Friday Squid Blogging: Strawberry Squid

I think it's a very pretty creature with some impressive adaptations.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on August 15, 2015 at 12:32 PM • 124 Comments

Comments

Jacob • August 15, 2015 1:15 PM

For some years, Kaspersky ran an elaborate dirty war against rival AV vendors by tainting clean files in such a way as to cause the competition to report false positives in large numbers. Kaspersky had evidence that the competition unjustly took its AV research results for a free ride, and retaliated.

http://mobile.reuters.com/article/idUSKCN0QJ1CR20150814

Among some vendors, Microsoft had also been targeted. Although MS did acknowledge in the past the onslaught of the tainted files, they refused to comment about a linkage to Kaspersky.
A technical presentation from 2013 by Microsoft's antimalware research director, Dennis Batchelder, et al., tells interesting tales.

https://www.virusbtn.com/pdf/conference_slides/2013/BatchelderJia-VB2013.pdf

Bob S. • August 15, 2015 1:54 PM

Reckon so: Why a Future Ride in a Self-Driving Car Could Be a Trip to Advertising Hell

Billions of dollars in advertising revenue, taxes, fees, fines, service and maintenance costs are at stake.

People will not be able to move one inch without every word, twitch and sneeze being recorded forever to be used by vast secret armies of government and corporate predators.

I can imagine mandatory visual and audio commercials coming from hidden speakers and multiple screens every few seconds, not to mention government sponsored "condition yellow" fear warnings.

Yet, think how convenient travel will be.

Alien Jerky • August 15, 2015 2:23 PM

The NSA has stopped recommending P-256, AES-128, 2048-bit RSA/DH and SHA256.

At the NIST Lightweight Cryptography Workshop a few weeks back, during a break, I asked an attendee from the NSA the following:

NIST specifies that AES can be used up to Top Secret. Does that mean that it is not to be used for higher classifications?

He paused a moment, gave me a funny look, then asked one of his colleagues about it (no answer). The subject was quickly changed then the workshop continued.

So, when a spec indicates up to a certain level but not above, that means it has vulnerabilities.

At the same workshop, during a panel discussion that included that same NSA person, during a discussion of key lengths, he said:

There is no reason to have a key longer than 90 bits.

I take that to mean the NSA can crack a 90 bit key.

A challenge to that statement was made by a very experienced attendee, who stated that she questions whether a 256 bit key is adequate, and that her experience is that a 90 bit key is just ridiculous.


Regal • August 15, 2015 2:42 PM

NSA Preparing Quantum Resistant Encryption Algorithms
https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

IAD recognizes that there will be a move, in the not distant future, to a quantum resistant algorithm suite. Based on experience in deploying Suite B, we have determined to start planning and communicating early about the upcoming transition to quantum resistant algorithms. Our ultimate goal is to provide cost effective security against a potential quantum computer. We are working with partners across the USG, vendors, and standards bodies to ensure there is a clear plan for getting a new suite of algorithms that are developed in an open and transparent manner that will form the foundation of our next Suite of cryptographic algorithms.

Until this new suite is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms. For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.

For those vendors and partners that have already transitioned to Suite B, we recognize that this took a great deal of effort on your part, and we thank you for your efforts. We look forward to your continued support as we work together to improve information security for National Security customers against the threat of a quantum computer being developed. Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy.

Featherstone • August 15, 2015 3:02 PM

It's interesting listening to the TLAs complain about going dark because of things like full disk encryption, but apparently they are not going down without a fight.

Imagine you have fully encrypted your disk with Truecrypt, Veracrypt, or even Bitlocker while disabling your Microsoft OneDrive account. This can be a problem for LEAs, right? They can't read the disk or inject malware by booting from another device, it's encrypted. What to do? Well... let's just ask our friends at Microsoft for some help. And true to form, Microsoft has come through with flying colors.

Starting with Windows 8, Microsoft has introduced the Windows Platform Binary Table. This interesting bit of code allows OEMs to install an executable file in the BIOS, which Windows will read and execute upon startup. It can even replace system files. Billed as an anti-theft feature that allows software persistence when the hard drive is formatted and Windows is reloaded, this is ideal for accessing encrypted drives when you do not know the key. If you can get access to the computer in question a short time while the computer is powered down, you can reflash the BIOS using a USB drive or CD rom. If I remember correctly, many laptops are assembled with blank ROMs, and the BIOS is programmed with a JTAG-like interface on one of the external ports.

So you are going through customs with your encrypted laptop, they take it away for a few minutes to examine it. You're safe because your hard drive is encrypted, right? Or the local police take it out of your sight for a few minutes. Maybe you leave it unattended in your locked hotel room. It only takes a few minutes to reflash your BIOS. The next time you start it, Windows loads and executes the malware. Neat, huh? No more worries about getting access to a fully encrypted drive.

It's not only the OEMs that can write a BIOS. It's well within the capability of nation states or any good programmer for that matter. I would be willing to bet the NSA, as well as nation states like China and Israel, are already exploiting this.

How long before someone creates a series of replacement BIOS files for popular computers and sells the system to local or state law enforcement?

How long before hackers create malware that will identify your BIOS, download a modified replacement, then reflash from within Windows leaving a back door that will survive reloading the operating system?

This feature has apparently been around in one form or another since 2011. It would have totally flown under the radar, except our friends at Lenovo decided to use it to install some persistent crapware that would survive Windows being reloaded.

http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/

This affects most new Windows PCs, and there is no way to disable it. It allows direct code execution into secure boot sequences.

From seclists.org: "Additionally, the code is injected and executed in Windows after the Windows kernel has booted - meaning hard drives are accessible. In a HP document - http://h10032.www1.hp.com/ctg/Manual/c03857419.pdf page 18 - they reference they use Windows Platform Binary Table to inject their code into encrypted systems (e.g. BitLocker) (!!!!)."

http://seclists.org/bugtraq/2015/Aug/44

We owe the people at Lenovo a big thank you for bringing the issue to the surface. What I'm surprised at is the lack of outrage appearing on the web. Everyone seems to think this is just a case of Lenovo acting in a manner similar to Sony when they installed a rootkit preventing people from copying CDs. But this is so much more, a way to compromise the operating system of virtually anyone running Windows 8 or 10.

When you come right down to it, if you are concerned about privacy and the security of your files, you just can't trust Microsoft.
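A defender-side check for the table discussed in the post above, added here as an example; it is not the commenter's code nor Microsoft's tooling. It parses a WPBT ACPI table (the field layout after the 36-byte ACPI header is as I read Microsoft's spec, an assumption, and the command-line length is treated as a byte count) and verifies the ACPI checksum. On Linux the firmware exposes the raw table at /sys/firmware/acpi/tables/WPBT when one is present; the sample table here is constructed inline.

```python
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Standard ACPI table header (36 bytes): signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body (assumed layout): handoff memory size (u32), handoff memory
# location (u64), content layout (u8), content type (u8), command-line
# length in bytes (u16), followed by a UTF-16LE command line.
WPBT_BODY = struct.Struct("<IQBBH")
LINUX_WPBT_PATH = Path("/sys/firmware/acpi/tables/WPBT")


@dataclass
class Wpbt:
    oem_id: str
    oem_table_id: str
    handoff_size: int
    handoff_addr: int
    layout: int
    content_type: int
    command_line: str
    checksum_ok: bool


def acpi_checksum_ok(table: bytes) -> bool:
    """An ACPI table is intact when all of its bytes sum to 0 modulo 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> Wpbt:
    """Decode a raw WPBT table, refusing anything structurally inconsistent."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    (sig, length, _rev, _chk, oem_id, oem_tid,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header says {length} bytes, read {len(table)}")
    size, addr, layout, ctype, cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_BODY.size
    if start + cmd_len > len(table):
        raise ValueError("command line runs past the end of the table")
    cmd = table[start:start + cmd_len].decode("utf-16-le", errors="replace").rstrip("\x00")
    return Wpbt(oem_id.decode("ascii", "replace").strip(),
                oem_tid.decode("ascii", "replace").strip(),
                size, addr, layout, ctype, cmd, acpi_checksum_ok(table))


def build_wpbt(cmdline: str, handoff_size: int = 0x8000,
               handoff_addr: int = 0x7F000000, oem_id: bytes = b"SAMPLE") -> bytes:
    """Constructed sample table for testing; values are placeholders, not a real OEM's."""
    cmd = cmdline.encode("utf-16-le") + b"\x00\x00"      # NUL-terminated UTF-16LE
    body = WPBT_BODY.pack(handoff_size, handoff_addr, 1, 1, len(cmd)) + cmd
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id.ljust(6),
                              b"WPBTSAMP", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) % 256                        # checksum byte lives at offset 9
    return bytes(table)


def check_host(path: Path = LINUX_WPBT_PATH) -> Optional[Wpbt]:
    """Return the parsed table if the firmware exposes one, None if there is none."""
    if not path.exists():
        return None
    return parse_wpbt(path.read_bytes())


if __name__ == "__main__":
    found = check_host()
    print("no WPBT exposed by firmware" if found is None else found)
```

A table that is absent means the firmware hands Windows nothing to run; a table that is present is worth recording (OEM ID, command line, handoff address) and diffing across boots or firmware updates.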

Jacob • August 15, 2015 3:17 PM

@ Alien Jerky:

The payback for finding a weakness in AES is very large due to its ubiquity. I claim that for extremely sensitive material one needs to encrypt in tandem using 2 different algorithms, one of which can be AES.

And yes, 90 bit key is ridiculously short against a well-funded adversary.

Markus Ottela • August 15, 2015 3:23 PM

@ Alien Jerky:

While generally considered the limit of computationally feasible, it's hard to estimate whether a 90-bit key is actually secure against the NSA. As for the attendee who questioned 256-bit keys, I think quoting Keccak Tune calculator is enough:

Considering an irreversible computer working at 2.735°K (the average temperature of the universe), Landauer's principle implies that it cannot consume less than 2.62x10^-23 joule every time a bit is changed. (Computers actually consume much more than that.) Just counting from 1 to 2^256 would take at least 3×10^54 joules (the total energy output of the Sun during 2.5×10^20 years).

Like previously discussed, NSA has Suite A and Suite B crypto. I find it plausible what Nick P said, that suite B is ridden with side channel vulnerabilities. So that would mean NSA can trivially extract keys used operator-wide in SIM-cards.

There are much easier ways to obtain keys though. If subpoena/gag order doesn't cut it, they will break into CA/Server/target computer system and exfiltrate the keys and then leverage the privileged position. Snowden has on numerous occasions said that end point security is the main issue. As an infrastructure analyst who turned down a job offer at TAO I think he's quite qualified to make such a statement. I put together a video about bulk CNE that explains why OTR etc. isn't going to help you in the future.

Alien Jerky • August 15, 2015 3:46 PM

@Markus Ottela

Everyone keeps associating breaking encryption with only being able to do a brute force crack. That is such a fallacy. Brute force is an obvious, yet simplistic way to crack a code, or you can use math and logic.

By analyzing an encryption for what the key IS NOT, you can start eliminating big blocks of possible keys as not being the answer.

To paraphrase Einstein, If you remove all the wrong answers, then all you have left is the correct answers.

Will it take millions, or billions of iterations using this process? Possibly, but we are talking billions, not 2^bignumber permutations, which can be accomplished in a reasonable time frame. Using finite element analysis techniques and iterative solution methodologies, the answer is approached following a logarithmic curve. Initially everything is a total guess, but as the wrong answers are eliminated, the number of bits to crack quickly diminishes. Eventually the possible correct solutions will fall into a range that is feasible to use brute force, or just keep doing the algorithm until you have an answer.

The use of brute force as a strength metric is wrong. Many papers exist demonstrating key recovery of encryption for various algorithms. Just because someone has not found a clean algorithm for cracking a key simply means that an iterative process may have to be used instead of an equation.

For those of you out there who are well versed in advanced physics, you will recognize that this is the case with most real world difficult problems. While in theory an equation should exist, finding a solution is often much simpler using iterative techniques.


Carl 'SAI' Mitchell • August 15, 2015 4:13 PM

@Alien Jerky

The reason we use brute force attacks is that, by definition, any algorithm which can be cracked significantly faster than brute force is broken. It's not that brute force is the only attack, it's that if any other attacks are possible then you shouldn't use that algorithm.

Alien Jerky • August 15, 2015 4:35 PM

@Carl 'SAI' Mitchell

The reason we use brute force attacks is that, by definition, any algorithm which can be cracked significantly faster than brute force is broken. It's not that brute force is the only attack, it's that if any other attacks are possible then you shouldn't use that algorithm.

Just because someone has not demonstrated publicly (cough.. EN ES EH) does not mean that it cannot be done. Or possibly nobody has looked with the proper mindset.

I notice a monolithic thought process in much of the encryption community. Most read the same books so they think alike and do the same thing. Occasionally someone comes along with a fresh perspective and notices that the emperor is fat (and has no clothes).

The history of science shows many problems that for a long time looked like no solution existed. Then someone finds a solution and people wonder why they did not think of that.


BoppingAround • August 15, 2015 4:38 PM

Someone posted a link to a Czech site with a story regarding Windows 10 spying several days ago in one of the squid threads. Today I saw a translation of that story.

I did not save the link unfortunately. But I have a few notes if anyone is interested.

-----BEGIN

The most voracious data hoarder, according to the story, is Cortana. The voice queries seem to be sent to the following list of servers.

The researcher suspects that Cortana performs speech-to-text conversion and sends it to the mothership along with the voice recordings.

Some users have complained that Cortana continues to run in the background even after they disabled it.

Microsoft assures that the data is thoroughly protected but they will divulge it to LEAs should the latter ask.

The OS surveils user's search queries, analyses e-mail contents. Some data is also sent to Bing search engine.

The gathered text information is stored within temporary text files that are sent to the HQ once per 30 minutes to oca.telemetry.microsoft.com.nsatc.net, pre.footprintpredict.com and reports.wes.df.telemetry.microsoft.com.

The telemetry server collects geolocation and IP address information. Footprintpredict shares data with Bing. It is not just the information entered into the browser that is sent but any other, for example, from IM programs. The OS may intercept the input of any installed program. Thus should the user mention holidays in the messenger, he may be bombarded with corresponding adverts.

The researcher claims that if one types the name of a known American film wherever, the OS will perform the corresponding search on the storage device(s) and create an index file. The latter will be sent back to MS, here:

df.telemetry.microsoft.com
reports.wes.df.telemetry.microsoft.com
cs1.wpc.v0cdn.net
vortex-sandbox.data.microsoft.com
pre.footprintpredict.com

The names of 'foreign' films did not trigger anything like this. The OS does not seem to perform content analysis either, so if the film file is called by whatever other name, it will not be indexed. The researcher suspects this may be used for copyright enforcement and targeted advertising.

After you have activated Windows 10 and used your web camera the OS sends circa 35 MB of data to the following servers:

ca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
vortex-sandbox.data.microsoft.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net

The researcher has noticed only one such transmission, presuming the OS does not perform such transmissions frequently.

-----END

Sorry for the lousy translation. You'll get the idea anyway.

Jacob • August 15, 2015 4:39 PM

GOST may not be as secure as thought...

"The S-Box used by the last two Russian standards in symmetric cryptography has a hidden structure which we managed to recover. The knowledge of this decomposition gives us a significantly more efficient hardware implementation. However, it is based on sub-components whose lack of cryptographic strength is puzzling."

https://eprint.iacr.org/2015/812

Markus Ottela • August 15, 2015 4:58 PM

@Alien Jerky:

The best known attack, the biclique attack on AES, reduces complexity by 1.6 bits, so it's about 3 times faster than brute force. I think there's some framing effect here, can you give a more precise estimate on how large an amount of keys can be eliminated?

Can you also provide some sources on how the security of these non-linear, by definition unpredictable PRPs can be reduced by >166 bits? Why would you even suggest brute forcing is being done as part of the process, if such reduction of security can be accomplished in the first place? Not that I'm an expert in crypto or that I was very keen on solely trusting AES with TFC (four cascaded symmetric ciphers in total), but I find your claims, for now, implausible.

John Galt III • August 15, 2015 6:15 PM

I'm surprised to not recall seeing any discussion of smart meters as a gateway to backdoors in a variety of appliances, including routers, modems and computers. Call me paranoid, but my working assumption is that new appliances will include all kinds of telemetry, including microphones that will send data through the smart meters. I've been meaning to open source some systems for producing robust powerline isolation that would be useful in airgapping a system. It has been a long time since I saw the article about the coffeepots from China that allegedly had wifi built into them, that phoned home using your wifi network, after it was plugged in. I think that the intent was to exfiltrate files from poorly secured systems.

Clive Robinson • August 15, 2015 6:18 PM

@ Jacob,

Yeh, I thought the Kaspersky stuff was of note for the humour side of it; Nick P also thought so as well.

When people take credit or free rides off of others, sometimes the price they pay is rather more than they first thought ;-)

With the NSA changing Suite B algorithms you have to try and guess why. In the past most would have assumed it was caution based on information from research. However post Snowden trove and the Dual Elliptic Curve stitch-up of NIST you have to ask if there are alternative reasons.

Take 2K RSA, in the open community we doubt that they can directly attack 1K RSA, so as my ancestors would say "I din'y ken t'fash"... However they may have discovered an indirect way, we know there have been issues with SSL crypto... But alternatively they may be trying another finesse to bounce people out of using RSA, as legacy code by and large cannot use the larger RSA sizes... Which gives rise to other thoughts, so on and so on and "down the rabbit hole we go, following the sounds of 'I'm late, I'm late for a very important date'".

Welcome to the land beyond the looking glass where all is not as it seems.

Mike Barno • August 15, 2015 6:38 PM

On-topic: squid!

Thursday's (August 13) installment of the syndicated daily "B.C." comic strip is a squid-centered episode. It's primarily visual, so I won't try to describe it.

Nitpicker • August 15, 2015 6:43 PM

Just counting from 1 to 2^256 would take at least 3×10^54 joules (the total energy output of the Sun during 2.5×10^20 years).

Markus,

Interesting calculation.

A straight N-bit counter, with N>>1 would see on average two bits flip at every count, not one.

If you used an asynchronous counter, where power consumption only occurs when a bit flips, such as when the carry ripples, your result would have to be doubled.

A 256 bit synchronous counter would perform as many operations per clock, regardless of whether a bit flipped or not, so it would consume 256 times as much.
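An added worked example (not from Markus, Nitpicker or the Keccak team) that reproduces the Landauer figure quoted from the Keccak tune page and then applies Nitpicker's counter corrections. It assumes the CODATA value of Boltzmann's constant, the 2.735 K temperature from the quote, and the IAU nominal solar luminosity of 3.828e26 W; the counter simulation checks the "two flips per count on average" claim exactly for small widths.

```python
import math

K_B = 1.380649e-23         # Boltzmann constant, J/K
T_CMB = 2.735              # temperature used by the Keccak tune page, K
SUN_LUMINOSITY = 3.828e26  # nominal solar luminosity, W (assumed value)
SECONDS_PER_YEAR = 365.25 * 86400


def landauer_bound(temp_k: float = T_CMB) -> float:
    """Minimum energy to erase one bit at temperature temp_k: k_B * T * ln 2."""
    return K_B * temp_k * math.log(2)


def flips_per_increment_exact(n_bits: int) -> float:
    """Average bits toggled per increment of an n-bit binary counter over one
    full cycle, including the wrap back to zero: 2 - 2^(1-n), so ~2 for large n."""
    return 2.0 - 2.0 ** (1 - n_bits)


def flips_per_increment_simulated(n_bits: int) -> float:
    """Brute-force the same average by XOR-ing each state with its successor."""
    states = 1 << n_bits
    total = 0
    for i in range(states):
        total += bin(i ^ ((i + 1) % states)).count("1")
    return total / states


def energy_to_count(n_bits: int, flips_per_step: float = 1.0,
                    temp_k: float = T_CMB) -> float:
    """Joules to step a counter through all 2^n values at the Landauer limit,
    charging flips_per_step bit erasures per increment."""
    return (2 ** n_bits) * flips_per_step * landauer_bound(temp_k)


def sun_years(joules: float) -> float:
    """How many years of total solar output the given energy represents."""
    return joules / (SUN_LUMINOSITY * SECONDS_PER_YEAR)


if __name__ == "__main__":
    one_flip = energy_to_count(256)
    ripple = energy_to_count(256, flips_per_increment_exact(256))
    synchronous = energy_to_count(256, 256)
    print(f"Landauer bound at {T_CMB} K: {landauer_bound():.3e} J per bit")
    print(f"2^256 counts, one flip each: {one_flip:.2e} J = {sun_years(one_flip):.2e} Sun-years")
    print(f"ripple counter (~2 flips/count): {ripple:.2e} J")
    print(f"synchronous counter (256 ops/count): {synchronous:.2e} J")
```

The single-flip figure lands on the quoted 3e54 J and 2.5e20 Sun-years; Nitpicker's ripple-counter correction doubles it and the synchronous-counter case multiplies it by 256, which changes nothing about the conclusion.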

Carl 'SAI' Mitchell • August 15, 2015 6:51 PM

@Alien Jerky

You misunderstood my point. I'm making no claims about the security of any particular cryptosystem, merely the following: Any cryptosystem for which an attack significantly faster than brute force is known (by ANYONE, even in secret) is broken. Therefore, the requirements for a brute force attack are a useful measure of the security of a cryptosystem, assuming no other break exists. You choose your key sizes based on the difficulty of brute force (with some security margin for safety), you choose your cryptosystem based on the best known attacks. You don't want to just pick a bigger key size for an already broken cryptosystem, that's not likely to end well. If there are attacks you don't know about you may have made a bad choice, so it's good to design your system to be flexible.

albert • August 15, 2015 6:58 PM

@John Galt III,
That IS something that smart meters could do. Modems, routers, and computers could easily be rigged to use a smart meter as an output device.
.
That said, I believe filtering might be rather more simple than 'securing' firmware and software, and injection techniques would need to be sophisticated enough to defy physical inspection.
.
. .. . .. o

Markus Ottela • August 15, 2015 6:59 PM

@ Nitpicker:

I'm using this http://keccak.noekeon.org/tune.html to get the values. And yeah, quite possibly, I'm not sure what the working principle of "irreversible computer" is, or if the Keccak team took such things into account. The calculation looks like it tries to forgive everything there is to, in order to show the energy consumption cannot possibly be met.

Thoth • August 15, 2015 8:13 PM

@Nitpicker
Are you from Genodeland ? That name sounds very familiar.

Cryptographic algorithms have always been the lesser of the problems. The more effective way to bypass crypto as we all know is backdoors and side-channel flaws. Unprotected hardware is a sitting duck to Power analysis and EM analysis, which is why I am curious why the Warhawk Agencies have been complaining when so much research has proven that a whole ton of commercial side-channel countermeasures are close to useless or straight up useless and people are paying for these useless countermeasures for their NXP, Atmel, Infineon, et al. hype-filled "DPA/SPA proof" chips.

Untrusted computing bases for stealing keys and PINs and corrupting data I/O are also a huge vulnerability in any "secure system" setup. Most of them don't include a reliable and secure means of data interaction and authentication channel despite their "secure chip" system.

There are tonnes of methods to simply skip the crypto and grab the essential data which can be easily executed (especially with the huge funding of the Warhawk Agencies).

Whine more and people will hate them more :) ?

Nick P • August 15, 2015 8:54 PM

@ Markus Ottela

That Suite B, esp AES, were designed for side channels was Clive's idea. I agreed with that as a strong possibility after seeing their move to DSA over RSA under dubious circumstances.

What I claimed was two fold. One, Suite A is a classified set of algorithms that probably serve as obfuscation more than anything. They know standardized algorithms get all kinds of investments into cracking gear. So, they try to make the enemy work harder with algorithms they believe are strong and kept secret. The devices possessing them are quite restricted to help ensure this.

Second, the Suite B algorithms *can* be secure. I think what you're remembering is my distinction between Type 1 and 2-4 encryption. The Type 1 certification focuses on ensuring correctness with no leaks throughout the lifecycle. It specifically focuses on RNGs, algorithm implementation, interfaces, covert channels, EMSEC... you name it. This, along with protocols like HAIPE, constitute what they believe is strong security. They allow AES and I think Suite B for these devices *as implemented in that process*. Regular AES? Doesn't cut it.

So, the real distinction is how those algorithms are done with their most rigorous processes vs how they're done commercially. The difference leads to many implementation-based compromises in the field for commercial stuff. That they didn't work hard to prevent that is where we see their true colors. The algorithms themselves, although having some issues, can be deployed securely with the right effort. It's the process that matters and the good one we can't have. :)

Nice video. I'd swap out the initial scenes with him talking on satellite or whatever. It's weaker than the rest of the video. Make the same points with similar quality video for effect. Maybe keep Bruce's segment talking about code. However, overall, it comes off as trying to talk to two audiences at once. Gotta pick one and technical people already know this stuff. ;) So, I'd focus on what lay people understand.

@ Jacob

Unlike Clive, I think this is normal. They want TS protection to last around 40 years or so. So, they try to guess what will despite future advances. Landau's timeline showed they did decent at guessing when DES would be cracked by non-nation-states. Their recent worries are quantum computers and better factoring algorithms. So, they increment the minimum as stuff like that improves while they scramble to come up with something better. Funny thing is that academics are running circles around them on that as far as I can tell. NSA is playing catch-up on post-Quantum's defensive side although they could be doing better on offensive.

@ Jacob, Clive, Markus

What was more interesting was a link I found clicking through others in Jacob's reference: Commercial Solutions for Classified Program. In a nutshell, it looks like it's about getting Common Criteria-style certification or C&A down to around 90-days under some type of circumstances. They specifically brag on the reduction in amount of Type 1 gear they need. So, acquiring and managing that is still a burden due to restrictions on it. So, what are they replacing that with?

See for yourself. Looks like they're taking a giant step back from strong stuff to COTS in places that used to use Type 1. Only two that looked good... to a degree... were Information Assurance Specialists and Ultra Tech. They seemed like they at least knew what they were doing but not necessarily doing it compared to Type 1. I can't really tell in detail how these enforce security, isolation, etc. In all likelihood, they don't and won't when strong attacks come. DOD just made us weaker again unless Type 1 was unnecessary in these deployments.

I did spot Boeing Black in that list. Got the Validation Report. Evaluated at EAL1 assurance requirements. That was a WTF. Looked up the Certificate and mobile Protection Profile to find neither mentioned Evaluation Assurance Level but P.P. did mention EAL1 assurance activities. I think new CC changed things to remove EAL's or something. Regardless, given EAL4 wasn't adequate, I'd hope the default would be that with source code and pentesting. Instead, it appears the Boeing Black (in CC at least) got some basic, black-box functional and security testing along with paperwork review for its qualifications. That's it in EAL1.

So, who wants to buy a Boeing Black? :)

Moreover, who wants to make a lot of money building stuff for CSCP given low bar and fact that them using it might help next Snowden? ;)

Note: Can't wait to see what U.K. and Australia do. They're the other countries with lots of high security work. If they similarly drop, that's saying something really bad about that market segment and similarly making it so much easier for private companies to best them. So do it.

Nick P • August 15, 2015 9:01 PM

@ Thoth

I think the name was chosen in terms of the verb nitpick: when someone gripes about little things in someone's post. That's what the commenter is doing.

Thoth • August 15, 2015 9:34 PM

@Nick P
Yup. I nearly thought a representative from Genodeland finally appeared so feedback and issues can be given to them in a more informal setting :P .

David Henderson • August 15, 2015 9:57 PM

@Featherstone There was a blog entry about 6 years ago on the Evil Maid vulnerability.

https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

Once physical access to a computer is granted, it's pretty much all over.

Your customs agent need only install the Evil Maid attack.

Closer to the Windows 8 table and its exploitation:

There is an open source BIOS available at coreboot.org

The BIOS could be checksummed regularly and BIOS modifications detected in a honeypot.

Thoth • August 15, 2015 10:01 PM

@Nick P
I am guessing Boeing Black might just be another ARM TrustZone sort of stuff again just like Samsung KNOX. EAL 1 for the Boeing Black could either mean they followed Samsung KNOX (EAL 2) and did not decide to fully commit into evaluations and marketing yet or they were simply that terrible.

Proof of the ARM TrustZone connection is in the brochure. It says "Dual 1.2 GHz ARM® Cortex®-A9 CPUs" from the brochure (http://www.boeing.com/assets/pdf/defense-space/ic/black/boeing_black_smartphone_product_card.pdf).

If they want to open a new market, they should be using MIPS processors with the latest OmniShield MIPS technology (http://imgtec.com/platforms/omnishield/) to split into multiple sensitive compartments instead of TrustZone's double compartments. This way, you can have a whole set of different compartments for different classifications (Restricted, Confidential, Secret, TS ...) and you might actually have a higher evaluated security level if you can set up N numbers of security zones without impacting too much usability and security.

I would like to believe most EAL evaluations these days seem to be moving in the direction of reading reports and paperwork with very minimal hands-on work. There are many cases of higher evaluation products that end up with flaws and we know it happens rather frequently that the evaluation did a bad job at catching basic problems in security designs (on the field).

If given a choice between Boeing Black or Samsung KNOX, I would still pick KNOX for the reason of maturity (SDK kits, App markets for KNOX, developer and support community for free or corporate plans, wide deployment in every Samsung phone). Boeing Black is an untested ground and I would be more than conservative to even touch it.

Meanwhile, someone should really poke at Samsung KNOX to evaluate its current Samsung Galaxy S6 series of phones with the latest KNOX inside.

Cryptographic security chips evaluated to a higher evaluation level could be bypassed and the recent DEFCON 23 has slides on how to do those. Whitebox crypto in higher evaluation chips has been shown to fail (and weirdly it does not affect their evaluation levels). Systems designed to be secure could be bypassed by a simple USB stick ... you name the vulnerabilities, there are sure to be evaluated and certified security problems not learning from errors.

Curious • August 16, 2015 3:26 AM

Off topic:
https://news.vice.com/article/the-google-search-that-made-the-cia-spy-on-the-us-senate

I had planned to read everything before posting here, but I only read half of that article. Will read the rest later. :|

Several interesting things there I believe.

So, a recent FOIA request apparently turned up some documents that are said to show that the current director of the Central Intelligence Agency (CIA), John O. Brennan, had written a letter acknowledging that the US senate committee had been monitored when searching for files re. torture, on a computer system set up by the CIA (Google search software btw). The letter was never signed, nor sent.

The committee people having done a search on CIA files, found the 'Panetta review' (Leon E. Panetta, being a former director of the CIA), something the CIA as I understand it, didn't want to be found, because the CIA had their lawyers call it a draft, to make it unavailable, because of how drafts are considered internal working documents.

Btw, this thing about internal documents being kept secret and unavailable to the public, is something I remember reading about when they started this online search system in Norway, for which people could get insight into official documents online. Apparently, there are some things that cause documents to become secret for a variety of reasons.

There is probably more interesting stuff in that article.

Curious • August 16, 2015 3:35 AM

According to Phys.org: "143 is largest number yet to be factored by a quantum algorithm"

I think the headline is a little contradictory as it was written, but never mind. I would think that it should state "to have been factored" and not "to be factored".

http://phys.org/news/2012-04-largest-factored-quantum-algorithm.html

"Now in a new study, physicists have set a new record for quantum factorization by developing the first quantum algorithm that can factor a three-digit integer, 143, into its prime factors, 11 and 13."

Curious • August 16, 2015 3:53 AM

Microsoft with some kind of USB security patch for Windows products:

http://blog.lumension.com/10501/five-years-after-stuxnet-your-usb-drive-is-still-being-patched/

"Although this latest vulnerability isn’t directly linked to the flaw that Stuxnet exploited, it’s still important to patch – as history has shown that this can be a successful route for hackers keen to target organisations."


https://threatpost.com/microsoft-patches-usb-related-flaw-used-in-targeted-attacks/114240

"This flaw allows someone with physical access to an unlocked machine to use the USB drive as an avenue to write files where the user normally could not," Young said.

Curious • August 16, 2015 4:10 AM

"U.S. tech companies are now using a massive database to stop child pornography"
http://www.dailydot.com/politics/facebook-twitter-google-child-pornography-iwf-hash-list/

"Facebook, Google, Twitter, Microsoft, and Yahoo are using a new database run by the U.K. group Internet Watch Foundation (IWF) to delete offending images nearly instantaneously using digital fingerprints known as hash values."


The seemingly huge amount of internet pornography in general has always seemed a bit funny to me. Why is so much of it free, and does the US FBI et al. maintain such websites to bait people to either view and/or pay for the more dubious stuff?

Fatty • August 16, 2015 5:01 AM

The thing with Firefox prefetching something when you hover over some link can be turned on if you use any of the addons with advanced options. I wouldn't say it's critical as it is either, and actually I am not sure it happens with any link in general or only the links in the default page.

Curious • August 16, 2015 5:43 AM

About Windows 10's newly updated EULA.

Even being a mere gamer, I despise Windows 10 and Microsoft more and more, and I never liked them in the first place. As I might have mentioned some time ago, with Windows it feels like I don't even own my own computer.

http://www.dailydot.com/technology/microsoft-eula-piracy/

"The company has added language to its terms that give it the ability to monitor and disable illegal software, games, and even hardware."

Thoth • August 16, 2015 6:06 AM

@Curious
I would theorize that properly managed network connectivity and content might be able to seal leaks to a certain extent; otherwise you might want to go lower level and tamper with libraries, or even run the OS in an enclosed system that monitors it and probably injects and manipulates cryptographic and system functions.

Gerard van Vooren • August 16, 2015 7:24 AM

@ Curious,

> About Windows 10's newly updated EULA.

At this rate, I wonder what Microsoft® Windows 13® is gonna look like. Something like this: when you write a dirty word in 'your' Microsoft® Text Editor®, Microsoft® is gonna overwrite that immediately and send a copy of the original text to the local police® and lawyer agency®.

And to think about it, Microsoft® got bloody rich by doing illegal things on its own.

Nice company®.

--

Microsoft® Windows 10® is Spy Ware®.

Jonathan Wilson • August 16, 2015 7:35 AM

It may not be news to people here but the Australian TV show 60 Minutes (based on the US show of the same name) ran a story tonight talking about phone security, IMSI catchers, http://esdoverwatch.com/ and other related topics.

It's notable because it's the first time I have ever seen a commercial network talk about the dangers of such things. All the details of the story can be found at http://www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking/
I have no idea whether that link (or the videos that it might contain) work for non-Australians though.

Even more telling is that the journalist said "I have no problem when spies and law enforcement are using this technology but bad guys might get it and then it's a problem"

There is also this (somewhat related) story
http://www.abc.net.au/news/2015-08-16/metadata-retention-privacy-phone-will-ockenden/6694152
about an ABC journalist (for those who don't know, the ABC is the government-run TV network in Australia, a bit like the BBC in the UK) who asked Telstra (his phone provider) for a copy of the metadata the phone company was holding on him. He got back a partial set of metadata, redacted the actual phone numbers in the file and then published the data set for people to play with. Great example to use if you want to show someone why metadata retention and collection is a bad idea and just what law enforcement & intelligence agencies (or a hacker who breaks in and steals the retained data) can actually do with the data they retain.

The more we get these sorts of issues exposed by the mainstream media (as opposed to a bunch of geek/hacker/security sites) the more likely we are to convince people that no, the slightly decreased risk of terrorism is NOT worth the total loss of privacy that comes with it.

Featherstone • August 16, 2015 7:52 AM

@David Henderson

The evil maid attack has been around for years. With an unencrypted drive, once you have physical access, it's all over. The drive can be copied, files and malware can be added, and system files can be changed to introduce backdoors. Now that fully encrypted drives are starting to gain acceptance, this technique no longer works. The drive is fully encrypted. Reading it does no good. You can't write anything to it because you do not have the key to unlock it. Governments all over the world see this as a problem. Black bag jobs just don't work as well any more.

So Microsoft comes to the rescue with the Windows Platform Binary Table. By replacing the standard BIOS with a modified version, you can write files to a fully encrypted drive! Windows will load these new files as part of the startup routine. Think about it. A fully encrypted drive no longer offers any protection. It only takes a few minutes to reflash a BIOS. Black bag jobs are back in business.

Say you are a journalist passing through customs with a laptop carrying the Snowden documents. The government would dearly love to read the drive, but they can't because it's encrypted. This Windows "feature" allows them to quickly and easily install a RAT on the laptop the next time it is booted, and the user doesn't have a clue. It was only out of your sight for a few minutes. They couldn't possibly have had time to open the case, remove the drive, and image it. But let's say you are the suspicious type, and assume the laptop was compromised. You reformat the drive and reinstall Windows, or buy a new hard drive and install Windows. Guess what, the malware from the BIOS is reinstalled by Windows on the first boot!

Yes, you can mitigate this vulnerability. Use a dual boot system, boot into Linux first, and do a checksum on the BIOS. Modify the laptop to disable the ability of the BIOS chip to be written to. Disable all the external ports on the laptop.

This is just another example of a backdoor that is becoming quite common in Windows. Microsoft says it was put there for theft protection or to reinstall drivers when the hard drive is replaced. It works well for these purposes, but I'm not buying it as the real reason it was introduced.

Pete • August 16, 2015 8:52 AM

@Curious

Re: child porn

What I am curious about is how do people even find such stuff online? I mean I would imagine that it is being peddled in some forums or other places that require a login, and therefore would not be indexed by search engines.

So does it spread by word of mouth?

Re: Windows 10:

"The company has added language to its terms that give it the ability to monitor and disable illegal software, games, and even hardware."

Disabling of hardware is probably done through the ever-running "Group Policy Client" (gpsvc) that cannot even be disabled. Or, it can be disabled but then the user loses access to the Windows Firewall settings.

MrBean • August 16, 2015 10:49 AM

How does one get a BIOS checksum using Linux? Is there something to use? (preferably something easy as well)

Nick P • August 16, 2015 11:34 AM

@ Thoth

Nah, I think the new version of Common Criteria is baking assurance activities into the Protection Profile and eliminating EAL from there. Not sure if that's for everything or what, because what I've read doesn't tell me so far. Not a good sign for the intended goal of CC, eh? The mobile PP Boeing used and the validation report had EAL1 stuff buried deep in it. Previously, a Protection Profile had an associated EAL that was close to top. The product's certification also mentioned it very visibly because it might go at or above that EAL. So, this is quite a change in how they do it AND in assurance level.

The certified products page shows that, under assurance level, some say the EAL w/ modifications and others just say "PP Compliant." The Protection Profile link is next to them. First is Windows 8. The Protection Profile lists specific activities but not an EAL. It has a security target which references the PP and has Windows-specific information. It lists specific assurance activities rather than an EAL. So, it appears to be some kind of hybrid scheme. Might need to consult an expert to see what's going on.

Note: While I was looking it up, I found on Common Criteria news section that Singapore just voluntarily terminated its membership. Not sure what's going on with that.

@ Jacob

I've read several pieces on child pornography from anonymous insiders and people trying to honeypot them. The thing all the insiders said, which others don't refute adequately, is that almost all the content is old and sometimes really old. The FBI even usually does its busts based on hashes of images they've had for a while. I think the last one talked about half a dozen new image sets and this one says 1-3 a year. Stark contrast to media which acts like 20 kids are grabbed, abused, and recorded every month or something.

If anything, we should celebrate the probable truth that efforts started long ago have worked: new child porn production is way down and that means more kids were likely spared from trauma. Still people suffering, esp where video wasn't goal, but statements like that about their desperation to find content always relieve me. Kids are safer than before. As risk can't be zero, that was the real goal right?

Slime Mold with Mustard • August 16, 2015 5:29 PM

@ BoppingAround

Thank You!

@ Curious

I also read about half the article when this leapt out at me:

(California Senator and erstwhile Chair of the Senate Select Committee on Intelligence)"Feinstein wrote to" (CIA Director) "Brennan on January 23, 2014..."

"'Second,' her letter continued, 'the search may have violated the Fourth Amendment, the Speech and Debate Clause of the Constitution, various statutes (including federal criminal statutes, such as the Computer Fraud and Abuse Act and Executive Order 12333)' which says it's unlawful for the CIA to conduct domestic spying."

This is a hoot. In October of 2013 Feinstein penned an op-ed for USA Today defending NSA spying and parroting the "least untruthful" NSA talking points.

I can't tell if having been victimized changed her perspective, or as I suspect, this is the arrogance of an oligarch.

WAY OFF TOPIC: Did the editors of Vice really think anyone outside the Washington, D.C. Beltway was going to read something this long? The piece is somewhat interesting, but when I was learning to write the rule was "cut, compress, condense, then cut some more".

Jonathan Wilson • August 16, 2015 5:30 PM

@Featherstone If you care enough about the security of your stuff that you are worried about a BIOS attack, you shouldn't be running Windows at all.

tyr • August 16, 2015 5:45 PM

@Nick P., Jacob

I'm ambivalent about the idea of relaxing and thinking the problem has been minimized. It may be true for the Net and it might not have ever been a mass movement in society, but human suffering is not quantifiable. The penalty of tying you over an ant nest for harming a child seems reasonable to me.

I do not subscribe to the view of humans as monsters who routinely engage in satanic ritual, sex with pre-adolescent children, or cannibalism on a large scale. There is a segment of society who loves to indulge themselves in that set of fantasies (some in law enforcement) which has deleterious effects on society at large. You are right to point out the scale of the problem is the least addressed part of any reasonable solution.

Thoth • August 16, 2015 6:29 PM

@Nick P
I am quite surprised Singapore pulled out of the CC process as well. Not sure what's up.

It seems like the newer CC processes are getting too complex? They need to tailor the CC process in a way that is easily understood and carried out if they have intentions of changes in their minds, since their goals are to improve security assurance, but apparently I think their goals these days are to kick security assurances in the face.

Best is to follow the good old days of the old Orange Book ;) .

Maybe that's why Singapore pulled out, because the newer CC processes are just too confusing?

By the way, Singapore rarely produces security assurance products so I wonder if we are going to put anything through those processes. Why spend the effort when we are a huge consumer economy and don't produce many security assurance products?

@Featherstone, all
Regarding Full Disk Encryption, I believe there are still some boot instructions in plaintext which could be corrupted if needed in an Evil Maid scenario, if you think about how you are going to decrypt a volume to get the bootable content. You need a boot instruction set to get you to decrypt the bootable volume before it boots the actual OS and data. If there is a vulnerability in the initial boot instructions for decryption, or someone has control over them, why can't they be made malicious?

The better choice is a security integrated chip with secure boot instructions like TPM but the sad thing is most TPMs are built against the users and to control users so it's still problematic.

65535 • August 16, 2015 7:58 PM

@ Curious
Re: ‘Google Search that made the CIA Spy on the US senate’

https://news.vice.com/article/the-google-search-that-made-the-cia-spy-on-the-us-senate

I read the whole thing. I gather the CIA bungled the setup of a “shared drive” and the configuration [done by a subcontractor] of the ‘Google in a box’ search device. This led to the Senate staffers somehow getting the full Panetta Report [which should be slanted in favor of the CIA].

https://news.vice.com/article/the-weird-saga-of-the-other-smoking-gun-torture-report-the-cia-still-has-under-wraps

This was covered by emptywheel:

https://www.emptywheel.net/2015/08/12/did-the-white-house-see-john-brennans-apology-letter-before-he-unsent-it/

The CIA then got the DOJ to threaten Senate Staffers with spying charges [treason type charges]. The Senate staffers felt intimidated by the CIA/DOJ action and there was an internal battle with DiFi [D-CA] and non-apology issued by the CIA.

It is an interesting story because it pits the Senate/Congress purse-string holders against the CIA. But, I see no reduction in funding of the CIA as a result. I don’t know what to make of it.

On topic: Emptywheel is covering the newly released documents by the NYT/propublica

https://www.emptywheel.net/2015/08/16/whats-a-little-or-a-lot-cooperation-among-spies/

and

https://www.emptywheel.net/2015/08/15/att-pulled-cell-location-for-its-mobility-cell-data/

Both are good reads.

tyr • August 16, 2015 8:55 PM

@Nick P., Jacob

Here's an interesting video on the subject.

https://thoughtmaybe.com/child-slavery/

The shrill insistence that the Net is somehow the culprit in the problem overlooks the greater area of child abuses by society. Since the Internet is completely new it can't possibly be the root of all problems with human behaviors. Demonization of anything can usually be traced back to control freaks with a different agenda which goes unstated.

They are far more afraid of those who practice journalism or those who expose corrupt government practices than they are of people who hurt children. That's why they want to read every e-mail; it has nothing to do with safeguarding children.

Starkey has an interesting viewpoint on piracy at Boing Boing. Maybe the real problems are children living in poverty in an age of abundance.

Coyne Tibbets • August 16, 2015 9:10 PM

How NSA and GCHQ spied on the Cold War world via Why you shouldn't trust your Intel/AMD/ARM chips.

This discusses how NSA and GCHQ made a deal with Crypto AG, a company that made machines similar to Enigma, in the '50s, to help ensure the ability to spy on other countries. High points include:

  • Deliberately selling more easily broken machines to countries the NSA and GCHQ wanted to spy on
  • Deliberately omitting to mention to those same countries the more advanced machines it was making that were not so easily broken.
  • Keeping NSA apprised as to the technical details of machines; and also on which machines were being sold to which countries.
  • Going so far as to use separate brochures, identified by special marks, that were given to different countries.

The founder of Crypto AG, Boris Hagelin, apparently offered to do these things for nothing, but NSA apparently kicked back some things anyway, including a job at NSA for Hagelin's wife.

In one document, Hagelin hints to Friedman he is going to be able "to supply certain customers" with a specific machine which, Friedman notes, is of course "easier to solve than the new models". William Friedman seems to have struck a deal. [...] Previous reports of the deal suggested it may have involved some kind of backdoor in the machines, which would provide the NSA with the keys.

For machines sold to Egypt,

The 1955 deal also appears to have involved the NSA itself writing "brochures", instruction manuals for the CX-52, to ensure "proper use".

I've raised the idea before that NSA may have forced hardware manufacturers to implement back doors. This raises the spectre that this may not even be needed, that the companies might do it out of "loyalty" without even being paid.

Still trust Intel/AMD/ARM hardware?

Thoth • August 16, 2015 11:06 PM

@Nick P, Clive Robinson, Figureitout, crypto et al.
Interesting crypto board with a Pro version that has a wireless transmitter. It uses a combination of an ARM and an Atmel ATSHA204; the Atmel, I believe, is a keystore while the ARM does the crypto, since the only algorithm the Atmel offers is SHA-256.

Splitting keys stored between the ARM and Atmel would likely prevent collusion. Good if more assurance and EM shielding can be included.

Link: https://www.kickstarter.com/projects/flutterwireless/flutter-20-wireless-arduino-with-half-mile-1km-ran/description

IETF clownboat • August 17, 2015 12:57 AM

Just finished the new MIT OCW course on Elliptic Curve Crypto they put up this year: http://ocw.mit.edu/courses/mathematics/18-783-elliptic-curves-spring-2015/

Was looking around DJ Bernstein's papers to get more ECC research and found this gem from last year
http://cr.yp.to/papers.html#bada55 "How to manipulate curve standards: a white paper for the black hat."

In said paper, he shows the probability of the entire public (including himself, referred to as pesky researcher) being fooled by bogus NIST curve proposals and exactly how you would go about exploiting a sabotaged curve with just an infinitesimal vulnerability using a parallel GPU cluster, and how to prevent any adoption of good curves (such as his own curves) by simply bribing hardware manufacturers to start using the bad curves so excuses can be made that it's already implemented so must become a standard. All around good read, I have even less trust in the IETF/NIST than before.
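What a "verifiably random" seed in a NIST-style curve actually proves is narrower than the name suggests: it shows only that the coefficient b was derived from the published seed by a fixed SHA-1 chain, not that the seed itself was not picked from many candidates. The following added example (my code, not from the post, the paper or NIST) re-runs that derivation for P-256 using the seed and b published in FIPS 186-4 and checks the X9.62 relation r * b^2 = a^3 (mod p); a tampered b fails the check, while a seed chosen after searching would still pass it.

```python
"""Re-derive the X9.62 "verifiably random" relation for a prime-field curve.

Added example, not code from the blog comment or from the bada55 paper.
It expands SEED with the SHA-1 chain of ANSI X9.62 A.3.3.1 into an integer r
and checks r * b^2 == a^3 (mod p). Passing shows only that b is consistent
with this seed; it says nothing about how the seed was chosen.
"""
import hashlib

# NIST P-256 parameters as published in FIPS 186-4 (a = -3 mod p).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_SEED = 0xC49D360886E704936A6678E1139D26B7819F7E90  # 160-bit seed

G = 160  # bit length of the seed and of a SHA-1 digest


def _sha1_int(x: int) -> int:
    """SHA-1 of the 160-bit big-endian encoding of x, returned as an integer."""
    digest = hashlib.sha1(x.to_bytes(G // 8, "big")).digest()
    return int.from_bytes(digest, "big")


def x962_r_from_seed(p: int, seed: int) -> int:
    """Expand SEED into the (t-1)-bit integer r of X9.62 A.3.3.1 over F_p.

    t = bit length of p, s = floor((t-1)/160), h = t - 160*s - 1.
    W0 = rightmost h bits of SHA-1(SEED)
    Wi = SHA-1((SEED + i) mod 2^160)       for i = 1 .. s
    r  = int(W0 || W1 || ... || Ws)        (t-1 bits, so r < p)
    """
    t = p.bit_length()
    s = (t - 1) // G
    h = t - G * s - 1
    r = _sha1_int(seed) & ((1 << h) - 1)  # W0: keep only the rightmost h bits
    for i in range(1, s + 1):
        r = (r << G) | _sha1_int((seed + i) % (1 << G))  # append Wi
    return r


def verify_x962_seed(p: int, a: int, b: int, seed: int) -> bool:
    """True iff r * b^2 == a^3 (mod p), i.e. b is the value this seed yields."""
    r = x962_r_from_seed(p, seed)
    return (r * b * b - a * a * a) % p == 0


def verify_p256() -> bool:
    """Run the check against the published P-256 seed and coefficient."""
    return verify_x962_seed(P256_P, P256_A, P256_B, P256_SEED)


if __name__ == "__main__":
    print("P-256 b matches its published seed:", verify_p256())
    # A single-bit change to b breaks the relation, which is all the seed
    # check can detect.
    print("tampered b passes:",
          verify_x962_seed(P256_P, P256_A, P256_B ^ 1, P256_SEED))
```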

Clive Robinson • August 17, 2015 1:46 AM

@ IETF clownboat,

If you make a loose distinction between "logical" and "mathematical" ciphers, where traditional block and stream ciphers fall in the "logical" and the likes of RSA and EC fall in the "mathematical", various differences become apparent.

If you look at various attacks and other weaknesses we appear to have reached a kind of stability point with logical ciphers, but not even close with mathematical...

Which suggests we are way further up the maturity curve with logical ciphers. Where close in system implementation attacks are the current growth area mainly by time based side channels.

This suggests that until the next major attack class (quantum) becomes realistic our current logical algorithms are sufficient, whereas we are still "doggy paddling in the pool" of mathematical ciphers.

This viewpoint has its dangers, as unlike closed community research, academic research tends to be more about making a name for yourself than about satisfying "customer needs". That is, the academic market is badly skewed by the "those who have most are given more, whilst those who have least will lose more" principle. Thus the way to academic immortality is to be the first to open up a new field of endeavor, not to bring usability or stability to an existing field of endeavor. This is becoming more and more apparent as "tenure" becomes a thing of the past in academia: as a young "proto-academic" you have a choice, become one of the increasing number chasing fewer posts, or go out into the commercial world where research is at best closed, where you will make money but not have either fame or immortality. But more importantly, closed work and research holds the community at large in a state of paucity of knowledge, thus lack of progress, or put more easily "each man will have to invent his own wheel", which we have seen with the chaotic development of Closed Source Software, especially around the likes of the Microsoft Foundation Class (MFC) for Windows.

Such paucity of open knowledge is not a good place to be in with respect to crypto; it takes us back to the old pre-DES days, which the likes of the NSA would just love.

IETF clownboat • August 17, 2015 1:51 AM

In addition, djb is all over the Crypto Forum Research Group (IETF cfrg) mailing list continually calling them out for endorsing bad curves and signature schemes promoted by Microsoft shills, denouncing bogus Cloudflare objections to new proposals, or their strange behavior in permitting shills to spread FUD about Ed25519(SHA-3-512(m)) then dismissing his responses to their false objections as "out of line". He is like the master troll of that group. "I think it's important for the public record to be clear on the security advantages of Curve25519 over PinkBikeShed"

Reading his posts is also a master class in crypto engineering, as he gives long explanations of why people are wrong, how bad decisions in crypto engineering are made, and how modern timing attacks are done.

Figureitout • August 17, 2015 2:38 AM

Thoth
--Haven't seen RF side (code/schematic etc.) but the ATSHA204 is a pretty cool chip. Seems like a TPM type thing. Looks like 16 256-bit keys, serial number for authentication, and OTP memory for further authentication. I personally care most about how data gets in and out of chip (I/O). Single wire interface is an interesting protocol w/ 1 asynchronously timed wire (SDA). Mildly interesting datasheet.

Gotta watch out for the watchdog timer (mentioned most likely for the single wire interface in case of losing sync (hardest part of asynch stuff)); looks like its default configuration is to have that on.

Oh and < 150nA sleep current is...damn I can't even measure that unless maybe the scope. Can't imagine much compromising emanations while it's asleep (awake...different matter).

Thoth • August 17, 2015 4:45 AM

@Figureitout
It looks close to a fine design, given that the keystore (Atmel chip) cannot do crypto and the crypto (ARM chip) is unlikely to be used to store keys (but potentially could). This would be closer to @Clive Robinson's Prison model but still not good enough.

The use of Guard circuits could enhance the security of logical I/O and a deterministic random timer on another chip could provide clock support. Lesser collusions.

A standalone clock to randomize I/O to provide unpredictability and also to spew random noise would be fun to defeat some side-channel attacks.

Would you be able to set up an SDR unit the size of a modern smartphone with the above circuits and boards with, say, a coverage of 1 to 1.5 km?

65535 • August 17, 2015 5:06 AM

@ John Galt III

“I'm surprised to not recall seeing any discussion of smart meters as a gateway to backdoors in a variety of appliances, including routers, modems and computers.”

It was discussed lightly on a thread or two. I talked about the AC power lines as a means of data exfiltration [putting IP on home/office power lines]. Then someone also added the Smart Power meter to complete the circuit to authorities. It is a problem [although nobody yet has demo’d a proof of concept which I know about].

Dirk Praet • August 17, 2015 6:56 AM

@ Gerard van Vooren

Microsoft® Windows 10® is Spy Ware®.

Although the obvious answer would be to ditch it altogether, most of us will in some way or another be confronted with it anyway (family, friends, work, customers). So we have to mitigate the best we can, using tips and techniques from those who are working the issue. Check out DoNotSpy10 and this here list of hosts Windows 10 seems to be phoning home to. I am actually surprised they haven't appeared on Dan Pollock's blacklist yet (for inclusion in hosts files, routers, proxies etc.)

I guess we also owe Lenovo a big thank you for bringing the Windows Platform Binary Table into the spotlight. First there was Superfish, now this. Either they are incredibly stupid, or it's a really subtle Chinese way of drawing attention to some innovative attacks computer users can get scr*wed by the usual suspects. I do wonder how much MSFT has been paid for introducing such an obvious backdoor mechanism. From a security vantage, I cannot imagine even one single engineer considering for more than 15 seconds that this was a good idea.

Clive Robinson • August 17, 2015 8:02 AM

@ John Galt III,

I'm surprised to not recall seeing any discussion of smart meters as a gateway to backdoors in a variety of appliances, including routers, modems and computers. Call me paranoid, but my working assumption is that new appliances will include all kinds of telemetry, including microphones that will send data through the smart meters.

I must have missed your comment the first time.

There are a number of ways you can look at smart meters as "antisecurity devices". Discussions in the past have concerned the following,

1, The lack of their secure upgradability.
2, The use of weak protocols.
3, The expected life expectancy of more than 30 years.
4, The ability to control home owner equipment.
5, The ability to spy on people via power usage.

If I understand you correctly you are adding another category on to this, that is (6) home owner purchased equipment containing snooping electronics that then use the mains power wiring to exfiltrate data out of the property.

Whilst I'm aware of some entertainment / white goods using WiFi or another network connection to do this, like Google's unit, various TVs and a very creepy sounding child's toy, I've yet to see a reasonably verifiable article on other devices. Though fridge freezers and microwaves and ovens have been talked about for years as having barcode readers for inventory control and cooking times etc.

The problem for the device is that it needs the user to connect it to the communications to the internet. That is, assuming the user or their neighbors have set their WiFi up securely, the device can not piggyback out to the Internet on it.

The problem with using the mains wiring in the home is the primary limitation of lack of bandwidth and high noise and secondary limitation of no onwards connection to the data collector.

Smart meters that are designed to communicate over the actual mains wiring are generally designed to be broadcast receivers, using very very low bandwidth devices on the transmit back haul using protocols not designed for bulk data transportation. This is to prevent overloading of the limited bandwidth. However some smart meters have been designed to use various RF comms systems or other comms including cellular and POTS.

In almost all cases the smart meter network is considered private and thus not generally gatewayed onto the Internet (though this could change). Which would present a difficulty for any other consumer devices doing an ET and phoning home.

So without collusion between the smart meter manufacturer, the white goods device manufacturer and the utility provider the current risk appears low.

However as has been observed "there is lots of money in consumer data" and just about any one who can collect it ends up selling it as can be seen by TV shows of Police traffic cop etc activities. So it may happen in the future if the primary limitations can be overcome, so yes it may be a future worry.

Clive Robinson • August 17, 2015 8:22 AM

@ Dirk Praet,

I do wonder how much MSFT has been paid for introducing such an obvious backdoor mechanism. From a security vantage, I cannot imagine even one single engineer considering for more than 15 seconds that this was a good idea.

Well firstly MS don't employ that many "engineers", though they do employ a lot of code cutters...

The excuse MS came out with about theft prevention is an obvious nonsense. Both hardware manufacturers and software providers really really want your machine stolen, because each and every one of those thefts adds to their profit margins as you have to buy new kit and software.

As for the "drivers" nonsense, the obvious question is if the computer uses bespoke drivers, where are they going to get re-loaded from to get the machine to the point where it could download them?

There was a perfectly adequate mechanism from the IBM AT days back in the 1980s which migrated up into PCI etc, so no, this new backdoor mechanism is not required.

But did the NSA pay for it? Probably not; the US has in effect blacklisted Chinese companies, of which Lenovo is one. Thus you have to ask how Lenovo got to use this backdoor. The NSA would have required some method of being able to see the source code if others were going to use such a backdoor, in order to protect their own systems.

Nick P • August 17, 2015 11:07 AM

@ Dirk, Clive

Europe's VERISOFT said they aimed to verify the entire stack from the hardware to OS to applications.

U.S. companies and NSA say they need to backdoor the entire stack from hardware (eg Intel AMT) to OS (Windows 10) to applications (RSA/Chrome).

"Buy American" just doesn't have the impact for me these days that it once did. ;)

Richard H • August 17, 2015 11:48 AM

@ Markus Ottela, @ Nitpicker

No expert here, but I've read the Feynman Lectures on Computation.

The interesting and maybe surprising bottom line is that the energy cost using an ideal, reversible, (insert other assumptions here) classical-thermodynamics computer is 1/2 kT per bit of the final output, regardless of how complex the computation is or how much intermediate storage is used. In essence you have to pay one unit of entropy to change each bit of the output register from its unknown initial state to the final state, precisely because it is unknown. Everything else is always in a known state and thermodynamically cost-free.

TomS. • August 17, 2015 2:25 PM

@Curious

re:UEFI HTTP Boot

Peter Bright's Ars Technica piece references UEFI 2.5 and the http boot feature. His brief summary of network boot and OS install over the network is better than I can do.

For those, myself included, who really haven't looked at what UEFI can do, when they say this thing is a platform, believe them. There's support for running OS neutral applications in hardware without installed OS boot, all manner of network connectivity: wired and wireless, DHCP, DNS, ICMP, TCP, UDP, (M)TFTP, HTTP, TLS over IPv4 & v6. The specification is >2600 pages and incorporates many dozen other standards by reference.

There's a Boot Integrity Service that is described as pointing to applications used to verify digital signatures. Presumably that's one of the OS neutral applications that UEFI can run. (Huge room for error in my understanding here.)

I did not see any support for DNSSEC, and SSL3 was on the list of accepted secure transports, recent IETF deprecation to "MUST NOT" notwithstanding.

If a system is going to boot and install from distant resources, I'd like to be able to trust the path.

Thanks for piquing my own curiosity.

TomS.August 17, 2015 3:37 PM

@Curious, Gerard, & Dirk:

The DailyDot piece has an error. It is linked to the Microsoft Services Agreement, with a list of covered services at the end.

Windows 10 and Microsoft Update are not listed under the MSA.

Windows 10 has its own OEM and Retail EULA.

6. Updates. The software periodically checks for system and app updates, and downloads and installs them for you. You may obtain updates only from Microsoft or authorized sources, and Microsoft may need to update your system to provide you with those updates. By accepting this agreement, you agree to receive these types of automatic updates without any additional notice.


Windows 7 Professional Retail EULA (pdf) for comparison.

TomS.August 17, 2015 4:20 PM

re: Windows Platform Binary Table

Lee at Firmware Security has followed this well.

Most recently he has posted about a 2012 talk given by Alex Ionescu discussing this very feature.

tyrAugust 17, 2015 4:51 PM


Off topic

Here's a long read with some interesting implications about the mental state of those who multi-task buried in it.

https://theamericanscholar.org/solitude-and-leadership/

I'm going to try to track down the Stanford papers since they answer some questions I've had for a long time about the impact of modern comp culture and its effect on our thought processes.

So what happens when most are incapable of thinking, having traded it for a superficial ability to skitter about in event-driven chaotic behaviors? Can you sustain technical civilization in such a case? If you can't, how are these brave new world humans going to survive on their way back to caveman levels of society?

It is basically the same process implemented in the separate classes of the schooling system which toss the students from subject to subject, making sure they cannot concentrate for an extended period of time on anything. The process is useful for the production of higher numbers of cannon fodder but horribly inefficient for making problem solvers.

xmfcvaAugust 17, 2015 5:46 PM

Wow, took me a while to get through, seems to work nicely now.

Well... I never really noticed that this page ever covers any solutions at all.
Kind of annoying to me, although there are not many solutions if the game is over, then, is there?

I don't want to get boring with things, but one small approach using dnsspoof
is almost unheard of when googling it, so I wanted to post it since I use
it. Sometimes it doesn't work, though, so don't think it's a perfect solution;
it's just a small part of the stuff one can use easily...

It works nicely for me as a locally intended spoof for stuff not wanted.
This is a very cool piece of code; when it arrived it was in the dsniff package and it still seems available in most distros.
So here is a snippet to get you going to use it not as an attack tool.

#!/bin/bash
# to use in a NetworkManager dispatcher script etc.
killall dnsspoof
# capture this host's wlan0 address so dnsspoof only answers queries from this host
wlanhostip=$(ifconfig wlan0 | grep 'inet addr:' | cut -d: -f2 | awk '{print $1}')
dnsspoof -i wlan0 -f /etc/dnsspoof.conf host "$wlanhostip" &
service dnsmasq restart

and then you can do stuff like
/etc/dnsspoof.conf

127.0.0.1 crl*.*
127.0.0.1 ocsp*.*
127.0.0.1 stat*.*
127.0.0.1 *.2o7.*
127.0.0.1 *.49winners.*
127.0.0.1 *.addthis.*
127.0.0.1 *.addthiscdn.*
127.0.0.1 *.adnxs.*
127.0.0.1 *.adobe.*
127.0.0.1 *.advertising.*
127.0.0.1 *.amazonaws.*
127.0.0.1 *.aol.*
127.0.0.1 *.api.*
127.0.0.1 *.apple.*
127.0.0.1 *.ask.*
127.0.0.1 *.baidu.*
127.0.0.1 *.bing.*
127.0.0.1 *.casino.*
127.0.0.1 *.cbsi.*
127.0.0.1 *.chartbeat.*
127.0.0.1 *.cloudfront.*
127.0.0.1 *.cnet.*
127.0.0.1 *.cxense.*
127.0.0.1 *.cya2.*
127.0.0.1 *.domainsigma.*
127.0.0.1 *.doubleclick.*
127.0.0.1 *.ebay.*
127.0.0.1 *.facebook.*
127.0.0.1 *.firefox.*
127.0.0.1 *.flickr.*
127.0.0.1 *.freecall.*
127.0.0.1 *.freevoipdeal.*
127.0.0.1 *.gemius.*
127.0.0.1 *.google.*
127.0.0.1 *.googleapis.*
127.0.0.1 *.google-analytics.*
127.0.0.1 *.gravity.*
127.0.0.1 *.hao123.*
127.0.0.1 *.hediera.*
127.0.0.1 *.icloud.*
127.0.0.1 *.iesnare.com
127.0.0.1 *.insnw.*
127.0.0.1 *.kitcode.*
127.0.0.1 *.ligatus.*
127.0.0.1 *.linkedin.*
127.0.0.1 *.live.*
127.0.0.1 *.marinsm.*
127.0.0.1 *.meinkauf.*
127.0.0.1 *.merchenta.*
127.0.0.1 *.microsoft.*
127.0.0.1 *.mozilla.*
127.0.0.1 *.msn.*
127.0.0.1 *.msnbc.*

or whatever...
Happy it exists, and good to use dnsspoof for a good purpose.
//Chris

PS: not sure I like what happened after July 24 with your page.
Seems you moved it to another location, but after that it's a pain in half but to send anything here and especially anonymously, so I had to do this semi-anonymously and that's the last time it happens, not ok, fix it.

Dirk PraetAugust 17, 2015 8:31 PM

@ Clive

But did the NSA pay for it? Probably not; the US has in effect blacklisted Chinese companies, of which Lenovo is one. Thus you have to ask how Lenovo got to use this backdoor?

As far as we know, Lenovo just used this interesting new Windows "feature" to create persistent crapware on affected machines, not backdoors. So far, I haven't heard of any other parties admitting to similar (or even more unsavory) practices. I believe it is safe to assume that Lenovo and most other manufacturers got the WPBT specifications from MSFT somewhere at the end of 2011 as part of existing contract frameworks, passing well under the radar for most other parties.

Just like you, I don't buy the "anti-theft" and "bespoke drivers" explanation. Unless the entire company is made up of morons (Hanlon's razor), I'm having a difficult time understanding how a feature like this would ever pass quality and security control without raising red flags, especially in light of their Secure Windows Initiative. Hence my suspicion that its primary purpose is to facilitate covert LE access, either at the direct request of unnamed TLAs, or in the same spirit of "amicable collaboration" we've recently seen from AT&T.

With Lenovo being excluded from lucrative US and other 5Eye nation contracts, it is thus not entirely impossible that they deliberately pulled the crapware stunt hoping it would be discovered, thus drawing everyone's attention to a hitherto little known mechanism for screwing over Windows users, in the process giving the USG and its IC the middle finger. Diving even deeper into the realm of conspiracy theory, perhaps some folks at MSFT were not particularly happy doing their masters' bidding and secretly teamed up with Lenovo to get the feature out in the open, knowing that Lenovo had little to fear anyway in terms of USG reputation. After discovery, Lenovo could simply pull their crapware never to worry its existing customer base again, but with a security community now well-aware of the WPBT potential for abuse.

Then again, the simplest explanation remains that everyone at both Lenovo and MSFT involved in this is just a bunch of fumbling idiots who are more concerned with branding and marketable gizmos than with their users' privacy and security.

@ Nick P.

Verisoft was a really good initiative but it looks pretty dead these days.

"Buy American" just doesn't have the impact for me these days that it once did. ;)

Same here. The average home user may still not care, but even without grand political statements, US tech these days is suspect at every big non-US enterprise or government organisation where confidentiality is the issue.

FigureitoutAugust 17, 2015 10:31 PM

Thoth
--The actual data on the chip is generally secure if it's just chip-to-chip comms, it's when you connect it to a "WINTEL" internet connected PC which opens up a portal for all the malware you can get from internet. Partially assume any file is malicious from internet, and you don't take things as seriously, so when they go bad it's not a big deal.

We've had this talk before (and you already know), it's about being "good enough" or "good enough for now, use b/c it'll be safer than what I was doing before, but have eyes on a more secure machine" (sorry for run-on lol). Clive's prison model is just that, a model that hasn't been implemented publicly. And since attacker has ultimate advantage b/c it's easier to destroy than build up constructively (which, if attacker can think, means their own machines could be rooted and they are either incriminating themselves or giving away their methods to someone else who owned them in another hole). Ultimate security means using digital means to setup meetings, then exchanging hand-written OTP's w/ no speaking (keys created at random times in odd places, then hidden and keep place in your head). Even most 24/7 surveillance will miss that b/c of the angles of surveillance needed still.

RE: guard circuits
--Yeah I don't know how besides parsing data in software converted a certain way that can in no way turn executable. It's a "blackbox" concept to me now.

For security, the main thing would be the protocol (have to put yourself in the place of a computer and spell out everything explicitly; the funny example I use is forcing a delay that lets the CPU process instructions instead of just combining the instructions into such a small time that I don't even know what happens; it's this "assumed logic" that screws us w/ computer security a bit). Depending on what you connect to, there would need to be a tap on a bus line inside a chip lol, just ditch all electronics at that stage lol.

RE: sdr unit
--Well, I mentioned a while ago that an SDR *receiver-only* is easily attainable on Android and an RTLSDR. Just look out for "RF Analyzer" or let me know if you want full setup details (it's surprisingly easy and pretty sweet when it works). Except not a lot of "modes" are supported (so like FM, AM, SSB, etc.).

In terms of designing an SDR from scratch?--No I can't do that now, use another existing design that's battle-tested (in RF, you want something that definitely "works"). Having RF comms (can technically send "data" but it'd be, kind of silly; bah can't say it :( )at that range w/ the right antenna (antennas on each transceiver and elevated), yeah can do that. I've mentioned selling to hobbyist market and other custom orders to my boss, just need to know legality (I could at least make firmware changes to change up RF comms a little bit, or customize the receiver w/ more menu items (and either hash or crypto functions, done locally and then transmitted), list goes on and on), since I'd probably want one myself. I can find your keys if I need to and email.

What's the use case or what are you thinking? Discrete comms? File transfer?

xmfcva
never really noticed that this page ever covers any solutions at all
--I'm not sure what kind of conclusive solution a dnsspoof is when you think there's side channel comms happening beneath that? We're concerned here about a "root of trust" that goes to the core of computing. So have a go at that problem, please and grace us w/ a solution.

And it's pretty easy to post anonymously if you *really* care, just have to frame other people and elevate your OPSEC and be disciplined.

ThothAugust 18, 2015 12:56 AM

@Figureitout
My use case is a generic wireless device that has flexible radio capability that can switch to common WiFi mode or custom radio frequency with high security for data and non-data feeds.

I always wonder how small you can pack a secure chipset because most secure radio setups I have seen especially the military manpack sets are heavy, bulky and their reception simply sucks especially in jungle and cluttered environment. It is just a curiosity if civilians can build better quality secure radio than military.

Regarding chip to chip comms, you could probe the comms between chips to hack them or compromise a critical chip in some way.

FigureitoutAugust 18, 2015 1:36 AM

Thoth
My use case is
--Too many features for us unfortunately. Maybe we'll make something like that if there's a market for it, but for now it's parts of that.

To make RF reliable you need to send stuff back and forth (easy to eavesdrop), same as any other robust protocol, needs confirmation every little chunk of data. If you're doing asynchronous one-way comms, you'll be dropping a lot of connections and resending meaning easy DOS potential or just really slow and unreliable (so you don't know if attack or just physics, which is common I guess)...

RE: military vs civilian radios
--Oh no, these are different. "Real" radios are still heavy. Another thing about digital modes is they can be really slow if small and low power (don't want that when calling in an airstrike). I wouldn't make that conclusion based on fact that civilians are forced by law to bend to no legal encryption on amateur bands, stay off all other bands (legally), and power limits and antenna setups (money and location). Thus by legal decree commercial radios will be likely less secure. Note how serious it is to sell an RF design and not have an FCC certification in US (which then publishes your circuit on its site, letting all have a peek and search for weaknesses).

Regarding chip to chip comms
--SoC's (FPGA's will be worse) communicate via different parts of chip w/ internal buses using SPI protocol. In that case, you don't get the verbatim comms unless you decap and tap those lines (not trivial at all, not even sure how to do it and still be reliably receiving or if caused error).

Clive RobinsonAugust 18, 2015 6:57 AM

@ Thoth,

I always wonder how small you can pack a secure chipset because most secure radio setups I have seen especially the military manpack sets are heavy, bulky and their reception simply sucks especially in jungle and cluttered environment. It is just a curiosity if civilians can build better quality secure radio than military.

The reason they are heavy and bulky is primarily not the radio but what goes around it and the specification not just for maintainability and availability, but survivability in quite harsh environments.

It's becoming a better known fact that "mil spec" is dying as an industry sector, likewise Private Mobile Radio (PMR) as the reliability of cellular mobile radios improves.

The thing of note is that it's easy to design "small" if you have no intention of making it "user serviceable" or even "repairable". Which is why the likes of modern mobile phones can be made so thin.

Further, if you make it small and light, you don't need the robustness of machined metal cases with heavy internal shock mounts etc.

But mobile phones have another advantage: they work line of sight around the bottom of the microwave band. This generally won't work in rugged terrain unless the cell site has some kind of "Sky Hook" keeping it in a visible place. Military radio generally works from the top of the MF band through to the mid UHF band depending on the use it is being put to. This necessitates various types of antenna tuning that are quite bulky when made robustly and can easily be more than a third of the radio volume.

Mobile phones also have another advantage: they use TX power down in the milliwatt range, and only need to have a battery that gives maybe 24 hours of RX and an hour or so of TX time. Military radios work from 5-500 watts, with HF man packs frequently working 25-125 watts, with RX and TX times vastly increased to the equivalent of 250 and 20 hours respectively; this gives batteries that take up up to two thirds of some manpacks' volume and eight percent of the weight.

I've got radio equipment I've designed that covers 0.1-3000MHz RX and 1 watt TX into 50 ohms; it fits fairly easily into a 1U 19" rack. The physically largest component is the SMPSU in its shielded case, the second largest being the CPU board that does the various modulation and demodulation at the 100MHz IQ second IF.

It's a bit old now, but still serves well for doing radio astronomy and amateur radio and some older broadcast work. If I was designing it today I'd go for an IF bandwidth of more than 10MHz and a lot more CPU power for the more complex modulation modes around such as DAB and DTV, and try to get around 10dB more on the RX dynamic range which more modern ADCs give.

RossAugust 18, 2015 9:51 AM

Article talks about something called "synthetic identity fraud". Although the title refers to it as "ID theft", it does not always (judging from the information in the article) necessarily entail stealing someone else's identity.

The CPNs, or Credit Profile Numbers, discussed in the article seem to be able to be nearly any number(?). The perpetrators use these to open credit card accounts under new addresses that are not tied to their own previous credit profile.

So in the end this is probably mostly a case of creating fictional credit profiles, except in cases where they may use someone else's social security number. But in that case it should be expected that the social security number has to match the person's other details as well, like their name and so on.


Synthetic Identity Fraud: A New Kind of Costly ID Theft You’ve Never Heard Of
http://abcnews.go.com/Business/synthetic-identity-fraud-kind-costly-id-theft-youve/story?id=32596029

ThothAugust 18, 2015 10:32 AM

@Clive Robinson
That old and heavy iron (a.k.a antique radio) that the signal guys have to carry are not very appreciated. I guess that wouldn't change for many decades to come. I was recently talking to my old mates and they were complaining to me about that old iron on their backs and after seeing the Flutter Wireless set that got me wondering. I dare say most of them prefer mobile communications than old iron radios since it works better than radios that make funny noises and have poor quality but life is as it is I guess.

squidAugust 18, 2015 11:36 AM

Bug in Wget passes user's real IP even with proxy use (such as Tor/TAILS)

"Just FYI, it appears there is a bug in wget while using a proxy that allows wget to be forced to use the FTP port and thereby unmask the user's IP (normal usage) or at least leak the user's network adapter IP (in TAILS)."

- Comment @ Reddit:
https://www.reddit.com/r/TOR/comments/3hc02l/how_can_i_download_webm_videos_longer_than_30/cu6yzv5
https://archive.is/3YYo0

- Original discovery of bug @ lists.gnu.org:
https://lists.gnu.org/archive/html/bug-wget/2015-08/msg00020.html
https://archive.is/Ah3Pg

- Reported to TAILS project development list (tails-dev):
https://mailman.boum.org/pipermail/tails-dev/2015-August/009370.html
https://archive.is/nPi5h

- First response @ tails-dev
https://mailman.boum.org/pipermail/tails-dev/2015-August/009383.html
https://archive.is/derHC

tyrAugust 18, 2015 4:09 PM


@all

This is worth reading.

https://medium.com/backchannel/the-end-of-the-internet-dream-ba060b17da61

It is also worth acting upon.

@Clive

I have my own collection of obscure texts, a bunch of Intel pubs from the 70s and 80s, three massive tomes from Motorola and TI semiconductor and integrated circuit specs, also my grandfather's multivolume electrical handbooks. If you need to wind your own powerplant generator these are what you need. Haunting used book stores turns up some amazing finds.

I found a prestigious academic magazine with an article in which some Middle Easterner (based on the name) tried to pass off some of Erwin Schrodinger's work as his own. It was far too pricey for general circulation. I heard later the publisher was condemned by the scientific community and folded.

Pricing stuff too high sometimes has a nasty ulterior motive, but academics aren't overly bright once they enter unknown territory. It's part of the reason for the copyright wars over public domain materials.


Dirk PraetAugust 18, 2015 6:29 PM

@ squid

Bug in Wget passes user's real IP even with proxy use (such as Tor/TAILS)

Aaargh. Thanks for sharing.

NateAugust 18, 2015 8:34 PM

The Ashley Madison data has been dumped to the Net. http://arstechnica.com/security/2015/08/data-from-hack-of-ashley-madison-cheater-site-purportedly-dumped-online/

Apparently there are 15,000 government and military email addresses. This could get interesting, if they're legitimate. http://www.csoonline.com/article/2973036/vulnerabilities/ashley-madison-hackers-publish-compromised-records.html


us.army.mil - 6788
navy.mil - 1665
usmc.mil - 809
mail.mil - 206
gimail.af.mil - 127


ThothAugust 19, 2015 12:53 AM

@Anura, Secure Messaging et. al.
A Low Assurance and Ephemeral Web-based End-to-End Secure Push Messaging with User-Derived PKI.

Most secure messaging apps require the installation of applications which are cumbersome or intrude into a person's privacy on their devices (Android Permissions style). Removing the need for a dedicated application for lightweight secure messaging over ephemeral devices and systems could open a whole new window of opportunity for the use of secure messaging while also being mobile and subtle.

Modern messaging apps have their proprietary protocols and ports they use, which could also be used as a give-away sign for anyone listening on the network of the probable apps that are being used. The direct counter to leaking probable applications via ports and protocols is to use standard protocols and applications commonly used on the Internet as a means of masking one's activities, and the most common protocols are Web-based protocols like the HTTP/S protocol for Web-based activities.

The use of the HTML5 Websocket as the transport medium for Web-based chats is growing, and many rising web chats like CryptoCat use Web-based socket technologies to conduct encrypted in-browser secure messaging. The down side of CryptoCat is you have to always generate a new identity whenever you want to create a session, and your peers might not be willing to always be handling new identities, nor do you want to do so either.

The use of a simple HTML5 Websocket enabled browser would be advantageous in that, to an adversary, you are using a HTTP/S protocol (and thus hard to censor or differentiate) and the only tool is a common web browser. Browsers have always been faulted for their poor handling of Cryptography (especially in the RNG department) and have been less than secure in a general sense, but that is not the scope of this proposal document.

The cryptographic algorithms would leverage miniLock techniques, which use Daniel J. Bernstein's NaCL variant for Javascript via the TweetNaCL-JS library. Naturally, the signing keys would be derived deterministically from a user chosen username (usually in email address form) and a user password. Closely following miniLock, scrypt is used on a BLAKE2 hashed user password, with the email address or username as the scrypt KDF salt. The algorithm is generally represented as Curve25519-XSalsa20-Poly1305, which is consistent with the miniLock and also default NaCL algorithm suite for encryption, and Ed25519-Poly1305 or Ed25519-BLAKE2 as the signing algorithm.

Other than the KDF similarity with miniLock, to provide for secure web-based push messaging, a channel encryption between the push message server and clients is required, and also the messages are End-to-End encrypted (similarity with TextSecure protocol).

When a user registers, they will upload their user Public Curve25519 and Ed25519 keys to the push messaging server via a hardcoded server Public ECC key. If the Public Key for the user already exists, they are encouraged to regenerate a new keypair by either changing the username/email or increasing password complexity or using another password. The private keys are never stored (assuming trust of system) and only recreated when the user forms the username and password back into the private key.

User settings would be tied to their public keys and the user must sign their settings for authenticity. Users do not need to display personal identifiers and have full control of their settings in the form of text files.

The push messaging server will not allow unauthenticated upload or download of messages, to prevent attempted injections of corrupted messages. The user would require the use of their private key to authenticate a challenge-response message with the push messaging server, which possesses the public key of the user, before messaging functions are allowed to take place. The server would also prevent duplicate login attempts and also handle timeouts or broken connections, to only allow a single instance of a user to be logged on at a single time to keep the message queues consistent.

The server is only set to hold a fixed number of uploaded messages (or can be set to unlimited caching), after which no more messages can be uploaded until the recipient downloads their messages to read and clear their message box. The messages must eventually be deleted from the push messaging server for space. The user can set themselves to delete every newly downloaded message upon receiving or to delete them manually later.

The users will check for their message boxes in the push messaging server either manually, over a set timing or when the server sends a signal to the client.

Protocol messages are sent in fixed blocks and padded to prevent some traffic analysis attacks. The protocol would encapsulate a message type header, the message and a signed checksum (BLAKE2 hash following miniLock). The channel encryption between clients and server would be used to wrap the message block via generically encrypting and signing the packets before sending to the server, which unwraps and verifies the packets before deciding from the packet header on the actions, thus enabling hiding of the nature of the packets and messages.

Session key negotiation packets (Curve25519 public params) are signed with the user's signing keys and exchanged in the messages as specially marked KEX packets when unwrapped by the push messaging server and resting in the message box before. This is in accordance with the TextSecure protocol.

The web-based in-browser push messaging chat would allow on-the-fly private key usage without the need for storing private keyfiles anywhere, with a simple username and password method of deriving the keypair. Logging in to and using the push messaging service are done via keypairs and encrypted client-server channels. End-to-end messaging security bypasses scenarios of compromised push messaging servers.

A feature in consideration is to have a server proof by getting a user to sign the server's public key and hosting the user's acceptance of the server's proof with the user profile, which the user would request the server to provide during login to prove an authentic server together with the server's public key.
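The user-derived key material and the fixed-size padded message block from the proposal above, as an added example that is not Thoth's code nor miniLock's: the password is BLAKE2-hashed and run through scrypt with the username as salt, and each wire block carries a type header, the payload, constant-length padding and a checksum. The Ed25519-signed checksum is replaced here by a keyed BLAKE2b tag (Ed25519 is not in the Python standard library); the block size, message type values and scrypt cost are assumed.

```python
"""Added example (not Thoth's or miniLock's code): miniLock-style user-derived
seed plus fixed-size padded message blocks with an integrity tag.
Assumptions: keyed BLAKE2b stands in for the Ed25519 signed checksum;
BLOCK_SIZE, the message type values and the scrypt cost are constructed."""
import hashlib
import hmac
import os
import struct

BLOCK_SIZE = 512              # assumed fixed wire block size
TAG_LEN = 32                  # BLAKE2b tag appended to every block
HDR = struct.Struct("!BH")    # message type (1 byte) + payload length (2 bytes)
MSG_TEXT, MSG_KEX = 1, 2      # assumed message type header values


def derive_seed(username: str, password: str) -> bytes:
    """scrypt over the BLAKE2-hashed password, salted with the username.
    In the proposal this 32-byte seed would feed Curve25519/Ed25519 key
    generation; here it doubles as the tag key."""
    hashed_pw = hashlib.blake2b(password.encode(), digest_size=32).digest()
    return hashlib.scrypt(hashed_pw, salt=username.encode(),
                          n=2 ** 14, r=8, p=1, dklen=32)


def frame(key: bytes, msg_type: int, payload: bytes) -> bytes:
    """Build one constant-length block: header | payload | random pad | tag.
    Every block is BLOCK_SIZE bytes regardless of payload length, so an
    observer of the channel cannot tell a KEX packet from a short text."""
    body_len = BLOCK_SIZE - TAG_LEN
    if len(payload) > body_len - HDR.size:
        raise ValueError("payload does not fit in one block")
    body = HDR.pack(msg_type, len(payload)) + payload
    body += os.urandom(body_len - len(body))          # pad to constant length
    tag = hashlib.blake2b(body, key=key, digest_size=TAG_LEN).digest()
    return body + tag


def unframe(key: bytes, block: bytes):
    """Verify the tag, then parse (msg_type, payload); raise on any defect.
    The tag covers the padding too, so nothing in the block is malleable."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("wrong block size")
    body, tag = block[:-TAG_LEN], block[-TAG_LEN:]
    expected = hashlib.blake2b(body, key=key, digest_size=TAG_LEN).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time compare
        raise ValueError("bad tag")
    msg_type, length = HDR.unpack_from(body)
    if HDR.size + length > len(body):
        raise ValueError("length field exceeds block")
    return msg_type, body[HDR.size:HDR.size + length]


if __name__ == "__main__":
    seed = derive_seed("alice@example.com", "correct horse battery")  # constructed
    blk = frame(seed, MSG_KEX, b"constructed Curve25519 public params")
    print(len(blk), unframe(seed, blk))
```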

CuriousAugust 19, 2015 2:16 AM

Oops, I forgot to add a snippet of text for the article I just mentioned:

"But in a blog post on Monday, a Commerce Department official said that the plan to move to international management needed more work. As a result, he said, the department would renew its contract with Icann for at least a year — with an option to renew for an additional three years."

(http://www.nytimes.com/2015/08/18/technology/us-transfer-of-internet-oversight-is-delayed.html)

GregWAugust 19, 2015 5:47 AM

@Clive, @tyr,

For those interested in efforts to save old tech manuals, here's a fresh story of a guy trying to save at least some of 25,000 manuals from an esteemed manual seller going out of business, in a last-ditch/last-minute effort before they were all thrown in the trash.

A post from last Friday describing the effort/intention that started this past Monday:
http://ascii.textfiles.com/archives/4683

And an update 48 hours later:
http://ascii.textfiles.com/archives/4724

Nick PAugust 19, 2015 11:55 AM

@ Clive Robinson

Trump does kind of look like a horse haha. The lizard was good, too.

Markus OttelaAugust 19, 2015 7:51 PM

@ Nick P
Thanks for clearing that misunderstanding. If suite A algorithms are mainly just obfuscation, couldn't they also be a testing environment for some cryptographic primitives? If say NSA watches Russian cryptographers ponder these implementations that have somehow leaked, they might get valuable feedback from the enemy.

What do you think, is the NSA's information assurance dept not meddling with proper implementation a failure on their behalf, or part of focus on offensive side?

RE: Video (and exploitation in general)

The video tried to take all the clips I could find; a naive attempt to show "this subject is on the table". Over time I hope I can find better quality versions -- what was the satellite video you referred to? If it's the Snowden with Constitution as BG, I think the audio has the important point of "exploitation happening daily".

It's hard to find the target audience. If the technical stuff goes over a person's head, any attempt to provide a solution will most probably go as well. Even technical people do not seem to agree on the matter, especially on what the GCHQ's bulk part in bulk CNE is -- whether it's the data type (i.e. exfiltrate bulk data from targeted servers) or whether it's bulk of targets to exfiltrate personal data from.

I had a quick chat with Matthew D. Green on Twitter and it would seem he disagrees; "exploitation is hard". I've very limited knowledge in this stuff but with proper tools it was trivial to exploit Windows with 0-day using metasploit.

In this case the OS was WinXP SP0 and the attack was the MS03_026 RPC_DCOM example Vivek Ramachandran used in his Metasploit video lecture series. While old, it's a valid way to emulate the capabilities of an HSA. What really struck me was the complete undetectability of the attack; Meterpreter gives the attacker roughly the capability of Regin: clean file exfiltration, keylogging (main threat model of PGP / OTR).

I'm not sure if installing modern AV / IDS would've stopped the attack, but at the time (2001-03) I'm pretty sure it hadn't. Metasploit is trivial to script with python. I don't see why it would have been a problem to automate the RPC exploit against the entire IP4 range in 2001.

I'm pretty sure NSA at least now has such a capability. The mass surveillance and profiling makes it easy to choose what targets to exploit, to make sure the "expensive" 0-day doesn't end up fired once (against everyone, Symantec's research shows the average lifespan is IIRC something like 380 days).

So a $1M exploit against W7 gives the NSA access to 60% of world's computers for more than a year. Firewalls etc. naturally need their own exploits but it doesn't make things exponentially harder. I'd say CNE is much more important and easier than breaking crypto (yet still NSA hires the top tenth of mathematicians annually).

Any thoughts on skewed reporting of leaks and why, while Snowden regularly talks about end points, it's not well received by the audience?

ThothAugust 19, 2015 9:27 PM

@Markus Ottela
I would say algorithms are just as important as CNE and other methods of getting what they want. It's kind of a race between breaking the algorithm first or breaking the system (CNE) first. Whichever is the most convenient, they will definitely use it. If a method of (in/ex)flitration fails, they have backups for persistent access.

The cryptographers are also used to provide algorithms for their own security capabilities too, in the event someone breaks their existing ciphers (somehow), for the defensive side, and for the offensive side to break someone's ciphers.

It is not surprising that they are getting so much taxpayer money where they can go on a hiring spree, and the more people the merrier, isn't it?

Clive RobinsonAugust 20, 2015 8:57 AM

@ Figureitout, and the usual suspects,

Whilst having a hunt round I found myself on this interesting site,

https://embeddedmicro.com/

It has an interesting FPGA system with IO Shields, and what appears to be an easier-to-use-than-normal HLA of Verilog,

https://embeddedmicro.com/tutorials/lucid

Oh and have a look at their basic CPU tutorial, it certainly looks like it takes a lot of the crap out of RTL to logic,

https://embeddedmicro.com/tutorials/lucid/basic-cpu

Clive RobinsonAugust 20, 2015 9:42 AM

Finland is looking to replace welfare with basic wage,

http://www.bbc.com/news/world-europe-33977636

Smaller scale experiments in the past have shown such systems have many benefits, which stop people getting into "benefit traps"; they can also plan employment/education, thus actually vastly improving their life chances but also taxable income earning.

Of course the big fear from both sides of the political spectrum is firstly higher taxes for the "tax avoiders", secondly less ability for politicians to interfere with the economy, thirdly less civil servants, less crime, and probably better health outcomes for citizens which has a down the line issue with pensions.

ThothAugust 20, 2015 10:29 AM

@Clive Robinson
Wow, that's cool stuff. Wonder what kind of effort is needed to create a forgetful encryptor on it. Maybe a Vernam Cipher would be nice.

To create a customized CPU, all that is needed is the IO Shield and SDRAM shield? What else is needed?

Nick PAugust 20, 2015 10:46 AM

@ Clive Robinson

Wow. Didn't know their unemployment rate was so high. Also unusual to see "equality" being a big obstacle to getting things done. Finland's problems sound nice from where I'm at. :)

Nick PAugust 20, 2015 12:45 PM

@ Markus Ottela

"Thanks for clearing that misunderstanding. If suite A algorithms are mainly just obfuscation, couldn't they also be a testing environment for some cryptographic primitives?"

That's a neat idea but not what it is. The algorithms have stayed the same for a long period of time, are deployed at most sensitive sites, are restricted in use, and so on. It's likely that they trust it the way they used to trust secretive devices to protect them. Their logic is probably the same as it was when they used to build custom crypto solutions in the past. They hope the enemy has to (a) get the COMSEC device, (b) successfully reverse engineer it despite protections, (c) extract the algorithm/implementation, and (d) break that enough for external attack. I think even they realize it's misguided a bit: the next step was using public algorithms w/ a Type 1 development process and creation of devices that were less restricted.

re video

Far as "satellite," I just assumed it. I'll say "weak link" that starts at around 1min in. Sounds garbaged. The explanations by Snowden and Bruce on the endpoint issue are good. However, the language is weak in that technical people need more data and laypeople don't know what an endpoint is lol. The TED description next was great as anyone will understand that. Gonna stop review there. Combining TED-style description with stuff in slides that shows it visually might be a nice move. So, you have some describing what happens in English for Gmail/photos, you have a document with that word, and a picture highlighting NSA's interception. This sort of thing they'll understand.

It's also imperative to work in the parallel construction angle. Laypeople think this stuff is only for terrorists or doesn't affect them. They need to know that (a) NSA is sending data to organizations that prosecute people daily (including IRS), (b) parallel construction of false evidence trails (scary by itself), (c) legal protections are bypassed, and (d) "State Secrets" privilege plus immunity means this can't be challenged. Hell, there's so much there that parallel construction probably needs half a dozen videos of its own. Anyway, combining massive invasion and scope of NSA collection with what amounts to secret police coming after Americans should scare them a bit. Maybe include examples of people's lives destroyed by FBI, DEA, IRS, etc for barely any reason at all and ask them if they want those agencies to have NSA's information and secrecy.

Anyway, just ideas. The key to reaching lay audiences is describing capabilities in English, showing documents they can interpret with the commentary, and showing them why they personally should worry. This is what John Oliver did with his brilliant "dick pics" concept. Everyone interviewed was horrified about the Dick Pics Program and think it should be shut down. Now, gotta do this for the rest. :)

re Green

That's really strange to me as Green is normally pretty smart. There are people collecting bounties and publishing exploits on major software all the time. I'm not sure how he could justify his statement. In any case, even if it were true, it doesn't matter in terms of risk against major adversaries. It just means there would be a relatively small number of people finding and weaponizing exploits which they'd sell to who can afford them. State-level stuff costs hundreds of thousands to millions while malware market sometimes sells stuff for thousands to tens of thousands. We've seen results of both.

So, it doesn't change anything. I mean, it might make them more selective in targeting. However, we've seen the Chinese per Mandiant hit tons of firms for TB of information using primarily spear-phishing and 0-days. They use them quite pervasively without any loss of capability. Reason is that there's a continuous supply of new 0-days in the form of "enhancements." :)

Anyway, I saw a mistake many make when you said:

"So a $1M exploit against W7 gives the NSA access to 60% of world's computers for more than a year. Firewalls etc. "

Actually, a few $1M exploits give them access to every version of Windows and Mac with large market share. Then, the BIOS/UEFI attacks can make that last until hardware is upgraded. More careful work at network level can extend that even further. So, all in all, they could own most systems and for much longer than a year. If they wanted to. Wouldn't be a bad move for several million dollars.

Why they're not doing it I can't say. Let's just hope they're hoarding 0-days and being selective with that. The Equation Group leaks support this. So, there is a benefit to raising bar on passive surveillance. At best, it really hampers them. At worst, they waste lots of 0-days. :)

re laypeople and "endpoint" issue

"Any thoughts on skewed reporting of leaks and why, while Snowden regularly talks about end points, it's not well received by the audience?"

(@ Bruce, too, as people keep making this mistake...)

They don't know what endpoint means. ;) Gotta put it in English: their computer, tablet, phone, or device. Remember, the brain is associative: the more prior thoughts link into it, the more they comprehend and remember it. Also, assume the technical audience already knows about this stuff and stay almost entirely in lay terms given they're the voting majority. So, you go from:

"Attacks on endpoint bypass the crypto entirely. Computer with bits size of universe. Math is good. (blah blah blah)"

to

"Their attack tools can hack into your computer/phone the second it connects to the Internet, it goes around the security features to get access to all the information on your computer/phone, digs so deep into it that their tool sees the information before it even gets to your encryption product... what I'm saying is that they see every letter as you type it, every picture as you take it, hear every word you speak before these even get to Gmail/iMessage/phoneline... and they even built a system called QUANTUM that can do this automatically, without human intervention or review, to millions of computers at once. They even have tools that attack the chips themselves (eg BIOS). These attacks dig so deep into your machine that you can erase your whole disk, reinstall Windows/iOS, you start it back up, it gets instantly re-infected by what they put into the chip, and the infection automatically starts re-sending the data to NSA & FBI."

Notice the difference. Anyone reading this who can use a computer will understand what it means. Some won't understand every term but the context gives them the idea. Others will understand most terms. They'll help the prior group understand the situation in conversation. Then, I drop a technical point or two so anyone asking technical friends or professionals what they think will get confirmation along with more, scary explanations (esp over BIOS). Finally, I use the word FBI to remind them that law enforcement has some kind of access to this and implies it might be used on them.

*THAT* is how you help lay people understand the risks. Then, when we talk solutions, you might (a) dismantle the program as too much power in few hands, (b) reforms where you describe changes in English while contrasting to above, and/or (c) argue for tools and methods to improve security of machine to stop the above by preventing those tools from infecting the system. There's a number of ways to describe (c) but it depends on what (c) is in that conversation.

Also, gotta make sure you don't come off as fear-mongering or paranoid. This is why I say cite the documents visually for whatever points are made. You're a concerned individual reporting what their own documents say and not speculating at all. This reduces risk of dismissal. Hope this helps.

Nick PAugust 20, 2015 2:40 PM

@ Clive Robinson

You think YOU found a cool description of processor design, eh? Admittedly, much tidier HDL than usual and neat to combine flexible I/O with FPGA. However, I found a potential bombshell that needs expert review. Started with a post on HLS being dead, an advertisement for one in comments, and I checked it out for curiosity. The product is Synthagate. The methodology was interesting. Doing some digging to see if they're dead/acquired/whatever led me to this book by its inventor, Professor Baranov. The table of contents and the book are quite detailed going from abstract state machines to synthesis of control and datapath with a lot of detail on the How. Watching them merge the messy FSM's into a solid, single one was neat as hell.

So, my questions for you, looking at the book's opening and skimming its details, are: is this a legit methodology, esp for generating HDL from algorithms for acceleration? Is it something smart engineers, but not HW people, could pick up with no or maybe 1 HW person on the team? Is it worth imitating in an open-source, high-level-synthesis tool? Previously I complained HLS was too hard for us to get anything past toys out of academia but this book seems to have done most of the hard stuff already. Plus, it's been implemented in production albeit at unknown quality: neither of us trust benchmarks in this field for good reason. ;)

Here is the book's summary with brief descriptions of each Chapter and technique. Pastebin expires in a week in case of copyright issues. I was almost late getting back to work reading the part on synthesizing a 16-bit processor: shit was just too neat despite me barely comprehending it lol.

AnuraAugust 20, 2015 4:44 PM

You know, I generally don't like the idea of releasing personal data from a hack. It's kind of a dick move, and I felt the same way after the Ashley Madison hack. That said, while I have no ill will to most of those people who would cheat on their spouses and don't think they should be publicly shamed, I will take great pleasure in reading about prominent members of the religious right who get caught-up in this.

Hey CortanaAugust 20, 2015 5:55 PM

Apparently, Intel has integrated into the chip an always-on feature listening for audio cues. They've demo'd some Win10 machines that wake from poweroff by saying "hey cortana". It's hardware not software, so pull the plug and drain the caps and remove the batteries.

Clive RobinsonAugust 20, 2015 7:24 PM

@ Anura,

    That said, while I have no ill will to most of those people who would cheat on their spouses and don't think they should be publicly shamed

Whilst I agree with the "I have no ill will", they are cheating.

Now I don't know how it is where you are, but in the UK marriage is a publicly made commitment, usually before a God, supposedly freely entered into by both parties, with amongst other commitments of,

    ... to love and cherish... forsaking all others... until death do you part

Thus if they break those publicly made promises, why should those breaches of promise not become part of the public record?

Just as they would with divorce proceedings or other formal annulment of marriage.

I was once told by a retired army sergeant who had fought in both Africa and India during WWII, "Son, when you get married, your cock belongs to your wife and don't you ever forget it"; he had a point.

Another friend in the army once said "Marriage is the prelude to divorce; if you don't get married you can't be divorced", which in a somewhat odd way of looking at it is true. Back when he said it there were little or no co-habiting laws, so there was a significant advantage in not being married if things went wrong. But as others have pointed out, marriage is more likely to end a relationship, and badly, than if not married. In the UK there was evidence to show that co-habiting relationships lasted longer on average than marriage for the same age groups...

FigureitoutAugust 21, 2015 12:37 AM

Clive Robinson
--Was nice, thanks. The 3rd one was the best. Still um prefer programming existing designs (I'm nowhere near proficient where I can cross the main vendors and be "the guy" that can implement just about anything embedded-wise).

Like the instructions, so they can "cut some fat out" by just having "less than"(LT) and "equal"(EQ) and no "greater than"(GT) since you can just reset to 0 once it reaches a number (which needs to be loaded and "stored" first). Can't really do some nice features or additional protection w/o greater than though (maybe setting a condition that *must* be true by checking if a num is LT, GT, or EQ in some kind of "watchdog" perhaps (if you have the power, kinda nice to have some protection unless it can be subverted (probably can:( ))).

Debugging I think I recall some branching instructions during if-statements; would you consider those "pig-fat" or necessary (I think they're nice for just a little bit of quicker readability).

Then the code was "OK", looked kinda C-ish, like defining instructions, structs, and a weird form of cases; but still don't feel like I'm seeing the computation (I'm afraid I'm doomed to the muddy pigsty of where-ever). Comments on address and dout were: "don't care", well that's pointless, thanks.

Otherwise, nice.

FigureitoutAugust 21, 2015 12:57 AM

Clive Robinson
--Don't have a link (nothing's new for you eh?), but a question on secure protocol design if you're up for it. As far as an asynchronous design (having the global clock signal will be the "nicest" to have sure, but most secure?), would a generally secure one involve:

--Start point sends 1-way signal to node that does another 1-way signal to endpoint that then sends received a "start and stop" bit-combo (let's assume no injection, any kind of interference in something as delicate as a computer is screwed anyway).

--Node computes pre-programmed bit-combo and simply switches a switch to another node that then sends back a received signal to an endpoint; the human just turns his/her head for confirmation.

Basic "boomerang" high-level approach trying to get confirmation of a 1-way signal in an isolated separate channel. Can enforce and confirm mostly in software at this time. Find that good enough or will be subject to hair-pulling errors?

Clive RobinsonAugust 21, 2015 4:43 AM

@ Figureitout,

The problem with one-way signalling is it has to be robust to non-delivery and out-of-order delivery issues. Whilst one part of this problem, "detection", can be resolved fairly easily with sequence numbers, the "loss of data" can not. Thus you are stuck with accepting missing data or providing some kind of forward error correction to account for data loss.

For instance, if you think about a toy tank, you send basic left / right instructions and rely on "visual feedback". Which works ok until it goes behind the settee etc. If you just continue sending left, right etc the unknown errors quickly build up and it becomes chaotic. Thus you change the commands to go to point A, point B, etc, which gets rid of the error build up, but does not help with correcting errors. One way to do this is send "from point C go to point D"; thus if the previous "go from point B to point C" message is lost then the tank can make that one lost message error correction. However, it is actually physically one step back in time from where it should be, so there is a "catch up time" issue to contend with, which the tank may not be able to do and thus things become chaotic again. It's these "chaotic" reasons why forward error correction is not liked from a reliability issue. But also because each forward correction step adds more data to each message and thus requires much greater bandwidth.

To see why "nod of the head" feedback does not work well, consider the cases of out of order and out of time delivery. In the case of the toy tank let's assume it beeps for each command it receives. If you as the controller send a command, what do you do: do you resend the command again or do you wait then resend, and if waiting how long do you wait? With instant visual feedback it does not matter because you can adjust what you send to make corrections. But what happens when the feedback is not instant?

I could go on at length, but it should be clear that the feedback is actually both the more important and more difficult part to get right. Further, that it gets exponentially more difficult with finer grained control and faster response times. This is something battle field commanders found out the hard way thousands of years ago, which is why "superior numbers" and "autonomous behaviour" are liked in troop leaders. Such that the commander gives just an objective and a time to accomplish it to the leader, and the troops go out and do it with a reasonable probability of success.

Now consider how such systems respond when the communications is actively under attack; thus both your messages and error correction mechanism need to be secure and proof not just against "loss" and "out of order" messages but false messages, replays, bit flipping etc in both the forward control channel and return acknowledge channel.

Then move on to dealing with an inside traitor who is trying to hide covert messages within the legitimate forward or return channels.

It should become clear that there is no ideal solution, in that what you do to improve one aspect is counter productive to another aspect. For instance increasing the bandwidth for legitimate traffic makes covert traffic insertion much easier. Thus trying to control one channel for covert traffic by "clocking" makes other aspects considerably more difficult, in that it makes a DoS attack much much easier.

Thus you have to do a "SWOT" type analysis on each comms path and make the design choices as appropriate. Thus you might view comms paths as "internal" and "external" where the internal Threat is traitors, and the external Threat is DoS, and adjust your design requirements differently for each.

If you have a look at the original Shannon paper on secrecy systems it's over forty pages long, and only dealt with one or two of the issues. Thus there is more than a serious book's worth to get to know and understand on the subject of comms.

And as I said each comms channel is different so "hair pulling" is to be expected along the way. Which perhaps answers the age old question as to why "bald men are considered wise men"...
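A constructed simulation of the one-way "toy tank" channel discussed in the two comments above (Figureitout's one-way "boomerang" question and the reply). This is added example code, not anything posted in the thread; the route, the dropped sequence numbers and the swap are all made up. It shows the distinction the reply draws: sequence numbers only detect a gap, while carrying the previous waypoint ("from C go to D") lets the receiver recover exactly one lost command and no more, at the price of a larger message and a one-step "catch up".

```python
"""Constructed model of a one-way "go to point X" control channel.

Not code from the thread. A sender emits waypoint commands over a lossy,
reordering link; the receiver uses sequence numbers to detect loss and
reordering, and an optional forward-error-correction field (the previous
waypoint) to repair a single dropped command.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Command:
    seq: int                   # sequence number: detects loss and reordering
    prev_point: Optional[str]  # waypoint before `point`, or None if not carried
    point: str                 # "go to point X"


def make_commands(route, carry_previous):
    """Build the sender's stream; carry_previous adds the FEC field."""
    cmds = []
    for i, point in enumerate(route):
        prev = route[i - 1] if (carry_previous and i > 0) else None
        cmds.append(Command(i, prev, point))
    return cmds


def lossy_channel(cmds, drop_seqs=(), swap_pairs=()):
    """Model the radio link: drop listed seqs, then swap pairs of survivors."""
    out = [c for c in cmds if c.seq not in set(drop_seqs)]
    for a, b in swap_pairs:
        idx = {c.seq: i for i, c in enumerate(out)}
        if a in idx and b in idx:  # a swap involving a dropped seq is a no-op
            out[idx[a]], out[idx[b]] = out[idx[b]], out[idx[a]]
    return out


@dataclass
class Tank:
    expected_seq: int = 0
    path: list = field(default_factory=list)  # waypoints actually driven
    gaps: list = field(default_factory=list)  # seqs detected as missing
    late: list = field(default_factory=list)  # seqs that arrived out of order
    chaotic: bool = False  # set once a gap could not be corrected

    def receive(self, cmd):
        if cmd.seq < self.expected_seq:
            # Already past this point: a late or replayed command. Acting on
            # it would drive the tank backwards, so it is logged and ignored.
            self.late.append(cmd.seq)
            return
        missing = list(range(self.expected_seq, cmd.seq))
        if missing:
            self.gaps.extend(missing)  # detection: sequence numbers suffice
            if len(missing) == 1 and cmd.prev_point is not None:
                # Forward error correction: the one lost waypoint is the
                # "from" field of this command, so drive it first (one step
                # behind in time: the "catch up" cost noted above).
                self.path.append(cmd.prev_point)
            else:
                # Two or more consecutive losses, or no FEC field: the tank's
                # position relative to the plan is now unknown.
                self.chaotic = True
        self.path.append(cmd.point)
        self.expected_seq = cmd.seq + 1


def drive(route, drop_seqs=(), swap_pairs=(), carry_previous=False):
    """Run one route through the channel and return the receiver's state."""
    tank = Tank()
    for cmd in lossy_channel(make_commands(route, carry_previous),
                             drop_seqs, swap_pairs):
        tank.receive(cmd)
    return tank


if __name__ == "__main__":
    ROUTE = ["A", "B", "C", "D", "E"]  # constructed waypoint plan
    for carry in (False, True):
        t = drive(ROUTE, drop_seqs={2}, carry_previous=carry)
        print(f"carry_previous={carry}: path={t.path} gaps={t.gaps} "
              f"chaotic={t.chaotic}")
    t = drive(ROUTE, drop_seqs={2, 3}, carry_previous=True)
    print(f"two consecutive losses: path={t.path} chaotic={t.chaotic}")
    t = drive(ROUTE, swap_pairs=[(2, 3)], carry_previous=True)
    print(f"reordered: path={t.path} late={t.late} chaotic={t.chaotic}")
```

The extra field buys exactly one message of slack; everything the reply says about a feedback channel, replay and bit flipping is outside this model and would need a secured return path on top.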

Coyne TibbetsAugust 21, 2015 5:55 AM

Site complaint. I am getting this frequently when doing "Preview":


unused

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@schneier.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

JimAugust 21, 2015 8:31 AM

I think we are in a situation where one major company's (take Microsoft, for example) privacy policy gives other companies the guts to come with similar policy.

So now it's like a race to the bottom, for user data collection (or race to the top, if you work in marketing or at NSA).

Here's about Spotify's policy:

Spotify's New Privacy Policy is Atrocious
http://gizmodo.com/wow-spotifys-new-privacy-policy-is-atrocious-1725495810

One of the examples in the above article:

    With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy.

BoppingAroundAugust 21, 2015 9:27 AM

I wonder how far this shite goes for those who have never used any of these services (FB, the aforementioned Spotify etc) and are not intending to start.

I know there are at least several photos of me on FB. Thank god I'm a rather minor part on them, but those photos exist. What else? Any data about me shared by the service participants. My phone number if anyone who has it owns an iPhone or Android smartphone and has synchronisation enabled, as well as having third-party apps that snoop on one's contacts.

I never asked for this. Yet I am in the dragnet too. Maybe to a lesser extent.

Irksome.

FigureitoutAugust 21, 2015 11:48 PM

Clive Robinson
--It's what I don't want to hear but know it's probably true.

One thing is pre-programmed instructions like w/ drones (surprised you didn't use that example (which probably use a check at a certain altitude then entire time keeping track of distance to know precisely when to turn around when too far (or when losing comms))).

Don't know how to deal w/ different timing issue if you were to say "split" up comms and bring back together at endpoint w/o bringing up a separate channel that'll be attacked.

Was thinking some kind of hash for each node could be made w/ the full list in each node, but they need physical protection (well any secure computing system does, I found it uncomfortable to leave a PC in my doctor's office w/ USB ports right there and keyboard right in front of me and short passwords to shoulder surf..).

I could go on at length
--I'm all ears and need some hints, and will get in trouble if I "look" too hard it gets creepy.

consider how such systems respond when the communications is actively under attack
--The data in transit would have to be pre-encrypted of course. And what do we see in military? Completely separate channels of authentication in emergency loss of comms; probably some kind of ridiculous frequency-hopping, phase shifting, etc.; or something new.

false messages, replays, bit flipping etc in both the forward control channel and return acknowledge channel
And I said ignore that, need a safe-zone to work or it's complete crap, bunch of false conclusions. I don't think any protocol could ever be secure enough to just be implemented on anything and not have more surrounding work backing it up (simple monitoring for one).

Then move on to dealing with an inside traitor
--Impossible! Insider will know how to evade that. Even NSA as we can see, had terrible internal security where simple social engineering for passwords worked even given its resources for paranoids to go to work (b/c we'll take it way too far and get way too out of touch w/ actual threats). Again, this suggests that a lot of more info that's thought to be secret is out there, for everyone lol.

Nick PAugust 22, 2015 12:36 PM

@ All
Financial opportunity

Tarsnap is offering a bounty for exploits on the software with Thomas Ptacek offering to match it. Tarsnap is made by the guy who devised scrypt. It has a good design. So, improve it and get paid. :)

@ Clive Robinson

re link

Mainstream has finally discovered MILS/separation kernels. Eventually they'll discover the security requirements, too. ;) Meanwhile, some of those that invented, designed, and deployed separation kernels have determined they're inadequate against high-strength attackers on Intel-style hardware. They've moved on to the clean-slate and HW modifications while mainstream is beginning on the old stuff. Funny, funny.

re book

Do check that out. The FSM stuff alone is interesting given that both of us used them extensively. Need some opinions on whether the control and synthesis model looks legit enough for real-world apps past the company's opinion. If it is, then I'll just start forwarding the book to various teams working on HLS tools on a budget. Might save them a ton of work.

re BitBabbler
(@ name.withheld)

I've completed my preliminary review after probably thousands of words exchanged between their lead engineer (Ron) and I. They're not really ringing any alarm bells. If anything, quite a few of the responses were unusual in a good way. Their incentives are aligned right for quality. They're targeting people like us rather than mainstream and would be at high risk of being caught bullshitting. Although they won't release specs, the core of the TRNG is simple analog circuits that can be analyzed by the usual tools. They used this as a compromise so it would be easier to verify w/out FOSS HW while letting them recover investment. JackPair was $40+k while theirs is partly analog and in Australia: likely six digits in development costs. I'd be more skeptical about them handing it away for free to be honest.

Worth noting about the evaluation aspect. As I wanted specs, Ron pointed out that the nature of the circuitry threw them down a rabbit hole many times in terms of what they expected and what they were getting. Manipulating noise of different types, the analog nature, and so on meant that a mere schematic wouldn't tell you much. You'd have to test it yourself by hand to understand what it was doing. So, their goal was to use simple components to make that easier. He volunteered that the riskiest component was USB and so they picked the dumbest one available in that form-factor. He had a risk reduction for it, too, but was limited by cost.

In any case, I've learned enough from you, our old HW guy, and my analog research to find his claim believable. There is certainly a huge mismatch between what a TRNG does in theory and what the circuits actually do when you start linking them up while injecting/absorbing noise. That the review would be black box anyway follows from that. Good engineers can also R.E. a schematic out of the PCB if they wanted. Simple components to make review easy seems like a good choice. Ron's most worried that there's a risk they never thought of or something can slip past existing QA measures for entropy. That's why they want experienced analog and HW people to test every hypothesis they can on the devices themselves to help them eliminate more risk. They're not interested in what random people on the Internet think as that won't tell them anything useful. The OpenBSD model I've been calling it. ;)

So, at this point, they seem above board, the design is smart, it's supposed to be easy to black-box, and the next step is more experienced HW guys putting it through the paces. So, I encourage you and name.withheld to buy one to confirm or call bullshit on their claims. Plus, to suggest improvements and risks they might've not thought of if you spot them. Your previous comments on the subject indicate that's highly likely. :) That they're an established HW company that's working hard *not* to get attention on this product before its quality is established is by itself quite a plus in my book. Honestly, I can't remember the last time a security vendor was worried about selling too much product. Could be a first.

Clive RobinsonAugust 24, 2015 5:57 AM

@ Nick P,

I was going to look at the zip file over the weekend, but other more pressing issues arose... anyway, due back at the Hospital later this PM to have another test or three :-(

Hopefully I'll get time to download and read it later this week when I've caught up with things.

Nick PAugust 24, 2015 10:53 AM

@ Clive Robinson

"I was going to look at the zip file over the weekend, but other more pressing issues arose... anyway, due back at the Hospital later this PM to have another test or three :-(

Hopefully I'll get time to download and read it later this week when I've caught up with things."

Good to hear about the zip. Sorry to hear about the hospital. Bad luck like that going around. So behind on shit myself due to issues I'm battling.
