Schneier on Security

Nick P • February 22, 2015 2:17 PM

@ Figureitout

That’s seriously the most god-awful piece of code I’ve ever seen. Single-handedly makes the case for more readable, systems languages with straightforward macro’s or generics. Also, more research should be done on building macro’s or metaprograms as robustly as regular code. Languages like Haskell are pretty good at it but could be better.

@ Wael

I totally agree. Most of the work at that level is domain work, not regular programming. The best route seems to be raising the abstraction level in the language while using tools to eliminate or automate low-level stuff. Maybe as simple as using a readable language such as Modula-2/3 for logic, Ada-style existential types to catch data mismatches, and tools such as NICTA’s Termite for I/O boilerplate. Zero-runtime Ada + SPARK or C subset + ASTREE analyzer are most powerful combos for it right now.

Nick P • February 23, 2015 7:29 PM

High Assurance News Update: Covert Channel time

Research report: Covert Channels (2006)

A nice collection of various network channels and their properties. Makes for good starting material.

CLACK: A Network Covert Channel Based on Partial Acknowledgment Encoding (2009)

A reliable, TCP channel that leverages ACK’s in a way that’s harder to detect than prior work.

CoCo: coding-based covert timing channels for network flows (2011)

Abstract: “The CoCo covert channel modulates the covert message in the inter-packet delays of the network flows, while a coding algorithm is used to ensure the robustness of the covert message to different perturbations. The CoCo covert channel is adjustable: by adjusting certain parameters one can trade off different features of the covert channel, i.e., robustness, rate, and undetectability. By simulating the CoCo covert channel using different coding algorithms we show that CoCo improves the covert robustness as compared to the previous research, while being practically undetectable.”

Implementation of a Covert Channel in the 802.11 Header

What it says in the title.

Analyzing Covert Channels on Mobile Devices (2012)

Looks at covert channels on Android devices, common countermeasures, problems with those, and stronger countermeasures.

A new covert channel over cellular network voice channel (2014)

Authors create and use a voice channel for proxied traffic, text message communications, and command-and-control.

PHY covert channels: can you see the idles? (2014)

A Layer 1, 1-10Gbps Ethernet covert channel that’s undetectable by software, has 10-100Kbps bandwidth, and with a low error rate.

Towards a Systematic Study of the Covert Channel Attacks in Smartphones (2014)

What it says: a list of every covert channel in the literature for both hardware and software.

Conclusion

Data is slithering out of your devices in many more ways than people had 10 years ago. Happy hunting, defenders! 😉

Nick P • February 24, 2015 4:52 PM

New, awesome, open-source processor

A 45nm 1.3GHz 16.7 Double-Precision GFLOPS/W RISC-V Processor with Vector Accelerators

Abstract: “A 64-bit dual-core RISC-V processor with vector accelerators has been fabricated in a 45 nm SOI process. This is the first dual-core processor to implement the open-source
RISC-V ISA designed at the University of California, Berkeley. In a standard 40 nm process, the RISC-V scalar core scores 10% higher in DMIPS/MHz than the Cortex-A5, ARM’s comparable single-issue in-order scalar core, and is 49% more area-efficient. To demonstrate the extensibility of the RISC-V ISA, we integrate a custom vector accelerator alongside each single-issue in-order scalar core. The vector accelerator is 1.8x more energy-efficient than the IBM Blue Gene/Q processor, and 2.6x more than the IBM Cell processor, both fabricated in the same process. The dual-core RISC-V processor achieves maximum clock frequency of 1.3 GHz at 1.2 V and peak energy efficiency of 16.7 double-precision GFLOPS/W at 0.65 V with an area of 3 mm^2.”

Source code was open-sourced here for use in FPGA’s or ASIC’s. Runs Linux already.

Cavium ThunderX ARM processors

Meanwhile, over at Cavium (of Octeon MIPS fame), they’ve gotten their ARM SOC’s up to 48 cores at 2.5GHz each! Those aren’t multicores: they’re monsters! Supports up to 1TB addressable memory with “hundreds of gigabits of I/O.” If they’re affordable, I think I just found a nice alternative to Intel and AMD for desktops. 😉

Nick P • February 26, 2015 12:53 PM

re backdoors in U.S. products

There’s obviously a lot of opinions floating around on the topic. I say we just ask the NSA’s top tier (ECI-classified). Let’s go back to the Core Secrets document to see what it says about “SIGINT enabling” (aka backdoors) in U.S. products. I’m also going to subsitute “backdoor adding” for “SIGINT-enabling” to remove the effect of double speak on people’s minds.

p7

Public (Unclassified): “Fact that NSA/CSS works with U.S. industry in the conduct of its cryptologic missions.”

Public: “Fact that NSA/CSS works with U.S. industry as technical advisors regarding cryptologic products.”

With Top Secret clearance, the document transforms to say:

TS/SI: “Fact that NSA/CSS conducts backdoor adding programs and related operations with U.S. industry.”

TS/SI with no foreigners allowed: “Fact that NSA/CSS has FISA operations with U.S. commercial industry elements.”

With Core Secrets (above TS) clearance, the document transforms to say:

TS/SI/ECI: “Fact that NSA/CSS works with and has contractual relationships with specific named U.S. commercial entities (A/B/C) to conduct backdoor adding programs and operations.

TS/SI/ECI: “Fact that NSA/CSS works with specific foreign partners (X/Y/Z) and foreign commercial industry entities (M/N/O) and operational details (devices/products) to make them exploitable for SIGINT.”

See the deception? The public statement makes you think NSA is helping companies improve security. With Top Secret clearance, you know they’re trying to get them to weaken security with backdoors. With ECI clearance, you learn they have contractual agreements with U.S. firms and foreign partnerships to weaken the products. Moving on.

p 9

Public: “Fact that NSA/CSS exploits foreign ciphers”

TS/SI/ECI: “Fact that NSA/CSS works with specific U.S. commercial entities (A/B/C) to modify U.S. manufactured encryption systems to make them exploitable for SIGINT.”

Quite the difference there, eh?

In the WhipGenie doc, they add these:

p 4

“The fact that NSA and corporate partners are involved in backdoor-adding “cooperative efforts” with reference to ECI WHIPGENIE [program].”

“The fact that the FBI provides assistance with compelled and cooperative partnerships associated with WHIPGENIE.”

Note: The WHIPGENIE program repeatedly references FISA access, as that’s what it is about.

Then, there’s the BULLRUN program that said this:

TS/SI/NoForeigners: “The Backdoor Adding Project actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs. These design changes make the systems in question exploitable through SIGINT collection (eg. endpoint, midpoint, etc.) with foreknowledge of the modification. To the consumer and other adversaries, however, the system’s security remains intact.”

Note: That’s about the very definition of a subversion attack. The original and definitive paper on that subject is here.

TS/SI/ReltoUSA: “Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets.

Note: Previous quotes indicate they do this by targeting manufacturers (eg Gemalto hit) and by use of TAREX teams against specific targets (eg implants).

TS/SI/ReltoUSA: “Influence policies, standards, and specifications of commercial public key technologies.”

Note: That the purpose of the program is creating backdoors indicates this influence can only be about weakening them.

Conclusion

1. The NSA aims to subvert products, insert vulnerabilities into the whole of IT infrastructure, and weaken public standards for defending us.
2. They have contracts with specific U.S. and foreign partners to backdoor their systems.
3. They try to bribe others to get them to do the same.
4. The FBI compells others (somehow) in the U.S. to do this.

5. They lie about this publicly and require personnel in the project to do the same.

6. Even most people with Top Secret clearance weren’t cleared to know this.

7. The risk of being forced to assist is unknown given it’s done with secret courts, law interpretations, and programs. NSA spokesperson once said people would’ve gone to prison if they didn’t comply and do so quietly.

What to do?

Other leaks indicate Switzerland and Iceland weren’t cooperating. Neither are currently allowing NSA-style surveillance. Iceland has no export controls on crypto: ideal for development of such things. Switzerland has export controls and warranted eavesdropping, but also has strong protections of citizens while rarely using eavesdropping. Both have good Internet connectivity. Businesses and individuals wanting to avoid being “compelled” into supporting NSA/FBI/CIA’s surveillance dragnet are better off locating there.

Of course, once there, you will be subjected to targeted attacks approved for foreign companies. You will need to use SAP-style security to protect yourself. Companies and governments are best off pooling resources to vet various I.P. and open source solutions for their critical infrastructure. The best ROI is investing in security-enabling processors, I/O, firmware, and software TCB. Most of the business logic and major software can then be integrated with these to prevent rewriting everything. Overtime, more secure replacements will be built and integrated into these platforms. That’s the easiest route for the INFOSEC part of the problem.

Nick P • February 26, 2015 6:40 PM

@ vas pup

I like those. 🙂

@ Jacob

Just saw your comment.

“Microcode is something I have talked about for years as a risk.”

It’s a risk and a benefit. Microcode let’s you change ISA’s and programming model without swapping out hardware. It also lets you swap out hardware without changing the ISA’s and programming model. Intel and IBM have used the later with great competitive advantage for years. Other uses of it are accelerating key routines, secure ISA’s, and even atomic operations for transactions. Many cool things you can do with microcode. Issue is to ensure the microcode is open for review and have safe update mechanism (pref. a physical switch).

“I might be willing to soldier new chips occasionally but there are too many devices with firmware in a typical house. I would rather not play deadpool to my wife’s hacked decepticon Keuric.”

Haha that’s funny. I typically buy simple things with that being one reason. The better reason is old stuff, esp appliances, works way more reliably. My 20 yr old washer died a few months ago and I bought a 10yr old replacement that’s got all the features I need. My cars have been from the 90’s where there was tech but they weren’t going crazy with it. Weird to think there might be a market for “privacy-preserving cars” in near future. If I got more money, I’d probably just buy and slightly modernize a Corvette Stingray or something. 😉

“What are your views on monetization of info? I view it as a Ponzi scheme house of cards ready to collapse. Similiar to derivatives, selling and reselling the same info. Lenovo, Google, Facebook all trying to sell me socks. ”

It’s a strange market. It’s the one that makes some companies millions to billions while saying the value of a given piece of information is almost nothing. The old Internet advertising model crashed due to user desensitization. So, the new (successful) model is in bulk collection for targeted ads. I doubt it will collapse: just transform in many different ways like other experimental industries. There’s even a strong case against collapse: companies will always pay for ways to push their message into people’s minds and the “free” services make for great bait. It’s a necessity market for businesses.

Funny thing is, the Dot Com era was exactly what you’re concerned about. There was a huge bubble of investment into all kinds of firms offering paid technology products, services, and content. That went poof with especially few survivors in paid Internet content. Many of the survivors, including Tripod, were using ad-driven income while looking for their paid model. So, the proven model is, so far, to trust advertisers (and government snoops) instead of users if one wants a bankroll. People fight uphill battles trying to do the alternative, esp with people wanting $1 apps & $20/mo unlimited video.

Note: I recently looked at Yahoo’s Financials to try to guess what a competitive, online search provider (without advertising) might cost to build. It’s a bit opaque as I couldn’t isolate search by itself. Yet, their costs for apps, connectivity and equipment were several hundred million a year. That’s over a million a day. Google, Yahoo, and Bing aren’t getting replaced anytime soon…

“I have had an idea for a long time. Wounded warriors want to be productive, have goals, etc. And would serve if they could. Every time I see a story about shortage of IT security personnel I practically yell. Somebody, anybody give these people training. It won’t cost much. Personally I like giac. ”

It’s a good idea. GIAC is my favorite, too, if you add the hands-on testing (“challenge”) option. Very practical compared to the exam cram that is CISSP. The vets concept is one route but I got a better one: turn some of that pork funding into increasing assurance of our stuff. DOD comes to mind. So much of it just to bring money or jobs to the district. Well, give them some jobs that actually benefit us esp INFOSEC. Then, I won’t mind the waste as much. Likewise, could throw that money at employing wounded vets as INFOSEC contractors.

“inside joke that ties in to recent military story of you guys.”

What was that story again?

“If you are where I think you are….have some real fish and chips on me. One of these days I am going to do a “Hawkeye and ribs” delivery to myself stateside. ;)”

I’m in the Mid-South currently. Dodging this slippery ice. Fortunately, the second round of snow didn’t seem to ice over. If your nearby, I might pay you a visit once I get better cash flow and/or more reliable transportation. No promises on how soon or far that is in the future.

Nick P • February 27, 2015 11:48 PM

@ Skeptical

“The document does not contain or describe an entire OPSEC program. It does not provide a deception or disinformation plan, i.e. it does not provide, and is clearly not intended to provide, a briefing regarding a “cover” story for anything. So your interpretation of the (U)nclassified facts as deception operations is way, way off. It would make zero sense to brief a deception operation in this fashion.”

It’s actually a set of documents of various programs presenting different facts about those programs, NSA capabilities, and NSA goals. Far as deception, I’m not saying it’s a “deception operation.” I’m saying there’s the real capabilities they have at the highest level, then they water that down (or even totally contradict it) in presentations to lower levels. Their SAP security guidelines also allow misleading people not cleared for programs to protect secrecy of their capabilities. That a public document on their security approach endorses deception, even fake addresses, shows it’s considered a routine and necessary part of how they do stuff. Sensible, too, except when it’s used to mislead America about what they’re doing… to Americans.

“The “Public” level of “Fact of” classification isn’t in contradiction with more classified facts. A cover story isn’t going to receive a “Fact of” classification (unless it is identified as a cover story, e.g. “The fact that the claim of Government A’s non-involvement is part of a deception operation.””

Good point. Might have went overboard with that. They actually do both: use higher levels to add information; lie in lower levels as evidenced by contradictory truth in higher levels. There’s examples of both in the referenced documents. I’ve given many more in my posts on contradictions in public statements of intent/capabilities vs what’s in Snowden leaks.

“The “Public” level of “Fact of” classification isn’t in contradiction with more classified facts. A cover story isn’t going to receive a “Fact of” classification (unless it is identified as a cover story, e.g. “The fact that the claim of Government A’s non-involvement is part of a deception operation.””

I could’ve added more detail, there. The NSA promoted themselves as working with industry to improve security/crypto and using sophisticated methods to break foreign crypto. The public statement is intentionally vague. People reading it would assume it was consistent with other public statements, esp from IAD. Yet, we find through BULLRUN and other programs that they almost exclusively work to introduce vulnerabilities and backdoors into American crypto. Totally opposite of what they were telling Americans and the public version of that document.

“a wiretap order is SIGINT-enabling, Nick, as is placing a listening device inside a person’s home. All you’re doing here is confusing matters by narrowing what is a very broad term. ”

I’m not really. What’s happening is the NSA has added new issues to what was simple. Before the leaks, people thought the law said the government could force carriers to add L.I. or bug specific people in service of a warrant. Likewise, they could do searches of property or computers for data with a warrant. DOD’s and DOC’s official policy was also to encourage strong crypto while focusing remaining regulation on encryption.

Now, the documents don’t say “force carriers to implement L.I./SIGINT-enabling or develop implants for executing warranted bugging.” Instead, they talk of mandating backdoors in U.S./foreign encryption products or inserting vulnerabilities in the entirety of IT infrastructure. Each of these gives them a backdoor into the system. That’s very broad and the number of categories they named off should make every producer concerned.

“The NSA’s cryptologic missions, last time I checked, includes decryption Nick.”

You’re confusing mechanism with policy. Common even among security professionals. The mechanism is how they get the information or put information into the system. The policy is how they use the mechanism. Their mission, both overt and covert, drives the policies. The mechanism is typically eavesdropping and/or a backdoor of sorts. Backdoor might be inserted with malware attack, subversion, implants, and so on. If they can force software developers to add backdoors, then the result is consistent with my post. From there, they can do whatever they want with it and nobody will know. Policy enforcement is a matter of faith with their level of secrecy.

“The statements don’t contradict one another.
You also seem to believe that the latter statement must refer to some modification of an entire product line, whereas the far more likely interpretation is that it refers to targeted operations.”

Similar to the other quote, they do in the context of what the NSA tells the public and lawmakers. Nobody except the paranoid thought they were weakening our stuff. They were around to subvert enemy’s stuff. A ton more clearance, you find they’re hitting our stuff. Quite a contradiction in perception and deliberate: their success increased the more people trusted our stuff. After the leaks, the opposite effect occurred.

“Much of what the NSA does is in fact targeted. Interpreting every reference to cooperation as necessarily involving mass surveillance is a huge mistake. ”

The documents collectively indicate they target both companies and individual products. That’s not an assumption: they straight up say it in the most sensitive leaks. The thing you’re missing is that most U.S. software vendors don’t sell directly to consumers: they sell to distributers and resellers that sell to consumers. If they get a company to do SIGINT-enabling, they must be doing it at the product level and that necessarily affects all customers. They already did this with RSA and Microsoft’s NSAKEY. The subversion was in the product for all customers to have.

“For example, the Tor Project, last I checked, uses some very competent attorneys – and they don’t think that the Tor Project can be legally compelled to insert backdoors or compromise their product. ”

Good thinking: I spent quite a bit of time wondering about them. Short story: they’re a special exception to a lot of things and I still don’t fully grasp why without specifics from their lawyers. What I found is that they’re a nonprofit, they give away stuff for free, the source is available (riskier subversion), it’s heavily studied by pro’s, many police/government organizations in U.S. depend on their anonymity, and censorship-resistance tools get exemptions from things like export restrictions in crypto. The whole of their situation makes them unlike about any commercial or FOSS software maker. They’re not evidence of anything as their too unique. If anything, their subversion resistence just means other products concerned about that should copy as many of their characteristics as possible.

“As to the Swiss, how much do you know about their security services or laws, Nick?”

Their security services might be as shady as any other. I know they want similar capabilities. Far as general practice, my email service has a nice summary. The claims are similar to what a number of international, law firms say in their Swiss profiles. A business aiming to protect privacy with more assurance of reasonable, L.I. is much better off there than here. There’s other benefits with costs being my largest concerns. Strong privacy laws are why many firms, esp with trade secrets, headquarter over in Zug. Newer firms focused on privacy are basing their operations there for the same reason.

“As to Iceland, it’s certainly a fine place to do business. Is it better than the US? If the concern were only the law and security, my answer would be no. At best it’s equivalent, and is actually probably somewhat inferior in that it lacks the protections that derive from operating inside the US. ”

It has no crypto restrictions, no Gestapo-like activities (see above), strong protections for whistleblowers, good internet access, and they’re also marketing themself as a data haven. There are surely downsides where our country is better. Yet, if one wants no forced (or secret) subversion, then they have to operate in a country that doesn’t do that. Iceland doesn’t do that. And, like Switzerland, they’re one of only a few democracies that aren’t NSA SIGINT partners.