: Ha ha, "crippling the Russian economy," that's the kind of economic baby talk you say if you live off taxes and you never had to meet a payroll and you know jack shit about macro or finance or commerce. Russian debt to GDP is 11%. US debt obligations to Russia cover two thirds of that.

Some of us understand what it means when the Russian Central Bank has interest rates at 15%, what it means when Russian Government bonds yield 15%, and what it means when the ruble trades at 70 to the dollar. Some of us understand the implications of Russian banks and companies being shut out of international debt markets, of foreign currency flows from oil sales being suddenly cut in half, and of what it means for much of the debt of Russian banks and companies, including state owned companies, to be denominated in dollars or euros.

Some of us understand, and were not surprised, when S&P downgraded Russian Federation debt to junk status last week, and why the other two major ratings agencies have that debt on review (and currently rated a notch above junk status) and are likely to follow suit.

Some of us understand what it means when Moody's estimates that Russia's economy will contract more than 6% in 2015, and another 3% after, leading to a state of zero growth in the 2010-2018 period.

Some of us understand what it means when Russian real wages were down nearly 5% year over year in December, and what it means when Russian disposable income was down nearly 7% year over year in December.

And then some of us don't.

Do we need to wonder which basket you fall into? Probably not.

This is serious business, not a football to be kicked around in a propaganda. If you're not going to take it seriously, and if you don't understand the gravity of the challenges facing the Russian economy, among others, then perhaps you should read more before you comment, or perhaps you should comment in a more honest way.

"poisoning relations with the outside world," Skep can't tell the difference between the outside world and the weakling NATO vassal states. Putin is losing interest in the Western bloc. So are the Swiss, who just agreed to trade RMB, reinforcing ruble/RMB settlement agreements - and Eurasian integration - as NATO and the EU cracks.

Where is trading RMB disallowed? You're merely demonstrating your ignorance of these matters by making such remarks. As to the idea of the Swiss "losing interest in the Western bloc"... wow. Did you shop that idea around at Davos a few weeks ago?

"Hostile to each other," more statist brainwashing. Russia is indifferent, not hostile. Russia incurred US government hostility by articulating international law.

Yes, of course, the renowned Russian respect and stalwart support for international law. As evidenced by the fact that sanctions have been levied against them by the entire developed world. Thanks for clearing that up.

@albert: I sincerely hope that Greece, with Spain, Italy, and Portugal sort out their economies, tell the ECB and the IMF to go ... themselves, and get away from the banksters poisoned well, and the US/EU insane foreign policies. Geez, you'd think Germany would grow a pair, by now.

Yes... adopting a policy of withdrawing from the eurozone (that's what is involved in telling the ECB to screw off) is certainly likely to help sort their economies. But you know, on second thought, perhaps a massive financial collapse isn't likely to be the best thing for anyone?

In any case, Germany has actually acted against what most of the US advised with respect to the eurozone periphery. This is why you only see the ECB enacting quantitative easing today (something resolutely opposed by Germany), while the US Federal Reserve did so years ago and has just ended it. But there is no easy answer to the eurozone's problems. They won't be solved by telling anyone to "go ... themselves", as even Syriza knows.

Where the US and Germany and France and most of Europe, especially Eastern Europe, are in agreement is Russian aggression in Ukraine. It's simply unacceptable conduct in Eastern Europe, it threatens other Eastern European states, and for obvious reasons no one is going to acquiesce to Russia's attempt to re-institute a Soviet order in Eastern Europe. Putin pushed things about as far as he could when he took Crimea. No one is going to sit still for anything beyond that.

There is enormous potential in Russia, in Ukraine, and in other countries that is going to waste because of what is ultimately a pointless confrontation which serves the long-term interests of no one. Huge economic opportunities are being missed in those countries, which are filled with talented and eager people who can take advantage of those opportunities, because of this confrontation.

What I hope for, above all, is peace and cooperation among all of these countries, from which prosperity and progress can emerge with renewed promise for future generations.

Clive RobinsonFebruary 1, 2015 6:14 PM

@ Wael,

The "Butter Cookie" tin you provide a link to, looks about the same size as a UK "family selection" tin.

But be warned, in the UK these "tin boxes" are going the way of the old 1 ounce "tobacco tin" that radio hams used to use... that is they are being replaced by plastic :-(

So stock up whilst you "can"...

@ 65535, and others interested in fridges,

The fact that Ed Snowden made the journos put their phones in the minibar may have absolutely nothing to do with EM shielding, and everything to do with shielding sound and light.

Sometimes OpSec is pragmatic and the underlying reason for doing something may not be obvious. One such is field training that tells people to write messages on single sheets of paper on the front of a photo frame. The real reason is that glass does not take an impression from a pen or pencil, and a wipe down with a cloth will stop an ESDA test showing what has been written. The pragmatic reason is --nearly-- all photo frames use glass, they are expected items on desks and in homes, hotels etc, people carry them with them when traveling just like travel alarm clocks, that is they fit in without question just about anywhere you might want to write a confidential note. Also they are usually of a convenient size to use as a flat surface to write on your knee with, and being caught holding one is not much more suspicious than holding a cup.

On the assumption Ed Snowden suspected that the journalists were being actively monitored via their mobiles, just turning off a mobile phone would be suspicious (they send a message to the network before powering down). Likewise going "fully out of range" in a hotel room is also suspicious. However getting a much weaker signal is not suspicious, it's what happens in many hotels when you go into the passage from the bedroom to the room door into the corridor, that also has the door to the bathroom, and a place to store suitcases and often a shelf for a kettle and minibar etc.

So whilst putting the phone in a minibar fridge would reduce its radio signal it would in no way guarantee that the RF signal would be blocked entirely. In fact it's probably quite unlikely, thus there is probably another reason. What would probably happen is that the door seals and thermal insulation on many minibars or small fridges act as a very effective sound and often light insulation as well. Strange as it might seem people often pop valuables in strange places in hotel rooms when they sleep/rest/bath or pop out for a short while, on the assumption that if the valuables are not visible they won't get stolen... thus putting your phone in the back of a minibar close to the cooling pipes, whilst odd, is not odd enough to be suspicious in its own right, even if there is a "room safe" (as is so often the case "the smarter the person, the dumber the action").

As for anyone listening in on a weak mobile phone signal, they are going to get the reward of hearing the noise of the "freon"* circulating, and the pump noise and the rattle of stuff moving due to the pump vibration.

Thus if you open a minibar door for a couple of minutes, it will definitely kick off the cooling system, then pop the phones in and shut the door, it will take the minibar anything up to five minutes to drop the temperature back down, this gives you five minutes of private chat time, whilst the cooling system gurgles and hums in a very random way.

* yes I know it's no longer freon used in fridges, but do most people know or care what the various gases are actually called these days?

AnuraFebruary 1, 2015 6:29 PM

yes I know it's no longer freon used in fridges, but do most people know or care what the various gases are actually called these days?

Refrigerant?

BuckFebruary 1, 2015 6:33 PM

So, (and please pardon my metaphor here, Wael) if the U.S and Russia are facing off against each other in the Super Bowl - who will play the role of the Patriots, and who will play the Seahawks? Does this most epic battle also happen to have anything to do with Democrats/Republicans..?

Clive RobinsonFebruary 1, 2015 7:13 PM

@ Anura,

Refrigerant?

Ouch, I guess I deserved that, for "trying to be too smart" :-)

@ Nick P, Wael,

I am not keen on tagging data, for a whole heap of reasons, even though it does move part of a very difficult software issue into a fairly simple hardware issue.

The "big" problem is "How many bits do you need?" Whilst a couple of bits for a pointer might sound good, what about other data types? Especially those variously sized ints that get promoted to pointers when doing pointer arithmetic.

Bit tags are a constraint on data types because you have to find a reliable and secure way to ensure they are used properly. The simple and most constraining and inefficient storage wise way is to use fixed container widths of say 64bits for all data types, but this still falls foul of other issues such as arrays of data. It also ignores the very complex issue of how the flags are set/cleared/used/ignored and when and why, and most importantly by whom.

More importantly do you have tags for char,int,long long etc and do you also have a tag for if they are signed or not, also what about null data or unset values? As we know many many bugs happen due to casting types or using signed types as unsigned types.

You quickly start to realise that your 64bit data container might need more than 32bits for tagging, even in a data type poor language such as C. And that's before the big question of memory management, how do you allocate or deallocate memory such that it can be used effectively and efficiently...

It's why for "prisons" I went for memory control in regions via MMU not tagging. Whilst it does not stop bugs due to data type conversions it does not constrain the data types available in high level languages.

On balance I find the lack of tagging less secure but more efficient as well as more programmer friendly thus market friendly than tagged systems which with a very limited and fixed data type set are more secure. The trade off is complex but I just don't think the general computing market is going to accept the significant limitations of tagging for what will be seen as a marginal increase in security.

However I'm quite open to persuasion especially as I suspect the pragmatic result will be a hybrid solution.

WaelFebruary 1, 2015 7:26 PM

@Clive Robinson,

looks about the same size as a UK "family selection" tin.

In the Land of Plenty, this would be the family size version. One of my favorite cookies, if only they reduce the amount of salt they use... I have a few empty ones stored. Will try to see how effective this weapon is when I get a chance...

samFebruary 1, 2015 7:36 PM

@ Clive Robinson "I don't know if that is the same for other people, but that is what I remember from the day (along with trying to explain to shocked work colleagues that it was a terrorist attack not a tragic accident and why the towers had collapsed the way they did)."

Err, you must not have been an American. Within 30 minutes of impact, bin Laden's photo and burning towers were shown on tv. Some stations overlaid his mugshot with the burning towers, it's a mental image that sticks for most of us.

@ 65535 "I do that. But, I was trying to think of a simple and not so invasive method of enforcing my new “no-cell phones in here” policy. That would include guests and children."

You have a group of people converging on a loc, battery out, lol... say hello to Fred

Dirk PraetFebruary 1, 2015 8:04 PM

@ Shifting-Pseudonym

Skep just kicked your *ss bigtime. It just goes to show that there really is no point in throwing around platitudes. You may not like his opinions, but he certainly isn't the idiot you take him for so you may wish to consider posting yours too in a bit more articulate and informed way than you have been doing so far.

@ Clive

But be warned, in the UK these "tin boxes" are going the way of the old 1 ounce "tobacco tin" that radio hams used to use... that is they are being replaced by plastic

Let's get one thing straight: any half-wit manager discontinuing the traditional Altoids tin will be dealt with severely. They can be reused in so many ways. Some folks are even said to house Beaglebones in them.

@ albert:

I sincerely hope that Greece, with Spain, Italy, and Portugal sort out their economies, tell the ECB and the IMF to go ... themselves

We all do, but telling the Troika to go sod themselves will just lead to bankruptcy and destabilisation of the entire Euro-zone. The best thing the new Greek government can do is try and renegotiate the spread of debt payments over a longer period of time. The ECB will never agree to any other form of debt relief as this will encourage Spain, Portugal and others to do the same. Syriza knows that only too well, and they desperately need the next payment somewhere in February to avoid default.

What the ECB, IMF and others fail to see however is that they only have themselves to blame for the rise of Syriza and its Spanish counterpart Podemos. The horrible austerity measures that were imposed had and continue to have devastating consequences for the general populace whereas the parties responsible for the financial crisis - and as usual - got away. That includes national politicians, EU politicians and banksters like Goldman Sachs who cooked the Greek books to get them into the Euro-zone.

As to Ukraine, the US and EU in pursuit of their own geo-political and economic interests completely underestimated Putin's resolve to keep the country in Russia's influence sphere. Any politician with half a brain could have foreseen what would result from an acute clash of interests in this particular region. I don't condone what Russia is doing, but the outcome of civil war and yet another totally destabilised country was as predictable as the sun rising in the morning.

tyrFebruary 1, 2015 8:23 PM


@Clive Robinson et al

You might look for a military surplus ammo can. Fairly
cheap in USA, made of steel, and designed to minimize
RF inside. Replace the gasket with steel wool for a
bit more overkill. Come in various sizes as well. 50
BMG cans are big enough to hold a decent homebrew
comp.

If you think about it you'll see why you don't want
RF inside them.

For the truly paranoid a surplus helmet makes a lot
more stylish lid than the homemade tinfoil job.

You might want to exercise your neck muscles first.

SamFebruary 1, 2015 8:27 PM

@ Dirk Praet

"The best thing the new Greek government can do is try and renegotiate the spread of debt payments over a longer period of time. "

They've been down this road numerous times in the past. The Greeks have chosen to go down the road of bankruptcy when they voted to repeal austerity.

It's a recurring problem that periodically surfaces whenever the market needs a little bit of correction.

When Muppets AttackFebruary 1, 2015 8:30 PM

☻ "Some of us understand."

This is great. skep still believes S&P, even after they swallowed the banker's CDO assumptions hook line & sinker and totally discredited their sorry bought asses. Speaking of hook line & sinker,

☻☻ "Doing quite well."

Now doesn't that warm the cockles of your avaricious heart?

An economy scrabbling by its fingernails at the brink of recession, self-destructively goosed by official crime in breach of prompt corrective action statutes and Federal Reserve Act Section 14(2), and now, despite the Fed's desperate atropine shots, poised to whipsaw the most volatile component of GDP, investment, as the suckers who levered up to frack get ruined, along with banks and retail investors stuffed with cast-off spread product and beta. And why? Because they're tools, immolated by CIA to spite Russia in a loony plan to warp the terms of trade by diverting water from agriculture to extractive industries. Don't laugh, it's not funny. Stop smirking.

☻☻☻☻☻☻☻☻"Serious business," complete with finger-wagging lecture! Ach, die Freude! When the mainstream and moderate muppets like skep get creamed for their patriotic but innumerate investment notions, some of the money he loses will be mine. Again. Like in 01 and 08.

Woo-hoo, the hookers and blow are on skep!

☻☻ "entire developed world." and not, as required by the supreme law of the land that skep never heard of, by the security council. He doesn't even know which article of which instrument he's ignorant of this time. Putin's foreskin knows more international law than skep + DoS. And Putin enforces it too. That's why he drives you losers apeshit.

GrauhutFebruary 1, 2015 9:05 PM

@Skeptical: "So to claim that the US has designs on Siberia... seriously, it's a bizarre claim. One should take it as seriously as the notion that the US is preparing to invade Antarctica.

When it comes to resources, the US believes in investment and free trade, not conquest and theft. As with all nations, this was not always the case, but it has been the case now for many decades."

Skep, you just renamed conquest and theft to investment and free trade. Remember the 90s "privatizations" in Russia. :)

There will be a race for Siberia and everyone knows this. The western economy can not afford to lose this potential to China.

"The Great Siberian War Of 2030"

http://www.dod.gov/pubs/foi/International_security_affairs/china/09-F-0759theGreatSiberianWarOf2030.pdf

SamFebruary 1, 2015 9:33 PM

Iraq took the big stomp when it fancied an oil bourse in euros, so I wouldn't be surprised if there's something funky going on with RMB/RUB and this whole Siberia, Eurasia alliance with highspeed rails to boot.

Not so fun when somebody put the wrong tag on your back. goes for both sides...

WaelFebruary 1, 2015 10:41 PM

@Grauhut, @Skeptical,

The Great Siberian War Of 2030

Very interesting paper. I got to finish about 14 pages of it (the font sucks on my "smart" device.) One question I have: Why would the DoD make such documents available to everyone? Who's the intended audience? Russia and China can read them, too! Is this a manifestation of the "Capablanca effect"[1]?

[1] I made that up. It's referring to a quote about Jose Raul Capablanca, previous world chess champion:

Against Alekhine you never knew what to expect. Against Capablanca, you knew what to expect, but you couldn't prevent it! – George Thomas

* OT: On security & complexity -- practical examples from chess:

The essence of Capablanca's greatness is his rare talent for avoiding all that can complicate or confuse the conflict. - Max Euwe

Capablanca's play produced and still produces an irresistible artistic effect. In his games a tendency towards simplicity predominated, and in this simplicity there was a unique beauty of genuine depth. - Mikhail Botvinnik

Capablanca was among the greatest of chess players, but not because of his endgame. His trick was to keep his openings simple, and then play with such brilliance in the middlegame that the game was decided - even though his opponent didn't always know it - before they arrived at the ending. - Bobby Fischer

Edward SnowdenFebruary 1, 2015 10:42 PM

"When it comes to resources, the US believes in investment and free trade, not conquest and theft. As with all nations, this was not always the case, but it has been the case now for many decades."

Hmm... "Own the Internet", wasn't that on a slide somewhere?

The 'US' is a state. It has no beliefs. It has laws and policies. It has hundreds of millions of individuals that to greater and lesser extents follow and deviate from those laws and policies. It doesn't take much of a student of history and modern mainstream media to see that unethical actions that equate to 'conquest and theft' have been rather undeterred by the letter and the spirit of the law. And by 'undeterred' I mean- 'implemented at scale'.

Nick PFebruary 1, 2015 11:08 PM

@ Wael

With CFI, the mediation can happen at many levels. The strongest schemes do it at the hardware level with actual circuitry running parallel with processor. Examples are a list of permissible jumps created at compile time enforced by processor checks during execution or tagged memory that keeps data from overwriting pointers. Another scheme disallows jumps by default, passes the attempt as an exception to a trusted software process, and stores permitted jumps in a cache for faster lookups. Many ways to do it. All enforce the invariant of "control flow works as it's supposed to" rather than "let's hope we stop tactics X, Y, and Z from hitting unprotected control flow."

"I had this request before! Remember? I more or less agree with the rest of what you said."

I see what you mean. Looking back at it, that particular quote is horrifically self-defeating with the use of the word monitoring. My bad. Might have taken a while to say but I said it. ;)

"The image I have of you is that of a researcher sitting in a cube working on a dissertation, is that close? Shed some light on what you do :)"

Far from it. I've previously said my work is a shit job outside IT that barely pays the bills. I just do whatever my company needs me to do. The duties range from blue collar to white collar to security to whatever. I'd rather be doing what you described minus the cubicle: I'd never work in a cubicle due to detrimental effect on the mind. I'd work in a modified janitorial closet before a cubicle if only for the privacy and lack of interruptions. Well, the boss banging on the door of an echo chamber while I'm in deep thought could be pants-shittingly startling. Might not be such a good spot... Roof maybe?

Of course, we both know you'd just like to get closer to knowing as much about my career history as I know about yours. :P

@ Buck

"and please pardon my metaphor here"

HA!

@ Clive Robinson

The bit problem is a tradeoff. We can learn a lot by looking at the ones that go overkill on it: SAFE and CHERI. There's still more than enough memory left over in these. More lightweight systems can squeeze a ton of protection out of 2-3 bits. There's also systems that effectively stretch the bits with encoding. So, this issue does have an impact but far from a deal ender.

"More importantly do you have tags for char,int,long long etc and do you also have a tag for if they are signed or not, also what about null data or unset values? "

You don't need to know all of that. Almost all injection attacks target pointers, arrays, key memory areas, and so on. They need this to function. So, your goal is really to create a scheme that maintains protection of such things. The oldest tagging systems often worked in conjunction with memory protection (eg segments) to achieve that. Some just protected things like pointers, while others (eg System/38) had rules for high level objects like stacks. So, realistically, you're more likely looking at scalar data vs array with bounds info vs pointer vs piece of code vs I/O object. Things like that have sufficed so far.

Note: SAFE is one that has an extra 32-bits in the tag with support for near arbitrary policies with user-defined types. Operations fail by default, results sent to a trusted handler in software, and permitted ops' type rules get put into the cache. Their recent paper showed them running four very different security policies simultaneously. The performance impact on their alpha quality prototype was significant, but actually acceptable for many applications.

"On balance I find the lack of tagging less secure but more efficient as well as more programer friendly thus market friendly than tagged systems which with a very limited and fixed data type set are more secure. "

CHERI already runs FreeBSD, a few others run Linux, and SAFE could easily be targeted by Java. The security vs legacy tradeoff is adjustable incrementally. Sounds pretty market friendly to me.

" The trade off is complex but I just don't think the general computing market is going to accept the significant limitations of tagging for what will be seen as a marginal increase in security."

Good tagging schemes offer a *great* increase in security up to the total prevention of entire classes of code injection. The part about the tradeoffs and market acceptance are true, though.

" especially as I suspect the pragmatic result will be a hybrid solution."

That's very possible.
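Added example (not part of the comment above, and not code from SAFE, CHERI or any other project): a C simulation of the default-deny scheme the comment describes, where every indirect jump is checked against a cache, a miss traps to a trusted handler that consults the permitted-edge list, and a tag check keeps data writes from replacing a code pointer. The toy addresses, policy table, cache size and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy machine: "addresses" are small integers, not real pointers. */
enum tag { TAG_DATA = 0, TAG_CODEPTR = 1 };
struct word { uint32_t value; enum tag tag; };
struct edge { uint32_t src, dst; };

/* Policy owned by the trusted handler: the permitted indirect-jump edges,
   as a compiler could emit them (constructed values). */
static const struct edge policy[] = {
    { 0x100, 0x200 },   /* dispatch site    -> handler_a */
    { 0x100, 0x240 },   /* dispatch site    -> handler_b */
    { 0x300, 0x200 },   /* second call site -> handler_a */
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

/* Fast-path cache of edges that were already approved (direct-mapped). */
#define CACHE_SLOTS 8
static struct { struct edge e; int valid; } cache[CACHE_SLOTS];
static unsigned handler_calls;   /* slow-path (trap) count  */
static unsigned cache_hits;      /* fast-path approval count */

/* Toy index function for the constructed addresses above. */
static size_t slot_for(uint32_t src, uint32_t dst)
{
    return (size_t)(((src >> 8) + (dst >> 6)) % CACHE_SLOTS);
}

/* Trusted software handler: runs only when the cache has no entry. */
static int trusted_handler(uint32_t src, uint32_t dst)
{
    handler_calls++;
    for (size_t i = 0; i < POLICY_LEN; i++) {
        if (policy[i].src == src && policy[i].dst == dst) {
            size_t s = slot_for(src, dst);
            cache[s].e = policy[i];
            cache[s].valid = 1;      /* only permitted edges are cached */
            return 1;
        }
    }
    return 0;                        /* default deny */
}

/* Mediation point for every indirect jump: 1 = allow, 0 = deny. */
int cfi_check(uint32_t src, uint32_t dst)
{
    size_t s = slot_for(src, dst);
    if (cache[s].valid && cache[s].e.src == src && cache[s].e.dst == dst) {
        cache_hits++;
        return 1;
    }
    return trusted_handler(src, dst);
}

/* Tagged store: a data write may not replace a word tagged as a code
   pointer. Returns 1 if the store happened, 0 if it trapped. In this
   simplified model any caller may pass TAG_CODEPTR; a real design would
   reserve creating pointer-tagged values for privileged operations. */
int tagged_store(struct word *w, uint32_t value, enum tag src_tag)
{
    if (w->tag == TAG_CODEPTR && src_tag != TAG_CODEPTR)
        return 0;
    w->value = value;
    w->tag = src_tag;
    return 1;
}

void cfi_reset(void)
{
    memset(cache, 0, sizeof cache);
    handler_calls = 0;
    cache_hits = 0;
}

unsigned cfi_handler_calls(void) { return handler_calls; }
unsigned cfi_cache_hits(void)    { return cache_hits; }

int main(void)
{
    struct word fptr = { 0x200, TAG_CODEPTR };   /* saved handler pointer */

    cfi_reset();
    printf("first permitted jump:  %d\n", cfi_check(0x100, fptr.value));
    printf("same jump again:       %d\n", cfi_check(0x100, fptr.value));
    printf("unknown target:        %d\n", cfi_check(0x100, 0x999));
    printf("valid target, wrong call site: %d\n", cfi_check(0x300, 0x240));
    printf("data write over code pointer:  %d\n",
           tagged_store(&fptr, 0x999, TAG_DATA));
    printf("handler calls=%u cache hits=%u\n",
           cfi_handler_calls(), cfi_cache_hits());
    return 0;
}
```

Denied edges are never cached, so each repeated violation reaches the trusted handler, which is also the natural place to log it.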

BuckFebruary 1, 2015 11:14 PM

@sam

You have a group of people converging on a loc. battery out, lol... say hello to Fred

Hey Fred, how 'ya doin..? Have you ever read this ol' thread:

Michael Meyers

Well, it's all very well for a nice white bloke to refuse to answer the questions and be delayed for half an hour, but would it have been such a pleasant experience for a muslim US citizen? I doubt it.

kangaroo

That would be the point, wouldn't it? If a member of the privileged caste is treated poorly, what hope is there for those of us less privileged? If those who are the most protected by culture, tradition and law are too cowardly to stand up for their right to respond to dickishness with dickishness -- well those of us a shade darker are truly screwed.

I hope more "privileged white males" stand on their rights -- unlike the rest of us, the only reason they refuse to confront the obnoxiousness of petty bureaucrats is simple narcissism and cowardice.

Which is probably why such behavior causes such resentment particularly among privileged white males.

Brandioch Conner

In other words, the white man MUST be a dick so that the rights of non-whites are protected.

If more people were willing to give up 90 minutes of their time to protect the rights of all of us, we'd be a better people.

I couldn't possibly presume to empathize with @65535's caste or situation -- but, then they came for me -- and there was no one left to speak for me. :-\

Bong-smoking Primitive Monkey-Brained SockpuppetFebruary 1, 2015 11:27 PM

@Clive Robinson,

So stock up whilst you "can"

Ha! My obtuse puppeteer missed that one! Strange he makes fun of the host of this blog while he's guilty of his own pet-peeve. I know for a fact my forgetful puppeteer read a similar thing about "can". He read it on the same month, the same year (July, 2012.) too... What hypocrisy!!!

Nick PFebruary 1, 2015 11:31 PM

@ Buck

Interesting to re-read what I wrote there so long ago. Found this off-topic remark in response to a government conference:

"The real nuggets to take home from what I read are these: NSA is relying on COTS for sensitive information; NSA hopes to rely entirely on COTS; NSA strongly promotes TPM and TNE in COTS products; NSA is leveraging trusted software on untrustworthy processors; NSA hopes to reduce accreditation time for these untrustworthy COTS components. To be honest, I'm not really comfortable with any of these points. Brian Snow's work made me think the NSA was making progress in the right direction. Now I know better."

Post-Snowden, still true and for more obvious reasons. By 2010, I had a firm grasp on all their varieties of bullshit. Although, I still questioned at the time whether it was intentional subversion or incompetence related to politics/funding. Clive's remarks indicated he was unsure and leaning toward the latter as well. One value of the leaks is that they cleared that up for us: subversion for surveillance state, not failures of the Idiocracy. Always love tying up loose ends in long-running investigations. ;)

WaelFebruary 2, 2015 12:11 AM

@Nick P,

With CFI, the mediation can happen at many level [...] enforced by processor checks during execution or tagged memory that keeps data from overwriting pointers [...] "let's hope we stop tactics X, Y, and Z from hitting unprotected control flow."

Ok! That makes sense.

My bad. Might have taken a while to say but I said it. ;)

Two friggin years? What a magnanimous thing to say! Class act, Nick P, class act

Far from it. I've previously said my work is a shit job outside IT that barely pays the bills [...] Of course, we both know you'd just like to get closer to knowing as much about my career...

Stop! I nailed you. I now know what you do for a living :) One of these days, Nick P, one of these days... But perhaps if you remove these colorful words from your resume, you could find a better position? Send your resume around, you certainly have the knowledge and talent!

Nick PFebruary 2, 2015 1:39 AM

@ Wael

When I saw "smart pipe" in the URL I knew what kind of shit I was about to see. But how you got our base SDK I'm not sure. I think we have a leak we need to plug. Maybe we shouldn't have those "penetration" testers attacking our "pipes." Who knew the rain of shit that could fall on us for accepting such a contract!?

Note: I needed the laugh after watching Kill The Messenger. I appreciate the short-lived relief from reality.

Gerard van VoorenFebruary 2, 2015 2:25 AM

@ Clive Robinson

AFAIK the memory in modern day computers is still flat. It doesn't matter whether it has bit flags or not. What does matter is that when you manipulate the data you know the specs (signed/unsigned/int8/int32/float64/string/whatever). A decent language wants, because of that, to know exactly how the memory should be dealt with. In C however everything is an int unless you say otherwise.

Yesterday at Fosdem [1] I visited a presentation of the C2 language [2], which solves some C issues without having high level functionality, so it could be a direct C replacement, for instance for writing kernels. The syntax is a mix of C and Go/D, including the macro system of D (no open ended CPP, good for parsing) and the package system resembles Go. The building criteria is left completely outside the language and it uses configuration files for that (probably TOML in the future, no AutoTools or [x]make). It can do bit manipulating without bit shifting/masking and it still uses unions. C2 is still in development but it looks pretty good.

[1] https://fosdem.org/2015/
[2] http://c2lang.org/docs/c2lang_design.pdf

Andrew_KFebruary 2, 2015 3:27 AM


The British Army is building a 1,500 person dedicated Sock Puppet Brigade. The Special Operations Force (SOF) will be working closely with NATO and "other" agencies. -- JonKnowsNothing

I am irritated. Why is this made public? In my understanding publicity just decreases efficiency of psyops. They are intended to be subtle, aren't they? I haven't found any explanation aside from this being an artifact of some power struggle within GB's security/military apparatus. Perhaps someone here has an enlightening idea aside from them looking desperately for PR...

Regarding TRNG -- I used to trust zener diodes and plain electronics, designs such as described here (sorry, text is available in German only) without any "intelligent" building blocks. With a decent shielding for the diode, of course. I would be interested in the opinion of those knowing more on design of TRNGs than me :)

@ Clive Robinson
Thanks for the pointer to RetroBSD -- working with FreeBSD for several years now, still liking their philosophy.

@ Grauhut

A mic preamp without mic generates thermal noise too. -- Grauhut

I would expect the noise to contain artifacts generated by the surrounding computer and its EM activity. Just record some audio from the device while starting a program/using a program/switching windows/doing some HDD work/..., then normalize it and listen carefully. You will probably be able to make a connection between your actions and what you hear. That's at least my experience with an unused microphone preamp in a notebook. Though, maybe things have changed over the last ten years.

@ 65535

I am planning to institute a no-cell phone policy at my place [...]. -- 65535

I like the idea, but don't underestimate the challenge to enforce it when you have visitors not familiar with security concerns (parents, siblings). You will quickly be a target for all kinds of humor. Just be aware. Part of my personal OPSEC is not to be too obvious about it. Though you are absolutely right about microphones and cameras in smartphones.

Anyhow, if you cannot block it, you may fiddle with its input as suggested by Clive Robinson. That is -- put a source of noise into the pot ;)
OPSEC is often about pragmatism, unusual usage of everyday things, using otherwise unwanted side effects others do not notice. That's why I'm personally interested in it, it's the child in me that gets alive and enjoys this kind of thinking.

@ Thoth
As it may have gotten lost in one of the older squid posts, may I draw your attention to a former comment of mine?

GrauhutFebruary 2, 2015 3:57 AM

@Andrew_K: "I would expect the noise to contain artifacts generated by the surrounding computer and its EM activity."

Of course, but this is random too. If an attacker is so deep in your system that he can record your EM activity and exploit it, then he usually doesn't need to exploit it anymore! ;)

WaelFebruary 2, 2015 7:20 AM

@Nick P,

When I saw "smart pipe"...

Sometimes one needs a laugh :) Cover your base so the SDK doesn't leak again.

Clive RobinsonFebruary 2, 2015 7:46 AM

@ tyr,

Replace the gasket with steel wool for a bit more overkill.

A more effective RFI and hermetic gasket, can be made more simply with a length of Coax Cable such as RG172 etc. You remove the outer plastic and if required the inner conductor, leaving you a plastic gasket covered in a nice copper braid, that just needs a little glue in a couple of places to stay put. If you need a lot of give in the gasket use the 75ohm TV antenna feed as the inner plastic is an expanded foam, that surprisingly sticks together quite well with "super glue"...

I have a couple of old "7.62 ball" ammunition cases which I've modded that way, which contains a communications transceiver which covers 1.5-50MHz and 130-180MHz as well as a small hand generator. The other box holds a toolkit and spares as well as the head set and key. In the garage I have a fishing bag containing a light weight aluminium tube mast (think more robust tent poles and guy line plates and lines), a diplexer and balun which has a Ntype for feed in, another for VHF-UHF out and two screw terminals for a 600ohm HF feeder out or broad band HF antenna. I've done one or two Ham fests with it as well as operate "marine mobile" HF and VHF. I've used its VHF receiver with a "clover leaf" antenna to pick up weather and other satellite transmissions (including getting the UK's "prospero" a few years ago). The "heavy" part is the bank of NiFe cells, which you need to be a twenty something professional weight lifter to carry any distance ;-)

Sadly since I've been unwell I've not been out camping with it as I used to, and the tentage and cam-nets are likewise just sitting there (along with some 10 man rat-packs from my days of wearing the green).

Hopefully my son will pass both his marine and amateur licences then I can "shove the kit" his way ;-)

Clive RobinsonFebruary 2, 2015 8:13 AM

@ Nick P, Wael,

When I saw "smart pipe"...

When I saw "smart pipe" my mind automatically added another "b" word to the end... As you may or may not know certain monks of asian religions develop fairly fantastic "mind control" over their bodies, one legend of which is to open their sphincters and let down their bowels, for cleansing... thus they had a "smart bum"

Being as how the NSA record every thing imperfectly, their word recognition software is bound to mis-translate "bum" into "bomb" thus start hunting for Bruce's legendary "butt bomber" terrorist plot, and airport screening lines having to be lengthened for inspection time with the obligatory "Evolution" comment of "There's always time for lubricant" (see YouTube for the film clip ;-)

CallMeLateForSupperFebruary 2, 2015 9:08 AM

@tyr
"military surplus ammo can... [is] designed to minimize RF inside."

That is not so.

"Replace the gasket... "

There it is! The designed-in rubber-ish gasket prevents good EM shielding. It is there to prevent environmental moisture from reaching the ammo. (But yes, if removed entirely and replaced with properly installed wire braid then one would get better EM shielding.)

Clive RobinsonFebruary 2, 2015 9:09 AM

@ Nick P, Wael,

Speaking of "smart" as you probably know a "smart phone" is anything but, it's really just a "thin client" with a few other peripherals thrown in.

Back when I was mucking about with "fuzzy logic" and "neural networks" some crystal ball gazers were talking about not simulating neurons and synapses with standard CPUs but actually putting them on silicon. Well something like a quarter of a century later it looks like "Brain Chips" are starting to get somewhere, and for the same reason I've been thinking about multi-lightweight CPUs on chips being parallel programmed, traditional CPU architectures have hit a wall where the cost of speeding up sequential CPU architectures is not really viable any longer.

Anyway, have a read of:

http://techcrunch.com/2015/01/31/the-ongoing-quest-for-the-brain-chip/

And also think about how such chips could improve security.

AndTheBeatGoesONFebruary 2, 2015 10:14 AM

my apologies if already posted...

DEA Planned To Monitor Cars Parked At Gun Shows Using License Plate Readers

http://yro.slashdot.org/story/15/02/01/2117208/dea-planned-to-monitor-cars-parked-at-gun-shows-using-license-plate-readers

More and more, we continue to see an uptick in the type of activities spawned by the 3 letter agencies, under the veil of watching criminal activity but taking with it the normal lawful activity of honest citizens, using guilt by association as a measure. Sort of the "guilty unless proven innocent."

I suppose we will see that other infamous 3 letter group jump into this with guns blazing (figuratively speaking).

Nick PFebruary 2, 2015 10:42 AM

@ Clive Robinson

Smartphones aren't thin clients. Thin clients perform almost no computation locally: merely provide an interface (eg web browser) to a computer that does. Smartphones have so much functionality they can replace desktops for many use cases. The only real difference is number of I/O ports and price-performance ratio.

re neuromorphic chips

Something I've looked forward to for a long time. The applications should be interesting. Far as security, these architectures would be *less* secure due to inherent flexibility and no visibility into its internal model. There have been security applications of neural networks in the monitoring domain. Not sure what value they have past that.

Clive RobinsonFebruary 2, 2015 11:05 AM

@ Nick P,

I was thinking along the lines of neural networks to examine source code and network traffic etc looking for patterns that might be indicative of various security weaknesses... And then learning from there how to spot variations etc.

It could also usefully monitor certain employees to see if they are exhibiting certain activities which would indicate they are planning to leave, or commit a crime etc. I can easily see SEC wanting such systems to catch insider trading and the like.

Dirk PraetFebruary 2, 2015 11:19 AM

@ Nick P., @ Clive, @ Wael

Smartphones aren't thin clients

They are actually electronic ankle bracelets in disguise you also happen to be able to make phone calls with. Even Orwell couldn't make this up.

JonKnowsNothingFebruary 2, 2015 11:51 AM

Andrew_K February 2, 2015 3:27 AM
The British Army is building a 1,500 person dedicated Sock Puppet Brigade. The Special Operations Force (SOF) will be working closely with NATO and "other" agencies. -- JonKnowsNothing
I am irritated. Why is this made public? In my understanding publicity just decreases efficiency of psyops.

@Andrew_K

There are a number of reasons why it was made "public" you can pick from the following:

1. Stupid.
This would be as likely as any "leak" from "an Official close to..." or "an anonymous Government/Law Enforcement familiar with the investigation" would be to actually being a "leak". It's propaganda and greatly valued by the Government's Official-Unofficial Leaking Task Forces.

2. Recruitment
This is more likely. Just like the Military Military E[a]t[s] Al[l], are recruiting gamers to fly their drones and play PVP with real world guns, rockets, bombs and other fun toys, there are lots of people who would like to be part of "the action" but aren't quite up-to-snuff to get into the NSA/GCHQ/CIA/FBI.

Military Systems depend on "stupid" by definition so Option 1 is still viable but in a different context.

3. Fear and Intimidation
My bet is on this one. As "social media" is shown more and more to be a tool of "law enforcement for us and jail for you...", it's so much easier to build false-evidence-convictions if you can get the other side to participate in an on-line chat where you can cherry pick the proper words, dates and times and rewrite chat logs. They can wait years to get the correct wording and convince judges and juries that their "evidence" hasn't been tampered with "trust us".

It's a great STOP SIGN in front of anyone wishing to engage in discussions that are Not Appreciated. You might get off easy with 1,000 lashes if they can manipulate you into thinking you have any freedom of thought at all. You might even get a trip to an exotic location, room, board and torture included for free, including a DRM Free music track of: "Let the Bodies Hit the Floor" provided 24x7, as a participation reward.

4. Envy
This cannot be missed. The GCHQ is getting all the good stories and NATO and the military are collecting debt and coffins. The debt has been circulating the planet since the US invented Toxic Stocks and Toxic Mortgages and Toxic Investments. The coffins remain out-of-sight with the only acknowledged deaths being: "insurgents, radicals and extremists" which for some is "good riddance".

So, they need to up-scale the image of being a Great Warrior for Western Ideals, with great institutions like monarchies, floggings and unlimited detention and they need to get bodies for The Forever Wars.

See the latest outbreak: USA "thinking" of sending arms to Ukraine - gee what happened to the NATO mutual warfare admiration society??

They need something to put in those coffins. The coffin industry might collapse if they don't get more bodies soon.

Bob PaddockFebruary 2, 2015 12:22 PM

Desktop 'Screened Rooms'.

"In 1997 Ramsey took the technician out of the large expensive shielded screen room and put his hands and eyes into a portable benchtop RF Shielded Test Enclosure. With thousands placed in service worldwide the patented STE technology became the standard for efficient and cost effective RF isolation testing. That legacy has continued with a wide variety of STE's to suit every RF test application and the size requirements you have today. Our exclusive double lip gasket technology assures an RF tight seal each and every time. Steady-hold hinges maintain the opening at any location and prevent gasket compression due to prolonged closure pressure when not in use"

65535February 2, 2015 3:38 PM

“…I like the idea, but don't underestimate the challenge to enforce it when you have visitors not familiar with security concerns (parents, siblings)… Anyhow, if you cannot block it, you may fiddle with its input as suggested by Clive Robinson. That is -- put a source of noise into the pot ;)…” - Andrew_K

The pot idea was to make it familiar and non-evasive. The source of noise is a good idea also.

The risk of kid jokes is already there. We have kids to take unbecoming pictures [sloppy eating and so on] and show them off. Getting the camera and mic out of the picture is part of the "no-cell phone" policy goal.

“RFI and hermetic gasket, can be made more simply with a length of Coax Cable such as RG172 etc. You remove the outer plastic and if required the inner conductor, leaving you a plastic gasket covered in a nice copper braid… I have a couple of old "7.62 ball" ammunition cases which I've modded that way, which contains a communications transceiver which covers 1.5-50MHz and 130-180MHz as well as a small hand generator.” –Clive

That is interesting.

@tyr
"military surplus ammo can... [is] designed to minimize RF inside."

That is not so.

"Replace the gasket... "

“There it is! The designed-in rubber-ish gasket prevents good EM shielding. It is there to prevent environmental moisture from reaching the ammo. (But yes, if removed entirely and replaced with properly installed wire braid then one would get better EM shielding.)” –CallMeLateForSupper

I can see the rubber leaking RF. Clive’s idea is good.

“In 1997 Ramsey took the technician out of the large expensive shielded screen room and put his hands and eyes into a portable benchtop RF Shielded Test Enclosure…” Bob Paddock

Nice line of equipment. But I was looking for something a little cheaper.

gordoFebruary 2, 2015 4:30 PM

...just saw this; streams live this evening at 7pm EST:

NSA leaker Edward Snowden to address Toronto school from Russia
Karolyn Coorsh | CTVNews.ca | Published Monday, February 2, 2015 10:18AM EST

U.S. fugitive Edward Snowden is set to address hundreds of high school students at a world affairs conference being held Monday night at a Toronto private school.


The former NSA contractor is the keynote speaker at the annual World Affairs Conference, which was organized by students from Upper Canada College and Branksome Hall in Toronto.

The moderated discussion is called “Privacy vs. Security: A Discussion of Personal Privacy in the Digital Age.”

Snowden, who now lives in asylum in Russia, will be joined by journalist Glenn Greenwald via video link from Brazil.

http://www.ctvnews.ca/canada/nsa-leaker-edward-snowden-to-address-toronto-school-from-russia-1.2216706

=============================================

Edward Snowden announced as keynote for World Affairs Conference on Feb. 2
News | Upper Canada College | January 28, 2015

Traitor or hero? None other than controversial privacy activist Edward Snowden — joined by journalist Glenn Greenwald — has been announced as the keynote speakers for the World Affairs Conference (WAC), co-organized by Upper Canada College and Branksome Hall, and Canada’s oldest annual student-run conference, on Monday, Feb. 2.


[...]

Addressing a national student audience of 900 delegates from 27 different schools in Grades 10 through 12, the topic of the live, moderated discussion will be “Privacy vs. Security: A Discussion of Personal Privacy in the Digital Age.” This keynote represents the first time Snowden will address a live audience comprised of high school students.

[...]

A livestream may be accessed remotely at 7 p.m. on Feb. 2 at www.ucc.on.ca/wac-2015-keynote/

[...]

http://www.ucc.on.ca/2015/01/28/edward-snowden-announced-as-keynote-for-world-affairs-conference-on-feb-2/

SamFebruary 2, 2015 5:34 PM

@ Buck
"Hey Fred, how 'ya doin..? Have you ever read this ol' thread:"

Long thread. Too long to read it all. Just tell me what are you driving at?

@ Edward
"The 'US' is a state. It has no beliefs. It has laws and policies. It has hundreds of millions of individuals that to greater and lesser extents follow and deviate from those laws and policies. "

Yes, quite convenient to hijack the opinion of a nation to benefit the few, isn't it?

Nick PFebruary 2, 2015 5:45 PM

@ Clive Robinson

Source code scanning is an unknown. I prefer deterministic methods used in type systems and compilers. Worth looking into, though. Network monitoring is a good call: already been done in academia and maybe commercial sector.

Didn't think about insider analysis. Now that you mention it I recall a DOD, DARPA, or some other funding program for inside threat detection. We discussed it here and might have been Mudge running it. Neural nets would almost certainly have been tried. So, one could start by looking to see if that program's results went public.

BuckFebruary 2, 2015 7:40 PM

@Sam

@ 65535 "I do that. But, I was trying to think of a simple and not so invasive method of enforcing my new “no-cell phones in here” policy. That would include guests and children.
You have a group of people converging on a loc, battery out, lol... say hello to Fred.
What I'm saying is, assuming @65535 is not considered a minority in his community, then he can calmly and politely explain his house policy. Eventually, Fred will come to find that just because some flashing lights on his screen have (dis)appeared, it doesn't necessarily mean that some sort of terroristic activity is taking place. The real winner from this situation is humanity as a whole! :-)

Dirk PraetFebruary 2, 2015 8:31 PM

@ Wael, @ Grauhut, @ Skeptical

The Great Siberian War Of 2030

Very interesting paper. I got to finish about 14 pages of it (the font sucks on my "smart" device.) One question I have: Why would the DoD make such documents available to everyone? Who's the intended audience?

Interesting paper indeed. The reason the font sucks is that the .pdf is in fact a scanned copy. The Office of Net Assessment is a small internal Pentagon think tank tasked with comparing US military capabilities to those of other countries and identifying emerging or future threats or opportunities for the United States. One of the preoccupations of the office is American dominance as shown in "Preserving American Primacy" [January 2006] and "Preserving U.S. Military Superiority" [August 2001]. They report to the Secretary of Defense and specialise in looking at issues 20 to 30 years in the future and over the last decade have had a particular focus on China as the next Soviet-style rival power to the US.

An index of reports produced over the past 20 years was obtained through FOIA. Not all of them have been declassified or published.

The thesis of the paper itself is that for demographic and other reasons the waning Russian empire may not be able to hold on to Siberia and other Far East regions. The resulting vacuum will make Siberia an interesting opportunity for the Chinese, especially if global warming continues which will make it easier for them to exploit its many resources. The most interesting parts are pages 81 to 88 presenting a possible destabilisation and war scenario whereas 89-95 offer a number of lessons learned. Do note that neither the US nor EU play any significant role in these events. Neither are they in any way trying to get Siberia in their own sphere of influence.

I was impressed with the paper's qualities, but what struck me most are a number of similarities with what is currently going on in Ukraine. Substitute China with the EU/US, and this is some really serious food for thought.

ThothFebruary 2, 2015 8:45 PM

@Clive Robinson
I don't remember there is a sphincter opening technique from the Far East. In reverse, almost all techniques I have known about required closing it instead regardless be they Chinese, Japanese, Korean, Tibetan and any other Far Eastern techniques. Opening the bottom is considered leaking (bad).

Have you opened a manpack set before (seems like the radios you described are very similar to a manpack set or even copied from one so I guess you did). I wonder what contributes to the heavy weight of a manpack set ? I am suspecting the main culprit is the huge removable batteries of the manpack set that makes it heavy instead of the actual chips ?

Does your manpack set portable radio include functions for encrypted transmissions and OTAR ? Would be interesting to see an entire manpack set built from scratch with crypto and some EMSEC in-place.

@Andrew_K
Interesting essay. I would put it up on the website soon.

I would sign this post later on down the line once I am in reach of my keys.

WaelFebruary 2, 2015 9:03 PM

@Dirk Praet,

I was impressed with the paper's qualities, but what struck me most are a number of similarities with what is currently going on in Ukraine.

Likewise, I was impressed as well! Still, I would have thought this would've been classified. Makes one wonder what the classified stuff looks like! Thanks for the input -- food for thought, for sure!

SamFebruary 2, 2015 9:10 PM

@ Buck

Yeah, OK.

@ Clive Robinson
"http://www.nytimes.com/2015/02/03/technology/in-net-neutrality-push-fcc-is-expected-to-propose-regulating-the-internet-as-a-utility.html"

Sounds like more hope & dopey from the great swine.

Nick PFebruary 2, 2015 10:40 PM

@ Nate

Dude, that was 2010 when NSA's image was still legit and Google just got hit with a big cyberattack by Chinese government. It was a decent option from a company's perspective to get help from a top electronic espionage organization that regularly battles with China and is paid by taxpayers rather than Google's wallet. Today, they'd be less likely to make the same move.

NateFebruary 2, 2015 11:19 PM

@Nick P: (rechecks date) Ah, so it is. That explains a lot.

Goes to show how much Snowden has changed the game - in 2010 it totally _was_ plausible that the NSA were still playing defense, and I would have believed that this partnership was mostly about protecting their systems.

Nick PFebruary 2, 2015 11:29 PM

@ Nate

Night and day my friend. That's the difference in perspective of NSA pre- and post-Snowden.

FigureitoutFebruary 3, 2015 2:35 AM

heartbleed in rust

A post dedicated to a Mr. Nick P claiming "memory safe" tools will "make code injection impossible".

The point is that if we don’t actually understand what vulnerabilities like Heartbleed are, we are unlikely to eliminate them simply by switching to a magic vulnerability proof language.

http://www.tedunangst.com/flak/post/heartbleed-in-rust

http://www.reddit.com/r/programming/comments/2uinge/heartbleed_in_rust/

And this one is nice: http://www.enyo.de/fw/notes/ada-type-safety.html

WaelFebruary 3, 2015 3:03 AM

@Figureitout,

The point here isn’t to pick on rust. I could have written the same program with the same flaw in go, or even haskell if I were smart enough to understand burritos. The point is that if we don’t actually understand what vulnerabilities like Heartbleed are, we are unlikely to eliminate them simply by switching to a magic vulnerability proof language. - From the first link

Sounds right. It's not a purely "programming language" thing; the programmer is at least just as faulty. Programming languages can't be the scapegoat for lousy programmers (or code-cutters, as @Clive Robinson prefers to call them) all the time ;)
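The flaw class the quoted article is arguing about, shown as an added example (not code from the linked post or from any commenter; the wire format, class and function names are constructed for illustration): a reused receive buffer plus a trusted length field leaks stale data even though the runtime never performs an out-of-bounds access.

```python
"""Heartbleed-class over-read without any out-of-bounds access (constructed demo)."""

BUF_SIZE = 64  # hypothetical size of the shared receive buffer


class HeartbeatServer:
    """Toy echo service. Wire format (constructed): 1 length byte, then payload."""

    def __init__(self) -> None:
        # One scratch buffer reused for every request to avoid reallocating.
        self.buf = bytearray(BUF_SIZE)

    def _receive(self, packet: bytes) -> int:
        """Copy a packet into the shared buffer; return how many bytes arrived."""
        n = min(len(packet), BUF_SIZE)
        self.buf[:n] = packet[:n]
        return n

    def echo_vulnerable(self, packet: bytes) -> bytes:
        """Trusts the length byte. The slice stays inside the bytearray, so the
        language has nothing to object to; it just covers bytes that an earlier
        request left behind."""
        self._receive(packet)
        claimed = self.buf[0]
        return bytes(self.buf[1:1 + claimed])

    def echo_fixed(self, packet: bytes) -> bytes:
        """Checks the claimed length against what was actually received."""
        received = self._receive(packet)
        if received < 1:
            raise ValueError("empty packet")
        claimed = self.buf[0]
        if claimed > received - 1:
            raise ValueError("claimed length exceeds payload actually received")
        reply = bytes(self.buf[1:1 + claimed])
        # Defence in depth: leave no stale request data in the shared buffer.
        self.buf[:received] = bytes(received)
        return reply


def make_packet(payload: bytes, claimed_len=None) -> bytes:
    """Build a request; claimed_len overrides the honest length byte."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([length]) + payload


SECRET = b"session=CONSTRUCTED-SECRET"  # constructed sample data


def demo():
    """Return (reply from the vulnerable path, whether the fixed path rejected)."""
    victim = make_packet(SECRET)                 # an earlier, honest request
    lying = make_packet(b"hi", claimed_len=40)   # 2 bytes sent, 40 claimed

    weak = HeartbeatServer()
    weak.echo_vulnerable(victim)
    leaked = weak.echo_vulnerable(lying)

    strong = HeartbeatServer()
    strong.echo_fixed(victim)
    try:
        strong.echo_fixed(lying)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demo()
    print("vulnerable reply:", leaked)
    print("fixed path rejected the request:", rejected)
```

A bounds-checked language removes the out-of-bounds read, but the length check against the received payload is still the programmer's job.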

Clive RobinsonFebruary 3, 2015 3:29 AM

@ Figureitout, and other "makers" and hardware hackers,

Read it and weep...

Yesterday the latest version of the Raspberry Pi was released effectively called the "2B+", where the Broadcom chip has been updated to quad cores, but the price is still the same.

Well, guess what Micro$haft Dev posted that as part of its IoT policy a stripped down version of WinDoze 10 would be heading the 2B+ way....

http://dev.windows.com/en-us/featured/raspberrypi2support

I'm hoping that it's an April fool two months early, or just another attempt to warm over the corpses of Win CE / Mobile. But I fear not. Ask yourself in all honesty as IoT is aimed at low power low functionality devices like light bulb sockets, do you really want your lights having Blue Screen of Death moments in the middle of the night? No I don't either...

ThothFebruary 3, 2015 3:48 AM

@Clive Robinson
When they mentioned the release of Raspberry Pi B+ with Windows 10 availability for it, it is probably the moment where the team in-charge of RPi have tasted huge success and decided to just "let go and free fall" in a way by making a pact with Microsoft (if there was one) or maybe Microsoft decided to walk in without talking to the managing team of RPi ?

Hopefully there is an option that allows choosing an OS (instead of force-fed with Windows 10 Pi Edition + DRM if there is one).

I noticed the Broadcom chip has markings on it. Is it a faulty one ?

Will there be a rush to hoard the existing stock of RPi before the new version releases ?

Clive RobinsonFebruary 3, 2015 3:57 AM

@ Figureitout, Nick P, Wael,

The thing about software bugs and their resultant attacks is things evolve.

From the attacker's point of view, for criminal types using "low hanging fruit" style attacks is preferred as the resource investment is less thus generally they see a better ROI on them. At the other end you have the likes of the NSA, but they still where possible prefer "low hanging fruit" because it enables them to blend in, whilst also not giving high level attack code to AV companies knowing that after a relatively short time the code will get paraded in public.

The suppliers of user OS and apps are slowly raising their game, not from choice but as a way of not going out of business.

Thus today's high hanging fruit will be the day after tomorrow's low hanging fruit.

Thus the protection type safe languages will give us will fairly soon be below the low hanging fruit mark...

It's why I mentioned the use of neural net chips for code review, if --and it's a big if-- we can get machine learning to the point where it can not just find existing code problems but look for new ones then it's something we need to seriously consider. Because as I keep saying "tools are agnostic to their use" thus I can see the likes of the NSA et al throwing lots of money at the problem in order to rapidly find new attack vectors to add to their arsenals and thus stay ahead of who ever the "Orwellian enemy of the day" is.

This type of forced code evolution will outpace human programmers, and they will not be able to keep up, heck most are not even hanging in by their fingernails now (myself included). Thus we need a new way to do things, which is what caused me to think about the Prison idea where the functions of what is effectively a scripting language are written by security specialists in a way that ordinary coders can use safely. Also all the bits to do with the Prison and signature watching.

Andrew_KFebruary 3, 2015 4:03 AM

@ JonKnowsNothing, Regarding psyop SOF

1 was what I thought initially. 2 is a "maybe" but then I would have expected that to be a less-understandable note on some "careers and opportunities" site, frequented by the folks you described -- those that would be turned on by the secrecy of such a job; big PR might ruin it. 4 is essentially what I meant by "power struggle inside GB's security/military apparatus".

This leaves a very frustrating option 3 since once more infrastructure intended to protect is used to control.
After re-editing this post multiple times I have to admit, you're probably right. The point I missed is that most people have literally no long-time-memory regarding events influencing their security as long as their everyday environment does not change. Unless subject to super surprise fun vacation, they will not notice.

@ Buck, 65535
I really hope 65535 has a social community that will appreciate the effort. My experience in the private life is -- in contrast to professional life -- not very encouraging. Most people do not realize they're being a (valuable) target.

@ Thoth
You're welcome.

Dirk PraetFebruary 3, 2015 5:30 AM

Something odd seems to be going down at Tor or with Tor hidden services. About an hour ago, Tor exit cluster operator Thomas White ( @CthulhuSec ) posted a number of strange tweets to write down and save a couple of SHA1 checksums calling it "proof of knowledge and disclosures". Full message goes:

"Please keep a copy of the following checksums for future use. I am not
at privilege at this moment to divulge anything further about what these
checksums may or may not verify other than to state they are a proof of
foreknowledge about events which are about to unfold. I hopefully will
never need to release these, but if I must it is crucial the
authenticity can be verified by as many people as possible. The context
of these and who it concerns at Tor hidden services.

ebbf8fe315b77419c96d67accc41d5501cb22aa9
On Twitter: https://twitter.com/CthulhuSec/status/562549685802774528

ba993b4a132df12537aab9fde4b297197b92a45a
On Twitter: https://twitter.com/CthulhuSec/status/562549758242611200

At this moment (3rd Feb 2015) I am under no compulsion to write this
message and I have not been served any gag orders in relation to the
exact text above. Should for any reason I become unable to disclose the
above information myself, another person will step forward to do so.
Thus gagging orders aimed at myself, my legal team, my known associates
or any other form of restraint against me will not prevent the release
of this information. Should my enemies test my resolve on this matter –
you will fail."
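Publishing a checksum now and the document later, as in the message quoted above, is a hash commitment. The following is an added example (not Thomas White's or the commenter's procedure; the statements, nonce handling and function names are constructed for illustration) showing how a later disclosure is checked against the published digest and why a random nonce matters when the committed text is guessable.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

NONCE_LEN = 32  # fixed length, so nonce || statement splits unambiguously


def commit(statement: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (digest to publish now, nonce to keep secret until disclosure).

    SHA-256 is used here instead of the SHA-1 on the page: SHA-1 collisions
    became practical in 2017, and a collision would let a committer prepare
    two different documents that match one published digest.
    """
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    return hashlib.sha256(nonce + statement).hexdigest(), nonce


def verify(published_hex: str, statement: bytes, nonce: bytes) -> bool:
    """Check a disclosed statement and nonce against the archived digest."""
    if len(nonce) != NONCE_LEN:
        return False
    expected = hashlib.sha256(nonce + statement).hexdigest()
    return hmac.compare_digest(expected, published_hex.strip().lower())


def confirm_guess(published_hex: str, candidates: Iterable[bytes],
                  algo: str = "sha1") -> Optional[bytes]:
    """What any observer can do with a bare, unsalted digest: hash each
    plausible statement and see whether one matches before disclosure."""
    for candidate in candidates:
        digest = hashlib.new(algo, candidate).hexdigest()
        if hmac.compare_digest(digest, published_hex):
            return candidate
    return None


def demo() -> dict:
    # Constructed sample statements; none relate to the digests on the page.
    statement = b"Constructed statement: service X goes offline on 2015-02-10"
    guesses = [
        b"Constructed statement: service X goes offline on 2015-02-09",
        statement,
        b"Constructed statement: service Y goes offline on 2015-02-10",
    ]

    bare = hashlib.sha1(statement).hexdigest()   # bare checksum, no nonce
    salted, nonce = commit(statement)            # hiding commitment

    return {
        "bare_guess_confirmed": confirm_guess(bare, guesses) == statement,
        "salted_guess_confirmed":
            confirm_guess(salted, guesses, "sha256") is not None,
        "disclosure_verifies": verify(salted, statement, nonce),
        "altered_text_verifies": verify(salted, statement + b"!", nonce),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Anyone archiving such digests should record them alongside an independent timestamp, since the digest proves content, not the date it was fixed.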

GrauhutFebruary 3, 2015 10:02 AM

@Thoth: "Hopefully there is an option that allows choosing an OS (instead of force-fed with Windows 10 Pi Edition + DRM if there is one)."

R2 runs the same distributions as before, but with a new kernel and bootloader. The ARMhf bins continue to work.

M$ can not afford to be closed out of the maker scene, so they try it later this year. Seems Intel didn't make it with the quark soc.

My R2 board is under way, Monday I will know more.

Nick PFebruary 3, 2015 12:34 PM

@ Figureitout

tedu's article says you have to know what to implement and then implement it right. Safer languages are for the second part. Then, you picked an article where a guy works his ass off to make a failing construct in Rust. He then admits "no true rust programmer would ever write a program like that." That's when the reader with a brain clicks the little x to not waste more time.

Note: Funny the next article is Ada because there's an article out there showing Ada use would've prevented Heartbleed with bounds checking.

The Ada article you picked shows a subtle flaw in the type system where a number of things have to be combined for it to fail. A so-called Heisenbug that's extremely hard to spot in advance or detect while testing a compiler. I'd forgive any language author for such a slipup. That you use that one subtle error as evidence against Ada while ignoring its many successes undermines your argument. It was also empirically shown to be 1.37 times more cost effective than C with 5.9 times better defect rate overall. Also outdid C++ in both categories although closer to 2x less errors than 5x.

Feel free to keep trying to find selective, anecdotal, and even highly made up (tedu) evidence to argue that type or memory safety doesn't reduce vulnerability count. I'm sure some individual might buy into it, write some C software, get it widely adopted, and make NSA hackers smile at their new boxes. ;)

@ Wael

That's what the guy said in the article he linked to: gotta know the feature and implement it properly. His Heartbleed bug intentionally avoids implementing the feature. Has nothing to do with language arguments except for trollish ones saying "X prevents all problems!"

@ Clive Robinson

There is a bit of evolution. However, most of them are rehashes of the same thing: pointer abuse, buffer abuse, overprivileged OS mechanism, covert channel, and so on. There are tools that totally prevent these and some that detect them reliably. We just need to use the tools. Past that, there's containment ("Inevitability of Failure") and recovery mechanisms. Plus, developing new defenses for each attacker advance.

Far as nets, it might become another tool in the toolbox. The fields of static analysis, dynamic analysis, and type systems already have tools to knock out almost every major error in a deterministic way. A number have mathematical proofs of their method, as well. So, I promote putting money into further work on those and integrating them with developer tools. Black boxes with significant error rates, no understanding of internal workings, and huge training sets would be a step backward for program analysis tools imho.

"NSA et al throwing lots of money at the problem in order to rapidly find new attack vectors to add to their arsenals and thus stay ahead of who ever the "Orwellian enemy of the day" is."

This part I agree with. It's probably what they're doing. The defenders are barely trying to find problems in their code. The attackers have plenty of labor and tool money. So, their odds of discovering something are better. It wouldn't surprise me if NSA tried using a neural net for finding vulnerabilities in *binary* code. Neural net to find it, deterministic tool to generate exploit.
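
The bounds-checking point in the comment above, as an added example that is not part of the original comment or of any project's code: a simplified heartbeat-style echo handler in C, where the whole difference between the unchecked and checked variants is one comparison of the claimed payload length against the bytes actually received. The record layout, function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified record layout (no padding, unlike real TLS):
 *   byte 0     message type (1 = request, 2 = response)
 *   bytes 1-2  claimed payload length, big-endian
 *   bytes 3..  payload                                              */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3 };

/* Build a response that echoes n payload bytes. */
static size_t hb_reply(const uint8_t *payload, size_t n,
                       uint8_t *out, size_t out_cap)
{
    if (n > 0xFFFF || out_cap < HB_HEADER + n) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xFF);
    memcpy(out + HB_HEADER, payload, n);
    return HB_HEADER + n;
}

/* Unchecked variant: trusts the length field inside the message and never
 * compares it with rec_len. The copy is clamped to the demo arena only to
 * keep this program free of undefined behaviour; in a real process there
 * is no such clamp and the read continues into neighbouring memory.     */
size_t hb_echo_unchecked(const uint8_t *arena, size_t arena_len,
                         size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec_len > arena_len || arena[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    size_t avail = arena_len - HB_HEADER;
    size_t n = claimed < avail ? claimed : avail;   /* demo-only clamp */
    return hb_reply(arena + HB_HEADER, n, out, out_cap);
}

/* Checked variant: the claimed length must fit inside the bytes that were
 * actually received, otherwise the record is silently discarded.        */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HB_HEADER) return 0;    /* the missing check */
    return hb_reply(rec + HB_HEADER, claimed, out, out_cap);
}

/* Constructed sample input: both records carry the 2-byte payload "hi". */
static const uint8_t LYING_REC[]  = { HB_REQUEST, 0x00, 0x10, 'h', 'i' }; /* claims 16 */
static const uint8_t HONEST_REC[] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' }; /* claims 2  */
static const char NEIGHBOUR[] = "NEIGHBOUR-DATA!";  /* stands in for adjacent memory */

/* Number of neighbouring bytes the unchecked handler echoes back. */
size_t demo_unchecked_leak(void)
{
    uint8_t arena[64], out[64];
    size_t rec_len = sizeof LYING_REC, nb_len = sizeof NEIGHBOUR - 1;
    memcpy(arena, LYING_REC, rec_len);
    memcpy(arena + rec_len, NEIGHBOUR, nb_len);
    size_t n = hb_echo_unchecked(arena, rec_len + nb_len, rec_len, out, sizeof out);
    if (n < rec_len) return 0;
    size_t leaked = n - rec_len;                    /* bytes past the real payload */
    return memcmp(out + rec_len, NEIGHBOUR, leaked) == 0 ? leaked : 0;
}

/* Response sizes from the checked handler for the lying and honest records. */
size_t demo_checked_lying(void)
{
    uint8_t out[64];
    return hb_echo_checked(LYING_REC, sizeof LYING_REC, out, sizeof out);
}

size_t demo_checked_honest(void)
{
    uint8_t out[64];
    return hb_echo_checked(HONEST_REC, sizeof HONEST_REC, out, sizeof out);
}

int main(void)
{
    printf("unchecked handler echoed %zu neighbouring bytes\n", demo_unchecked_leak());
    printf("checked handler, lying record:  %zu-byte response\n", demo_checked_lying());
    printf("checked handler, honest record: %zu-byte response\n", demo_checked_honest());
    return 0;
}
```

A language with checked array indexing performs the equivalent of that comparison on every access, which is the property the comment attributes to Ada; in C it has to be written by hand at each site.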

AreYouSurprised • February 3, 2015 2:34 PM

Google, Amazon, Microsoft Reportedly Paid AdBlock Plus To Unblock

http://yro.slashdot.org/story/15/02/03/1517230/google-amazon-microsoft-reportedly-paid-adblock-plus-to-unblock

From the posting...

"Internet giants Google, Amazon, Microsoft and Taboola have reportedly paid AdBlock Plus to allow their ads to pass through its filter software. The confidential deals were confirmed by the Financial Times, the paper reported today [Paywalled]."

And these companies wonder why we think badly of them, don't trust them, or mostly believe they are in league with the devil (greed et al). And most likely, they all say they did nothing wrong (they just got caught).

By the way, one of these money sucking businesses is proposing to put Windows 10 on the newly announced Raspberry Pi 2. Not hard to figure out their motive (cut off Linux at the pass, and get back to the PC days of hardware vendor controlling contracts).

Skeptical • February 3, 2015 3:09 PM


@Grauhut: Skep, you just renamed conquest and theft to investment and free trade. Remember the 90s "privatizations" in Russia.

The growth of oligarchy and indeed "kleptocracy" in Russia during that period represented a failure of US policy and hopes for Russia. What the US wanted was the growth of rule of law, and democracy, to allow self-determination and entrepreneurship in Russia replace the corrupt control of the Party elites, which had hollowed the Russian economy.

There will be a race for Siberia and everyone knows this. The western economy can not afford to lose this potential to China.

"The Great Siberian War Of 2030"

You linked me to a 99 page PDF as evidence for the above. I am nearly persuaded that you did not bother to read the document (which is well written, and fascinating, but the core scenario is rendered unlikely by other parts of the authors' analysis, and in any event is merely described as a 'serious possibility' if my memory of the paper, after reading it very quickly, is correct). So, some facts about the paper:

(A) The paper describes at some length why the "natural wealth" of Siberia is deceptive. Quite simply, the environment is too harsh to make the benefits of extracting the resources worth the cost. There are detailed arguments made on this point, noting that the attempts to develop Siberia have been driven more by political imperatives (Russia's self-conception as a Eurasian great power, one of vast territory and resources - a vision which requires Siberia to play a central role in the story).

Indeed, the most fascinating aspect of the paper is its discussion of the contrast between the allocation of resources in the West, which has been directed mostly by the markets and individuals within those markets, and the allocation in Russia, which was and unfortunately remains heavily state directed. Siberia is presented as an example of an enormous misallocation of resources.

The authors further claim that by 2030, the development of other sources of oil and natural gas, and progress in alternative energy, will depress and flatten oil and natural gas prices, rendering the allocation of resources to Siberia even more of a mistake than it is now.

(B) The paper describes a scenario in which China and Russia go to war over Siberia. However the paper struggles to find a rationale for China to engage in such a war. Ultimately it settles upon China's need to direct internal tensions, which have risen to dangerous levels by 2030, outward towards an external enemy. Russia, by then engaged in a war with various Chinese proxies in Siberia, presents itself as an opportune target (the paper's analysis of Sino-Russian relations, and the history of Siberia, is quite relevant here).

In other words Grauhut, the paper is completely at odds with the notion that the US has, or should have, any desire to occupy or control Siberia. Moreover the paper doesn't view China's efforts in its scenario as beneficial to China vis-a-vis the United States. Far from it.

I must ask why you cited this paper at all. I almost suspect you (if you did read the paper) of deliberately sabotaging the arguments you are presenting! In which case, well done (truly) and I appreciate the citation.

@Wael: Very interesting paper. I got to finish about 14 pages of it (the font sucks on my "smart" device.) One question I have: Why would the DoD make such documents available to everyone? Who's the intended audience? Russia and China can read them, too! Is this a manifestation of the "Capablanca effect"

The short answer is US law. Apparently the paper was responsive to a Freedom of Information Act request, and there's nothing in the paper that could be exempted from such a request as classified. The scenario is fanciful, and the analysis, while well done, does not seem predicated on classified information. The paper does not reflect US policy or even advise on US policy. It represents entirely the views of the authors.

I'm not sure how many people appreciate the extent to which US policy and the US Government is open and transparent. Discussions here often focus on over-classification (which exists) and the leaking of secrets (let me check... yup, definitely does happen), but there's a huge volume of information put forward by the US about everything ranging from its intelligence and defense policies to information it collects about the energy industry. I cannot think of any nation that practices the same magnitude of transparency (without denying, to be clear, that overclassification does occur).

@Dirk: I was impressed with the paper's qualities, but what struck me most are a number of similarities with what is currently going on in Ukraine. Substitute China with the EU/US, and this is some really serious food for thought.

Some enormous differences though. In the paper's scenario, China uses a war to direct and relieve internal tensions. US/EU involvement in Ukraine has been extremely muted, and greater involvement will only exacerbate rather than relieve any internal tensions. The US isn't experiencing any internal tensions the likes of which the paper imagines might cause China to engage in such a war, and neither are any nations in the EU (there are plenty of internal tensions, but not the sort that would be remotely resolved or placated with a war). Finally neither the US nor the EU has any interest in making some historical claim to land or territory in Ukraine, nor in punishing an enemy centuries old. For the US and Europe, this is about the right of Eastern European nations to exist as democratic, self-directed, self-governing entities, not as vassals of a dimly reconstituted Soviet Union.

There is however one key quote in the paper about Ukraine which is illuminating.

In describing the importance of Siberia to Russia and Russian self-conception, the paper draws upon a quote by Zbigniew Brzezinski: Russia without Ukraine is a nation-state, but Russia with Ukraine is an empire.

And that, more than anything else in the paper (written obviously years before the current crisis), in conjunction with its analysis of Russian self-conception, is key to understanding events in Ukraine, including the reasons for staunch US and European resistance at this point.

sceptical • February 3, 2015 5:02 PM

Let me be perfectly clear about one critical issue. Some claim that I make nonsensical assertions with no supporting facts or inductive logic whatever. I empathize with their frustration. This is a regrettable necessity of my Position of Trust with the Counterterror Fusion Center of Landover Mall LLC. I swore an oath, and I am bound by duty and honor to keep it. The Acme Security Guarantee of Timeclock Performance and Restroom Quality imposes tight restrictions on my statements to the press or public.

So yes, it may at times seem that I'm pulling opinions out my ass or making shit up. But you lack the appropriate clearance and need to know. Without my insider access to deep background, or my extensive security experience, you are unable to validate the truth of what may initially seem to be ridiculous bloviation.

Withholding facts and reasons is how we Keep You Safe. Believe me, you do not want to know. I submit that ordinary civilians do not want to take the agonizing decisions involved when a young lady exits the Victoria's Secret dressing rooms wearing four brassieres. You can't understand what's at stake unless you've been there on the ground, at the tip of the spear, when little Miley asks for a Barbie Dream House™, and Santa gets a boner. I stand ready for incident response when school's out, and a group of military-aged-males exhibits intent and capacity to deposit what is termed a payload directly on the seat. I shape, deter, dominate, and disinfect these threats every day. For your protection, I spend 42 hours plus overtime in a shadowy world of danger and international intrigue. You're welcome for my service.

Skeptical • February 3, 2015 6:21 PM

@"Edward Snowden": "When it comes to resources, the US believes in investment and free trade, not conquest and theft. As with all nations, this was not always the case, but it has been the case now for many decades."

Hmm... "Own the Internet", wasn't that on a slide somewhere?

You've heard of the concept of air superiority, or perhaps air supremacy? That slide was likely referring to the cyber equivalent.

It's a very different thing from "owning" in the sense that the Government of Venezuela owns its oil company.

The 'US' is a state. It has no beliefs. It has laws and policies.

Laws and policies that reflect, contain, and often straightforwardly state, beliefs. Obviously the meaning of the sentence you quote is that the US, through its law and policies, supports investment and free trade as a means for the promotion of both prosperity and progress, wealth and human rights, rather than supporting theft and conquest, which go hand in hand with corruption, repression, and greater likelihood of war.

It doesn't take much of a student of history and modern mainstream media to see that unethical actions that equate to 'conquest and theft' have been rather undeterred by the letter and the spirit of the law. And by 'undeterred' I mean- 'implemented at scale'.

It takes a very selective understanding of the topic of discussion to make the characterization that you are.

Grauhut was speaking about US seizure of foreign resources - literally conquest and theft. And at one point the US had policies supportive, indeed encouraging, of conquest and theft. Indeed international law even recognized rights of conquest. But that policy, and international law, changed. In international law, the rights of conquest were abandoned for a recognition of the right of self-determination, something most strongly supported by the United States. Concessions from European colonial powers were only wrung from them by the US due to the strength of the latter, and the weakness of the former, following WW2. Even during the Cold War, when the US sometimes violated this principle for the cause (in the view of the policymakers supporting the violations) of its own defense, one consistently finds the principle playing a strong, sometimes controlling, role in US policy.

As to free trade rather than theft, US efforts in favor of free trade have ranged from vigorous enforcement of the Foreign Corrupt Practices Act (forbidding companies from bribing foreign officials) to the establishment and protection of the very institutions, treaties, and laws that allow free trade to exist.

Those who have made the greatest profits from the internet, and who own huge resources related to the internet today, are not US Government officials (unlike the case in other countries), but private entrepreneurs.

The animating belief behind US policy is that self-interests and ethical values coincide here. That is, that free trade and investment are both in the interests of the US and of the greater world, and that these are also policy choices in keeping with US values.

These policy choices are not altered in the least by the actions revealed over the last 20 months, unless you think that the US has somehow conquered and stolen Google by tapping into foreign cables used by Google.

You can certainly argue about the prudence or propriety of this from a privacy vantage. But in terms of conquest or theft vs. free trade and investment? Not really, unless you want to quibble about semantics (e.g. "the US is 'stealing' data, and therefore has a policy that favors theft"). It's a fair issue in its own right, but it's a very different discussion than the one Grauhut raised by bringing up Siberia.

Skeptical • February 3, 2015 6:27 PM


Time for one more I suppose... this was too entertaining to let go.

@Muppets Attack: This is great. skep still believes S&P, even after they swallowed the banker's CDO assumptions hook line & sinker and totally discredited their sorry bought asses. Speaking of hook line & sinker,

When Russian 5 year debt yields 15%, that means the market has already concurred with S&P's judgment (and with the judgment of the other two major ratings agencies that have the debt one notch above junk). I love the attempt at distraction though.

An economy scrabbling by its fingernails at the brink of recession, self-destructively goosed by official crime in breach of prompt corrective action statutes and Federal Reserve Act Section 14(2), and now, despite the Fed's desperate atropine shots, poised to whipsaw the most volatile component of GDP, investment, as the suckers who levered up to frack get ruined, along with banks and retail investors stuffed with cast-off spread product and beta.

Muppet is trying to talk about the US economy, which grew 2.6% in 2014, and has grown over 13% since the recession in 2009. Judging by the inflows into US debt and equity markets, no one thinks the US is on the brink of a recession.

The Federal Reserve ended quantitative easing (what Muppet calls "official crime" and what the rest of the world calls part of monetary policy) months ago, and is actually poised to raise interest rates.

In the context of portfolio theory, "beta" refers essentially to how a security tracks the overall market. Muppet is referring by this in the above to index funds, which essentially track the performance of a given index (like the S&P 500, a very broad market index). If you invested in such a fund at this time last year, then you've gained 17%. Two years ago? 35%. 5 years ago? 90%. Let's say 10 years ago, which includes the financial crisis of 2008-2009. 70%.

So ouch Muppet, those poor investors in US equities. Let me know when the facts start hurting, and we'll talk about something else.

And why? Because they're tools, immolated by CIA to spite Russia in a loony plan to warp the terms of trade by diverting water from agriculture to extractive industries.

This is great stuff. Maybe a plot for a future Russian James Bond film?

When the mainstream and moderate muppets like skep get creamed for their patriotic but innumerate investment notions, some of the money he loses will be mine. Again. Like in 01 and 08.

The market bottomed in 2009, not 2008, but Muppet knew that.

"entire developed world." and not, as required by the supreme law of the land that skep never heard of, by the security council. He doesn't even know which article of which instrument he's ignorant of this time. Putin's foreskin knows more international law than skep + DoS. And Putin enforces it too. That's why he drives you losers apeshit.

I lack your claimed knowledge of Putin's foreskin, so I'm afraid I have no counter-argument. Victory is yours! Have a good morning.

Dirk Praet • February 3, 2015 7:04 PM

@ Skeptical

US/EU involvement in Ukraine has been extremely muted, and greater involvement will only exacerbate rather than relieve any internal tensions.

Quite right. Which begs the question what on earth folks like US Assistant Secretary of State Victoria Nuland and EU foreign policy chief Catherine Ashton at some point were hoping to achieve by visiting Kiev and openly supporting government protesters. That's like Sergey Lavrov joining in on an Occupy Wall Street rally in New York. Or why the US is now reconsidering whether to provide weapons to Ukraine in its fight against Russian-backed separatists or just increase financial assistance. And what to think of the Ukraine Freedom Support Act of 2014 stating that it is US policy "to assist the government of Ukraine in restoring its sovereignty and territorial integrity in order to deter the government of the Russian Federation from further destabilising and invading Ukraine and other independent countries in Eastern Europe and Central Asia". Which to me reads as an overt green light for supplying advisors and weapons. I wouldn't call that "muted".

And let's not kid ourselves: this is not about supporting Ukraine's right to exist as a democratic, self-governing nation. Neither is it about making claims to its territory. It's about interesting trade and other agreements to tap into Ukraine's natural resources and getting a firmer foothold in the region. All at the expense of Russia that, as you quote yourself, historically considers Ukraine an integral part of its influence sphere, not just for its resources but also for its geo-location and significant population with Russian roots in the Crimea and other contested border regions.

Ultimately it settles upon China's need to direct internal tensions ...

I don't entirely agree with your reading that that's China's only motivation. You seem to have overlooked the part that exploitation of Siberian land and resources does become more interesting due to global warming. Although it is a valid reason. There's quite some analysts out there - both domestic and foreign - that consider China a ticking time-bomb for economic and social unrest. At which point diverting attention away from the homefront is the traditional recipe. Conversely, it's also one of the drivers for comrade Putin in Ukraine.

And just like the EU/US are not making any historical or territorial claims over Ukraine, neither is China on Siberia in the paper. The drivers in both cases are economic and political. A country like Poland would make for a fine US proxy in Ukraine, I suppose.

@ sceptical

Please go away. You're annoying.

Nick P • February 3, 2015 7:10 PM

re language based security
(@ Clive your thoughts on Shen's type system would be interesting)

Recently looked back at LISP and Typed Racket [Scheme] in interest of securing a LISP. That it's the most powerful and productive language ever invented means I'd love to use it in place of Ada or Oberon. Especially integrate it like a high assurance 4GL or MDD tool. Still in conceptual stages there but found some interesting work:

Coding a LISP interpreter in Shen: a case study
http://www.shenlanguage.org/library/shenpaper.pdf

The Shen language aims to create a simple, powerful LISP with optional static typing. The static typing is *sequent calculus*. You can define arbitrarily powerful types to go with your Shen/LISP functions and data. It's tripping up even Ph.D.'s, though, because its underlying theory has almost no exposure in academia. I think it's interesting because of all the specialized type systems that wipe out certain types of errors. Neat to think one could prototype in LISP, just code in an easy to analyze style, and check each function/module/statement with custom type systems for the job. I'm sure there'd be plenty of type system reuse and maybe general ones but the power is still interesting.

Towards a secure programming language - an access control system for Common LISP (2009)
http://www.dtic.mil/dtic/tr/fulltext/u2/a517052.pdf

This work builds an access control model on Common LISP to enforce POLA, demonstrates this with an example application, enumerates some LISP properties that are security headaches, and gives a tagged processor architecture to help solve them. Personally, I think the object-capability model espoused by E and Shapiro's work could be combined with work like this to get an even better option.

Ajhc - Haskell Everywhere
http://ajhc.metasepi.org/

These people trip me out. They're trying to do low-level, kernel software in Haskell for its safety benefits. House operating system team and Galois have accomplished quite a bit in this area. The jhc/ajhc work compiles Haskell into C code with efficiency good enough for some embedded use. They even rewrote an audio driver in Haskell. The most exciting thing, though, was that they are doing what I suggested here years ago: grab the source code of a mature, readable BSD OS (esp NetBSD); rewrite it piece by piece in a safer language; ensure they can connect integrate with each other as you do it; eventually have safer NetBSD. This is exactly what they're doing with their "Snatch-driven development," a term I previously thought only applied to IT teams working for Nevada brothels. Work stalled as they're switching to ATS language: a prover-centric language for low-level and ML-style programming. All interesting.

Buck • February 3, 2015 9:03 PM

@Wael

You wouldn't happen to have any sweet stories about any/some recent synchronicities, that you'd be willing to share, would you? ;-)

Wael • February 3, 2015 10:43 PM

@Buck,

You wouldn't happen to have any sweet stories about any/some recent synchronicities

Whatever do you mean? I hope you're not insinuating this:

"Snatch-driven development," a term I previously thought only applied to IT teams working for Nevada brothels.

Not a problem! I can always find one ;)

That jiggled @Nick P's memory, perchance? :)
@Buck, you're such a troublemaker ;)

gordo • February 3, 2015 10:55 PM

Former FERC Chief Jon Wellinghoff Speaks Out on Grid Security and Distributed Generation
Chip Register, Contributor | Forbes | February 3, 2015

In Wellinghoff’s view, protecting our centralized grid from all forms of attack – from bombings to EMP to cyber – is a never ending journey. We should of course do what we can for now, but the best use of resources is to reconfigure the grid, to change it from a centralized Goliath that can be downed with a single rock to hundreds of smaller grids. These could have thousands or even millions of generation sources attached to them, thanks to rooftop solar, micro-nuclear plants and other innovations in the field.


Ideally, the money we would spend building higher walls, according to Wellinghoff, should be spent incentivizing consumers and generators to invest in these technologies and grid companies to adapt the national infrastructure around them. Only this can ultimately lead us to a safer (and cleaner) place. [last two paragraphs]

http://www.forbes.com/sites/chipregister1/2015/02/03/former-ferc-chief-jon-wellinghoff-speaks-out-on-grid-security-and-distributed-generation/print/

[ This post is follow-up to posts on another squid thread: https://www.schneier.com/blog/archives/2015/01/friday_squid_bl_461.html#c6688230 ]

Buck • February 3, 2015 10:58 PM

@Wael

I would never mean to insinuate anything of the sort! I had just noticed a few of my own lately, and found myself pondering on some of your ideas whilst washing the dishes... As for me making trouble - certainly not to my knowledge! ;-)

Revenge of the Muppets • February 3, 2015 11:33 PM

Here we have skep straining to condescend, arguing interest rates with no evident inkling of maturity structure or duration (Kindleberger just kicked a hole in his coffin in exasperation) and drooling over long-only returns like Grandma does, reasoning from past results at two-sigma extremes of valuation and mean-reverting margins. Perfectly characteristic of the wannabe geostrategists who plot to crush Russia with financial wheeling and dealing but can't understand an index fund prospectus.

Clearly, skep was not in the room when his idols had Russia on the ropes six years ago, with that lethal hot-money tsunami they imagined they'd induced - you know, back before Russia ejected their sorry asses from the Syrian theater, and saved your stepped-on US face with OPCW intervention. Their Doctor Evil fantasies were just as funny then. Well, you had to be there.

Of course you weren't in the room when they hatched that mad-scientist petro/agro gambit. But surely you know who was there, who related it... Don't you? Oh dear, you don't. So much for playing economist. Best try something else.

Ah, skep, let's hope you get lots of MIPRs or graft or whatever you subsist on, because money as dumb as yours is like manna from heaven. Exactly like manna from heaven, come to think of it. Manna is locust crap.

Wael • February 3, 2015 11:41 PM

@Buck,

I had just noticed a few of my own lately,

Ok, let's start from the beginning. Lie on the couch and tell me about your childhood. Snow Moon, eh? :)

and found myself pondering on some of your ideas whilst washing the dishes

Which of my ideas would washing the dishes bring to your mind? I'm rather curious!

Buck • February 3, 2015 11:57 PM

@Wael

Very good questions!
I'll have to follow up later, after some deeper introspective thought... :-\

name.withheld.for.obvious.reasons • February 4, 2015 12:38 AM

@ Skeptical

I am at a loss for where to begin, start, or end--your arguments are so outside the realm of entertain-able that I must pause and give reason to my response.

1.) The U.S. is working from a unilateral position in both law and treaties.
2.) Understanding where the U.S. capital market(s) make hay, leveraging non-direct resources (i.e. debt/credit), and where benefit(s) are given to the top and the risks are transferred to the bottom is necessary.
3.) The bottom never, if ever (French revolution may be an outlier), influences the market(s) to provide benefits to the bottom at the cost of the top(s).
4.) Your delusional sense of fairness vis-a-vis the markets is exceptional--considered that the FED is holding off 5 trillion dollars from the debt off-book.
5.) And, given point 4, who's on the "hook" for that off-book bet...

So as a cartoon character, skeptical is more like a moose and less like a squirrel (especially when quoting a less than 2% a year growth in recent years, try attributing the economic gains by payroll[s]). If you need a clue, try the following:

For the following income brackets track the following:

1.) Percent gain in net income (not wealth) for those making less than 250K a year.
2.) Plot the same for those enumerated in 1, with incomes greater than 250K a year.
3.) Plot co-linear charts (normalized) for 1 and 2, but plot both income and wealth distribution...

name.withheld.for.obvious.reasons • February 4, 2015 12:52 AM

@ Nick P

The attackers have plenty of labor and tool money. So, their odds of discovering something are better. It wouldn't surprise me if NSA tried using a neural net for finding vulnerabilities in *binary* code. Neural net to find it, deterministic tool to generate exploit.

Dude, that is so last decade...there were several companies engaged in that type of activity.

What was that whole World-Wide-Fiber effort back in the early part of the new millennium?

Figureitout • February 4, 2015 12:55 AM

Wael
the programmer is at least just as faulty.
--That's something Nick P seems to have a problem coming to terms w/. Code-cutting is only ok when you reach a certain level (am I going to "re-implement i2c & spi routines to get in the f*ckin' chip? I thought initially all i2c & spi routines would be like exactly the same for different chips, nope different...How can I "code around" hard limits like registers and "ports"? RF protocols are hard to change too, can tweak, but not big changes. You reach a certain limit, it's the "driver" code. Am I going to write better code than the damn embedded engineer at the company?--Maybe if I'm that good, which I'm not yet.); and it's a bad thought thinking how much code you never look at and rely on...

Clive Robinson
Read it and weep...
--Uhh, my eyes are dry. You'll probably do a quick "cringe" (I made a joke last time you posted something about M#, and in US that's the "pound sign", so MS has a language that "impounds" the programmer lol, and for WinCE, uhh you know when a person winces lol) when I say this is what's good about the market. I won't buy that sh*t lol. Embedded Windows...just no. Windows is a good operating system for "using" and not taking care of that sausage sh*tshow beneath the screen, Unix and all the derivatives is nice for "really using"; terminal is way better, in pretty much every way. But all the major chip companies have Windows as a big target for IDE's which, I'll be honest, I do like having those "cushy squishy GUI tools" to program the chip. Actually fun, and if I need to see a file immediately and the IDE can go to where I need to, that's nice (otherwise I have 3 screens, which I do, which is still not enough for files I need to see all the time).

I wish MS would focus on making WindowsXP better and not Windows 8, or even 9, 10, I don't care; it's getting worse. The frickin' "app screen" or whatever on Win8, f*ck you; terrible idea. Now I got to install another program just for my start menu?

Looks like Windows is opening up .NET too (my little G/FSK thing needed .NET...), /r/programming is going nuts over it: http://www.reddit.com/r/programming/comments/2unrll/net_core_is_on_github/

http://blogs.msdn.com/b/dotnet/archive/2015/02/03/coreclr-is-now-open-source.aspx

Regardless, I'm just looking at FreeRTOS for the arduino nano, just got a nano, not bad (has FTDI USB chip however, not cool w/ companies that think it's ok to brick customer's hardware). This is how I want my 1st computer, just a single SoC, breadboard pinouts, maybe microUSB, physical flashing buttons. Just looks silly w/ a big keyboard and I want a screen for such a tiny board lol.

RE: neural chips
--I say, how about we understand the brain before trying that, eh? We don't even understand the brain, and that's a "whole 'nother can o' worms" I don't want to touch. It's a squishy machine that evolved itself (maybe, we don't f*ckin' know), electrical impulses that can see/touch/taste/hear/smell. All I'm saying is I don't want to be the guy debugging problems on those chips.

Hey, I know you like PIC. I always keep a long list of projects I want to do, some I actually do, others just read and think for later. But I got some OTP-PIC chips w/ *small*, and I mean small amounts of memory (192 bytes of RAM, can't recall ROM size, but not large at all). I haven't messed w/ PIC at all, and I'll need a dev board, but what kinds of things can you do w/ such a small size chip that's, you know...usable? One thing I think of is a voltage regulator, like 5V (I always need another frickin' power supply). Just driving LEDs I don't care about, or just flicking a relay (maybe, but not really). If I can have I/O routines in there, like an OTP I/O interface, that'd be really nice. Have you done any really small PIC projects that were actually useful?

Nick P
you have to know what to implement and then implement it right
--Hurr durr, people can keep saying that and not even know what it means, then rely on a faulty implementation they don't understand. Abstracting away memory problems that are the programmers' responsibility will *in due time* mean that eventually programmers won't even know how to check for memory errors or even know when it's happening. Look at where we've come from and where we're going. I'm kinda pissed, I wish I lived before internet and around 1970's so I could get a good grip on what computers actually do w/ hard constraints and appreciate the complexity than get spoiled as a kid and have to go back and force myself to learn a lot.

there's an article out there showing Ada use would've prevented Heartbleed
--Oh really, and you couldn't find it in your link farm? How many new bugs does that expose to me then? Maybe b/c almost no one codes Ada, b/c maybe...no one likes it? If I want to jump to a subroutine, I want to use a bracket, not a frickin "end loop, start this, end that".

Oh so many successes, how much exposure has Ada really had to attackers? Probably mostly the ones that'll be "in & out" anyway. It remains to be seen just how many bugs can be exploited in the type system due to the rarity and very low use "in the real world". Essentially relying on obscurity to make its claims now, won't last long.

Oh "empirically shown", shove it. I want real field testing, not some fruity theoretical "this is how it should be" crap. B-b-but 1.37 times more cost effective--STFU. How much does it cost to learn, and are there ANY tools to do anything? Have to make the tools myself, eh? That's a huge cost to me, now let's multiply that by 1.37*10^9 for a company.

Feel free to keep trying to find selective, anecdotal, and even highly made up (tedu) evidence
--Oh I will, evidence is evidence, whether you hand-wave it's anecdotal or not.

make NSA hackers smile at their new boxes. ;)
--And I'm sure they're smiling when they infect DARPA machines and DOD machines and infect their dev PC's for the type system. Probably smiling when the NSA computers themselves are infected lol or they imported viruses in their surveillance (ever think of that?). I think NSA has enough problems to deal w/ besides infecting its citizen's PC's like insider threat (Snowden doesn't talk, basically exfiltrated an enormous amount of data, moles can do the same, probably already have). Winky smiley right back at ya ;) I'm used to all kinds of stupid attacks that do nothing and having my PC's taken over (and moving). I appreciate the free training and studying more and more attacks (thank you may I have another! :p).

RE: Shen
--Oh here's a little excerpt you may want to re-read:

Most Shen programmers elect to work with type checking disabled. But more seriously, students who do elect to use it may try to circumvent the type checker by 'force feeding' the system in an attempt to beat the type checker – viewing it as an antagonist rather than an aid. It is fairly easy then for the programmer to poison, either deliberately or non-deliberately, the logic engine and thus produce a spurious verification.

--Huh, how about that? They didn't like the type system and tried to actively "break out of it".

RE: dtic paper
--That paper sucked (clicked x-box), dumbass smiley graphics "Carl playing Cmdr".

RE: Ajhc
The jhc/ajhc work compiles Haskell into C code with efficiency good enough for some embedded use
--Why compile to C code? Why not straight assembly? Won't that just embed unsafe code right beneath you? It just adds another component to fail and debug.

When all the Lispy type systems get some real exposure, we'll get to see all the bugs it has and all the hacky-patches added like every other computer system keeping it together. B/c our knowledge is incomplete and we don't understand. It's not a double standard, it's a single one. Our computer designs are not elegant, are not "engineered", merely hack-n-patched, and can fail w/ the smallest most basic of errors. They suck still, and they will for a long time, probably forever.

Wael • February 4, 2015 12:56 AM

@Clive Robinson, @Nick P, @Figureitout, @name.withheld.for.obvious.reasons,

Thus we need a new way to do things, which is what caused me to think about the Prison idea where the functions of what is effectively a scripting language are written by security specialists in a way that ordinary coders can use safely.

Some manifestations of the prison idea have been implemented before, although it would seem at a subconscious level, as an implementation of a security mitigation tactic. That is a bottom up approach. Some OS providers, for instance, noticed the dangers of allowing third party developers to implement device drivers which sometimes caused severe system stability issues and possibly kernel integrity breaches. In addition to unintentional serious bugs, kernel mode driver development freedom allowed malicious developers to create root kits by using tactics such as Direct Kernel Object Manipulation. Some OS providers considered imprisoning developers by limiting a portion of device drivers to be implemented in "User Mode" -- "Kernel Mode" device drivers would be no longer allowed. Developers would be deprived of tainting the kernel. This is one manifestation of a Prison, synonymous with "limiting the freedom" of developers. This approach, however, is rather reactive. Going Top down is a different approach -- a proactive one, where one uses the Prison construct as a Security Design Pattern. The Prison can have several manifestations, of which the above is just one possible understanding of many. Some manifestations or application of this design pattern will be easy to implement; other manifestations will be difficult or expensive.

The same thing applies to security principles. Take POLA, for example. One can apply it at different levels; hardware, software, functions and methods, classes and interfaces, error codes, etc... The application of a "Security Design Pattern" (of which the Castle and the Prison are two patterns) can follow a similar path as "Software Design Patterns" and "Principles of Security"...

Wael • February 4, 2015 1:06 AM

@Buck,

Okay, how about this:

so MS has a language that "impounds" the programmer lol

And this:

Some OS providers considered imprisoning developers by limiting a portion of device drivers to be implemented

How about that for a recent synchronicity. One minute apart, too!!!

Wael • February 4, 2015 1:12 AM

@Figureitout,

That's something Nick P seems to have a problem coming to terms w/

Patience, grasshopper... patience. Give him a couple of years :)

Figureitout • February 4, 2015 1:40 AM

Wael
Some manifestations or application of this design pattern will be easy to implement; other manifestations will be difficult or expensive.
--Which ones? It's kind of hard to even approach w/ any confidence when you can't even trust your tools, any chip could have a malware in today's environment, even in a f*ckin' digital multimeter giving out false values. That's just...that's evil. False data, that'll lead to false science. Now expand that to other highly complex tools necessary, and this is where it gets so damaging...Can't even trust my tools! What the hell...

Patience, grasshopper... patience.
--I don't have a patience lol. Frickin' now, want it now. I want to be alive and experience it, not dead...

Wael • February 4, 2015 2:33 AM

@Figureitout,

Which ones?

This, at the moment looks relatively difficult to implement, although I had shared something similar at the principle level subsequently. For the "easy" ones, I just gave an example of the "User Mode" device driver. But to see that, you'll need to look at it from the "Owner's" perspective (The OS supplier, in the earlier example.)

You, as an owner of the system, have neither complete nor exclusive control on it, nor do you possess complete awareness of the weaknesses, threats, backdoors, etc... Rather difficult for an individual without a component that the "owner" - you - has control over. Remember the example I posted about the "Secure" texting thingy? I previously linked to it several times.

Was hoping to dodge the C-v-P discussion until I have a coherent picture to share, but the subject comes up often. Who knows, maybe I'll discover it's a pipe dream caused by a second smoke whiff from my sockpuppet... Even if that ends up being the case, I don't think it's wasted effort; I learned and shared something ;)

steve • February 4, 2015 5:45 AM

"Muppet is trying to talk about the US economy, which grew 2.6% in 2014, and has grown over 13% since the recession in 2009. Judging by the inflows into US debt and equity markets, no one thinks the US is on the brink of a recession."

The US economy has never been better. Modern economists believe debt and equity have an inverse relationship. When money flows out of equity, money flows into bonds; vice versa. Reality is only slightly different.

Thoth • February 4, 2015 7:56 AM

Signature for February 2, 2015 8:45 PM


Signature for February 3, 2015 3:48 AM


Dirk Praet • February 4, 2015 11:19 AM

@ name.withheld.for.obvious.reasons

There is indeed more to the good news show than meets the eye. The gap between rich and poor is steadily growing and there's an $18 trillion elephant in the room that everybody keeps ignoring. Unless current policies are drastically changed, US debt is projected to keep growing at a steady pace until eventually a Greek scenario will present itself. Dick Cheney may still think that deficits don't matter, but a debt bigger than a nation's GDP sooner or later always blows up in your face. Ask any country that's been there.

Nick P • February 4, 2015 12:03 PM

@ name.withheld

The question is what tools and at what quality *they* are using. Now *I* have been aware of insidious methods for some time now. ;) It's why I advocate building software with tools that eliminate such things by design. Their labor and incentives are a force multiplier defenders using manual methods will never keep up with except for rare, limited cases (eg qmail, GPG).

Btw, since you helped review a tool, here's a gift or two to help with your various embedded efforts. Galois stays kicking ass in practical and assured development. Those might benefit your own work.

@ Figureitout

"That's something Nick P seems to have a problem coming to terms w/"

Nah, that's a lie you're telling repeatedly to justify your claims. My security framework has a bunch of human-centered activities with implementation being just one part of it. All the activities must be performed correctly. Then, I add that some languages make the implementation safer and you start talking like the programmer should worry about a million things unnecessarily instead. You also write as if I haven't said anything about the other things. All quite deceptive to support your view that weak tools and strong tools are the same. Or recently...

"Code-cutting is only ok when you reach a certain level"

...that anyone using strong tools is a code cutter. Au contraire, why would you force a master craftsman to waste time with subpar tools? You're really saying Wirth's Oberon systems were code cutting because he used a safe language? MULTICS and 99.999% uptime mainframes are code cutting because they used PL/I-style languages? The SPARK implementation of Bruce's Skein algorithm is code cutting compared to the (flawed) C version? Compared to these, all these C/C++ apps and Linux systems look positively hacked together with all the maintenance and security troubles one would expect.

"Oh really, and you couldn't find it in your link farm?"

I found three from the 90's. They're all dead now. Common problem with things from the Old Web. Wayback can only keep up with so much. Personally, I'd rather do new studies on the modern tools to see where they're at. New C++ standard borrows a bit from Ada and even functional programming. Should improve quality & productivity over previous standard. Ada 2012 design by contract, which Eiffel already proved out, will make it kick C++'s ass in software maintenance and preventing interface issues.

Note: That people often download and fail to compile C/C++ applications without hitting forums with questions says plenty about that toolset. Rarely have that experience in type safe, better integrated languages. (Not including Java for this claim...) Those apps just run.

"Abstracting away memory problems that are the programmers' responsibility will *in due time* mean that eventually programmers won't even know how to check for memory errors or even know when it's happening."

So, given that claim, the mainstreaming of things like Java and PHP means there should be nobody right now that knows that stuff. And yet there are more people using C/C++ and doing low-level coding now than ever. Reason: people choose what they want to work on, with what tools, and so on. Plenty choose low level, memory managed stuff. Another false claim you use to push for a lack of memory safety for majority of apps.

"Oh so many successes, how much exposure has Ada really had to attackers? Probably mostly the ones that'll be "in & out" anyway."

No, not the riff raff out in the wild and I wouldn't feel better if it survived such low caliber people. Professionals have used it for decades, though, in safety- and security-critical applications. A high assurance A1-class runtime was also built a long time ago. That's the level NSA pentesters often gave up on and that runtime secured arbitrary Ada programs. So, there's your upper bound on what it can do if you design it that way. Whereas, C/C++ "sandboxes" on C/C++ "hardened OS's" continue to be smashed in more and more clever ways [that often don't apply to safer languages].

Note: Main risk is the complex compiler. I'd build a tool to convert Ada to a C subset that preserved its safety checks. Then, run that through CompCert. Compilers need more security analysis, though. Runtimes get plenty of effort in quality improvement thanks to DO-178B, etc.

"Oh "empirically shown", shove it. I want real field testing, not some fruity theoretical "

Now I know you're so biased you're not even trying to think or check sources. In that paper & programming in general, empirical evidence means the results of work in the field: watching people use the tools for similar projects, measure the results, and comparing. Every study showed Ada programmers outperforming C/C++ programmers in productivity and defect count. This included when they were C/C++ programmers that just learned Ada. Says a lot. Likewise, Coverity's automated defect hunting tools show that Python code is currently the safest in the entire industry due to good language design. Similar for LISP and even Java [in hands of at least average programmers].

It would make sense if people still used C with FFI for absolutely lowest level or most performance critical algorithms of the system. LISPers, Smalltalk, functional programmers, etc often do. Yet, the empirical evidence against it in general would argue for using the other stuff wherever possible. Given the better languages have been used to write OS's and mission critical applications, I doubt the person developing the next BitTorrent client or web app really has much excuse to use inferior tools.

Conclusion

Using good tools to do better work isn't dumb: it's common sense in most industries. Even mainstream IT has learned this lesson. Sooner INFOSEC developers do, sooner we can get more robust stuff out there.

re other links

Shen
"Huh, how about that? They didn't like the type system and tried to actively "break out of it"."

Glad you noticed my actual point that time. A type system so powerful, yet too unusable for even most mathematicians. How to fix that (the mathematicians' education and/or type system) is an open question. Yet, I figured more openminded people with a math background might have clever ideas for how to use or improve such a powerful type system. This is what happened with provers in general. Started out as horrible, several hundred page long, handwritten monstrosities. Now, we have compositional, machine checked proofs and lightweight, automated tools like SPARK. Shen might have potential given a lot of work.

"That paper sucked (clicked x-box), dumbass smiley graphics "Carl playing Cmdr"."

In other words: "I neither liked the author's presentation style nor understood enough about LISP programming to assess his work. I have nothing further to add."

"Why compile to C code? Why not straight assembly?"

Because C is a virus that spread to about every platform and toolchain. There's more work on C compilers than anything else. So, the easiest route to get from a HLL to arbitrary assembler is to compile to a safe, efficient C representation. Usually includes the runtime, bounds-checks, etc. I used to do this with type-safe BASIC and even LISP. Matter of fact, Chicken Scheme compiles to C with some of the best speed in the industry.

Coding directly in it in general is a sin given modern tools. Leveraging its multi-decade-optimized toolchain in a safe way is smart if one has limited development resources. Many do both: one to C for portability and one to a few native targets for hopefully better results.

Don't worry, though: LLVM bytecode is catching up as the new cross-platform assembler. There's already a formal semantics for it in the works. The safest language out there, Haskell, was already integrated with it. It's a major experimentation hub for optimization, program safety, and so on. Apple's dependence on it ensures it gets funding and improvements. Will only get better.

"When all the Lispy type systems get some real exposure"

They did get exposure to some of the best minds in the history of Comp Sci: the artificial intelligence field. Flaws will be found and corrected as usual. Used properly, though, LISP is dynamically and strongly typed: immune to vast majority of problems C/C++ languages experience without much effort on developer. Crashes in C/C++ are usually correctable exceptions in LISP that can be fixed while app is running. Its internal representation and evaluator has also been implemented in hardware before: risky native code was unnecessary. There's also been security kernels and mathematically verified runtimes/compilers.

Despite designed opposite of security, LISP variants have actually achieved a lot more than C/C++ in that area with tiny funding. Quite impressive for a list processing language from 1956. It's why I keep my eye on security-oriented papers for the event that someone finds better model for securing it. Absolute, sheer power plus security plus productivity plus good performance would be a dream come true. I'll keep dreaming and waiting until these younger researchers in FP field invent it. They're always inching closer.

@ Wael

"Some manifestations of the prison idea have been implemented before, although it would seem at a subconscious level, as an implementation of a security mitigation tactic."

Sandboxing, "safe" interpreters, Google's Python clouds... examples abound. Not bottom up, though: hacks to make unsafe code above work on unsafe platform below. Occasionally done bottom up: microkernels, type-safe OS's, capability machines, crypto per page machines, etc.

"Some OS providers considered imprisoning developers by limiting a portion of device drivers to be implemented in "User Mode" -- "Kernel Mode" device drivers would be no longer allowed. "

POLA principle implied user-mode components. Typical microkernel approach. Even better models are lightweight formal verification (Microsoft) and synthesis from VHDL (NICTA). Btw, little known is that Microsoft from Vista onward changed drivers so they'd be mathematically verified to a degree. The verifier creates an abstract interpretation of the driver, models its interaction with Windows kernel API, and finds any risky interactions. Distributed free with Windows SDK. This is why we see so little driver failures and blue screens in modern Windows despite most running in the kernel. A little known and very successful use of higher assurance software methods by the last company you'd expect it to come from. ;)

"Going Top down is a different approach -- a proactive one, where one uses the Prison construct as a Security Design Pattern. The Prison can have several manifestations, of which the above is just one possible understanding of many."

You mostly just described POLA principle as it's been used over the years while renaming it Prison. That's some innovation. :P

@ Thoth

"MingW32"

They'll just hack your box and delete the original. You better have offsite backups for whatever you're notarizing. :P

@ All

This discussion reminds me of Paul's excellent and enlightening essay about how UNIX turned into a pile of "festering hacks" nobody really understands. His claim was that modern developers raised in the bazaars wouldn't know what a cathedral or good design looks like if they saw it. So, how could they be expected to build one esp working with bazaar's offerings?

I think the concept applies to languages: some tools are better for building cathedrals than others. The tools' inherent attributes map to inherent qualities of a cathedral. No surprise that much C/C++ code ends up in bazaars and horrendous proprietary software. The few counterexamples are produced by elite programmers.

Wael • February 4, 2015 1:25 PM

@Nick P,

Sandboxing, "safe" interpreters, ...

No argument there!

You mostly just described POLA principle as it's been used over the years while renaming it Prison. That's some innovation

I'll need to reread my comment later to see why it came across to you that way.

stephen • February 4, 2015 1:40 PM

@ When the Cookie Jar is Empty
"Is this a joke?"
"When the FED forces interest rates below the natural rate, they are in effect telling the world that all is well and that there is plenty of saved wealth available for consumption and risky, long range investment."

Your points are well-articulated until you made the assumption, like our dear friend here will too, that the FED forces interest rates, while in reality a play on discount window.

Nate • February 4, 2015 4:45 PM

Aaaaaand he's done. Guilty on all 7 counts. A smoking crater so deep it makes me wince, but unfortunately he brought it on himself.

http://arstechnica.com/tech-policy/2015/02/ulbricht-guilty-in-silk-road-online-drug-trafficking-trial/

Not at all a surprise, but this was a case that had to happen just to demonstrate that yes, the police CAN Internet. If you hang up a flashing neon sign above yourself saying "Criminal Kingpin Loud And Proud", you may very well attract attention.

Also, as experts have been saying for a long time, Bitcoins are exactly like Jacob Marley's chain made of lockboxes. All your transactions follow you forever and they WILL be presented as extremely strong, cryptographically non-deniable evidence at your inevitable trial. Best not to use them for anything you wouldn't want your mother and your great-great-grandkids to know about.

Dirk Praet • February 4, 2015 5:34 PM

@ stephen, @ When the Cookie Jar is Empty

Your points are well-articulated until you made the assumption, like our dear friend here will too, that the FED forces interest rates, while in reality a play on discount window.

I'm not sure what you mean by that. Of course the FED manipulates interest rates, as do other central banks around the world. The mechanics are relatively simple. By lowering interest rates, it becomes cheaper to borrow money and less lucrative to save, encouraging individuals and corporations to spend. So, as interest rates are lowered, savings decline, more money is borrowed, and more money is spent. Moreover, as borrowing increases, the total supply of money in the economy increases. So the end result of lowering interest rates is less savings, more money supply, more spending, and higher overall economic activity.

Other tools available to the FED to manipulate the economy include open market operations, adjusting banks' reserve requirements, influencing market perceptions, auction facility and term securities lending facility.

Buck • February 4, 2015 7:22 PM

@Wael

Ha! Yeah, that was a pretty good one. ;-)

For me, washing the dishes is kind of a monotonous task that requires little concentration, which frees my mind to wander... So, none of your ideas in particular, I was just wondering what you were thinking at the time (sorry if that sounds creepy ;-)

As for the 'Snow Moon' reference... Well, haven't you heard that strange things can happen when the moon is full?

Did Wael's cryptic comment during the 'Full Cold Moon' predict the coming thaw in U.S. - Cuban relations?

Wael is reminded of an old post during the 'Full Beaver Moon' (which was also posted just before a full moon)

After a brief hiatus, Wael returns during the 'Full Hunter's Moon'

He also makes a brief appearance just days before the 'Full Harvest Moon'

Imposter Wael waxes and wanes on about thoughts of C v P and the delight of limericks during the 'Full Sturgeon Moon'

Wael has a bad day during the 'Full Buck Moon'

Buck takes too long to reply to Wael during the 'Full Strawberry Moon' (followed by an interesting discussion about 'moon bounce')

Wael and others take sockpuppets to school during the 'Full Planting Moon'

Buck makes an observation about Heartbleed that no one seems to have noticed after the 'Blood Moon' (Sorry, I couldn't find any good one for you here, plus google said my search patterns were fishy and made me fill in a CAPTCHA - must be because of the eclipse ;-)

Wael and others get conspiratorial during the 'Full Worm Moon'

Wael's only post during February comes just before the 'Full Hunger Moon'

Wael was very active during the 'Full Wolf Moon'

Thoth • February 4, 2015 8:30 PM

@Nick P
Thanks for the reminder. Windows, Open/Free/NetBSD or not, all machines and OSes are compromised (assumption). I wish there is a stronger scheme and MSA(at least)-resistance machine. I have been looking at using things like RPi and reading up their CPU cores and hardware and sadly they all are in bed with the HSAs. Broadcom cores or outright ARM cores on most Arduinos, RPis, Beagleboards ... All those are HSA-friendly. I did look into using HSMs since that's my current day job and I get to handle them daily but they are not as "rigid" and "resistant" as most people like to think. Smartcards, tokens, what you can think of that is convenient is not going to be comfortable.

I did think of using a multiple quorum based smartcard and write my own codes to do a quorum based digital signature scheme but the endpoint (the PC running the software) is the biggest weakest link regardless of the OSes onboard as we all gladly know.

It's hard for much assurance to be done other than picking up a person's handwriting and format of writing style and also the person's attitude and psychology from his/her posts over time.

I will use another signing scheme to prevent flooding @Bruce's commentaries from all my GPG4Win signed post. I will sign my posts every week on my website instead with a link of "https://askg.info/forum/bruce/" as the base directory and every month per txt file. The link is under construction.

I would still like to remind and refer to RobertT's statement (forgot one of his post) that trust should start from the most atomic levels (hardware).

Anyone who has a good scheme to practically use cryptographic keys on a somewhat more trusted hardware would be more than welcomed to post them here or mail me at "info@askg.info". I would not accept any form of non-plain-text (.txt with UTF-8 encoding or ASCII) attachments.

Wael • February 4, 2015 10:33 PM

@Buck,

As for the 'Snow Moon' reference...

I'm amazed. This requires some serious analysis... Seems you're a third order thinker! Stay tuned (before the next full moon!)

Wael • February 5, 2015 12:06 AM

@Nick P,

You mostly just described POLA principle as it's been used over the years while renaming it Prison. That's some innovation

I don't see how my comment can be viewed as renaming POLA to "Prison".

Nick P • February 5, 2015 12:29 AM

@ Wael

Device driver developers forced to use usermode as example of prison pattern. That's actually a POLA and reliability pattern.

Limiting freedom of developers is a common use of both type safety and POLA. These are often combined for prevention and damage containment.

The one thing in your comment different from traditional POLA is the line "Prison idea where the functions of what is effectively a scripting language are written by security specialists in a way that ordinary coders can use safely." It seems to be compatible with POLA concept but sufficiently different from normal implementations to give it a new label (or category). That said, it's still similar to the old safe, scripted execution environments people prototyped during the Agent-oriented Computing paradigm fad of the mid 90's. They combined sandboxing, scripting, and restricted interfaces in the hope of having mobile agents replacing client-server apps. That didn't happen but many of their concepts were rediscovered over time in other things.

Wael • February 5, 2015 1:05 AM

@Nick P,

Device driver developers forced to use usermode as example of prison pattern. That's actually a POLA and reliability pattern.

True! No disagreement!

Limiting freedom of developers is a common use of both type safety and POLA. These are often combined for prevention and damage containment.

Also true! But I said: Some manifestations of the prison idea have been implemented before, although it would seem at a subconscious level. A prison is manifested by the application of a subset of security principles to a component or a subsystem. For example, to implement a type of prison, one may need to apply the following set of security principles: POLA, check at the gate (trust boundary interface,) trust no one, etc... The first example you gave: That's actually a POLA and reliability pattern, isn't just one "scalar" principle. That's why I said at the "subconscious level". The intention is the same, but the approach is different.
A design pattern is composed of a subset of security principles acting on an "entity" to achieve a desired behavior. If principles are bricks, then the prison is a building (to over simplify.) When you have these "Security design patterns" of which we only discussed Castles and Prisons, and occasionally a highway, we can then compose systems at the pattern level: Castles within a prison that contains other prisons on top of castles, etc... Think of principles as low level assembly instructions and design patterns as high level instructions (your favorite ANSI 'C', of course.) Sometimes a single principle will map to a single "Pattern", in which case your comment (Prison is an alias of POLA) would be applicable.

WaelFebruary 5, 2015 1:53 AM

@Nick P,

The one thing in your comment different from traditional POLA is the line "Prison idea where the functions of what is effectively a scripting language are written by security specialists in a way that ordinary coders can use safely."

These were @Clive Robinson's words. I only commented on them.

ThothFebruary 5, 2015 2:14 AM

Request for Papers:
Anyone interested in writing papers and wanting to publish them on the security website I created may like to consider these subjects I am currently looking for papers on. You may submit some other topic not included below.

Topics of Interest:
- Anonymity while using Digital Signing Keys.
- 6 degrees of Separation and Mass Surveillance.
- Security System Architecture: Castles, Prisons, Interstates and more...
- State of Current Scripting & Programming Languages in the Insecure World.
- Hardware In/Security.
- Dummy's Guide in the Mass Surveillance World.
- Communication In/Security.
- Cryptovirology/Kleptography.

Format:
- Semi-formal/Formal (with Abstract, Models and so forth).
- Algorithms are welcomed but not fully required if not needed.
- Publication Criteria: https://askg.info/paper/pub-criteria.html

Intellectual Property of Papers:
- All IP rights, patents, trademarks of authors would fully and rightfully belong to the author.
- If the work you publish does not belong to you, please set a note so I can approach the original author for publication rights.

Publication License Agreement:
https://askg.info/paper/pub-criteria.html

Clive RobinsonFebruary 5, 2015 7:57 AM

@ Thoth,

I would say it is or soon will be a case that all SoC based computers will be compromised in some way. Likewise the OS, even Open Source OS's, just a look at various "code libraries" has shown they have either been compromised or have coding failures that are indistinguishable from a cleverly crafted and deniable compromise. Even "the father of Linux" had to get a further education on random number generators (or that was the way it appeared to play out). So even the best of programmers can make assumptions and thus mistakes that critically affect security one way or another.

Thus as far as I'm concerned, trying to make ICT systems secure down to the physics, even for a domain expert is not something that is achievable, because of two fundamental issues,

1, The first is you can not "see everything" with your own eyes.
2, The second is issues around A) known knowns, B) known unknowns, C) unknown knowns, D) unknown unknowns, that exist (and always will).

Thus trying to make a system default secure either by bottom-up or top-down methods will fail, no ifs no buts no maybes (anyone who believes otherwise go back and re-read the above until you get it.).

Thus we have two major issues to deal with,

i, The hardware can never be fully trusted.
ii, Even the most knowledgable of designers do not have the knowledge to make systems secure now or into the future.

Yup sad but true, and no amount of arguing will change that. Oddly we accept this in humans and financial investments but apparently we can not accept it in our ICT systems. Why I have no idea, but it is most certainly causing more significant harm than a belief in "perpetual motion", which those "more sneaky" are using to their advantage (see what happened to English King Richard) and other "advisors behind the throne".

So "What to do?", surprisingly perhaps we have known for longer than computers have been around. Those involved with "secrets" have long known the first part which is "Trust but verify". Those involved with business have known for centuries if not several millennia the second half which is "mitigation" or not as the ages old saw has it "Don't put all your eggs in one basket".

The trick is not to rely on "trust" but "mitigate and verify" anything an "agent" does for you.

Knowing this and one or two other tricks --such as "divide and conquer"-- allows you to build systems that you do not have to trust the components of implicitly but will give you the levels of security you might want. Thus you don't have to start at the very bottom and do the impossible, but can instead pick a point quite high in the computing stack and work either way above that point.

In essence as @Wael is "slowly"[1] realising this is how my "Prison" system works and the implications of it. One major benefit is you can still use the likes of POLA and those ideas @Nick P and others talk about --which don't work on their own-- within the Prison framework and get not just the level of security you want but importantly at a "sweet spot" that can not be offered reliably in other ways. And like many such "sweet spots" at lower cost than any other individual methods price point.

[1] Wael, it was you who posted a link for @Figureitout just the other day to a thread more than two years old where you said you would think about it and get back to me later, so you only have yourself to blame for the "slow" ;-) Seriously though I would not expect anybody to pick it up quickly because just about everybody these days is sailing on either the dangerous downwind tack or trying to beat into the wind instead of the fast and efficient and safer reach on the "beam of the wind". You have to go back to the work done in the 1950's through 70's and as @Nick P oft points out read it, and understand it, because they might not have known everything, but what they did know is increasingly a "lost art" in our contemporaries.

ThothFebruary 5, 2015 9:58 AM

@Clive Robinson, Nick P, Wael
Any thoughts of using the Lemote (http://www.lemote.com) brand of computers for more privacy related stuff? The bulk of the Lemote's CPU processor chips are outsourced to ST Microelectronics and the other bulk by the Chinese's own fabs.

The concerns are now Chinese backdoors (Lemote's) or FiveEyes (ARM, Intel, AMD, NXP, ST's own CPUs...) which is the "lesser of two evils" when both are just as devilish.

These Lemote's stuff mixed with proper OPSEC, Guards, Data Diodes (although the same is applicable for computers with common FiveEyes backed chip products) would have better advantage or not?

As @Nick P has pointed out, to do proper crypto key management and usage, a common computer wouldn't cut it and I reminded that whatever the case and @Clive has also pointed out, the open source or closed source OSes and components are pretty much insecure to certain extents too... it's just how much influence the FiveEyes and HSAs have decided to invest. For now, I would assume the FiveEyes and HSAs' targets would be common computing equipment easily bought off the shelf and downloaded off the websites (Apple, Intel, ARM, HP, Dell, Acer, Asus, Nvidia, AMD, HTC, Samsung, Motorola, Nokia, Blackberry ... etc ...). My guess would be to look at the other direction where they have lesser focus (security by obscurity) since it's still a sooner or later issue when the FiveEyes realize more people are flocking in the other direction and start pumping cash into corrupting them all.

Making a chip on your own to do asymmetric and symmetric key operations plus protocols like PGP, SSH, SSL/TLS ... wouldn't be very feasible. The only way out would be to pick the less likely targets and put them together in a bunch of differing trust level objects to play their crypto games over a quorum to do key operations (close to @Clive's Prison model). My idea would be to use a lesser known hardware computer and over a quorum of smartcards each from different vendors to contain a quorum of keys for crypto operations and another quorum of another set of smartcards using a huge variety of brands for containing quorums of unwrapping keys but the scheme would have to hinge on a center piece which is a "higher trust" computer off the network to combine all the functions.

Would that be possible, @Clive ? Or is there a better scheme ?

Nick PFebruary 5, 2015 12:02 PM

@ Thoth

The simple route is to put whatever assurance you can into a diverse piece of hardware in combination with a guard or diode. The Tinfoil Chat Architecture can be used with GPG, for instance, to accomplish same goal. The guard strategy would be a simple, embedded device with programmed I/O on each side. The device carefully moves data between systems following a security policy. Policies might include data diode (strict one-way), network pump (allow TCP ack's), or full two-way communication with strong restrictions on types and destinations of messages.

Mike the Goat, Clive, and I have all described setups like this at times. We all used serial ports for transfer at some point. However, Clive has described IR ports for enhanced speed w/out as much EMSEC issue and I once used IDE in PIO mode for (20-40Mbps?) non-DMA link. Requirement is that Internet-connected transport computer must convert incoming messages into simple format to be sent over simple non-DMA protocol. You also need to be able to do some low-level coding (and correctly) for the guard. Good news is that a number of microkernels already have serial or IDE drivers with support for ARM. So, an ARM microcontroller board (fresh or repurposed COTS) is a start.

One air gapped system concept of mine was a PS2 behind a guard. The PS2 is a MIPS system capable of running Linux, connecting a keyboard, and being networked. They also keep getting cheaper. ;) You can do same thing for Dreamcast (SuperH) and PS3 (PPC). Then, there's Palm Pilots, graphic calculators, and pretty much any Linux-enabled toy device with communications hardware. All of those are very unlikely to be subverted. Additionally, many microcontrollers are Harvard-style architecture which can reduce your risk depending on how they modify the architecture.
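
Added example, not part of the comment thread and not anyone's actual guard code: a C implementation of the three guard policies listed above (data diode, network pump, restricted two-way) applied to a simple length-prefixed frame. The frame layout, the side and policy names, and the destination whitelist are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example. Frame layout, side names and policy names are assumptions:
 * wire frame = [type][dest][len][payload ...], with len <= MAX_PAYLOAD. */
enum side    { SIDE_NET, SIDE_SECURE };           /* link a frame arrived on */
enum msgtype { MSG_DATA = 1, MSG_ACK = 2 };
enum policy  { POLICY_DIODE, POLICY_PUMP, POLICY_TWO_WAY };
enum verdict { FORWARD, DROP_DIRECTION, DROP_TYPE, DROP_DEST, DROP_FORMAT };

#define HDR_LEN     3
#define MAX_PAYLOAD 64

struct frame { uint8_t type, dest, len; uint8_t payload[MAX_PAYLOAD]; };

struct guard {
    enum policy    policy;
    enum side      data_source;   /* only side allowed to send DATA under DIODE/PUMP */
    const uint8_t *allowed_dest;  /* destination whitelist */
    size_t         n_dest;
};

/* Copy a raw frame into a fixed-size struct; declared and actual length must agree. */
static int parse_frame(const uint8_t *raw, size_t n, struct frame *f)
{
    if (raw == NULL || n < HDR_LEN) return -1;
    f->type = raw[0]; f->dest = raw[1]; f->len = raw[2];
    if (f->len > MAX_PAYLOAD || n != (size_t)HDR_LEN + f->len)
        return -1;
    memcpy(f->payload, raw + HDR_LEN, f->len);
    return 0;
}

/* "Simple format": printable ASCII only, so nothing binary crosses the guard. */
static int payload_is_simple(const struct frame *f)
{
    for (size_t i = 0; i < f->len; i++)
        if (f->payload[i] < 0x20 || f->payload[i] > 0x7e)
            return 0;
    return 1;
}

static int dest_allowed(const struct guard *g, uint8_t dest)
{
    for (size_t i = 0; i < g->n_dest; i++)
        if (g->allowed_dest[i] == dest)
            return 1;
    return 0;
}

/* Decide whether a frame that arrived from `from` may cross to the other side. */
enum verdict guard_check(const struct guard *g, enum side from,
                         const uint8_t *raw, size_t n)
{
    struct frame f;
    if (parse_frame(raw, n, &f) != 0) return DROP_FORMAT;
    if (f.type != MSG_DATA && f.type != MSG_ACK) return DROP_TYPE;

    int from_source = (from == g->data_source);
    switch (g->policy) {
    case POLICY_DIODE:                 /* strict one-way: nothing flows back */
        if (!from_source) return DROP_DIRECTION;
        if (f.type != MSG_DATA) return DROP_TYPE;
        break;
    case POLICY_PUMP:                  /* one-way data, bare ACKs in reverse */
        if (from_source && f.type != MSG_DATA) return DROP_TYPE;
        if (!from_source && f.type != MSG_ACK) return DROP_DIRECTION;
        break;
    case POLICY_TWO_WAY:               /* both directions, content checks below */
        break;
    }
    if (f.type == MSG_ACK)             /* an ACK that carries bytes is a data channel */
        return f.len == 0 ? FORWARD : DROP_FORMAT;
    if (!dest_allowed(g, f.dest)) return DROP_DEST;
    return payload_is_simple(&f) ? FORWARD : DROP_FORMAT;
}

/* Constructed sample guards and frames (not taken from any real system). */
static const uint8_t ALLOWED[] = { 7 };
static const struct guard G_DIODE   = { POLICY_DIODE,   SIDE_NET, ALLOWED, 1 };
static const struct guard G_PUMP    = { POLICY_PUMP,    SIDE_NET, ALLOWED, 1 };
static const struct guard G_TWO_WAY = { POLICY_TWO_WAY, SIDE_NET, ALLOWED, 1 };
static const uint8_t F_DATA[]     = { MSG_DATA, 7, 2, 'h', 'i' };
static const uint8_t F_ACK[]      = { MSG_ACK, 0, 0 };
static const uint8_t F_ACK_FAT[]  = { MSG_ACK, 0, 1, 'x' };
static const uint8_t F_BAD_DEST[] = { MSG_DATA, 9, 2, 'h', 'i' };
static const uint8_t F_BINARY[]   = { MSG_DATA, 7, 2, 0x00, 0x90 };

int main(void)
{
    printf("diode, ack back: %d\n", (int)guard_check(&G_DIODE, SIDE_SECURE, F_ACK, sizeof F_ACK));
    printf("pump,  ack back: %d\n", (int)guard_check(&G_PUMP, SIDE_SECURE, F_ACK, sizeof F_ACK));
    return 0;
}
```

The pump case only removes content from the reverse path; the timing of the ACKs is still observable and is not addressed here.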

Nick PFebruary 5, 2015 12:18 PM

@ Clive & people with heavy math background (esp proving)

Here is a brief tutorial and description of the sequent calculus that Shen uses as a type system. It's a form of first order logic (eg PROLOG) with a certain structure and a bunch of inference rules. Unfortunately, it's giving developers a hard enough time that they don't use it. Like USL, it seems like they try to shoehorn everything into a rigid language to enable massive automation. Given difficulty of real proving, this might be justifiable if it is usable. Shen's FP, macros, and LISP plus ability to use lightweight formal methods on any type or function indeed sounds powerful.

So, my question is what do you all think about Sequent Calculus combined with Shen? Shen authors say most trouble comes from limited education people get in this kind of type theory and activity, even in math or formal methods classes. Maybe expressing it a certain way will get people on board and make it worthwhile. Or do you think it's an inherently bad option and amateurs have a better route to full verification?

@ All interested in formal methods

An excellent textbook (free) for program verification with functional programming and Coq theorem prover. Throwing it in because most formal methods work uses Coq prover. Additionally, Adam Chlipala has a book on Certified Programming with Dependent Types. He's used Dependent Types as a lightweight formal method to achieve many verification goals. So, that's hitting it from another direction.

Nick PFebruary 5, 2015 12:24 PM

EDIT TO ADD: An inexpensive book covering much of the logic and strategy around first order logic with Shen examples. Might be a good read for anyone learning logic, first order logic (PROLOG), automated logic, or Shen's specific variant.

GrauhutFebruary 5, 2015 12:47 PM

@Clive, Thoth, AreYouSurprised

Raspberry Pi 2 b+ -> First impression: Really fast under Debian Jessie on a 8G Sandisk Ultra microsd.

Image from Collabora sjoerd.luon.net/posts/2015/02/debian-jessie-on-rpi2/

So no, the new rpi2 is not bound to M$. :)

Nick PFebruary 5, 2015 3:28 PM

@ All

How Tor Avoids Backdoors: How to Copy That?

Reading through Tor project comments, the main ways they avoid being required to backdoor something are (a) not running the network themselves and (b) not selling it. This means they're neither a carrier nor a business. The laws for mass surveillance target those mainly. This kind of leaves any privacy-oriented carrier, software developer, or service provider in a bad situation locally. So, the trick is how to (for profit) develop privacy-oriented services in a way that maintains the Tor project's key attributes. Feel free to brainstorm on this one as it's a critical component in giving the market a way around forced backdoors.

One of my early ideas is to create a platform for high assurance systems and a secure piece of hardware. A domestic company designs the hardware, software, and applications. Along with support and integration services. A company in Switzerland, paid by domestic company, then vets the designs, puts them on hardware, and sells that system internationally. A reference, open source stack is available for the system. It's free/cheap for personal use and reasonably priced for business use. The Swiss side, along with others globally, build and sign binaries in a distributed SCM scheme like I've previously described. Optionally, an international foundation might control and license the software with the domestic company paid to improve it with licensing fees. Gotta make sure the stuff isn't outright seized during an "investigation." ;)

The domestic company can't be compelled to insert any obvious backdoors into the TCB (hardware or software) as they don't actually provide it. Some forms of that are clearly illegal in Switzerland, esp if other Swiss laws (eg contracts) prohibit it. A subversion-resistant development process is used to increase risk of detection and deterrence value. The likely reaction would be an import ban or interdiction. An import ban should increase confidence in the product's claims and is therefore unlikely. Interdiction might happen selectively or massively. It's a risk that will be warned about with tamper-evident shipping or pick up from factory options available. Supply chain countermeasures must also be used as HSA's will attempt to pollute it.

Thoughts? Compliments? Criticisms?

Nick PFebruary 5, 2015 5:12 PM

@ Grauhut

I'm aware of it. I'm talking about a scheme specifically for a company operating in the U.S. under U.S. law to avoid the backdoor issue similarly to Tor. While still making a profit or enough nonprofit revenue to support the offering. Far as Iceland, they're one transoceanic cable cut away from losing data haven status or availability in event of an outage. Nobody else seems to notice that risk about them but it's important given intelligence agencies messing with undersea fiber.

Hmm, on second thought, the Wassenaar Agreement affects most good countries for this sort of thing including Switzerland. Iceland's crypto and press protections could be useful here. Same model as before except any encryption technology is developed and supported by an Icelandic foundation/company. They'll have tools to integrate the crypto with the main software and the main software will be written to make such an integration easier. So, the crypto portion is just purchased and downloaded from Iceland with fewer restrictions given most democracies allow imports.

Nick PFebruary 5, 2015 5:23 PM

@ BoppingAround

It's an ALGOL68-type language better for applications development than C++, has fast iteration, a vibrant community, and will only improve at its niche. However, people comparing it to Rust say the Go compiler lets buggy code through much more. Stuff that sophisticated modern languages can prevent or more reliably handle. There's little excuse for that given how far safer, systems languages have come.

If I were you, I'd explore the features and arguments for/against a bunch of them. Here's a list to explore: Racket Scheme, Python, Haskell, Ocaml, Scala, Rust, Pike, Eiffel, Smalltalk, Go, Ada 2012, Julia.

WaelFebruary 5, 2015 7:29 PM

@Clive Robinson,

thread more than two years old where you said you would think about it and get back to me later

I couldn't locate what you're referencing.

AnuraFebruary 5, 2015 7:44 PM

http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560

For those following the story on the Anthem breach where 80 million customer records were stolen, including Social Security Numbers, it turns out that Anthem did not encrypt the credit card numbers. Their reasoning for not encrypting it was that it's easier to use that way.

That said, it's completely idiotic that a number we have to hand out for all sorts of things is all that's necessary to confirm our identity for things like credit applications.

fj09jv0February 5, 2015 8:13 PM

@Nick P "If I were you, I'd explore the features and arguments for/against a bunch of them."

One feature that eliminates some languages with automatic memory allocation is the need to be able to wipe RAM after encryption to avoid leaking the plaintext.

Nick PFebruary 5, 2015 8:49 PM

@fj09jv0

Nah you just need a secure overwrite built into the memory management scheme. Function call, VM instruction, built into object destructors... many ways.

AnuraFebruary 5, 2015 9:36 PM

@Nick P

The method I would suggest is to be able to mark variables as sensitive and have the language automatically zero on deallocation. Bonus, the OS can prevent the memory from being written to disk, or can even encrypt it during hibernation if you build the feature into the OS.
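
Added example, not code from any commenter: one way to build the overwrite into the memory management scheme, as discussed in the three comments above (wipe on release, plus pinning the memory so it is not written to swap). The slot arena, its sizes and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Added example: slot size, slot count and all function names are assumptions. */
#define SLOT_SIZE  64
#define SLOT_COUNT 8

static uint8_t arena[SLOT_COUNT][SLOT_SIZE];   /* all sensitive data lives here */
static uint8_t in_use[SLOT_COUNT];
static int     arena_locked = -1;              /* -1 untried, 0 failed, 1 pinned */

/* Zero through a volatile pointer: a plain memset() on memory that is never
 * read again is a dead store the optimizer may delete. Where available,
 * explicit_bzero() or memset_s() serve the same purpose. */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Hand out one slot. The arena is pinned on first use so its pages are not
 * written to swap; failure (e.g. RLIMIT_MEMLOCK) is recorded, not fatal.
 * mlock() does not cover hibernation images. */
void *sens_alloc(size_t n)
{
    if (n == 0 || n > SLOT_SIZE)
        return NULL;
    if (arena_locked < 0)
        arena_locked = (mlock(arena, sizeof arena) == 0);
    for (size_t i = 0; i < SLOT_COUNT; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            return arena[i];
        }
    }
    return NULL;                               /* arena exhausted */
}

/* Release a slot. The wipe is unconditional, so callers cannot forget it.
 * Foreign pointers, pointers into the middle of a slot and double frees
 * are rejected with -1; success returns 0. */
int sens_free(void *p)
{
    uintptr_t base = (uintptr_t)arena, addr = (uintptr_t)p;
    if (p == NULL || addr < base || addr >= base + sizeof arena)
        return -1;
    size_t off = (size_t)(addr - base);
    if (off % SLOT_SIZE != 0 || !in_use[off / SLOT_SIZE])
        return -1;
    secure_wipe(arena[off / SLOT_SIZE], SLOT_SIZE);
    in_use[off / SLOT_SIZE] = 0;
    return 0;
}

/* Count non-zero bytes anywhere in the arena (a check for tests and audits). */
size_t arena_nonzero(void)
{
    const unsigned char *b = (const unsigned char *)arena;
    size_t count = 0;
    for (size_t i = 0; i < sizeof arena; i++)
        count += (b[i] != 0);
    return count;
}

int main(void)
{
    uint8_t *key = sens_alloc(32);
    if (key == NULL)
        return 1;
    memset(key, 0xA5, 32);                     /* constructed stand-in for key material */
    printf("live:       %zu non-zero bytes\n", arena_nonzero());
    sens_free(key);
    printf("after free: %zu non-zero bytes\n", arena_nonzero());
    return 0;
}
```

Copies the program makes outside the arena (registers, stack temporaries, I/O buffers) are not covered by this allocator.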

WaelFebruary 5, 2015 11:03 PM

@Nick P, @all,

Mike the Goat, Clive, and I have all described setups like this at times.

Speaking of @Mike the goat (Horn equipped or otherwise,) he is alive and kicking. He was just running a small electrical experiment. He updated the canary, perhaps for the final time.

FigureitoutFebruary 5, 2015 11:50 PM

Wael
--Yes, the links are good "in theory", however the actual code, how it was flashed, etc. still won't be shown b/c it's probably not actually secure (b/c it's an impossible problem). Then there's still that neverending risk of the developing PC (I strongly support any efforts to make new developing PC's one can actually use...in this century..., but they still originate from insecure ones and hold onto the hack-n-patches of making the PC work), and that cascading problem (one of a few I obsess over) continues to cascade down to how can one make something trustworthy w/ untrustworthy tools, and not know which are (at any given moment) and just how compromised. Then the prospect of "bugs in the building" observing the critical parts as they happen, getting the weaknesses immediately "from the source", and EMSEC (attackers camped just outside your unshielded lab), paralysis.

Paranoia at its finest, distracting from the actual design; and it leaves you w/ nothing. Since we now have SoC's the size of dimes that can squeeze absolutely insane amounts of "things", all the peripherals, memory, even RF chips (which need an antenna), a goddamn *radio* could easily be housed in the chip, and remote firmware flashing is a "feechur" now that is possible in COTS (can be rendered null, however you still don't know "for sure").

Such a hard problem, puts many engineering problems to shame, doesn't even pale in comparison at all. So much variables and vectors...Instead of our hack-n-patch imperfect computers made by imperfect beings "to work", our computers need to resemble a "prison". No memory freedom, locked down on D-block. Keep the psychos locked up, any whiff of freedom and they'll shank you w/ that toothbrush they've been grinding away at like a psychopath, itching to stab you in the neck. And there's always a steady supply of drugs and underground markets and corruption in a prison; and they're always looking for more inmates.

Anyway, instead of going the way I should be (if I could, securely), I'm looking at RTOS's and other small OS's like on routers too. Just keep inching my way down further as I can understand. Spoiled on a screen and keyboard, so those are mandatory as well (I have a general idea of how modern keyboards work, but not completely by any means). Until I really understand it and then using some small OTP-chips. Best I can do, and I'll share it eventually; if the blog's still around (otherwise on internet somewhere).

RE: MTG
--Can't count out that crazy bugger when he gets quiet lol. He's seen I think just how bad it can be, when you get enough people tasked to you. You have to rely on good OPSEC and physical contact, and actually take it seriously and not laugh about it...

Nick P
--Going to have to do a play-by-play on this one. I've got a bunch of sh*t I should be doing instead, so I'm not going to expand way out (also will be repeating myself again and again).

My security framework has a bunch of human-centered activities with implementation being just one part of it
--That's nice, except it's impossible to implement.

All the activities must be performed correctly.
--Again, impossible.

you start talking like the programmer should worry about a million things unnecessarily instead
--Yep, us programmers get sh*t on a lot. Where I currently work, it's a running joke in the lab to always look for something to blame on hardware or software, my little issue I was having w/ a control bit, seems to be hardware (chip level, not a simple board problem, could be malicious flash as always I'm unaware of) so yeah. I commend companies that provide "programming manuals" as well as datasheets. Reference code is nice too, but it'll probably end up being a crutch; guess it depends on the experience (that doesn't happen overnight, takes decades, I don't care who you think you are) and skill of the programmer to write better code than being provided by the company lol.

All quite deceptive to support your view that weak tools and strong tools are the same
--Pretty deceptive statement and wrong conclusion on my viewpoints, I *never* advocate weak tools. I advocate ones the programmer has control over, not some massive sh*t-turd I can't even wrap my head around. Also have to place trust in them if they get too big as always.

All the Oberon/MULTICS/SPARK programs, what do they run on eh? Where were they made? Tried and true, isn't that your thing? The new "type-safe" constructs, how much real-world exposure have they had to attacks? What if an attacker can break into type-casting system and "tag" a virus as legit? Always a question, always. And would a programmer that relies on those tools be able to notice a problem if it's "abstracted away"?

That people often download and fail to compile C/C++ applications without hitting forums with questions says plenty about that toolset.
--And the same problem will persist, and you'll be repeating yourself again. B/c in the past while I was a baby, our hack-n-patch computers shot off and now we expect so much out the box w/o appreciating the amount of logic required.

Another false claim you use to push for a lack of memory safety for majority of apps.
--Nope, my viewpoint is I don't believe we've solved the problem; and the same f*cking problems will re-emerge and then we'll be even more spoiled and dumbed down and weak to be able to deal w/ them.

No, not the riff raff out in the wild
--And yet they still find ways in, they apply their viewpoint only they can have at that instance in time, to find a flaw. Only thing holding it up is decent OPSEC. Also rarity of use, barely used, so it's obscurity too. Not actually exposed to better pentesting.

Every study showed Ada programmers outperforming C/C++ programmers in productivity and defect count.
--Defect count *maybe*, productivity?--Ha no. Again what OS or other programs can you point to in Ada that are actually useful? What computers was the Ada type-safe system built on?--That's the real issue I'm getting at.

Using good tools to do better work isn't dumb: it's common sense in most industries.
--Yep, and they don't exist. The new ones will have bugs which won't be stamped out for a long time, probably never as usual.

*"
*blah blah sh*t that won't make a difference, moving on*
*"

Don't worry, though: LLVM bytecode is catching up as the new cross-platform assembler.
--I'll worry and won't blindly trust. Probably has same amount of bugs and same amount of bullsh*t. Just "new" and abstracted away from control of what's actually happening.

I don't have the time nor brainpower to address the rest. Someone else can if they want to. Talk's cheap, action is needed (will people actually use it or is it usable). I don't believe it though. Our tools have been compromised, supply chains, you can't make something secure w/ compromised tools or corrupted supply lines, or so much surveillance. A true renaissance of computing is needed, a trustworthy rebuild of the logic step-by-step that can be realized in one head, and that's obviously too much of a task/problem. Meanwhile, my "hiding spot", embedded chips will continue to keep getting shoved out to the simplest chip I can get is some insane SoC eventually as the older ones die from age.

The mindset of separation is needed, and that takes a long time to build and come to grips w/.

WaelFebruary 6, 2015 1:14 AM

@Figureitout,

Yes, the links are good "in theory", however the actual code, how it was flashed, etc. still won't be shown b/c it's probably not actually secure (b/c it's an impossible problem). Then there's still that neverending risk of the developing PC...

Not impossible. The links were a high level conceptual approach. Opsec process was omitted for clarity :) Here is a brief Opsec process for the development PC:

  1. Start with an air-gapped PC-1
  2. Download the source tree of FreeBSD (or your favorite OS) on a different PC-2
  3. Air-gap your PC-2
  4. Build the kernel and development software on PC-2. Only build the absolute minimum binaries needed for development (no X windows, mail services,..)
  5. Create a boot disk with the stuff you built on PC-2
  6. Boot PC-1 from the CD you burnt in the above step, and install the OS
  7. Develop the software you need (crypto, flashing, gadget program,...) use assembler or 'C' -- both will require different verification steps after building
  8. If you used assembler, verify the built binary with a hex editor to make sure the binary matches the expected results from your source. You are making sure that the compiler and linker didn't add "extra" stuff. If you used 'C', then disable all optimizations on the compiler, and create a map, listing, and assembler output then go through the manual verification steps to make sure the built binary looks fine
  9. Create some input test vectors and run them to check functionality and compare the calculated output to the expected one.
  10. Run some static analysis on your software, and fix warnings
  11. Verify the flashing software the same way
  12. Don't trust the hex editor? Try different editors on different OS's, on different air-gapped HW. If all checks out, flash your "secure texting" HW, and go about your business
  13. All verifications, flashing, development must be performed on air-gapped PCs.
  14. After flashing, use a debugger and do a step-by-step check
  15. Delete everything from PC-1 securely and reinstall the original OS
  16. Extra credit: Shield your flashing cables
  17. Extra extra credit: perform the whole operation in a Faraday cage
I didn't vet every step above, some are out of order, and maybe something is missing. Add the steps you think are missing. A process like this should be good enough, unless your tinfoil hat is made out of depleted uranium -- In which case nothing will be "secure", no matter what you do.


I didn't talk about how to follow the process and whether to write it down or memorize it and pros and cons of each -- YMWV (Your Mileage Will Vary)

WaelFebruary 6, 2015 1:53 AM

@Figureitout,

(that doesn't happen overnight, takes decades, I don't care who you think you are)

According to Malcolm Gladwell, in his book Outliers: The Story of Success, it takes 10,000 hours for any person to master a profession. So you're in the ballpark assuming a work week of 40 hours (37.5 in Europe) with an "efficiency factor" of 25%.

Gerard van VoorenFebruary 6, 2015 2:28 AM

@ Nick P

[About Go] It's an ALGOL68-type language better for applications development than C++, has fast iteration, a vibrant community, and will only improve at its niche. However, people comparing it to Rust say the Go compiler lets buggy code through much more.

Please be specific.

Stuff that sophisticated modern languages can prevent or more reliably handle. There's little excuse for that given how far safer, systems languages have come.

I have used Go quite a lot now. The 'defaults' of Go are to me rather well chosen. Looking at Go code from a C perspective it looks just right. The boilerplate code is specific. Until now there is not much Go code I can't understand when reading it. I don't claim to be a good programmer so when I can understand almost all Go code I read, that alone says something about the language. There are not many languages that read as easy as Go. Rust certainly doesn't, nor does any of the ML languages that I know, nor does C and certainly not C++.

The only *real* argument against Go is that it is a garbage collected language and that argument only counts for RT / embedded areas.

Btw, the experimental C2 language (http://c2lang.org) tries to be a real replacement of C. It has all the low level stuff but with less ambiguous parts, less clutter, modules and a good build system / tooling.

GrauhutFebruary 6, 2015 4:34 AM

@Nick P Iceland is the new data switzerland. :)

(Energy costs -> geothermal generated electricity, cold air for cooling, ideal located between NY and London for HFT arbitrage business, great legislation)

Wiki:

Iceland is currently connected via these submarine communications cable system to the rest of the world:

CANTAT-3 with 2.5 Gbit/s to Denmark, Germany, and the Faeroe Islands.
FARICE-1 with 200 Gbit/s to the United Kingdom and the Faeroe Islands.
DANICE with 200 Gbit/s to Denmark.
Greenland Connect with 20 Gbit/s to Newfoundland and Labrador, Canada and Greenland.
Emerald Express to Ireland and New York (ready for service in 2014).

Emerald PR:

The “Emerald Express” will be the most advanced next generation undersea telecommunications system constructed to date! It is a software-managed, intelligent network that will provide low-latency, utilize sophisticated coherent digital technology, and increased bandwidth. Emerald Express will be comprised of four fibre pairs, designed to carry 100 wavelengths of light on each fibre pair, with each wavelength operating at an initial speed of 100 Gbps, equivalent to 10 Tbps per fibre pair, resulting in 40 Tbps cross-sectional capacity.

The “Emerald Express” system focuses on wholesale low latency transatlantic services for carriers, ISPs and the financial services sector. In addition, the Emerald Express system connects data centre industries in Iceland and Ireland.

ThothFebruary 6, 2015 5:40 AM

@Grauhut
Sincerely hope that Iceland, the last few remaining lands of liberty to a good extent, would not fall to the corruption of the Global Warhawks of the FiveEyes, China, Russia, Germany, France, Israel ... and other ambitious and hypocritical regimes.

One reason I hosted my website in Iceland despite the rather expensive price forking out from my own wallet is they are still not too badly influenced by the Global Warhawks. How long they could hold out greatly depends on how long it is going to take to wake most ignorant people from their slumber...

BoppingAround • February 6, 2015 9:42 AM

Nick P,
> However, people comparing it to Rust say the Go compiler lets buggy code through much more
Do you happen to have a link to that?
> If I were you, I'd explore the features and arguments for/against a bunch of them. Here's a list to explore:
Thanks, I'll think about that.

name.withheld.for.obvious.reasons • February 6, 2015 12:28 PM

Coming in to an infotainment channel near you...

AT&T and Verizon announce, along with a number of third parties you know nothing about, a new service that will be automatically installed on your smart phone:

Predictive Messaging Service (PMS) 1.0

PMS works by leveraging existing data sources and with the help of government services to deliver text messages to people you forgot to inform about conversations you may, or may not, have had...in real-time.

For example, say you call an old friend and discuss your mother-in-law...the call is automatically converted to text and a message is sent to your wife with the content of the call in text message form. Now, when you get home your wife will be able to catch up with your activities when you were away from home.

Nick P • February 6, 2015 12:46 PM

@ Gerard

We already discussed it here when you had a different name. I did look at more modern comparisons as you suggested.

@ Gerald, BoppingAround

I didn't find much directly comparing Go against competitors except for this one. The author's conclusions make it like Mozilla figured out how to make a lightweight, marketable Ada. It also protects memory operations without garbage collection. I'd take it over Go for low-defect systems programming.

@ Grauhut

I'll be damned. My info was way out of date. Emerald Express is exciting as I'm pretty sure it's that tech I posted on a few years ago where they used black magic to amplify existing fiber's throughput up to terabit levels. Now we're getting 40Tbit. Woo-hoo!

@ name.withheld

I would say "Cyanogen Mod coming to those very same smartphones near you!" Then, I see headlines where Microsoft is buying it out. (!) At least we still have the various encrypted chat apps to slow them down a bit.

Skeptical • February 6, 2015 5:45 PM


@Dirk: And let's not kid ourselves: this is not about supporting Ukraine's right to exist as a democratic, self-governing nation. Neither is it about making claims to its territory. It's about interesting trade and other agreements to tap into Ukraine's natural resources and getting a firmer foothold in the region. All at the expense of Russia that, as you quote yourself, historically considers Ukraine an integral part of its influence sphere, not just for its resources but also for its geo-location and significant population with Russian roots in the Crimea and other contested border regions.

No, this is not about trade deals or natural resources. US interest in either in Ukraine is insignificant. For the US and most of Europe, this is about long-term stability in Eastern Europe. And that means not permitting Russia to intimidate Eastern European states with military action. Anything less signals to Putin that he can do the same to the Baltic states, to Poland, and who knows the limits.

What both the US and most of Europe are determined to do is not allow Eastern Europe to once again fall under the control of foreign conquerors. They are determined to encourage, and to defend the right of, Eastern European nations to rule themselves.

It is in the interests of the US to do so, because long-term stability and progress in Eastern Europe requires as much. But it also happens to be the right thing to do.


I don't entirely agree with your reading that that's China's only motivation. You seem to have overlooked the part that exploitation of Siberian land and resources does become more interesting due to global warming.

The paper found this to be only a possibility, and not one that played a role in its 2030 scenario.

Thoth • February 6, 2015 7:47 PM

@Andrew posted an interesting image above in this post (https://www.schneier.com/blog/archives/2015/01/friday_squid_bl_463.html#c6688367) with an image of nuclear and base positions of bases and nukes. If you observe the bases aligned in Hungary, Serbia, Germany, Bulgaria and Turkey ... they form an arc ... an enveloping arc. Tactically this enveloping arc would be suited as a containment strategy (to contain Russia). Why wasn't this arc moved further to Poland, Ukraine and other frontline "buffer countries" to the USA cause or any other "frontline buffer friends of NATO/US" ? Because they are buffers !

The three bases in Bulgaria (I guess) might have dual purposes as a line to contain Russia and also to intercept the Russian fleets in the Black Sea if necessary. One good tactic is to use the strategic positions of the Bulgarian bases to deploy asymmetric and symmetric warfare strategies at the mouth of Istanbul where it is very narrow and the most dangerous spot ships have to pass by. It seems the fall of Ukraine/Crimea and Georgia might have already been predicted by the US and NATO due to it being a buffer state ?

The bases in Belarus, Moldova, Ukraine, Georgia are an outward arc of defense and are placed on the most frontline of Russian "territory".

If the image is correct, almost all Russian nukes are in Russia and it forms a circular defensive formation (tightly bunched together) whereas the NATO and US nuclear assets if correct, are spread out across Europe. US/NATO nukes in Germany, Belgium, Netherlands, Italy and Turkey seem to form a line of enveloping arc nukes on an offensive posture to surround the Russia "territory" and the other line of nukes in the UK and France in the picture are more of self-protection (due to the arrangement in a circular formation).

Figureitout • February 7, 2015 12:08 AM

Wael
Not impossible
--It is though. I'm taking it to the most extreme, I want to beat any and all attackers; literally impossible to attack me is what I'm getting at. Go big or go home, eh?

Any OPSEC procedures are valuable, but almost always insufficient (never, never give up your personal OPSEC, it's a highly personal secret). For instance, right at #2, *boom* (I can't resist the joke, but "the sh*t hits the fan" at "#2" lol, sorry), OPSEC broken that depends on your connection (ie: router, modem, and any immediate upstream devices, if there's upstream devices there'll be downstream ones) and how you handled your connection (not even that, file that was taken from unknown PC and placed on server and exposed, then getting it to you via insecure network).

Where did you get your Hex editor from? Internet? Where did it come from? Where was it built and where did anyone here get started from? You started from a pre-compiled program, everyone did, don't lie. It's the truth. Now here's where the entire toolchains that exist today could've been hosed then...

These possibilities destroy my trust, b/c it's likely already happened, before I was even born...Just like the economy already being f*cked before I was born.

Shielded cables can be defeated at the immediate interface or the CPU accepting the signals, I've frickin' heard USB signals, I need to capture them and let you hear them yourself. There must be compromising info in them.

Faraday cages can be defeated w/ bad OPSEC if you need a USB stick (which, saving every revision of a code file, like you should..to a CD instead of USB stick is so wasteful, it's disgusting). OPSEC takes money though and not being physically tracked.

I won't add steps, I'll have such a long and paranoid posting...unbelievable.

What would be interesting, if someone posts code they actually say is secure (in particular, Nick P or Clive Robinson, "the code cutter hater" himself). They'll probably state that it's "proprietary" as if every code they wrote was subject to an NDA, b/c they probably know it's insecure just like all code lol. It's all bullsh*t when you have over 30 people (not including other support and data sources) tracking you. Obscurity is the name of the game, you can't attack what you don't know.

Wael • February 7, 2015 2:38 AM

@Figureitout,

literally impossible to attack me is what I'm getting at.

Then you must cease to exist. Only then, no one can attack you! Well, that's not true either... But you wouldn't care because six feet under is sort of a faraday cage, and if your coffin (after a long prosperous life) is made out of recycled butter cookie cans, then it's even better! Lol

Any OPSEC procedures are valuable, but almost always insufficient (never, never give up your personal OPSEC, it's a highly personal secret)

Debatable! However, not sharing OPSEC adds some sort of a barrier. An application of the Least Privilege principle, so you've got a point.

For instance, right at #2, *boom* (I can't resist the joke...

Funny, you should've saved that one for the smart pipe thread ;)

Where did you get your Hex editor from? Internet? Where did it come from? Where was it built and where did anyone here get started from? You started from a pre-compiled program, everyone did, don't lie. It's the truth. Now here's where the entire toolchains that exist today could've been hosed then...

I got it from the Internet in the form of source code, compiled it on PC-1, and verified it with several other hex editors that were built on the same PC and other air-gapped PCs. There is a lot of manual investigation needed -- you gotta practice safe hex dude, or you'll get infected with something that can haunt you for the rest of your then miserable life. Yes, we start from a precompiled tool chain (we can build that later as well, with the same precompiled chain -- so it's a circular thing.) You manually verify every executable, this is the price you pay for the needed security level.

What would be interesting, if someone posts code they actually say is secure (in particular, Nick P or Clive Robinson, "the code cutter hater" himself)

And how is that different than downloading it from FreeBSD.org? You still have to compile it and verify it, even if you trust his highness and his excellency! The problem isn't in the source code --- it has to be reviewed regardless of its origin. The problem, that you brought up, resides in the output of the tool chain! Still not a 100% secure (in the sense that you still will be attacked,) but you can improve it with additional OPSEC steps, as you mentioned.

Clive Robinson • February 7, 2015 5:18 AM

@ Figureitout,

What would be interesting, if someone posts code they actually say is secure (in particular, Nick P or Clive Robinson, "the code cutter hater" himself)

Well if you've been listening to all the "Prison Lectures" you would know that I don't consider anybody's current unmitigated hardware secure, thus by definition any source code could not be "secure" from "bubbling up" attacks from further down the computing stack, further even mitigated hardware I only think is probabilistically secure from "outsider" attacks not from "insider" attacks.

And by your far from unreasonable assumption that the current "tool chains" are hexed ;-) by those outsiders wishing to be insiders, turning source code into loadable executable code would be an insider attack.

Now because I'm old enough to have been an engineer when the first 8bit processors came out, I had to build my code the hard way via switches and buttons connected directly to the CPU/memory lines, much like many other "enthusiasts" at the time. And thus hand coded my first "bit bang" serial "loader" and went from there into ROM and built up things to the point where I built a stripped down BIOS that I could get a simplified version of what later became CP/M up and running. Because I had access to a PDP11, I wrote my own cross assembler and HEX tools etc, and ripped off early versions of unix code ideas to build other tools. I also did my own fully original programs one of which was a reliable 9600baud PSK tape loader / recorder, it got used by others and sadly developed new features but lost some of its reliability in the process :-(

When I purchased my own "personal computer" an Apple ][ back in 1980 it cost me the equivalent of a quarter of the average annual income of engineers (over 20,000USD in today's money). And much as @Nick P has described I started writing my own tools in Basic, Pascal and Fortran 77.

As Wael has indicated there is nothing to stop you going down that route, except your body's needs for sleep and sustenance of various forms. Which means you need an income for a secure place to be and have power etc, etc, etc.

There is no reason why you should not do it far more quickly than we did at the time because most of the work ended up in books etc which you can get hold of and they have flow charts etc. Have a look around many of the "PIC microcontroller" books for home robots etc, your uP may not be a PIC but the easily readable assembler code and flow charts can be converted in your head. The thing is even if your laptop is compromised you can take the HEX files and run them through a native disassembler and visually check the code. It's nowhere near as fast as "click-n-go" development, but at least you will be confident the code is what you wrote "warts bugs and all".

I still do similar today when bringing up a new hardware board, the advantage I have is over a third of a century of my own code libraries to cross assemble.

And here is a hint to "really listen to" which is "don't be clever, KISS it instead". Use only a tiny common subset of the most basic of assembler instructions you will find on any uP.

That is make up your own very basic hardware agnostic assembler to write your code ideas up in. Which you can then use to easily convert to the destination assembler of your latest uP. That is write your basic "get-up&go code" in it because what works on one uP will work on nearly all uPs with little or no changing. It means you can be up and running on new hardware in a couple of days virtually sight unseen.

For my sins I have in the past, designed a PCB from the data sheets, sent it off to be made whilst waiting for the chip manufacturer's development kit to arrive and in the mean time written a basic BIOS for it long before the PCBs arrive let alone the components to go on it. Then had the basic hardware core up and running within an hour or two without going near the uP manufacturer's software tools.

Back when I first started doing that it was "needs must" due to a lack of resources, these days it's "needs must" due to a lack of trust... as a King once said "The more things change the more they stay the same".
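An added example, not part of any comment and not any commenter's code: one way to sanity-check HEX files before disassembling them, and to compare the same source built on two machines, as the comments by Wael and Clive Robinson above describe. It assumes the Intel HEX format, which the thread does not name; the function names and the sample records are constructed for illustration.

```python
class HexError(ValueError):
    """Raised when a record is malformed or fails its checksum."""


def parse_ihex(text):
    """Return {absolute_address: byte_value} for one Intel HEX image."""
    memory, base, seen_eof = {}, 0, False
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if seen_eof:
            raise HexError(f"line {lineno}: record after EOF")
        if not line.startswith(":"):
            raise HexError(f"line {lineno}: missing ':' start code")
        try:
            raw = bytes.fromhex(line[1:])
        except ValueError:
            raise HexError(f"line {lineno}: not valid hex") from None
        if len(raw) < 5 or len(raw) != raw[0] + 5:
            raise HexError(f"line {lineno}: length field mismatch")
        if sum(raw) & 0xFF:  # all bytes incl. checksum must sum to 0 mod 256
            raise HexError(f"line {lineno}: bad checksum")
        offset, rtype, data = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype == 0x00:  # data record
            for i, value in enumerate(data):
                addr = base + offset + i
                if addr in memory:  # two records claiming one address
                    raise HexError(f"line {lineno}: overlap at {addr:#x}")
                memory[addr] = value
        elif rtype == 0x01:  # end-of-file record
            seen_eof = True
        elif rtype in (0x02, 0x04) and len(data) == 2:
            shift = 4 if rtype == 0x02 else 16  # segment vs. linear base
            base = int.from_bytes(data, "big") << shift
        elif rtype not in (0x03, 0x05):  # start-address records are ignored
            raise HexError(f"line {lineno}: unsupported or malformed record")
    if not seen_eof:
        raise HexError("missing EOF record (truncated file?)")
    return memory


def diff_ranges(mem_a, mem_b):
    """Return inclusive (start, end) address ranges where two images differ."""
    differing = sorted(a for a in mem_a.keys() | mem_b.keys()
                       if mem_a.get(a) != mem_b.get(a))
    ranges = []
    for addr in differing:
        if ranges and addr == ranges[-1][1] + 1:
            ranges[-1][1] = addr
        else:
            ranges.append([addr, addr])
    return [tuple(r) for r in ranges]


# Constructed sample: the same tiny image as built on two machines.
BUILD_A = """\
:0400000001020304F2
:04000400AABBCCDDEA
:020000040001F9
:0100000042BD
:00000001FF
"""
BUILD_B = BUILD_A.replace(":04000400AABBCCDDEA", ":04000400AA0000DD71")

if __name__ == "__main__":
    changed = diff_ranges(parse_ihex(BUILD_A), parse_ihex(BUILD_B))
    print([(hex(start), hex(end)) for start, end in changed])
```

The ranges it reports are where to point the disassembler first; a clean diff only says the two builds agree with each other, not that either toolchain is trustworthy.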

Tony • February 7, 2015 6:00 AM

@ Figureitout
It's all bullsh*t when you have over 30 people (not including other support and data sources) tracking you.

bit overkill aided by Snowden-revealed toolkits? lol

suppose a few extra layers won't hurt as claimed by the aluminum salesman.

Figureitout • February 7, 2015 3:20 PM

Wael
Then you must cease to exist.
--Yeah, I can dream though right?--"No you can't"--lol k

Debatable!
--Operational clues are nice depending on what someone is after or how you defend yourself, you should keep it down probably; or poison the well, there's that too.

I got it from the Internet in the form of source code, compiled it on PC-1
--You gonna do this to me, eh?! Then where and how did the compiler get on the PC-1? lol

gotta practice safe hex dude
--Aww that's no fun, I stick my USB sticks in any open "port", then they get really loose. :p But seriously hex-editors and disassemblers are some of the coolest programs to me, like what the? How the? How's it working?! And debugger that can stop or slow down execution (even on physical device), that's a handy feature I want for some security program.

you'll get infected with something that can haunt you
--I already am, it got in and I learned "after-the-fact". There's separate ones (USB, HDD, BIOS, maybe audio) and this makes diagnosing a major pain. The worst thing about seeking out a malware is "are you really containing it?"--which I have not, but I can't afford to buy new desktop PC's; so I'm stuck w/ infection. It's something in the murky depths of firmware, I've used same downloaded images, different behavior b/w PC's so it's below OS.

we can build that later as well, with the same precompiled chain
--And continue compiling one of the most mind-warping "trusting trust" infections. Meh, it gets to the realm of "this is a f*cking waste of time", but it's so annoying we can never know! For sure!

And how is that different than downloading it from FreeBSD.org?
--B/c if it's C then I can get a "reasonable"--very "reasonable" depending on size lol, idea of what it's doing, in my head w/o putting it on a machine risking yet another infection. Unless it has some tricks I keep finding in C, they make sense eventually.

even if you trust his highness and his excellency!
--Nope don't trust him lol, former GCHQ, he wants to be "a fly on the wall" too much. Too many "jokes", I have a question I want to ask in person but can't.

Clive Robinson
I don't consider anybody's current unmitigated hardware secure, thus by definition any source code could not be "secure"
--I have followed, and I recall you saying people don't know how to code securely, most especially us newbie code cutters. Just wonder what that looks like. I think it's bullsh*t that relies on obscurity. What gets me is some highly imperfect code like driver code, so frail, but works.

Now because I'm old enough
--Yep, those skills aren't as marketable as they used to be; except maybe the big chip companies. Now I can have a working whatever prototype w/ arduino in maybe 5-6 hours. I'm looking into FreeRTOS now on arduino nano (still have some routers, debating whether to turn into proxies and firewalls or mess w/ a full blown OS on them too), I'm not hand-loading code, this would be kernel code, working thru some of that area (processes, threads of execution). I don't know what I want to actually do w/ it though lol (having the same problem w/ beaglebone, frickin' indecisiveness...).

ripped off early versions of unix code
--Now did you rip it, or cut it w/ a pair of scissors? :p

Have a look around many of the "PIC microcontroller"
--I have, I always have an assortment of projects revolving that I need to finish (like si4432 thing, just get like radar output line connected to it and notify me; so I can be done w/ it); but one thing is an OTP chip w/ maybe the necessary USB-chip, basically I just want to power it on, and any USB stick gets wiped-overwritten-wiped automatically when plugged in, that's all it does. I'm still stuck on getting file (assuming file hasn't been infected) from infected point A to safe point B.

at least you will be confident the code is what you wrote
--Probably won't be, ever. If I don't know the extent of infection there's not a lot of confidence. I'm still spinning my wheels here, and this helpless circle-jerking on my part really pisses me off. But the problem doesn't just go away, still here.

a hint to "really listen to" which is "don't be clever, KISS it instead"
--C'mon I know that! I don't write "clever" code (at least that I give out), I'm mucking thru some and at least "tidying up" a bit, still just mostly sweeping under rug. It took me *SO* long to get here finally getting a grasp of crazy code, man grrr! I honestly think some of it is job security ("if only I can understand it, they need me").

Use only a tiny common subset of the most basic of assembler instructions you will find on any uP.
--I'd prefer to do that anyway, especially in assembly lol, too many instructions I don't know I get the "oh sh*t" feeling.

Tony
--Mostly personal experiences, I was here before Snowden. And that was overkill on investigators part, not mine.

Buck • February 9, 2015 11:53 AM

@Wael

Would it surprise you to learn that you've known all along the answer which you seek?

Keeping in mind that the moon isn't the only celestial body that affects us, go back and re-read your comment posted directly above that one. B-)

Wael • February 9, 2015 1:30 PM

@Buck,

go back and re-read your comment posted directly above that one

I did read it, actually. I didn't specifically choose a particular episode. Not important, I guess. Weird things happen all the time, and we can't be expected to have the ability to explain everything...

