Friday Squid Blogging: Squid Fishing in the Gulf of Thailand

Long article about a very lucrative squid-fishing industry that involves bribing the Cambodian Navy.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on July 3, 2015 at 4:39 PM • 156 Comments

Comments

tyr • July 3, 2015 5:23 PM


@Clive

That OLE hole was amazing. How are you expected to fix something that broken?

There was a good reason for compartmented applications software; the one size fits all scheme was always full of nasty holes.

The term Feeping Creaturism comes to mind.

rgaff • July 3, 2015 6:04 PM

@Milo M.

How can there possibly be White House involvement, approval, or request for this, unless they require there to be backdoors in everything (secretly, if possible)? Which is, of course, the exact opposite of security.

albert • July 3, 2015 7:47 PM

Pentagon releases "2015 National Military Strategy"

http://fas.org/man/eprint/nms-2015.pdf

"...We now face multiple, simultaneous security challenges from traditional state actors and transregional networks of sub-state groups – all taking advantage of rapid technological change..."

"...Future conflicts will come more rapidly, last longer, and take place on a much more technically challenging battlefield..." - Hard to believe things could get any worse.

This is what the military wants us to believe. It seems a little one-sided.

Who's responsible for decimating the Middle East? Apparently the Pentagon has concluded that US Foreign Policy isn't going to change in the future.

Increasing dependence on technology looks cool, and is effective, as long as it works. Modern armies run on two things: communications, and oil. Disrupt either or both, and you have no force. Protecting these is the primary goal of the US military.
.
...

Nick P • July 3, 2015 9:43 PM

@ Milo M.

Thanks for the link. Not sure what to think about it. The thing that bothers me is that they all write like it's never happened before. A UL-like model for security actually did happen and worked. The government then killed off the good initiative by bad policy. The initiative was also geared toward their requirements rather than the commercial sector's. Common Criteria followed it with many good security *features* ending up in products per the Protection Profiles but not *assurance* because few will make the sacrifices.

So, there's already a model to copy and build on. I gave my suggested improvements here. Doubt this new one will do much if they haven't even learned the lessons of the prior and current one. Forgot they existed, even.

Recce by Death • July 3, 2015 10:03 PM

@albert thanks for the comic relief. US beltway culture is a wonder of the world for its unremitting dauntless failure and pointless carnage. Its inverse achievements would not be possible without a military suckup culture that selects, vets and advances cookie-cutter asskissers with no vestige of integrity. As they march toward war on the SCO with their characteristic dim-witted alacrity, we look forward to seeing their fighters becoming chaff and their fleets enriching the ecosystem with extensive artificial reefs. Then the civilized world can step in and reconstruct US culture. Seen it done a couple times with rotten basket-case failed states. They've really got it down to a science.

gordo • July 4, 2015 3:02 AM

The Snowden Surveillance Archive has been up and running on the Canadian Journalists for Free Expression (CJFE) Web site since March. This looks like a great, ongoing, curated resource. Here's a portion of the media release:

Wednesday, March 4, 2015

CJFE launches the Snowden Archive, a new resource for surveillance research
Archive provides detailed access to documents revealed by Snowden

TORONTO – Canadian Journalists for Free Expression (CJFE) is excited to announce the launch of the Snowden Archive, a comprehensive database of all of the documents published to date from the Snowden leak.

Created in partnership with the Faculty of Information at the University of Toronto, the Archive is the world’s first fully indexed and searchable collection of publicly released Snowden documents.

The Archive is a powerful resource for journalists, researchers and concerned citizens to find new stories and to delve deeply into the critically important information about government surveillance practices made public thanks to Edward Snowden.

“We are extremely proud to launch the Snowden Archive as a tool for Canadians, and the world, to better understand the scope and scale of mass surveillance programs,” said CJFE Executive Director Tom Henheffer. “We believe this tool is just the start of many important stories to come, and hope this will help the public engage in conversation about government surveillance practices.”

The Archive allows users to search Snowden documents by:

• Agency that created the document in question
• Journalist and media outlet that first broke the story from the document
• Full text of the document
• Keywords, surveillance program names and more

The Snowden Archive and additional information on the project can be found at cjfe.org/snowden

Sandra • July 4, 2015 4:18 AM

Demand your right to privacy and due process. Let ICANN know that you object to any release of personal information without a court order. There's no time to waste – ICANN policy discussions are already underway and the close date for comments is July 7, 2015.

https://www.respectourprivacy.com/

uair01 • July 4, 2015 5:22 AM

Last week I read the book "Running Dog" by Don DeLillo and I was surprised how contemporary these paragraphs sound. It's as if he's describing our current surveillance situation. And this is from 1978, long before anyone heard of smartphones or the Internet:

"When technology reaches a certain level, people begin to feel like criminals," he said. "Someone is after you, the computers maybe, the machine-police. You can't escape investigation. The facts about you and your whole existence have been collected or are being collected. Banks, insurance companies, credit organizations, tax examiners, passport offices, reporting services, police agencies, intelligence gatherers. It's a little like what I was saying before. Devices make us pliant. If they issue a print-out saying we're guilty, then we're guilty. But it goes even deeper, doesn't it? It's the presence alone, the very fact, the superabundance of technology, that makes us feel we're committing crimes. Just the fact that these things exist at this widespread level. The processing machines, the scanners, the sorters. That's enough to make us feel like criminals. What enormous weight. What complex programs. And there's no one to explain it to us."

"Go into a bank, you're filmed," he said. "Go into a department store, you're filmed. Increasingly we see this. Try on a dress in the changing room, someone's watching through a one-way glass. Not only customers, mind you. Employees are watched too, spied on with hidden cameras. Drive your car anywhere. Radar, computer traffic scans. They're looking into the uterus, taking pictures. Everywhere. What circles the earth constantly? Spy satellites, weather balloons, U-2 aircraft. What are they doing? Taking pictures. Putting the whole world on film." "The camera's everywhere." "It's true."

Curious • July 4, 2015 7:33 AM

NSA documents are said to show how they have targeted government officials in Brazil, people associated with finance.

I recall having read in the book "Privacy on the line", something like: by conducting espionage against others, you will effectively undermine the initiative and secrecy of others when making deals with them, so that you gain knowledge beforehand, when other people have decided for themselves on what would be the lowest acceptable offer for a trade agreement, so that you can force others to accept their least appealing situation.

https://firstlook.org/theintercept/2015/07/04/nsa-top-brazilian-political-and-financial-targets-wikileaks/


All this spying business in Germany and Brazil (and probably everywhere else) has me wondering: if the USA has/were to have foreign government officials on their payroll so to speak (or sympathisers), is it not fair to assume that such people would be bugged by the USA at the very least (to try to learn if they are loyal)? Not sure what to think of that. I can however see that simply eavesdropping on someone's phone wouldn't necessarily reveal if someone who was collaborating with the USA was in fact a double agent against the USA (maybe hard work if not impossible to successfully tail and control someone everywhere throughout the year). This ofc has me wondering if hypothetical top level informers and sympathisers might not be as important as I initially imagined them to be. I guess different people would be of different value to an intelligence agency spying on another nation or group of people, and maybe limited to a time period.

Curious • July 4, 2015 7:36 AM

To add to what I wrote just above:

It is a little unclear to me (I rushed through this), however I also got the impression that the USA intended to target high ranking people working in finance (so the espionage as such wouldn't be incidental, as I understand it).

Petter • July 4, 2015 7:59 AM

The post above should be She and her. Not he and him.
Sorry for that.

Clive Robinson • July 4, 2015 8:06 AM

@ tyr,

"That OLE hole was amazing. How are you expected to fix something that broken?"

Yup just about catastrophic for all MS Win OS users...

It even allows normally safe RTF and other human readable text files to be turned into an attack vector. I'm surprised not to see "Total fail Micro$haft" comments about it...

Maybe it should be called MOAB, for "Mother Of All B*llsups". If I was an IC drone working for the TAO I'd kiss the ground the MS droid who let that one out walked on... It originates from the same time as the droid who let "Teardrop" out was doing their Redmond cubicle time, I wonder if it's the same droid or droid group, and where they are now?

But not even a squeak from the "usual suspects"; it almost makes me think it was "slipped out" just prior to the 4th July holiday to keep it quiet...

But even on this blog apart from you and me "no comment", I'd have expected @Nick P and @Thoth to have picked up on it....

Ahh well, let's see what happens post 'Independence Day' ;-)

Nick P • July 4, 2015 9:35 AM

@ Clive Robinson

I didn't comment on it because it was Yet Another Windows Vulnerability Due to Backward Compatibility Requirements And Ancient Stupidity. These will continue to flow out with Microsoft only able to do so much about them. This one's certainly a whopper, though. The only thing jumping out at me is that it works on RTF files: a format I used long ago to avoid .doc's bloat and security issues. Turns out, one of my friendemies could've powned me with one. (sigh)

Just reinforces my claim that these large, legacy OS's can't be trusted for security. The only solution to legacy apps in them is to wrap them up in VM's. Then, apply security engineering to hypervisors/VMM's as they're a simpler problem and we need them anyway. Good news is that there's plenty of work, including prototypes & products, in that from hardware on up.

Crystal Balls • July 4, 2015 10:02 AM

Seems whenever the powers that be get called out for their malfeasance, a new terror alert is created. Seems all these terror alerts lack specificity. Kind of like a fortune teller with her crystal ball.

I see... wait... must have more money to see the vision... (puts a billion dollars in the bucket)... ah... now I see your future...I see terror... a man, or a woman, might be a child, or a beagle... committing a heinous act of.... oh wait... must... have... more money... (pays another billion)... ah now it is coming in clear... a bald beagle, or maybe a red headed blond from somewhere not here...might cause something to happen... I know not what will happen... or where... or by whom... (yeah it's whom not who)... wait!... I see snow... a disaster in snow... you are in a room... in a den... looks like a Snowden... I see something happening to you... your nose... it's getting longer... and longer... what's this?... a shield... no... a guardian... a newspaper... I see more terror...


oops... burgers burning on the barbeque... later...

Clive Robinson • July 4, 2015 10:37 AM

@ Nick P,

"I didn't comment on it because it was Yet Another Windows Vulnerability Due to Backward Compatibility Requirements And Ancient Stupidity."

Yeah, "ancient stupidity" is the whole ethos behind OLE.

The last time I played with it (because someone was paying) was back in the 90's (96 IIRC). I thought it was a disaster waiting to happen, as I indicated to the person cutting the checks, but they gave the usual Not Happening Here (like NIH syndrome but more complacent ;) response...

I had a scan on the source of the problem, "packager.dll", and it has a more recent claim to infamy (cve-2014-1441); apparently another of its many issues was exercised by "Sandworm" (the alleged Russian IC tool for getting at infrastructure controlling SCADA systems).

Whilst AV software etc. is ineffective, it appears that according to Stefan Kanthak, SAFER stops the unpacked executable from running (not tried it as I don't have an appropriate MS OS handy, so cannot confirm),

http://home.arcor.de/skanthak/SAFER.html

BUT... good as SAFER may be... it's only available to the later MS OS's. Personally I think it's something that should have been built into the NT kernel from day one, like so many other things such as proper process control and reporting that I've moaned about since NT3 (so much for Dave Cutler's claim to NT being a better Unix than Unix)...

Bob S. • July 4, 2015 10:44 AM

VPNs are so insecure you might as well wear a KICK ME sign
Brit boffins' test of 14 prominent privacy tunnels finds leaks galore thanks to IPv6 mess

"Despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage," ....

Yeah but, I thought IPV6 was so much more safe and secure than IPV4?

That's not true, and according to the researchers most of the privacy/security claims of leading VPN services are not true, either. They leak like a sieve.

I've wondered why the likes of FBI and NSA haven't whined about evils of VPN and SSH services. I guess the wondering is over now. Governments and hackers find it child's play to break them.

This was a lot more fun when it was only some teenage hacker in Romania putting up creepy crawly spiders all over your web page.

I don't know why, but today I feel like signing a declaration claiming my/our independence from repressive and corrupt government-corporate cracksters.

JonKnowsNothing • July 4, 2015 10:51 AM

@Nick P
"Just reinforces my claim that these large, legacy OS's can't be trusted for security."

Well the legacy ones are bad but the upcoming ones are worse.

  • Win10 beaconing your Wi-Fi password to everyone and his dog so they can connect to your home computer - automagically. If one of those "friends" is on Facebook - their FB friends get your Wi-Fi PW too.
  • Upgrades to browsers with "hidden installs" and disconnected (non-functioning) Opt-Outs?
  • Software with Magic Marker Click Trackers installed by default.
  • Mega Corps able to "buy into" White Lists so they can bypass blockers and harvest your information while you "think" you have a block in.
  • MS is already shoehorning in pre-Win10 installers and nagware on Win7 and Win8 systems using the Windows Update System and marking some of these as Critical/Important fixes.

It's not getting any better in the future.

Nick P • July 4, 2015 11:04 AM

@ Clive Robinson

Brandioch Conner brought SRP up as a solution in a previous discussion. Essentially, it's a whitelisting system. Someone wrote a nice article comparing the various solutions. DefenseWall and Bit9 made the approach pretty easy. However, I find that this interview explains well our uphill battle in getting stuff like that widely adopted. This one particularly hits the nail on the head:

"I think it's the lack of consequences. Take T.J. Maxx, Target, Neiman Marcus or any of the other headline-grabbing data loss incidents. What has been the real-world, bottom-line impact of those situations? All of those folks are still in business."

@ JonKnowsNothing

Upcoming "Windows" OS's, you mean. There's still a tiny bit of competition in the desktop OS market. They're not all doing things that bad. Some are also easier to modify to suit our security needs. ;)

albert • July 4, 2015 11:14 AM

@Recce by Death,
You can bet [whatever] that ALL the BRICS countries top the list. That alignment poses the biggest threat to US hegemony. BRICS is a potential financial powerhouse of world-wide dimensions; bad news for the US/EU financial sector. BRICS leaders need to protect their societies from the US/EU bankster system (that is, keep their oligarchs in line), and they'll be fine. Russia and China are the new enemies. North Korea, Russia, China, and the Muslim terrorists are also the bogeymen fodder for the MSM.
.
The US military are not 'dim-witted'. Their leadership is highly intelligent. The last thing any military wants is war. It's the civilian chicken hawks that promote it. I haven't decided whether the chicken hawks are idiots, psychopaths, or just plain stupid. All great politicians harbor one or more of those traits.
.
@Clive,
¡OLE! is what they shout at bullfights, which means slow death for the bull. (I leave it as an exercise to determine who the 'bull' is in that metaphor*).
.
*I think this was the name of an auto made by American Motors (AMC) in the seventies.
.
...

Uncle Bob • July 4, 2015 11:38 AM

An Independence Day Conspiracy Theory
Because Independence Day without a Conspiracy Theory is like a Christmas without a Christmas Story.

(this is actually an old conspiracy theory with some new additions)

Many years ago the US of A got something called Lyme Disease. This is a tick-borne illness that was first diagnosed in the town of Lyme in Connecticut.

About 10+ km (7+ miles) to the south of the coast of Lyme, in the Long Island Sound, we have an Animal Disease Center that had long been used for a biological weapons program.

Due to the proximity of the Lyme area to this research center, and other factors, a popular conspiracy theory has been that the pathogen that causes Lyme disease originated at the Plum Island research center.

One of the other factors is that the center, according to the article below, had actually done research on tick-borne diseases and published papers on this research:

http://www.examiner.com/article/did-lyme-disease-originate-out-of-plum-island

Now, for one reason or another it has been decided that this research center should move its operations to Manhattan, Kansas.

The operations in Kansas will be housed in a center called NBAF, short for National Bio and Agro-Defense Facility. This facility will be located adjacent to Kansas State University, as explained in this article:

http://www.bizjournals.com/kansascity/blog/morning_call/2015/05/nbaf-will-host-groundbreaking-ceremony-in.html

The transition from Plum Island to Kansas actually started already in 2011. In order not to put a stop to the research during this transition period, some of the research work was transferred over to the Kansas State University BRI (Biosecurity Research Institute, at Pat Roberts Hall). It is expected to transfer from BRI back to NBAF once the latter facility is completed.

As mentioned in the article below, the research at BRI is now in its third year:

http://www.k-state.edu/media/newsreleases/mar15/brinbaf31115.html

The new part to this conspiracy theory is that we now have a new kind of tick-borne illness that has originated in Kansas.

New 'Bourbon Virus' Blamed for Kansas Man's Death
http://abcnews.go.com/Health/tick-borne-bourbon-virus-blamed-kansas-mans-death/story?id=27764076

New Tick-Borne 'Bourbon Virus' Is Deadly And Unlike Anything Previously Seen In U.S.
http://www.huffingtonpost.com/2014/12/24/bourbon-virus-tick-kansas_n_6377932.html

Perhaps the new illness is just coincidental. Or maybe it is related to the research but merely a symptom of lousy laboratory practices. Sort of like many decisions related to computer security by certain large corporations have been lately...

taylor • July 4, 2015 12:17 PM

@Bob S.
"VPNs are so insecure you might as well wear a KICK ME sign"

I am so glad someone is finally paying attention! I have posted about these vpn leaks a couple of times before, generally receiving no response or complete indifference. I cannot understand why the IT sec community isn't kicking up a major fuss about this. Some of these vpn services are advertising themselves explicitly as anonymizing solutions for hostile zones, but they won't even fool ebay's advertising banners, let alone a repressive government in control of the nation's infrastructure, ready to send a pair of friendly armed guys to knock on your door. If I had to guess, there are probably several thousand internet users across some of the more volatile areas of the world who have, quite literally, been wearing a "KICK ME" sign while using leaky vpns without realizing it.
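The leak Bob S. and taylor are talking about is, at bottom, a routing problem: a VPN client that only installs IPv4 routes leaves the host's native IPv6 default route untouched, so any destination that resolves to an IPv6 address is reached around the tunnel. The following Python is an added example, not code from this thread or from the cited study; it parses constructed `ip -6 route show` output (Linux format assumed, tunnel interface assumed to be `tun0`) and reports whether a global-unicast IPv6 packet would leave via the tunnel, via another interface (a leak), or not at all. It covers three tables: the leaky IPv4-only tunnel, a client that pushed `::/1` and `8000::/1` into the tunnel, and a host with IPv6 disabled on its uplink.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a Linux host whose VPN client set up an IPv4-only
# tunnel (tun0). IPv6 still has its native default route via eth0, so any
# IPv6-capable destination is reached outside the tunnel.
LEAKY_ROUTES = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

# Constructed sample: the client also installed ::/1 and 8000::/1 via tun0.
# Those two halves cover all of IPv6 and are more specific than ::/0, so
# longest-prefix match sends IPv6 into the tunnel even though the native
# default route is still present.
TUNNELLED_ROUTES = """\
::1 dev lo proto kernel metric 256 pref medium
::/1 dev tun0 metric 50 pref medium
8000::/1 dev tun0 metric 50 pref medium
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

# Constructed sample: IPv6 disabled on the uplink, only loopback/link-local
# routes remain. Nothing leaks because nothing can be routed.
NO_V6_ROUTES = """\
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    dev: str
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Parse `ip -6 route show` lines into Route records (assumed format)."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if "dev" not in tokens:
            continue
        dst = "::/0" if tokens[0] == "default" else tokens[0]
        if "/" not in dst:
            dst += "/128"  # host route
        try:
            prefix = ipaddress.IPv6Network(dst, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." lines whose first token is not a prefix
        dev = tokens[tokens.index("dev") + 1]
        metric = int(tokens[tokens.index("metric") + 1]) if "metric" in tokens else 1024
        routes.append(Route(prefix, dev, metric))
    return routes


def egress_device(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match (ties broken by lowest metric) for one destination."""
    addr = ipaddress.IPv6Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.dev


def ipv6_leak_status(route_text: str, vpn_dev: str = "tun0",
                     probe: str = "2001:db8:f00d::1") -> str:
    """Classify where a global-unicast IPv6 packet would leave the host.

    Returns "leak" (egress on an interface other than the tunnel),
    "tunnelled" (egress via vpn_dev) or "no_route" (IPv6 unreachable).
    The probe address is a documentation-range placeholder, not a real host.
    """
    dev = egress_device(parse_routes(route_text), probe)
    if dev is None:
        return "no_route"
    return "tunnelled" if dev == vpn_dev else "leak"


if __name__ == "__main__":
    for name, table in (("leaky", LEAKY_ROUTES), ("tunnelled", TUNNELLED_ROUTES),
                        ("no_v6", NO_V6_ROUTES)):
        print(f"{name}: {ipv6_leak_status(table)}")
```

On a live host you would feed the real output of `ip -6 route show` into `ipv6_leak_status` while the VPN is up; "leak" means the fix is either an IPv6 route through the tunnel (or a firewall rule dropping IPv6 on the uplink) or disabling IPv6 on the uplink until the client handles it. The on-link `2001:db8:1::/64` route still wins over `::/1` in the tunnelled table, which is the correct behaviour for the local subnet and a reminder that a tunnel does not make LAN-side IPv6 disappear.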

Bob S. • July 4, 2015 12:43 PM

Windows 10's Wi-Fi Sense password sharing sparks security concerns
"The option would allow anyone with a network's password to share access to it with all their friends."

When you set up wifi there's a check box to opt out, but even if you try to opt out you MUST change your SSID name to end with "_optout". Sounds like they bought into FB-like in-security procedures.

"...a user who shares network access sends the password through an encrypted connection to a Microsoft server, where it’s stored in an encrypted form before being handed off securely to any of their friends who needs it based on location data from their device. Microsoft says that someone who gets access through Wi-Fi Sense will only have access to the Internet and won’t be able to get to any other computers or other devices on the network...."

Automatically all of your contacts will get signed into your network via credentials stored on MS servers, as well as friends of friends, etc. for Facebook, Skype and Outlook, and we would assume other friends like PRISM, NSA, GCHQ, MOSSAD and so on.

I wonder, why even have a password then?

Actually, I am not over the key logger built into the W10 preview edition. I still haven't read anything official that it's been removed from the retail version.

Recce by Death • July 4, 2015 1:20 PM

@albert, the BRICS, right, funny you should mention that. Here's NSA illegally spying on Merkel's attempts to enlist the BRICS in stabilizing European banks,

https://wikileaks.org/nsa-germany/intercepts/WikiLeaks_US_Bugs_Germany_Plotting_BRICS_Bailout_for_Greece.pdf

THROUGH the IMF, which would have involved the US in the decision in any case. The US quashed the idea, destabilizing European banking at great cost to its satellite states. S2C51! Turns out NSA has an international financial policy branch, which explains a lot. The 'button-pushing uniforms' Snowden told us about can now play at being international wheeler-dealers and screw up diplomacy directly.

re dim-witted, military recruitment involves multiple filters. One is class, the 'poverty draft:' when the agreement involves someone sending you out to get your limbs or face blown off, it's more apt to be accepted by people with no access to quality liberal education. One is culture: the anti-intellectual milieu of the South is predisposed because they're acculturated to violence. A third is merit: smarter people have other options (The smart ones get channeled into banking to be thieves and frauds.) So they're not too bright, but on induction they're not devoid of honor or integrity. It takes years of conditioning to produce the decorated worms who lied Pat Tillman's death away.

Curious • July 4, 2015 1:41 PM

Hm, could it be said that "Windows 10's Wi-Fi Sense" has a similarity to a key escrow scheme?

Curious • July 4, 2015 1:44 PM

@Bob S.

The tech preview keylogging feature that I have been hearing about is also bugging me so to speak, as I look forward to upgrading to Windows 10 this summer, only to get to play directx 12 games.

Rex Rollman • July 4, 2015 1:46 PM

@Clive

Wasn't OLE basically Microsoft's answer to Apple's Publish And Subscribe from System 7?

Jeremy L • July 4, 2015 1:53 PM

@Bob S


"I wonder, why even have a password then?"

Good question. Reminded me of that wifi password harvesting scheme that Google had running some years back, the one that they blamed on a software bug and a disgruntled employee. It made me wonder if there is some eagerness on part of the government to get to this data, and if so, why?

"Actually, I am not over the key logger built into the W10 preview edition. I still haven't read anything official that it's been removed from the retail version."

Another weird thing - well, weird IMHO at least - is this "Mouse and Keyboard Center" software that they peddle to users even when both mouse and keyboard are already working fine. Also this software does not add any new functionality to the mouse or the keyboard, so what is it for I wonder?


me • July 4, 2015 2:04 PM

I'm SHOCKED that there is actually a discussion going on here suggesting that it would be a reasonable thing to install and run Windows 10! Hello!?

Bob S. • July 4, 2015 4:05 PM

@Curious

Re: "Wi-Fi Sense" ... similarity to a key escrow scheme..."

Exactly.

Voluntarily giving up the key to MS is the same as voluntarily giving it up to the government.

Making the opt out process obtuse and confusing aids in compliance. Of course, when that isn't good enough, "civilized" nations will simply go for the throat with mandatory key disclosure laws and thus achieve another step towards transparent (to the government and corporation) electronic mass surveillance and control.

I would watch the Brits closely...they are itching for a go at it. They already have a key disclosure on demand law; mandatory government collection would seem a logical, repressive next step.

Curious • July 4, 2015 4:14 PM

@me

I guess I might be the only gamer here. :P I feel a little bad about posting on Schneier's blog so I try to quickly mention that I am either non-professional, or that I am into gaming, so as to not get annoyed about what I write from time to time. I am sadly a Windows user for the foreseeable future. If I ever got into linux, I would probably try to be a control freak, but my interests are more about philosophy and language than coding and technology, and I also lament that I don't want to learn a bunch of stuff I probably won't remember because I'm not using that knowledge daily.

Lauren • July 4, 2015 4:16 PM

@Uncle Bob

how's this for a "conspiracy theory"...

Rock Star Admits He’s Been to Snuff Parties Where People Are Murdered For Fun
https://youtu.be/PDwBDs_TjM0
Ralph Rieckermann, the former bassist for The Scorpions, admits he has attended elite snuff parties where people are murdered for the entertainment of the wealthy guests who pay up to $100,000 to attend.

dont believe everything you hear • July 4, 2015 5:07 PM

Lauren,

that thing about Rieckermann visiting a 'snuff party' is not exactly correct.

Ralph Rieckermann has posted the video below with his own official statement about something he says was taken out of context by TMZ.

Ralph Rieckermann official Statement about TMZ Snuff Party Video Clip
https://youtu.be/BQU6CxvPV0A

Summary: his statements to TMZ were about an S&M party where he saw some stuff that made him nearly throw up. When he wanted to leave, the host had started telling him about a snuff party.

So the correct story is not that he was at a "snuff party" but that he was at an S&M party where he was told about a "snuff party".

Nick P • July 4, 2015 5:46 PM

re snuff party

My general response is to just think they're full of shit. This goes the same for movies "based on" or "inspired by" "true events" or "a true story." It's usually so far from the real thing that it should be labeled fiction. A relevant example was when I saw an early Hostel trailer that was inspired by real events. Later, that got changed to someone online said they saw something like that advertised. As "real" as it gets...

Justin • July 4, 2015 6:02 PM

@Nick P

Ralph Rieckermann: "The truth is, yadda, yadda, yadda." But the thing is that all this talk about "snuff parties" hardly even raises an eyebrow among the stars and their entourage. And don't tell me it couldn't happen.

Because it all goes to show just how little the lives of "little people" matter to the stars. Something we should all do well to take heed of.

Nick P • July 4, 2015 6:14 PM

@ Justin

Maybe. I agree we matter little to them. Far as snuff parties, celebs are in the deep end of a culture where people constantly lie, shock, and so on for attention. I figure they're just desensitized to it. Maybe a combo of that and your point about them not giving a shit in general.

tyr • July 4, 2015 6:39 PM


@Nick P, Clive

Well SAFER answered my question about what to do with that OLE hole. It looks like the average user of MS OS is shit out of luck without an intensive education in the settings arcana.

At least you provided some comic relief with the NT is a better Unix. That sums up MS perfectly, they just can't do anything without their odd obscure what you need to make it work right philosophy. On that one point an MS OS will never make a decent scab on a bad Unix version's ass. : ^ ).

I did like the fact that OLE was capable of bypassing firewalls, AV software and other security measures and doing it invisibly to deliver a payload right to even a paranoid's system. I followed one link off the SAFER down the Microsoft rabbit hole which purported to be a fix by scabbing certificates onto every form of usable software after setting restrictions that negated the idea of a computer. The BOFH in me thought of the joy that you would incur by fixing this problem for a shortsighted management and announcing that it was fixed but none of the firm's programs would be able to run now.

@Curious

It is a pain and an economic burden but setting your game engine on a separate comp from your normal online activity is the way to go. The instant you have a one machine does all, your attack surface opens so wide that defense becomes a full time job instead of a nuisance. You can get reasonable used hardware for the mundane net activities. Then all the usual snoopers get access to is the glory of gaming.

I highly recommend FreeOrion on a slow machine to give them a thrill. It has all the excitement for a snoop of watching paint dry or golf on TV.

@All
Check out Megan Fox on the demise of LEGO Universe for the humour of the day. Technological over employment strikes.


Thoth • July 4, 2015 7:01 PM

@Clive Robinson, Nick P
The OLE hole is another Micro(Fail)Soft's work as usual. I wouldn't be much surprised if even the most innocent data objects on a Microsoft OS could be weaponized.

I have been busy building my Genode/Fiasco.OC/L4Linux kernel so I didn't really look at the recent posts. Now I have a built ISO ready, just about time to look for an old CD-R and pop the thing in for a run. For now it is built for the 32 bit Intels and probably the next one would be ARMs and hopefully it could boot off a Raspberry Pi sitting near me.

Probably these TCB kernels should be able to stop these petty attacks to a certain degree unless they decide to physically tamper with the hardware.

Nick P, are there any records of Micro(Fail)Soft Windows running on top of Fiasco + Genode? I wonder how that would perform in stopping MSA threats.

Justin • July 4, 2015 7:27 PM

@Nick P

"... your point about them not giving a shit in general."

Well, I'd rather not be mired in manure.... Just common decency and respect for human life would be enough.

Nick PJuly 4, 2015 8:16 PM

@ Justin

"Well, I'd rather not be mired in manure.... Just common decency and respect for human life would be enough."

Celebs don't have any impact on my life. They can act however they want and I don't care. I suggest ignoring people like that unless they're in your face or you can influence the outcome. Just unnecessary stress or irritation otherwise.

@ tyr

"I did like the fact that that OLE was capable of bypassing
Firewalls, AV software and other security measures and
doing it invisibly to deliver a payload right to even a
paranoids system."

Paranoids on Windows tend to sandbox individual apps, use text files excessively, disable anything we can in Windows, use non-Microsoft apps, and regularly restore from clean backups during update cycles. I did these. Whether the RTF attack would slip through the cracks or not is an interesting question. Given the attack, there's a good chance it would even if other things would've been blocked.

Why real paranoids don't use Windows for secret or critical activities. I'm less paranoid than before given my extreme threat model. Still been off Windows quite a while, now. ;)

@ Thoth

"Nick P, are there any records of Micro(Fail)Soft Windows running on top of Fiasco + Genode ? I wonder how that would perform in stopping MSA threats."

There's a picture on the homepage of Genode virtualizing Windows 7 via Virtualbox. Genode and Fiasco can't be considered trustworthy yet, though, due to lack of qualified review and QA. I'd just consider them a decent alternative to regular VM's for isolation.

Green Hills INTEGRITY-178B, Lynx's LynxSecure, and VxWorks MILS have all virtualized Windows systems in production systems. They combine a separation kernel/hypervisor with Intel's virtualization hardware to let Windows apps run side-by-side with security-critical apps and/or drivers on the TCB. Similar to Nizza's approach to Linux. The actual security is highly dependent on the hardware, firmware, trusted components, and interfacing with untrusted components. Kernels themselves can't do the job alone as untrusted code might abuse the system through trusted code it calls. Hence, the whole TCB must be assessed and shown to mitigate against certain risks.

Nick PJuly 4, 2015 8:44 PM

@ Thoth

EDIT: Genode was on a roll at FOSDEM with three presentations. They put the core on seL4 recently but with more work to do before useful. Their latest release comes with an eBook and a bunch of other improvements. The best thing is that I find myself nodding and grinning when reading most stuff in their presentations. They've certainly studied good stuff of the past and are applying what lessons they can.

Have a feeling that I'll be running a form of this as a desktop (maybe secondary) after I straighten my personal situation out a bit.

Clive RobinsonJuly 4, 2015 9:01 PM

@ tyr,

With regards to Meghan Fox being "all a twitter" over "lego management being dong averse"...

I think I mentioned it about a month ago, I fell about laughing at the idea, and it's the sort of thing I would have mentioned discreetly to @Nick P ( the mod tends to be a bit sensitive about such things).

Clive RobinsonJuly 4, 2015 9:06 PM

@ Nick P,

Speaking of straightening out personal situations, have you heard anything from "Mike the Goat" recently?

ThothJuly 4, 2015 9:12 PM

@Nick P, Clive Robinson, Figureitout, Passive Squid, secure civilian options et. al.
Good to know that Genode/Fiasco have a Windows running on top. I did notice they have seL4 running with Genode but as you said, it's still work in progress.

The open Security/Research community does not have a lot of secure options at hand. We would never be able to get our hands on things like VxWorks MILS, LynxSecure, INTEGRITY-178B and so on. It's as good as asking General Dynamics to sell us their Sectéra product lines or asking them to sell a development kit for their AIM / SPIE security chips or asking Harris Corporation to sell a development kit for their Citadel cryptographic chips.

The seL4 TCB is a rather unusual exception by General Dynamics to release a supposedly working TCB out into the open and under Open Source terms and licensing.

Recently, I heard of news that the seL4 had problems with the Beagleboard they claimed to support and I hope they had gone about doing something about it or at least the Open Community have already had a work around.

Even if you could pay these contractors the money for their products, they would self-censor and probably even highlight you to the Warhawk ICs they have made a "selling of souls" pact with. The same goes for the company I am currently working for, we mostly only entertain legitimate corporate users of security solutions (and note we aren't selling our souls to Warhawk ICs but to Warhawk Contractors - Thales) unless ... you could fork out cash up front :P .

We can't forget that most of the GOTS/COTS are relying on low assurance civilian technologies done in a very sloppy manner.

High assurance no more :) ...

Nick PJuly 4, 2015 10:14 PM

@ Clive Robinson

I haven't. I meant to email him when I got GPG setup but didn't get around to it. Too much going on. Getting in touch with him is on my backlog, though. ;)

@ Thoth

We can still learn from them where they have good ideas. INTEGRITY getting user-mode processes to donate their own resources for kernel tasks on their behalf is a good example. VxWorks MILS modified their fixed-time partitioning scheme to let components donate theirs to others if they have nothing to do. LynxSecure (and OK Labs) made IPC middleware so programmers didn't have to manage individual words. And so on.

So, they still have value even if you don't (or can't) use them.

FigureitoutJuly 5, 2015 12:13 AM

Clive Robinson RE: OLE
--It's pretty goddamn bad, the amount of attacks possible boggles the mind and makes me convinced there isn't a single clean system on earth; we all have some kind of malware we don't know of (surely you amongst others know this from some of "your sins"). Hacker news covered it, some guy claims to have blocked it w/ the SRP; sure does not make one feel confident or secure (how many goddamn times have we heard of bypasses of all kinds of sandboxes preventing execution, we need to monitor actual buses, but even the best of diodes *still* will have leakage) b/c f*ckin' huge attack surfaces like C:\Windows, C:\Program Files and C:\Program Files (x86) were whitelisted (gotta run something), never had any malware in those places, eh? And while going virtual sounds nice, it doesn't work in embedded (at least so far for me), pisses me off, could've saved the company $500 on old-ass software (I just need to see what file they write to tell your free trial is up). If an organization "buys" applications or software and it can just be run virtually a million times (ie: copied), vendors aren't going to like that, eh? Servers are main thing that should never be "real", but I don't really actually believe the "virtual" aspect.

https://news.ycombinator.com/item?id=9821405

Something that "really gets me" is I migrated from Windows (still use of course, but when I build on it I don't trust (I had a silly happen the other day where I was going thru erasing more remote OTA firmware macros (just #if's, don't even want to see that sh*t) and the next build a default "ID" of 000 (supposed to be 4 0's, still unknown why just 3 returned) continued happening no matter what, sent me to paranoia-land of more malware triggers, turns out this strange bug was caused by not reading EEPROM before checking it (sounds stupider hurr durr than it is, the read was done elsewhere in another build), even when we explicitly write it to the condition (FFFF...) we want it to be true, always would re-write to 000), when I delete I don't trust (more like just erasing pointers but data still there, so stop calling it "deletion" and "formatting" is kind of a joke to me, it's not real erasing), but still some of my first computing experiences were w/ Windows and internet w/ IE; what "really gets me" is still malware that hitched a ride, carves space on the fly and continues riding from such an insecure place.

RE: mike the goat
--Probably out in a field eating some grass and stuff, or ordering sh*tty android phones from China and getting death-threats when he catches them selling falsehood ripoffs lol.

Thoth
--Cool on the kernel build, if you make a RasPi build, do share (maybe host on your site). Got my Pi up and running finally today (had a touchscreen for it, but I also have like 5 smartphones w/ better screens and I get so much better use from it as a regular PC). Get a malware, *should* be ok just re-write SD card (Don't need to get into that I likely wouldn't be ok and even initial write could be false, we know. I know what you would do though, throw it in the fires of Mordor any chance you get lol..amazing you still have a computer left! :p). Tried some others but I just like Raspbian on my Pi, it's so much better than the beaglebone experience b/c the community is massive (I haven't actually run it as a PC, want beaglebone VPN servers most likely, and why can't they just put a regular damn HDMI not a micro-one (not even mini! micro! I don't want to spend another $30 for an adapter!)); just got to clear stuff I don't want (mathematica/wolfram, pygames, scratch, etc.).

Question, so what do you run after booting up that kernel?

Another question to everyone on wifi drivers: So I'm fortunate to have a USB-dongle that doesn't have the ID # and I have to manually add it every boot up (which I want to script, b/c it's annoying doing this every reboot). Is it best to either get the guy to rebuild w/ this ID or rebuild myself or just script it at boot up? It's weird, I create a new ID, then it makes a "remove_id" file which I can't delete, and then has multiple directories that repeat like a mini zip-bomb. The "fix" I'm applying was for Ubuntu but it's worked on Kali and now Raspbian lol.

JonKnowsNothingJuly 5, 2015 12:33 AM

@Nick P
Upcoming "Windows" OS's, you mean. There's still a tiny bit of competition in the desktop OS market. They're not all doing things that bad. Some are also easier to modify to suit our security needs. ;)

While there are other OS that might have better prospects for being more secure or handling data privacy better, the unwashed masses still worship at other idols.

Even if you found the "perfect" OS, you cannot ignore that the entire hardware system from chips to motherboards to connectors along with every transport protocol is like swiss cheese. Each of these areas will be leveraged against any future privacy or security gains by every exploiting agency.

With upcoming mandated "voluntary cooperation", nothing you can put in a future box is going to be any better than the current offering in this regard. The only thing that will happen for sure is that the exploits will be "better hidden".

I don't want to sound too defeatist but "the future O/S" on offer will just be as awful and even if you got one rock solid the hardware weeps a river of data.

There are ideas on how to move off this merry go round but the future O/S options (near future ones) won't be the answer because the whole system has to collapse first before it can be rebuilt. No one wants to repair the bridge while it's still standing, but once it falls into the bay folks get a different perspective quick.

WaelJuly 5, 2015 1:52 AM

@Clive Robinson, @Nick P, @Figureitout,

Re: Mike the goat....

Strange that he's been scarce this year.

ThothJuly 5, 2015 4:03 AM

@Figureitout

"Question, so what do you run after booting up that kernel?"

I have not found myself a CD-R to write and boot it so probably would tell you once I have it done. Actually ... I think I could edit the VirtualBox script to force boot the thing since it is supposed to make VirtualBox think it is a 32 bit Linux running hidden in its core a Fiasco.OC with Genode Framework.

Will post my experiment results here some other days once I have compiled enough data.

Wesley ParishJuly 5, 2015 4:04 AM

@Clive, Nick P, et alii ...

Personally I think it's something that should have been built into the NT kernel from day one, like so many other things like proper process control and reporting that I've moaned about since NT3 (so much for Dave Cutler's claim to NT being a better Unix than Unix)...
Hate to sound like a scratched record (anyone remember those?), but that's one of the reasons why I would like Microsoft (and its partners in grime) to open the source trees of their obsolete OSes like WinNT 3.x to 4.x, and even 5.x, OS/2 1.x, 2.x, 3.x, 4.x, VAX VMS, and related source trees, under the GPL or related source code license. (Slipping onto web sites without explicit right to do with it what one may wish, is not opening the source, at least as far as I'm concerned. :)

Nothing like getting ancient stuff aired out completely. And somebody might even be able to revitalize and secure such a source tree, at least to half-way to the OpenBSD standard, which should be the default FOSS security standard. But perhaps IBM, Microsoft et alii are too embarrassed ...

Clive RobinsonJuly 5, 2015 4:29 AM

@ Wael,

Wrong sort of goat in that it has neither mic or horn antenna ;-)

@ Nick P,

Secure "social" email, yes it's something I need to sort out as well, whilst there are a lot of services, I'm not sure I trust any of them, all the ones I've looked at have "cracks" just not sure if others can drive a wedge in or not...

Oh you might like this....

http://thenextweb.com/insider/2015/07/02/the-cybersecurity-industrys-billion-dollar-scam/

It starts off OK and you find your head nodding along, then you get to this point,

So beware of threat intelligence clouds, sandboxing, containerization, and white listing.  They are all based on stale information and don’t work.

And you think "oh journo who does not know why white lists and black lists are different animals", but then you think again about "sandboxing and containerization" and "stale information" and you get a touch of "cognitive dissonance", they are after all, imperfect as they are, the basic "lab bench" for putting "instrumentation" around when analysing new malware.

Thus the author has a very specific meaning, one you find in secure-it-ware vendors trying to flog adaptive solutions. What they mean is "your sandbox" has deficient instrumentation around it and is thus useless, when compared to "our sandbox" which is wonderful because of what instrumentation we use.... Thus it's not the "sandbox" that's really in question as a methodology but the how and the why of the instrumentation.

So the author has an axe to grind, and views the world with a very particular slant of an adaptive solution provider.... and it turns out he's an insider from the industry he is calling crooks and charlatans even though he's part of the problem. Because it's the same old "Marketing Advertorial" of "my mousetrap...." being "the one true..." etc etc, you see from shoddy "home alarm" salesmen.

Gerard van VoorenJuly 5, 2015 5:22 AM

@ Nick P, Thoth,

"The actual security is highly dependent on the hardware, firmware, trusted components, and interfacing with untrusted components. Kernels themselves can't do the job alone as untrusted code might abuse the system through trusted code it calls. Hence, the whole TCB must be assessed and shown to mitigate against certain risks."

One can only choose the hardware, verifying chips is hard so that part is based on trust unfortunately.

A decent microkernel already does POLA, that mitigates threats. Now all servers (daemons) are already written in C and replacing these with safer languages would take a serious effort. Maybe there are alternative clever ways.

I think that there are two problems with microkernels that need to be addressed to gain increased security:

1) APIs with contracts. C has 'contracts' with assert, but that is rudimentary and it is not visible in the API. Having the APIs written in Ada (or another language that has contracts such as Racket) and link that to the existing C code would deal with abnormalities in the proper way.

2) IPC. Having a fast (binary), type safe, system wide mandatory IPC which handles the serialization / deserialization saves tons of code and eliminates a serious amount of bugs. An example of this is etypes. Again, this code could be written in Ada and linked to existing C code.


@ Skeptical

"I suspect AQ would simply have used a different haven, perhaps somewhere in Africa."

I agree. He could have moved to Africa (like he did). I also agree that rebuilding Afghanistan with all its internal struggles would be really hard. I only wonder that if the US tried he (and many others) would still have this anger towards the US.

Clive RobinsonJuly 5, 2015 6:12 AM

@ Gerard van Vooren,

... that rebuilding Afghanistan with all its internal struggles would be really hard. I only wonder that if the US tried he (and many others) would still have this anger towards the US.

Part of the problem is that the US never had any intention of "fixing Afghanistan", it was not what they were "invited in" to do. They made damn sure that they carried no liability for any of the actions or consequences of the behaviour and actions of their personnel prior to any "assistance". That is at the very least US military law had primacy over any other law.

Most people involved with "trade" have a simple ethos which you see on signs in shops "Break it and you pay for it". Society works in general on the "You break it you make good" principle which has been codified into law for thousands of years. If you go far enough back in Middle East history you will find law obligating a person who kills another to assume responsibility for the deceased's family.

The US nullified that code, and used it as a way of carrying out atrocities on a whim. It's thus not surprising that people in the Middle East and many other parts of the globe see them as the "Spawn of Satan" going around torturing and murdering people as though for entertainment.

Slime Mold with MustardJuly 5, 2015 7:40 AM

Re: How Microsoft Got To Be What It Is...

A tale of Bill Gates, IBM, computer illiterates, and the Joad family (from Steinbeck's The Grapes of Wrath ).

I was a bit player. Like tens of thousands of others, who, circa 1985, had to make a decision...

If anyone REALLY CARES - I'll write the other five or six paragraphs.

Nick PJuly 5, 2015 11:24 AM

@ Wesley Parish

It's an interesting idea and one we've considered here. Holding it back is largely for competitive advantage via lock-in far as I can tell. Remember that they've always used weird formats, proprietary protocols, and undocumented functions to make ports more difficult. They might also have 3rd party I.P. in the source code they can't share. Then there's also the embarrassment factor: something known since the Windows 2000 source code leaked with all the profanity in it. ;)

Even if they could publish it, I recommended that they release it under a proprietary, open-source license. Such a license let them charge for the source while letting people spot flaws and more easily extend it. There's quite a few companies doing that or dual-licensed stuff. Proven model so long as you can sell what you have.

@ Clive Robinson

I agree with your assessment. I similarly have a mix of praise and critique for him. The praise is him calling the game for what it is. The critique started the moment he threw sandboxing and whitelists in with the rest. He seems to think there's one tool or method required to stop attackers. He fails to realize that those two are good tools for handling certain issues. He also fails to realize there's quality differences among solutions in each category. Although most are bad, there are good approaches to firewalls, monitoring, sandboxing, whitelisting, and so on.

More on those two. The majority of sandboxes fail because they're built on foundations with many cracks in them. An example of sandboxing done right is the separation kernel approach I once pushed that isolates components on a TCB of around 6-12Kloc. For its interface, there's not much functionality there at all much less attacker opportunities. Likewise, good whitelisting on Windows stops two real threats: non-technical insiders installing dangerous software; social engineering attacks like the EXE-looks-like-PDF spearphishing effort that worked on many companies. Throw in that certain products lasted years of NSA pentesting, where they *gave up*, and one should believe some offerings have value even if most don't.

His final recommendation is Big Data and machine learning. These are mere buzzwords which suffer a similarly high signal-to-noise and con-to-real ratio to mainstream security. Everyone's doing cloud, scaling, big data, machine learning, and so on. I'm sure SAS and EMC will happily offer us security appliances that big data the problems away. His recommendation just layers his own bullshit on top of security industry's.

The real problem and resulting solution is already worked out: lack of POLA, code/data separation, and info flow control in our hardware. The security solution is simply to create mechanisms that enforce these in all operation states. Simple in concept, hard in practice. So, we modify the hardware, firmware, hypervisors, OS's, middleware, tools... anything necessary... to create and preserve these properties. We do the same for our networks, databases, and UI's. Simple methods like capability approach or language-based security can hide vast majority of details from users and developers. The result is a stronger baseline.

That's the measure I use to assess security products. It's how I know most aren't worth a penny. However, quite a few are and there's plenty of potential for the next one. Good news is academia and corporate R&D keep rolling out new solutions with working prototypes to analyze. We won't get security from the security industry but at least we might get it from *someone*.

@ Gerard

"One can only choose the hardware, verifying chips is hard so that part is based on trust unfortunately."

Gaisler's SPARC processors are open-source. Oracle open-sourced the T1 and T2 processors. The Rocket RISC-V CPU is open-source. The OpenRISC chip is open-source. With funding, these can be turned into ASIC's on their existing fab immediately. With a little more funding, they can be modified for a different one so long as it's not a smaller or very different process node. There's also several companies to choose from for making the masks and companies can obscure their identity to make targeted attacks more difficult. Companies like ChipWorks can easily spot modifications to a final chip if they have full details of what it should look like and how it works.

So, people wanting open hardware are in the most ideal position since the days when people rolled their own. That was more ideal but people don't want hand-wired, 5MHz chips these days. ;)

"A decent microkernel already does POLA, that mitigates threats. Now all servers (daemons) are already written in C and replacing these with safer languages would take a serious effort. Maybe there are alternative clever ways."

Already being done. There's a bunch of secure hardware prototypes that protect legacy code by changing the C compilers. Linux and FreeBSD have been ported to these. DIFT and CHERI research are examples. There's also programs that leverage existing hardware to better protect legacy programs. Control Pointer Integrity is best, recent example. There are also tools that automatically restructure and insert checks in C programs. Softbound + CETS is a recent example.

So, you can rewrite it all but don't have to. There might still be some rewriting to do where the tools can't handle something. Yet, that should be a small portion of the system.

"Having the APIs written in Ada (or another language that has contracts such as Racket) and link that to the existing C code would deal with abnormalities in the proper way."

It's a good idea and they do that as far as I'm aware. Another thing to do is use C verification tools such as Frama-C w/ ACSL for pre- and post-conditions. It's gotten good enough that it's already NIST-endorsed for aiding verification in high assurance software. I recently found out that it was also used on PolarSSL to prove absence of some errors.

"Having a fast (binary), type safe, system wide mandatory IPC which handles the serialization / deserialization saves tons of code and eliminates a serious amount of bugs. "

This is an issue that could use some standardization. The separation kernel vendors were using CORBA ORB's lol... OK Labs did a lighter-weight version of that with CAMKES. I think something like Google Protocol Buffers for microkernels would be ideal. If there's a message layer, I'd work from ZeroMQ before I'd work from CORBA. It's really an open issue as you said. Solution is to get more academics and middleware people trying to make a name by solving it creatively.
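The two items in the exchange above, API contracts and a type-safe serialized IPC format, fit in one small C example. This is an added illustration, not code from Gerard, Nick P, Genode or any of the kernels they name: the `ipc_*` names, the message types and the 3-byte wire header are constructed for this demonstration. The contracts are written as Frama-C ACSL annotations (`/*@ requires ... ensures ... */`), which are ordinary comments to a C compiler, so the file builds with any compiler and the contracts are checked only when Frama-C's WP plugin is run over it.

```c
/* Added example (not from the thread): a typed IPC message codec with
 * ACSL-style contracts on its two API functions. Wire format is constructed:
 *   byte 0     : message type tag
 *   bytes 1..2 : payload length, little-endian
 *   bytes 3..  : payload
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPC_HDR_LEN     3
#define IPC_MAX_PAYLOAD 64

enum ipc_type { IPC_PING = 1, IPC_SETNAME = 2 };            /* the only two schemas we accept */
enum ipc_err  { IPC_OK = 0, IPC_ERR_SHORT = -1, IPC_ERR_TYPE = -2,
                IPC_ERR_LEN = -3, IPC_ERR_NUL = -4 };

typedef struct {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[IPC_MAX_PAYLOAD];
} ipc_msg;

/* Contract: caller must hand us a writable buffer and a readable payload that
 * fits the schema; on success the return value is the number of bytes written. */
/*@ requires \valid(out + (0 .. out_cap - 1));
    requires \valid_read(payload + (0 .. len - 1));
    ensures  \result == IPC_ERR_LEN || \result == IPC_HDR_LEN + len;
    assigns  out[0 .. IPC_HDR_LEN + len - 1];
 */
int ipc_encode(uint8_t *out, size_t out_cap, uint8_t type,
               const uint8_t *payload, uint16_t len)
{
    if (len > IPC_MAX_PAYLOAD || out_cap < (size_t)IPC_HDR_LEN + len)
        return IPC_ERR_LEN;
    out[0] = type;
    out[1] = (uint8_t)(len & 0xff);
    out[2] = (uint8_t)(len >> 8);
    memcpy(out + IPC_HDR_LEN, payload, len);
    return IPC_HDR_LEN + len;
}

/* Contract: whatever bytes arrive, a successful decode only ever yields a
 * message of a known type whose length is within the fixed payload buffer.
 * The postconditions are what a receiving server may rely on without
 * re-checking, which is the point of pushing validation into the IPC layer. */
/*@ requires \valid_read(in + (0 .. in_len - 1));
    requires \valid(msg);
    ensures  \result == IPC_OK ==> msg->len <= IPC_MAX_PAYLOAD;
    ensures  \result == IPC_OK ==> (msg->type == IPC_PING || msg->type == IPC_SETNAME);
 */
int ipc_decode(const uint8_t *in, size_t in_len, ipc_msg *msg)
{
    if (in_len < IPC_HDR_LEN)
        return IPC_ERR_SHORT;
    uint8_t  type = in[0];
    uint16_t len  = (uint16_t)(in[1] | (in[2] << 8));
    if (type != IPC_PING && type != IPC_SETNAME)
        return IPC_ERR_TYPE;                       /* unknown schema */
    if (len > IPC_MAX_PAYLOAD)
        return IPC_ERR_LEN;                        /* declared length exceeds buffer */
    if (in_len < (size_t)IPC_HDR_LEN + len)
        return IPC_ERR_SHORT;                      /* truncated on the wire */
    /* Per-type schema checks: PING carries nothing; SETNAME is NUL-terminated text. */
    if (type == IPC_PING && len != 0)
        return IPC_ERR_LEN;
    if (type == IPC_SETNAME && (len == 0 || in[IPC_HDR_LEN + len - 1] != 0))
        return IPC_ERR_NUL;
    msg->type = type;
    msg->len  = len;
    memcpy(msg->payload, in + IPC_HDR_LEN, len);
    return IPC_OK;
}

int main(void)
{
    uint8_t wire[80];
    ipc_msg m;
    const uint8_t name[] = "clive";                /* 6 bytes including the NUL */
    int n = ipc_encode(wire, sizeof wire, IPC_SETNAME, name, sizeof name);
    printf("encoded %d bytes, decode -> %d\n", n, ipc_decode(wire, (size_t)n, &m));
    printf("truncated frame -> %d\n", ipc_decode(wire, 5, &m));
    return 0;
}
```

To check the contracts rather than just compile past them, run `frama-c -wp` over the file; the compiler alone only sees the runtime checks, which is exactly the "assert is rudimentary and not visible in the API" complaint above.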

Gerard van VoorenJuly 5, 2015 1:25 PM

A little bit off topic, but *really* funny.

Hillary Clinton Accuses China Of Hacking

I can't even explain it.

(ok, something with yes, that's obvious and maybe, maybe something with looking in the mirror, which she also obvious doesn't wanna do, or maybe it is just plain dumb populism that is so thin)

Clive RobinsonJuly 5, 2015 1:45 PM

More on the background to OPM failure, they can not deny they were told it was going to happen...

http://www.pasadenaweekly.com/cms/story/detail/?id=14669

Put simply a group of people doing open and non classified work at NASA were told that they would have to submit to the pig at the trough like behaviour of the OPM.

Supposedly it was "voluntary", when the workers said they had no reason to volunteer such information they got the OPM leaning on their employer and the employees were given the OPM "My way or the highway" message. The employees filed a court case, which they eventually lost because a DOJ lawyer lied to the court...

Thus the OPM had been told in open court that they were not considered to be fit and proper persons to hold such personally sensitive information. I suspect it's not the only time...

A Nonny BunnyJuly 5, 2015 2:02 PM

@Bob S

VPNs are so insecure you might as well wear a KICK ME sign

I wonder how long ago they did that study, because some of the data in the table shown is outdated: e.g. PrivateInternetAccess has at least 29 servers in 18 countries, not 18 in 10. And it has for a long time.
So hopefully the rest of the results are also grossly outdated... though I won't hold my breath.

Anyway, for my use-case I'm not worried. And my firewall blocks traffic that doesn't go through the VPN if it should have (assuming I configured it correctly).

A Nonny BunnyJuly 5, 2015 2:08 PM

@Gerard van Vooren

@Hillary Clinton Accuses China Of Hacking:

U.S. Democratic presidential candidate Hillary Clinton accused China on Saturday of stealing commercial secrets and "huge amounts of government information," and of trying to "hack into everything that doesn't move in America."

I'm pretty sure they'll hack the things that are moving as well. Like spy satellites.

And what, like the US isn't doing the same? We all know China only copies ;)

Clive RobinsonJuly 5, 2015 2:08 PM

Part of the Ed Snowden revelations, gave information about "a spy group" the Canadians called "Animal Farm" which they believed may well have been from France.

Well a quite sophisticated module-based back door called "Dino" contains code from other exploits attributed to animal farm as well as further French language indicators.

Aside from the fact Dino could be French Govt Espionage tools, thus the announcement has a tie in with the recent Wikileaks announcement, the backdoor is actually quite interesting in its own right,

http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/

Nick PJuly 5, 2015 2:53 PM

@ Clive Robinson

re OPM and NASA

Hadn't heard of it. That's really messed up. A new reason not to work for the government given there's no reason to believe this risk will change.

re Dino

That one actually is interesting. Much better organized than most. It's like someone wanted to re-create their own work environment in the malware for... ease of use? Didn't the old-school tools like Back Orifice and SubSeven do similar things to aid script kiddies? We might be seeing these developers' version of how real hackers create tools for less-skilled foot-soldiers to use.

I like the author's analysis of the probability of language false flag. Further down the rabbit hole, they might realize that's what the France-hating creator wanted them to think. ;)

Note: Best possible outcome is if we find out it's French-speaking developers in Canadian intelligence being tracked by security investigators in the same organization. Unlikely, but I'd laugh my ass off. Still waiting for that level of government incompetence in these things. So far, they're all doing much better than I'd have hoped for...

Nick PJuly 5, 2015 7:19 PM

SlopPy: An error-tolerant Python interpreter that facilitates sloppy programming

"Whenever SlopPy encounters an uncaught exception, instead of crashing the script, it will create a special NA ("Not Available") object, make that the result of the current expression, and continue executing normally. Whenever an NA object appears in an expression, SlopPy propagates it according to special rules. For example, all unary and binary operations involving NA will return NA.

SlopPy allows imperfect scripts to finish executing and produce partial results (and a log of all exceptions), which can be more informative than simply crashing at the first uncaught exception. SlopPy is a drop-in replacement for the Python 2.6 interpreter, so it should work seamlessly with all of your existing scripts and 3rd-party libraries with no run-time slowdown."

As if the programming wasn't sloppy enough haha... In other news, there were some nice presentations on mainstream OS work here with one mention of high assurance, interesting unikernel stuff, and enough mentions of Docker that my mind began trying to block it out. Least the mainstreamers are learning lessons about modularity, portability, and especially *avoiding monoliths*. Seems like they might accidentally be creating new forms of monoliths, though. Hmm.

One thing that bothers me with these sites is they're almost cult-like with a slew of unfamiliar words that only these types of people use with few definitions but plenty zeal. The more it involves the cloud techs, the more this is the case. At least many of these justify a lot of it with good arguments vs traditional techniques.
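The quoted NA rule is easy to see with a small model, and the page's other examples are in C, so here it is as a C sketch rather than in Python. This is an added illustration and not SlopPy's code (SlopPy is a modified Python interpreter); the `slop_*` names, the `slop_val` tagged value and the per-host request data are all constructed. It models only what the quote states: an uncaught error becomes NA, any operation with an NA operand yields NA, and the script finishes with partial results plus a log.

```c
/* Added example (not SlopPy's code): a tagged value that is either an
 * available integer or NA, with the propagation rule from the quote. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { bool na; long v; } slop_val;   /* v is meaningful only when !na */

/* The "log of all exceptions": how many errors the run swallowed instead of raising. */
static int slop_exception_count = 0;

static slop_val slop_int(long x)  { slop_val r = { false, x }; return r; }
static slop_val slop_make_na(void) { slop_val r = { true, 0 }; return r; }

/* Binary ops: NA on either side yields NA. A would-be ZeroDivisionError is
 * recorded in the log and turned into NA instead of stopping the run. */
static slop_val slop_div(slop_val a, slop_val b)
{
    if (a.na || b.na) return slop_make_na();
    if (b.v == 0) { slop_exception_count++; return slop_make_na(); }
    return slop_int(a.v / b.v);
}
static slop_val slop_add(slop_val a, slop_val b)
{
    if (a.na || b.na) return slop_make_na();
    return slop_int(a.v + b.v);
}

/* Constructed workload: requests per host divided by a sampling window.
 * Host 1 has a zero-length window, the kind of bad record that kills a strict script. */
#define N_HOSTS 4
static const long hits[N_HOSTS]    = { 100, 250, 40, 90 };
static const long windows[N_HOSTS] = {  10,   0,  8,  9 };

/* Strict semantics: first error aborts the whole computation (-1 here). */
long strict_rate_total(void)
{
    long total = 0;
    for (size_t i = 0; i < N_HOSTS; i++) {
        if (windows[i] == 0) return -1;
        total += hits[i] / windows[i];
    }
    return total;
}

typedef struct {
    long     rate[N_HOSTS];     /* per-host partial results */
    bool     rate_na[N_HOSTS];
    slop_val sum;               /* the aggregate, once NA has been folded in */
    int      exceptions;        /* what the log reports */
} slop_report;

/* Sloppy semantics: every host still gets evaluated, but because the running
 * sum is built with slop_add, a single NA poisons the aggregate. The caveat for
 * anyone consuming such output: a finished run is not a correct run, and only
 * the exception log says which values never existed. */
slop_report sloppy_run(void)
{
    slop_report r;
    slop_exception_count = 0;
    slop_val sum = slop_int(0);
    for (size_t i = 0; i < N_HOSTS; i++) {
        slop_val rate = slop_div(slop_int(hits[i]), slop_int(windows[i]));
        r.rate[i]    = rate.v;
        r.rate_na[i] = rate.na;
        sum = slop_add(sum, rate);
    }
    r.sum = sum;
    r.exceptions = slop_exception_count;
    return r;
}

int main(void)
{
    slop_report r = sloppy_run();
    for (size_t i = 0; i < N_HOSTS; i++)
        r.rate_na[i] ? printf("host %zu: NA\n", i) : printf("host %zu: %ld\n", i, r.rate[i]);
    printf("sum: %s, exceptions logged: %d, strict total: %ld\n",
           r.sum.na ? "NA" : "available", r.exceptions, strict_rate_total());
    return 0;
}
```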

WaelJuly 6, 2015 1:05 AM

@Nick P, @Thoth,

It's gotten good enough that it's already NIST-endorsed for aiding verification in high assurance software.
High assurance no more :) ...

That's right! "Shanghai Curse", "Anguish Chaser", "Anguish Search" are adequate anagrams :)

tyrJuly 6, 2015 1:26 AM

@ Nick P

I had to laugh when the SlopPy page offered to compile it
for your computer. While it may be well meaning it would
seem a lot better idea to let the end user do most of
the work.

I'd say it's not quite ready for prime time but makes me
nostalgic for the old ROM chip BASIC Interpreter which
you could crash without it stepping on itself. It is a
noble effort though.

WaelJuly 6, 2015 1:55 AM

@Thoth,

The clue is on this sentence:

pH–sensitive Hydrogel with Alkaline Silicon Etching (pHASE) transient sensor will be a self-powered wireless sensor deployed in a mesh network to monitor its surroundings.

I would think altering the pH will deactivate the sensor or cause it to "evaporate"! I guess the acronym "VAPR" isn't a coincidence -- it's too close to "vapor". Just a speculation, first time I hear of this ...

How do they alter the pH on command? My guess is as good as yours ... Could be done many ways.

WaelJuly 6, 2015 5:51 AM

@Thoth,

was hoping if someone had the experience.

You addressed by name not by "experience". What's not precise and how?

ThothJuly 6, 2015 8:29 AM

@all
What a shame that the SG Govt is stooping so low.... A spreadsheet showing some Agencies that are customers. There is one entry for Singapore... the Infocomm Development Agency. What a huge shame on them. Their primary mission in Singapore is to:

1.) Develop Singapore's IT/IS skills and workforce.
2.) Standardize IT and also promote IS.
3.) Regulate information (includes censorship).

and now ... evidence of using Hacking Team's tool against its own citizens seems to be appearing especially with this spreadsheet ....

IDA is NOT supposed to be in charge of cyber-offensive and SIGINT which is left to the local Military to do (especially with the opening of SG's Cyber Command). Although it is nothing shocking to know about their relationship, it is rather weird that an organisation that is tasked to promote security and information development has a secondary agenda (again nothing surprising).

Link: http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html

AlfredJuly 6, 2015 8:56 AM

According to this page at Reporters Without Borders, the Hacking Team software is supposedly able to "break encryption" on emails "encrypted with PGP".

Does this mean encryption can no longer be considered as safe as Bruce likes to portray it as? Or just that the implementation in PGP is broken? Or is this just Hacking Team's marketing hype?

http://surveillance.rsf.org/en/hacking-team/


Hacking Team’s "DaVinci" Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP)

Nick PJuly 6, 2015 9:33 AM

@ Thoth

"3.) Regulate information (includes censorship)."

That's what the hacking tools are for.

ThothJuly 6, 2015 10:05 AM

@Alfred
Algorithms and protocols are usually safe. The implementations and endpoints are not. You attack from the implementations and endpoints as they are always the weakest link.

@Nick P
Quite surprised they did not pass the hacking job to the Cyber command, CSIT, DSO, DSTA and all the other SIGINT agencies here but took the job themselves.

tyrJuly 6, 2015 3:25 PM

@ Thoth, et al

I've noticed that any agency has a nasty habit of mission
creep that can usually be traced back to one or two over-
zealous individuals. You can see this in the current state
of LEO wanting to add cyber, anti-terror, and national
security to every minor police force on the planet. The
same thing occurs when some minor bureaucrat has a budget
that doesn't get technical oversight.

Assuming that these agencies are driven by rational, logical
and deterministic motivations is the road to grievous error.
There's a lot more going on than the public faces of policy.

I love the one man band theories concerning leaks. You'd
think that the planetary population size might clue those
who think Ed Snowden is the lone ranger into the possibility
that there are others who aren't particularly pleased with
the new model surveillance society. Maybe we need to get
past Bentham and call it the Ubiquicon instead of the
panopticon. I think Zuboff is onto something with her basic
description of "surveillance capitalism" and everyone wants
to get in on the new paradigm even if they only dimly see
what it is.

Clive RobinsonJuly 6, 2015 4:09 PM

@ Alfred,

As @Thoth above notes, it's not usually the encryption algorithms that fail, but the implementation in the endpoints.

There are two ways this failure can happen for an attacker, passively or actively. The former is due to implementation issues in the system opening up side channels that leak information, the second, by the attacker making changes to the system. A passive attack is difficult to detect, and you have no indicator that it is being monitored or by whom. An active attack leaves footprints in the system which can be very much more easily detected, and reveal information about the attacker and their direction.

The more covert and skilled an attacker the less likely they are to use an active attack, due more to protecting their own people who are more valuable the more skilled they are. However commercial organisations have "share holders" to consider over their own personnel and this means they prefer to go with lower skill and covertness, especially if a well paying customer is actually doing the attacking and acting on any information obtained. A commercial company with moderate skill can move the parts of the actual attack around and disguise them and their interfaces in various ways similar to polymorphic code used in virus malware (Zeus was in effect a lead in this direction, though their customers were "honest" criminals with simple data requirements not state protected thugs looking to dispose of people in various ways).

There are standard "OpSec" procedures for dealing with both passive and active attacks on encrypted communications systems that I and others have mentioned on this blog for a considerable time that pre-dates the likes of the Ed Snowden Revelations and the majority of the "cyber-commands" that have become the "must have status symbols" for dictators, tyrants and despots as they try to follow in the footsteps of the supposedly more civilized representative political systems with the representatives having "for sale" signs or "rate cards" for those with the cash or clout to buy them...

The first and most important step is isolating "message encryption" systems from communications and communications encryption systems. That is the messages need to be independently encrypted and decrypted on systems that are always used "Off line" --in the security not communications sense-- which starts with them being suitably "energy gapped" (that is galvanically, physically and all possible energy channels gapped). This is actually quite difficult to do due more to "human" than technical issues.

For obvious reasons such "energy gapping" is due to physical issues fairly visible if individuals are under observation unless considerable care is taken, which also has the danger of tying down agents, or tying them to operators. It's a problem that was well known during WWII and a little historical research on the real SOE and downed airman support organisations Ian Fleming fictitiously called "Q Branch" in the James Bond books will give you a good idea of what is involved. Even today the basics are the same it's just that the technology has got a lot lot smaller, whilst also making detection of physical deception by agents much much easier. However interestingly, innovation usually benefits the agents not the attackers first, and it's this differential that allows "The Great Game" to continue at an ever increasing pace.

However technology has defects, for instance anyone thinking that "flash memory" chips are a good way to do One Time Pad (OTP) Key Management (KeyMat) for agents due to the very very small size, needs their head examining. Preferably before any agents they are responsible for have their heads examined rather physically by an attacker.

Likewise ensuring the "T" in TRNG really means 'true' in the security sense needed for OTP KeyMat, not the 'D' (deterministic) or 'P' (pseudo) in less secure and insecure meanings of random bit stream / number generators, is contrary to what many people think actually a quite difficult problem especially where high volume is required (hence we often use the less secure CS-DRNGs that the likes of the NSA reputedly tried to put a back door in).

Security is hard at the best of times and is damn near impossible if not fatal for the ill prepared or inexperienced in the face of a skilled and determined attacker.

And this is just one of the reasons the UN is making enquiries about the business activities of certain companies when it comes to human rights abuses.

ThothJuly 6, 2015 7:24 PM

@tyr
I am pretty sure Singapore's IDA does not have the expertise nor legal provisions to engage in Cyber Command activities as these are for the local Military/SIGINT organisations. It is purely scope creep and out of the boundary.

It is like asking a Civil Defense team to be equipped with firearms without explicit permits nor firearms training. Sounds hilarious but in a distorted manner.

Although it is not known to be legal for that organisation to carry cyber-weapons, I doubt if the SG Govt would disapprove since they are all one family and have shown to protect themselves pretty well.

ThothJuly 7, 2015 12:56 AM

@Bruce Schneier, all
Re: Hacking Team is Hacked (https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html), Comment:

"EDITED TO ADD: Hacking Team had no exploits for an un-jail-broken iPhone. Seems like the platform of choice if you want to stay secure."

That is a very bad advice. No exploits does not mean it is proven to be secure. One indirect example being Linux and Mac OS were not so widely used in the past and most people thought that switching to Linux or Mac OS would mean they are more secure because they are more obscure which is unhealthy. Similarly, an "un-hacked" phone does not prove it is not hack-able.

We know that phones are hard to secure as they were not designed with security in mind at the outset of their design. Most of us would dismiss phones being less capable of being used as security appliances for the general public save for Governments and big corporations like General Dynamics and Thales have created product lines for secure mobility.

The feature for a safer and higher assurance rated phone for the public would have to make a lot of changes but some of them are within practical limits to be effected.

- TEE environments should not leverage on secure/normal world but to allow more virtualization types. What happens if a malware signed and installed in the Secure World starts kicking about ?

- We should take into consideration that every process has its own resources and be segregated (Process Separation) and also allow bulk separation (World Separation).

- Move away from Unix-based authentication systems like recognizing root access and simply redo the kernel to only allow userland login. There should be no additional hidden credentials of any sort as a backdoor. If the user fails to login, it should fail gracefully.

- Expand usage of hardware TPMs and SEs in the APIs and by default. Let the users take advantage of these TPMs and SEs as much as possible. The current Android's Keychain API only handles RSA keys and symmetric or non-RSA keys are left out in the cold. Using RSA keys to wrap a symmetric key could be possible but takes a lot of effort.

- Native support for PCSC/PKCS11 besides using seek-for-android 3rd party open source APIs to access PCSC/MSC APIs.

- More work to be done in the TrustedPath department for higher assurance GUI / Framebuffer handling. Proper isolation of framebuffers, logical units of codes and other units into different security zones or worlds (Process/World separation) with more advanced options above the TrustZone could allow untrusted applications to also have a secure GUI frame isolated within itself since there will actually be no separation between secure/insecure zones anymore as all zones are treated as untrusted and isolated.

The idea of zone separation has already been implemented in GlobalPlatform/JavaCard environments where card applets (cardlets) are segregated within their domains and are all treated as untrusted between each other which allows you to load a whole range of different levels of sensitivity applications within the "secure" confines of the cardlets. Only the ISD domain (root domain) is trusted and its routine is simply to manage applets (Add/Delete).

- SELinux permissioning should be removed as it has proven to be ineffective and only by means of secure isolation is it proven to lessen attack surfaces. Users are always going to click the "Accept" or "Allow XXXXX App Access" blindly. The better way is to virtualize all resources and allow resource whitelist/blacklist and secure encrypted versioning with a user created root device keypair. In the event a virus were to attempt to eat away at some precious data, it could be restored as needed to a limited extent to limit damages. Cryptographic version checksumming to detect malware chewing away at data and securely sanitizing unreliable data would be most welcomed.

- Tracking of who has access to what resources and how it is used would also be a good feature as you might want to block certain resources being accessed from certain apps. One example is you don't want a chat program to dump all your PIIs, videos, photos, switch on your microphone or snap pictures from your phone cameras when you simply don't want to authorize it to do so. If you want to use the camera, you could assign it the resource exactly the moment you want it to do so by provisioning the device resource to that process at the particular moment in time and no more than it needs.

These are some basic extent that a mobile device's (micro)kernel/OS and hardware should be doing in this era of mass intrusion of privacy and instability.

ThothJuly 7, 2015 1:04 AM

@all
A contactless JavaCard applet market. Sells its NXP contactless smartcards for developers and users to pair with their NFC phones to load applets for real world use.

Link: http://fidesmo.com/

AlanSJuly 7, 2015 8:57 AM

More Susan Landau on Comey and encryption: Keys Under Doormats: Mandating Insecurity

I'm concerned about the issue of how exceptional access might work. You've heard how important such access is, but you haven't been told how such exceptional access would work. There's good reason for the silence. The difficulty is that as soon as an actual proposal for getting at the plaintext of encrypted data — whether in motion or at rest — is presented, the problems with the "solution" are exposed....The problem is that once one gets into the nitty gritty of how exceptional access might actually work, the idea of exceptional access looks more like magical thinking than a realistic solution to a complex technical problem.

Links to a new report:
Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications
Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Whitfield Diffie, John Gilmore, Matthew Green, Peter G. Neumann, Susan Landau, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, and Daniel J. Weitzner


k10July 7, 2015 11:43 AM

2 questions. 1. Empirically, what is the most secure (incl. against MITM) way to get your snail mail? (Mailbox? Po box? Something else?) And 2. Should access to crook-free comm channels be a civil right, and if so, how would one's govt go about ensuring it?

FigureitoutJuly 7, 2015 11:17 PM

Thoth RE: bae sensor
--Can't even view that site unless I turn on javascript...Strikes me as a mostly offensive weapon, so "good luck". I'm a junior COTS engineer so can't help, ask some "war hawk" contractors. I'm betting its "power scavenging" is nearly matched in COTS w/ tech., some of it I've peeked at but never had a chance to take it to the lab. 2-way RF...basic, all the onboard sensors...basic, being triggered...basic. Most of it should be doable w/ COTS (but you won't be making this at home), size and performance are the biggest questions. But at the end of the day it's going to a) have lots of crappy data and b) not work that well and c) create lots of unnecessary pollution and d) b/c of short range and physical nature expose an attacker if target is actually good (drones will again give clues and unless it self-destructs will lead back to possible operator).

You probably won't laugh but I find it funny, again man, the self-destructing hardware! What's w/ you?!

RE: fidesmo
--Can't view that site properly again due to all the javascript. NFC has a big problem..smartphones and attack surface...

However wondering if anyone has tried this android app: http://www.paranoiaworks.mobi/sse/ Can't find any crypto reviews but my first impression is very easy-to-use crypto (in addition to encrypting your phone, and password; adds some nice steps to one's digital stance). No annoying ads too so another plus. The clipboard eraser doesn't work but you can still access it and delete it (which still isn't actually deleted in regular smartphones lol).

Simple sample protocol for a "secure text" (read: not secure since we can't monitor the attack surface b/c it's too large) is encrypting text w/ one of the ciphers, say Serpent-256. W/ your friend who knows how to use PGP and you've exchanged email contact details (which is a weakness in probably all security protocols I'll think up, it seems to be a kind of impossibility to verify and authenticate remotely w/o being easily attacked and spoofed), write and save email to wipeable USB stick on LiveCD airgapped PC (could be your RasPi too). Take laptop w/ Tails to free wifi somewhere off your schedule, email text, as well as password for encrypted text-message and cipher used. Send encrypted text and wait for response.

Fairly strong, and quite usable and doable (once you've gotten started practicing decent OPSEC for a few years).

ThothJuly 7, 2015 11:59 PM

@Figureitout
RE:Fidesmo
I see it as a good opportunity to use it as a mass propagation tool for security applets but at a cost of user comfort as now Fidesmo gets to control the applet. Maybe a secure bootloader as the applet that bootloads more codes would be useful.

As I have mentioned, the RFID/NFC crypto and mechanics are uncomfortably insecure and not going to be the best. It took a long time to get the contact based smart cards to work properly (SCP02 and SCP03 secure channels) let alone the RFID/NFC ones.

I have setup a project page specifically for exploring booting Genode and blogging my experiences in handling them. You can find them via:

Link: https://askg.info/research/genode/

Self-signed TLS Website Certificate SHA1 Hash: 99:64:91:5E:C6:F2:C8:1F:29:52:02:03:D1:CC:90:F9:E5:E3:5A:D8

Currently it doesn't contain any contents and the resources have to be cautiously used as they may or may not work properly (Intel 32 bit Linux/Fiasco.OC). Currently I have only managed to use its script and QEMU to boot it with and without graphics (terminal access).

I will focus on the Intel 32 bit before moving on hopefully to ARM although no promises :) .

FigureitoutJuly 8, 2015 12:54 AM

Thoth RE: rfid/nfc
--Yeah, they're fun; useful for perhaps quick exchange if under surveillance or setting up your own rfid/nfc lock at home which is kinda nifty I guess. The arduino rfid ones allow you to write to the card and then transmit that to a reader if I understand correctly; I haven't tried b/c they warned one could "brick" the card easy writing to wrong spot. BUT, I'm sure you've read about criminal attacks on RFID/NFC credit cards (also hacks to extend range, sometimes kind of absurd lengths than what you think is rfid/nfc...); anyone passing you w/ a reader could swipe that info since reader provides power, so if you take a subway daily or heavily crowded city out of question if you really care about the data.

RE: genode/fiasco
--Good, quality work takes time. Was meaning to mention an Intel board, galileo ( http://www.intel.com/content/www/us/en/embedded/products/galileo/galileo-overview.html ) but Intel has enough money IMO. Have you heard that they're working on 14nm and 10nm chips? So...retarded, making verification more impossible. Sounds like they're having trouble and delaying it another 6 months or more.

Kernel code and OS/RTOS/microkernel/etc. code is just a bit much for me now. I still like below OS for now, much smaller code base; but of course not nearly as useful or usable.

I haven't been able to finish up the HWRNG stuff and I have more tests and a little write-up I'll post. I've never built or studied them before and I've done a bit now, but I want to come back to it later kind of. W/ regular discrete components it'd be hard to fit in my copper shield box and I'll need some shielded wire (special kinds that you can't really do at home); surface mount it'd be easy (just not to solder...). Just...busy...grrr always happens and then get too tired to work lol. Man, always. Once summer ends my personal research time goes out the window completely...

But for time-being I can't prove easy EMSEC attacks on the RNG but I know they're there.

But anyway, as is laid out in the TFC manual, you can use this circuit to sample some numbers on the RasPi or Arduino in my case, and then run them through a CSPRNG w/ other samples. My other project involved a board most people won't have so I'm just using it as practice for a short-range RF-security project I have in mind (it'll avoid internet channels, that's main thing for me and should be for others; random internet attackers won't be able to get a radio nearby unless they're ultra-stalkers).

ThothJuly 8, 2015 1:29 AM

@Wael
It took you quite some time to find the meaning to my name but still ... better late than never.

Please don't lump me with the sensitive "I" word. I don't want a cruise missile landing on my door steps from a USS submersible in regional waters. Please use the word Aset as her Kemetic name.

@Figureitout
The problem with usual smart card NFC/RFID is they don't usually use 3DES/AES based SCP02/03 "secure" channels due to how long it takes. Non card based may not even support them :) .

WaelJuly 8, 2015 1:45 AM

@Thoth,

It took you quite some time to find the meaning to my name

You didn't pay attention to this post? Oh no! I'm more than familiar with Egyptian methology! I studied it since elementary school and visited most areas of interest there! Are you sure you know the history of your name?

Oh well, I stand by my theory until you debunk it or come up with a better explanation.

WaelJuly 8, 2015 1:58 AM

Geeeez... I misspelled "Mythology"! Almost spelled it like "Methamphetamine" -- a coincidence, really!

ThothJuly 8, 2015 5:20 AM

@Wael
Meth-ology ... so you meant that people writing myths are on drugs ?

Probably you are more right than not to call it Methology since it is rather true that some of them might have been drugged up before penning something down that would be passed on for ages.

Ah ... you seem to have figured my "name" out awhile ago. Guess I have forgotten that one.

WaelJuly 8, 2015 5:57 AM

@Thoth,

Rumor has it that Egyptians visited the Americas before Mr. Columbus did. Traces of cocaine and nicotine were found in several mummies. Other similarities with ancient cultures support this theory, too!

some of them might have been drugged up before penning something down that would be passed on for ages.

Correction: Some of them might have been drugged up before chiseling something up that would be passed on for ages. So you could say Ancient Egyptians went on long trips; Sea voyages and acid trips :)

Ah ... you seem to have figured my "name" out awhile ago. Guess I have forgotten that one.

It's in my DNA , so I didn't need to "figure it out". Oh, no! I tore @Figureitout apart -- lol. Will have to wait for his wrath tomorrow (or today.) You forgot, eh? I have just the right prescription for you! Now where is that link to the Milk of amnesia :) Seems I need a spoon or two myself!

Clive RobinsonJuly 8, 2015 6:08 AM

@ Thoth, Wael,

Meth-ology ... so you meant that people writing myths are on drugs ?

In Xanadu, the Kubla Khan a stately pleasure doom did decree...

One of the slightly more modern "myths" that reputedly was written under the influence of "a penny's worth of the finest" dried sap from a certain poppy species... not the more modern chemical brain state unbalancers, that are reputed to smell like feline urine...

WaelJuly 8, 2015 6:17 AM

@Clive Robinson,

There is a cheaper way. Smoking dried up cockroaches will have the same effect, some say :)

ThothJuly 8, 2015 6:29 AM

@Wael, Clive Robinson, Nick P ...etc...

"You forgot, eh? I have just the right prescription for you! Now where is that link to the Milk of amnesia :) Seems I need a spoon or two myself!"

I guess I am too busy with real life stuff like handling a recent case of a client of mine losing his cryptographic Key Loading Device (KLD) and a stack of blank smartcard tokens (~ 20 pieces ?).

Good thing the KLD was not loaded with live keys and the smartcard tokens containing the live keys were supposedly still in safe hands.

I think we all need a spoon or two too especially for that poor client who lost at least ~ USD$5000 of items (without live keys otherwise his head might roll). The flimsy looking KLD itself was already a couple of thousands USD worth by the way.

I wouldn't be surprised that Kublai Khan, Genghis Khan and his descendants had taken a spoon or two since it was reputed that Genghis Khan invited a reputed Taoist Priest and Alchemist from China, Qiu Chuji, to his court to teach Chinese alchemy and had him bring some mercury pills. Qiu Chuji supposedly claimed he had no recipe of sorts but taught him Taoist yoga practices to lengthen his lifespan. Kublai Khan is said to have invited magicians, priests, sages and even the Tibetan lamas famous for their knowledge of esoteric and scriptural Buddhist teachings. Are they on a dose or two of the fine nectar ? Most likely :D .

Clive RobinsonJuly 8, 2015 6:33 AM

@ Wael,

I'm aware of dried, mushrooms, banana skins, mace (husk of nutmeg) and a couple of other things including some frogs, but roaches is a new one on me...

As for that bloke Columbus, boy was he ever a late comer to the party, the Egyptians were not the only ones, you can add to the list the Vikings, Welsh and possibly the Huns.

WaelJuly 8, 2015 6:49 AM

@Thoth,

I guess I am too busy with real life stuff

And we're playing around staying up until 5:00AM?

ThothJuly 8, 2015 7:11 AM

@Wael
Please calculate using my time (GMT +8). I think you have forgotten my location :D . It was about 7pm when I replied.

Markus OttelaJuly 8, 2015 7:21 AM

@ Bruce Schneier et al.

Some thoughts on Keys under doormats: Mandating insecurity by requiring government
access to all data and communications
from the perspective of OSS/FOSS:

1.1
It looks very much like privacy is a secondary goal;
By the sound of the congressional hearing of FBI representatives, there are no smart ideas how exceptional access would be implemented. Instead, they seem to think the government should create a Hayden-box for companies to operate in, and the free markets would then secure the communications however possible (filling the box to its edges).

3.1-3.3

"If the data is encrypted, the most obvious mechanism to allow for police access
would require that traffic between Alice in country X and Bob in country Y would have
its session key also encrypted under the public keys of the police forces in both X and Y,
or of third parties trusted by them."

Another question is, how can LEA trust Alice does not edit source code of software in a way that plaintext P for Bob is different than P' encrypted with public keys of police forces of countries X and Y.

Should applying theory of crypto or libraries, and writing or publishing one's own software be also illegal, even if there is no economic gain or industry to speak of?

4.2 bullet 3:

How would providers of open source software covertly insert the backdoor? Why would anyone download patched software? Why wouldn't they just remove the added lines of code?

WaelJuly 8, 2015 7:24 AM

@Thoth,

I go by the time zone I live in! That's what counts to me and my sleep cycle. Good night!

Markus OttelaJuly 8, 2015 7:42 AM

@ Figureitout:

"--random internet attackers won't be able to get a radio nearby unless they're ultra-stalkers."

My guess is it's more practical to listen to the samples emitted by the HWRNG circuit than it is to inject to it. Both versions allow you to XOR the whitened HWRNG output with /dev/(u)random so there is no single weak link.

The OTP version also evaluates the data read from HWRNG, so were an adversary to produce a constant string of ones, it would not be accepted by genKey.py.

When you connect the HWRNG to RPi, you could use twisted pair cable to connect GPIO and GND, that should block a lot of the noise. Additionally, injection moulded metal boxes are cheap, practically TEMPEST proof and they can house the RPi, HWRNG and batteries during sampling.
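The two defensive ideas in this post, XORing the whitened HWRNG stream with the OS CSPRNG so that no single source is a weak link, and refusing degenerate samples such as a constant run of ones, as an added example; this is not TFC's genKey.py, and it assumes the HWRNG output has already been whitened into bytes and uses constructed sample data so it runs offline:

```python
"""Mix an external HWRNG sample stream with os.urandom() behind a sanity gate.

Added example, not TFC's genKey.py. Assumes the HWRNG sample has already
been whitened into a byte string as the post describes.
"""
import os


def is_degenerate(sample: bytes, max_run: int = 32, max_bias: float = 0.60) -> bool:
    """Return True for streams no healthy whitened source would produce.

    Two cheap gates: a long run of identical bytes (covers the constant
    string of ones from the post) and a gross monobit imbalance. This is a
    stuck-or-injected-source check, not a statistical test suite; it can
    reject obvious failures but cannot certify that the source is random.
    """
    if len(sample) < 64:
        return True  # too little material to judge; treat as a failure
    # Longest run of identical consecutive bytes.
    run = longest = 1
    for prev, cur in zip(sample, sample[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    if longest >= max_run:
        return True
    # Fraction of one-bits across the whole sample.
    ones = sum(bin(b).count("1") for b in sample)
    frac = ones / (8 * len(sample))
    return frac > max_bias or frac < 1 - max_bias


def mix_entropy(hwrng_sample: bytes, os_random: bytes) -> bytes:
    """XOR the HWRNG bytes with an equal-length OS CSPRNG string.

    If either input is unpredictable to the adversary the output is too, so
    an observed or manipulated HWRNG on its own does not expose the key.
    Equal lengths are enforced so nothing is silently truncated or reused.
    """
    if len(hwrng_sample) != len(os_random):
        raise ValueError("entropy inputs must be the same length")
    return bytes(a ^ b for a, b in zip(hwrng_sample, os_random))


def derive_key_material(hwrng_sample: bytes, length: int = 32) -> bytes:
    """Gate the HWRNG sample, then mix its first `length` bytes with os.urandom()."""
    if is_degenerate(hwrng_sample):
        raise ValueError("HWRNG sample rejected: stuck, biased or injected")
    return mix_entropy(hwrng_sample[:length], os.urandom(length))


if __name__ == "__main__":
    # Constructed sample standing in for a whitened HWRNG read; not real data.
    good_sample = bytes(range(256))
    print(derive_key_material(good_sample).hex())
    try:
        derive_key_material(b"\xff" * 64)  # the constant-ones case from the post
    except ValueError as exc:
        print("rejected:", exc)
```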

ThothJuly 8, 2015 7:53 AM

@Markus Ottela, Bruce Schneier, et. al.
RE: Keys under doormats: Mandating insecurity by requiring government
access to all data and communications from the perspective of OSS/FOSS

I have not read the actual document itself but here's some thoughts.

"Another question is, how can LEA trust Alice does not edit source code of software in a way that plaintext P for Bob is different than P' encrypted with public keys of police forces of countries X and Y."

"It looks very much like privacy is a secondary goal;
By the sound of the congressional hearing of FBI representatives, there are no smart ideas how exceptional access would be implemented. Instead, they seem to think the government should create a Hayden-box for companies to operate in, and the free markets would then secure the communications however possible (filling the box to its edges)."

I think a bunch of smart cryptographers and privacy experts are simply trying to mock at the idea of "Key Escrow" being possible ? Imagine the hundreds of countries and each country has its own selfish agencies, how many Public Keys would you need to encrypt a global encrypted chat and what if the chat messages are routed in a sort of TOR-like network or a Darknet ?

How about the Box-in-a-Box concept where you encrypt something offline with a trusted separate mechanism you trust and toss it into the escrowed chat program and your partner decrypts the Box-in-a-Box offline in a trusted separate mechanism ? You could build your trusted encryption circuits from scratch with transistors (http://megaprocessor.com) considering you distrust all blackbox IC chips as an example ?

The fact is that these frontdoors or backdoors are not technically feasible with a lot of contradicting conditions. I am guessing it is another attempt to shove the issue at the Anti-Crypto gangs' faces by playing their games and showing that it is unlikely to succeed.

Markus OttelaJuly 8, 2015 9:26 AM

@Thoth:

Tor-routing doesn't matter if the plaintexts are encrypted with government issued public keys: If the alternate ciphertext is concatenated and sent to server, it can be read from that location. Content can most of the times be used to identify participants so whatever anonymity Tor offers, it's probably not enough unless messages have confidentiality.

But if it wasn't clear, I'm with the authors on this one; Adding the public key for every LEA is infeasible, but my point was that even if there was a single global adversary, and therefore a single public key, an open source software might not encrypt the same plaintext for both the recipient and the LEA.

You're right about a trusted AEAD mechanism being globally uncontrollable -- information how to implement provably secure algorithms and systems unforgettable and unrestrictable.

WhatValueIsThisJuly 8, 2015 10:42 AM

Senate Advances Plan To Make Email and Social Sites Report Terror Activity

http://tech.slashdot.org/story/15/07/07/2135210/senate-advances-plan-to-make-email-and-social-sites-report-terror-activity

This should wreak havoc with Google, Facebook, Microsoft, & others.

Oh, wait! Doesn't the primary spook agency already have all of this stuff? Are they now abdicating the jobs they claim to have been given? Maybe they weren't doing this to start with (all FUD).

Maybe they weren't given that job in the first place and are now trying to weasel out of liability (or responsibility) for what they have done or failed to do.

Why is Congress trying to pass the buck to sites that don't know shinola about terror activity when they already have organizations that are significantly better equipped to do this? How much will taxpayers be paying those sites for performing this government agency work that they are not qualified to perform? Sounds like another round of corporate-inspired welfare (for corporations).

Nick PJuly 8, 2015 11:23 AM

@ Figureitout

"Have you heard that they're working on 14nm and 10nm chips? So...retarded, making verification more impossible. Sounds like they're having trouble and delaying it another 6 months or more."

Remember the lesson from our old hardware guru here. He reminded us that designers practically fight against the laws of physics to get sub-90nm designs working. That it gets harder and harder as it goes downward. The 10nm and 14nm designs with little tool support will take the best people to even produce. Backdooring such a black box will either be hard or impossible for a period of time without knowledge of design + a simple (eg one-circuit) modification opportunity. So, his recommendation was to use the newest technology possible along with plenty of obfuscation and splitting of security functionality among many circuits.

So, I welcome 14nm and 10nm. Not to mention 28nm SOI might get a discount. Rocket CPU was already tested on 28nm. ;)

United Airline Future CustomerJuly 8, 2015 4:29 PM

legal disclaimer: all alleged. not verified
Re: Fix the Broken Airline Industry system
http://www.reuters.com
Computer Glitch halts United Airlines flight for two hours
1.) Why are the major media colluding with ENTIRE AIRLINE INDUSTRY in calling this a computer glitch?
Is a glitch similar to a 'ghost'?
2.) Most likely scenario - net engineer software MIS-configures
3.) Why no resilient fail-over design?
Incompetence? Cost-cutting? Bureaucracy?
4.) How come the pattern of mis-behavior will continue until the CIO (Chief Information Officer)
CEO? Is 'personal resignation' eliminated?
5.) What is the simplest solution?
http://undeadly.org
http://blather.michaelwlucas.com
OpenBSD router
6.) Network Cloud - Virtual Network to avoid single point of failure including hardware/software?
OpenBSD on Digital Ocean Cloud

Why the SOFTWARE ENGINEER GETS NO RESPECT JOKE
Old lady gets heartburn on plane. Thinks she has
heart attack. So, Are there any Doctors/Skilled
Nurses on board?

No, I do NOT need your ROUTER DETAILS, but why
do you have SO MANY LOOPS AND BLACK HOLES and
inconsistent configurations? - Non-profit volunteer work, of course.

*no endorsement of any mentions. no direct
conflicts of interest. NO I AM NOT A SHORT SELLER
of the United Airline stock!

Conclusion on the USA Airline Industry
1.) It's 'low morals' to price gouge when the oil price is low
2.) Add incompetence to 'poor customer service' plus 'price gouging' (fair profits are fine) plus 'lack of independent criticism' plus 'lack of government regulatory action'
www.wired.com

"Why the 40 year old Tech is Still Running America's Air Traffic Control?"

ThothJuly 8, 2015 7:57 PM

@Nick P
RE: 10/14nm chips

"The 10nm and 14nm designs with little tool support will take the best people to even produce. Backdooring such a black box will either be hard or impossible for a period of time without knowledge of design + a simple (eg one-circuit) modification opportunity. So, his recommendation was to use the newest technology possible along with plenty of obfuscation and splitting of security functionality among many circuits."

That is a good idea there. The smaller the chips, the easier to destroy. Try piecing together a tiny 20nm chip that has been smashed to pieces with a sharp object.

The smaller the chip, the harder to freely add additional unknown circuits, and every single circuit and gate takes a lot of effort to arrange and place on such a tiny surface. If the chips are going to be mass produced for a whole range of purposes (like smartcards) which can be used in a myriad range of products, and are going to be produced very quickly in huge bulk where the chips are expected to have a very short lifespan and to be misused and thrown away (all these are the requirements of smartcards and RFID/NFC security IC chips), there is less incentive to actually backdoor them since you can't accurately target someone, the noise to accuracy ratio is simply too high, and the user might discard it anytime due to its dirt-cheap cost.

A dedicated security IC chip like those made for HSMs and FPGAs is a more likely target for backdoors (I won't say smartcard chips are free from these stuff but it might be harder to do so), since a HSM or a security device with long life expectancy and heavy usage with very little likelihood of being replaced might actually attract more incentive to put a backdoor in, since the ratio of noise to accuracy is pretty much in the favour of the attacker: not everyone would own a HSM or a security device knowingly, whereas a tag or smartcard is so common to the point it becomes very mobile, huge in numbers and generates too much noise for any accuracy of sorts. That's just my attempt at guessing what the best method is to blend into the crowd and escape targeted surveillance by generating more noise whenever possible.

ThothJuly 8, 2015 7:59 PM

@Nick P, Figureitout
I think I would recommend the best way for most journalists and privacy people is to go mobile and with a lot of noise.

Nick PJuly 8, 2015 8:26 PM

@ Thoth

"That is a good idea there. The smaller the chips the easier to destroy. Try piecing together a tiny 20nm chip being smashed to pieces with a sharp object."

Not actually. The smaller they are, the worse off you are for destruction. Ross Anderson's Security Engineering gave a good example:

"after tests showed that 1 mm chip fragments survived the protective detonation of a control device carried aboard airborne command posts, the software was rewritten so that all key material was stored as two separate components, which were kept at addresses more than 1 mm apart on the chip surface"

The smaller it is, the more stuff survives and the further you have to separate the stuff. Better off if your design doesn't rely on that.

"tag or smartcard is so common to the point it becomes very mobile, huge in numbers and generates too much noise for any accuracy of sorts"

Looking into such things is worthwhile. I once considered a chip that looked and partly worked like a SIM card. But did more. A friend came up with using his PSP (or something similar) for black hat work given most cops would assume it was a gaming headset for boredom. There's lots of potential for not standing out but the trends are making that more difficult. Chips we could afford to make barely fit in a smartphone and drain its power quickly. Maybe put it in some heavy-ass Beats headphones but there goes not standing out lol...

"I think I would recommend the best way for most journalists and privacy people is to go mobile and with a lot of noise."

I recommend old-school tradecraft wherever possible. Create noise with the digital methods and send messages with old-school methods. Couriers, drops, radios, and wifi devices w/ removable batteries are your friend.
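
The Anderson example Nick P quotes above (key material held as two components kept apart so a surviving fragment is useless) is easy to state in code. The block below is an added illustration, not code from this thread, from Anderson's book or from any product: it splits a key into XOR components so that any single component is uniformly random and independent of the key, and it generalizes from two components to any number, which the text does not show. The function and parameter names are this example's own.

```python
"""Split key material into XOR components (secret splitting), so that losing
any one component destroys the key while leaking nothing about it.

Added example, not code from the thread.  Every component except the last is
drawn uniformly at random, and the last is key XOR (all the others), so each
component on its own is independent of the key.
"""
import secrets
from typing import List, Optional


def split_key(key: bytes, parts: int = 2) -> List[bytes]:
    """Split `key` into `parts` components; all of them are needed to rebuild it."""
    if parts < 2:
        raise ValueError("need at least two components")
    # Random components: statistically independent of the key.
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    # Final component carries the key masked by every random one.
    last = bytes(key)
    for s in shares:
        last = bytes(x ^ y for x, y in zip(last, s))
    shares.append(last)
    return shares


def combine(shares: List[Optional[bytes]]) -> Optional[bytes]:
    """XOR the components back together.

    A component that was destroyed is passed as None; the key is then
    unrecoverable and None is returned, which is the point of the scheme.
    """
    if not shares or any(s is None for s in shares):
        return None
    n = len(shares[0])
    if any(len(s) != n for s in shares):
        raise ValueError("component lengths differ")
    out = bytearray(n)
    for s in shares:
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)


def zeroize(buf: bytearray) -> None:
    """Overwrite a component in place before discarding it.

    Best effort in CPython: it clears this buffer, not copies the interpreter
    may have made, which is why the scheme relies on splitting, not on this.
    """
    for i in range(len(buf)):
        buf[i] = 0


if __name__ == "__main__":
    # Constructed sample key (32 bytes); a real key would come from a CSPRNG.
    key = secrets.token_bytes(32)
    a, b = split_key(key)
    assert combine([a, b]) == key
    # Destroy one component: what survives says nothing about the key.
    a_buf = bytearray(a)
    zeroize(a_buf)
    print("rebuilt with both:", combine([a, b]) == key)
    print("rebuilt after one destroyed:", combine([None, b]))
```

The design point is that protection comes from the mathematics of the split, not from the wipe: a 1 mm fragment holding one component is as useless as no fragment at all, provided the other component sits outside it.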

ja se oolannin sota oli kauhiaJuly 8, 2015 10:35 PM

FBI Director Says Agents Need Access To Encrypted Data To Preserve Public Safety
http://www.npr.org/sections/thetwo-way/2015/07/08/421251662/fbi-director-says-agents-need-access-to-encrypted-data-to-preserve-public-safety


FBI Director James Comey told senators on Wednesday that increased encryption on mobile devices is complicating the FBI's job.

Comey, along with a roster of Obama administration officials, has been asking Silicon Valley companies for months for a solution that would allow law enforcement to monitor communications with a court order, while protecting the privacy of consumers.

Nick PJuly 8, 2015 10:51 PM

@ ja se

Perhaps they should just use their creativity and investigative prowess to build alternatives to many Silicon Valley companies' tech that steals all their market share. Then backdoor it. And then...

Oh wait, they can't even understand key escrow issues or build a boring case file system. Anything practical in tech is clearly beyond their creative capacity. Good for us. :)

WaelJuly 9, 2015 12:06 AM

@Nick P,

due to his strict adherence to security principles. Mwahahaha.

Just make sure you don't dox me ;)

BuckJuly 9, 2015 12:34 AM

@tyr

What, no mesh? Is it a given that the mesh-network eventually evolves into a ball of yarn?

@Wael

I seem to recall you doxing yourself at least twice now... Or was it all just an ingenious ruse..? :-P

tyrJuly 9, 2015 12:40 AM


Did anyone else see the BBC, Finnish kid with 50000 hacks to his credit in two years ?

Apparently he found a bug in some commercial stuff and used it to build a botnet. The script kiddies are getting more dangerous all the time. Maybe it is time to start investing in real security.

WaelJuly 9, 2015 12:55 AM

@Buck,

I seem to recall you doxing yourself at least twice now

The outcome of Self-doxing is called an autobiography.

Don't mix up de-anonymizing with publishing degrading or otherwise embarrassing things that we want to keep private :) I guess that's one reason we want to encrypt things.

I'm writing an unauthorized autobiography. -- Steven Wright (one of my favorite comedians)

FigureitoutJuly 9, 2015 12:59 AM

Wael
wait for his wrath tomorrow
--Lol, can't do that here anymore; have to be "civilized" and all that jazz. May have a tickle fight though (google 'tickle fight' and click 1st link lol, wow...it's real) and it looks like a precursor to something else...maybe get some of that "milk" of amnesia.8^p

Markus Ottela
--Depends on if you know what you're looking for (my home bench kind of sucks, for instance I have like a...50+ year old(maybe more or less, not sure) analog scope and the [single] probe's missing the wire grab part. My radio goes to ~3.5MHz when some of the switching noise I'm looking for is likely around 100kHz and below (maybe 1kHz...) and my little RTLSDR dongle can only see to 24MHz and I haven't built a better antenna for it (this is where I need those tiny connectors attached to a wire from a factory, it's very hard to do by hand; in fact lots of RF connectors are very hard to do by hand, which then raises the issue of taps in the cable...).

Things I'd want (I'm not a big fan of mechanical/craftsman type work, I'll do it but it generally sucks from me compared to better skilled person or machine) is inverter on AC, USB ground loop isolator for power into RPi, shield box over RPi that connects to RF connectors outside (which shield the wire and most important *the connection*) then put ferrite cores and toroid cores ( http://www.readytoflyquads.com/media/catalog/product/cache/1/image/1200x/040ec09b1e35df139433887a97daa66f/2/0/20121004_043147.jpg ) all over. But yeah that's essentially what I'd be building for this HWRNG.

Probably going to just run TFC programs more or less on 1 RasPi (every time I go to Fry's and see like 10 of them I get urges lol...I don't bring a lot of money to Fry's lol)? Not *use* per se since the isolation between multiple devices is the point, but just run the programs. Did you build a lot of data diodes for other connections besides TFC? It's what I'm planning on doing...

Nick P
--Maybe, but that doesn't make me feel comfortable, how can we even be sure every transistor is working? That would be good test knowledge to know (and surely highly protected proprietary info). What about signal integrity issues not caught in the lab that manifest in my PC b/c the IC is too scrunched, that crash out of the blue and I think it's a virus? Or it becomes an attack vector like row hammer...

Probably a lot of that "safety" is overridden by having to use *extremely* complicated start up code.

WaelJuly 9, 2015 1:19 AM

@Figureitout,

May have a tickle fight though

No thanks! I'm not playing footsie with you -- not today! That sounds just too kinky! Speaking of which, do you know the difference between "erotic" and "kinky"? "Erotic" is using a feather; "kinky" is using the whole damn chicken :)

Clive RobinsonJuly 9, 2015 8:15 AM

@ Wael,

Get the joke right it's "What's the difference between kinky and perverted..."

I told that joke to Terry Pratchett at a house party in Oxford [1] back in 87 and he then put it in one of his books, and around the world it has since gone. Terry had quite a taste for "dark jokes" which his wife did not approve of, unsurprisingly (and no I'm not going to tell any of them here, I've already "shocked the moderator").

[1] The weekend party was at a friend's (Dave) parents' house in Oxford. He was very much into Dungeons and Dragons played out in costume in castles and such like and paid for it by doing a few publicity and party gigs; due to one thing and another he got the nickname of wolfman, which most people called him. For my sins I knew several computer journalists who also knew more mainstream newspaper journalists and they drank a lot in various London pubs. Anyway one of those mainstream journalists who worked for the "Daily Fail" decided to "make news" and unfortunately Dave was to be part of it unbeknown to him...

Basically the Daily Fail journalist persuaded Dave that he had a publicity stunt gig for quite a bit of money and that Dave was ideal for it. Basically like some of Dave's other publicity gigs he was to run up dressed as a "wolfman" and grab a designated person who would be photographed etc, all very silly but the vogue at the time.

Unfortunately this time it was a setup and the target was Princess Margaret... Dave nearly pulled out but the journalist had guessed that the money on offer would swing the day and it did. The journalist took Dave to the appointed spot and Dave ran across as he did for such gigs, picked up Princess Margaret. He was promptly grabbed by the bodyguards, thrown to the ground and far from gently detained. He was later released after he told his story and the police did some checking. However by that time the "Fail" had published the photos front page etc.

Dave rarely talked about it, as I suspect back then few people believed that journalists were dishonest and would set people up like that (though Terry, who had been a journalist and was then a publicity officer, did say he was "not surprised" in a way that raised an eyebrow).

Well with News International papers such as "The News of the World" doing "phoney sheik" stings which we now know due to court action were often set up as stunts etc, and all the phone tapping, bribing of police officers, and journalists getting criminal records as their employers sell them down the river, I guess even Joe Sixpack is going to be a bit suspicious of journos these days.

Sadly due to one thing or another the last time I saw Dave was in a car accident, where we got T-boned at night by a driver without lights on. I got taken to hospital with whiplash and minor cuts and scrapes as I was sitting in the passenger seat on the impact side. We arranged to meet up a little later but work got hectic as did other commitments and Dave later underwent surgery etc.

AskMeNoQuestionsJuly 9, 2015 8:55 AM

And I will tell you no lies.

Technology and the End of Lying

http://tech.slashdot.org/story/15/07/08/2223257/technology-and-the-end-of-lying

Gee, I thought this was already done with the alleged mind scanners or what they call thought reading devices. Apparently, that bit of FUD wasn't taking hold so now they introduce this new "schtick". They? Why, the overlords of course.

We are continually beset with these "advances" that subject us to perils of what they know and how it can be used against us. Seldom do any of these "revelations" indicate how they can be used for any of us. Most seem fear inducing, with apparently the desire to make everyone grateful when they offer to abate our fears as long as we are compliant.

Nick PJuly 9, 2015 10:20 AM

@ Wael, Buck

"Just make sure you don't dox me ;)" (Wael)

"I seem to recall you doxing yourself at least twice now... " (Buck)

The juxtaposition makes it even better. LMAO.

"with publishing degrading or otherwise embarrassing things that we want to keep private :)"

Nobody is publishing anything about your activities on Omegle, Adult Friend Finder, and so on. Your secrets are safe with us.

WaelJuly 9, 2015 4:19 PM

@Clive Robinson,

Get the joke right it's "What's the difference between kinky and perverted..."

Maybe that's how you told it to him. He saw it fit to say it this way:

"Just erotic. Nothing kinky. It's the difference between using a feather and using a chicken."

― Terry Pratchett, Eric

Maybe your memory is failing you! Look, I have a spare bottle with your name on it -- join the club ;)

Or you can get it by yourself. But be careful! There are two types, one that makes you forget, a penny's worth of the finest imitation, and the ones that fix memory loss -- they look alike, so it's a gamble.

ThothJuly 9, 2015 7:57 PM

How long are we going to accept a buggy OpenSSL ? After all these bugs, it's down to yet another new bug.

Link: https://nakedsecurity.sophos.com/2015/07/09/the-openssl-cve-2015-1793-certificate-verification-bug-what-you-need-to-know/

It is supposed to be FIPS 140-2 Level 2 certified ... why didn't FIPS certification and whatever certification it went through evaluate its security ? The honest answer is they don't really look at the product and stress it fully. It is part of a consumer demand to get over the process of certification quickly, read the declaration report by the vendor, scratch the product a little and stamp a certificate on it.

The problem is with the way products are certified and how security products are made. They are made in no/low assurance configuration.

It is about time we should switch up all the OpenSSL codebases in products and migrate them over to LibreSSL or BoringSSL, where there is less code complexity, cleaner interfaces and code, and a lack of sickening bureaucratic (FIPS, CC EAL) terms to meet requirements, and code them straight and clean from the core with better assurances. Note that CC EAL to me is just another "report reading" session where you read a well formalized report and hand it a higher level, because the requirements of CC EAL are more report orientated instead of actually stressing it in real field environments.

A nice sounding report may not be practical on the field.

ThothJuly 9, 2015 9:22 PM

@all
NSA releases / open sources its SIMP platform for network compliance to DoD standards.

Link:
- https://github.com/NationalSecurityAgency/SIMP
- https://github.com/simp

NSA's Description of the SIMP:
SIMP is a framework that aims to provide a reasonable combination of security compliance and operational flexibility.

The ultimate goal of the project is to provide a complete management environment focused on compliance with the various profiles in the SCAP Security Guide Project and industry best practice.

Though it is fully capable out of the box, the intent of SIMP is to be molded to your target environment in such a way that deviations are easily identifiable to both Operations Teams and Security Officers.

At this time, there are no commercial requirements for the use of SIMP outside of the purchase of Red Hat Enterprise Linux licenses as applicable.

FigureitoutJuly 9, 2015 10:07 PM

Wael
--Bah, too silly lol. not today! -- Hrrmpf, fine! I'll be waiting though...

Thoth
I think I would recommend the best way
--It's specific to a) their requirements/threat model, b) what they're willing to do day-in-day-out, c) how much they're willing to pay for protection and customized setups.

I'd help some people out (for some $$, not free) for a medium-to-high security stance so long as I have some funds to spend and they follow directions (watch you get some hopeless moron of a client that blames you for their problems b/c they're the kind of people why we need all these legal warnings like "don't stick your face in a chainsaw"). Depending on the clients, it could be way more fun than what I consider "work" lol, there'll be some traps to catch some people who try too....

Biggest steps though are either going live (or VM, but it needs HDD and the concept of "virtual memory" just doesn't rub me right, but I'll still dabble in it just to see) and beginning to practice OPSEC, physically separating memory sticks and thinking how your data looks to someone else and can they easily touch it (and having backups, lots of backups). Then living life like you're going to have a breach every night in your sleep and be prepared for recovery...

ThothJuly 10, 2015 12:32 AM

@Figureitout
RE: Handling moronic clients

"watch you get some hopeless moron of a client that blames you for their problems b/c they're the kind of people why we need all these legal warnings"

Don't worry about that. I have to handle these types of clients on a daily basis and they will still stick their necks up a chainsaw even when I told them not to (not literally), especially when they have already asked me to specify best practices which on some occasions they may disagree with, respectfully or in an outright insulting manner.

"Depending on the clients, it could be way more fun than what I consider "work" lol, there'll be some traps to catch some people who try too"

Not a good idea to trap clients if they are your paymaster, as your manager/boss might be pissed if they hold off their payments.

" begin practicing OPSEC physically separating memory sticks and thinking how your data looks to someone else and can they easily touch it (and having backups, lots of backups)."

I did mention that recently a client of mine lost his bag containing a cryptographic Key Loading Device and a stack of smartcard tokens (luckily those are blank cards) on public transport. Good thing is he managed to retrieve the lost bag with the KLD and cards intact from the transport driver the next day. Talk about practicing OPSEC in the field. I don't mean OPSEC is not do-able, but the procedures must include minor and major event handling and corrections.

"Then living life like you're going to have a breach every night in your sleep and be prepared for recovery"

I won't be able to wake up with energy to do my work next morning if I have to live a life attempting to guard against every second of attempted intrusion into my computer or room....

What is needed is to define your sensitive boundaries and reaction responses in a sane manner. An example:

(Higher digit numbers mean more sensitive / important)

Layer 7: Backup email address / contact methods, personal secrets
Layer 6: Personal credentials and logins, crypto keys (PGP/SSL...), work related secrets ...
Layer 5: Sensitive reading lists & visited sites, personal likes and dislikes, habits ...
Layer 4: Personal PIIs, contact address book, friends addresses, personal email, work email, work contact,
Layer 1 ~ 3: Public facing contact, public profile (redacted), public reading list

What you might want to protect is the very small yet very sensitive secrets usually at the topmost layer (Layer 7 in my case). If you look at layer 7 in the sample, you would not be writing down personal secrets since that is too much to protect. You might have a hidden means of contact via some form of hidden email address and that again simply requires memory in your head, so that's not going to be written down either unless ... you really have a bad sense of security, or you have like a couple kilobytes of data you can easily protect with an easily remembered 32 byte key (256 bit key) and use the MegaProcessor (http://www.megaprocessor.com/) to encrypt your couple kilobytes of really most sensitive secrets.

You just need to map out what you deem most important and segment them out carefully.

WaelJuly 10, 2015 1:39 AM

Minor advice

I noticed that someone had a link in his post (it was a link under his name.) It was a link to some LinkedIn profile. Seems like a clever "attack tactic". If you, like I do, keep logged in to your LinkedIn profile and click on that link, you may reveal more than you want to. So a caution, especially for you "Anonymous cowards", make sure you are logged out of all your social media accounts before you click on any link.

If you are exceptionally evil, then login to this account before you engage in correspondence ;)

ThothJuly 10, 2015 1:59 AM

@Wael
Maybe your fingers slipped up on some amnesic milk spilled on your keyboard causing typographical errors.

Have you not asked my wife, Safkhet, to bless your keyboard ?

Remember to visit her at Heliopolis next time.

FigureitoutJuly 10, 2015 2:07 AM

Thoth RE: bad security at work
--My personal procedures take ~5-10 min every morning and they could be way better but there's you know...other work to be done...now. We have to interact w/ customers where they all bring their own PC to interface w/ a product, and w/ multiple new browser builds (shudder) and of course any kind of malware will affect data flow in the browser lol...I jokingly suggested we just ship a separate computer w/ the product to cut out possible bug sources (slightly...).

Not a good idea to trap clients
--No, never (unless the client isn't who s/he says s/he is, where it gets hairy). I meant for attackers, I'd have traps to catch attackers wasting my time debugging stupid sh*t.

RE: opsec on the fly
--Lol, good OPSEC includes double-checking your possessions constantly (I double check my keys each time I switch gym machines since I lost my keys from my pockets) so if they do get stolen/lost you can log a more accurate time (and then, w/ other investigators, look for potential attackers in area at that time, etc.).

I won't be able to wakeup with energy
--Welcome to my life past 6.5 years, not a good feeling when you know things in your room have been moved around...(I have some weird "condition" (probably just OCD) or just something in my family, my grandma is same way, remember a lot of things placed all over the place (maybe my passwords or...traps watching what intruders touch), and if they move it really really makes me feel discombobulated...).

RE: layers of data
--Yep, exactly what you have to do. For starters you need at least 20 separate memory sticks and 5+ PCs.

Wael
make sure you are logged out of all your social media accounts before you click on any link.
--Man, DUH if you care about OPSEC lol. What the hell are you doing staying logged in linkedin?! Put the "milk" down and bend over, time to spank that pumpkin 'blank'... :p

WaelJuly 10, 2015 2:25 AM

@Figureitout,

time to spank that pumpkin 'blank'... :p

Take a number. @Clive Robinson, @Nick P, and @Mike the goat are ahead :(

WaelJuly 10, 2015 2:48 AM

@Thoth,

Maybe your fingers slipped up on some amnesic milk spilled on your keyboard causing typographical errors.

If you find such a potion, then you have found your answer to erasing keymats from your device.

ThothJuly 10, 2015 3:04 AM

@Figureitout
RE: layers of data

"--Yep, exactly what you have to do. For starters you need at least 20 separate memory sticks and 5+ PCs."

You just need a PC with a bunch of hard disks (with the OS installed into the hard disk for booting) and probably some live CD-R.

If you are worried about firmware attacks, very few things would be able to save you.

You can consider 5 PCs if you are thinking about using the Intel Compute Stick (http://www.intel.com/content/www/us/en/compute-stick/intel-compute-stick.html).

ThothJuly 10, 2015 8:54 AM

@Nick P, Figureitout
I took the l4linux.iso hosted on my webpage (https://askg.info/research/genode/resources/) and burnt the ISO onto a DVD and booted it off a laptop, and you get a TTY terminal with minimal Unixy things on it. It boots Fiasco.OC as the microkernel with L4Linux on top of it as its userland.

The point I want to state is that the Genode framework for Fiasco.OC/L4Linux compiled and written to a DVD and booted off does give you a terminal to work with at the very least. I noticed it doesn't handle my laptop's wireless, so I would assume the L4Linux kernel doesn't have any capabilities for it, which is actually good since an attacker could not simply ride off the WiFi and must use covert channels like lights, screen, audio, video and what not. You could effectively make yourself a more assured OS and get off the network for a while, booting from read-only media if you are even more paranoid.

If you are so paranoid, you might want to boot off a Fiasco.OC/L4Linux, copy the ISO onto the ramdisk OS and burn the image onto the read-only media, and to ensure nothing gets to slip in any further, you can simply burn random bytes into a huge file to fill the entire media's space until it runs out of space. You would effectively have a read-only, filled media that has no more space to hide stuff ... that is to say, assuming during the burning process you are not infected :D .

Disclaimer: Use the ISO at your own risk and don't blame me for whatever I compiled and don't trust what I compiled.

Nick PJuly 10, 2015 3:19 PM

@ Wael

" Seems like a clever "attack tactic". If you, like I do, keep logged in to your LinkedIn profile and click on that link, you may reveal more than you want to."

Even possessing one when the investigator or attacker knows your name can create problems. So, LinkedIn users certainly shouldn't stay logged in and ensure it's set to private.

"If you are exceptionally evil, then login to this account before you engage in correspondence ;)"

Now that's a nice trick. Love it!

@ Thoth

"If you are worried about firmware attacks, very few things would be able to save you."

Old PCs or embedded boards using ROMs as root of trust. Or jumper-protected EEPROMs. You have to physically update them. The convenience of software or remote updates is one of the reasons industry switched to flash. Thing is, it was just as convenient for hackers. ;) So, just switch back and that solves at least *that* problem.

Note: Device firmware attacks might be blocked at interface level. It's what I tried in the past. I haven't exhaustively explored the issue because I just didn't know enough about that stuff. It would be worthwhile for researchers to investigate how far they can go with software defense of peripheral firmware on top of a microkernel architecture.

re L4 stuff

Cool that you tried them out. I expected the interface to be simple. Yet, many Linux and BSD users live on command lines with a whole assortment of console apps. I did on MS-DOS even before that. So, it would definitely be a good start. A surprising number of applications can be done with consoles. Even multimedia.

The wireless has to do with the drivers. They either don't have them or they don't work well. Mainstream Linux support for wireless can still be a pain to configure with plenty of Googling. A device driver wrapper for a Linux driver or a rump kernel is the easiest route. Although, disabling wireless is often an improvement to security as you noted. High assurance systems usually only supported wired communication unless wireless was mission-critical (eg a radio). And then only supported administration through a dedicated serial port. There's lessons to be remembered in there. ;)

The ISO trick is decent. Just make sure it's a write-once DVD. Far as more paranoid, this guy ported OpenBSD to Fiasco L4 kernel. I like the security enhancements (eg MAC) of FreeBSD and Linux. So, I'd be more likely to port one of them with Linux already partly done for me. If FreeBSD, could piggy-back on the CheriBSD project possibly.
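
Thoth's suggestion above (fill the rest of the medium with random bytes so nothing can be hidden in free space) and Nick P's caveat (make sure it is write-once) both come down to something you can check rather than assume. The script below is an added example, not a script from either poster or from the Genode project: it pads an image up to the medium's capacity with random bytes, and after burning reads the medium back and compares its SHA-256 with the image's. The function names, and the use of a plain file to stand in for the optical device in the usage line, are this example's own assumptions; it needs only POSIX sh, head, wc, dd and sha256sum (or shasum).

```shell
#!/bin/sh
# Added example (not from the thread): pad an ISO image with random bytes to the
# medium's exact capacity, then verify a burnt medium against that image.

sha256_of() {
  # Print the SHA-256 of stdin using whichever tool is installed.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

pad_image() {
  # pad_image IMAGE TARGET_BYTES
  # Append random bytes so IMAGE is exactly TARGET_BYTES long: no free space
  # remains on the medium for anything to be added later.
  img="$1"; target="$2"
  cur=$(wc -c < "$img" | tr -d ' ')
  if [ "$cur" -gt "$target" ]; then
    echo "pad_image: image ($cur bytes) is larger than target ($target)" >&2
    return 1
  fi
  head -c "$((target - cur))" /dev/urandom >> "$img"
}

verify_media() {
  # verify_media IMAGE DEVICE
  # Read back as many bytes as the image has (the device may report a larger
  # size) and compare hashes; exit status 0 means the medium matches the image.
  img="$1"; dev="$2"
  size=$(wc -c < "$img" | tr -d ' ')
  want=$(sha256_of < "$img")
  got=$(head -c "$size" "$dev" | sha256_of)
  [ "$want" = "$got" ]
}

# Usage (device path is a placeholder; use a file to rehearse):
#   pad_image image.iso 4700372992      # 4.7 GB single-layer DVD capacity
#   ...burn image.iso to a write-once DVD...
#   verify_media image.iso /dev/sr0 && echo "medium matches image"
```

Verifying right after burning only proves the medium matched at that moment; the reason to insist on write-once media is so that the same check still means something the next time the disc is booted.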

WaelJuly 10, 2015 4:56 PM

@Nick P,

Now that's a nice trick. Love it!

Bait and switch attack pattern :)

Nick PJuly 10, 2015 5:13 PM

@ Wael

Of course! And creatively applied to a new problem domain. The mind of an engineer in action. ;)

Thoth, July 10, 2015 7:12 PM

@Nick P
That is what happens when you don't have much space and availability of home-made PCB boards, which is to figure out a read-only CD/DVD-R ISO bootable disk. That is to assume the hardware is not targeted and without a network connection; how are viruses coming in (unless you count the USB or covert channels or covert storage in some firmware or chip-based flash for firmware that somehow turns writable), and a ramdisk OS that is not permanent to store those nasties.

Next thing would be to figure how to run a multiple scenario on bare metal and how to load things like Haskell and GCC inside userland onto the bootable ISO so it becomes more feature-rich. Probably the CCID/PCSC libraries for smartcard interfacing would be useful so I can use it for handling keys in smartcards.
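One way to check the "nothing permanent to store those nasties" assumption on such a live-ISO system, added here as an example and not code from the thread: a POSIX sh audit of a mount table that flags any writable mount backed by a real block device or by EFI NVRAM. The sample tables are constructed for offline demonstration; on a real box the function reads /proc/mounts.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a mount table (in the
# format of /proc/mounts) for writable mounts that survive a reboot. On the
# live-ISO, ramdisk-only system described above, every rw filesystem should
# be RAM-backed; a rw mount on a /dev/* block device, or a rw efivarfs (EFI
# NVRAM), is a place where something could persist across a power cycle.

# audit_mounts [table-file]: default is the running system's /proc/mounts.
# Prints each offending mount; returns 0 if none were found, 1 otherwise.
audit_mounts() {
    table="${1:-/proc/mounts}"
    found=0
    while read -r dev mnt fstype opts dump pass; do
        persistent=0
        case "$fstype" in
            iso9660|squashfs) ;;       # read-only media/images, even on /dev/*
            efivarfs) persistent=1 ;;  # firmware variables live in NVRAM
            *) case "$dev" in /dev/*) persistent=1 ;; esac ;;
        esac
        case ",$opts," in
            *,rw,*) ;;                 # writable: keep the verdict
            *) persistent=0 ;;         # ro mount cannot store anything
        esac
        if [ "$persistent" -eq 1 ]; then
            echo "persistent writable mount: $dev on $mnt ($fstype, $opts)"
            found=1
        fi
    done < "$table"
    return "$found"
}
# Constructed sample tables (not captured from a real machine).
live_table() {
    cat <<'EOF'
/dev/sr0 /cdrom iso9660 ro,relatime 0 0
/dev/loop0 /rofs squashfs ro,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/rofs,upperdir=/cow/upper 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
EOF
}
dirty_table() {
    live_table
    echo "/dev/sda1 /mnt/data ext4 rw,relatime 0 0"
    echo "efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec 0 0"
}

f=$(mktemp); live_table > "$f"; audit_mounts "$f" && echo "live table: clean"
dirty_table > "$f"; audit_mounts "$f" || echo "dirty table: persistence found"
rm -f "$f"
```

Overlay and union mounts are judged only by their device name, so an overlay whose upperdir sits on a disk partition would be missed; on a live system the upperdir itself should be on tmpfs.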

Figureitout, July 10, 2015 11:18 PM

Thoth
need a PC with a bunch of hard disks
--Had some bad experiences w/ persistent malware on them, still debating how far I want to go either finding it (encrypted...) or getting a researcher to look at it (I don't have much $$ to pay), so I generally feel better running live letting contents of RAM die each shutdown instead of VM in the HDD (in "virtual memory", something just seems "off" about it). That being said, developing w/o a HDD *sucks* mega, need that storage. So I use it but just stay ready for if/when a malware comes back bad; and verify building by doing little changes and seeing it manifest how it should (sometimes it doesn't lol...)(doesn't prove security, just showing control; and you can lock down small code bases pretty good where someone needs to go at it w/ a programmer to alter code (after flashing, of course malware could be compiled in toolchain and just squirt malware in each build...can't be sure...)).

Same w/ USB's, don't trust but have to use. Bringing my breadboard and EEPROM chips to exchange a file w/ someone will get me mean looks. Can do small files b/w graphing calculators but I feel too much like a kid exchanging pokemon on gameboy lol...I've started working a little w/ USB chips (not the one storing the memory, but enabling comms etc.) now on some boards, and I envision something like a RasPi or even much smaller just a micro on breadboard w/ pinout for usb connector, and wiping the memory w/ "dd" or DBAN, then reflashing the comm chip sometimes. For now pretty limited to just wiping the memory...

RE: fiasco build
--Cool, was it easy to build? May try that out sometime. Yeah probably doesn't have the wifi driver to keep size down. Does it have "lsusb" in it? Doubt it, but you could get a usb-wifi thing (I like them instead of in the PC b/c I can just remove it easy), search it w/ that. You have to know which one, look up driver, and check for it. Even having driver may not be enough if they don't have the "ID #" lol, annoying...

But I wouldn't care about wifi, just use a separate PC beside w/ it. Feels good not opening yourself up easily to the world and physically upwards of ~8miles of potential attackers eh?

Thoth, July 11, 2015 1:16 AM

@Figureitout
What I meant by having a PC with a bunch of hard disks is to have each hard disk with its own OS inside it. If you want to use seL4 with Ubuntu on top, say you load in HDD 1 and grab some RAM sticks and boot it. Once you are done, you remove the HDD and swap in yet another HDD. Effectively the PC is simply a motherboard and a casing with no fixed HDD and RAM sticks. Oh ... and have a handful of RAM chips so you can randomly choose a RAM stick with your HDD and pop it into the laptop cover and screw it back to use, so if the malware sticks to one RAM stick, it may not be prepared to handle another HDD, although that is troublesome and not a full solution in itself.

It does not perform LSUSB. It's very very stripped down. No GCC ... nothing. Bare essentials only. I doubt if it has a proper GNU-coreutils either. Can't find the shred program either. Have not tried the dd command though. It is simply barebones.

If you have time, follow this build. Just a hint, the instructions did not mention the NIC and DDE_IPXE library so that makes the instructions a little inaccurate in my opinion. To rectify that, follow the issue I raised to Genode.

Link: https://github.com/genodelabs/genode/issues/1614

For the build, you can take half a day to build a basic running platform. Best to build on Ubuntu 12.04 LTS.

Forget about the WiFi thingy. The reason anyone wants a TCB is because one feels insecure, and WiFi being a huge security offender deserves to be outside the build. I am thinking of adding some scripts (looking into Genode's APIs) for its Genode Crypto Libs and also make it into a security centric platform.

Note that the build is very basic and bare. It has a Trusted GUI called 'nitpicker' that uses the TCB components to handle framebuffering but I have not gotten to compile in the GUI portion yet.

@Markus Ottela
Probably you could play around with the Fiasco.OC/Genode/L4Linux build with your current setup (use the ARM build by keying in 'arm' built when asked - it is not so straightforward as a 3 letter keystroke :P ) and use it for your TFC to make it even more hardened.

