Friday Squid Blogging: Divers Find Squid Eggs

Divers discover a large mass of Ommastrephes bartramii eggs:

Earlier this month, a team of divers swimming off the coast of Turkey discovered something unexpected: a 4-meter wide gelatinous mass of what turned out to be one of the biggest mass of squid eggs ever discovered.

Another article, with a photo.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on August 7, 2015 at 4:58 PM • 221 Comments

Comments

Public AllyAugust 7, 2015 7:08 PM

DEFCON seems to be around BIOS/UEFI backdoors and vulnerabilities.

I think the next big thing will be hardware backdoors and it's only a matter of time before it explodes.

Markus OttelaAugust 7, 2015 7:22 PM

@ Clive Robinson

Re: Funtennas
If they're able to remotely insert only a transmitter to computer, it's in the same category as TEMPEST / retro reflectors. However, if there's also a possibility to insert receiver, then there's a bigger problem.

For TFC, imagine NH getting infected with malware that turns it into receiver. The malware would then exploit RxM via 0-day in serial interface and turn RxM into a transmitter. After that, key exfiltartion will be trivial.

Depending on the group's achievements, I may have to update the threat model to recommend TEMPEST shielding of at least RxM by default.

@ All
I started a project where I put together video clips. The goal is to drive into people's heads the fact that bulk CNE is the future of mass surveillance.

GarrettAugust 7, 2015 7:28 PM

"Unhackable" version of Windows developed by Israeli company. "Randomizes" memory, whatever that means. Lots of unanswered questions, like what are they randomizing, how did they get the source code to Windows, and for what version, and does this even exist? (I'm skeptical on all fronts.)

http://tech.slashdot.org/story/15/08/06/1351234/israeli-security-company-builds-unhackable-version-of-windows


Stagefright Android vulnerability. Highlights fragmentation of Android OS and of carrier sluggishness. Risk and severity of exploit itself arguably hyped a bit, but perhaps that's not a bad thing.

http://fortune.com/2015/07/27/stagefright-android-vulnerability-text/


AnuraAugust 7, 2015 7:47 PM

@Garrett

I've written an unhackable OS.


Is it still considered an OS if it doesn't do anything?

Anyway, great claims, no proof. I mean it sounds like ASLR, which windows has to a limited extent, but certainly doesn't make it unhackable.

ianfAugust 7, 2015 8:29 PM

ON TOPIC: I bet the filmmaker's human subject didn't dare touch that translucent underwater "blob" (never mind taking a sample for analysis in a makeshift container, a glove?) on account of unease over what if it is some finger-chomping hostile ET blob?

In other Australian news, now that we heard that Lutfu Tanriover “was diving 22 metres below the sea surface, I personally can't wait for him, or anybody else, to up that ABOVE.

Nick PAugust 7, 2015 8:52 PM

@ Garrett

They've most likely applied one of the compiler-driven techniques for randomization or control-flow integrity from academia to Windows kernel or libraries. There were a few papers that did this for closed-source, Windows applications. There's also projects that did it for Linux with minimal changes. So, I think it's feasible to do even more on Windows by knocking off academics, doing reverse engineering, and lots of troubleshooting. Still wouldn't be secure, though.

Best route with Windows is physical isolation or using separation kernels w/ hardware support (eg IOMMU). Treat it like a black box that might attack or lie to you at any time. Put as much critical processing as possible outside of it. Ensure trusted path (see Nitpicker GUI) to your critical apps or the untrusted, Windows functionality. Slowly migrate away anything you have on Windows to BSD or Linux where possible. Do the same with those in addition to tech like I referenced above (easy with FOSS).

Alien JerkyAugust 7, 2015 9:12 PM

Reminds me of the movie "Sphere". Just waiting for him to touch it then disappear into the blob.

Nick PAugust 7, 2015 9:41 PM

@ Alien Jerky

"No, what bothers me is it's reflecting everything but us."

(swoosh) (screams) (opening credits of squid, horror movie)

Strange August 7, 2015 10:08 PM

Truecrypt used in another case by fbi

http://m.theregister.co.uk/2015/08/04/truecrypt_decrypted_by_fbi/

Looks like they just tapped his jail phone and caught the system while the encrypted volume was mounted like w silk road case. But maybe not.

Better article on pentagon hack

http://m.theregister.co.uk/2015/08/06/pentagon_email_hacked/

More evidence Russian cyber criminals and Russian gov work together (they got the idea from swordfish)

https://www.fox-it.com/en/press-releases/global-cybersecurity-leader-fox-us-security-company-crowdstrike-collaboration-fbi-demystify-gameover-zeus-uncover-unexpected-new-facts/

ThothAugust 7, 2015 11:18 PM

@Strange
Running crypto on unprotected hardware (normal PCs not tamper resistant and at least some side-channel protection) is a bad idea in the current era.

We are going back in circles again as this topic was brought up many times in the past. I would say at least get a high EAL certified smartcard and put your crypto program inside it. That would leave a hole for secure interaction and you need to think out of the box to securely interact with that smartcard (like using Guards and Data diodes for work stations).

If the worry is smartcard backdoor, use a few smartcards running in parallel and never keep all the keys in the same place.

Usability and security are conflicting beasts and needs to be handled as well. My answers are a little sloppy today since most of the topics have been discussed many times repeatedly in older posts and the variety of setups and answers are there.

DanielAugust 7, 2015 11:50 PM

An unhackable Windows is like claiming someone can make Swiss cheese without the holes.

StrangeAugust 8, 2015 12:31 AM

@Thoth

Thank you for the help.

I am researching some technologies, do you (or anyone else), have any opinions on the latest zero day vuln or malware protection systems? Endpoint or network.


My interest in that story was more just the angle that truecrypt may have been hacked, as the story details. This is tied into the warning message given. The story suggests, towards the end, that the FBI or Army caught the guy because he phoned his roommate from jail and asked him to turn off a box with blinking lights. But, why would Army counterintelligence and the FBI not immediately have already searched his place and gotten this box? So, it seems like a likely cover story. A bit odd.

In fact, in context, the story author points out how the FBI patiently waited for 'Dread Roberts' to mount his encrypted volume before arresting him. And that they 'engaged elaborate distractions' to ensure they had his box and his encrypted volume open when they got him.

The story also implies the Army finally got working DLP. :-)

It is just a good story. Like the Russian Business Group tied to FSB or SVR story, it has some depth to it.

StrangeAugust 8, 2015 12:41 AM

@Garrett

If they really randomized everything, it would be problematic for memory based exploitations to take hold. There are many other types of critical exploits, however. FireFox just fixed one last night, for instance, which allowed a remote attacker to read and covertly send files from a target's computer to the attacker.

Problem there is an attacker usually wants to get system level access after such an exploitation, and that often engages another, local, privilege escalation vulnerability. Those tend to be memory based. The code that runs at System (in Unix/Linux/Mac, "root", in Windows "system") tends to be written in C and ASM and tends to be relatively clean against non-memory based attacks. Getting to run at system may also often involve process injection or other forms of memory alteration to put the code into execution.

That is definitely not unhackable, but it would deeply reduce the attack surface.

PetterAugust 8, 2015 2:03 AM

A security leak a while back have reached its end but apparently it seems that the intelligence agency don't know who read it...

"An Australian spy agency says it has no way of knowing who has obtained a "highly sensitive" report meant for our top allies after it was allegedly leaked by a junior defence bureaucrat on an online forum.

In an embarrassing security breach, a 21-year-old Department of Defence graduate allegedly managed to download a secret Defence Intelligence Organisation assessment, burn it to a disc, take it home and post it to anonymous image-sharing forum 4chan while praising Julian Assange as his hero.

Court documents describe the discovery of the leak as "fortuitous", occurring only when a former Defence Signals Directorate employee stumbled onto the post while browsing the website."

http://m.canberratimes.com.au/act-news/a-junior-defence-staffer-allegedly-took-home-an-intelligence-report-and-posted-it-online-20150804-gir4rq.html

Clive RobinsonAugust 8, 2015 4:24 AM

@ Anura, Daniel,

Then would an unhackable Windows be called Window Blinds?

No to even get close to unhackable, you need to take the windows out and "brick up the hole" with blocks of stone. Though watch out you don't get a bunch of "Jerry builders" or "Cowboys" in to do the job, otherwise you might have not just the windows being insecure but the whole building...

Speaking of "window blinds" very old joke, from back when they were first "Hip and Trendy" which oddly was before anyone said hip and trendy...

Q: How do you make a venetian blind?

A: Poke his eyes out.

Clive RobinsonAugust 8, 2015 5:23 AM

@ Markus Ottela,

If they're able to remotely insert only a transmitter to computer, it's in the same category as TEMPEST / retro reflectors. However, if there's also a possibility to insert a receiver, then there's a bigger problem.

Currently we only have the "whet your appetite" intro to go on and back ground experience, so we are in the land of "educated guesses". It's why I'm being a little cautious on my guessing, and we will hopefully know more when the talk is over and papers etc become available.

The first clue for guessing with comes from the fact they say that it does not require "physical implantation" suggests either the hardware is already there or it's a firmware/software exploit.

On the hardware side all clocked circuits are inherently transmitters, due to the nature of the way they work, so TEMPEST type attacks are by far the most likely. Whilst some logic gates are susceptable to external EM fields, there are quite a few other things you have to get right to make it work, and it's far from universal in nature. As I found out back in the 1980's when I came up with the idea of EM fault iinjection, (it works best as a way to sync asynchronous logic via the principles of "injection locking").

It is possible they have discovered a "real receiver" built into the hardware, as has been said of Intel chip sets, that they have discovered how to use but I would put that low on my list. Higher would be that Intel or other chip maker had deliberate "enhanced" certain signals that were 6dB or more up on other data signals to enhance synchronisation to say the AES circuitry in the CPU.

My "gut feeling" guess however is it's along the lines of the inverse of the Cambridge Computer Lab's "Soft Fonts". That is instead of designing a font to reduce Van Eck style screen emmisions, they have done the opposite and produced a font or similar that enhances emmisions. The reason I say "similar" is there are quite a few other vectors other than fonts you could use. Such an attack would be very universal in nature, and could be hidden away without much comment in document files of various types.

If that is the case then to some of us who have already done such things it's old news.

And this is what I suspect it is, something that is "known" but never realy talked about, that they have independently rediscovered and are now trying to make it widely talked about.

One of the reasons such things were not widely talked about when originaly discovered/invented is that prior to the Ed Snowden revelations and the release of the TAO catalogue such information usually met with a "so what" response. I know that's what happened when I demo'd both EM Fault Injection and later demo'd how to spoof GPS. It's only later you learn the 13@$tard's steal your ideas and don't pay a penny or even give credit. Thus such ideas are "time sensitive" to the wider audiance, and credit goes to "the on time showman" not the original path finders...

CuriousAugust 8, 2015 5:45 AM

"Design flaw in Intel processors opens door to rootkits, researcher says"
http://www.itworld.com/article/2965875/security/design-flaw-in-intel-processors-opens-door-to-rootkits-researcher-says.html

"A design flaw in the x86 processor architecture dating back almost two decades could allow attackers to install a rootkit in the low-level firmware of computers, a security researcher said Thursday. Such malware could be undetectable by security products."

The vulnerability stems from a feature first added to the x86 architecture in 1997. It was disclosed Thursday at the Black Hat security conference by Christopher Domas, a security researcher with the Battelle Memorial Institute.

Surely NSA and Intel must had known about this for some time?

CuriousAugust 8, 2015 6:00 AM

Jane's on 'Black Hat 2015':

"Pentagon seeks recruits at Black Hat 2015 hacker conference"
http://www.janes.com/article/53456/pentagon-seeks-recruits-at-black-hat-2015-hacker-conference (112 of 727 words/paywall)

"The world's largest gathering of self-described hackers, the Black Hat conference in Las Vegas, opened to the media on 5 August, with major defence contractors, security researchers, government officials mingling with hacking enthusiasts as the Pentagon - and US government - struggle to recruit cyber personnel."

CuriousAugust 8, 2015 6:16 AM

I won't pretend to understand the technical details here, and I might have interpreted this incorrectly: I believe I briefly heard it mentioned in a recent product presentation, that newer ASUS mainboards have a microcontroller chip that allows a user to enter the UEFI/BIOS menu and even erase the contents of the bios chip by simply pressing a key on the keyboard ('hardware execute commands') presumably from inside windows.

CuriousAugust 8, 2015 6:30 AM

"Court Rules Warrantless Cell Phone Tracking Violates Fourth Amendment"

https://firstlook.org/theintercept/2015/08/05/court-rules-warrantless-cell-phone-tracking-violates-fourth-amendment/

"A divided appellate court panel in Richmond, Virginia, ruled on Wednesday that citizens do not give up their privacy rights just because their mobile-phone providers know where to reach them."

"The decision is the strongest assertion of the Fourth Amendment rights of mobile phone users out of three appellate court decisions on the matter, setting up a likely Supreme Court hearing."

CuriousAugust 8, 2015 7:00 AM

With regard to my link above about the design flaw in Intel processors, I wanted to briefly add, that in a TED talk of Oct 2013, Christopher Domas at one point apparently referred to himself as having been a "defense contractor" at one point.

Defective DepositAugust 8, 2015 7:00 AM

@Curious:
"Pentagon - and US government - struggle to recruit cyber personnel."

No surprises there. It takes a very special kind of scumbag to systematically f_ck up fellow citizens up the ass for a living.

CuriousAugust 8, 2015 7:08 AM

EFF (Electronic Frontier Foundation) announced the "Privacy Badger 1.0" plug-in for Chrome and Firefox internet browser:

https://www.eff.org/deeplinks/2015/08/privacy-badger-10-here-stop-online-tracking

"As you browse the Web, Privacy Badger looks at any third party domains that are loaded on a given site and determines whether or not they appear to be tracking you (e.g. by setting cookies that could be used for tracking, or fingerprinting your browser). If the same third party domain appears to be tracking you on three or more different websites, Privacy Badger will conclude that the third party domain is a tracker and block future connections to it."

CuriousAugust 8, 2015 7:13 AM

@ Defective Deposit
I don't take everything I read too seriously, so I didn't take much notice of that. Heh, I was thinking more along the lines of how they would be working hard to recruit people at the Black Hat 2015 conference as such.

CuriousAugust 8, 2015 8:42 AM

Random thoughts from someone that knows very little about crypto (me):

What are "Extendable-output functions" (XOF's/SHAKE128, SHAKE256) in SHA-3?

Could extendable output functions possibly be functioning for producing compromising metadata, or baking in some kind of compromising exponent value of sorts?

"When an application requires a cryptographic hash function with a non-standard digest length, an XOF is a natural alternative to constructions that involve multiple invocations of a hash function and/or truncation of the output bits." (NIST on SHA-3)

Would also be very silly if something like this could be sort of used to somehow dramatically shorten the bit length of crypto stuff, I am also thinking.

"The six SHA-3 functions are designed to provide special properties, such as resistance to collision, preimage, and second preimage attacks."

"Cryptographic hash functions are fundamental components in a variety of information security applications, such as digital signature generation and verification, key derivation, and pseudorandom bit generation."

I hope this couldn't mean, that this would sort of work by adding some kind of seeded number or some kind of integral identifier, to make things more unique.

"Each of the six SHA-3 functions employs the same underlying permutation as the main component in the sponge construction. In effect, the SHA-3 functions are modes of operation (modes) of the permutation."
What is that supposed to mean? Different ways to skin, the same cat?

Btw, when I read about the "sponge" function, I get an association to 'Quantum statistical mechanics' (anything Leonard Susskind). I wonder what Susskind might have to say about quantum computing in computer security, and if he has any ideas. I mean, I like to imagine that things related to quantum field theory might perhaps be said to resemble the calculations of bits of data in crypto stuff, with bits of data in matricies.

Clive RobinsonAugust 8, 2015 8:50 AM

@ Garrulous Garden,

Tor is looking for an Executive Director

That is a "Poisoned Chalice" if there ever was.

TOR is irredeemabley broken for the way it's most commonly used, when viewed by an agency that can see most if not all the traffic at the network choke points.

Clive RobinsonAugust 8, 2015 9:24 AM

@ Curious,

"Design flaw in Intel processors opens door to rootkits, researcher says"

It's been around since the mid 90's so all the Pentiums upwards... The SMM has been suspected in various ways for a while now, so it's not exactly a great suprise. However I expect the "Conspiracy Theory" likers will claim it's a deliberate hat tip to the likes of the NSA et al. However, I suspect that it's a "cods" rather than a backdoor but it's unlikely it was not known about by Intel employees thus it's likely the IC has known about it for some time...

AnuraAugust 8, 2015 10:10 AM

@Clive Robinson

Then would an unhackable Windows be called Window Blinds?

No

In case you didn't get my absolutely hilarious joke, swiss cheese without holes (aka eyes) is known as blind swiss cheese.

[pause for laughter]

@Curious

The Keccak homepage should answer all of your questions:

http://keccak.noekeon.org/

octatechAugust 8, 2015 10:59 AM

So in another thread we there was talk about smartphone, dumb phones and no phones.

I have a smartphone, few apps and don't use it that much but I still need it because it is expected of me. Being able to receive a file at any time and being able to view it at any regardless if it is .jpeg, .pdf or something else.

People need to be able to reach me most times of the day so turning it of when I get home isn't a very good solution. How should one fight against all this?

I was thinking of making a box to put it in when I get home, that blocks camera, blocks outside sound but still lets it receive incoming calls. That way people will see where the phone rests during the night and figure out who it belongs to but won't be able to capture any/much data from inside my home. But I should still be able to hear it so if someone calls I can take it out of the box and answer.

Any ideas? Better solutions? Worse? Alternative?

65535August 8, 2015 11:00 AM

@ Curious

I installed "Privacy Badger 1.0" with some trepidation on a machine. I will let you know the out come.

StrangeAugust 8, 2015 11:07 AM

@curious

"The world's largest gathering of self-described hackers, the Black Hat conference in Las Vegas, opened to the media on 5 August, with major defence contractors, security researchers, government officials mingling with hacking enthusiasts as the Pentagon - and US government - struggle to recruit cyber personnel."

From the article:

Known for some of its more subversive elements, Black Hat has been a place where systems' vulnerabilities were discussed for nearly two decades and experts were recruited by government agents who attend the conference to spot talent. In recent years that government presence has become more visible, with the director of the National Security Agency (NSA) giving the keynote address in 2013 while out of uniform.

Contrary to the name, "Black Hat", the conference is simply a good professional conference for corporate and governmental security professionals. Maybe I just never looked at it or stay to my own groups too much, but never run into any kind of "subversives" there. :/

That shows how 'out of touch' those sorts are.

Only real "subversive" thing about it is the marketing from corporate, and I am sure all of the useless domestic and foreign surveillance.

And, the deep drench of paranoia which permeates the entire thing. Which has distinctly gotten deeper post Snowden and Anonymous days.

ApprenticeAugust 8, 2015 11:13 AM

I'm a Windows user with an MCSE certification who hasn't touched a Linux box, rare participant and frequent reader of this blog, and an IT employee in a large organization in the USA.

I'm keenly interested in establishing a more secure environment for my relationship between my computers, my associates, the public, and the businesses I interact with.

Ideally, I wish to conduct a typical American life, run a small business on the side with my wife, opt-out of the mass surveillance in the name of 'privacy advocacy', and reduce my attack surface.

How do I do this? Layered approach, yes. And PGP for email, or maybe GnuPG. Password manager?-- absolutely, probably KeePass (sorry Bruce, I like the extra features). Which version of Linux? Open BSD? Free BSD? Mint? Do I run Wine and port my Windows apps like Adobe Creative Suite (Photoshop, et. al), Quickbooks, and then add Open Office? Or Libre Office? I imagine a consumer level router flashed with Tomato or DD-WRT facing the modem, and then a separate pfSense box configured with Snort behind it. Or maybe something altogether different?

As to OS options, https://en.wikipedia.org/wiki/Security-focused_operating_system

So many choices, so little time. Advice for the simple-minded, anyone?

This could be a bestselling book, actually: "Security for Those Who Want Security but Have Jobs and Families and Therefore Don't Have Time to be Security Experts".

Or is there a manual for Ex-Windows users to migrate to Linux/Unix someone can recommend? I can't think of a better place to ask. Thank you.

StrangeAugust 8, 2015 11:26 AM

@curious

The vulnerability stems from a feature first added to the x86 architecture in 1997. It was disclosed Thursday at the Black Hat security conference by Christopher Domas, a security researcher with the Battelle Memorial Institute. Surely NSA and Intel must had known about this for some time?

Yeah... maybe, maybe not. They have a reputation for listening to **eveerrryyything**, but you have to remember, they do. And that is going to be a really bad problem for them. In other words, most of what they do is a complete waste of time. So expecting them to know every hack or use it, is just very far from realistic.

SmirkAugust 8, 2015 11:27 AM

I lurk this site and comments for a while now and i am interested in a new political system without the "good or bad" and with politicians being chosen on their expertise and abilities. Like a minister of defense being a professor in geo-politics etc for example and decisions being based on facts and peer review without a "us and them" or "left and right" narrative. I know this maybe doesnt makes sense as english isnt my first language.

But what my question is: how to implement crypto or infosec into politics? For example a block chain into economics or a way to keep politicians in line without them being involved in favorism and corruption?

Overal the question is: what is your idea on the ideal political stystem?

StrangeAugust 8, 2015 11:55 AM

@octatech

People need to be able to reach me most times of the day so turning it of when I get home isn't a very good solution. How should one fight against all this?

If you are a rich enough target, your phone is a hazard even with the battery out, these days. In fact, replacing your battery with a specially made one is probably something they do. Where the bug is in the battery.

But, then, anything you might regularly carry with you can fall under the very same category. Only if you are a rich enough target. And I do not mean literal money there.

You need to step back, and up, and look at the bigger picture.

Wipe the chalkboard clean, and start with your problem from scratch:

1. You have sensitive data attractive to nation state level attackers
2. There is a potential loss value if that data is obtained by nation state level attackers

Which leads to critical questions you need to be asking your self:

1. What is that data? Specifically.
2. What is the estimated cost value of that loss? And do not be like Sony was, "We aren't gonna spend 10 million dollars to protect 1 million dollars of data".
3. Where does that data have to be? For instance, must you pass that data over your phone or store it on your computer? Who do you have to share that data with? These sorts of questions. Storage, transmission questions, primarily.

A very important check here is:

1. Is this data really that important to nation state level attackers? What is the estimated value - financial estimates are a fine place to start - that they might obtain by that data.

In other words, you need to quantify exactly, surgically, 'just how badly they want it'.


The most common error I see is overestimation of potential value in regards to nation state attackers. So much of what they actually do is just go to lengths to obtain the data, and then they do not do anything with it. Even more common, people - not government - tend to vastly overestimate their own importance. Everyone has secrets, and so hearing "the governments listen to everything" can emotionally tie into them on everything they ever did they do not want strangers to know about. The paranoia can well exceed the reality.

But, on the other hand, if there is real value for them, people tend to underestimate that, too. Just it is much, much more rare where there is real value.

In that case you really do need to hire a security expert, probably a corporate consultant with strong experience in counterintelligence. If your data is such that you do not believe you could trust someone like that, you can find consultancies and consultants, but just have to be much more brutal in your search.


In general, in regards to any sort of remote communication, in ratio to the value potential of the loss of your most sensitive data (words, ideas, proprietary knowledge, sources, methods, etc) you should curtail such transmission.

If you don't have anything on your phone, and don't have anything transmitted over your phone (eg, conversations), then there is no worry. That is the only way to have 100% assurance.

If you have a company work ethic that demand otherwise, your company is just giving all that data up. You should buy a skiff for your company, and only discuss matters there.


I was thinking of making a box to put it in when I get home, that blocks camera, blocks outside sound but still lets it receive incoming calls. That way people will see where the phone rests during the night and figure out who it belongs to but won't be able to capture any/much data from inside my home. But I should still be able to hear it so if someone calls I can take it out of the box and answer.Any ideas? Better solutions? Worse? Alternative?

If you are thinking about making a box to put your phone in when you get home, you are using your phone for sensitive data transmission (conversations or otherwise) and should not be. You need to jettison all of that kind of behavior.

Or, step back from your 'ad hoc' risk analysis and get serious about doing it as right as possible. Because you are operating in the dark.

**Look at how insurance companies do it, they do it right.**

Stick to that rigorous methodology.

You really can spend 10 million to protect 1 million worth of data. Or you can underestimate the value of that data and could have protected hundreds of millions of dollars for ten million.

Consider risk analysis like the scope on a gun. Security is hitting the bullseye.

Throwing out the scope on a long range shoot is just hurting your self.

CuriousAugust 8, 2015 12:19 PM

@ Strange
I'd say that I smell a logical fallacy there. A new exploit/bug obviously isn't "every" exploit/bug, so an argument that NSA wouldn't catch everything, ultimately doesn't mean much.

I would also say that all things "realistic" ultimately also doesn't mean anything in that context, partly because of relying on this notion of that NSA must be fallible, and that all things 'realistic' doesn't really cover any ignorance of people outside one group (NSA).

This had me think of that Microsoft boss on twitter that sort of referred to this notion of Windows 10 tech preview not having a 'keylogger', as in thinking of it as being a "myth". Ofc, unless things are disproven, it is all open to call something a mere 'myth'. And so "myth" with me ultimately didn't mean much to me.

John Galt IIIAugust 8, 2015 12:21 PM

@Smirk

Your sentiment is a good one, but likely doomed. Planet earth is a quagmire of conflicts of interest. The US Constitution, purchased in the blood of our forebears, was a valiant effort to create a fault-tolerant system that mitigates conflicts of interest by separation of powers. That all has been subverted for a long time or very long time. New robust systems are needed rather desperately, but the PTB will not allow either peaceful or violent changes to the status quo. By change, I mean anything that improves the lot of the peasants. If you persist in this endeavor and achieve any meaningful level of success, you will be offered a choice. The options are to play nicely with empire (betray your constituency) or to suffer an unfortunate accident.

BTW, this alleges that the US was shipping supplies to the Soviets to advance their atom bomb project in 1942. I am looking forward to the emergence of open-source natural language processing that can put questions like this and the Kennedy incident into perspective:

http://arcticbeacon.com/books/Maj_Geo_Racey_Jordan-FROM_MAJOR_JORDANS_DIARIES.pdf

One may consider counting the number of months from "unwarranted influence, whether sought or unsought," to the brain spatter. Neurons, brains, people, groups, gangs, companies, agencies, towns, cities, states, governments, and civilizations are adaptive systems. They all respond to neurotransmitters, of which the most powerful is money. Empire is a machine, driven by greed, conflict of interest, amorality and hubris, that crushes bodies and souls to make money and power. The degraded, malignant and scary creatures Clinton and Bush embody all of it, but they are not alone.

StrangeAugust 8, 2015 12:22 PM

@Smirk

Overal the question is: what is your idea on the ideal political stystem?

The best idea I have seen here, and which I have considered myself, is making "democracy" far more distributed and granular. That would have to involve extremely good security.

Problem is, it is not just the systems being used to work such a system which needs good security, so would the people.

People have some very sick grouping behaviors, as a natural tendency. But, there are also super functional groups out there. Just as there tends to be very bad computer security, but there are some very secure systems and networks out there.

You can see some of that future from the internet, but you can also see some of the badness of that. People are all too willing to 'just belong', and set aside their reasoning faculties and conscience to do so.

The best group I have seen, ever in operation, is like this:

Everyone operates as if one person, yet each person has a very strong personality, interest set, and passion.

So, from the outside, it would appear random. But, from the inside, there is something else going on entirely.

Doing something like getting the whole world like that would mean a major personal revolution. Driven at the individual level, and having deep individual effect. As opposed to being driven at the mere social level.

Socially and individually, there is an economy of ... what one might call 'spirituality', the emotional, the intellectual, the internal... people think of such revolutions in very staid terms, like "moral revolutions", which is just how people tend to be. What they mean by that is they do not want anything to change, but only regress to the Middle Ages. It pretends to be about individual and social betterment, but is really just the same old game about being completely full of shit.

A real "spiritual" revolution would be more about dropping into the 'spiritual economy' an enormous amount of 'gold', so you do a complete 'economic' reset. That would cause normal 'spiritual currency' to become absolutely useless. So from Hollywood to rock stars, from big business to big science, from mosques and temples and churches... everything would be re-ordered in terms of social prestige and social currency.

Such a thing, however, is light years away from the capacities of society, though you see tiny lights of it in many avenues of society. When anyone or any group rises, that is truly 'right on', and gives people more reason to really feel alive, you see that sort of thing go on. In a very minuscule way.

I mean 'light years away', like 'if things followed their natural course, it would take millenia even from where society is today'. The inevitable future, but the impossible to obtain future.

A good saying from economics, by Kenneth E Boulding (no idea who he is, just a good quote):

“Anyone who believes that exponential growth can go on forever in a finite world is either a madman or an economist.”

People have in their hearts and minds that idea of exponential growth, of the infinite, in a good way, but the world is a finite one.

So, the very, very far future? Very, very so less finite. In the badness of what that finiteness means. Scarce resources. Scarce happiness. Scarce beauty. Scarce wisdom. Scarce knowledge. Scarce lifespans. And on and on and on.



BrainiacAugust 8, 2015 1:04 PM

A well rounded and comprehensive education solves most issues. Most people seek out someone to solve their problem as though a mystical force (literally their perspective, i.e. superstitions. a.k.a religion) only endows certain people with the ability to solve a problem. But if people just learned a bit extra about everything as they encounter issues, after a while they can solve their problems themselves. Especially when encountering a new not previously encountered issue.

The main issue is the lack of critical thinking skills. Most people take the attitude of memorization of what works. Solving problems is about figuring out what does not work. Why does something not work a certain way? Sure, an understanding of how something works is necessary, but without being able to look at something and think "that will not work because..." is more important than wrought memorization of other peoples work.

Gerard van VoorenAugust 8, 2015 1:06 PM

@ Apprentice

Although admitted I haven't eaten my own dog food yet, I would suggest Qubes OS and use the programs provided by the system.

SmirkAugust 8, 2015 1:07 PM

@John Galt III

I know that greed and the "establishment" are a powerful force now. But i believe we are going slowly towards a marginal cost society which will disrupt the current capitalist system. But also technologic innovation is now going to be a important factor ( but then again you have a point which we see in the problems with patents and companies withholding innovations to squeeze the last dollars out of old products/services)

@Strange
Quote: " The best idea I have seen here, and which I have considered myself, is making "democracy" far more distributed and granular....."

But how can we have a more distributed democracy when it takes decades to inform people to make a real decision because for me the real problem lays with the people who say "but what is in it for me in the next week/month/year/life"

StrangeAugust 8, 2015 1:56 PM

@curious

I'd say that I smell a logical fallacy there. A new exploit/bug obviously isn't "every" exploit/bug, so an argument that NSA wouldn't catch everything, ultimately doesn't mean much.

Not what I was saying, however. I am not invalidating your comment. It is a perfectly reasonable, fine comment to make.

It is a perceptive and right consideration to have, in terms of considering all angles of an issue. Which is what people need to do so very much more of. Myself included.


This had me think of that Microsoft boss on twitter that sort of referred to this notion of Windows 10 tech preview not having a 'keylogger', as in thinking of it as being a "myth". Ofc, unless things are disproven, it is all open to call something a mere 'myth'. And so "myth" with me ultimately didn't mean much to me.

Yeah.

Believe me - though you won't - I deal with what is considered "myth" every day. It is real, and people don't know about it. Even if they were to consider it, they would quickly rule it out.

As this effects their security, their life, their very future, it is a painful perspective to have in those terms.

It is not just one thing, though I express it that way. It is a long list of things they rule out.

It *is* good to truly not rule out *anything*, if it is done in a healthy way. That would be the pursuit and perhaps even ideal of a truly open mind. One who perceives, acts, takes in knowledge, and is not glued up by what one thinks one knows.

So, part of that stance is not getting glued up, mentally, with incorrect perceptions.

I have one perspective of the NSA, you have another. For me, I have verified this or that, for you, you have verified or not been able to verify other things about the NSA.

From my perspective: **maybe** the NSA and even intel [the company] knew about this long ago. **Maybe** they exploited it and routinely exploit it. **Maybe** they exploit it in a meaningful matter, whether dangerous or benign. Going beyond literal exploit of it, to "exploit the data they get from the attack in a meaningful matter" -- extremely doubtful. From my own perspective.

Maybe they put in a hardware bug at the design phase of Intel. Now, that? I would be surprised if they did not. Maybe this was one of them. Or maybe it is something much worse people do not know about. Is this the bug? The article did not get so much into rootkit capabilities, but mainly focused on destructive capabilities. So, I do not think that would have likely been 'the' or 'one of the' **intentional vulnerabilities**. "Intentional vulnerability", aka, backdoor.

Gov to corporate interaction is something else. Gov may have people at corporations who are nimble and effective. But, even coca cola only has two people who know their secret formula. If they were stupid enough to truly collude with corp, they would be far, far less scary.

StrangeAugust 8, 2015 2:10 PM

@smirk

But how can we have a more distributed democracy when it takes decades to inform people to make a real decision because for me the real problem lays with the people who say "but what is in it for me in the next week/month/year/life"

That is one big reason why what I was talking about is the very, very far future.

Now, do not understand me. Time is relative, and in a personally meaningful way.

What I mean by that is, hard to explain, but if you have ever had a really major life change and then looked back on the past and considered how much time has past. For instance, some people say "I lived twenty years in that five years". And, equally apt,"I never dreamed this was how my life would be".

But, aside from natural adaptation, that would require one really supermassive deus ex machina.

Reality would have to be very much 'not what people think it is', or some other really massive thing like that.


Setting those possibilities aside, then, one can dream and attempt to imagine such a very far future, but should simply be content with living a very short life and never being able to see anything truly amazing come to pass.

Even the very next day for human beings is extremely ambiguous. We have the mental illusion it is not, but really do not know. That is just an deep over simplification of reality which we use to get along through the day.


Mute SalmonAugust 8, 2015 2:58 PM

@Apprentice:

QubesOS is amazing, but if you've never touched a Linux box before, I would recommend starting with Fedora to develop some familiarity with the desktop environment and, ideally, the command line terminal before moving on to QubesOS.

My advice is to install VMWare and start playing with a VM of Fedora from within windows before switching over to Linux. Give yourself a couple of weeks. Google lots of things up, try lots of different things.

I would be inclined to use native Linux alternatives to the windows software, instead of using wine. You'll find that you can do certain things in Linux that you couldn't do in windows and vice versa. If you really are stuck with a windows software that cannot be replaced (e.g. for work), remember that you can have a dual boot system allowing you to boot your box into either windows or Linux, or you can run windows as a VM from within Linux.

There are lots of blogs and forums with help for Linux users, mostly arranged by distribution. Most distros also have their own IRC channel, where you can get real-time help from fellow users.

When you feel ready to migrate your data to your new Linux system, make sure you back everything up in the new system (I love rdiff-backup!).

Explore, and have fun.

Bob S.August 8, 2015 3:47 PM

Updating to W10 is not mandatory or necessarily automatic.

To stick with W8.1 or whatever, goto Programs and Features/choose Installed Updates in the upper left area then seek out any of these updates and uninstall them:

KB 3035583
KB 2952664
KB 2976978
KB 3021917
KB 3044374
KB 2990214

Most or all will likely pop up again in windows update, but then make them hidden when they do.

The Windows 10 icon will hopefully disappear. Unfortunately, it seems the updates keep coming back like a bad penny, but someone will find a way to make them go away for certain I am sure.

The bottom line is, W10 is not mandatory. Even if you do go for it, many of the worst spyware features can seemingly be disabled. Maybe.

tyrAugust 8, 2015 4:43 PM


@Clive

Back on the speculative end of things. How would
you feel about reworking the Net as a packet
delivery system? Without all of the centralized
control freakery that has grown up likw weeds.
If the compute power is at the end user machine
and the only thing the Net does is deliver the
end users packets, the attack surface becomes
what receives the packets. As long as the model
is to run interpreters locally which are fed
code from remote systems there is far too much
opportunity for the remotes to play with the
end user.

Most of the material I see (email) looks like an
advertisement deliver system badly designed by
clowns who consider delivering the mail some
kind of nuisance. Similarly if you send me the
text I can make my own PDF if I need that level
of functionality. Adobe finally shot off their
own foot by adding so much crap to their reader
that its insecurity sent people screaming away
to other programs. The add everything to what
should do a simple task is where a lot of the
problems are coming from. IoT makes my skin
crawl from the very concept. I don't want a
talking toilet making remarks about stool samples.
But I'm afraid once I say that some ass will
start building one.

65535August 8, 2015 5:09 PM

@ Clive, Nick P and others knowledgeable about with soft-power switches, DHCP, Magic Cookies, and the ability to turn on microphones and camera’s, I have a few questions [excluding the pwning of EUFI and TMP chips]:

1] Given the governments ability to silently turn on cell phones and record through cell phone microphones and cameras does this ability apply to other electronic items like computers and iPads, and so on? How far does this "soft power-switch" problem thing go?

See discussion of soft power switches on mobile phones:
https://www.schneier.com/blog/archives/2015/07/friday_squid_bl_489.html#c6702506

2] Give the ability to do the above and the current discussion of jumping air-gaped computers via Funantennas, DROPOUTJEEP, and the like, would configuring a number of power strips with hard off switches stop the “real time” ex-filtration of data when the computer or phone has been physically disconnected or the power/battery removed [the power strip switch acts as a Hard Power Switch]? By “real time” ex-filtration of data I am excluding cache’g of data to be ex-filtrated at a later date and other tricks?

I mention this because a client bought a new Laptop with Win 7 Enterprise on it [instead of Win 10 or Win 8.1] to avoid the constant data ex-filtration techniques of Microsoft in its newer systems – also his employees are more accustom with Win 7 pro/enterprise – which decreases the learning curve. But, there should be some air-gapped machines which hold encryption keys at the ready - air-gaped with power disconnected by a power strip switch.

SpokyAugust 8, 2015 6:05 PM

Does Qubes OS support full disk encryption during installation?

If yes, suppose I need a really secure OS with good defences against rootkits and various attacks, does Qubes fit the bill? Or is there any better alternative?

SpokyAugust 8, 2015 6:08 PM

@65535

Don't Intel-based computers have things such as Smart Connect that basically do the same thing?

a ghost only you can seeAugust 8, 2015 6:40 PM

@Brainiac

The main issue is the lack of critical thinking skills. Most people take the attitude of memorization of what works. Solving problems is about figuring out what does not work. Why does something not work a certain way? Sure, an understanding of how something works is necessary, but without being able to look at something and think "that will not work because..." is more important than wrought memorization of other peoples work.

This is true, but regular education does not teach this. Regular, Western and Eastern education teaches rote memorization. This is why, when you are well read, you see people citing the same things without even realizing it. When the material is more obscure, there may be more of an illusion it is actually a product of independent thinking. But, the reality is they simply were given choices and picked the choices made available to them. Usually without any sort of 'gaming' whatsoever. Problem is the choices presented were just that which the teacher, the professor, the teaching committee, the political parties, the religious parties, modern science, and so on knew.

And there are deep set social and individual factors engaged in that very process.

Picking a truer but less popular 'set of knowledge', for instance, won't make a person feel significantly better. They may wonder if they made the right choice. They have deep, personal concerns. 'How will I get a job', 'how will I find a good spouse', 'how will I advance', 'how will I get what I want' (which is often very strange and foolish, like 'a big house' or 'to hunt wild lions in Zimbabwe' or 'to be the most popular', and so on).

Frankly, as well, 'the supernatural' has very little to do with any of that. The reality is people want to know where their next meal is coming from, to have sex, to sleep well, to have productive social relations, to evade illness, and other such material concerns as this.

So, of course, there has not been so much thinking on thinking.

People often are not even aware just how their mind operates in that way. Far less, how to train it. But, because of MRI, there are some very productive studies.

Good quote:

http://www.apa.org/science/about/psa/2009/10/sci-brief.aspx

We have learned - especially in the Western world - that conscious deliberation is the holy grail of decision making. This idea needs to be revised. Sometimes conscious thought is more helpful, but sometimes unconscious thought is better. The important avenue for future research is to establish the circumstances when one strategy is better than the other. Perhaps because we have learned that conscious deliberation is almost always good, some people are surprised by, or skeptical about, findings that unconscious thought is helpful, or more generally, that we can perform very useful cognitive operations without conscious guidance. However, our evolutionary history should make clear that it is not surprising at all. Decision making is much older than human consciousness as we know it, and as with all such ancient abilities, we are generally quite good at them if we rely on our unconscious.

That whole set of studies is highly worthwhile to read if you come to the conclusion that people are not being trained in rational thinking at all. Not by the modern, normal, education system.

What often passes as rational, critical thinking is just someone telling you their thoughts and beliefs are rational, critical thoughts. Additional evidence, at times, may include "it is different then what you believed before". So, therefore, it is "critical". But, that is just "critical rote memorization", as opposed to "critical thinking".

It is easy to tell if you do engage in a lot of true critical thinking: do you spend a lot of your time actually thinking? Do you deliberate on matters? Do you have, on a frequent basis, thinking goals which involve making choices about 'what is right','what is best', 'what is heaviest'. Is it goal oriented, are you personally invested in making the best choice? How do you keep track of all the possibilities? A chalkboard? A pen and piece of paper?

Do you often spend time alone, just thinking. Maybe walks, baths, whatever. As opposed to constantly talking, reading, watching, listening?

Very easy these days to wake up, make it through one's day, and with all the sources of input be doing nothing but passing input back and forth. Human conductors of information, where the information is slightly tempered by one's own experiences.

Or, when people do engage in deep thinking, it might just be "how do I write this software program", "what is the best product to buy in this case", "how should I best approach this business deal". But, even that will usually be very short circuited by constantly gabbing and listening and watching. TV, Radio, Social Media, Books, conversations...

Clive RobinsonAugust 8, 2015 7:11 PM

@ tyr,

How would you feel about reworking the Net as a packet delivery system?

I would much prefer it, but I would also like it to be halfway between "packet switched" and "circuit switched" that is circuit switched has a lot of advantages over packet switched, however it's wasteful of bandwidth for non continuous data streams (audio, video and similar are continuous, comand line and similar are not). Designing such a system ahould not be difficult, and it would resolve a number of issues more equitably.

As for "interpreters", unfortunately they are a "can't live with them, can't live without them" problem. If you compare the bandwidth of a three page document in "text", "RTF", "DOC", "PDF" and "2400dpi FAX" and what you get in terms of formatting it's easy to see why "text" and "FAX" are not popular and why the others all need an interpreter...

And it's not just printed text, it's pictures, audio, video and most other "formats", raw digitized analogue world have huge bandwidth, plenty of redundancy and thus lots of issues with storage, privacy and timelyness of presentation.

Finaly as for a "poo-bot loo" they already exist... As far as I can tell it started with those who live in North West Continental Europe, where the toilets have a "shelf" design that catches it and presents it for visual display prior to being flushed... The Japanese in their quest to make all things digital have gone further with basic chemical analysis, and it's said that one of the "Dot Com Kings" has taken his loo considerably further and in the process discovered and thus received successfull early stage treatment for what may otherwise have been a fatal condition...

However I am reminded of the Douglas Adams line about the tourist planet that was so popular that it was starting to lose resources so it implemented a system where by any imbalance between what you brought and what you consumed was corrected by surgery, thus it was vitaly important to get a recipt each time you used the bathroom...

albertAugust 8, 2015 7:24 PM

@Apprentice,

Good advice from @Mute Salmon.

Depending on your level of expertise (the things you need to do), Gimp might suit you as well as Photoshop. Libre Office for MS Office, Ardour (or Audacity) for Pro-tools for audio. Cinelerra for video. (I'm not familiar with commercial non-linear video editors). Wine can run lots of Windows programs. It's worth a try first. Check their website for compatibility.
I stay with Linux, and only run a few things in Wine, nothing in Windows.
.
Set up a separate Linux box (you don't need SOTA hardware), then get used to it. I like the look and feel of GNOME 3 (a bit like WinXP); Research and test the various kinds of the Linux equivalents of the software you'll need to use. Running a small business complicates things a little, because you probably have everything running on one Windows machine now.
.
Ideally, you should do your banking on a separate Linux machine, which boots from CD (or USB), and only connects to your banks website, no others. _Nothing_ else running on it but the browser, which is a weak point, and needs configuration). OK, maybe accounting software (without network access). I have separate bank accounts for business and personal use, (For online ordering with debit cards, get another account). They are independent of each other.
.
No wireless. If you need wifi, get a separate line. I created a spreadsheet for accounting, which keeps track of income and expenses, including a summary page for my tax guy. It's a little extra work each month, but no work at tax time, and it's free.
.
Let us know how you do.
.
. .. . .. o

tyrAugust 8, 2015 7:29 PM


@Clive

https://medium.com/equal-citizens/america-s-technical-debt-c7dd6ad4a682?source=1

As a rephrase of the last question. What is
the technical debt of the current interNet
incarnation ?

We know it's completely wandered off from the
original purpose, and has been assaulted by one
and all with creeping featurisms. Is it really
the best way to do all of these tasks or is this
just humans being too lazy to think about how to
do things ?

I realize one major solar flare pointed right at
us will give a definitive answer but the problems
of living through the consequences are mind boggle.

Discussions of the details may solve minor parts
of these problems (how to make a phone that's not
a spy) (how to make your computer auditable for
things not supposed to be in it) but someday the
bigger picture needs to be discussed before we go
over the cliff and become a nice set of ruins for
the ignorant to wander through.

Clive RobinsonAugust 8, 2015 7:32 PM

@ 65535,

The issue with "soft" switches be they for power or anything else, is that they are not real switches, with real fairly reliable physical behaviour. They do what ever the "software" is programed to do to the underlying hardware and user interface. As we know these days software is most definitely not "firmware" and can be changed almost at will, by a whole cast of charecters many of whom you would not want within a thousand miles of you, let alone changing things in yours and your loved ones devices without your knowledge or consent.

Nearly all modern computers are "soft switch driven" and never power down entirely. This is especialy true of business class machines with "wake-on-***" functions where the LAN can be used to wake it and apply updates or do backups etc, etc, etc.

This is true of some laptops as well which means they can be very vulnerable to "drive by" or "walk past" attacks that a moderately knowledgeable attacker has set up. Worse laptops tend to "suspend to memory" which can be a disaster for ill thought out security, because crypto keys etc can end up in RAM etc that can be fairly easily dug out by forensic tools.

The moral is "Don't buy electronics you can not reliably turn off", which means most modern mobile phones, pads, netbooks and laptops.

This problem will get one heck of a lot worse in the near future with the likes of FeRAM that retains it's contents even when turned off... Great for fast boot up, bl**dy disaster for security.

Nick PAugust 8, 2015 8:33 PM

@ tyr

"What is the technical debt of the current interNet incarnation ?"

You're going to need a 64-bit variable for that one. Showing that formatted as $ to vendors supporting Internet compatibility should end the project immediately. ;)

@ 65535

To add to Clive's conclusion, you can get very usable systems out of the x86 and RISC boxes built before power management or always-on were mainstream. All kinds of them on eBay with native OS installed, some communities maintaining modern libs for them, and actively-maintained Linux/BSD ports to them.

Clive RobinsonAugust 8, 2015 8:35 PM

@ tyr,

As a rephrase of the last question. What is the technical debt of the current interNet incarnation ?

Firstly I don't like the term "technical debt" because it has an underlying assumption that is not valid.

To explain why go back to DOD IP -v- ISO OSI, why did DOD IP win the race and become the defacto standard with it's huge "technical debt" when ISO OSI would have given us none of the current "technical debt"?

The real answer is "the reality of resouces", ISO OSI was thought up independently of the constraint of the reality of resources, DOD IP was thought up within the constraint of the reality of resources.

That is IP was a pragmatic approach to getting a working solution at the time when resources were very constrained. ISO OSI would not have worked on the resouces available untill ten or twenty years after people started thinking about it.

The problem of course is the "legacy issue" IPv4 was known to be inadequate more than a quater of a century ago, and IPv6 was ready to run over twenty years ago. Are people running v4 or v6, the answer is the majority run v4 and even when they do run v6 they use only the lowest parts, that are more or less v4 compatible.

Legacy trumps sensible practice let alone good or best practice, and acts as a huge anchor on development.

Technical debt, rarely mentions the resource limitations or the anchor effect of legacy.

You need some kind of hard epoch that can not realy be cheated to resolve this. The only one most people can think off --if they are 35 or older-- is Y2K, where the boat anchor of legacy turned a technical debt into a financial debt of such proportions that some companies did not survive the cost, which got exponentialy more expensive the closer to the deadline they waited before acting.

Legacy has two cost components, current cost and future cost. Doing nothing now reduces current cost to minimal spend thus increases short term profit at the expense of the future viability of the organisation. Short term "shareholder benift" forces the legacy issue into a longterm debt, that grows exponentialy, but hidden untill an event happens that forces "future cost" to become "current cost" with often dire results. We have seen this more recently with Micro$haft "End Of Lifing" Win XP and setting future support costs to ridiculous levels. Mostly badly budgeted Government Departments have been worst hit, and the response almost comical. In the UK the Government decided to go "Open Source", Micro$haft through the toys out of the pram and got their senior execs to phone UK MPs with "Microsoft employment" in their voter area and threaten to pull out and sack everybody unless the politicos voted against the "Open Source" drive... Hopefully the politico's will call Micro$hafts bluff and not get blackmailed into buying overpriced OS and App licences and support.

Thus the real issue is how to deal with the legacy issue, in a way that everybody pays a small amount, not exponentialy due to shareholder demands...

ThothAugust 8, 2015 9:18 PM

@all
Quite surprisingly, the TextSecure codebase is a really huge codebase and it's really hard to do a one man audit on that stuff and to add on to the difficulty of single handedly auditing a huge security application codebase, the Android architecture of splitting codes and text file configurations and GUI into so much different components and formats makes auditing even more painful.

I would suggest Google to scrape it's current Android development process of having XML and text + Java code hybrid mixes and simply stick to pure Java for codes and text for configuration instead of mixing both.

Talk about secure phone applications or even secure phones. Very few even put in the slightest efforts to do anything meaningful or significant which is why everyone of us deems that phones are very hard or impossible to secure due to the lack of appetite and technological efforts besides the Warhawk Govts' appetite for more robust exflitration and spying.

65535August 8, 2015 10:21 PM

@ Spoky

“Don't Intel-based computers have things such as Smart Connect that basically do the same thing?”

I know I saw a Smart Audio screen on his computer and I believe the puter is powered by Intel chip set – but the Bluetooth interfaces where supposed to be disabled. I will have to call him on a work day to verify this technology.

How should it be “turned off” so to speak? Would it be services, hardware driver, or some other way?

@ Clive

“Nearly all modern computers are "soft switch driven" and never power down entirely. This is especialy true of business class machines with "wake-on-***" functions where the LAN can be used to wake it and apply updates or do backups etc, etc, etc. This is true of some laptops as well which means they can be very vulnerable to "drive by" or "walk past" attacks that a moderately knowledgeable attacker has set up. Worse laptops tend to "suspend to memory" which can be a disaster for ill thought out security, because crypto keys etc can end up in RAM etc that can be fairly easily dug out by forensic tools.”

Thanks for that feed back. I believe your 100% correct.

How about the power strip with a hard off switch connected to these devices? Would turning off the power strip to the PC serve as a hard power switch?
As for laptops I know you can remove the battery from most and still power them via power converter/battery charger. Would removing the laptop battery and using the above power switch with hard power toggle work?

@ Nick P

“To add to Clive's conclusion, you can get very usable systems out of the x86 and RISC boxes built before power management or always-on were mainstream. All kinds of them on eBay with native OS installed, some communities maintaining modern libs for them, and actively-maintained Linux/BSD ports to them.”

That is a good option for some. But, this particular customer is a windows 7 shop and only use Windows 7 for a variety of reasons [ease of use, programming with dot net, and so on] so convincing him to use Linux/BSD systems is not on the table. I don’t think he handles any classified data. It’s just a small business outfit with low but reasonable security needs.

What is your opinion on using a power strip in the manner described above to act as a “hard” power switch so to speak? See my reply to Clive.

Nick PAugust 8, 2015 10:56 PM

@ 65535

Should be fine as about anything they do will need the power-source outside of interdiction. I doubt your client is an interdiction target. So, making sure no power gets to the device at all should knock out CPU and most useful components. Only question is whether modern laptops have any functionality backed by an internal battery other than main battery. I can't remember as I haven't looked into one in a long time.

Remember, though, that we're speculating on the rarest kinds of attacks. The computer is more likely to be hit by malware that circumvents the OS and lately firmware. The malware will phone home when or how it's able. So, interface protection and app protection of whatever type you can do are quite important. Plus, have him regularly (eg weekly or monthly) restore from known-good backups on write-once media (eg DVD-R's). Helps to separate system and data partitions so data can be protected with Truecrypt derivatives while system partition's restore is faster & has less DVD's.

65535August 8, 2015 11:50 PM

@ Funny Clone

“Why not run W7 inside virtualbox under linux?”

This is a good idea. I have suggested that to him but he declined. He said his Win 7 boxes have a variety of ram configurations due using both 32 and 64 bit version. I recall his saying that the ram in each box can be low or high [I believe between 2 GB and 16 GB].

On boxes with 2 GB of ram virtualbox could slow the rather heavy Win 7 systems – as I understand his assessment – ideally, that the virtualbox solution would be a good choice.

I'll suggest a ram up grade but I am doubtful he will want to buy the additional ram and have it properly installed. He is on a fairly tight budget due to current economic conditions.

@ Nick P

“I doubt your client is an interdiction target. So, making sure making sure no power gets to the device at all should knock out CPU and most useful components. Only question is whether modern laptops have any functionality backed by an internal battery other than main battery.”

That is a good point.

I believe some laptops have relatively powerful capacitors which can probably keep the CPU going for over a minute or so – I could be wrong. I’ll have to test his laptops if possible – after flipping the power switch on the power strip.

“Remember, though, that we're speculating on the rarest kinds of attacks. The computer is more likely to be hit by malware that circumvents the OS and lately firmware. The malware will phone home when or how it's able. So, interface protection and app protection of whatever type you can do are quite important. Plus, have him regularly (eg weekly or monthly) restore from known-good backups on write-once media (eg DVD-R's). Helps to separate system and data partitions so data can be protected with Truecrypt derivatives while system partition's restore is faster & has less DVD's” –Nick P

Very good points. I know he does use external HDD’s for back up. DVD–R would be a better choice assuming there is enough time to burn the DVD-R’s during non-working hours. I will suggest that to him.

Thanks for your input.


Nick PAugust 9, 2015 12:03 AM

@ 65535

I might have made a mistake there in how I said something. Regularly restoring from backups isn't good enough. The thing is that you regularly restore from clean backup, apply updates, do any app/config changes, back that up immediately, and so on. In between these, you do your regular updates and incremental backups for more minor issues. These larger steps are to try to flush out bigger issues by making sure the system is in a clean state when it processes updates and full backup. Not sure if it's absolutely necessary but it's something I did on Windows machines. I used an Acronis Boot CD for it, too, so it didn't happen under Windows' control.

Gerard van VoorenAugust 9, 2015 1:11 AM

@ Spoky,

Does Qubes OS support full disk encryption during installation?

Yes.

If yes, suppose I need a really secure OS with good defences against rootkits and various attacks, does Qubes fit the bill? Or is there any better alternative?

I would really suggest reading the documentation, including architecture overview, FAQ and the slides of the various presentations on www.qubes-os.org. There is plenty of documentation.

To answer your question, OpenBSD is probably 'the best' when it comes to a secure OS today and if you aren't afraid of the command line and are willing to read the manuals (this is essential), OpenBSD's simplicity can be highly appreciated. But if you are a busy end-user who isn't interested in technical details, I think that's when Qubes OS comes in.

@ 'Android, the Most In-Secure OS Ever',

The most insecure (mainstream) OS contest has been won by Microsoft Windows-XP. Hands down.

65535August 9, 2015 2:29 AM

@ Nick P

“I might have made a mistake there in how I said something. Regularly restoring from backups isn't good enough. The thing is that you regularly restore from clean backup, apply updates, do any app/config changes, back that up immediately, and so on. In between these, you do your regular updates and incremental backups for more minor issues. These larger steps are to try to flush out bigger issues by making sure the system is in a clean state when it processes updates and full backup. Not sure if it's absolutely necessary but it's something I did on Windows machines. I used an Acronis Boot CD for it, too, so it didn't happen under Windows' control.”

I see what you are saying and I agree.

Currently, the client uses 3rd Party backups in addition to MS backups to the external HDDs. The buring of CD-R/DVD-R is a good option.

He uses both a File level backup which I believe is a form of XXcopy or XXXcopy and an imaging backup like Acronis, Drive image XML, and ghost on a live CD in the event he has to wipe the drive and re-install the Win 7 OS. But, there is a time issue involved so he does the best he can with both.

I forgot to say he does try to use 2 different AV solutions but one must be resident in memory and one non-resident in memory such as Malwarebytes [free addition to keep the AV from fighting with each other]. He has had very few times where a virus will slip through and corrupt the OS. He has a tight control over his employees and what they can do via the internet. It not perfect.

That said, the real question is if the TLA’s have infected his network with rootkits from the Hacking Team or Vupen. His routers do keep logs and he does backup those logs when full. I then can go through the router/firewall logs and block sites – which I do – including most of Russia and China.

It is not a perfect setup but then he doesn’t handle and classified data. He is just a small business operator. There is always a cost/benefit decision to be made [and time constraints].

The whole idea behind the power strip switch is to shut down the more sensitive machines like the box that holds encryption keys to reduce the possibility of data ex-filtration while the machine[s] are not in use - a hard power switch thing.


Clive RobinsonAugust 9, 2015 4:58 AM

@ 65535,

The first step to backing up systems, comes before you install the OS [1] .

You need to consider how to partition the hard drive to make both maintainance easier and detection of file changes --that should not be changed-- easier. Running a modern equivalent of Tripwire can be quite helpfull especialy if not done through the main OS.

Also consider ditching the Internet, WiFi, USB and one or two other non-necessities [2] doing so can save costs and other legal issues.

If you do ditch direct internet connection, you can also consider not using AV software, it's been shown time and again to decrease both stability and security, whilst offering little utility --against the latest malware or spyware-- in a correctly isolated network setup. This does not mean that Email and similar external person to person communications needs to be stopped, just that it should be setup correctly and Microsoft Products are most definitely not your friends with this.

Further having ditched direct internet connection "patch madness" can be managed more easily, and testing of OS and App patches becomes more realistic and less stressfull. With appropriate backup planning you can roll back fairly easily if patches are found to be problematical.

Finaly one of my mantras is "Paper Paper, never data", whilst this is for dealing with external usually hostile entities, it does have a baring on how you do business, and reduce your future costs.

Firstly don't use fancy features of applications, that require the use of unknown binary file formats, text based formats are generally more difficult to hide things in, and way way easier to convert or run with other applications. The need to use compressed media files is also not realy required thus open format with minimal interpretation required is a good way to go.

Further think about storing documents etc "as though printed" that is once finished "print to file" via postscript etc and store them in an appropriate database system such that they are easily searched and accessed (surprisingly this is actually easier to do than most people realise). It makes "future costs" way way less and migration way way simpler, and thus also alows organisations to step out of the "Hamster Wheel of Pain" of endless unpland upgrades etc caused by OS and App vendors need to raise revenue streams.

[1] Microsoft have over the years made this progressivly more difficult, and I can not advise on Win7 or above as I stopped at XP as did those I was supporting due to stability and resource issues (which appears to be the case with many many people).

[2] The whole "Internet connected in business" is actually very much over rated and not many workers actually use it let alone require it for their work function. Likewise not needed is the pluging in of headsets and storage of music on work machines. As for games etc... Stopping all of these activities will make the system more secure and importantly less costly to run. And might actually be more productive.

Gerard van VoorenAugust 9, 2015 5:26 AM

@ Apprentice,

One thing I forgot is maintenance. When you are the one who is 'responsible' for maintaining the systems, this could cost quite a lot of time.

In Linux there is a thing called 'dependency hell', similar to 'dll-hell', but a bit different. Let me explain.

A month ago I wanted to install GnuPG 2.1.6 because it contains Curve25519 crypto. At that time there were no easy installers so I decided to compile from source. I grabbed the 4 tarballs (it turned out you need 5) and extracted these. In the gpg dir I started ./configure and *error* you first need to install libxx. So I went to libxx and did the same thing. *error* you need to install libyy first. So I went to libyy and did ./configure and after that 'make' and 'make install'. The usual compilation output diarrhea appeared on the screen but it went fine. I continued installing the 5 libs and it was okay. Then I went to the gpg dir and ran ./configure. *error* you need gcc version xyz. At that time I pulled out some hairs. There was no way I was gonna install gcc xyz on Ubuntu 14.04 because of dependency hell. So I updated the system to 15.04. *error* first you need to update to 14.10. Anyway 2 hours later (and one sneaky question about a configuration file that was gonna be replaced but thankfully it showed the diff) there was 14.10. Two hours later 15.04. And then I could install GnuPG 2.16 without any errors.

For one system update this is okay-ish, but for a couple of systems, this is not acceptable. If you want to avoid this, I would suggest to read the NixOS documentation. The main benefit of NixOS is that there is only *one* root configuration file, that is easily deployable. It is a brilliant system.

When it comes to sharing files, I would suggest SFTP with Curve25519 crypto. Just share a subdirectory on one system and mount the share on the others. Or otherwise use Syncthing.

Festive TugboatAugust 9, 2015 6:42 AM

@Mike the Goat:

Welcome back. In the previous thread, you mentioned something about Tor enhanced visibility attacks. Do you have links for that?

8bitAugust 9, 2015 9:59 AM

Note: the "malware" in the article is not officially-recognized-malware-in-the-wild but something created by security researchers for a demonstration

New malware turns your computer into a cellular antenna
http://www.computerworld.com/article/2966038/security/new-malware-turns-your-computer-into-a-cellular-antenna.html

A group of Israeli researchers have improved on a way to steal data from air-gapped computers, thought to be safer from attack due to their isolation from the Internet.
They've figured out how to turn the computer into a cellular transmitter, leaking bits of data that can be picked up by a nearby low-end mobile phone.
While other research has shown it possible to steal data this way, some of those methods required some hardware modifications to the computer. This attack uses ordinary computer hardware to send out the cellular signals.
Their research, which will be featured next week at the 24th USENIX Security Symposium in Washington, D.C., is the first to show it's possible to steal data using just specialized malware on the computer and the mobile phone.

burly pendulumAugust 9, 2015 11:08 AM

@8bit
"The data scrambling systems used by millions of web servers could be much weaker than they ought to be, say researchers."

Basically, what the article is saying in a long-winded way is that some servers are not generating enough entropy. There are plenty of easy solutions to that for those who care enough to search.

Nick PAugust 9, 2015 11:14 AM

@ 65535

Get him on a sandboxing solution w/ whitelisting. The whitelisting is useful to restrict what apps employees can use and protects them from some social engineering. The sandboxes obviously isolate things but tools like SandboxIE also prevent buildup of garbage (including tracking data). Do some Googling on these tools to find what top reviewers think is best at the moment.

Additionally, make sure he's using non-standard programs for risky formats. Foxit Reader for PDF's come to mind. Alternative office suite. Different media player that can integrate with browser. And so on. Whitelisting, sandboxing, and hardware/software diversity were my approach to preventing TLA attacks that had little recon. Should work for him.

Brown TortelliniAugust 9, 2015 11:20 AM

@Curious, burly pendulum and everyone else:

What is the simplest way to measure the entropy provided by /dev/random or /dev/urandom?

SmirkAugust 9, 2015 11:30 AM

@Strange

I understand you. But if we know this and we also know that we cant force insight and critical thinking skills onto people then isnt it time to have a requirement that states that you have an understanding of the topic you will be voting on?

Also do you perhaps know sites/blogs/whatever which perhaps maybe be of interest?

AnuraAugust 9, 2015 11:39 AM

@Brown Tortellini

I would forget the idea of measuring the entropy entirely, and stick with /dev/urandom. There are tools that will "measure" entropy, but they don't actually measure entropy - indeed, it's trivial to make an RNG with a tiny, easily recoverable state state that any tool will come back and say "yep, completely unpredictable" even though everything can be predicted from the first fee output words.

princetonAugust 9, 2015 12:04 PM

MORE TRUECRAP NEWS

The backdoored version of the file and disk encryption application was only served to specially targeted victims. In addition to serving trojanized TrueCrypt, the domain acted as a C&C server for compromised software. The malware is programmed to steal passwords and sensitive information from infected systems, and send the data back to the C&C server.

http://m.theregister.co.uk/2015/07/30/truecrypt_ru_hub/

Malware used to attack Ukrainian government, military, and major news agencies in the country, was distributed from the Russian portal of encryption utility TrueCrypt, new research has revealed.

Sancho_PAugust 9, 2015 12:33 PM


@ all computer conspiracists, @65535, @Clive Robinson, @Nick P
Re “soft switch”

To (hard) switch off the computer is great, but (for SOHO):

a) The real evil in the room is your router.
Very likely your ISP (and others on the line / Net) have _full_ access to that box.
One may switch that power too, but I’d recommend to disconnect the router’s WAN line (which e.g. powers the telephone …) by a relay.
As @Clive said: Use it when you need it.

b) Think about the WiFi enabled inkjet. Switching power may drain a lot of ink, though.

c) The switch in a simple “power strip” will be unhappy about powering on (several) modern power supplies, the spike is just too high, it may close once and forever (although there’s one working for years now at a friend of mine).
To visually check that the power is down you’d need an optical control.
Therefore it’s best if one can see the router LEDs, esp. the WAN activity,
also to encounter heavy unexpected traffic during working.
Sorry for the inconvenience.
/tinfoil-hat

@65535
AFAIK a laptop with battery should never be on power when it’s not in use, keeping Li-Ions fully charged may reduce their lifespan drastically.
The simple electronic in laptops is not a battery management, on the contrary.
Yes, there is a coin battery for the clock chip, but it can’t power the CPU.
The capacitors could but only for a fraction of a second, and only immediately after power is switched off, so not “useful” for anything.

Clive RobinsonAugust 9, 2015 1:03 PM

@ Brown Tortellini,

What is the simplest way to measure the entropy provided by / dev/random or /dev/urandom?

The simple answer is "First define what you mean as entropy" then you will know what you need to measure and if it can be done.

Which although accurate advice is not at all helpfull, as you are probably thinking right now.

Effectivly what you would be trying to do is "prove a negative" in this case show there is no predictable correlation between bits and sequences of bits from a black box generator.

Even if you could do this impossibility, you would have to do it continuously for every bit generated, which means testing it against every bit so far generated... Which would take longer and longer untill the generator became effectivly usless.

Further you would have to build the generator yourself, because those that build TRNGs almost invariably can not do it without some problem, so they cheat and use a crypto algorithm on the generator output. This does not increase entropy, only make it substantialy more difficult to detect correlations. This is "magic pixie dust thinking" and has some serious concerns about designers hiding backdoors etc.

This subject comes up on this blog from time to time, if you search for the expression "pixie dust" you will find most of it.

whisperAugust 9, 2015 1:32 PM

Some PDF files from Blackhat 2015:

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Thomas-Advanced-IC-Reverse-Engineering-Techniques-In-Depth-Analysis-Of-A-Modern-Smart-Card.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Bell-Automated-Human-Vulnerability-Scanning-With-AVA.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-MarquisBoire-Big-Game-Hunting-The-Peculiarities-Of-Nation-State-Malware-Research.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Davis-Deep-Learning-On-Disassembly.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Long-Graphic-Content-Ahead-Towards-Automated-Scalable-Analysis-Of-Graphical-Images-Embedded-In-Malware.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Klick-Internet-Facing-PLCs-A-New-Back-Orifice.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Hanif-Internet-Scale-File-Analysis.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Smith-My-Bro-The-ELK-Obtaining-Context-From-Security-Events.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Conti-Pen-Testing-A-City.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Larsen-Remote-Physical-Damage-101-Bread-And-Butter-Attacks.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files-wp.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Ossmann-The-NSA-Playset-A-Year-Of-Toys-And-Tools.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Potter-Understanding-And-Managing-Entropy-Usage.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Kruegel-Using-Static-Binary-Analysis-To-Find-Vulnerabilities-And-Backdoors-In-Firmware.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Morgan-Web-Timing-Attacks-Made-Practical.pdf

Clive RobinsonAugust 9, 2015 1:32 PM

@ Sancho_P,

The real evil in the room is your router.

Yes hence my "Garden gate and path" comments in the past.

Nick PAugust 9, 2015 1:59 PM

Sancho_P has a good point: we shouldve reminded you to put extra focus on router protection. Attacks on them are on the rise. Usually 0-days and config problems. So, best route is an OpenBSD router that you customize, do from a OBSD router distro, or get from vendor (eg Genua).

65535August 9, 2015 2:00 PM

@ Clive

“The first step to backing up systems, comes before you install the OS [1] . You need to consider how to partition the hard drive to make both maintainance easier and detection of file changes --that should not be changed-- easier. Running a modern equivalent of Tripwire can be quite helpfull especialy if not done through the main OS.”

I agree.

The client does use partition method where the OS is separate from the data files. I have considered Tripwire, but at this point in time the budget doesn’t permit it – although that may change in the future.

“If you do ditch direct internet connection, you can also consider not using AV software, it's been shown time and again to decrease both stability and security, whilst offering little utility --against the latest malware or spyware-- in a correctly isolated network setup. This does not mean that Email and similar external person to person communications needs to be stopped, just that it should be setup correctly and Microsoft Products are most definitely not your friends with this.” – Clive

True.

I don’t want to reveal too much of his site setup mapping over the internet but, yes he uses a split system where more critical parts of the LAN are isolated from the outside internet.

Some machines are still on in Workgroup and do connect through a firewall appliance – I am trying to change that [it really a budget problem and license problem]. He does have an update server to relieve the stress on downloads.

“Firstly don't use fancy features of applications, that require the use of unknown binary file formats” – Clive

That is somewhat difficult since it is a Windows shop. It has a LOT of binary blobs – can’t be avoid due to cost of change over at this time.

“Further think about storing documents etc "as though printed" that is once finished "print to file" via postscript etc and store them in an appropriate database system such that they are easily searched and accessed (surprisingly this is actually easier to do than most people realise).” – Clive

He does do some of that. But… see OS X print to file exploit:
https://blog.malwarebytes.org/mac/2015/08/dyld_print_to_file-exploit-found-in-the-wild/

This exploit is a OS X deal but I would guess it can be ported to Windows.

He does use a script where some .prn extension are stripped and replaced with a .txt extension and can be printed to both paper and the screen.

I did neglect to add he does have one LAMP stack with a well known publishing bundle on the top end for internal uses.

“Microsoft have over the years made this progressivly more difficult, and I can not advise on Win7 or above as I stopped at XP” – Clive

I agree that Win 7 is heavier and slower than XP by a margin. But, XP is not supported and will now become a frozen Zero-day system.

“The whole "Internet connected in business" is actually very much over rated and not many workers actually use it let alone require it for their work function.” –Clive

I agree. Most of the work can be done on an isolated LAN. The exceptions include certain accounting/HR program that for some reason must be connected to the internet to even work [suspicious question – as in the NSA wanting connectivity to critical accounting/payroll/HR data bases].

I will note that the client doesn’t handle classified data so he is a relatively low risk target.

There is no storage of games, music or the like allowed and there is very limited use of iPhones due to leaching of time and possibly information. Blue tooth is turned off… as best as we can tell.

What to do you think of the “hard power switch” idea via power strips on critical Boxes that hold encryption keys? See, my above posts.

Thanks Clive.

@ Nick P

“Get him on a sandboxing solution w/ whitelisting…The sandboxes obviously isolate things but tools like SandboxIE also prevent buildup of garbage (including tracking data).”

That is a good idea. I will work with him on that project when time/money become available.

“Foxit Reader for PDF's come to mind.” – Nick P

We already use it.

“Alternative office suite.” – Nick P

That is a non-starter for now. He has sunk costs in Office 2003 through 2007. That would include employee training. I agree the OLE hole is a big problem. I am currently working on fix using EMET and blocking the dll.

“Different media player that can integrate with browser.” – Nick P

No, media player use allowed – saps too much employee time.

I forgot to mention we remove Flash as it is a clear danger. Hopefully, HTML 5 will take its place.

The main problem with his shop is the lack of IT budget. He works on a thin budget due to the economic situation.

Thanks for input Nick P.

@ Sancho_P

“The real evil in the room is your router.”

How true that is. The client uses business class Router/firewalls. Some, are converted servers with 2 nics and Snort style software. It’s is not perfect by any means.

“The switch in a simple “power strip” will be unhappy about powering on (several) modern power supplies, the spike is just too high, it may close once and forever (although there’s one working for years now at a friend of mine). To visually check that the power is down you’d need an optical control.” – Sancho_P

I have tested the power strip switch and it seems to work well. The power spike thing will have to be investigated. There is a 15 to 60 second period where the board is still lit by the capacitors. But, it eventually powers down.

I use a simple visually check – I switch of all lights. The room becomes dark and one can see is any leds are still on [you can actually look through fan exit holes to see the leds on a mobo]. It’s not perfect but better than nothing.

“AFAIK a laptop with battery should never be on power when it’s not in use, keeping Li-Ions fully charged may reduce their lifespan drastically.” –Scancho_P

Well, some of the customer’s laptop batteries are already dead and removed from the unit. The power converter is the only thing power said machines. It’s a low budget shop. Just buying one new laptop was a big deal.

Remember, this customer is a fairly low risk customer – no classified data or the like.

Thanks for your input.

Brown TortelliniAugust 9, 2015 2:20 PM

@Clive Robinson

>"Effectivly what you would be trying to do is "prove a negative" in this case show there is no predictable correlation between bits and sequences of bits from a black box generator."

That makes sense. I hadn't thought of it that way.

In that case, what exactly is the value of /proc/sys/kernel/random/entropy_avail measuring?

a ghost only you can seeAugust 9, 2015 2:21 PM

@Sancho_P, routers


routers...

1. they tend to be poorly updated by end users, corporate, small business, or home
2. they tend to be poorly updated by the vendors who make them
3. the more modern, the more extensible they are, so you can write some pretty sophisticated code to run on them -- even in the early 2000s, though, there were exploits that could trojan every executable downloaded over them (Barnaby Jack, ~2002)
4. they tend to have very poor access controls, with many having default accounts and passwords, or having vendor backdoors for maintanence
5. 'out of sight, out of mind' problem
6. they are excellent leverage points for a mini-cloud of sorts in terms of attacking the systems behind it
7. av or other security endpoint products that run on routers? do not exist
8. many network security products do not have protection for attacks against them, and desktop and server security products of course do not
9. they are often the most front facing systems on the network

There are limitations, of course. Not dissimilar to limitations for intruders on your wifi or landed wire networks. The major one is simply encryption, end to end, which is well down and not easily 'stepped down' or otherwise broken out of.

In the Snowden reports, the US had hacked some Chinese routers. In the 'spiderman'/sandia labs hack/hack back, it was noted Chinese hackers were using routers as temporary storage points for data exfiltrated.

The dangers are faced from everyday hackers, money or political or 'fun' motivated, as well as from nation states.

Tor Help?August 9, 2015 3:15 PM

RATS! as we'd say back in the 70s. Installed Tor Browser, was expecting mild inconvemience (the price of security), but have a big inconvenience instead: Tor Browser does not seem to remember Cookie Exceptions. Wasn't expecting that.

Due diligence found lots of forums that have multiple statements of the problem with no mention of a solution. This appears to be a "bug" even by Tor standards (which I admittedly know little about).

  Win7 + sec. updates, TorBrowser 4.5.3 (i.e. up to date), No add-ons

Can anybody help? Otherwise Tor becomes too much of a burden and I wish to do my part "fighting" the nsa by making their job harder. In return I offer y'all a little secret I just learned: nonbreaking space entities (ampersand-nbsp-semicolon) work within comments - notice that I indented the system descriptiom above. (This isn't surprising, Bruce would never completely give up style, he'd just hide it somewhere. :)

StrangeAugust 9, 2015 3:16 PM

@Strange

I understand you. But if we know this and we also know that we cant force insight and critical thinking skills onto people [...]
Also do you perhaps know sites/blogs/whatever which perhaps maybe be of interest?

You can force insight and critical thinking skills onto people.

A good place to start considering that is realizing 'all stories are autobiographical'. Now, why not all works of engineering, or other deeply involved products people do? Well, something like 'a house' or 'a bridge' is very static. There is only so much of one's own self one can put on there. But, stories are extremely dynamic, especially today, so people unconsciously mirror much truth about their own selves in there.

And so do software programmers.

So, there are many aspects of how modern systems are designed which very well mirror the internal makeup of their creators. And, that well beyond their own understandings. It was and is a more natural, deliberate process of creation. Both individual and social.

You can think, therefore, in terms of "reprogramming" or "creating programs which did not previouly exist", meditating on "AI" is useful for understanding our own selves. Upgrading the underlying hardware, creating a new and better OS, and so on are very useful metaphors for consideration.

VMs and cloud is also a very good metaphor for some of the future looking solutions, metaphorically, for the distinctly multi faceted problem of the modern state of humankind.

Science Fiction writers, are, in a sense, the new prophets. 'Daemon' and 'Rapture of the Nerds' I would recommend the most, there. 'Humans' is turning out very good, but 'AI' and 'Bladerunner' well dropped into some of these problems.

More specifically...

You can force thinking by providing people something to really think about. I think the big, black block in 2001 is a great, metaphoric representation on that. Even if it had no specific "magical" powers besides 'just being there' ('from where??', 'why??'), it serves as a sort of massive anomaly that would force thought. 'Is the world going to end', 'are there aliens', 'what does this mean to the future of humankind, to my own life, my children', and so on.

This sort of problem I have best seen represented in the initial 'Exodus' account, and in 'Wayward Pines'. Whether you consider the Exodus account real or not, does not matter. I do believe it was realistic, if it were fiction. You would have a problem with the first generation adapting to such a profound anomaly. They would have to have enormous time to sit around and think. And they would have to die out, that first generation. So, the second generation could grow up in that environment. Taking it in, as children, they could wrap their minds around it.

Critical points: in both stories, they did not have to worry about food, shelter, nor clothing. No money problems. Not many distractions. So they had plenty of time to just think. And they had major, impossible to understand matters, to think about.

But, they also had hope. Without that hope, they would have just killed themselves and gone mad, killing each other, rampaging to death. They would not have been forced to think, because the option for a positive outcome would have been beyond comprehension. Yet, the positive outcome was beyond comprehension. And that had to be clear, as well. That produces "hope" which is far more fuzzy and open then just "positive expectations". Which create static, simplistic models that are not realistic.

So, you have to solve major problems first for a true paradise. Mortality. Food supply. Energy. Shelter. Clothing. Get people's minds out of the gutter, and for good. No longer renters trying to just get by, via any means possible.

To do that, you need (and this is really where 'AI' and 'Daemon' come in) a vast "robotic" working force. One of my friends well said, 'people want a paradise, but... who do they think will be running it'. I put "robotic" in quotes. By definition, human beings are robot and have AI. But, in cinematic language, humans can understand human like beings who have consciousness, even consciousness far more vast then their own, yet who are also trustworthy and do not need to, say, eat humans for food. Or rely on social prestige for fuel. More importantly, they can operate as if in control of many independent virtual selves at any one time. And so treat hard, concrete reality as if it were merely virtual, or made of the substance of mind, of dream.

Where the old language of 'spirit' comes to be understood as a certain type of programming, which the good kind has consciousness, the bad kind does not. And can be transmitted by all the ordinary ways humans normally communicate. And by other means.

So, science fiction, open mind, don't look to ordinary answers for extraordinary returns. Ordinary answers like "let's group up, get together, and make paradise". That is the basic motive that led people into this mess in the first place. It always ends the same, without solving the other problems first.

There is hidden work that solves problems. One does have to dig for it. And keep sane while doing it. The idea that there is nothing vast and hidden, is absurd. As absurd as most conspiracy theories. But, behind all fiction, albeit so often very, very far loosely, there may be truth.

Or, could just be some elaborate cover for something very bad going on. When approaching the unknown, we often expect danger, and rarely expect good. When people behave badly, they do so because they think badly. They lack better options. Providing better options is possible to do. You just have to do the hard work of dreaming for them, at first.

tyrAugust 9, 2015 3:32 PM


@Clive

The air tax is already here in the guise of carbon
credits. Since most biological systems do 02 to
CO2 respiration the whole fuss is to get the air
tax on breathing on to save the planet.

You can toe tag babies with their expected CO2
emissions over a lifetime and also for methane
variable by ethnicity. That way they are born
with a planetary debt to society that they must
work off by re-cycling credits and community
service.
The only exemptions are for necessary industries
like armaments and financial services. The rest
must be regulated and taxed.

Celtic spelling needs a thump too. Sian doesn't
need to be spelled Siobhan. Haggis is too elaborate
when a simple gak would suffice.

Modern ISP routers are a wormcan that should make
you cry over their basic insecurity.

purring pamphletAugust 9, 2015 4:01 PM

@Tor Help

It is not a bug. It is done to prevent browser fingerprinting (a huge factor in de-anonymization).

winterAugust 9, 2015 4:17 PM

@Brown Tortellini
"@Clive Robinson

>"Effectivly what you would be trying to do is "prove a negative" in this case show there is no predictable correlation between bits and sequences of bits from a black box generator."

That makes sense. I hadn't thought of it that way."

In mathematical terminology you are trying to measure the Kolmogorov complexity or algorithmic complexity (see your favorite search engine and enjoy).
https://en.wikipedia.org/wiki/Kolmogorov_complexity

That boils down to Clive's proving a negative.

@Brown Tortellini
"In that case, what exactly is the value of /proc/sys/kernel/random/entropy_avail measuring?"

That is just a convenient estimation that should work as long as no one can mess with the input of the entropy.

An example might clarify. Record a sound, eg, of the cooling van of your computer or a 500 Hz sine wave. Compress this file using bzip2. Pick the first 512 bits as key and encrypt the rest of the recording with your favorite algorithm. Pick the last 512 bits as the next key and repeat.

Now you have bits that look as random as you can get. The bits resulting from every sound source will look exactly the same. Provably the same.

However, the van noise would contain a lot of entropy and the sine wave very little. No test, except reconstructing the original sounds could distinguish between the entropies.

That is the Kolmogorov complexity in an over-simplified nutshell.

ApprenticeAugust 9, 2015 4:38 PM

@ Gerard van Vooren, Albert, Mute Salmon,

Very much appreciate your comments. Thank you for the effort and the time.

I hear the collective voice: start with virtual and work out the bugs, learn, practice. Perhaps VM is a good tool to use for configuring driver compatibility, too? And working out those nasty "dependencies". I surely agree that such dependencies are a deal-breaker when it comes to investment of time. A real burden. Which is partly why I asked the knowledgeable crowd in this forum so I might get a head start.

Seems like Qubes OS is indeed a nice OS. And I appreciate the question in the thread about full disk encryption. I, too, would like to engage that function. I do so with Windows and an OPAL 2.0 drive currently, but there is almost assuredly holes to be found in the (inevitable?) backdoor with the third-party OPAL management software (think of WinMagic SecureDoc, Wave Systems, etc.) or even in the OPAL spec itself (trust no one, eh?).

Ok, so Fedora. But then there's this caveat: https://fedoraproject.org/wiki/Forbidden_items

So, I can't use NVidia drivers with Fedora? And so on. I might need to research a special purpose list of hardware just for my Linux build.

Dual boot is practical, but is that secure? If Windows lets the bad guys inside (think firmware malware), wouldn't it be trivial to undermine the Linux side of the boot? Therefore, wouldn't a sandboxed VM situation be more secure?

For what it's worth, indeed, I do have my small business running on one box with the usual Quickbooks, Adobe suite, MS Office, etc. And I need that software, or an acceptable equivalent. I'll have to research that too.

As for wireless? Not only is it insecure (too much attack surface), it's unnecessary in most cases, and not nearly as robust (working under a variety of conditions). I never use it. I turn it off in the BIOS as soon as I get my hands on a new laptop/desktop motherboard.

As far as phones go, most every person with a job running a side business who lives in a city is going to need one. I just resign to the fact that its insecure and there is nothing I can do about it. I use it as little as possible. And it still leaks far, far more than I ever wanted it to (locations, contacts, etc.).

I'll bookmark this thread and use the advice. Maybe someone could make a little money writing up a good beginner's Linux guide to switch from insecure Windows-based machines? Or is that wishful thinking given that I've been proselytizing Windows 10 insecurity lately and no one-- and I mean, NO ONE-- seems to care. So disappointing.

Thank you all!


SmirkAugust 9, 2015 5:16 PM

@Strange

Thank you, i will read those books and dig deeper.
I very appreciate your help.

Clive RobinsonAugust 9, 2015 6:09 PM

@ Apprentice,

So, I can't use NVidia drivers with Fedora? And so on. RI might need to research a special purpose list of hardware just for my Linux build

It's the "principle of taint" at play.

Yes you can use them if they are available, BUT they are because they are "closed source" or "encumbered" in some way assumed to "taint" the Open Source. So --in theory-- you "will not" get support from the Open Source community if you have problems with them.

For many users it's not an issue --except at some up grades-- and they quite happily use closed source "binary blobs", Nvidea being the most oft quoted case.

Encumbered is another issue, the source code may be openly available, but implement a patented or non disclosed algorithm or method. You may or may not be legaly open to civil claim depending on which jurisdiction you are in. The most oft quoted example of this is De-CSS for playing DVDs.

As it happens in the common cases people who have had problems and found solutions / work arounds make them available so some level of help is often available if you put the effort in and search for it. A classic example of this is instructions for "rooting" your Android device to enable sidewise loading of apps, or to put upgrades on your device the manufacturer is to lazy or veinal to do.A recent example of this is to do a security upgrade to prevent attackers pwning your phone via an MMS etc.

1048560August 9, 2015 6:16 PM

@ 65535 & Funny Clone

“Why not run W7 inside virtualbox under linux?”

Yes the RAM limitations could cause problems.

What type of firewall are you using for Linux?

Something that can control applications...

Dirk PraetAugust 9, 2015 7:33 PM

@ 1048560 , @ 65535, @ Funny Clone

What type of firewall are you using for Linux?

If you're talking "condom" (host-based) firewalls, you'll find that most distributions come with some sort of GUI-utility for setting up iptables/netfilter, e.g. YaST on SuSE and (G)UFW on Ubuntu and other Debian distributions. Most of them unfortunately are weak with regards to egress traffic and also lack the granular application-level control Little Snitch on OS X and Windows Firewall Control (WFC) on Windows provide. This here page contains some useful information.

Dirk PraetAugust 9, 2015 7:49 PM

@ Apprentice

Perhaps VM is a good tool to use for configuring driver compatibility, too?

In general, you'll be stuck with the drivers your hypervisor provides. That shouldn't be too much of a problem for popular Linux distributions, but getting 3D and stuff to properly work on a guest xBSD tends to be a bit more challenging.

Dirk PraetAugust 9, 2015 8:02 PM

@ tyr

Modern ISP routers are a wormcan that should make you cry over their basic insecurity.

Absolutely. That's why you should always have at least one secondary router behind them that you control yourself, and preferably re-flashed with Tomato, DD-WRT or OpenWRT. Makes it also easier to further segregate your home network into different zones for your own devices, IoT-stuff (smart TV), guests requiring internet access, DMZ etc.

tyrAugust 9, 2015 8:03 PM


Here's one for the history crowd.

http://historiadiscordia.com/

Notice the innuendo build around Thornley by non-military
folk (i.e. clueless). The instant that something isn't
spelled out in primer terms the fabrications start.

Lockheeds Skunk works at Area 51 is a classic example of
how lack of knowledge leads to the most outrageous BS
on the basis of tenuous clues. I encountered some nit
on-line who had found the Mormon Mesa rocket sled test
site where Col Stapp tested supersonic ejection methods.
It was covered in Life magazine at the time, but this
loon thought it was some great mystery. A railroad
track to nowhere must have sinister implications. Area
51 is just as mundane at the bottom, a place where you
could test things you didn't want publisized in moderate
isolation. But even if you had put it on the cover of
Life there are those who will see alien spaceships in
the bushes.

Thinking that way will make you think Iron Sky is a
documentary.

Clive RobinsonAugust 9, 2015 9:23 PM

@ Dirk Praet, tyr,

Modern ISP routers are a wormcan that should make you cry over their basic insecurity.

You usually can not avoid the ISP or others getting control of your router for a whole host of reasons.

Thus it's best to treat it not just as "untrusted" but "positively hostile" which is what quite a few customers of Bruce's old employer have concluded.

However no matter how compromised it still serves the usefull purpose of keeping traffic ment for other people on your shared segment out of your private area.

Thus my analogy about it being the equivalent of a "garden gate". The next logical step as you note is to install your own router / firewall on the private side, which in analogy is your "front door".

With the link between the two logically being your "Garden Path". Now in higher crime rate areas in the UK people put CCTV cameras and IR / Microwave movment detectors to alert and record anything that happens in the garden along the path etc.

Thus the reverse analogy would be an IDS and logging system on the "Garden Path" link set to record all traffic both in and out.

This I would say is the minimum sensible precaution these days and as others have noted open circuiting the data path or ISP router power would be a worth while moderate extra precaution.

No doubt @Nick P and others would want to add a few details to this basic level system.

hereticalAugust 9, 2015 9:39 PM

@ Curious

Great series of posts.

>With regard to my link above about the design flaw in Intel processors

I can only expect its phased out by a new gen, if what you implied were true.

ThothAugust 9, 2015 10:23 PM

@Strange, all

"patiently waited for 'Dread Roberts' to mount his encrypted volume before arresting him"

Isn't it weird that they "waited" for him to decrypt his Truecrypt volume ? How did they know ? Shoulder surfing ? Or they were already INSIDE just waiting for him to take the bait by the physical action of decrypting the volume ? Shoulder surfing might be too risky (or maybe using a bino to watch him from a distance).

"have any opinions on the latest zero day vuln or malware protection systems?"

Most commercial systems are either reserved for the elites or they are really bad and simply just annoying marketing. Endpoints are still weak and will always be. People are looking at the wrong directions. The latest ciphering system or protocols wouldn't protect you anyway. They are most likely already IN when they want to.

"If they really randomized everything, it would be problematic for memory based exploitations to take hold"

Rather untrue. Imagine you have raw memory access, what's going to stop you from scraping the entire memory and feeding it into a powerful machine to make sense of it. If you can control (microkernels or security hypervisors) the memory access and box them inside successfully (hopefully they don't breakthrough your sandboxes), you would be much safer. Yes, randomization helps for playing mind games with lower powered intrusions and attacks but they won't keep the more sophisticated ones at bay.

@Clive Robinson, all

"Intel or other chip maker had deliberate "enhanced" certain signals that were 6dB or more up on other data signals to enhance synchronisation to say the AES circuitry in the CPU."

What if I do not use AES but use Serpent (software implementations) ? I would expect them to be able to generately tap the EM frequency of the entire chip and with special focus on the AES circuits since that's a thing of interest to them. Maybe, as you mentioned before, a cascade ciphering circuit (with some dummy operations) would have effect to counter such a threat ?

Thinking along the line of how to implement a more secure software crypto engine in crypto-chips like smartcards since those stuff are so commonly available and are generally dual-use in nature. TPMs and general purpose computing with crypto-enabled chips like ARM, Intel, MIPS ...

@Curious, all

"Design flaw in Intel processors opens door to rootkits, researcher says"

I wouldn't be surprise they know how to get themselves in. I remember one of the TAOs explosed during the Snowden leaks talks about vulnerabilities of HP servers which if you were to think in a general context, so many computing chips are using the Big 3 which is ARM, Intel and PPC. I wouldn't be surprise if they have subtle "flaws" to get themselves inside.

"major defence contractors, security researchers, government officials mingling with hacking enthusiasts as the Pentagon - and US government - struggle to recruit cyber personnel"

I noticed the word "STRUGGLE to recruit". No one likes them. They just blackened their names again and again. Not surprising. They should pay more to recruit people (not sure of the salary there) because money might open people up :) .

RE: ICANN breach with leaked "encrypted" password database.

Those are hashed and salted (not sure if they salt it with random salt per password object or a global salt). Whatever the situation, if it is BCRYPT algorithm, it's actually not bad that they thought of using something really good in the open crypto community as long as they don't do stupid settings. It would be better if they actually used a hardware HSM to encrypt the passwords although some might disagree but this is a growing trend (encrypting passwords with HSMs) in my local region and also a local requirement these days for banks that want to do business in my country.

"EFF (Electronic Frontier Foundation) announced the "Privacy Badger 1.0" plug-in for Chrome and Firefox internet browser"

They need to re-think the browser as a mini-OS in itself and re-do browser security since most of us are "living inside" our browsers these days. The browser should be offering more assured security instead of being so vulnerable to all these browser exploits.

@garrulous garden

"Bruce, Tor is looking for an Executive Director"

Hopefully the new Director doesn't sell Tor off to you know who.

@octatech

"People need to be able to reach me most times of the day so turning it of when I get home isn't a very good solution. How should one fight against all this?"

I think there isn't a good solution around the smartphone dilemma. It knows too much about you more than those close to you. Restricting our actions on using the phone is the only way to at least preserve some sanity. Once you purchase and register the phone, you have no more control over it. You can try to put black tapes around the camera sensors but how are you going to control the microphone mechanism ?

@Apprentice

"I'm a Windows user with an MCSE certification who hasn't touched a Linux box, rare participant and frequent reader of this blog, and an IT employee in a large organization in the USA.

I'm keenly interested in establishing a more secure environment for my relationship between my computers, my associates, the public, and the businesses I interact with.

Ideally, I wish to conduct a typical American life, run a small business on the side with my wife, opt-out of the mass surveillance in the name of 'privacy advocacy', and reduce my attack surface."

Once you use a Windows product, you have to realize that you are much more vulnerable than other OSes. Market shares, architectures, the bulk of the codebase ... there's so much going on that makes Windows such a bad choice and I wouldn't say all of us are innocent as I am suspecting many of us are using Windows as well or other common smartphones to read and reply to the comments.

First thing is to learn Linux and be comfortable with low level stuff. No more GUI addiction. You can use the Windows box for normal computing and gaming and expect it to be compromised.

A hardened Linux box as a gateway between the Windows environment and more secure environment (a Data Guard of sorts). I would prefer to use a CD-ROM with a Linux LiveCD for the fact it is harder to inflitrate into a Linux LiveCD when you can simply shutdown the power and it is mostly out. We won't touch about firmware embedding of exploitations yet because this is just beginner steps but the idea is a quick shutdown Linux LiveCD with hardened settings. You might want to physically disable wireless networking and only use cables for this particular computer for the Gateway setup.

Your most secure box would be preferably OpenBSD or BSD type OSes. They are less common and not the focus of attacks and have a much more focused and stringent security but again, these monolithic kernels are a problem. Microkernels like L4 family would be the best but they are still rather unusable for daily operations. Your most secure boxes should not even have a wireless networking device at all. Remove the Bluetooth, no WiFi, no RFID/NFC sensors ... nothing ... Keep the Ethernet cable unplugged on the most secure box. The best is a workstation PC (because laptops usually integrate Bluetooth and WiFi into their chipboards).

Use a dedicated port to transfer between secure workstation and Linux gateway over an uncommon port number and fixed routing path. Encrypt and hash the files on Linux gateway and send it over FTP (yes plain FTP) to secure box to decrypt and verify the files (use symmetric keying). The plain FTP is deliberately use as the protocol is simpler to inspect for any attempted injection (no surprises), speed and simplicity of setup.

@Spoky

"Does Qubes OS support full disk encryption during installation?"

I would prefer to have an encrypted hard disk and run the Qubes as LiveCD. Maybe a "Ext3/4/FAT32" format filesystem or something usable across multiple OSes. Keeping the OS minimal and separated for critical systems would give more security by making lower powered intrusions unable to survive a power reset (if the malware expects to be a Ramdisk malware) or I can decrypt the hard disk to inspect for malware on another machine which it does not expect to bootup from.

@Funny Clone

"Why not run W7 inside virtualbox under linux?"

If the malware doesn't break out of the sandbox created by Virtualbox which itself is a virtualization platform ... not a security sandbox platform. Genode has a NOVA hypervisor with Seoul or Virtualbox on top. Good to take a look into something more security assuring as those done by Genode.

Link:
- https://archive.fosdem.org/2015/schedule/event/transplantation/
- http://hypervisor.org
- http://genode.org
- http://www.genode-labs.com/news/newsletter/newsletter-2014-01?lang=en

Nick PAugust 9, 2015 10:56 PM

@ Clive Robinson

Well, this is a smaller operation. So, the last point would probably be left off despite being a good idea. The private router treating public one as malicious is a good idea. It's essentially what I recommended with the OpenBSD box. The right policies and inspection features can filter out a lot of unwanted traffic going in *or leaving* the network. The box might also have a non-x86 processor to reduce odds of malware hitting it.

StrangeAugust 9, 2015 11:29 PM

@Smirk

Thank you, i will read those books and dig deeper. I very appreciate your help.

Oh, thank you for listening and asking questions.

I wish I could have given a more optimistic report, though the 'very far future' is beyond our own knowledge, just as the very near future is.
History is full of changes where little things turned the tide. Completely unpredictable. Though, considering the criteria I outlined: a major anomalous event, conditions for solving the mortality problem, food supply, water, energy problems... that does seem to be a very, very hopeless 'war' with very many fronts.

I was reminded of 'why not to despise the little things', however, this weekend, watching a WWII documentary. At the beginning of the war, the Allies were in very dire straits. The Pacific fleet was sunk, and Britain was in danger of being lost. But, the Germans owned the atlantic by their U-Boats.

So, Britain made a war changing move. They shared their top technical intelligence with the US. This included the 'cavity magnetron', which enabled the US to get their ships over the Atlantic, finally, by providing appropriate radar for the anti-submarine planes.

'The Briefcase That Changed The World'

http://news.bbc.co.uk/2/hi/science/nature/6331897.stm

Finally, as for my inclusion in that list, with the books "Daemon"/"Freedom", I would also recommend Daniel Suarez' other book, "Influx". Where the point is to get the necessary metaphoric 'language' filter to be able to see the future which otherwise would be beyond definition... and so beyond comprehension. Metaphoric frameworks from fiction can act as filtered lenses (like with, say, invisible ink, or how some words can be hidden in color to hide from the color blind). Before you put on the 'glasses' you saw nothing. After you put them on, you see it all.

FigureitoutAugust 9, 2015 11:53 PM

Thoth
how are you going to control the microphone mechanism
--On a current laptop removing camera/mic w/ fair degree of certainty was simply snipping it off inside case. On a "dumb" (read you'd be smart to use one) phone the camera was again powered by a little clip I could simply unplug or snippy snip and I didn't want to screw this one up (and threw out another one I could've searched more) so I put humpty dumpty back together before looking at mic but I bet an old mic (I'm not worried for my purposes since they're so sh*tty anyway lol) and the speaker, likely a cheap little thing, again needs to be removed. Keep in mind this is only if you want just a device w/ phone/net service.

Smart phones would be much trickier of course (just don't even put the thing near data you care about in the first place...) but likely can either just break glass and destroy camera w/ a screwdriver and if inside case use Xacto knife to cut lines in PCB or worse a tiny drill. I have an older one that I can cut up but it's already broken so I can't test if physically disabling mic/speaker breaks other things...plus I'm nervous about releasing some things I shouldn't breathe.

RE: livecd of qubes "I would prefer to have an encrypted hard disk and run the Qubes as LiveCD"
--Exactly, that's what I want: a LiveCD that boots up VM as well and no attached HDD. I don't understand virtual memory and don't really believe "the sandbox" when "the sandbox" is interacting w/ devices that cannot be emulated; there's non-sandboxed comms taking place. All the VM-based OS's and applications I've tried a little running fully w/in a live system don't work good, usually search for a HDD (data remanence and a big fat juicy target, can't do that for this threat model). Against the threat model that can still subvert that, you're mostly screwed if they know who you are and are in your network, will simply follow you around. Can still operate by going to "retreat" mode and recover via computers bought w/ cash then bury/hide them etc. by looking up places w/o your tracking devices (one can go to a place like...Best Buy or big place that has computers open for you to play w/ and conviently have an internet connection, but also a camera so this is short-term and should get re setup before it becomes known) and don't write or say anything to anyone or anything.

I'd want a boot-up config file that additionally grabs crap from /dev/random and creates say 5 email accounts/passwords and puts that in some easy to grab place unencrypted, say /tmp, then erases the config file. So someone watching from network would constantly be grabbing complete crap every boot-up.

StrangeAugust 10, 2015 12:09 AM

@Thoth

Isn't it weird that they "waited" for him to decrypt his Truecrypt volume ? How did they know ? Shoulder surfing ? Or they were already INSIDE just waiting for him to take the bait by the physical action of decrypting the volume ? Shoulder surfing might be too risky (or maybe using a bino to watch him from a distance).

Who knows? It definitely sounds fishy. I would think they would have wanted to wire his house up with video. To put him under constant but very high grade surveillance. You know, to figure out 'who he is working for', 'how they communicate', 'what information they want'. Stuff like that. Maybe even 'who is he, really'. The sort of credentials required to get that position are easy to fake. Look at OPM. Not exactly the high standard of excellence people had been thinking they were.

If hackers were able to brutalize that system, twice, and was only caught because of a vendor demo... what makes anyone think no one before them ever *put information in there*?

But, you are talking about the Army. They did not even have basic access controls to prevent what Manning did. Zero DLP. Now, they have it. They probably had no supporting protocols, like "what to do if someone is caught exfiltrating sensitive data". So, they probably arrested him on the spot.

If there was anything more complicated to his story, he could just play himself off as some idealistic dummy. Easy to play one's self down.

But... this is all very much transgressing against what Tyr is saying, above, which I agree with:

The instant that something isn't spelled out in primer terms the fabrications start.
Lockheeds Skunk works at Area 51 is a classic example of how lack of knowledge leads to the most outrageous BS on the basis of tenuous clues.

Reality is, I have read some counterintelligence cases in books, across history, and they tend to stay focused on just getting someone in jail. When they are lengthy surveillance, it is just about getting evidence. WWII operations, excepted.

But... it is an interesting consideration, in terms of a 'good story', 'what if someone had already - even long ago - already been in OPM and put data in there, and altered data which was there'. One might say, 'oh this is not stored there' or 'that is not there'. But, do you really think in the other areas of import for such data, that it really was that much more safeguarded? Or even is now?


ThothAugust 10, 2015 12:37 AM

@Figureitout
If I were to know that I am going to use the computer to browse the web and probably there is a chance of infection, the last thing is to infect a computer that has hard drives or storage devices attached. LiveCD alone booting from a CD-ROM with all disk spaces filled would be much more advantageous and without the dependency of any permanent storage. If you want to do critical stuff, reboot the CD-ROM with no network and then plugin the storage. A really simple and basic OPSEC procedure :) .

FigureitoutAugust 10, 2015 12:55 AM

Thoth
--But then you're really trusting CD-ROM firmware and banking on no data remanence which I've seen symptoms and run testing that have convinced me enough that LiveCD is not enough still (even w/ infected images getting burned to discs lol..).

All these infections really cheapen "work" since you can't really trust and put good effort in it. Can't take it seriously really, or just be prepared for epic fail and have survival skills when power systems, economy, and comms systems shut down.

Gerard van VoorenAugust 10, 2015 1:25 AM

@ Figureitout,

--Exactly, that's what I want: a LiveCD that boots up VM as well and no attached HDD. I don't understand virtual memory and don't really believe "the sandbox" when "the sandbox" is interacting w/ devices that cannot be emulated;

If you look at the Qubes OS Disposable VM doc, you can see that it is stored under /var/lib/qubes/dvmdata. In my understanding I don't think it is hard to create a ram fs and mount it at that point. Only make sure you have plenty of ram.

Btw, there is also Windows App VM functionality.

ThothAugust 10, 2015 2:24 AM

@Figuritout
It is a basic setup I believe. If you want something more secure, analog paper and pencil with acid or a flame spark and oxygen would be the most secure ...

There is almost no way to 100% defend against anything and it is almost unlikely to ever happen. It is just the level of security and requirements in a sane manner that can be more easily moved around and used.

VatosAugust 10, 2015 6:18 AM

@Dirk Praet

As far as I know, my router (provided by the ISP) is secure. Do you think it has vulnerabilities? Is there some way to test it?

FigureitoutAugust 10, 2015 6:58 AM

Gerard van Vooren
--Yes I played around quite a bit w/ disposable VM's (and appVM's and NetVM's, disposable the most though), and at the bottom of that doc, reads: At this time, DispVMs should not be relied upon to circumvent local forensics, as they do not run entirely in RAM. For details, see this thread. and that thread is: https://groups.google.com/forum/#!topic/qubes-devel/QwL5PjqPs-4/discussion

Since no one appears to have done what I'm describing, it most be hard or impossible for some reason (I don't see it, but maybe it is). Here's a quote from the ramfs link you provided: With ramfs, there is no backing store. Files written into ramfs allocate dentries and page cache as usual, but there's nowhere to write them to. This means the pages are never marked clean, so they can't be freed by the VM when it's looking to recycle memory.

Live system that spawns VM's ASAP, all booted completely from RAM; so on top of not mattering if the RAM-FS gets corrupted (lower level attacks taken out of picture for fact that they will always own), even more so if you could just close a VM w/o rebooting.

Thoth
--Don't forget to check for obvious cameras/sensors pointed down and to write on a hard surface (no soft wood or a big notebook, single pages) and wipe down the area thoroughly after. For you though I'm sure you would quite enjoy taking a flamethrower to it all and for no reason destroying a PC or 2 in the process. :)

And it has happened I just can't find the damn malware and expose it for all to see, it would probably own most everyone here except those w/ "legit" setups to maybe stop it beforehand.

Wacky SturgeonAugust 10, 2015 7:48 AM

@ Thoth, Figureitout

"I would prefer to have an encrypted hard disk and run the Qubes as LiveCD."

No such thing. QubesOS cannot/should not be run as a VM or a LiveCD. This is partly because of performance issues and partly because the system is designed to provide some protection against attacks like Evil Maid, which would not work in a paravirtualization mode.

However, it is possible to run the entire system from a USB3 pendrive. It is also possible to have a dual/multiple boot system (with QubesOS alongside other operative systems). You can also create Windows7 TemplateVMs from within QubesOS.

CuriousAugust 10, 2015 7:53 AM

Somewhat off topic: (Regarding the previously mentioned treason investigation of Netzpolitik in Germany)

According to The Guardian, the investigation of treason charges against Netzpolitik "has been dropped". The article allude to the possibility that German prosecutors will investigate to find the source of the leak.

"German prosecutors have dropped a much-criticised treason investigation into two journalists who reported on secret plans to expand online surveillance in the country."

"Federal prosecutor’s office says leaked documents on which website’s reports were based were not a state secret"

http://www.theguardian.com/world/2015/aug/10/germany-drops-treason-inquiry-netzpolitik-journalists

wary virgoAugust 10, 2015 8:16 AM

@Vatos:

"As far as I know, my router (provided by the ISP) is secure. Do you think it has vulnerabilities? Is there some way to test it?"

The subject has cropped up in previous squid posts a few times. The bottom line is that all commercial routers are shipped with a backdoor. If you haven't flashed yours with open source firmware, assume that it is compromised by design.

If I remember correctly, the world's current largest distributor of backdoored routers (by volume of connected clients) is Bruce's old employer: BT.

http://www.bit-tech.net/news/hardware/2013/12/17/bt-back-door/1

http://cryptome.org/2014/10/BTAgent-cpe-backdoor.htm

http://securityaffairs.co/wordpress/20941/hacking/netgear-linkys-routers-backdoor.html

http://www.theregister.co.uk/2013/10/22/tenda_router_backdoor/

Clive RobinsonAugust 10, 2015 8:19 AM

@ Thoth,

Maybe, as you mentioned before, a cascade ciphering circuit (with some dummy operations) would have effect to counter such a threat ?

Important as that is it needs to be a bit more than that these days, you need to randomize the order things are done in to stop the signal getting pulled from the noise by averaging etc. There are also other tricks that can mess with things. Take for instance the XOR function it can be decomposed to a mixture of NOR and NAND functions which can also be done in randomized order. Likewise multiplication you can do the sub multiplies in any order you see fit (they are NAND functions that don't carry untill you add the result). Unfortunatly the performance drops a lot, kind of like the old saying about "chopping a cheaters back legs off".

A real (true) randomization would make life way more difficult for an attacker. Also have a look at some of the work of the guy in charge of an italian company that got outed, his PhD work was on reducing the suceptability of practical systems to such attacks. Others have done work on making crypto algoritms and modes for parallel operation, usually the primary requirment for that is "out of order execution".

I think @Markus of TFC might have looked into that a bit.

CuriousAugust 10, 2015 9:01 AM

"HTC phone stores fingerprints in easily accessible plaintext" (Black Hat 2015)
http://www.net-security.org/secworld.php?id=18742

Makes me wonder how easy or difficult it would be for someone to plant some other person's fingerprint at a crime scene, and if so, if the fidelity of stored fingerprints on mobile phones would be good enough to convince law enforcement of its authenticity. I would think that the very concept of maybe finding planted fingerprints in a crime scene is not lost on modern law enforcement agencies.

Off topic: (NYTimes editorial on journalists deemed by Pentagon as being 'unprivileged belligerents')
http://www.nytimes.com/2015/08/10/opinion/the-pentagons-dangerous-views-on-the-wartime-press.html

I guess a military force's interpretation of law would have it become all too easy to both kill seemingly unarmed and docile persons (or buildings, or locations) and perhaps more importantly for coming up with excuses for doing such, if a party can simply accuse such person(s) of just maybe having partaken in surveillance in a conflict area, or perhaps accusing someone of going to, or even intending to do that. I personally think it is bad enough that military forces don't even know what they are shooting at sometimes, because they couldn't possibly distinguish a civilian from a soldier, or that they ultimately don't/didn't care.

Btw, I remember there was a story in the news some time ago, about WW2, in which norwegian resistance fighters allegedly murdered a man in the woods in cold blood, for no good reason, something about a desire for maintaing their op-sec as I remember it.

After the invasion of Iraq, I've been wondering if self defence is even legal, if being a civilian defending against an attack by a soldier, assuming one didn't die in the effort.

ThothAugust 10, 2015 10:32 AM

@Curious
Re: Fingerprint authentication
It is really horrible and sloppy for most smartphone makers to handle their security so poorly. The reason is the market has very little appetite for robust security in general (sweeping statement). Lack of knowledge, Warhawk Govts pressure to place backdoors, public being mis-educated ... those are some of the many reasons high assurance security only exist to he elite echelon and not to the mere mortals and rarely do mere mortals get things right in such a constrained environment.

Dirk PraetAugust 10, 2015 10:37 AM

@ wary virgo, @Vatos, @ Clive, @ Nick P.

The bottom line is that all commercial routers are shipped with a backdoor.

Perhaps not all of them, but the entire ecosystem of ISP and SOHO routers (Linksys/Cisco, D-Link, ZTE, Sitecom etc.) is so fundamentally broken that the only correct assumption is that they are insecure by default. For most of them, security really is an afterthought, and to make things worse, most vendors care little about service releases and security patches, especially on older models (cfr. Android). Even when reflashing with WRT/Tomato, it's in your best interest to pick a model that is supported by a somewhat recent release, as these don't always keep up with patches either.

Alternatively - and depending on your requirements and level of expertise -, you can set up a dual-homed BSD box (as @Nick suggested) with IDS and decent logging or go with something like PfSense or Smoothwall. There's even an OpenWRT setup for Raspberry Pi.

ScaredAugust 10, 2015 11:04 AM

The story of an ex-cop’s war on lie detectors:

http://www.bloomberg.com/graphics/2015-doug-williams-war-on-lie-detector/

'He has no affection for crooked cops or sexual predators, but what he hates above all else is the polygraph machine, an “insidious Orwellian instrument of torture,” as he calls it, that sows fear and mistrust, ruining careers by tarring truthful people as liars. “It is no more accurate than the toss of a coin,” he likes to say. When he’s feeling less generous, he’ll say a coin works better.'

Dirk PraetAugust 10, 2015 11:32 AM

@ Wacky Sturgeon, @ Thoth, @ Figureitout

However, it is possible to run the entire system (QubesOS) from a USB3 pendrive.

A Qubes Live USB image has just been released. Caveat: alpha/demo stage, so probably not the best way to get acquainted with QubesOS.

AnuraAugust 10, 2015 11:36 AM

Yeah, this thread has been a good reminder that I haven't updated my router in about 6 months (I blame TomatoUSB for not reminding me).

StrangeAugust 10, 2015 2:46 PM

@Curious

re: the nytimes article

Btw, I remember there was a story in the news some time ago, about WW2, in which norwegian resistance fighters allegedly murdered a man in the woods in cold blood, for no good reason, something about a desire for maintaing their op-sec as I remember it.
After the invasion of Iraq, I've been wondering if self defence is even legal, if being a civilian defending against an attack by a soldier, assuming one didn't die in the effort.

There were, obviously, enormous civilian casualties in the Iraq war. There have been in the ongoing drone strikes. And there have been very deeply underreported civilain casualties in the ISIS efforts. (The later was a major story past week or so.)

Good NYTimes reporting. They are correct on all accounts. This policy of potentially making journalists being put in the category of civilian dress combatants is horrible and has to be removed.

The Norwegian case would have been more unusual, as there were civilian dressed Norwegians fighting against the allies during the second world war. ie, the Nazi Norwegian sniper named 'White Death'.

Spies do like the journalist cover, but that should be only based on significant, conclusive evidence. Not the "well you are foreign, so you are a spy" evidence authoritarian regimes use. And, as we saw in the recent Intercept 'Echeleon' paper, even Western democracies have used.

We have also seen a lot of totalitarian-like responses from Western governments over the years, both to independent reporters, civilian reporters simply using video on their phones, and to full fledged, well resumed reporters. So, this sort of attitude of seeing journalists as 'civilian clothed enemy combatants and foreign spies', really has to die.

StrangeAugust 10, 2015 3:11 PM

@Scared

from the article

“How many people working for foreign governments apply for those jobs? If you’re looking for something that only occurs one-tenth of 1 percent of the time, running a test that’s 90 percent accurate doesn’t help you.” Depending on where you set your threshold, you either miss most of the spies or you cast suspicion on tens of thousands of innocent people. Sometimes you do both.

90% positive rate on the untrained, 100% failure rate on the trained. As the trained are actually the one's they want to get, does seem pretty stupid.

Dirk PraetAugust 10, 2015 3:58 PM

@ John

Smoothwall has been discontinued.

Just checked their website, but it doesn't look like it has. I think your confusing with M0n0wall.

tyrAugust 10, 2015 4:31 PM


@Bob S.

Windows 10 automatically spies on your children and sends you a dossier of their activity

Some details at Boing boing.

AnuraAugust 10, 2015 5:57 PM

@Clive Robinson

With regards to executing instructions in a random order; for a modern CPU where there are multiple instruction pipelines, wouldn't designing the cipher so that it can be easily pipelined practically accomplish that in the first place? For example, multiplying by a 4x4 matrix modulo 2^32 would introduce a lot of parallel instruction execution as most of the operations can be executed in any order, which would significantly up the complexity of TEMPEST attacks.

Designing it so it can be implemented purely using arithmetic operations, such as Serpent as mentioned by Thoth, I would imagine would make side channels/backdoors significantly harder as well. Certainly, requiring special instructions to achieve high performance is probably not desirable (AES-NI, PCLMULQDQ), but pure arithmetic operations like additional, multiplication, rotation, and xor are going to be much harder to analyze or backdoor.

ApprenticeAugust 10, 2015 8:18 PM

@ Dirk Praet, Thoth, Clive R.,

Thank you for the commentary and advice. It's a fool who never learns, and a wise man who learns from the mistakes of others. I'm trying.

"You can use the Windows box for normal computing and gaming and expect it to be compromised."

-- Well said. I've come to understand and accept this. My cell phone, too.

Clive: thank you for the comments about the Fedora license.

As for routers, I dare say no one doubts that all commercial routers out of the box are indeed "hostile". Personally, I've already taken a well known, consumer-level router and flashed it with open source firmware. Then I cracked open and installed a pfSense box running Surricata/Snort. It's a start, at least.

I suspect that many here in this forum are hesitant to discuss the specifics of operational security since it might give away the details of their own setups and therefore provide an upper hand to a potential threat. Duly noted. But reading between the lines and given the advice/conversation on this weekend's thread(s), I've learned a great deal. I thank everyone and sincerely so. This knowledge is too important to not disclose in a world where entire 'democratic' governments behave more and more like nannys, nosy neighbors, and in a generation to come, tyrannies (in my opinion).

FigureitoutAugust 10, 2015 10:43 PM

Wacky Sturgeon
--I think Qubes encrypts HDD, no? Yeah, I like that property of "isolating" USB controllers for potentially infected sticks.

Dirk Praet
--That's awesome, good work Qubes team! Wish it was CD/DVD though as anyone can test for themselves saving something to USB stick between boots (I used to boot into a known infected PC w/ a liveUSB thinking I was safe...ugh).

65535August 11, 2015 2:28 AM

@ Nick P

“…you can get very usable systems out of the x86 and RISC boxes built before power management or always-on were mainstream. All kinds of them on eBay with native OS installed, some communities maintaining modern libs for them, and actively-maintained Linux/BSD ports to them.”

I got to shop today and dug out and old dell desktop with hard power switch. I believe it has a PII in it [it was an old Win 95 or Win98 OS box]. I am not sure if you would classify a PII a RISC – but what the hey.

First, problem was when I installed a 160 GB hard drive in the box - the bios could not read the large drive [the box came with a 8GB HD]. Look it up and yes the Bios is too old to flash for a larger drive.

So, I removed 160 GB HD and put the 8 GB hard drive back in it [wiped it with a live CD]. Then I installed XP with no Service pack. Next, install SP2 for XP. I stopped there because it need word processing program and other programs and to not exceed 85% HD capacity [Defrag requirement in windows].

Next, I found and old Win 2000 office version. It works well. I will have to test the box further and look for stability.

The biggest problem seems to be the bios and the lack of large disk support and maximum ram is .5 GB [Ram is old PC 100 - the two slot stick - no DDR2 or the like].

These is the only draw backs I see at this time. It is XP with office so it may be acceptable to some customers and it is using less the 55% of disk space [with small swap file]. I’ll keep you informed.

Clive RobinsonAugust 11, 2015 6:33 AM

@ 65535,

First, problem was when I installed a 160 GB hard drive in the box - the bios could not read the large drive [the box came with a 8GB HD]. Look it up and yes the Bios is too old to flash for a larger drive.

This may not be an issue, depending on the exact problem.

The BIOS should only be needed to read the boot sector and second stage loader in then, the second stage loader pulls in the OS.

This type of increasing disk size issue has happened over and over again in years past, so which one you've fallen foul of I'm not sure of. The solutions varied but rarely was a replacment BIOS code needed.

You don't say if the 160GByte drive talks at the hardware level, I'm guessing 'yes'. So the simple first trick, try partitioning the 160GByte drive up on another machine so the first part of the drive is only a couple of GByte in size in FAT16 format (ie large enough to hold the OS, registry and swap). Second trick is put the 160GByte in as a second drive. Third is LILO or GRUB. Fourth trick boot from floppy, CD or USB and load in a modern OS.

Personaly once you get it up the way you want, I'd be tempted to stick with Win2K if you are developing low level code. It was about the best OS MS got in that direction, likewise WinXP for "office" type activities. Just about every Windows OS after that was about bloat and "rent demanding" activities (ActiveX being one such Xbox another). Something the Win10 upgraders are going to discover to their endless cost...

There is already a rumour floating around about "MineCraft" in that users will shortly be forced into using Win10 as a host/server etc even if they use non MS platforms as clients. It will be interesting to see how that one pans out with the next couple of updates...

Clive RobinsonAugust 11, 2015 8:15 AM

@ GregW,

Interesting factoid within there:

Yes, but remember the codicil on it of "found security vulnerabilities", how many are stilll "unfound"...

There is a sort of rule of thumb about "software bug decay". Put simply there is a rough correlation to the number of lines of code and the number of errors, that is oft --incorrectly-- said to be a constant.

Over time these bugs get detected and fixed thus you would expect a nice exponential decay. However bug fixes add new bugs and eventually code is augmented with new features which add further new bugs. Thus the line often looks nearer straight than exponential over it's life. The more users the more chance bugs are found, thus as software ages and gets close to EOL users stop using it and the number of new bugs found drops proportionately (a useful indicator if you are on the team as it's time to jump ship).

So you could say for a moderatly complex piece of software you could reasonably conclude that not all the bugs are ever found. Which gives rise to the question of just what percentage that is.... A question the OPM people are probably asking themselves...

Mack PeaceAugust 11, 2015 9:46 AM

For 40 years, computer scientists looked for a solution that doesn’t exist
http://www.bostonglobe.com/ideas/2015/08/10/computer-scientists-have-looked-for-solution-that-doesn-exist/tXO0qNRnbKrClfUPmavifK/story.html?

For 40 years, computer scientists have tried in vain to find a faster way to do an important calculation known as “edit distance.” Thanks to groundbreaking work from two researchers at MIT, they now know the reason they’ve continually failed is because a faster method is actually impossible to create.
“Edit distance” is a straightforward and satisfyingly tangible idea. Imagine you have two sequences of numbers and want to know how many steps it takes to transform one into the other. In this transformation you can add a digit, remove a digit, or substitute one digit for another. For example, you have the data strings “1234” and “2345.” To turn the first into the second takes two steps — remove the 1, add a 5.


65535August 11, 2015 1:42 PM

@ Clive Robinson

“The BIOS should only be needed to read the boot sector and second stage loader in then, the second stage loader pulls in the OS.”

It has a 40 pin PATA connector. I was surprised it could not read a large drive. The box was made for Win 95. I would guess the board was made a year or two earlier and it is only ATA-1 level – but I could be wrong.

“You don't say if the 160GByte drive talks at the hardware level, I'm guessing 'yes'.” - Clive

You are correct. The bios would not recognize the drive at all – just a blank field in the bois screen. No portion of the drive recognized in terms of GBs or name of drive.

“…try partitioning the 160GByte drive up on another machine so the first part of the drive is only a couple of GByte in size in FAT16 format (ie large enough to hold the OS, registry and swap). Second trick is put the 160GByte in as a second drive. Third is LILO or GRUB. Fourth trick boot from floppy, CD or USB and load in a modern OS.” – Clive

I’ll try those options when time permits. This is just a test rig so it is not a high priority project.

“…I'd be tempted to stick with Win2K if you are developing low level code. It was about the best OS MS got in that direction, likewise WinXP for "office" type activities. Just about every Windows OS after that was about bloat and "rent demanding" activities (ActiveX being one such Xbox another). Something the Win10 upgraders are going to discover to their endless cost...” – Cive

I agree. Win 10 is full of bloat ware and leaks information like the Titanic. So, a lot of business customers will not allow it. I don't know if I will be recommending any Microsoft products after seeing Win 10. Win 8.1 was bad and so is Win 10. That is enough to convince me.

Back to Win 2000 and XP: actually one can strip down XP during the install to be about the size Win 2000 Pro. I did look around for an old Win 2000 pro disk and only found Win 2000 server with 4 other disks containing service packs 1 through 4 for said system. So, I just went to XP. Then I upped XP to XP SP2.

I am actually happy with the performance of the box with the 8GB drive. It’s doesn’t lag too badly and IE6 works with the Internet [as does Firefox].

I’ll keep testing it when time permits.

Thanks for your input.


Nick PAugust 11, 2015 6:07 PM

@ Clive Robinson

Hacker News posted a nice TRNG that aims at simplicity, anti-subversion, effectiveness, and decent speed. They rely on noise sources that aren't affected by many variables with some minimal input from others. I like what I see. You should review it for flaws/effectiveness, post your thoughts here on its existing state, and send them suggestions to correct any problems you find.

Note: Here's the How section for details. Very simple approach. Hopefully not too simple for its own good.

@ name.withheld

Feel free to chime in as well. I'm always up for any chance to review and maybe standardize a good version of something people often get wrong or re-invent.

Nick PAugust 11, 2015 8:13 PM

@ those interested in hardware

I accidentally discovered another Scheme machine while collecting empirical evidence that XML is shit. Interesting thing about the Scheme machine is that it was implemented on older, small FPGA and PAL's. Good for those building on older stuff or clean-slate stuff on old process nodes. Even more interesting, though, was how he built it: Digital Design Derivation. It's a way to start with Scheme/LISP specifications then step-wise turn it into hardware in a correct-by-construction style. Was used to implement many prototypes, including the verified, FM9001 MCU. Original paper with technical details here. Seems to have been spun off as DRS by a company that disappeared in 2003. I.P. and tool might still be available somehow.

Anyway, the functional spec to imperative program or hardware strategies keep coming back to me. The logic is easiest to verify in the functional, continuation style. The refinements should be pretty efficient and easier to verify than hand-made code/hardware. A tool such as this might be worth copying in FOSS. It can be integrated into existing OSS flows.

name.withheld.for.obvious.reasonsAugust 11, 2015 11:20 PM

@ Nick P
I'll check it out--I believe it is possible to develop a open source consensus document at this point. There seems to be enough interest and opportunity. I can backfill to some degree for RobertT and I know that there are a half dozen irRegulars--I mean-regulars here to make something work.

Seems we have to overcome some entropy in the hardware space and it makes sense to at least launch a base level open source HA level hardware specification/process that can be CC/ISO14508/ISO27000 compliant that could be certified (might need to review the latest specifications as NIST has had a moving floor beneath them) by a third party in final path/production.

Nick PAugust 12, 2015 12:18 AM

"Seems we have to overcome some entropy in the hardware space and it makes sense to at least launch a base level open source HA level hardware specification/process that can be CC/ISO14508/ISO27000 compliant that could be certified"

Keep working at it. I figure, like hardware verification in general, it will come in different directions. We'll all keep working at stuff to see what we can crank out.

To be clear, though, in case my double post was confusing: I was just asking what you thought about the TRNG's design and implementation in terms of achieving its objective. I'm not worried about high assurance of it or the other links for now. Just whether the TRNG works. If it does, even undergrads should be able to build a reference circuit using parts they scavenge. That's a step up on this issue from the conventional approach: Googling lots of papers and guessing. ;)

Far as other stuff, I am consistently looking for a way to do step-wise refinement of functional into high performance, imperative programs or hardware. The 001 toolkit showed us it was possible but kludgey. DDD was more usable. The functional languages for software & hardware have done *much* better than prior work. Sandia's ML-based, ASSET framework was used in high assurance for instance. On all that, keep it in your peripheral in case you notice something new and useful. You can leave it to me to continue digging through the chaff to find the wheat for you to review. ;)

So, far as other links, look into at your convenience or not at all. It's just part of my regular rounds of interesting stuff. Homebrew or anti-subverison people might find the Scheme machine interesting, though.

Clive RobinsonAugust 12, 2015 4:38 AM

@ Nick P,

I poped over to http://www.bitbabbler.org/ and had a quick look.

What I did not see was a CCT Diagram, so evaluation is going to be a bit difficult. However they do say an analogue shift line and integrators, so I'm guessing some kind of "bucket-brigade line" which happend to be a technology favoured by LTC corp, who's founder --who I met in the 80's-- designed the original TDA1022 parts as well as some nice SMPU chips. .

CuriousAugust 12, 2015 6:13 AM

Lenovo bios/rootkit/vulnerability/security issue:

Not sure how to explain this. Without the usual news article about this issue, to me this is mostly hearsay at this point.

Something about Lenovo laptop's (some I guess) supposedly haveing the bios fiddle with the Windows files for quietly updating the computer during the boot process.

http://arstechnica.com/civis/viewtopic.php?p=29497693&sid=ddf3e32512932172454de515091db014#p29497693

https://www.reddit.com/r/sysadmin/comments/3gmgdj/lenovos_seems_to_have_hidden_a_rootkit_in_their/

http://news.lenovo.com/article_display.cfm?article_id=2013 (Lenovo news release, dated 11. Aug on Lenovo's website, though on Reddit someone claimed it was from 31. July)

The Lenovo news article was linked to in that Reddit thread. Though I got the impression that it isn't obvious that it is related.

I guess it doesn't hurt to point out that the Lenovo article is very recent, and that two of the posters in the arstechnica thread, one having created the thread and the other having explaining the details apparently registered very recently and have few post counts.

CuriousAugust 12, 2015 7:18 AM

Off topic: I linked to a NYTimes op-ed the other day here, in which they discussed Pentagon's view on deeming journalists as possibly being 'unprivileged belligerents'. This had me wondering today, if Pentagon perchance also think of embedded US journalists in say the middle east, as possibly being 'unpriveliged belligerents'. If so, I suspect any embedded journalists would have wanted to know this beforehand.

name.withheld.for.obvious.reasonsAugust 12, 2015 8:33 AM

@ Nick P, @ Clive Robinson

To be clear, though, in case my double post was confusing: I was just asking what you thought about the TRNG's design and implementation in terms of achieving its objective.

I plan to, just working the end of season, the academic calendar will clear in the near future where I can find additional cycles....

Just a quick response; Clive's observations suggests a parallel multi-line/bit TRNG accumulator (my definition) that resembles a FLASH ADC as opposed to a SAR ADC. This suggests a conscious design decision in support of performance (bits of entropy/sec.).

And Clive, what do you mean by CCT? Not familiar with the file/process type, it's not a SPICE model???

Nick PAugust 12, 2015 11:00 AM

@ Clive

That's what someone else when it hit HN. I just emailed them suggesting:

1. They open and publish the circuits for review but not use w/out a license (cryptophone model)

2. They let select people (yourself included) review it under NDA, give a recommendation without too much detail, and submit any problems/fixes/improvements for them.

I suggested they also could license the circuits for use in custom boards or ASIC's. I forgot to suggest they could patent it if they were worried about I.P.. I reminded them that even /dev/urandom provides pretty good entropy these days and can be audited unlike their design. Post-Snowden and from Australia, they better publish some details if they want to be trusted. ;)

Clive RobinsonAugust 12, 2015 11:56 AM

@ Name.witheld...

CCT = circuit.

A glance at a circuit diagram will give a good idea of where to start looking for issues / attack points.

65535August 12, 2015 2:30 PM

@ Joenis Soule and Curious

I look at the related HN thread and was stunned. This is somewhat like the Sony rootkit scandal - but by Lenovo.

From what I can tell it is real. Levovo was forced to make a removal kit… But, if I were a clever Chinese BIOS rootkit maker I would just disguise the next version of it.

1] This articles show that Bios rootkits are here.

2] They are difficult to remove.

3] They will become wide spread if we are not vigilant.

PierceAugust 12, 2015 2:51 PM

@Joenis Soule


Lenovo modifying Windows OS files from BIOS to install Lenovo software

Thanks for the link. Interesting stuff and it led me to this document, about a way to push an executable from BIOS to the OS in Windows 8+:

This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution. The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table.

Windows Platform Binary Table (WPBT)
http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us

PierceAugust 12, 2015 3:02 PM

The latest official version of the "Windows Platform Binary Table (WPBT)" document is here:

http://download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx

The document states...

The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration.
One use case for WPBT is to enable anti-theft software which is required to persist in case a device has been stolen, formatted, and reinstalled. In this scenario WPBT functionality provides the capability for the anti-theft software to reinstall itself into the operating system and continue to work as intended.
This functionality is powerful and provides the capability for independent software vendors (ISV) and original equipment manufacturers (OEM) to have their solutions stick to the device indefinitely.

allAugust 12, 2015 4:00 PM

probably just a question of time until some hackers abuse the Windows UEFI Firmware Update Platform to send their own "payload" to some systems

or it may already have happened.

GregWAugust 12, 2015 4:45 PM

@Clive,

Yes, totally agree that the importance of the breakdown of source-of-found-vulnerabilities (vendor-internal-finds vs customer-finds vs researcher-finds) is perhaps not as relevant as vendor-aware-vulnerabilities (her sample size) vs the (unknowable) total-actual-vulnerabilities.

I guess I just had never heard a publicly-disclosed figure like that 87% internally-found vs 10% customer-found vs 3% security-researcher-found figure so I find myself puzzling over whether it tells me anything interesting. If I tally up the number of Oracle bug entries on the bugtraq lists I can multiply by 33.3 to get the overall number of Oracle security defects over time? Interesting! Not great for Oracle marketing perhaps, but is that meaningful without comps? Not really... unless you are trying to compare the defect rate to an open source product that fully discloses all its security defects+fixes unlike Oracle (but not even most open source projects do that either-- they tend to do "quiet/proactive fixes" too... but perhaps an insider of an open source project might find it an interesting factoid for their own comparative analysis?)

What I didn't realize when I posted the earlier link was that the author of that Oracle blog post which was quickly deleted was not just an Oracle blogger but was Oracle's "Chief Security Officer"!
http://www.zdnet.com/article/oracle-to-sinner-customers-reverse-engineering-is-a-sin-youd-better-pack-it-in/

Which at first I found kinda frightening and provoked thoughts of "no wonder Oracle's been having security problems..." My current perspective (last paragraph) is a bit more muted.

In any case, it seems the Oracle "Executive Vice President and Chief Corporate Architect" walked the cat back.

Also a bit funny in hindsight was to notice that the argument made, "we can -- unlike a third party or a tool -- actually analyze the code to determine what's happening" is a ironic unintentional plug for competing open source offerings, right?

(I think we all recognize there are limits even to having the source code, as the author earlier says in an earlier post on assurance:


Given the size of COTS code bases, the fact they are in a near constant state of flux, and the limits of automated tools, there is no way to absolutely prevent the insertion of bad code that would have unintended consequences and would not be detectable. (As a proof point, a security expert in command and control systems once put "bad code" in a specific 100 lines of code and challenged code reviewers to find it within the specific 100 lines of code. They couldn't. In other words, even if you know where to look, malware can be and often is undetectable.)
)

Having now read some of the CSO's earlier writings, while I think the deleted piece was a bit naive/highminded asking the white hats not to do something the black hats will absolutely do, and the author DEFINITELY has a beef with static analysis and its overhype/limitations, I do at least appreciate the candor. And it's clear the author A) spends way more time dealing with the government than with black hats and security researchers, (which you have to feel sorry for!) and B) has a strong suspicion of security consultants and economic incentives, security certifications and those incentives and government security legislation and economic incentives. Here's a nice example of similar candor from an earlier blog post which I think raises good questions about NIST (it's not just the NSA influence we think about that we should worry about):

I’ve talked in other blog entries about the concern I have that so much of NIST’s outwardly-visible work seems to be done not by NIST but by consultants. I’m not down on consultants for all purposes, mind you – what is having your tires rotated and your oil changed except “using a car consultant?” However, in the area of developing standards or policy guidance it is of concern, especially when, as has been the case recently, the number of consultants working on a NIST publication or draft document is greater than the number of NIST employees contributing to it. There are business reasons, often, to use consultants. But you cannot, should not, and must not “outsource” a core mission, or why are you doing it? This is true in spades for government agencies. Otherwise, there is an entire beltway’s worth of people just aching to tell you about a problem you didn’t know you had, propose a standard (or regulation) for it, write the standard/regulation, interpret it and “certify” that Other Entities meet it. To use a song title, “Nice Work If You Can Get It.”

Also of interest is where the author is coming from:


"In part, my focus on public policy is due to an admitted limitation of my skill set. I enjoy reading technical articles about exploits and cybersecurity trends, but writing a blog entry on those topics would take more research than I have time for and, quite honestly, doesn’t play to my strengths. "

and

I readily admit that I am not a technologist - I don't have the in-depth knowledge that most of my team has. What I do have is the ability to ask questions until I understand the gist of - and details of - a problem, and the ability to translate the problem into terms others can understand.

It's fair game for a commercial company to call out license violators, even in the security realms. We're grown ups here and we know what licensing is. What bothered me at first was the sort of "we're depending on security by obscurity" mindset. I am not sure if that was the author's real problem-- I'd be nervous too if I was CSO over a 70 million line code base written by other people... and there /is/ some real practical value not-releasing-source-code raising the difficulty of finding security holes. I don't know enough about the author to judge if that was the root error in perspective in that piece; reading more, my guess is, "probably not". I think the errors in perspective were more tactical. First, getting on a high horse about reading licensing texts is probably a dangerous place for any of us to be (I used to read them all with a bit of weenie pride but over time I've gotten busier and busier and sloppier and sloppier.) But secondly I think it was a tactical mistake for the author, when discussing their own extremely security critical piece of software where online crown jewels are held, to in their blog post seem to value license adherence over security probes by parties who have little way to verify security claims other than "trust us". The author knows full well that certification by authority and audit is and can be an economic racket and she should not expect her customers to believe otherwise by trusting Oracle or the Common Criteria or what have you. There should be at least a tad more respect for customer (or even a non-customer like myself whose information is stored in their databases in countless places by countless parties) caring enough to check. Even if the customer is trying to ding you on price and does waste your time.

Sancho_PAugust 12, 2015 5:28 PM

@Nick P, @Clive, @name.withheld, ..., Re: nice TRNG

How can one be sure that their sw actually reads from the device,
using USB and FT232H ???

65535August 12, 2015 6:43 PM

@ Pierce

“This functionality is powerful and provides the capability for independent software vendors (ISV) and original equipment manufacturers (OEM) to have their solutions stick to the device indefinitely.” -Microsoft

http://download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx

In Lenovo's case, it appeared to phone home in plain text including the possibility of the finger print reader. It’s somewhat difficult to change finger prints once they are stolen. That’s a black mark on Lenovo.

I assume the guy’s at Fort Mead will be busy hacking away at this technology for their own machinations. That is not a pleasant thought.

Clive RobinsonAugust 12, 2015 6:59 PM

@ Sancho_P,

How can one be sure that their sw actually reads from the device, using USB and FT232H ???

Well, the chip --if that is what it is,-- is a simple serial data to USB converter, as is used in quite a few places including peripherals like mice.

Thus you can hook a logic analyser up to the serial data pin into the chip and with a small amount of work check that what you are getting out of the USB TTY device matches. It's easier these days now that you can get USB logic analysers, and could write a script to do the comparison.

It's the sort of thing you should do any way to check the health of your TRNG. For years I've complained that the Intel on chip TRNG should not be trusted because you cannot get at the "raw ouput" to check it. Intel only let you get at the processed result where they have chucked their own brand of "magic pixie dust" over it, which naturaly makes me deeply suspicious of the quality of the "raw source" and if it is actually random at all.

It may sound like paranoid thinking, but computationaly the TRNG is the forge from which the iron "to make the keys to your kingdom" comes from... as the old saying goes "the ship was lost all for a halfpence of tar".

Walk With Black SwansAugust 13, 2015 3:10 AM

@Apprentice

The "American Government" broke quantum systems back in the 90s.

So, all public key cryptography has been useless.


For quite some time.


The question which remains is, perhaps, 'can you trust them'?


I do not think Peter Zatko nor Dan Geer knew any of this. If you are wondering.


This is one reason I recommended "Influx".


But, this leaves open some questions. Did we, for instance, run someone else... my only comment there is, "yes, holy fuck, of course we did", but also... "no they had no slightest clue of this".

That is... you see some division in these matters.


You, personally, would find some idea of some kind of idea of a "syndicate" comprised of MIA and disavowed as crazy as the movies.


Any way. So for jokes and giggles. Say we did exist.


Well. I will leave that, at that.


Leave it for the experts to puzzle over dna and fingerprints.


MC. ;-)

hey riggsAugust 13, 2015 4:42 AM

[b]TAILS Linux 1.5 is out (Aug 11, 2015)[/b]

# Tails is a live system that aims to preserve your privacy and anonymity.
It helps you to use the Internet anonymously and circumvent censorship almost
anywhere you go and on any computer but leaving no trace unless you ask it to
explicitly.

# It is a complete operating system designed to be used from a DVD, USB stick, or SD
card independently of the computer's original operating system. It is Free Software
and based on Debian GNU/Linux.

# Tails comes with several built-in applications pre-configured with security in
mind: web browser, instant messaging client, email client, office suite, image and
sound editor, etc. - https://tails.boum.org/about/index.en.html

= Download:
https://tails.boum.org/download/index.en.html

John Galt IIIAugust 13, 2015 12:06 PM


It looks like the etiquette is to post random security-relevant news/information on last week's squid post until the next one comes along.

Stumbled into this in the morning news, but I've forgotten already which news compendium had it. This is a good article, although it glosses over the hardware backdoors, as firstlook seems to do consistently.

https://firstlook.org/theintercept/2015/07/14/communicating-secret-watched/

https://geti2p.net/en/docs/applications/supported#email
...
Email
I2P-Bote — Serverless peer-to-peer email application using a distributed hash table (DHT) for secure mail storage. [plugin]
Postman's anonymous email service — Provides email service within the I2P network via @mail.i2p addresses, and email gateway service between the I2P network and the public Internet via @i2pmail.org addresses. One of the oldest continuous services on I2P. [service]
susimail — Simple web browser-based email interface. Configured to use Postman's email service by default. [bundled]

https://en.wikipedia.org/wiki/I2P

[Tails-dev] Opensearch plugins for Mozilla-based (and other?) browsers
kytv killyourtv at i2pmail.org
Tue Jul 28 21:54:03 CEST 2015

John Galt IIIAugust 13, 2015 12:08 PM


Karl is a bit rabid, but he means well.

Now You're Really Screwed
http://market-ticker.org/akcs-www?post=230502

Well, today you are anyway...
http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/

THE NEXT TIME you press your wireless key fob to unlock your car, if you find that it doesn’t beep until the second try, the issue may not be a technical glitch. Instead, a hacker like Samy Kamkar may be using a clever radio hack to intercept and record your wireless key’s command. And when that hacker walks up to your vehicle a few minutes, hours, or days later, it won’t even take those two button presses to get inside.

$35 worth of hardware, more or less.

Here's how it works: Modern cars and garage door openers use what is called a "rolling code" system. That is, the code transmitted works exactly once, and the two devices have a "master" sequence generator. Thus, when you "pair" the remote to the car (or garage door) the devices are able to know the next sequence number. When you send the code the device marks where it was last and then searches forward, but never backward.

[...he has some more to say about how stupid companies are, but stupid company stories are a dime a dozen]

JeromeAugust 13, 2015 12:28 PM

@John Galt III

Modern cars and garage door openers use what is called a "rolling code" system. That is, the code transmitted works exactly once, and the two devices have a "master" sequence generator. Thus, when you "pair" the remote to the car (or garage door) the devices are able to know the next sequence number.

I wonder how possible it is that two different cars have chosen the same way to select the next number?

Sancho_PAugust 13, 2015 5:39 PM

@Clive Robinson
”Well, the chip --if that is what it is,-- is a simple serial data to USB converter, as is used in quite a few places including peripherals like mice.”
Um, this is their high-end “Multipurpose Hi-Speed USB Slave Converter”, not sure you’d find them in mice? But this excellent + versatile beast isn’t the problem. It’s the device driver / dll and the EEPROM data (remember the VID/PID stunt of FTDI ?).

USB handling is deeply woven into the OS, the presence (and purpose) of an attached FT232H (+ TRNG) will be easily detected and I’m afraid the bit stream could be modified by malware without touching the USB data.
My concern is the computer, not the TRNG device.
It boils down to ‘it’s not secure if you can’t trust HW + FW + OS’.
I think encryption is good but must be done externally in a trusted device
(e.g. tfc @Markus Ottela).

Sancho_PAugust 13, 2015 5:42 PM

@Jerome

AFAIK they use the same “way” (firmware) but a different serial in the base number.

JeromeAugust 13, 2015 9:27 PM

Sancho_P:
---
AFAIK they use the same “way” (firmware) but a different serial in the base number.
---

That would make sense. Thanks!

FigureitoutAugust 13, 2015 11:11 PM

Nick P RE: "trng"
--They make the point that random isn't even defined so this term "true" combined w/ "random" shouldn't even exist...It's a bullsh*t marketing term, only PRNG should be used since the term "random" has nearly the same depth of meaning as "the universe", so arrogant to think we know what it means... Anyway, lots to read and definitely can tell lots of study. The vast majority of my research in PRNG's over summer was reading how it's being done now. One relevant tidbit I can confirm based on my quick study over the summer w/ PRNG's is:

Plotting samples visually, in various dimensions and after various manipulations, had an early appeal. It's widely claimed that our eyes are sensitive to patterns that other tests might miss, and who doesn't like pretty pictures as proof of something or another – but the reality was that this was a relatively poor way to detect anything but the most glaring departures from a random distribution, and only useful over relatively small sets of samples at that.

I found this out the hard way of course, since w/ my hard head I don't trust until I experience something myself and feel that feeling of "that's why dumbass". Plotting small samples is next to worthless, your PRNG would "truly" suck if it had such a quick repeating pattern. You would need millions upon millions, and likely billions before even becoming partially useful for human-readable patterns or you're going to potentially ruin your research on not having enough data to make a conclusion.

In my freelance, amateur and importantly *unpaid* research, no one here besides Clive Robinson could mention another potential viable attack on a PRNG circuit based off avalanche noise common in zener diodes (basically all these types of PRNG's will have a zener diode). I used a common function included in IDE download in Arduino to sample to show how easy it could be to get those digits from the circuit to usable data, saving the data automatically to a file is something I should've done but didn't b/c I wanted to handle it myself. My attack (in my defense, I couldn't generate and find more signals due to basic tools missing from my arsenal) I was so confident would work did not work but I still hold EMSEC attacks are possible b/c they are on any electrical circuit...But the reality is, if someone is just standing outside your home attacking your HWPRNG then you've got a special psycho on your hands and need to generate these numbers elsewhere or somehow else.

The big difference is M. Ottela and Mr. Vazzana were offering up a PRNG w/ a public circuit w/ discrete components sampled off a breadboard whereas this is a USB device w/ surface mount components and no circuit offered up and trying to make some $$$.

Joenis Soule
--Yeah that was a good comment, I've got some weirdness w/ a netbook whereby I think it comes pre-encrypted (which doesn't make much sense...) and I can only get the backup key (?) and of course can't encrypt w/ Veracrypt b/c of GPT issue (not reverting this to MBR yet).

John Galt III RE: replay attack
--Yeah sounds like there's a solution now it's just so many of these systems are already out there and can't be upgraded w/o new hardware. But wonder if a simple countermeasure if some creeper gets a usable code, if you can just use the key fob after leaving (only use the inside lock when leaving vehicle) in car to a different location and that means a different rolling code that uses up the stolen code...

In the same way though, I discovered by chance a feature that I had no clue existed but it is quite public and I believe some kind of "soccer mom" dumbass feature added in, I looked at it w/ my RTLSDR, it does an unlock signal and then this continuous repeating much smaller signal and that's it; but I want to see actual data of it. Across quite a few manufacturers this works, there's a signal sent out that if you hold down the unlock key on your keyfob it rolls down *ALL* windows in the car. What a perfect backdoor for a criminal, eh? No loud broken glass, no finger prints, in and out. *grumbles*...

meanwhile, in FaceBookLand...August 13, 2015 11:27 PM

Facebook revoked the internship of Mr Khanna because he was using the data that The Govern...I mean Facebook...collects.

Even though this intern is no longer at Facebook, the data surely is.

I am sure it will all be entertaining one day.


Facebook revoked internship for student who made 'Marauder's Map'
http://mashable.com/2015/08/13/facebook-intern-marauders-map/


Facebook revoked an internship offer to a Harvard student after he launched a controversial Chrome extension that showed your Facebook friends' location down to the nearest meter.

...

Khanna also said that Facebook's head of global human resources and recruiting dinged him because his accompanying Medium post described the way Facebook collected and shared user data — an approach that seemed to violate the social network's "high ethical standards" for interns.

name.withheld.for.obvious.reasonsAugust 14, 2015 2:41 AM

@ Clive Robinson
Okay, got it...I tend to think more along the lines of a schematic.

And, I agree, a "Circuit Diagram" goes a long way along with a Gerber file (need to see trace layouts, pin/pad density, trace-widths/parallelism, ground planes, transmission line characteristics, signal propagation, etc.).

benAugust 14, 2015 10:32 AM

Even when told not to, Windows 10 just can’t stop talking to Microsoft
http://arstechnica.co.uk/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/


For example, even with Cortana and searching the Web from the Start menu disabled, opening Start and typing will send a request to www.bing.com to request a file called threshold.appcache which appears to contain some Cortana information, even though Cortana is disabled. The request for this file appears to contain a random machine ID that persists across reboots.

Clive RobinsonAugust 14, 2015 11:46 AM

@ ben,

Even when told not to, Windows 10 just can’t stop talking to Microsoft.

For those that can remember Microsoft got hammered by the EU over their "anti-competitive behaviour" with IE, this "talk to Bing" is very possibly in breach of the court settlement. Thus "if" the political will is there MS could find it's self in very real problems.

Nick PAugust 14, 2015 12:26 PM

@ Figureitout

Yeah, that was an advantage of Ottela's work. Theirs seems better in a number of categories, though, with them doing a lot of work to get there. The man-years of work, ease of cloning, and lack of huge, legal team are why they haven't published full schematics. They're trying to recover the investment but aren't pushing a mainstream product. Plus, they correctly pointed out that (a) most homebrew attempts out there are crap in one or more dimensions of TRNG design/performance and (b) inexperienced people trying to copy them usually make them worse. So, they tried to build something that works and facilitates easy verification by hardware hackers.

People worried about that can always feed a shoebox of die rolls or well-shuffled cards into hashes several times to seed an ISAAC CPRNG. Should work well enough. Alternatively, try to correctly build and use a TRNG described on the web by reputable source. (See how loaded with risk that sentence was?) Preferrably a combination of them. Still trusting third parties but design is more open. Choose your poison, I say. ;)

Gerard van VoorenAugust 14, 2015 12:42 PM

@ Apprentice and everyone interested in Qubes OS,

After using Qubes OS for 5 days here are my initial thoughts. Take it with a bit of salt. ;-)

  • The quality of Qubes is GOOD!
  • VMs work as advertised.
  • The documentation is to the point.
  • VM manipulation (access control, increase disk space, memory, cpu, etc.) is easy as pie. This is Pretty Good Security.
  • A single user OS makes sense.
  • The foundation (dom0) is based on Fedora.
  • Backup is also okay. VMs can be included and excluded.
  • Fonts. It is hurting my eyes. There is a ~10 step in fixing the fonts, but it should 'just work'. This is actually a Fedora issue.
  • 4 Gb of memory is the bare minimum, but you need 8 Gb when you want to use several VMs.

The real problem with Qubes OS is that there is a bit of learning involved, even for an experienced Linux and VMware user. I am not saying that Qubes is hard, it's only different, like Plan-9 is different. Right now I am now using Ubuntu 15.04 with full disk encryption, but I really like the Qubes lightweight seamless VM idea. This is a good solution for keeping things separated, for experimenting, for running several operating systems concurrent and doing this all secure.

Nick PAugust 14, 2015 12:45 PM

@ Clive Robinson, name.withheld

The BitBabbler team, esp lead engineer, responded to me. Should support my claim about real vs perceived INFOSEC in that he said I was the only one talking about a security review with specific concerns out of all the emails and visits they got. It was literally the only thing that people didn't ask. (rolls eyes) Like me, he also doesn't see the value of open specs given most people aren't qualified to evaluate them and those that can "should" be able to evaluate the device itself. That plus a concern of cloned I.P. is why it's closed right now with select reviewers.

Anyway, he gave me a long and thoughtful email that attempted to address many of my points. I'm going to ask him if I can forward you the whole email to keep us all on same page and save writing. Clive, I lost your address that tommy forwarded me when Hush locked my account due to inactivity. (assholes) However, I made a new, public one for my security consulting that aims to convey the right impression (marketing) while being easy to spell: digital kevlar (no spaces in between) on Google's email service*. Interesting to see if the email scrapers will process that. :)

So, you two just send me an email with a few statements for me to do basic authentication. I figure all our public/private emails are compromised anyway so I'm not too concerned unless I see PDF's or EXE's in attachments. ;) After you email me, I'll send each of you my Swiss email and hopefully the engineer's reply later.

*Note: Every variation of my name & INFOSEC function had been taken already. Probably scripted. Surprising that this one wasn't. How do you like it?

JakeAugust 14, 2015 1:31 PM

And now a true story about how difficult it can be to keep your PII data from falling into wrong hands:

My wife went to see a doctor today, for her ankle pains (some Dr. Durham at Orland Foot and Ankle Clinic).

On their paperwork they wanted her to provide her full social security number.

After consulting with her insurance company (Blue Cross / Blue Shield), and out of concern for identity theft, she only wrote the last four digits on it and handed the paperwork back to the clerk.

It should not have been very necessary either, being that they did get a copy of her drivers license.

And they also took a separate facial photo of her. They said that the photo was "like an additional identification".

Afterwards they came back asking for her complete social security number. She said she spoke with her insurance company and should not need to give it.

The end result was that the doctor did not want to see her, simply because of her not wanting to give the complete SSN.

She then asked if they can remove her photo from their system and the clerk told her that she is not able to. So now my wife is waiting for a call back from some system administrator who apparently should be able to remove the photo.

Clive RobinsonAugust 14, 2015 3:59 PM

@ Nick P,

It appears (from X-employees) that Kaspersky have been very naughty...

http://mobile.reuters.com/article/idUSKCN0QJ1CR20150814

Not that this is exactly unexpected, there's been many rumors down the years of AV companies "brewing their own", not just for testing but to let them "accidently" go wild to keep business going. Thus to be told atleast one was using it to noble the opposition for "Competative Advantage" is unlikely to supprise those that have been admins etc since the atleast the late 1980's, early 90's.

On another matter there was a bit on this blog about Oracles CSO throwing the toys out the pram over Reverse Engineering, well in other olaces it's created a bit of a 541t storm, especialy as it was taken down so quickly.

With regards Email, I've got to set up a new giigle account just to get a few android apps so I'll let you know the details.

BoppingAroundAugust 14, 2015 4:19 PM

Jake,
> she **only wrote the last four digits** on it

I am not American but I have a vague memory that those last four digits are just enough to identify someone.

SocialSecurityAugust 14, 2015 4:38 PM

The professionals want your full Social Security number NOT for identification purposes, but for BILL COLLECTING purposes. Any court/debt collector action requires the full number.

FigureitoutAugust 14, 2015 4:47 PM

Nick P
--Certainly I think M. Ottela should be using a better PRNG than one designed by an admitted rookie. So long as the sampling point for any microcontroller w/ an ADC safely uses 3.3V or less. I don't think it would be that hard in python to take in some local entropy and mix that up w/ samples. You didn't however address their admitting that they could be selling snake oil b/c random is not defined. They could be charging you for something that *may* be as prevalent as air.

What makes me mad though is no one can say WHY an avalanche-noise based PRNG is crap or a practical attack on an air-gapped system sampling a PRNG. Not to mention the current methods of study just aren't solved yet at all (and I don't like it or find it very fun, besides getting the bits, so I don't wanna do it). They will only attack intake or conversion of data.

Lol at "correctly build" too, it's pretty straight forward if you're not lazy or avoid actual hardware.

Clive Robinson RE: email
--I posted to MTG's site but either something happened to it or MTG took it down (wouldn't be the first time that damn goat screwed w/ me on the net). But I don't know what we'd talk about except it being a very one-sided convo of me asking why and how on some stuff. Maybe you could say truth w/o some other tweety birds chirping in your ear. Just saying instead of leaving hanging.

BuckAugust 14, 2015 5:28 PM

@Jake

Sorry to say, but it gets even worse than that... Even though she decided not to provide her social security number today, you've likely given enough information here to uniquely identify your wife.

Assuming a female patient is seen for ankle/foot work within the next week somewhere in 32806 or a neighboring zip code, a so-called 'anonymized' medical database could be used to find a short list of possible birth dates. Using that information, if she also happens to be a registered voter, a short list of name/address/political affiliations can be found. Find the one whose husband is named Jake, and our de-anonymization is complete! The SS# probably won't appear in any public dataset, but I doubt it'd be too hard to get a hold of if someone were determined enough...

Policy and Law: Identifiability of de-identified data

Description: Dr. Sweeney's first contribution involved linking de-identified patient-specific medical data to a population register (e.g., a voter list) to re-identify patients by name [cite, cite]. She then showed that "87% of the U.S. Population are uniquely identified by {date of birth,gender,ZIP}."

Nick PAugust 14, 2015 7:28 PM

@ Clive Robinson

That's hilarious. A sneaky variation of the old, "fake AV," scam. I particularly like how the "security" companies blindly trusted each others' submissions without verification or concern for malice. It was probably done for economic reasons given huge volume of virii doing all kinds of different things. Worth someone's Ph.D. to look into securely sharing and verifying signatures of malicious executables without similarly being poisoned. Props to Kaspersky, though, as that was some nice villainy in a market that's full of [sh]it.

Good thing I used BitDefender on my few Windows boxes. (pauses) I... think... it's a good thing I used BitDefender... (paranoia resumes) Oh hell, I figured they'd all screw me and it's why I have a Linux desktop. :) (pauses) Nevermind, gotta stop thinking... lol.

"With regards Email, I've got to set up a new giigle account just to get a few android apps so I'll let you know the details."

Cool. I'll be checking the account periodically. I'm about done with my reply to the main engineer. I went ahead and asked for permission to forward his + my email to you or name.withheld when I get your addresses. As he covered a lot of ground, it will save him typing and keep us on same page initially.

I can't tell from his description if it's an ASIC or visible, analog circuits on PCB connected to SOC's for MCU/USB-interface. I've asked for clarification. He did say they intentionally made implementation simple and price cheap so hardware people could analyze it easily. Can't say anything further until I get his reply except to say his email was a pleasant read compared to most and the non-subversive reason the specs are closed is pretty believable. So far. ;)

@ Figureitout

"You didn't however address their admitting that they could be selling snake oil b/c random is not defined. "

It wasn't an admission of anything, doesn't prove anything, and didn't merit a reply. It's actually a symptom of their site's (and email's) extra amounts of honesty about risk. I can't even remember where they mention it but the nature of randomness is still open to debate. So, they move to practical where you pick sources that physics & experience show have random noise. Then, they throw all kinds of tests at that in many configurations to determine the output. Then they use mixing functions that combine effectiveness of sources without as easily hiding faulty ones. Then they measured the output of many units over many months and allegedly let third parties do the same.

So, far from snake oil, the impression I had from the How site was that they were focusing on the right things. Simple mixes of well-known noise sources using simple circuits with extensive testing is about the best you're going to get in assurance for TRNG's. The others doing open, TRNG HW were doing same thing except usually with only one noise source, little environmental consideration, and less testing. So, my initial impression was that BitBabbler's credibility and caution were ahead of rest.

And that leads me to see how they respond to questions and if they'll let someone like Clive review the specs. If they won't shoot their wallet with open spec, then having trustworthy and competent reviews along with on-site verification steps from those reviewers would help. Plus, the character assessment of how they acknowledge the risks and justify their decisions. Both are ongoing.

Remember, though, that others have posted links here to people who regularly break hardware open and analyze it for security. BitBabbler's engineer told me it was specifically designed to make that easy. Still getting more info on that. My take so far is, like OpenBSD team, they built it for themselves after being disappointed by other solutions out there (esp open TRNG's) and then made it available to others. They're for-profit so they charge for it. Surprising part supporting this notion is they're specifically *not* targetting mainstream audience: they prefer people who already realize a need for the tech and have skill to find its flaws to improve it. *That* is quite different from the response I normally get ("just trust us cuz we need the millions!").

Most interesting thing was a claim that they didn't expect flood of attention due to HN article. I was concerned about that being a ploy to generate intruige so I checked back on HN thread. There's a bunch of negative speculation from commenters, with Thomas Ptacek (Matasano) saying HRNG's are useless, but there is no reply from BitBabbler. They're aware of the post and marketing opportunity given our emails. Yet, they're clearly not interested in convincing that audience their product is worth it. Fits with their claim of trying to solve a hard problem for themselves and sell to people qualified enough to want/review it. So, I'm far from ready to recommend them but they're operating exactly the opposite of most subversions. And I like their attitude as it's the one I recommended, too. ;)

"Lol at "correctly build" too, it's pretty straight forward if you're not lazy or avoid actual hardware."

Contradicts most of your posts here. You've described one set of headaches and up-hill battles after another. You run into more despite having good help. People double-checking a design vetted by competent people they trust isn't lazy: just effective use of time. Can't become an expert in the engineering of every single safety or security product one uses. It's the whole point of reviewers or certification. Far as issues with those: I suggested two people here for a reason. :)

name.withheld.for.obvious.reasonsAugust 14, 2015 8:15 PM

@ Nick P, Clive

Figureout is not off in his comment about PRNG, and a robust hardware solution would probably be defined by analog diode driven to the knee or even the thermal transmission of various semi-conductor dielectrics (kind of the underlying zener diode principle).

What I have been toying with others probably haven't consider, nano-materials could provide some interesting support in a design with a high level of operational symmetry. Believe it or not, linearity in a random number generator is important. Why is not completely obvious but work I'd performed in the past, a project out of Princeton, is a good example though it was many moons ago.

Think of a graphene, carbon nano material (nano-tube), and a "doping" material to form a "current" stream that in essence is a noise source. Picture a Chinese checkers board titled at an angle, the stream of marbles is constant from the top end of the board. The marbles fall as a water fall does, and the distribution on the board is source of entropy as newly introduced marbles ebb and flow from the holes on the board. The larger the board, the greater the matrix siz, thus a higher level of entropy, and with a nano-material, reaching values of a million bits or higher would be possible.

I just wanted to throw that out for consideration...


ThothAugust 14, 2015 8:19 PM

@Nick P
Hopefully something useful (in sense of usability) comes out sooner for Genode to make a more assured and secure environment rather than relying on Windows, Linux or those usual problematic OSes.

Currently looking into Turaya to see how they get their TCB usable and done.

Another approach might be to run NOVA/Genode/Virtualbox or Seoul combination and then use multiple Windows and Linux VMs on the combination since I get the feeling from my recent digging of reports regarding this combination which seems to be a rather common road many people might have taken.

More work on Genode side have to be done on allowing hot swapping of instances/scenarios from untrusted userland probably by issuing a simple 'swap-land' command or something that will kick into some sort of management mode to pick another userland scenario to enter into or perform administrative functions.

JakeAugust 14, 2015 9:13 PM

@Buck
"you've likely given enough information here to uniquely identify your wife."

dang. although not being registered to vote might be a saving grace here?


@SocialSecurity
the doctor's office called us back later and explained that they store the SSN "X'ed out" in the application they use and that it is only made available for bill collecting purposes.

I'm not sure how safe that app is but they were quite professional with their explanations AND most other doctors around here may want the same level of information...besides that they are the closest podiatrists office to our home...so we may end up going back there anyway;-P

Nick PAugust 14, 2015 10:05 PM

@ Clive Robinson

A classic paper that led to prevalence of L4-based, microkernel research. A good adaptation of that was Nizza Security Architecture, as seen in Mickro-SINA VPN. A possibly better model, though, came from the KeyKOS line of capability-security & microkernel development in form of EROS. That kind of thing will probably be an upper limit on legacy architectures with kernel/user separation. Have seen more developments using hypervisor mode but it's basically same types of stuff.

Cambridge's CHERI took capability model further in hardware while providing legacy compatibility with modified toolchains. A number showed Linux compatibility while modifying hardware to avoid implementation attacks. Shows a path for strong security with monolithic applications. SAFE took it a different direction with a "zero-kernel" OS built on tagged hardware, safe languages (functional), and aim of verifying everything. Microsoft topped most language-based security (incl SAFE) with clever, dual-verification technique in Verve OS.

So, we've gotten to see the evolution of various paths in monolithic, microkernel, capability, CPU, and language-based security. Thing is, all of them are going strong fighting many critical issues. The eventual solution might come out of any but will likely be a combination. I keep seeing a model that turns a type-safe, memory-safe language containing strong modules/interfaces into an executable with compiler enforcing messy details such as protection mechanisms. Might even be agnostic to the how. On one architecture, it might compile it down to a component-based, microkernel system with auto-checks at interface. On another, it might convert it to assembly blocks with correct tags on code and data. And so on.

@ name.withheld

It sounds like a good idea. It's missing the possibility of verification discussed in other circuits. However, if you control design, it certainly sounds interesting. I think the circuit-based methods on existing process nodes make more sense given we reuse the tools, knowledge, and cost reductions of them. BitBabbler's approach, combining multiple noise sources, could be implemented with many parallel chains on a high end process node. Should provide a tremendous amount of good random numbers without much work. Intel get's 1+Gbps from thermal noise alone on a chip where that was tiny part of it.

So, by all means play around with that idea. A good variant of it would have nice obfuscation potential, for sure. I think the reference should standardize on simple, effective circuits with multiple noise sources. Throw in entropy pools, hand-made entropy, and CPRNG's if you don't fully trust entropy source.

@ Thoth

Turaya used Perseus Architecture, which is similar to Nizza. Here is the result of that project. Here is the resulting product. They probably did a lot of what Genode is doing in terms of porting critical layers, then left everything else to VM's. That's the approach you were doing if you wanted to keep costs down to make a *product* profitable. ;)

"multiple Windows and Linux VMs on the combination since I get the feeling from my recent digging of reports regarding this combination which seems to be a rather common road many people might have taken."

It's what I would've done as a short-cut. Can't do it on this machine as I'm down to two laptops. Gotta keep them alive until I get more income and can risk bricking one a month.

"kick into some sort of management mode to pick another userland scenario to enter into or perform administrative functions."

Could you elaborate? Do you mean like how CMW's, INTEGRITY, and QubesOS switch between VM's easily? Or something else?

ThothAugust 14, 2015 10:52 PM

@Nick P
Current scenarios I am running on the Genode/Fiasco.OC/L4Linux is once you booted up into the image, you have just a single L4Linux session and that's it. What I am thinking is to have a command prompt switch or command of course using Nitpicker trusted GUI would be much easier but the "what if I don't want GUI" comes into play although I could have compiled in the Nitpicker too if I wanted.

Something like calling a 'swap-world' in the command prompt of an instance of a L4Linux would switch view to a Management View and you can see like an L4Linux instance running, a native scenario instance running ... and other stuff. Maybe even assign resources to the L4Linux if it's running out of RAM or something or maybe spawn another L4Linux instant and kill the old one.

FigureitoutAugust 14, 2015 10:56 PM

Nick P RE: malware
I particularly like how the "security" companies blindly trusted each others' submissions
--Can you imagine just how insanely impossible and awkward any sort of business would be if they treated each submission like a super malware? Intel agencies are the most suspectible to these malwares anyway. I'd probably like seeing their setups for submissions and then their "trusted zone". They still have guys reversing incredible malware no one else can do, all these companies do.

RE: Prng
Simple mixes of well-known noise sources using simple circuits
--Yeah, except you don't know the circuit so you can't say that besides "taking their word" b/c they smooth-talked you w/ an email. They attached a FTDI chip that while it seems simple (I like the no firmware aspect, protocol is done entirely in hardware (allegedly), I do wonder though why do USB chips have so many pins?!), has an EEPROM that other open PRNG's don't and you can sample via a different protocol (much simpler than USB...). If someone is going so far as to use a HWPRNG, then why not have a dedicated device sampling from an actual SIMPLE (in theory) protocol and not USB? That was a $$$ selling decision.

I do like the sound of their extensive experience in analog electronics and electrical engineer's arch enemy is noise and the chaos it brings so they hopefully designed in some natural EMSEC based on just good clean design (but since it directly connects via USB to traditional endpoints the problem will, predictably and once again shift to endpoint...malware logging USB comms...etc...); I just want the damn circuit to see what it is and why is the PRNG in TFC "crap". No ring oscillator to attack. And I'm sure those buying a HWPRNG are just fine using some blackbox no matter who's reviewed it for something so important as the entropy to your crypto keys!

And yeah tptacek is focused on 'corporate' security, not the homebrew stuff we do here meant to force physical attacks w/ the highest threat model; no surprise he doesn't see a use of a HWPRNG since he probably hasn't sold a company that did that or consulted some sucker on it. Doesn't matter, we'll have harder setups than his stuff anyway.

Contradicts most of your posts here.
--Not to me, security is a big massive migraine that never goes away. I'm used to it now so I don't feel it but I know my systems are still way too weak and insufficiently protected (I don't want to waste so many seconds each day manually typing 50+ char passwords multiple times each day and extending my OPSEC further than I've ever done, for normal business).

I had and still have a lot to learn so I put myself in positions to fail, it doesn't matter to me so long as I learn good stuff. And I value personal verification so very much, that I can see much more than trusting a review from someone and some complex opaque thing I don't even know how to approach. Even having expert review, the expert won't be focused solely on just that, there'll be plenty of tentacles pulling at him/her. Problem needs quite a few more peripheral help/support team attacking the problem too and working as a team. I caught a surprising dumb mistake from an "expert" who even still does a ton of good work (as good as is practical) and works fast. I take a little longer to orient and adjust but I'm thorough and love the feeling of knowing where bugs will be.

Clive Robinson RE: kernel
--I'm going in the other direction (I would consider my life a success if I'm one of the few on the planet that can cut microcode, doubtful I'll probably live happily above that but at least see it), so I'm not going to be trying kernel/OS design for quite some time until in and around the hardware I feel safer. If anything I would work on some RTOS to really get a sense of how an OS works but even still that's a bit above my pay-grade right now. But of course microkernels sound better for security (just way harder to implement and then write applications for).

Just got a little netbook and it seems to come pre-encrypted (screw that, give me the computer and let me encrypt it) and also apparently locked down w/ "secure boot" meaning I can't boot up anything else or from what I'm reading even image the drive! WTF! No, don't like this at all.

name.withheld.for.obvious.reasons
Figureout is not off in his comment about PRNG
--Thanks mate, we have to gang up on Nick P and show he's wrong! Hah, only slightly kidding :p On bitbabbler, just being devil's advocate and as we all know usually makes for stronger verification (unless devil's advocate is a straight up troll). Still haven't heard of any practical attacks I can launch tomorrow on these kinds of PRNG's....there must be some, am I just completely missing something or has it been overlooked..?

Nick PAugust 14, 2015 11:47 PM

@ Figureitout

re malware

Yes, I did it for years with various protocols and formats. Detecting whatever Kaspersky's people came up with would be tricky. Yet, the second the false positive problem became known, I'd probably implement a whitelisting program for common software (esp OS) to use as a check against potential false negatives. That by itself should catch many false negatives and quite a bit of Kaspersky's scheme without knowing it.

I wouldn't blame them for anything attacks really clever or far out. I just expect them to try to do something about those after they find out. All one can do there.

re PRNG

"Yeah, except you don't know the circuit so you can't say that besides "taking their word" b/c they smooth-talked you w/ an email. They attached a FTDI chip"

Actually, their email said they fought with various issues that crept in for years. The engineer said the greatest subversion risk was FTDI chip but there's a diversity of suppliers for that sort of thing. Suggested if they found problems they'd swap it out. I guessed that it was a $$$ thing because they couldn't price one at $35-150 with a whole ASIC development & no wide market. They'd literally have to be aggressively marketing it to get back an ASIC investment. This isn't unusual as every "open" device uses proprietary SOC's or standard cells to reduce cost + time to market. Would you drop $100k-$1m on one component in a system that hardly anyone might buy? Or just use a COTS chip for interface in early prototypes to see how market reacts?

"hopefully designed in some natural EMSEC based on just good clean design"

Maybe but I doubt it. Modern stuff leaks so much it wouldn't make sense doing EMSEC on one component & a low-cost one at that. I think people should just use EMSEC safes & rooms with vetted, simple components. None of that stuff that probably has radios hidden in it, etc.

"I just want the damn circuit to see what it is"

Me too. They're worried about a loss of "man years" worth of investment from piracy. Our old hardware guy talked about his endless battles with that with some copying them to transistors. So, I get their concern but I'm pushing to see what compromises might happen.

"And yeah tptacek is focused on 'corporate' security, not the homebrew stuff we do here meant to force physical attacks w/ the highest threat model"

Exactly. Corporate and mainstream. He's yet to see how assurance activities (not paperwork) at EAL6+ can increase security of a design by systematically preventing, detecting, and recovering from weaknesses. He also reduced the problem to "high security" = "doesn't support browsers." Well, secure platforms not giving full privileges to insecure platforms? No shit lol. At same time, I linked to half a dozen or more strong architectures for web browsing with one or two implemented in high assurance direction. Told him to take his pick. Didn't hear back lol.

"Problem needs quite a few more peripheral help/support team attacking the problem too and working as a team. I caught a surprising dumb mistake from an "expert" who even still does a ton of good work (as good as is practical) and works fast. I take a little longer to orient and adjust but I'm thorough and love the feeling of knowing where bugs will be."

Sure. However, people watching a long time have seen that most amateurs can't cut it in high-security engineering or hardware engineering. Takes too much accumulated knowledge and experience. They often try to tackle non-existent problems, suggest things that are obviously bad, or question what's obviously good. In rare cases, they spot something others overlook because they're set in their ways, in a hurry, make a mistake, or just luck. However, most of the time they post stuff on S.O., etc and an experienced person has to get them on the right path. So, it's questionable if they can contribute to the big picture or hard stuff vs whether they're a time sink.

Personally, I see the amateurs on a supporting role working on what they understand. This could be analyzing common threats, implementing functionality spec'd by experts, doing various analysis, and so on. Basically grunt work but important. In parallel, a chunk of their time is devoted to exercises solving new problems where some answers are known and some unknown. They're mentored on this with peers or teachers helping them understand successes, failures, and so on. This further develops their skill so they can tackle harder problems while having foundational knowledge to do it. Over time, they become the leads on projects and the mentors for others. Takes a lot of time, though.

Note: Smart, well-educated amateurs with good mentors *in academia or at home* can take on hard problems if they choose. Many clever architectures and schemes came out of this. So long as it doesn't hit production without expert review.

Of course, the general rule of thumb of mastery of anything is around 10 years. And security is like all kinds of fields put together plus specific mindset and domain knowledge. So, unsurprising the new people do what they do. I know because I was once one of them. I worked through old problems and solutions piece by piece, learning it bit by bit. Only regret is I majored in CS/IT instead of EE. Hardware turned out more important.

Of course, had I done that, I might not understand the system and software issues like I do. I might be able to farm out the hardware stuff to specialists once I have a good architecture in mind. Farming out the other stuff is more difficult as there's fewer people understanding it. So, whether I made a wise decision is still open for discussion but more hardware design experience would've certainly helped. :)

"Figureout is not off in his comment about PRNG
--Thanks mate, we have to gang up on Nick P and show he's wrong!"

That will be fine if we start talking about PRNG's. Thing is that I've been reviewing a board that runs several TRNG's through a mixing function in hardware. That's not a PRNG. People have proven me wrong many times in life but talking about an unrelated, subject's problems isn't how they did it. :P

FigureitoutAugust 15, 2015 12:33 AM

Nick P
--Oh boy you're up late tonight, must be having a sleepover at Wael's (I know what you guys are doing...and it's gross :p).

Would you drop $100k-$1m on one component in a system that hardly anyone might buy?
--No absolutely not from a small business perspective. You definitely have to be smart where you put your time/effort when you're too small to devote teams of 5-10 people or more on each part of a system.

Told him to take his pick. Didn't hear back lol.
--Yeah you guys normally don't get along lol...

RE: amateurs helping
--Well, you generally don't give the rookies the hardest parts of a project, generally the easiest parts, and even still will probably have to help. Main point is to double check work (I really enjoy programming in pairs, don't care if I'm at keyboard or not, you catch each other and talk out problems much faster); many times that means I'm just double-checking something done correctly, but sometimes not.

Only regret is I majored in CS/IT instead of EE
--Yeah but do you like it? Sounds like you like CS field much much more (object oriented, bah I don't like that lol). I like to be right in the middle of those 2 fields lol, so I'm friends w/ both.

That will be fine if we start talking about PRNG's
--Which is what every "TRNG" is since the science/methods of study as to what backs up these claims of true randomness are way too weak for engineering. So suck on that 8^P

Nick PAugust 15, 2015 1:07 AM

@ Figureitout

"-Oh boy you're up late tonight, must be having a sleepover at Wael's (I know what you guys are doing...and it's gross :p)."

It really is. Trying to fix this mess that people call hardware and software architecture working within their constraints is... frankly disgusting. Someone has to do it, though.

"No absolutely not from a small business perspective. You definitely have to be smart where you put your time/effort when you're too small to devote teams of 5-10 people or more on each part of a system."

Exactly. So, I don't blame them for it. I just keep it in mind.

"Main point is to double check work"

It's a good point and if the rookie is capable then by all means.

"I really enjoy programming in pairs, don't care if I'm at keyboard or not, you catch each other and talk out problems much faster"

I might be proven wrong but still think that's a bad idea. Relates to concept of flow: heightened productivity that only happens with minimal interruptions and noise. Good ideas and code practically flows without thinking. You go back to review it (or someone else does) later. The pair programming is distracting and has constant interruptions. I think there might be some kinds of people (eg you) that do work better that way but years of tests shows most don't. Actually, most that thought they were doing good on multitasking actually were slower and they only perceived it. Lots of issues & research to be done in this space.

"Which is what every "TRNG" is since the science/methods of study as to what backs up these claims of true randomness are way too weak for engineering. So suck on that 8^P"

Nah, a TRNG uses physical phenomenon that always comes off as random or is random in physics to produce random numbers. Trick is extracting without issues that randomness for your system's use. A PRNG is a mathematical function that pretends to be random, leverages a seed value, can be recreated with the seed, and might show how fake it is with its output over time. The CRNG's are PRNG's designed with cryptographic principles to eliminate that aspect. However, whatever randomness ultimately is, the TRNG's appear to be much more the real thing unlike the PRNG's that fake it. We can't with current knowledge get the seed even if the Universe is really a PRNG underneath for all this.

And, besides, have you seen the equations for all the low-level phenomenon? Good luck cracking all that stuff at nanometer scale to guess any possible, initial state. Computer scientists can barely model the simple stuff they understand much less all that. So, there is certainly a world of difference between TRNG's and PRNG's.

"Yeah but do you like it? Sounds like you like CS field much much more (object oriented, bah I don't like that lol). I like to be right in the middle of those 2 fields lol, so I'm friends w/ both."

Good call. I certainly like turning my ideas into reality more than screwing with wires although my year or so worth of hardware studies showed it was interesting. I can totally see the allure. Even I'm digging through all kinds of hardware stuff, even general-purpose analog, trying to understand how to connect from concept to silicon in a correct and secure way.

Coolest part of systems is they're practical and solve about all our problems leveraging the right combination of software, pre-existing hardware, and/or custom hardware. Coolest thing about software is you can endlessly build and modify it at no cost except time on pre-existing, hardware. Coolest thing about hardware is that... you get to hold the result in your hands knowing (if full-custom) you wired it up yourself and feeling ownership of it. :)

So, it's all good in a different way with each building on the other if you learn it.

AnuraAugust 15, 2015 2:48 AM

@Nick P, @Clive Robinson, @Figureitout

As I've said in the past, randomness is poorly defined and possibly non-existent. Instead, it's about unpredictability. When it comes to physical effects like, for example, detecting photons using a CCD, while you might be able to get some idea of what the image looks like, exact photon strikes depend on so many different variables that is impossible to measure, let alone determine past or future variables.

Clive RobinsonAugust 15, 2015 5:07 AM

@ Nick P,

(paranoia resumes) Oh hell, I figured they'd all screw me and it's why I have a Linux desktop. :) (pauses) Nevermind, gotta stop thinking...

Nagh don't stop thinking, just reach around the back a pull the cable.... if you are still reading then you probably got the right one. If however you are seeing a little white dot, then yup ultimate computer security step (1) accomplished power disconected, time to give it a (Step 2) concrete overcoat and (Step 3) deep sea swiming lessons B-)

Autumn is early this year or atleast the soft fruit harvest, so I've a long weekend without the use of the computer, picking, washing and freezing, otherwise no jams (jelly), pickles, cheeses, cordials or pie fillings :-(

So my replies will be be brief(ish :-)

From my point of view a minimal OS with "hot swap" / "redundancy" and usable on minimal RISC CPU architecture is the way to go on an OS baseline, not just from the "High Availability Assurance" requirment but because parallel computing is the way the industry is going, which means the IPC has to be highly efficient. Which as I point out occasionaly is a bit of a problem security wise thus security mediation by hypervisor on IPC is going to be challenging. However the upside is the low level OS becomes effectivly a "switch" of higher dimensions simulated in memory, hence a simple "message" passing stream system is the best starting point. Such switch design is fairly well understood from the telco industry thus most pros/cons will be known and understood. Such a switch is also scalable to just about any scale the laws of physics allows (time distance tradeoff of speed of light) as our currnt phone network shows.

It also alows RTOS to blend in as well which is becoming much more of an issue these days where automation of systems is getting closer to the primary transducers, as aircraft, ships and cars are showing more visably than the more rapid progress in the likes of your "white goods" fridge, freezer, boiler(furnace) aircon and the near invisable smart metered utilities and medical equipment. It's easy to see how IoT is going to be pervasive in these areas and it makes little sense to not include it in such a scalable switch architecture. Thus not planning it in from day one is going to cause problems down the line, and thus a much more problematic security surface. Daft as it sounds computers of all forms need to become the equivalent of "phones" running apps or parts of apps ontop of a wide area distributed switch directly equivalent to the "Central Office Exchange" model which is what the bulk of the OS will become.

@ Figureitout,

Much though your argument about RNGs is correct the industry has settled on TRNG for RNGs that are not deliberatly determanistic and PRNG for those that are. It's also decided to a lesser extent to use DRNG for those that are digital which is often but not always synonymous for the better class of PRNGs that fall into the CS-PRNG / CRNG class. Maybe you should consider ARNG or FRNG for analog and faux respectivly, it might catch on, where as continuing to use PRNG for TRNG is not.

You might not like it, and others can see the point you are making. But you have to remember that humans are tribal in nature and treat those obviously different as outsiders often with suspicion or hostility. But importantly almost always with friction untill one side grinds the otherside down or they go away. Even the Romans understood the principle of the modern phrase of "Illegitimi non carborundum" [1].

@ Name.withheld...,

The idea sounds interesting, ill ask some questions next week on the new squid page.

As for the linear issue, yup, we usually understand the time issue in "half life" sources when it's explainef but forget the magnitude issues in them and all other sources. Then few get to understand sampling, limiting and mixing issues either... Random generators are a whole field of endeavor in their own right, but you won't find it all nicely bundeled up in a text book for the beginner :-(

[1] https://en.m.wikipedia.org/wiki/Illegitimi_non_carborundum

Wesley ParishAugust 15, 2015 5:51 AM

@Clive Robinson

Smile it could be worse, they are planning on taxing breathing next.

You mean, like this?
ht tp://pandora.nla.gov.au/pan/10063/20120504-0022/www.antisf.com.au/the-stories/free-air-for-sale.html

And wait, there's more! I expect the public will be cheering the show trials as loudly as they've ever done before.

CuriousAugust 15, 2015 6:57 AM

The nerve Yahoo has for their pop-up saying:

"By using Yahoo you agree that Yahoo and partners may use Cookies for personalisation and other purposes"

As if it even made sense for demanding something of the user, but without telling them ("and other purposes").

Nick PAugust 15, 2015 12:31 PM

Another attack by Ben Gurion's finest is on Hacker News. I call it a "known unknown" in that it uses a known, EMSEC risk (cellphones) in a previously unknown way. Nice attack. I posted the following essay on hacker news:

Ben Gurion is on a win streak in emanation attacks. Neat example with a common culprit: writings on TEMPEST said cellphones within meters of a STU-III telephone compromised it immediately with inadvertant, active attack. This is going in opposite direction with a known attack vector. A nice example of a "known unknown." That wireless devices, cellphones or SOC's, greatly increase risk in EMSEC is even more evident with this. Gotta stay banned in high-security organizations and that presents very tough tradeoffs along with supply chain issues in terms of SOC's. Identifying the hidden functions of SOC's (including analog/RF) is a cat-and-mouse game that rivals the brains that go into software attack and defense from what examples insiders gave me.

Far as EMSEC, I've pushed people in INFOSEC to consider it for a decade. I argued we should because (a) U.S. used such attacks since 1914 w/ Russia using them wisely in Cold War, (b) there's a sizeable industry on defense (TEMPEST) side, (c) most commercial/personal systems were massively vulnerable, and (d) research in possibly hostile countries continued. Supported even more by leaked NSA TAO catalog that features emanation attacks, including one (RAGEMASTER) that looks like my past work. All outside high-security said it was theoretical (despite use by Russia), no evidence/detection of any attacks (how would they lol?), or so rare as to be not important (again, measured how?). Took a while for it to really hit mainstream attention and I'm glad to see people in recent years are finally worrying about a 101-year old attack strategy (emanations).

Ben Gurion's results, past and present, support my case: a new cat-and-mouse game could form on pro side for stealing classified or trade secret information with emanation attacks. Declassified documents on TEMPEST history showed defenders had a *hard* time for first decade even for passive attacks. The likes of NSA, Russia, Israel, and *maybe* China are decades ahead of defenders with Israeli researchers innovating the most on attacks. NSA valued it so much, even against allies, that it once diluted its capabilities when sharing with UK and (IIRC) Canada to keep them behind (read: vulnerable).

My recommendation is that research-funding organizations in as many countries as possible start dropping money on their best E.E.'s to recreate those decades of research. Reducing the signal, shielding, masking... all of it for each component that's common in systems. Another easy route, which I used to recommend, was EMSEC safes or rooms with filters on cabling plus the myriad other leaks that crop up (even toilets lol). Seemed to be easier, but not easy, as there were more companies doing it than securing arbitrary equipment operating in the open. We do a ton of research until even our undergrads and amateurs can apply given techniques to solve the problems for boxes, safes, or rooms they own. Maybe. It's quite complicated...

Regardless, these attacks will only get better and for more parties. NSA et al long figured out it was best attack albeit required specialists and sometimes physical presence. Demanded they save it for high priority targets. Attacks with cellphones and interdiction, along with radios in COTS stuff, mean physical presence might not be an issue in future attacks. The game's heating up and defenders got a lot of catch-up to do. I suggest they start by studying the field of electromagnetic compatibility (EMC) [1], books on TEMPEST shielding [2], commercial sector [3], and declassified military documents on similar subjects (some in [4], esp Red-Black).

[1] https://en.wikipedia.org/wiki/Electromagnetic_compatibility

[2] http://www.amazon.com/Design-Shielded-Enclosures-Cost-Effective-Methods/dp/0750672706
(An example. Generally, you want author to be TEMPEST certified or have strong background in EMC.)

Free book I just accidentally found on architectural shielding:
http://nashville.dyndns.org:800/YourFreeLibrary/Shielding/ArchitecturalEMIshielding.pdf

[3] http://www.tempest-inc.com/
(Found this in my bookmarks. Think they were good and helped with self-tests, too. Been too long time, though, so memory is fuzzy & many firms are gone.)

[4] http://www.jammed.com/~jwa/tempest.html

FigureitoutAugust 16, 2015 2:10 AM

Nick P
Relates to concept of flow: heightened productivity that only happens with minimal interruptions and noise.
--I'd like to see people avoid interruptions in my spot now lol (I'm normally ok w/ background noise, but certain kinds of loud drilling I cannot function anymore), I feel awkward b/c I can tell who's coming by the sound of their walk lol and I get that feeling of "do I turn around or just stay focused on screen". That's really annoying the social expectation when I'm trying to keep a chain of logic together. And I couldn't care less for any kinds of office politics.
The pair programming is distracting and has constant interruptions.
--I'm normally alone, but I find it much more fun to work in teams on something. Plus it depends on the focus of other person too w/ regards to interruptions.

Coolest thing about software is you can endlessly build and modify it at no cost except time on pre-existing, hardware. Coolest thing about hardware is that... you get to hold the result in your hands knowing (if full-custom) you wired it up yourself and feeling ownership of it.
--Yep well said. This is why something in the computer realm like microcode and in the radio work like SDR is so exciting (software functioning or controlling hardware, changing actual hardware w/ software inside dense IC's.)

Anura
--Yep, just saying it's slightly absurd, in english language to call something "truly" something when something isn't defined, you can't define it if it's a thing. Man screw this field I'll be over here not going nuts over such a field.

Nick PAugust 16, 2015 11:41 AM

@ Figureitout

"(I'm normally ok w/ background noise, but certain kinds of loud drilling I cannot function anymore)"

I recently had to deal with that during a near-by renovation. It was in a closed space I was working in. So friggin' loud all I could hear was static and pain. Others bitched but I made custom earplugs out of tightly wadded paper towels haha. Worked fine. They're gone now thank goodness.

"I'm normally alone, but I find it much more fun to work in teams on something. Plus it depends on the focus of other person too w/ regards to interruptions."

I hear you. Team thing makes sense. Question is should it be real-time or certain periods of collaboration? I'm open to research being done with different types of people working pairs or solo for certain periods of time before a peer reviews it. Thing is a lot of good code or solution that's time to create. So I'm wondering what constant distractions or interactions of pair programming do to that.

The most innovative, cleverly-designed stuff I've seen wasn't a result of pair programming. I can't imagine how they'd think it up constantly talking and listening in between thoughts. Even extroverts. However, doing a business or MVC app that way would probably be straightforward given there's little innovation and plenty of room to overlook small mistakes.

"This is why something in the computer realm like microcode and in the radio work like SDR is so exciting (software functioning or controlling hardware, changing actual hardware w/ software inside dense IC's.)"

I agree. That stuff is cool. My research on microcode found two things that made that better: (a) microcode simulators that let you experiment without destroying an actual chip; (b) HLL-to-microcode compilers that let you use it without hand-wiring. I figure (a) would appeal to you more. For RF, check out the Field-Programmable RF Arrays from Lime Semiconductor. State-of-the-art, low-cost SDR prototyping.

FigureitoutAugust 16, 2015 2:05 PM

Nick P
Question is should it be real-time or certain periods of collaboration?
--Little of both? Maybe not early morning. On a hard bug you're stuck on or doing testing.

The most innovative, cleverly-designed stuff I've seen wasn't a result of pair programming.
--Not sure here, I'm mostly focused on things (underlying design mostly done essentially, reality is there's things we can't get into (the actual chip of course) besides relying on documentation and outputs) actually working reliably rather than brand new features, actually had to strip stuff out for one product. All the usual crap w/ getting a product to market. Little tricks in code to make stuff work is main thing I'll keep secret from competitor, little bit of hardware design that's relatively straight forward, just needs tweaks here and there that are difference b/w failure and functioning. Some of our stuff is old things that still sell in niche markets and tracking down bugs on new parts (going EOL or people penny-pinching and then causing us problems w/ cheap crappy parts). Also it's fun pushing certain parts to the edge of their specs or stumble across bugs not in datasheet and then weirdness happens sometimes...Then what lol...I'm talking behavior there's not really rational reason for (told brown-out detectors, which are really common now, in past not having that would cause really strange bugs; can test this by supplying chips just barely enough power). There's proprietary stuff we can't see to diagnose some stuff...if it's not reliable though scale it back.

Field-Programmable RF Arrays from Lime Semiconductor
--Nice thanks. Based on some things I'm hearing about platform I'm working on (well on the side, not "work" work), is getting 900MHz long range (100 miles line of sight), so maybe that means like 5 miles non-line of sight. Right now it's about 2-3km. That and the data rate (heard up to 256kb/s, so like slow internet now; so good enough for text files or maybe images). It's fun just programming existing chips for now for me. I may get to work on some FPGA stuff actually soon, maybe. Either that or an assembly project. I'll try to filter out non-NDA knowledge if someone gets more into FPGA's here.

Clive RobinsonAugust 16, 2015 3:06 PM

@ Figureitout,

... heard up to 256kb/s, so like slow internet now; so good enough for text files or maybe images.

I can tell from this you are to young to remember "dial up Internet" that with a following wind might get up to 48Kbps... and to think it was just a decade or so ago...

Your comment has just made me feel "old -n- creaky" :-(

So the obligitory "old fart", walking stick shaking comment has to be gummed out,

    Yah bo sucks, you yougsters just don't know when you've got it good, hurumph hurumph

AnuraAugust 16, 2015 4:40 PM

I'm old enough to remember the frustration of trying to look at porn on a 28.8, but too young to remember having to buy it in paper form.

BuckAugust 16, 2015 8:30 PM

@Jake

dang. although not being registered to vote might be a saving grace here?
Maybe, but probably not...

There's plenty of other public databases that are available to be cross-correlated in order to identify you and your loved ones...

Birth certificates, the Census, crime reports, death records, genealogy research, legal proceedings, marriage licenses, obituaries in newspapers, professional licenses, property deeds, etc. - just to name a few...

Anonymity is a lie... To each their own ;-) Be careful out there!

FigureitoutAugust 16, 2015 11:35 PM

Clive Robinson
--Actually I do remember dialup and having to wait for someone to GET OFF THE DAMN PHONE lol. And LAG! And I do know we "have it good" too, I'm aware of these things lol. Off to drink some metamucil now...

Anura
--TMI mate! :p

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.