Friday Squid Blogging: Squid Can Recode Their Genetic Makeup

This is freaky:

A new study showcases the first example of an animal editing its own genetic makeup on-the-fly to modify most of its proteins, enabling adjustments to its immediate surroundings.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on February 20, 2015 at 4:06 PM • 98 Comments

Comments

somedude • February 20, 2015 4:33 PM

The other day, I stumbled upon people trying to bury, or retrieving, a buried device in a snow bank. I only had a glimpse of the device. It was a white dome sitting on a rod, maybe six inches in diameter with a low profile. Anyone know what it might be?

somedude • February 20, 2015 4:55 PM

Thanks, I think I am reading this blog too much. It was at my house... no construction in sight... the odd thing was how fast they disappeared.

atunik • February 20, 2015 6:45 PM

It is interesting that the squid can recode its RNA, but does not (apparently) recode its DNA. Any mechanism that would allow DNA recoding would be susceptible to a hack transmitted through the generations: a major security risk to what might be considered the animal's heritable firmware.

SomeRandomName101 • February 20, 2015 6:50 PM

A number of interesting news stories this week.

And so I, a rare and occasional visitor, will list these by number, where I have some comment I expect may be unique:

1. An article in a pseudo-mainstream news source, I think it was Wired, finally dug up the fact that the US had a Manhattan Project cyber project as far back as 1997. :-) What is no longer in Google News is that mention of this is actually in some press a few years before 1997, though also under Clinton. I might add, this news quote has been available in the Google News archive since 1997.

While I suppose some might equate this with the Equation Group, is there any other trend in the US one might have noticed since the mid and late 90s that involved computer security and primarily started and was maintained in the US?

2. The Equation Group, a comment, while I did not thoroughly read everything associated with it, I saw a number of second party references to this being relatively new discoveries. Does anyone else strongly doubt this? My guess is, like any such instance, probably that local counterintelligence had a field day with these discoveries for years before they felt a need to okay Kaspersky to have a public release...

3. The Lenovo MITM attack. Chinese intelligence &/or Law Enforcement, anyone? I have seen China rely on plausibly deniable attacks in the past, using code which was also used by sheer criminals, who may or may not have been under their control. Personally, ever since IBM sold Lenovo to China I found myself here and there saying to myself, "I really bet they are going to skewer those systems".

The ship... out of danger? • February 20, 2015 7:59 PM

Inside a Room Built for Total Silence

"The room is totally covered in foam wedges, pointing inwards, the floor a metal grate suspended over them. It’s both archaic and otherworldly, a retro-futurist scene in dull brown. As Dance pulls the door shut behind us, the atmosphere deadens. Any sound waves are deflected by the multifaceted foam and are effectively sucked into the walls. It’s an oppressive sensation; much of our spatial awareness is defined by echo-location, and even with my eyes open the disorientation is irrefutable. We agree that I’ll stay in the chamber for an hour with the lights out, to divulge myself of extra sensory distractions. I lie down on slabs of foam laid out as a makeshift bed; the academics pile out, and the technician pulls the door shut and flicks out the light."

milkshake • February 21, 2015 12:52 AM

It is not re-coding the genetic makeup (= DNA); the modification happens at the transcription level. But that kind of customization is odd, as if the same record could play jazz or polka, depending on the audience.

Clive Robinson • February 21, 2015 5:13 AM

@ Bruce,

With regard to the recent revelations about the NSA getting into firmware on hard disk controllers: do you remember the photographs of the computers that the Guardian destroyed under the guidance of two gentlemen from GCHQ in Cheltenham?

I said at the time that, if people studied them, they would tell us quite a bit about "methods" in use. However, few if any picked up on it at the time...

Perhaps it's now time to go back to the photos and talk about them to other journalists etc. I think that now people are --for a short while-- going to be a lot more interested in them, because it was not just the storage controller that got ground down at "Tweedle Dee and Tweedle Dummer's" behest.

I posted a couple of comments at,

https://www.schneier.com/blog/archives/2014/01/friday_squid_bl_410.html

And one to Skeptical at,

https://www.schneier.com/blog/archives/2014/03/firewalk_nsa_ex.html

Oh, and a Google search shows that my comments to Skeptical were re-blogged at the time as well...

J. • February 21, 2015 6:54 AM

RNA rewriting seems to be standard; the squid only stands out by doing it for 60% of its proteins.

Bob S. • February 21, 2015 7:04 AM

SIM Key Robbery

There is and was an actual monetary loss in this theft. The heist was common thievery by a nation state. Losses include the value of the cards and keys, a $500 million loss in stock valuation, the cost of repair and replacement of cards, security review and enhancement, and more.

Will there be prosecution? By whom? How?

Our government leaders have no response at all: DEAD SILENCE. Check out the political pages. They are about the usual culture war issues... guns and gays... or which goofy bastard might be running for President. Not one Congressman has said a word, nor the President.

WTF?


michael p. • February 21, 2015 7:45 AM

How insecure we are, thanks to all that security: it takes care of every aspect of computers but not actual security. We have NDA'ed secure cores, bootloaders... controlled manufacturers. DRM is a marketing tool. Today open source can't deliver a secure system, no matter what the scope is, because the hardware is ssshhh. Smoke and mirrors.

Grauhut • February 21, 2015 8:04 AM

FreeBSD man camcontrol :)

    fwdownload    Program firmware of the named SCSI device using the image
                  file provided.

                  Current list of supported vendors:
                  o HITACHI
                  o HP
                  o IBM
                  o PLEXTOR
                  o QUANTUM
                  o SAMSUNG
                  o SEAGATE

Figureitout • February 21, 2015 11:48 AM

Clive Robinson RE: 'Guardian destroyed hardware' (Google search term, people)
--In some of the footage the idiots were drilling w/ no eye or mouth protection (never had metal dust in my eye but imagine it's not pleasant)... The pictures weren't *that* great, but here's some:

http://www.vrworld.com/wp-content/uploads/2014/02/Screenshot-2014-01-31-12.021.jpg

http://www.vrworld.com/wp-content/uploads/2014/01/TheGuardian_215.jpg

http://static.guim.co.uk/sys-images/Guardian/Pix/pictures/2013/10/16/1381951961491/Destroyed-Guardian-comput-010.jpg

Rudimentary looking; I could only make out "HP FXN1", I think also "E93839 Rev. A" too, which may give one of the boards. Then from there look at the actual chips ground off.

https://www.google.com/search?q=HP+FXN1

http://www.theguardian.com/world/video/2014/jan/31/snowden-files-computer-destroyed-guardian-gchq-basement-video

http://www.theguardian.com/world/2013/aug/20/nsa-snowden-files-drives-destroyed-london

Jesuis Freeman • February 21, 2015 12:33 PM

@Bob S.

"Our government leaders have no response at all...

Looks like the WH at least sort of acknowledged it:

"Meanwhile, White House press secretary Josh Earnest wouldn’t comment on the report, but he rebuffed suggestions that the latest Snowden leak might harm the White House’s relationship with Silicon Valley.

“It’s hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so,” he said at his daily press briefing. “So, I do think in fact that there are opportunities for the private sector and the federal government to coordinate and to cooperate on these efforts, both to keep the country safe, but also to protect our civil liberties.”"

~~~

...you just keep on polishing that turd Josh. Judging by the turnout at the President's recent cybersecurity summit, it's apparent that there are, in fact, a lot of technology executives out there that are very well aware of exactly who it is that is using their technology to cause harm to this country. We'll just add this latest revelation to the pile in the out of control tire fire that is our national security policy.

Jacob • February 21, 2015 2:01 PM

Recent stories have sent me thinking and looking around.

1. Monetization of information to be sold to advertisers. Whether it is super cookies by Verizon or the changes to Facebook tracking where people go anywhere on the Internet. Blu-ray players updating on the Internet. TVs? Samsung is just the latest. Below is one from 2013.

http://www.dslreports.com/shownews/126796

Anything electronic now needs to be looked at for leakage. It used to be: sign up for free, and you are sold as the product. Now they are giving you "free" without telling you, when you purchase, but figuring the monetization into their product and corporate business model. I have wondered for years if this was a house of cards ready to collapse. They are selling and reselling the same information like some kind of Ponzi scheme.

My concern, other than privacy, is that bad guys can figure out how to get in by a vector that security and consumers don't know is there. SCADA vulnerable via TV? Yeah, I know, a little outlandish. Sandboxes or VMs can be jumped as well. Infrastructure, business including Wall Street, and government entities are vulnerable through the making of "smart" devices. "Willy nilly, let's make a device" (advertising money machine, easier for customers to update, or we can offer better customer support) needs to be addressed urgently.

2. Recent leaks. I would look carefully at game consoles as a source of leaking information, especially infiltration inside a network and computers etc. Firmware is suspect at least in my mind. I have a dislike of Sony ever since the rootkit fiasco and business practices since. ;)

3. When will a truly secure computer and OS be made? Sandboxing is inadequate, and I have wondered about even using a ROM OS, but that is inadequate... there are many thoughts out there. Nick pointed me to some, which sent me looking for a solution. I can't find any. Some are interesting though.

4. I really need to pull out my elementary grammar book. Between programming syntax, touchscreens, and emoticons my writing is really suffering. Esp. the use of commas. I wonder if there is an app for diagramming sentences. ;)

Jacob • February 21, 2015 2:08 PM

Sorry for the double post. I meant to add: something may not need to be plugged into a network. What if Microsoft, Sony, LG, or Samsung add a cellular capability? They are not that expensive and could be justified in their minds.

gordo • February 21, 2015 2:09 PM

Hellooo, NSA? The US State Department can't kick hackers out of its networks – report
Email servers still compromised after THREE months
Iain Thomson | The Register | 20 Feb 2015

Every time sysadmins find and delete a malware infection, installed by the hackers, another variant pops up.


[...]

Remote access to email inboxes has been disabled, it's reported. IT staff can't switch off the network to freeze the infection because the computer systems must remain operation [sic] for security reasons.

http://www.theregister.co.uk/2015/02/20/state_department_hackers_still_inside_after_three_months_report/

=============================================

EXCLUSIVE: STATE DEPARTMENT TRASHED 30,000 LOG-IN KEY FOBS AFTER HACK
Aliya Sternstein | Nextgov | February 20, 2015

During the switchover, some State personnel said they were not able to access work outside the office for months.


[...]

The decision to replace tens of thousands of passcodes and two-step authentication credentials "was based on sound cybersecurity best practices,” the State official said.

[...]

Revoking an entire inventory of log-in credentials all at once speaks to the serious nature of the attack.

[...]

The expense of canceling and re-issuing an entire department's IDs in one fell swoop can range from hundreds of thousands of dollars to millions of dollars, ... .

Which Computer Device Can You Trust?

Both the White House and State Department, for a time, delayed fully eradicating malicious activity after hackers simultaneously attacked each of their networks beginning last fall. This was intentionally done to ascertain the extent of the breaches.

[...]

On Friday, State said there is robust security in place to protect the department's computer systems and information, including the unclassified system.

http://www.nextgov.com/cybersecurity/2015/02/state-trashed-30000-login-key-fobs-after-hack/105762/

=============================================

JPMorgan Goes to War
The bank is building a new facility near the NSA’s headquarters to attract new talent
Jordan Robertson and Michael A Riley | BloombergBusiness | February 19, 2015

Convinced that it faces threats from governments in China, Iran, and Russia, and that the U.S. government isn’t doing enough to help, JPMorgan has built a vast security operation and staffed it increasingly with ex-military officers. Soon after joining the bank in early 2014, Cummings helped hire Gregory Rattray—like Cummings, a former Air Force colonel—as chief information security officer. Together the men oversee a digital security staff of 1,000, more than twice the size of Google’s security group. To make it easier to woo military talent, the bank built a security services facility in Maryland near Fort Meade, home of the National Security Agency.


The military overtones are no accident. JPMorgan is responding to attacks that the federal government is unable or unwilling to stop, says Nate Freier, research professor at the U.S. Army War College, yet it isn’t clear whether the bank’s weapons-grade operation is doing a better job than law enforcement agencies. “It’s a brave new world that’s not very well understood by the people playing the game,” Freier says. “It really is every man for himself.” (para. 2-3)

http://www.bloomberg.com/news/articles/2015-02-19/jpmorgan-hires-cyberwarriors-to-repel-data-thieves-foreign-powers

NobodySpecial • February 21, 2015 2:26 PM

@Bob S.
I don't think a prosecution is likely.
This, like the attack on the Belgian telco, was a presumably authorized attack by a state-level actor against a NATO member. Wouldn't this obligate the RAF to bomb Cheltenham?

tyr • February 21, 2015 4:20 PM

The same State Department is all atwit because ISIS is using Twitter to show teenage girls cat pictures and Nutella in jars. They feel a need to launch a massive storm of twits to bury this in tweets.

One possibility that hasn't been talked about much is the tendency to bury the information when hacked by what looks like a state actor. The open source community at least talks to each other when they see something weird; the rest are a lot more likely to do a coverup. That mindset undermines a lot more security than it promotes. It looks like the paranoids among us were actually pollyannas who viewed the world as rosy and the future as better.

The squid, like the roach, has had a long time to perfect methods to respond to the world's nasty habit of doing the unexpected. It is a lesson the endangered species Homo Sap has to learn the hard way.

Rue • February 21, 2015 5:54 PM

Speaking about firmware hacking: most if not all notebooks and bare motherboards these days sport some sort of Secure Boot, Computrace and various handicaps like not allowing booting from USB ports or the SDHC reader. I fear that soon they won't have to hack into firmwares, as they will already own them straight from the factory.

Maybe the coreboot initiative should be given more press, and maybe it's time to consider alternative CPU platforms.

Grauhut • February 21, 2015 6:51 PM

Meanwhile, White House press secretary Josh Earnest: “So, I do think in fact that there are opportunities for the private sector ... to protect our civil liberties.”

This is either massive doublethink or blackmail.

Hacking the privacy of people in order to protect their civil liberties is definitely like f*cking for virginity.

I am sure Josh Earnest is not that damn stupid, so this must be blackmail: "we know what you had and have on your devices".

מות • February 21, 2015 9:31 PM

So Israeli spy Adi Pinhas cripples your computer with Superfish. Boo hoo hoo for you. Israeli spies cripple everything, even if it breaks up NATO. Turkey is tired of NATO crap with crippled IFF that lets Israel attack anytime they want. They want a little taste of sovereignty. These days that comes from China.

Clive Robinson • February 22, 2015 9:18 AM

One reason why modern *nix are so bloated.

Have a look at the source code for "echo.c" in various *nix implementations:

https://gist.github.com/dchest/1091803

Whilst the original was lite n easy... later internationalization and other bloat has made it huge and stodgy, and the potential attack surface incredibly large.

If you want a secure OS, ditch the bloat one way or another; the Plan 9 way might be preferable in the modern context (i.e. build it in from scratch, not bolt layer after layer on year after year).

3074 (XXVIII) • February 22, 2015 10:15 AM

Useful big picture of CIA's cyberattack on Congress. After getting caught at widespread and systematic torture, CIA used secrecy regulations for obstruction of justice, leading to a covert putsch that gelded Congress, probably for good.

Figureitout • February 22, 2015 1:10 PM

Rue RE: coreboot
--Agreed. At this point in time the best I could do is code review and "clean up", and adding extensive comments for non-coders wanting to understand their BIOS (who must of course place trust in the comments...). The problem w/ something like a BIOS is there must be a good emulator for testing (otherwise bricked boards), and there's a whole lot of red and non-supported boards. If they can get the BeagleBone chip supported I'd be willing to risk a flash; the mobo I used to have was supported, but I'd lose a lot of features and still get flaky bugs (like screen flickering, which I thought actually may be a good feature during encryption (think creating EM garbage noise, so long as it's a different chain of execution from the crypto)). That's kind of a hard sell ("you mean to tell me I lose almost half of the functionality of my board!? Hell no!").

It needs a lot of work still, then make like 20 secure offline copies in the event of file corruption on server or malware infection on dev's PCs, for people not wanting to compile their own (which is still a bit of a "shifting chairs on titanic" action...but it's best mortals can do...).

Clive Robinson // Grauhut RE: bloated *nix
--Well, let's dig a little deeper... First the print statement for Unix V5, I've never seen that before, looks not right or someone being too clever: printf("%s%c", argv[i], i==argc? '\n': ' ');

I'll just do Plan 9 and OpenBSD. For Plan 9 you have 2 includes, u.h and libc.h. OK, let's check those out... uh oh, includes w/in includes... more files. In u.h:
--inttypes.h
--unistd.h--(uh oh, bsd.h too.)
--string.h--(uh oh, stddef.h too.)
--stdlib.h--(uh oh, stddef.h too.)
--stdarg.h (which wasn't in github source, so different versions here)
--fcntl.h
--(you get the point, also assert.h, setjmp.h, stddef.h (again), math.h, and ctype.h)

All that w/in the echo.c file. You *have* to therefore know all those files, well enough to firstly notice, say, a random change (that'd probably be a good internal code review test: if a person can't find a tiny change then they don't know the file well enough) and then yummy bugs cropping up.

OpenBSD has some more meaty header files:
/***** WARNING *****/
--FTP server w/ a file download here (only click from w/in VM or liveCD):
string.h
stdio.h
stdlib.h--(apparently it's been removed though: https://news.ycombinator.com/item?id=9087917)

Lots of classic C in those files, I'll ignore some of the "sweet tricks" and hacky workarounds present in all software (I do it too...gotta compromise and deliver otherwise someone else will do exact same thing or worse); but this is worrisome in stdio.h:

http://i.imgur.com/0jngGDs.png

If that's not hack-n-patch at its finest, I don't know what is. That would take at least a day to verify and step thru, for me at least.

So for even something as seemingly simple as an echo utility, code bloat just explodes real quick. Any sufficiently *usable* and non-worthless program will; eventually you're not cutting out fat but hitting bone... And it's just ripe for tiny bugs creepy-crawling all over. We're screwed any way you dice it.
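As an added illustration of the "ditch the bloat" point made in the last two comments (this is example code written for this page, not code from the thread, from Plan 9 or from OpenBSD): an echo(1) that pulls in nothing but <unistd.h> and <stddef.h>, so the only library code it depends on is write(2). The bounded formatter echo_format and the retry loop write_all are hypothetical helpers named here for the example. Note the i == argc - 1 test for the trailing newline; the V5/V6 source Figureitout quotes gets away with i == argc only because it decrements argc before the loop.

```c
/* Minimal echo(1) with no stdio dependency. Added example, not from the
 * original post; echo_format and write_all are helper names chosen here. */
#include <stddef.h>
#include <unistd.h>

/* Append src to out[pos..cap), keeping room for the NUL terminator.
 * Returns the new position, or (size_t)-1 if the text does not fit.
 * An incoming (size_t)-1 is propagated so callers can check once at the end. */
static size_t append(char *out, size_t cap, size_t pos, const char *src)
{
    if (pos == (size_t)-1) return pos;
    while (*src) {
        if (pos + 1 >= cap) return (size_t)-1;   /* would overflow the buffer */
        out[pos++] = *src++;
    }
    out[pos] = '\0';
    return pos;
}

/* Format argv[1..argc-1] into out as "a b c\n" (just "\n" when argc == 1,
 * matching the historical tool). Returns the byte count without the NUL,
 * or (size_t)-1 if cap is too small. */
size_t echo_format(char *out, size_t cap, int argc, char *const argv[])
{
    size_t pos = 0;
    if (cap == 0) return (size_t)-1;
    out[0] = '\0';
    for (int i = 1; i < argc; i++) {
        pos = append(out, cap, pos, argv[i]);
        pos = append(out, cap, pos, i == argc - 1 ? "\n" : " ");
    }
    if (argc <= 1) pos = append(out, cap, pos, "\n");
    return pos;
}

/* write(2) may return short counts on pipes and ttys; loop until done.
 * Returns 0 on success, -1 on a write error. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) return -1;
        buf += (size_t)n;
        len -= (size_t)n;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char buf[4096];
    size_t n = echo_format(buf, sizeof buf, argc, argv);
    if (n == (size_t)-1) {
        static const char msg[] = "echo: arguments too long\n";
        write_all(2, msg, sizeof msg - 1);
        return 1;
    }
    return write_all(1, buf, n) == 0 ? 0 : 1;
}
```

The whole program is about forty lines; compile with a strict warning set and the only headers the preprocessor has to open are the two named above, which is the comparison the thread is making against a stdio-based echo. The fixed 4096-byte buffer is a deliberate simplification; a real tool would either size the buffer from the arguments or write each argument as it goes.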

Wael • February 22, 2015 1:44 PM

@Figureitout,

best I could do is code review and "clean up"

That's easier said than done. I worked in a group that developed BIOS code. The group was over 20 developers strong! Each was a subject matter expert in one or more areas. And when I say SME, I'm not using that term loosely! These were people that were involved in the creation of industry standards as well as implementing these standards in the code. When new hardware came, it was possible for one or two developers to port the whole BIOS image to the new platform. But these developers were some of the best in the industry, some with 20 - 30 years of experience. I'm not saying it's impossible for a single person to review the Coreboot BIOS code... I'm saying only a small fraction of developers have the expertise and the time. Besides, BIOS code isn't just about "C" or assembler! That's about 20% of the needed skill set! One needs to understand the hardware and the technology as well (USB, memory, CPU, I/O, WiFi, Bluetooth, hard drives or SSD, video, sound, sensors, power management and sleep cycles, different bus architectures, ACPI, flashing and updating and recovery, hardware bugs and microcode updates...). On top of that, and for security-specific areas, one needs to understand cryptographic algorithms and side channel attacks as well. Not an easy task for one person to master... For those few people with the needed skill set and time, maybe securing the system is within reach. But how about the rest of us? Do we "trust" those who open sourced their work (just like we trusted OpenSSL or bash for a long time)?
So back to your statement (best you could...): maybe that's the best you could do, but I say it won't be sufficient. You'll need to go to a higher level of thinking and work with the assumption that you can't trust anyone or any component.

Nick P • February 22, 2015 2:17 PM

@ Figureitout

That's seriously the most god-awful piece of code I've ever seen. Single-handedly makes the case for more readable systems languages with straightforward macros or generics. Also, more research should be done on building macros or metaprograms as robustly as regular code. Languages like Haskell are pretty good at it but could be better.

@ Wael

I totally agree. Most of the work at that level is domain work, not regular programming. The best route seems to be raising the abstraction level in the language while using tools to eliminate or automate low-level stuff. Maybe as simple as using a readable language such as Modula-2/3 for logic, Ada-style existential types to catch data mismatches, and tools such as NICTA's Termite for I/O boilerplate. Zero-runtime Ada + SPARK or C subset + ASTREE analyzer are most powerful combos for it right now.

Clive Robinson • February 22, 2015 2:49 PM

@ Figureitout, Wael,

Whilst writing BIOS code is quite hard for modern hardware, I would not put anyone off trying to understand the basics.

The problem the industry has is that the number of "those who can" write good/effective BIOS code is diminishing; some have trouble seeing the screen, their eyes are so old and rheumy.

There are various other reasons for the diminishing numbers, not least the number of manufacturers who think their hardware interface and what lies beyond need to be fully covered by NDAs and other confidentiality agreements. Thus getting device data is a job for Sisyphus at the best of times, and more like having to clean the Augean stables with your tongue the rest of the time.

Even when you are writing a BIOS / uOS for an SoC with full NDAs it can still be difficult because of what did not get put in the data sheet, so having an insider at the manufacturer can be a must (especially when you start discovering actual "on chip" hardware errors). One way or another I've spent about a third of my professional programming time writing such code, and I'm getting long enough in the beard to get envying looks from Santa ;-) which means it's probably past time to hand over the reins, but to whom?

That's the rub: there are too few people who have either got the skills or want to get them, because at the end of the day the ROI on such skills is small and the task is at best a thankless one.

Often you see "binary blobs" from the chip tech support people that come with the development kit. If and when you get into those blobs you just get the feeling the person who wrote it was probably a summer intern on work experience... So they probably lack all sorts of other skills, which probably means that, figuratively speaking, it's not just the stable door that's not secure...

Getting your head around well-written bottom-of-the-software-stack code will benefit the other work you do in oh so many ways.

Firstly, you quickly learn the ins and outs of efficient and compact code, not just for the static hardware memory model but also the dynamic interrupt model. You learn about fast and slow interrupt handlers and the use of appropriate buffers to get data into process space with minimal overhead and, importantly, how to get interrupts to play nicely with each other and not deadlock or spin. You also rub up against the thorny issue of memory management, which for small and embedded systems is often best done by garbage collection, especially if you have either no, or a low-capability, MMU, and it gives you an appreciation for stack-based systems.

You also learn a valuable trick of writing your own code libraries that are platform independent, such that the amount you have to rewrite from scratch is minimal.

So yes, dig into the code, but don't expect easy or quick results.

Offtopic • February 22, 2015 5:03 PM

Hi, I just wanted to say a total offtopic thing.
I like to play chess but haven't played in such a long time, so I am in this little shithole in Thailand right now, and we smoke some locally made cigarettes that are called bongs or what not...

Anyhow the lady in the bar, she is from Azerbaijan, and a nice lady, half Thai and half French, and after this and that we realized we wanted to play chess.

AND wowee could she play chess. This is now my 4th week here; I go there regularly to play with her. She is a good teacher too: she can, just after every chess play, say what her interests and tactics were at that time and what she feared from my play and what her defenses were.

SO HAS nothing to do perhaps with security, but so I am not sure, since one thing led to another thing and so on... Anyways, what I have learned is: listen to your opponent, learn his or her tactics; only after that can you be successful.

So in our case we need to know first!
Who the fuck is the enemy and why.
If there is no enemy, no problem, but if there is, then what is the defense?

This Snowden thing is very disturbing since we don't see the whole chess board.
...
So anyways protection is important, has always been, but learn to play chess first
so you know your enemy.

Offtopic • February 22, 2015 5:19 PM

Sorry, I know it might not be obvious, but read between the lines.
IT is very serious and also not so much...

Korchnoy

Bong-smoking Primitive Monkey-Brained Sockpuppet • February 22, 2015 5:40 PM

@Offtopic,

I like to play chess but haven't played in such a long time, so I am in this little shithole in Thailand right now, and we smoke some locally made cigarettes that are called bongs or what not.

I'm your huckleberry!
Say! What's your favorite opening? Mine is the king's gambit (accepted) (so 1800's, I know)

Who the fuck is the enemy and why.

Have you seen the movie "Snowden and the seven spooks"? Well, it's not out yet, so never mind!

So anyways protection is important, has always been, but learn to play chess first so you know your enemy.

Huh! "Some" enemies use supercomputers that can calculate 1.7 googolplex moves a second. They also have a team of grandmasters. Also the board will be hidden from you, and they can snatch a queen or a rook from you at will! Their "pawns" and pieces don't play by the rules you learn ;) You can't win... Go back to your cigarette ;)

Baku • February 22, 2015 5:41 PM

So in the Soviet times the inside politics were hidden from the normal people, but they got relieved somehow from poetic operatic involvements and also from playing the chessboard.
AND back then the enemy for small Azerbaijan was Victor Korchnoi, who was playing for the Soviet elite. Then the American-born grandmaster Bobby Fischer came and won everything; he came to play also against the Azerbaijani champion at that time, Garry Kasparov, who was playing a TOTALLY different type of game plan, a very very disturbing play style that was truly intuitive.

Anyhow this is some of the chess history, and it was interesting to see how the Azerbaijani people today see the world; it's nothing but what I thought it would be. And this girl played totally like a true Azerbaijani warrior...

So anyhow, we don't know who the enemy is, so we can't really defend against it because of that; we can only make general assumptions, and because of that we can't win the games, aka we can't be grandmasters. First we need to find the real enemy, THEN we can fight the enemy and win. Have a good night, CHESS AND MATE :-)

Grauhut • February 22, 2015 5:44 PM

@Pros here

What is the best we have TODAY?

Do we have something usable and better (in security) than OpenBSD on armv7 with TOR for instance as a general purpose system?

www.openbsd.org/armv7.html

Something we could give to Average Joe, tell him the login credentials and tell him to work with it now?

Figureitout • February 22, 2015 5:50 PM

Wael
That's easier said than done.
--[1] Once you "get over the hump", I mean, you know what I'm trying to say. For "relatively" (inside the SoCs is still a massive amount of functionality and peripherals, in a single chip! Chips w/in chips, insane...) small embedded systems I was drowning for a while in datasheets and code; much better now after months... But even the BeagleBone SoC, there's so much, so yeah a CPU like 3 times larger (in physical size, completely different structure) is gonna be a hell of a bull ride lol...

I worked in a group that developed BIOS code
--Cool, lucky...

When new hardware came, it was possible for one or two developers to port the whole BIOS image to the new platform.
--Yeah, but it wasn't like "radically different", eh?

BIOS code isn't just about "C" or assembler!
--Refer to [1]. Even simple (once you find them) hardware bugs are insanely hard to track down; I don't even know about this mobo I blew up (if it's a bus line in the PCB then it's toasted, right?) or this board at work flashing the exact same binary but with different behavior. I know there's like a 10000-flash limit before memory starts deteriorating but I don't believe we were even close. So you know, you have to be smart about allocating your time to bugs that are too ridiculous too, and it's best to learn that the hard way I think.

Do we "Trust" those who open sourced their work (just like we trusted OpenSSL or bash for a long time?)
--A simple "No".

Maybe that's the best you could but I say it won't be sufficient.
--One can always say that.

You'll need to go to a higher level of thinking
--Can't, I always want to go deeper until I reach chemistry then back up again.

[1] https://cassymuronaka.files.wordpress.com/2012/08/the-choir.jpg

Nick P
--I mean, if you're that clever to write such [working, not necessarily secure] code, you can write it better than that. You're an ass otherwise coding for "job security" or keeping others ignorant, especially in stdio.h.

Clive Robinson
it's probably past time to hand over the reins, but to whom?
--I'd gladly take them, but you won't recognize your horse/buggy when I drive it in a ditch lol...so hand them to someone more capable lol.

You also rub up against the thorny issue of memory management
--Yes, I have many issues w/ this. I'm convinced we're not doing the best mem. management (weird starting places, size of some structures, and actually cleaning instead of pointing somewhere else and overwriting) at work but am not sure how to implement. I'm a little OCD though so I'd probably never be satisfied. But for non-networked (tcp/ip) things it's at least less of a *super critical* issue (really not worth your time hacking our products...); not for all this "smart" stuff though, especially this smartgrid controller I saw in a magazine...holy cow this is not good. Also it's a really bad feeling when code doesn't run how it should for otherwise simple operations...I don't know how to catch that "bug" yet.

So yes dig into the code but don't expect easy or quick results.
--I never do...but I am impatient.

OT:
Internet of Crappy Things
http://blog.kaspersky.com/internet-of-crappy-things/

Computer Security in the Real World
[2] http://research.microsoft.com/en-us/um/people/blampson/69-SecurityRealIEEE/69-SecurityRealIEEE.htm

[2]Nick P don't say a damn thing about this paper lol. Not a word!

OutoftheboxFebruary 22, 2015 5:50 PM

Hmm but anyways, the thing we can do to an enemy unknown to us is good defence but also out of the box thinking.
That was what I tried to say but it took awhile :-) cheers and bongs to you all too...555
this is where all good guerrilla tactics start, when the enemy is too big or too damned difficult to deal with then guerrilla tactics and out of the box thinking start.

Get out of the box and use that as a defense it might not work but it will get confusing
until you know your enemy good enough and you can defend towards it correctly.

Aka do unpredictable things that the enemy isn't prepared for.
Good morning Thailand sun is going up now

Clive RobinsonFebruary 22, 2015 7:22 PM

@ Figureitout,

--I'd gladly take them, but you won't recognize your horse/buggy when I drive it in a ditch lol...so hand them to someone more capable lol.

Don't be so quick, nothing worthwhile is easy, they say it takes 10,000 hours to become proficient in a skill and a lifetime to master.

You are probably too old to remember how you learnt to walk and too young to have watched your own children do it... The trick most children use is to first learn how to fall over, then learn gradually how to fall in the direction they want to go but without actually falling all the way.

So for what you are doing the first trick is to learn not how to fail --anybody can do that-- but how to fail safely and learn something from the experience (which is a talent worth having).

When you have learned how to fail gracefully, you can use the lessons to fail less often, until you fail hardly at all. Then you can apply that skill to other areas of endeavor to shorten the learning curve there.

Anyone who tells you, you can develop a skill any other way is ignoring a million or so years of evolution, which has got us where we are. Whilst there will always be fast learners for whom the lessons appear effortless, often this skill is at the expense of something else.

WaelFebruary 22, 2015 8:58 PM

@Figureitout,

Yeah but it wasn't like "radically different" eh?

It was typically a minor delta.

Clive RobinsonFebruary 22, 2015 9:50 PM

@ Grauhut,

What is the best we have TODAY?

We have actually gone past the best...

In 1974, the Selectric typewriter was responsible for the most efficient years of "office" productivity, which started to go downhill with the introduction of Word Processors...

The POTS push button phone, with its simple numeric protocols and local PABX reached its zenith around 1980 and started to go downhill with voice mail, which has got worse with Email and smart phones.

The thing turns on,

Something we could give to Average Joe, tell him the login credentials and tell him to work with it now?

The average joe, can not work with a computer or smart phone for that matter, they both have a large learning curve which breaks the "five plus or minus two" rule. That is most humans can remember in short term memory between three and seven things, if anything else comes along something has to go. It takes about ten to fifteen minutes for one thing to start to get stored in long term memory, provided it is repeated over and over. But it takes several days for it to stick as the process requires you to "sleep on it". The younger you are the faster you learn new knowledge; after you get above twenty five the process takes noticeably longer, however a new trick takes over which is "relating to other learned knowledge", this can get you into your nineties provided what you learnt when you were young was sufficiently broad and repeatedly exercised through life.

Think how long it took you to learn to write with a pencil, it is incredibly simple to use, but few ever learn today to master it to the point of legible cursive script, let alone draw life like pictures.

The reality of computers for the average Joe is that they too easily allow you to correct the mistakes you make... So you never learn by the mistakes to become proficient in using them like a pencil or phone or typewriter. What you become proficient in is re-working your bad work until it becomes acceptable work, not producing good work to start off with, because you failed to get up the learning curve.

Back forty or so years ago you used to have it drummed into your head that "penmanship matters" and it did because all exams were handwritten. But what nobody told you was that the real reason was penmanship taught you perseverance to become proficient at tasks so you would get things right by learned skill not luck and therefore would be efficient at the tasks.

So we really should be asking first if "general purpose computing" with the quite deliberate "ever changing" skill set is what we need?

And the answer is almost certainly no...

If we want users to behave securely then the systems they use should have minimal complexity and virtually unchanging operating procedures. Oh and "put the spike in the steering wheel": humans tend to learn within bounds when the bounds involve hurt/pain, in-built safety/security only makes people reckless, pain generally makes them cautious.

The alternative to a "spike in the steering wheel" is "safety guards", that is you don't allow the incautious or careless to get their body parts close to the blade/gears etc of the internals of the machine. It has the advantage over the spike of at least "keeping alive" the investment you have made in training so you --potentially-- see some return on it.

Which brings us back to your question of,

Do we have something usable and better (in security) than OpenBSD on armv7 with TOR for instance as a general purpose system?

You are actually asking two questions,

1, something usable,
2, something... ...better (in security).

The two are different, the first is about "the user interface" the second is about "the machine behind the user interface". What you are not asking is "spike or guard" to separate the two which is important.

If the computer is being used to learn or is truly segregated then the "spike" is the best way to go. If it's for real work and it's not segregated then the "guard" is the best way to go, but it has significant implications.

That is the users will not learn how to use the system efficiently and they will take all sorts of risks you will have to guard against, not just for their security but yours as well.

Thus the machinery internals will need all sorts of "stops and guards", and it is these you are implicitly asking about.

The easiest way to ensure that "stops" work is to have the machine be only as complex as the task requires and no more, the simpler the task the easier it is to reduce the complexity and the more effective the stops you add will be. Around this you then need to add a guard with only holes for "feed stock" and "product" which should be "gated down" for the specifics of the current task. The person controlling the task should have as simple as possible a user interface to control the task in a secure and unambiguous way, which follows the argument of "least surprise".

If a task is complex, then rather than try to do the whole task in one machine where stops will be ineffective, break the task down into segregated machines and apply strong checking and control to the "feed stock / product" as it progresses through the machines.

If you then think on this you will realise that you are back to the old TEMPEST / EmSec rules of "segregation / incomplexity / controlled choke points".

Ultimately as @Wael will no doubt point out you have built a "prison" system. Where tasks are kept as small as possible to enable reliable checks or "stops" and the data "feed stock" into any task has been strongly checked by the "gates", and likewise the data "product" out of the task is strongly checked by the gates and each task is only allowed the resources to carry out the task and no more. Thus "out of bounds" data that is malware gets rejected by the task specific "gates" and in bounds data that is malware does not have the resources to hide in.

The question then is how you build such a system, well you can do the segregation either physically (the most secure) or virtually. Currently we know that "chrooting" and "sand boxing" are insecure when done in software only, and it is believed that software only virtual machines are likewise insecure. This means that you need some kind of non-software method of making the "guards" for resource control / limitation and the halfway house between software and physical segregation is to use logical segregation via the Memory Management Unit. But it is only going to be effective if and only if it has sufficient granularity which most currently do not and it is only going to be secure if there is a reliable method to ensure the correct operation of the MMU. The latter point requires some non software protection for this to happen, again a halfway house would be the use of logical "rings".

Thus the hardware of choice if not physically segregated would need the MMU and ring logic built in and properly supported by the OS, arguably the common OSs are not up to the required level to ensure security.

Even if they were there is the question of task functionality and OS support. Ideally the tasks would not "see the OS" they would just read or write data from secure buffers, the OS would then move the data from task to task "gating" it before doing so.

Whilst there are mechanisms to do this in many OSs they lack the gating process, thus this would have to be built in, in some manner.

Hopefully that gives you an idea of what we should be looking for as a starting point.
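
As an added example (not code from the comment above), here is a small Python model of the gated pipeline just described: each task runs as a separate process that sees only feed stock which passed an input gate, its product must pass an output gate before the next task sees it, and a task that exceeds its time budget is terminated. The gates, task bodies and payloads are constructed for the example; real isolation would back the process boundary with the MMU or physical separation the comment calls for, which Python alone cannot provide.

```python
"""Gated task pipeline: each task runs in its own process, sees only feed stock
that passed an input gate, and its product passes an output gate before the
next task sees it; a task that overruns its time budget is terminated.
Gate bounds, task bodies and payloads are all constructed for this example."""
import multiprocessing as mp
import re
import time
from dataclasses import dataclass


class GateRejected(Exception):
    """Data fell outside the bounds a gate declares."""


@dataclass(frozen=True)
class Gate:
    """Admits only payloads that fully match one pattern under a hard size cap."""
    name: str
    pattern: bytes   # regex the whole payload must match
    max_len: int

    def check(self, data: bytes) -> bytes:
        if len(data) > self.max_len:
            raise GateRejected(f"{self.name}: {len(data)} bytes > {self.max_len}")
        if re.fullmatch(self.pattern, data, re.DOTALL) is None:
            raise GateRejected(f"{self.name}: payload outside {self.pattern!r}")
        return data


@dataclass(frozen=True)
class Task:
    name: str
    fn: object       # bytes -> bytes
    feed: Gate       # gate on what goes in
    product: Gate    # gate on what comes out
    budget_s: float  # wall-clock budget; the process is terminated past it


def _child(fn, data, conn):
    """Process body: the task only ever sees the gated payload it is handed."""
    try:
        conn.send(("ok", fn(data)))
    except Exception as exc:  # report the failure; never let it reach the controller
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_task(task, data):
    data = task.feed.check(data)
    rx, tx = mp.Pipe(duplex=False)
    proc = mp.Process(target=_child, args=(task.fn, data, tx))
    proc.start()
    tx.close()
    try:
        if not rx.poll(task.budget_s):   # also trips if the child died silently
            raise TimeoutError(f"{task.name}: no product within {task.budget_s}s")
        status, payload = rx.recv()
    finally:
        if proc.is_alive():
            proc.terminate()
        proc.join()
    if status != "ok":
        raise RuntimeError(f"{task.name}: {payload}")
    return task.product.check(payload)   # bounds a misbehaving task's output too


def run_pipeline(tasks, data):
    for task in tasks:
        data = run_task(task, data)
    return data


def outcome(tasks, data):
    """Fold a pipeline run into one string: ok:<product> or the stop that fired."""
    try:
        return "ok:" + run_pipeline(tasks, data).decode("ascii")
    except GateRejected as exc:
        return "rejected:" + str(exc)
    except TimeoutError as exc:
        return "timeout:" + str(exc)
    except RuntimeError as exc:
        return "error:" + str(exc)


# constructed gates and tasks
LOWER_TEXT = Gate("lower-text", rb"[a-z ]+", 64)
UPPER_TEXT = Gate("upper-text", rb"[A-Z ]+", 64)
COUNT = Gate("count", rb"[0-9]{1,3}", 3)

def upper_fn(data):
    return data.upper()

def count_words_fn(data):
    return str(len(data.split())).encode()

def leaky_fn(data):
    return data.upper() + b"; EXTRA=1"   # tries to push extra data down the line

def runaway_fn(data):
    time.sleep(10)                       # never finishes within budget
    return data

UPPER = Task("upper", upper_fn, LOWER_TEXT, UPPER_TEXT, 2.0)
COUNT_WORDS = Task("count-words", count_words_fn, UPPER_TEXT, COUNT, 2.0)
LEAKY = Task("leaky", leaky_fn, LOWER_TEXT, UPPER_TEXT, 2.0)
RUNAWAY = Task("runaway", runaway_fn, LOWER_TEXT, UPPER_TEXT, 0.5)

if __name__ == "__main__":
    print(outcome([UPPER, COUNT_WORDS], b"hello gated world"))   # ok:3
    print(outcome([UPPER, COUNT_WORDS], b"hello\x00world"))      # rejected at the feed gate
    print(outcome([LEAKY], b"hello"))                             # rejected at the product gate
    print(outcome([RUNAWAY], b"hello"))                           # timeout
```

The product gate matters as much as the feed gate: the `leaky` task's extra bytes are dropped at the boundary, so a task that misbehaves can neither widen what the next stage receives nor, thanks to the budget, hold the controller hostage.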

Visual CachingFebruary 22, 2015 10:43 PM

@Clive "The average joe, can not work with a computer or smart phone for that matter, they both have a large learning curve which breaks the "five plus or minus two" rule."

The effective size of short term memory can be increased by "visual caching", which is the leveraging principle behind the graphical user interface.

Researchers on the Xerox Star project found that (1) conscious thought deals with concepts in the short-term memory, and (2) since the capacity of short-term memory is limited, when everything being dealt with in a computer is visible, then the display screen relieves the load on the short-term memory by acting as a sort of 'visual cache'. [from 'Tools For Thought: The People and Ideas of the Next Computer Revolution' by Howard Rheingold.]

ThothFebruary 23, 2015 12:53 AM

I wonder why SIM cards do not use asymmetric keys for their Ki key (unique SIM applet secret key) instead of using a 128 bit Ki symmetric key (current SIM applet secret key) since the asymmetric key could be generated within the crypto-processor module of the SIM cards and only the public key could theoretically be retrievable but the current SIM card industry chose to use a 128 bit symmetric secret key instead.

Of course the problem regarding the quality of the prime numbers for the asymmetric keys (RSA) would have doubtful quality but the application of a CSPRNG on a weak random probably with enough mixing via the CSPRNG would make it just good enough for use.

Some might point out that the SIM card may not be suitable for doing RSA functions but that is precisely what most crypto-processors (which are baked into each SIM card) claim to be good at anyway with their marketing of advanced RSA computation function techniques.

One thing to note as well is the ciphering key / session key (Kc) to the cell tower may not change very often since most people simply leave their phones sitting on. I am not certain on the frequency of the changing of the Kc key and do note that the Kc key would be exported out of the SIM card for encrypting the phone calls under a weak length key (Kc is only 64 bit key) and it's a stream cipher (A5 cipher) as we know.

SIM crypto has been broken a long time ago and the SIM card's tamper resistance is pretty low (like most smartcards). The heavy use of NDAs and closed door development with Governmental meddling already spelt much of the doom of SIM cards and smartcards a long time ago together with most crypto technology.

Some info on SIM crypto: http://www.decodesystems.com/mt/98oct/
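
Added example, not from the comment above or any SIM vendor, to show the key-residency difference behind the question: with a symmetric Ki the operator's authentication centre needs its own copy of Ki and can recompute Kc from any RAND it sees, whereas with a per-card key pair only the public key ever leaves the card. A3/A8 are replaced by an HMAC stand-in and the signature by a deliberately tiny textbook RSA on fixed Mersenne primes so that the example runs on the standard library; both are placeholders, not primitives to deploy, and session-key agreement for the asymmetric case is not covered.

```python
"""Where the long-term SIM secret has to live: symmetric Ki versus a per-card
key pair. HMAC-SHA256 stands in for A3/A8 and a toy textbook-RSA signature on
fixed Mersenne primes stands in for a real signature scheme; both are
placeholders so this runs with the standard library alone (assumption)."""
import hashlib
import hmac
import secrets

SRES_LEN, KC_LEN = 4, 8   # GSM sizes: 32-bit SRES, 64-bit Kc


# ---- symmetric scheme: the card and the operator both hold Ki ---------------
def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for A3/A8: derive SRES and Kc from (Ki, RAND)."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:SRES_LEN], out[SRES_LEN:SRES_LEN + KC_LEN]


def sim_symmetric(ki: bytes, rand: bytes):
    """What the card computes when challenged."""
    return a3_a8(ki, rand)


def operator_store_symmetric(ki: bytes) -> dict:
    """The authentication centre must keep its own copy of Ki."""
    return {"ki": ki}


def network_symmetric_verify(store: dict, rand: bytes, sres: bytes) -> bool:
    expected, _ = a3_a8(store["ki"], rand)
    return hmac.compare_digest(expected, sres)


def kc_recoverable_from_store(store: dict, rand: bytes, kc: bytes) -> bool:
    """Whoever holds the stored Ki and sees RAND can rebuild the session key."""
    if "ki" not in store:
        return False
    _, kc2 = a3_a8(store["ki"], rand)
    return hmac.compare_digest(kc2, kc)


# ---- asymmetric scheme: the private exponent never leaves the card ----------
P, Q = (1 << 61) - 1, (1 << 89) - 1     # Mersenne primes; toy-sized modulus only
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # generated and kept inside the card


def _digest_int(rand: bytes) -> int:
    # 128-bit digest is below N, so textbook RSA applies directly (toy; no padding)
    return int.from_bytes(hashlib.sha256(rand).digest()[:16], "big")


def sim_asymmetric(rand: bytes) -> int:
    """The card signs the challenge with D."""
    return pow(_digest_int(rand), D, N)


def operator_store_asymmetric() -> dict:
    """The authentication centre keeps only the public key."""
    return {"e": E, "n": N}


def network_asymmetric_verify(store: dict, rand: bytes, sig: int) -> bool:
    return pow(sig, store["e"], store["n"]) == _digest_int(rand)


def holds_private_material(store: dict) -> bool:
    """True if a breach of this store exposes a secret that authenticates as the card."""
    return "ki" in store or "d" in store


if __name__ == "__main__":
    ki, rand = secrets.token_bytes(16), secrets.token_bytes(16)
    sres, kc = sim_symmetric(ki, rand)
    sym = operator_store_symmetric(ki)
    asym = operator_store_asymmetric()
    print(network_symmetric_verify(sym, rand, sres), kc_recoverable_from_store(sym, rand, kc))
    print(network_asymmetric_verify(asym, rand, sim_asymmetric(rand)), holds_private_material(asym))
```

The two `operator_store_*` functions are the point: a breach of the symmetric store yields every subscriber's Ki and, with observed RANDs, their Kc values, while a breach of the asymmetric store yields only material that was public anyway.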

Nick PFebruary 23, 2015 12:56 AM

@ Figureitout

"Nick P don't say a damn thing about this paper lol. Not a word!"

Microsoft.

More seriously, it's a paper I've never read by one of the Giants of IT/INFOSEC. His contributions continue to pay off today. If I comment on it, I'd do it after reading it with a fresher mind. I'm almost tired enough to sleep and section 2 was looking really good. Similar to what Wael was wanting, actually. I'm certainly reviewing and maybe posting on it in the future.

Meanwhile, thanks for the paper!

WaelFebruary 23, 2015 1:24 AM

@Nick P, @Figureitout,

Similar to what Wael was wanting, actually.

Good paper. Not similar to what Wael wants. Different approach... I am after:
Definition->Elements of the definition->Relationship between elements->Trade offs->Principles->Models and patterns that implement the principles->Implementations.

Sweet dreams @Nick P...

Mark EdgarFebruary 23, 2015 7:40 AM

Gemalto have been leaking documents about EMV @ job interviews for 10 years now.

The real problem is DataCard Ltd these guys are the ones that actually personalise the smart-cards for Gemalto.

They gave me security documents at a job interview then raided my house saying I stole them 10 years ago.

I have not worked in Security since, they say it never happened.

The high court of Scotland was lied to saying I stole these documents, which I still have.
They will not recover the documents or talk for over 10 years now.

DataCard Ltd should really be looked at not the Gemalto team as they don't care about security at all.

Please ask, I can e-mail anyone who wants a copy.

The legal papers served on me are not valid it turns out, the wrong post code was used.
The raiding QC at the time said it did not matter.

I was taken to court for 200,000,000 pounds damages!

Mark Edgar

me@hakme.uk

LeeFebruary 23, 2015 8:51 AM

No such agency:

The drive processor re-purposing is not hypothetical at all. I've seen in depth treatises on this, with illustrations, running Linux inside of the drives - *any* of them.

LeeFebruary 23, 2015 9:30 AM

@Clive: If you want a small attack surface, try Syllable or Haiku. Sure - these systems have a security situation that is embryonic, and in need of TLC. But - the kernel and driver source file listings fit neatly into one full screen. That's manageable.

As far as Plan9 goes - there's maybe a little too much telco in there to suit my tastes. Well - I guess I won't be using any kind of *nix* then, will I. But hey - those telco guys are all on the up-and-up, of course they are. So, pick your poison wisely, or switch cups.

LeeFebruary 23, 2015 10:04 AM

Sorry I didn't post on Friday, when there were people here :-(

@Grauhut: The average Joe won't be helped until the infrastructure controllers really want security. Browsers now (by default) offer up cereal box key ring cryptography in their preference lists, while on the other end servers tend to pick lower crypto levels to save cpu overhead. Even when servers do select a decent cipher suite, they offer up mixed content with leaky http "side" channels. Most people (even in IT) see the leaky http channels as only an affiliated info leak, when the really big deal is that those connections are prostrate for shell code.

NathanaelFebruary 23, 2015 11:38 AM

Cephalopods are extremely, extremely impressive. They will probably take over the world after idiot humans drive themselves extinct.

NathanaelFebruary 23, 2015 11:50 AM

"so in our case we need to know first!
who the fuck is the enemy and why."

It's the Military-Industrial Complex, sometimes known as the Military-Industrial-Congressional Complex. See Chuck Spinney's blog for discussion about its behavior.

Main motivation: getting paid.
Secondary motivation: sheer enjoyment of breaking stuff (in the NSA case, criminal computer-cracking activity).
Tertiary motivation: bigotry (anti-Islamic, mostly).
Quaternary motivation: paranoia about being caught in their numerous crimes and sent to prison.

Willing to break the law, violate the Constitution, subvert democracy, massively harm all of American industry, and destabilize world security, in pursuit of said goals, particularly that of getting paid.

There's your enemy profile. I'm not quite sure what to do with that profile. Their great weaknesses are:
-- They have no principles, so principled people will continuously defect (think Snowden)
-- They have no ideology motivating them, and this means their unprincipled employees who are just doing-it-for-the-money are going to be sloppy and lazy (for instance, letting the "call home" domains on their malware expire so that Kaspersky could register them)
-- They don't seem to know when to stop; as a result, they are making powerful enemies at an extremely fast clip, including the executive offices of Amazon, Google, IBM, etc.

NathanaelFebruary 23, 2015 11:53 AM

We're working on the level of grand strategy geopolitics here. And on that level, these NSA guys are *losers*. But they're making a big mess while they lose.

Clive RobinsonFebruary 23, 2015 12:09 PM

@ Nathanael,

They will probably take over the world after idiot humans drive themselves extinct.

Not if we eat them all first on our way to extinction...

Which reminds me,

@ Bruce,

How about another squid recipe or two, after all they are voracious predators and we need to even the score :-P

GrauhutFebruary 23, 2015 1:21 PM

@Lee, Clive: "average Joe" "Joe won't be helped" "joe, can not work with a computer or smart phone"

Sometimes the world is not perfect... :)

What is the best we can offer today to Joe Average? What is best on the "better than nothing" side of the equation for use today?

If we give no answers (without warranties) who else?

FigureitoutFebruary 23, 2015 3:25 PM

Nick P
Microsoft
--Huh, so reverse psychology works on you eh? Don't hit yourself. :p

I said don't say anything b/c I would've guessed you ghost-wrote the thing, if it mentioned Orange book I'd be sure lol. Anyway, it's a decent high-level overview and mostly focuses on network security.

Wael
--I'm after stepping stones to more secure PC->minimal components having high returns->isolation by physics->safe reset to stone-cold image for inevitable malware->visibility for immediate user.

Grauhut
--Average joe can get a PC or laptop w/ disk drive from a cash bought prepaid creditcard (registered not at home, yes it's a risk so use up the funds quickly), registered to fake name, delivered to PO box, etc. however far they want that OPSEC to cut out potential malware strains or creepers messing w/ you. Do a DBAN nuke to the HDD if it has one and try to get in to HPA (I've found them locked before and I didn't do it...). Set a password for the HDD if you can and use it for backups via SATA-USB converter (handy), then set a PW in the BIOS too (I'd avoid UEFI for this PC[s]). Get a new HDD, repeat above, then put that in PC. Store those PW's on a slip of paper as backup and hide it well (book, notebooks, etc.), and keep encrypted flashdrive for daily use. Either buy CD kit of OpenBSD and put on your HDD (partition if you want too). Get another HDD and store an image of this. Practical and easy secure I/O is a fantasy, at least for me (don't know how the parsing software would work on *all* files), so I guess whatever software you want for that airgapped machine (probably just programming and encryption, maybe some design SW too). Remove wifi/BT cards if you can and optionally shield further for bonus points. Flash a separate router (you can get cheap ones) w/ open source firmware, set up VPN w/ tutorials available. Get another laptop for traditional internet using TAILS for lots of preinstalled goodness and memory wiping. Same procedures as above for cleaning it as best you can. Make use of NoScript, Wireshark, yatta yatta. If you don't use software for awhile, delete it.

So mostly software for average joe, malware can destroy all of it. Building a usable computer from scratch takes you out the average joe area. If you're interested but don't know how, ask. Once you see it's not that bad, then teach others and expand the security.

Clive RobinsonFebruary 23, 2015 4:14 PM

@ Grauhut,

What is the best we can offer today to Joe Average? What is best on the "better than nothing" side of the equation for use today?

The problem with joe average apart from his lack of skills is he does not want security he wants bells and baubles as cheap as possible, so does his boss and nearly every other boss. It's what the shareholders want, profit today hang security for another day when it makes what they consider "real" profit, not "sunk cost".

Have a read of the paper @Figureitout gave in [2] of his comment,

https://www.schneier.com/blog/archives/2015/02/friday_squid_bl_466.html#c6689833

It will tell you that what we can offer in increased security purchasers don't want... and investment in what users clearly don't want to buy is unlikely to be forthcoming, no matter how you talk it up. The reality is the only security that sells is the same two that were selling a quarter of a century ago "AV and Firewalls" and the vendors of these are in "cut to the bone" competition.

Yes we can offer a lot better but the reality is, even with a year of NSA and GCHQ revelations, it's only the "geeks" that want improvements, but they don't want to pay for it in any way that will show sufficient profit to make it worth while.

But when you remove the likes of the NSA from the equation it's not the hardware or OS that attackers are mainly exploiting. It's the presentation level apps of browsers, Email, and messaging, with flash, adobe, and their supporting programming languages such as java, javascript etc.

Thus a sensible first step would be making web and Email browsers more secure, it won't keep out the likes of the NSA but it will make the lives of petty cyber-crooks and data aggregators much harder. The current browser quality is such that you would think they were in bed with the crooks, aggregators and harlots at the NSA. However cleaning the browsers up will be a "Herculean task" of Augean Stables proportions and those behind the browser development have made it clear by their past behaviour that bells and baubles are what comes first each and every time...

The next step would be killing off meta data collection, the way to do this is with virtual networks designed for privacy. And by this I do not mean the abomination called ToR. I've made many comments in the past as to the failings of ToR as have others, but the ToR developers for some reason have stuck their fingers in their ears and gone "Nah nah nah nah...."

I could go on at considerable length, stripping the makeup off of the pig, but the simple fact is the entire Internet from the base protocols upwards needs cleaning up and securing, and we are way way beyond bolting anything else on. IPsec was and is an unusable mess with real question marks hanging over its security. And the powers behind the throne of the Internet have been infiltrated by the likes of the NSA.

For personal security, Joe can not buy unencumbered systems loaded down with crapware, and realistically Joe can not do what is required to evict even the easy stuff.

So realistically we need to throw Joe to the wolves as a sacrificial offering to keep them busy so that we can quietly build for us security from scratch more or less unnoticed by the powers that be. And hope that they will over step to the point where Joe and friends wake up and put their hand in their pocket and pull out hard cash to pay for security with sufficient profit it will change the current direction of the main ICT players.

Nick PFebruary 23, 2015 7:29 PM

High Assurance News Update: Covert Channel time

Research report: Covert Channels (2006)

A nice collection of various network channels and their properties. Makes for good starting material.

CLACK: A Network Covert Channel Based on Partial Acknowledgment Encoding (2009)

A reliable, TCP channel that leverages ACK's in a way that's harder to detect than prior work.

CoCo: coding-based covert timing channels for network flows (2011)

Abstract: "The CoCo covert channel modulates the covert message in the inter-packet delays of the network flows, while a coding algorithm is used to ensure the robustness of the covert message to different perturbations. The CoCo covert channel is adjustable: by adjusting certain parameters one can trade off different features of the covert channel, i.e., robustness, rate, and undetectability. By simulating the CoCo covert channel using different coding algorithms we show that CoCo improves the covert robustness as compared to the previous research, while being practically undetectable."

Implementation of a Covert Channel in the 802.11 Header

What it says in the title.

Analyzing Covert Channels on Mobile Devices (2012)

Looks at covert channels on Android devices, common countermeasures, problems with those, and stronger countermeasures.

A new covert channel over cellular network voice channel (2014)

Authors create and use a voice channel for proxied traffic, text message communications, and command-and-control.

PHY covert channels: can you see the idles? (2014)

A Layer 1, 1-10Gbps Ethernet covert channel that's undetectable by software, has 10-100Kbps bandwidth, and with a low error rate.

Towards a Systematic Study of the Covert Channel Attacks in Smartphones (2014)

What it says: a list of every covert channel in the literature for both hardware and software.

Conclusion

Data is slithering out of your devices in many more ways than people had 10 years ago. Happy hunting, defenders! ;)
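
Added example, not from any of the papers listed above, on the defender's side of the inter-packet-delay channels: a sender that encodes bits in packet gaps collapses the delay distribution onto a few values, so one cheap flow-level check is to quantise the gaps and flag flows whose distribution is far more concentrated than ordinary jitter. All timestamps are constructed, and the bin width and thresholds are assumptions tuned to this sample rather than calibrated values; a sender that adds enough jitter (the CoCo abstract's robustness/undetectability trade-off) would need a richer test.

```python
"""Flow-level check for inter-packet-delay modulation. A sender that encodes
bits in packet gaps collapses the delay distribution onto a few values, so the
check quantises delays and flags flows far more concentrated than ordinary
jitter. Packet timestamps are constructed; thresholds and bin width are
assumptions tuned to this sample, not calibrated values."""
import math
import random
from collections import Counter


def inter_packet_delays(timestamps):
    """Gaps between consecutive packets of one flow, in seconds."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def delay_features(delays, bin_width=0.005):
    """Quantise gaps into bins and measure how concentrated they are."""
    if len(delays) < 20:
        return None                      # too short to judge
    n = len(delays)
    bins = Counter(round(d / bin_width) for d in delays)
    entropy = -sum(c / n * math.log2(c / n) for c in bins.values())
    top2 = sum(c for _, c in bins.most_common(2)) / n
    return {"entropy_bits": entropy, "top2_mass": top2, "bins": len(bins)}


def classify(timestamps, max_entropy=2.0, min_top2=0.6):
    """Flag a flow whose gaps are low-entropy and dominated by two values."""
    feats = delay_features(inter_packet_delays(timestamps))
    if feats is None:
        return {"covert": False, "reason": "too few packets"}
    feats["covert"] = feats["entropy_bits"] < max_entropy and feats["top2_mass"] > min_top2
    return feats


# constructed sample flows
def normal_flow(n, rng, mean_delay=0.05):
    """Ordinary traffic: exponentially distributed gaps around mean_delay."""
    t, out = 0.0, [0.0]
    for _ in range(n - 1):
        t += rng.expovariate(1.0 / mean_delay)
        out.append(t)
    return out


def modulated_flow(bits, rng, zero=0.020, one=0.060, jitter=0.0005):
    """Gaps that carry one bit each: the pattern the check is meant to catch."""
    t, out = 0.0, [0.0]
    for b in bits:
        t += (one if b else zero) + rng.gauss(0.0, jitter)
        out.append(t)
    return out


def demo(seed=7, n=200):
    """Verdicts for one ordinary and one modulated flow of n packets."""
    rng = random.Random(seed)
    ordinary = classify(normal_flow(n, rng))["covert"]
    modulated = classify(modulated_flow([rng.randrange(2) for _ in range(n)], rng))["covert"]
    return ordinary, modulated


if __name__ == "__main__":
    print(demo())   # (False, True)
```

Run against real captures, the two features would be baselined per application protocol rather than fixed, since some legitimate traffic (keep-alives, polling clients) is also very regular and would otherwise trip the same check.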

name.withheld.for.obvious.reasonsFebruary 23, 2015 8:20 PM

@ Bruce Schneier

Glad to hear your voice during the interview of Rogers (NSA Director) but was sorely disappointed by the response--he didn't even bother to answer the question. His response essentially said we need to understand the problem and are not engaged in this or that. The question you asked was specific to economic impacts to domestic technology markets which he chose to completely ignore.

My issue, as reflected by statements made by Rogers holding out PPD 28 as authoritative, is it is NOT A LEGAL BASIS. There is no statutory or legislative authority, ANYWHERE, to support his supposition. More problematic, he doesn't speak at all to PPD 20 and the impact this has on the assurance and fidelity of our systems or data. We are engaged in the dismantling of the information age and transforming it into the dis-information (and knowledge is a threat) age.

WaelFebruary 23, 2015 9:59 PM

@Nick P,

Thank you! Always keeping us on our toes!
I read some of them…

Towards a Systematic Study of the Covert Channel Attacks in Smartphones (2014) […] What it says: a list of every covert channel in the literature for both hardware and software.

A list of every covert channel in 9 pages with introductions, fluff and all? I wasn't impressed with this one:

Phone Call Frequency Channel: Apps can place phone calls at a predetermined frequency to encode binary values. Colluding app having READ_PHONE_STATE permission can synchronously measure the call frequency by registering a receiver to a broadcast intent from TelephonyManager API informing of a change in call state [11]. Since both colluding apps require exact time synchronization, this is a timing channel.

They know how call setup works on mobile devices? Impractical!

PHY covert channels: can you see the idles? (2014)

Had a similar idea for CDMA almost 10 years ago. This one is short on details.

name.withheld.for.obvious.reasonsFebruary 23, 2015 10:09 PM

@ Clive Robinson

Thus a sensible first step would be making web and Email browsers more secure, it won't keep out the likes of the NSA but it will make the lives of petty cyber-crooks and data aggregators much harder. The current browser quality is such that you would think they were in bed with the crooks, aggregators and harlots at the NSA.

I agree and disagree with your comment(s). I'm concerned about the overt cultural issue that is reflected in the behavior of the U.S. hegemonic morons. The idiocy and lack of vision that is our system(s) and societal compacts are evidenced and apparent to many. There is little to assure the public that the actors with their hands on the wheel have any interest in doing the right thing. It is as though poor and feeble thinking is preferred and rational and well contemplated responses (not reactions) are a threat. We are being drowned in the noise of stupidity and will continue to suffer endlessly until the voices of reason can be heard.

ThothFebruary 24, 2015 12:47 AM

@Clive Robinson
Hopefully the 40 pages on the HaTCh hardware trojan catcher have something interesting especially the technique on counting circuitry wires to detect abnormalities.

Would the wire counting technique be a useful technique for keeping the honest, honest and to detect the dishonest if my understanding of the HaTCh is correct?

One method is for open source chip makers to publish the blueprint design of the circuitry in the public domain so that whoever buys a chip could effectively take the blueprint to create a "wire fingerprint" of the circuitry of the blueprint and use the wire counting method on the actual chip to generate the chip's "wire fingerprint". The blueprint's "wire fingerprint" could be checked against the actual chip's "wire fingerprint" to ensure the wires are correct. Too many wires would indicate possible backdoors and too few wires would trigger some kind of reduction of certain features.
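An added illustration of the blueprint-versus-chip comparison proposed above (this is not HaTCh, nor code from the paper or from anyone in this thread): both the published blueprint and the netlist recovered from the physical part are reduced to counts (distinct wires, gate count, gates per type) and diffed. Net names are deliberately not compared, since a netlist recovered from silicon has anonymous nets. The text netlist format and all three netlists are constructed for this example.

```python
"""Toy "wire fingerprint" check: compare a published blueprint against the
netlist recovered from a chip by counting wires and gates, not by names.
Netlist format and sample circuits are constructed for this example."""
from collections import Counter

# Constructed format: "<GATE> <in1> <in2> ... -> <out>", '#' starts a comment.
BLUEPRINT = """
XOR2 a b -> s      # half adder: sum
AND2 a b -> c      # half adder: carry
OR2  c en -> out   # carry gated by an enable line
"""

# Same function plus two inserted gates: a trigger and a payload that
# flips the carry when the trigger fires (constructed trojan-style edit).
TROJANED = """
XOR2 a b -> s
AND2 a b -> c
AND2 s en -> trig    # inserted: fires on one input combination
XOR2 c trig -> c2    # inserted: corrupts the carry when trig is high
OR2  c2 en -> out
"""

# Carry logic removed entirely (a "feature reduction" case).
REDUCED = """
XOR2 a b -> s
OR2  s en -> out
"""


def parse_netlist(text):
    """Return a list of (gate_type, inputs, output) tuples."""
    gates = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "->" not in line:
            raise ValueError(f"malformed netlist line: {raw!r}")
        lhs, out = line.split("->", 1)
        parts = lhs.split()
        gates.append((parts[0], tuple(parts[1:]), out.strip()))
    return gates


def fingerprint(gates):
    """Reduce a netlist to counts: distinct wires, gates, gates per type."""
    nets = set()
    per_type = Counter()
    for gate_type, inputs, out in gates:
        nets.update(inputs)
        nets.add(out)
        per_type[gate_type] += 1
    return {"wires": len(nets), "gates": len(gates), "per_type": dict(per_type)}


def compare(blueprint_fp, chip_fp):
    """Diff two fingerprints. Extra wires suggest inserted logic; fewer wires
    suggest removed features; an equal wire count can still hide a changed
    gate mix, so per-type deltas are reported as well."""
    delta_wires = chip_fp["wires"] - blueprint_fp["wires"]
    delta_gates = chip_fp["gates"] - blueprint_fp["gates"]
    types = set(blueprint_fp["per_type"]) | set(chip_fp["per_type"])
    per_type_delta = {}
    for t in sorted(types):
        d = chip_fp["per_type"].get(t, 0) - blueprint_fp["per_type"].get(t, 0)
        if d:
            per_type_delta[t] = d
    if delta_wires > 0:
        verdict = "extra wires: possible inserted logic"
    elif delta_wires < 0:
        verdict = "fewer wires: features missing"
    elif delta_gates or per_type_delta:
        verdict = "same wire count but gate mix differs"
    else:
        verdict = "match"
    return {"delta_wires": delta_wires, "delta_gates": delta_gates,
            "per_type_delta": per_type_delta, "verdict": verdict}


def check(blueprint_text, chip_text):
    """Convenience wrapper: parse both netlists and compare fingerprints."""
    return compare(fingerprint(parse_netlist(blueprint_text)),
                   fingerprint(parse_netlist(chip_text)))


if __name__ == "__main__":
    for label, chip in (("identical", BLUEPRINT), ("trojaned", TROJANED),
                        ("reduced", REDUCED)):
        print(label, check(BLUEPRINT, chip))
```

A pure wire count is a weak test on its own: inserted logic that only re-purposes existing nets, or a change that trades one gate for another, leaves the count unchanged, which is why the gate-type deltas are carried alongside it. It also says nothing about where the difference sits, so a mismatch is a reason to look closer, not a diagnosis.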

LeeFebruary 24, 2015 8:01 AM

The hats in this room are shaded. Imbued with a feeling of melancholy, soaked in the scene's monochromatic madness, I can only dream of a kaleidoscopic cacophony.

CallMeLateForSupperFebruary 24, 2015 1:01 PM

@name.withheld.for.obvious.reasons
"[Adm. Rodgers] didn't even bother to answer the question."

His was the common, disingenuous, frustrating "non-answer answer", a parry to a question one does not want to answer. For example, your admonishment to a child, "Did you clean your room? It's still a mess", might be parried with, "So you would do it differently." While there was a verbal response (he knows that silence isn't an option), it was neutral on the question of whether any cleaning had been done.

Sometimes the person on the hot seat doesn't just want to avoid answering a specific question, he wants to derail the entire line of questioning on which the specific question lies, because entertaining the line of questioning presents the danger of exposing a greater transgression. He might ask and immediately answer a question he would rather have been asked, either one that appears - superficially, at least - to head in the same direction or one that abandons all pretext and overtly steers the conversation in a different direction. Former advisor Rice's overused and tattered "... move forward, not backward" is a good example of the latter. (Whoever led Obama to utter that line deserves a head-slap.)

If the person on the hot seat either feels he cannot shake dogged pursuit or simply decides to wimp out, he can try the rope-a-dope: reply to each subsequent, re-worded query with his non-answer answer. Rodgers did this as well in that interview, to wit: "I think we can work our way through this." ... "I said I think we can work our way through this." ...

TLA suits have an additional, very effective mechanism for shutting down a line of discourse. We know it well: taking refuge behind "national security".

As an aside, I'm not sure about what to make of Rodger's statement, “[Snowden revelations] has had a material impact on our ability to generate insights as to what terrorist groups around the world are doing,” I know that "impact" has reigned as the new "effect" for decades (go figure), so could he have said "material effect" instead? No matter; neither says anything. (Nor does "immaterial effect".) Maybe he meant "... revelations have *degraded* (or neutered?) our ability..." Naw. If he meant that he would have said that.

Clive RobinsonFebruary 24, 2015 4:41 PM

This is a totally bad idea...

The toy maker Mattel has made a high tech Barbie Doll that listens to your child and sends their words over WiFi back to Mattel, where a computer will send an appropriate voice message back. In effect your child forms a bond with Mattel's computer system...

http://www.theregister.co.uk/2015/02/19/hello_barbie/

How long before some creepy type works out how to hack it so they can act as the computer and abuse the trust your child has placed in it...

Can somebody give me a good reason why this idea was not strangled at birth, it's the sort of access the likes of Stalin and other psychos could only have dreamed about.

Nick PFebruary 24, 2015 4:52 PM

New, awesome, open-source processor

A 45nm 1.3GHz 16.7 Double-Precision GFLOPS/W RISC-V Processor with Vector Accelerators

Abstract: "A 64-bit dual-core RISC-V processor with vector accelerators has been fabricated in a 45 nm SOI process. This is the first dual-core processor to implement the open-source
RISC-V ISA designed at the University of California, Berkeley. In a standard 40 nm process, the RISC-V scalar core scores 10% higher in DMIPS/MHz than the Cortex-A5, ARM’s comparable single-issue in-order scalar core, and is 49% more area-efficient. To demonstrate the extensibility of the RISC-V ISA, we integrate a custom vector accelerator alongside each single-issue in-order scalar core. The vector accelerator is 1.8x more energy-efficient than the IBM Blue Gene/Q processor, and 2.6x more than the IBM Cell processor, both fabricated in the same process. The dual-core RISC-V processor achieves maximum clock frequency of 1.3 GHz at 1.2 V and peak energy efficiency of 16.7 double-precision GFLOPS/W at 0.65 V with an area of 3 mm^2."

Source code was open-sourced here for use in FPGA's or ASIC's. Runs Linux already.

Cavium ThunderX ARM processors

Meanwhile, over at Cavium (of Octeon MIPS fame), they've gotten their ARM SOC's up to 48 cores at 2.5GHz each! Those aren't multicores: they're monsters! Supports up to 1TB addressable memory with "hundreds of gigabits of I/O." If they're affordable, I think I just found a nice alternative to Intel and AMD for desktops. ;)

JacobFebruary 25, 2015 6:06 AM

@nick. Thanks! Processors using open source is exactly one of the things I would look for in a computer design with security as a goal. Microcode is something I have talked about for years as a risk. Combine with a change in OS design. I have wondered if old tech such as prom, or a physical switch, etc. For firmware. It is mentioned here.

http://www.wired.com/2015/02/firmware-vulnerable-hacking-can-done/#disqus_thread

I might be willing to soldier new chips occasionally but there are too many devices with firmware in a typical house. I would rather not play deadpool to my wife's hacked decepticon Keuric. Firmware fear should be Balanced with that not many people warrant, pun intended, that kind of attention. Bruce might be one, but mass gathering of data and hackers retooling give me pause. Bad guys will seek money if the incentives are right, such as Bitcoin theft and insurance companies. Theft might involve billing for scooters, oh sorry knee braces. They are the new flavor for ads now a days. ;)

Maybe we need some security experts publish something as a joint effort for a possible solution to state players or large criminal organization. I am not saying they are the same, just same risk. I have no problem with info/warrant but the mass gathering. I question its usefulness and believe info is always used by governments or companies but am willing to be persuaded otherwise. Anonymous info is constantly being unmasked by clever people.

What are your views on monetization of info? I view it as a Ponzi scheme house of cards ready to collapse. Similar to derivatives, selling and reselling the same info. Lenovo, Google, Facebook all trying to sell me socks.

Clive RobinsonFebruary 25, 2015 8:57 AM

@ Jacob,

First off I'm a little abnormal in that I don't have a "burnt bean" coffee addiction and I'm not up on the latest US kitchen gadgets for an "inster-uber-hit" of "brain-burn-jolt-caffe" so I had no idea what a "decepticon Keurig" was :-/

But yes "white goods" from your "lecy toothbrush" upwards are joining the "Internet of Stupid" via WiFi or Bluetooth, sometimes purely to push advertising etc, but you have to wonder if they are doing an "ET". Such is the hell of the ten cent WiFi chip in the hands of faux engineers whipped by marketing pervs in a desire for no-cost adds-everywhere world where no doubt even s3x toys will be eventually chipped for that enriched "user experience".

But worse neither WiFi or Bluetooth are one way, and the desire to get to no-cost or consumer-pays advertising means security is a cost too far... Which means that they almost certainly will be eminently crackable, not just by researchers but any half brained ill intentioned knuckle dragger looking for kicks or worse.

So unfortunately it's not the IC/LEOs you need to worry about, everybody warrants attention depending on the knuckle draggers chosen victim type.

Further it will not be long before various political idiots wake up to the fact that prisons are expensive, and the tax pot is not bottomless. Thus expect to see an increase in profitable "automated fines"[1] as a way to initially "offset" prison costs and later become a replacement for direct taxation as those who wish to bribe the electorate into voting for them offer "tax breaks" as well as being "tough on crime". These "Internet of Stupid" devices will become a very cheap way of Policing for such fines... We've seen the start of this with Insurance companies putting sensors in peoples cars in return for limited discounts, it will not be long before "health monitoring devices" will become mandatory to ensure you are entitled to "healthy life style" reductions in health care insurance...

As for legally issued warrants for information access by the IC/LEOs I'm very much against it for a variety of reasons. And no I'm not just talking about the lamentably poor oversight and lack of accountability of LEOs when they make misrepresentations to obtain one. It's the hidden nature of it, back a few years ago when information was on paper "out of sight" and often behind locked doors, closed / locked drawers, cupboards and filing cabinets. An agent would have to very visibly come and take them away, thus the person subject to the warrant knew what had been taken and could start legal proceedings where required and expose the misrepresentation by agents to the judiciary and seek redress. Now the agent can lie to their hearts content, and even if a judge calls them on it they don't get comeback, so there is no disincentive to the IC/LEO agents telling all sorts of lies to get access to your "private papers" in electronic form. Then there is also the question of having got "invisible access" what else they might do to "over egg the pudding" to meet their "prosecution quota". The FBI have been caught providing false information by falsifying how web pages supposedly looked and then giving them to other nations LEO's as "factual evidence" to assist in prosecutions. This has resulted in several people committing suicide, accused of crimes they may well not have committed but cannot find evidence to show they are innocent and others with their good names destroyed and their lives shattered even when they could prove they were innocent [2].

As for the monetarisation of information, marketing and advertising is the largest industry in the world, it makes the defense budgets of nearly every nation look small in comparison. As you are probably aware there is no hard evidence that advertising and marketing actually recovers the money spent on it, it boils down to whose "cherry picked" figures you find most credible. Likewise there is little evidence that "brand power" exists in the minds of consumers, there is more evidence that a higher price has more effect in most peoples minds, and that this over rules their taste buds and other physical senses. But newer evidence suggests that in those with "excess income" it's not the actual cost but the scarcity such high costs produce, and therefore the effect a product has in rubbing other peoples noses in it, more politely called "visible consumption status", it's the big reason we buy fakes... So the information "ponzi game" long predates the current "grab it all" mentality over personal data... It's when all said and done a "tulip bulb market", which has status as its driver, and apparently unlike any other "bubble market" an ability to inflate beyond the usual finite limits...

[1] Oh and for those who can not pay such fines the modern equivalent of the "poor house" or "labour camp". In the UK David Cameron PM is already talking about "social work for social payment" for the young. That is for the small payment they get for not being able to find work they will be made to work long hours for nothing on top of the requirement to show they are spending at least twenty hours a week looking for work... The end result will be that existing jobs will go to make way for these "social slaves" and those who would have otherwise paid a worker will get one for free or fairly quickly for a small payment. The result of this is unskilled jobs will disappear as increasing numbers of "social slaves" need to be employed. Needless to say it will destroy the economy in the long term, whilst in the short term the Gov books will not balance again, so on the spiral will go.

[2] Briefly cyber-crooks used modified payment card terminals in a major UK supermarket to steal peoples credit card details. These details were then used by other crooks in the Far East to make false charges for porn of various kinds via a US front web site. The FBI falsified details of the US web site and apparently also the services the people were falsely subscribed to by the crooks. This started to unravel for the UK Met Police and the FBI when one accused but innocent person could show it was not possible for them to be the person using their CC details because they were flying on a long haul flight and back then there were no in flight phones or Internet. Oh and the people who were making the false evidence and arrests, walked away to better jobs etc, leaving behind the falsely accused with shattered lives...

ThothFebruary 25, 2015 8:47 PM

@Clive Robinson
A nicely written article. Don't mind if I were to quote from it as I am planning to write something close to that topic.

JacobFebruary 26, 2015 3:56 AM

@clive @nick

Funny. I am more a moka pot kind of guy. A habit I have been unable to break from my service days.

I am waiting for the networked Samsung t.v that will connect all the penny chipped devices and send the info out the network or by cellular chip.

Agreed on the prison and money models. Prisons here can be owned by corporations not the state or Feds in all cases. Chicago recently got busted for a black prison site. Prisoners are charged for phone calls, medical, etc. The commissary is a quite profitable endeavor that may be contracted out. All these contracts are bid, won, and awarded with giving the government a cut of the money. Add to that the "debtor prison" perversion of the court system that is bubbling up and there are some real problems hitting news and blog sites.

Governments are looking for money anywhere they can get it. Raising taxes is bad, so sneaky and fines are enacted. Combined with last paragraph the rich are fine, poor are screwed and middle class are one adverse action from losing everything. Oh, law enforcement civil forfeiture and no knock warrants just to make the modern society interaction lottery more interesting......I hasten to add I am basically optimistic about any of these problems. Given time it tends to sort itself out. Just painful until then.

The fuzziness of evidence in the digital age add even more to the unease. I wonder which will win, weariness or cynicism? Or anger?

As a severely disabled vet I might appreciate some visitors, but I doubt they would be pleasant company. I hate this kind of weather. No grippy surfaces with this damn ice and snow means I am housebound for now.

I have had an idea for a long time. Wounded warriors want to be productive, have goals, etc. And would serve if they could. Every time I see a story about shortage of IT security personnel I practically yell. Somebody, anybody give these people training. It won't cost much. Personally I like giac. Yes, I know Bruce's and others views on certs. Some vets can do more than others. Volunteers. They could serve the country again and companies and government could have more eyes looking at things with a little oversight. And writing more secured code. They could work at home for crying out loud. They are disciplined, willing, and used to structure. Being adrift is the worst feeling for them. Hard is ok if with purpose. Ok rant over.

Btw as for myself I am saving for giac certs for the materials and having someone make me a computer repair workbench of my dreams. I am going to tinker. :) I will be set! The reason I mention my idea in the last paragraph is maybe some people will think about the waste in lives and teachable skills that could fix at least some wrong and pain that is out there. Just my view and I do think I am "qualified" to state my view. ;) inside joke that ties in to recent military story of you guys.

If you are where I think you are....have some real fish and chips on me. One of these days I am going to do a "Hawkeye and ribs" delivery to myself stateside. ;)

Nick PFebruary 26, 2015 12:53 PM

re backdoors in U.S. products

There's obviously a lot of opinions floating around on the topic. I say we just ask the NSA's top tier (ECI-classified). Let's go back to the Core Secrets document to see what it says about "SIGINT enabling" (aka backdoors) in U.S. products. I'm also going to substitute "backdoor adding" for "SIGINT-enabling" to remove the effect of double speak on people's minds.

p7

Public (Unclassified): "Fact that NSA/CSS works with U.S. industry in the conduct of its cryptologic missions."

Public: "Fact that NSA/CSS works with U.S. industry as technical advisors regarding cryptologic products."

With Top Secret clearance, the document transforms to say:

TS/SI: "Fact that NSA/CSS conducts backdoor adding programs and related operations with U.S. industry."

TS/SI with no foreigners allowed: "Fact that NSA/CSS has FISA operations with U.S. commercial industry elements."

With Core Secrets (above TS) clearance, the document transforms to say:

TS/SI/ECI: "Fact that NSA/CSS works with and has contractual relationships with specific named U.S. commercial entities (A/B/C) to conduct backdoor adding programs and operations.

TS/SI/ECI: "Fact that NSA/CSS works with specific foreign partners (X/Y/Z) and foreign commercial industry entities (M/N/O) and operational details (devices/products) to make them exploitable for SIGINT."

See the deception? The public statement makes you think NSA is helping companies improve security. With Top Secret clearance, you know they're trying to get them to weaken security with backdoors. With ECI clearance, you learn they have contractual agreements with U.S. firms and foreign partnerships to weaken the products. Moving on.

p 9

Public: "Fact that NSA/CSS exploits foreign ciphers"

TS/SI/ECI: "Fact that NSA/CSS works with specific U.S. commercial entities (A/B/C) to modify U.S. manufactured encryption systems to make them exploitable for SIGINT."

Quite the difference there, eh?

In the WhipGenie doc, they add these:

p 4

"The fact that NSA and corporate partners are involved in backdoor-adding "cooperative efforts" with reference to ECI WHIPGENIE [program]."

"The fact that the FBI provides assistance with compelled and cooperative partnerships associated with WHIPGENIE."

Note: The WHIPGENIE program repeatedly references FISA access, as that's what *it* is about.

Then, there's the BULLRUN program that said this:

TS/SI/NoForeigners: "The Backdoor Adding Project actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs. These design changes make the systems in question exploitable through SIGINT collection (eg. endpoint, midpoint, etc.) with foreknowledge of the modification. To the consumer and other adversaries, however, the system's security remains intact."

Note: That's about the very definition of a subversion attack. The original and definitive paper on that subject is here.

TS/SI/ReltoUSA: "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets.

Note: Previous quotes indicate they do this by targeting manufacturers (eg Gemalto hit) and by use of TAREX teams against specific targets (eg implants).

TS/SI/ReltoUSA: "Influence policies, standards, and specifications of commercial public key technologies."

Note: That the purpose of the program is creating backdoors indicates this influence can only be about weakening them.

Conclusion

1. The NSA aims to subvert products, insert vulnerabilities into the whole of IT infrastructure, and weaken public standards for defending us.

2. They have contracts with specific U.S. and foreign partners to backdoor their systems.

3. They try to bribe others to get them to do the same.

4. The FBI compels others (somehow) in the U.S. to do this.

5. They lie about this publicly and require personnel in the project to do the same.

6. Even most people with Top Secret clearance weren't cleared to know this.

7. The risk of being forced to assist is unknown given it's done with secret courts, law interpretations, and programs. NSA spokesperson once said people would've gone to prison if they didn't comply and do so quietly.

What to do?

Other leaks indicate Switzerland and Iceland weren't cooperating. Neither are currently allowing NSA-style surveillance. Iceland has no export controls on crypto: ideal for development of such things. Switzerland has export controls and warranted eavesdropping, but also has strong protections of citizens while rarely using eavesdropping. Both have good Internet connectivity. Businesses and individuals wanting to avoid being "compelled" into supporting NSA/FBI/CIA's surveillance dragnet are better off locating there.

Of course, once there, you will be subjected to targeted attacks approved for foreign companies. You will need to use SAP-style security to protect yourself. Companies and governments are best off pooling resources to vet various I.P. and open source solutions for their critical infrastructure. The best ROI is investing in security-enabling processors, I/O, firmware, and software TCB. Most of the business logic and major software can then be integrated with these to prevent rewriting everything. Over time, more secure replacements will be built and integrated into these platforms. That's the easiest route for the INFOSEC part of the problem.

gordoFebruary 26, 2015 1:35 PM

NIST outlines guidance for security of copiers, scanners
By GCN Staff Feb 25, 2015

The National Institute of Standards and Technology announced its internal report 8023: Risk Management for Replication Devices is now available.


The guidance covers protecting the information processed, stored or transmitted on replication devices (RDs), which are devices that copy, print or scan documents, images or objects. Because today’s RDs have the characteristics of computing devices (storage, operating systems, CPUs and networking) they are vulnerable to a number of exploits, NIST said.

http://gcn.com/articles/2015/02/25/nist-replication-device-security.aspx


NISTIR 8023: Risk Management for Replication Devices
Kelley Dempsey, Celia Paulsen
Computer Security Division, Information Technology Laboratory, NIST
February 2015

http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8023.pdf

vas pupFebruary 26, 2015 3:23 PM

For all respected bloggers: those are some quotes of ancient wisdom related and applied to subject matter of this blog

On security, privacy, risk:
“The beginning of wisdom is to call things by their proper name.”
― Confucius

On LEAs using powerful tools to fight petty offenses:
“Don't use cannon to kill mosquito.”
― Confucius

On responding on cyber attacks:
“Return good for good; return evil with justice.”
― Confucius

On living in police state:
“As the water shapes itself to the vessel that contains it, so a wise man adapts himself to circumstances.”
― Confucius

On roots of security professionalism:
“Imagination is more important than knowledge.”
― Confucius

On social media usage:
“Conduct thyself always with the same prudence as though thou wert observed by ten eyes and pointed at by ten fingers”
― Confucius

On vague laws:
“You can force the people to obey; you cannot force them to understand.”
― Confucius

Nick PFebruary 26, 2015 6:40 PM

@ vas pup

I like those. :)

@ Jacob

Just saw your comment.

"Microcode is something I have talked about for years as a risk."

It's a risk and a benefit. Microcode lets you change ISA's and programming model without swapping out hardware. It also lets you swap out hardware without changing the ISA's and programming model. Intel and IBM have used the latter with great competitive advantage for years. Other uses of it are accelerating key routines, secure ISA's, and even atomic operations for transactions. Many cool things you can do with microcode. Issue is to ensure the microcode is open for review and have safe update mechanism (pref. a physical switch).

"I might be willing to soldier new chips occasionally but there are too many devices with firmware in a typical house. I would rather not play deadpool to my wife's hacked decepticon Keuric."

Haha that's funny. I typically buy simple things with that being one reason. The better reason is old stuff, esp appliances, works *way* more reliably. My 20 yr old washer died a few months ago and I bought a 10yr old replacement that's got all the features I need. My cars have been from the 90's where there was tech but they weren't going crazy with it. Weird to think there might be a market for "privacy-preserving cars" in near future. If I got more money, I'd probably just buy and slightly modernize a Corvette Stingray or something. ;)

"What are your views on monetization of info? I view it as a Ponzi scheme house of cards ready to collapse. Similar to derivatives, selling and reselling the same info. Lenovo, Google, Facebook all trying to sell me socks. "

It's a strange market. It's the one that makes some companies millions to billions while saying the value of a given piece of information is almost nothing. The old Internet advertising model crashed due to user desensitization. So, the new (successful) model is in bulk collection for targeted ads. I doubt it will collapse: just transform in many different ways like other experimental industries. There's even a strong case against collapse: companies will always pay for ways to push their message into people's minds and the "free" services make for great bait. It's a necessity market for businesses.

Funny thing is, the Dot Com era was exactly what you're concerned about. There was a huge bubble of investment into all kinds of firms offering *paid* technology products, services, and content. That went poof with especially few survivors in paid Internet content. Many of the survivors, including Tripod, were using ad-driven income while looking for their paid model. So, the proven model is, so far, to trust advertisers (and government snoops) instead of users if one wants a bankroll. People fight uphill battles trying to do the alternative, esp with people wanting $1 apps & $20/mo unlimited video.

Note: I recently looked at Yahoo's Financials to try to guess what a competitive, online search provider (without advertising) might cost to build. It's a bit opaque as I couldn't isolate search by itself. Yet, their costs for apps, connectivity and equipment were several hundred million a year. That's over a million a day. Google, Yahoo, and Bing aren't getting replaced anytime soon...

"I have had an idea for a long time. Wounded warriors want to be productive, have goals, etc. And would serve if they could. Every time I see a story about shortage of IT security personnel I practically yell. Somebody, anybody give these people training. It won't cost much. Personally I like giac. "

It's a good idea. GIAC is my favorite, too, if you add the hands-on testing ("challenge") option. Very practical compared to the exam cram that is CISSP. The vets concept is one route but I got a better one: turn some of that pork funding into increasing assurance of our stuff. DOD comes to mind. So much of it just to bring money or jobs to the district. Well, give them some jobs that *actually benefit us* esp INFOSEC. Then, I won't mind the waste as much. Likewise, could throw that money at employing wounded vets as INFOSEC contractors.

"inside joke that ties in to recent military story of you guys."

What was that story again?

"If you are where I think you are....have some real fish and chips on me. One of these days I am going to do a "Hawkeye and ribs" delivery to myself stateside. ;)"

I'm in the Mid-South currently. Dodging this slippery ice. Fortunately, the second round of snow didn't seem to ice over. If you're nearby, I might pay you a visit once I get better cash flow and/or more reliable transportation. No promises on how soon or far that is in the future.

JacobFebruary 26, 2015 8:35 PM

@nick
Yes I agree on benefits of microcode and need for openness. The lack of openness leaves a window for exploitation.

Our washer lasted 25. I'm less hopeful for the new one. I prefer the older stuff too. One of my brothers is restoring a 77 Monte for me. I think I have a solution for doors. Those doors are as heavy as hell. I don't think anyone will be able to hack that car. :)

Yes, I see your point on advertising on info. I do view it similar to the dot com mess and combine it with the fickleness of the public. They are depending on the pervasive deployment to protect them, but the public can turn on them. The Ponzi can collapse at least to me.

That is exactly what I was talking about with vets. If not free a little extra money would help them along with the sense of purpose. Even minimum wage would help if their other pay was left alone. But sadly they just keep messing with vets. They are talking now about taking tricare away from us. And VA has problems. Although I hasten to add my doctors and Richmond VA are really good and responsive. I have been in the system for 22 yrs. I am alright but if anybody reads this that can help the young vets, please do. It saddens me to see the younger vets with kids. They need help. I can assure them that it is a long road but you can still accomplish things. Effort expended for goals can be its own reward.

I like giac for those very reasons. I want the materials, the test and cert is a bonus.
It was the submarine one. I qualified in mid 80s.

Absolutely. I love Starbucks! I am in Virginia. And I sympathise on the money thing. Things will be straight this summer. With 17 fused/unstable vertebra, along with knees, hips, shoulders and ribs I am rather fearful of falls and car wrecks. Hands and brain are good. Well mostly;) Lolol

The only reason I am saying any of this is that the younger vets need the kind of help you and I are discussing. I am doing "ok". But if I think they need help, it is bad for them. Offering vets work in a warehouse is doing nothing for the disabled ones. It is time to give them a way that they can do. Period, past due.

I have 6 inches of snow here. Makes for a nice picture but I am over it. Take care and talk to you soon.

ThothFebruary 26, 2015 11:52 PM

@Mark Edgar
Have you approached any whistle-blowing organisations to talk about your encounter since you seem to have a desire to announce something?

ThothFebruary 26, 2015 11:56 PM

@vas pup
Nice quotes from Confucius but sadly he was made use of when alive and dead and up till these days, his philosophy being twisted and used in a hypocritical manner has benefited those who seek to control others.

JacobFebruary 27, 2015 1:12 AM

@vas pup
One of my favorite quotes is from Andromeda series.

"Those who fail to learn history
are doomed to repeat it;
those who fail to learn history correctly--
why they are simply doomed."

I really appreciate the sentiment. Many think they know history, but they don't really understand it. Myself included, every time I read history. There is always more to consider.

BoppingAround, February 27, 2015 9:18 AM

Nick P,
> Weird to think there might be a market for "privacy-preserving cars" in near future.
How high are the chances for self-driving cars and the driving data exchange grid to take off?
If it did, I'd assume manned cars to be obsolete after a short while. I don't think the chances are high though. Not with our 'security'. However...

Skeptical, February 27, 2015 1:33 PM

@Nick:

Your analytical capabilities are being led astray by false assumptions. I'll go into a little detail below, but in general you're reading way too much into the document. The purpose of the document - and a draft document at that, with various inaccuracies and imprecise wording that anyone with public knowledge can spot, so who knows how it may otherwise be misleading - is to describe what general categories of facts (facts) are classified at what level.

The document does not contain or describe an entire OPSEC program. It does not provide a deception or disinformation plan, i.e. it does not provide, and is clearly not intended to provide, a briefing regarding a "cover" story for anything. So your interpretation of the (U)nclassified facts as deception operations is way, way off. It would make zero sense to brief a deception operation in this fashion.

Let's start with the "Fact of" classifications. The different tiers don't designate different stories or levels of deception. Each of the tiers refers to facts. The difference lies in the additional information one learns as one moves through those tiers.

The "Public" level of "Fact of" classification isn't in contradiction with more classified facts. A cover story isn't going to receive a "Fact of" classification (unless it is identified as a cover story, e.g. "The fact that the claim of Government A's non-involvement is part of a deception operation.")

For example:

Public (Unclassified): "Fact that NSA/CSS works with U.S. industry in the conduct of its cryptologic missions."

This is a broad statement that is consistent with anything from "NSA talks with US industry about cryptology" to "NSA tortures US industry personnel with the cooperation of their employers to enable the insertion of backdoors."

It is classified as public precisely because it is so remarkably general and vague. The only statement that would contradict it would be "The NSA/CSS does NOT work with the U.S. industry in the conduct of its cryptologic missions."

Nonetheless you write the rest of your post as though higher levels of classification are altering that statement. They don't. Instead the statements of higher classification provide more information as to methods - and even then, they're still quite general and vague.

I'm also going to substitute "backdoor adding" for "SIGINT-enabling" to remove the effect of double speak on people's minds.

I don't need to tell someone who knows as much about security as you do that a wiretap order is SIGINT-enabling, Nick, as is placing a listening device inside a person's home. All you're doing here is confusing matters by narrowing what is a very broad term. Adding "backdoors" is one way to enable SIGINT collection. It's not the only way, and you'll misunderstand the document if you read it that way. So in this case you're actually allowing your desired conclusion (that this document shows the FBI can compel Intel and AMD to add backdoors) to shape your assumptions.

So: TS/SI: "Fact that NSA/CSS conducts SIGINT-enabling programs and related operations with U.S. industry."

does not reduce to:

TS/SI: "Fact that NSA/CSS conducts backdoor adding programs and related operations with U.S. industry."

See the deception? The public statement makes you think NSA is helping companies improve security.

The NSA's cryptologic missions, last time I checked, include decryption, Nick. So the public statement doesn't imply that all the NSA is doing is improving private security.

Here's another example you give:

Public: "Fact that NSA/CSS exploits foreign ciphers"

TS/SI/ECI: "Fact that NSA/CSS works with specific U.S. commercial entities (A/B/C) to modify U.S. manufactured encryption systems to make them exploitable for SIGINT."

Quite the difference there, eh?

The statements don't contradict one another.

You also seem to believe that the latter statement must refer to some modification of an entire product line, whereas the far more likely interpretation is that it refers to targeted operations.

Much of what the NSA does is in fact targeted. Interpreting every reference to cooperation as necessarily involving mass surveillance is a huge mistake.

7. The risk of being forced to assist is unknown given it's done with secret courts, law interpretations, and programs. NSA spokesperson once said people would've gone to prison if they didn't comply and do so quietly.

No, any competent attorney in this area can describe your risk to you.

For example, the Tor Project, last I checked, uses some very competent attorneys - and they don't think that the Tor Project can be legally compelled to insert backdoors or compromise their product.

Other leaks indicate Switzerland and Iceland weren't cooperating. Neither are currently allowing NSA-style surveillance. Iceland has no export controls on crypto: ideal for development of such things. Switzerland has export controls and warranted eavesdropping, but also has strong protections of citizens while rarely using eavesdropping. Both have good Internet connectivity. Businesses and individuals wanting to avoid being "compelled" into supporting NSA/FBI/CIA's surveillance dragnet are better off locating there.

As to the Swiss, how much do you know about their security services or laws, Nick?

As to Iceland, it's certainly a fine place to do business. Is it better than the US? If the concern were only the law and security, my answer would be no. At best it's equivalent, and is actually probably somewhat inferior in that it lacks the protections that derive from operating inside the US.

The best ROI is investing in security-enabling processors, I/O, firmware, and software TCB. Most of the business logic and major software can then be integrated with these to prevent rewriting everything. Over time, more secure replacements will be built and integrated into these platforms. That's the easiest route for the INFOSEC part of the problem.

I agree with you that integrating security with existing equipment that is important to productivity is key.

Nick P, February 27, 2015 11:48 PM

@ Skeptical

"The document does not contain or describe an entire OPSEC program. It does not provide a deception or disinformation plan, i.e. it does not provide, and is clearly not intended to provide, a briefing regarding a "cover" story for anything. So your interpretation of the (U)nclassified facts as deception operations is way, way off. It would make zero sense to brief a deception operation in this fashion."

It's actually a set of documents of various programs presenting different facts about those programs, NSA capabilities, and NSA goals. Far as deception, I'm not saying it's a "deception operation." I'm saying there's the real capabilities they have at the highest level, then they water that down (or even totally contradict it) in presentations to lower levels. Their SAP security guidelines also allow misleading people not cleared for programs to protect secrecy of their capabilities. That a public document on their security approach endorses deception, even fake addresses, shows it's considered a routine and necessary part of how they do stuff. Sensible, too, except when it's used to mislead America about what they're doing... to Americans.

"The "Public" level of "Fact of" classification isn't in contradiction with more classified facts. A cover story isn't going to receive a "Fact of" classification (unless it is identified as a cover story, e.g. "The fact that the claim of Government A's non-involvement is part of a deception operation.""

Good point. Might have gone overboard with that. They actually do both: use higher levels to add information; lie in lower levels as evidenced by contradictory truth in higher levels. There's examples of both in the referenced documents. I've given many more in my posts on contradictions in public statements of intent/capabilities vs what's in Snowden leaks.

"The "Public" level of "Fact of" classification isn't in contradiction with more classified facts. A cover story isn't going to receive a "Fact of" classification (unless it is identified as a cover story, e.g. "The fact that the claim of Government A's non-involvement is part of a deception operation.""

I could've added more detail, there. The NSA promoted themselves as working with industry to improve security/crypto and using sophisticated methods to break foreign crypto. The public statement is intentionally vague. People reading it would assume it was consistent with other public statements, esp from IAD. Yet, we find through BULLRUN and other programs that they almost exclusively work to introduce vulnerabilities and backdoors into American crypto. Totally opposite of what they were telling Americans and the public version of that document.

"a wiretap order is SIGINT-enabling, Nick, as is placing a listening device inside a person's home. All you're doing here is confusing matters by narrowing what is a very broad term. "

I'm not really. What's happening is the NSA has added new issues to what was simple. Before the leaks, people thought the law said the government could force *carriers* to add L.I. or bug specific people in service of a warrant. Likewise, they could do searches of property or computers for data with a warrant. DOD's and DOC's official policy was also to encourage strong crypto while focusing remaining regulation on encryption.

Now, the documents don't say "force carriers to implement L.I./SIGINT-enabling or develop implants for executing warranted bugging." Instead, they talk of mandating backdoors in U.S./foreign encryption products or inserting vulnerabilities in the entirety of IT infrastructure. Each of these gives them a backdoor into the system. That's very broad and the number of categories they named off should make *every* producer concerned.

"The NSA's cryptologic missions, last time I checked, includes decryption Nick."

You're confusing mechanism with policy. Common even among security professionals. The mechanism is how they get the information or put information into the system. The policy is how they use the mechanism. Their mission, both overt and covert, drives the policies. The mechanism is typically eavesdropping and/or a backdoor of sorts. Backdoor might be inserted with malware attack, subversion, implants, and so on. If they can force software developers to add backdoors, then the result is consistent with my post. From there, they can do whatever they want with it and nobody will know. Policy enforcement is a matter of faith with their level of secrecy.

"The statements don't contradict one another.
You also seem to believe that the latter statement must refer to some modification of an entire product line, whereas the far more likely interpretation is that it refers to targeted operations."

Similar to the other quote, they do in the context of what the NSA tells the public and lawmakers. Nobody except the paranoid thought they were weakening *our* stuff. They were around to subvert enemy's stuff. A ton more clearance, you find they're hitting our stuff. Quite a contradiction in perception and deliberate: their success increased the more people trusted our stuff. After the leaks, the opposite effect occurred.

"Much of what the NSA does is in fact targeted. Interpreting every reference to cooperation as necessarily involving mass surveillance is a huge mistake. "

The documents collectively indicate they target both companies and individual products. That's not an assumption: they straight up say it in the most sensitive leaks. The thing you're missing is that most U.S. software vendors don't sell directly to consumers: they sell to distributors and resellers that sell to consumers. If they get a company to do SIGINT-enabling, they must be doing it at the product level and that necessarily affects all customers. They already did this with RSA and Microsoft's NSAKEY. The subversion was in the product for all customers to have.

"For example, the Tor Project, last I checked, uses some very competent attorneys - and they don't think that the Tor Project can be legally compelled to insert backdoors or compromise their product. "

Good thinking: I spent quite a bit of time wondering about them. Short story: they're a special exception to a lot of things and I still don't fully grasp why without specifics from their lawyers. What I found is that they're a nonprofit, they give away stuff for free, the source is available (riskier subversion), it's heavily studied by pros, many police/government organizations in U.S. depend on their anonymity, and censorship-resistance tools get exemptions from things like export restrictions in crypto. The whole of their situation makes them unlike about any commercial or FOSS software maker. They're not evidence of anything as they're too unique. If anything, their subversion resistance just means other products concerned about that should copy as many of their characteristics as possible.

"As to the Swiss, how much do you know about their security services or laws, Nick?"

Their security services might be as shady as any other. I know they want similar capabilities. Far as general practice, my email service has a nice summary. The claims are similar to what a number of international law firms say in their Swiss profiles. A business aiming to protect privacy with more assurance of reasonable L.I. is much better off there than here. There's other benefits with costs being my largest concerns. Strong privacy laws are why many firms, esp with trade secrets, headquarter over in Zug. Newer firms focused on privacy are basing their operations there for the same reason.

"As to Iceland, it's certainly a fine place to do business. Is it better than the US? If the concern were only the law and security, my answer would be no. At best it's equivalent, and is actually probably somewhat inferior in that it lacks the protections that derive from operating inside the US. "

It has no crypto restrictions, no Gestapo-like activities (see above), strong protections for whistleblowers, good internet access, and they're also marketing themselves as a data haven. There are surely downsides where our country is better. Yet, if one wants no forced (or secret) subversion, then they have to operate in a country that doesn't do that. Iceland doesn't do that. And, like Switzerland, they're one of only a few democracies that aren't NSA SIGINT partners.
