Mike the goat August 7, 2015 1:31 PM

Ping! First poster in the Friday thread. There has been so much awesome stuff going on in the infosec world lately – the long predicted enhanced visibility attacks on tor (I spoke about this all of five years ago well before anyone even considered such attack was possible), the pwnage of a Chrylser vehicle using a disposable sprint cell (yep, really clever engineers must have figured that remote attacks were likely and figured restricting it to sprint’s netspace was an effective mitigation. Suffice to say, it wasn’t!). I have been away from here for far too long. If anyone can give me a quick brief, I’d be eternally grateful. Hope everyone here is okay.

anonymous August 7, 2015 1:49 PM

So does this mean that Fridays will now be devoted to meerkats instead of squids?

And is anybody busy compiling a collection of “Squids That Look Like Bruce Schneier”?

Clive Robinson August 7, 2015 2:42 PM

@ Figureitout,

So that’s how they came up with some shap shifting aliens in “Deep Space Nine”.

Clive Robinson August 7, 2015 3:10 PM

@ Bruce,

That hat… it’s a little Greenwich Village Cyclist.

Have you thought about an Aussie Akubra,

I’ve a rather nice khaki territory, it’s got a larger (4inch) brim than most others in the range, and it keeps the sun from wrinkling the face and as more appropriate to the UK the rain of your glasses.

You can see another famous author modeling another one here,

War Geek August 7, 2015 3:28 PM

Has anyone kicked the tires on a .net-ish crypto implementation from Rebex?

This is apparently their engine

The site makes a lot of the right noises about support the same crypto algorythms as the cool kids. However, no where can I see anything about security certification/audits/mildly-hard-glares being leveled.

What raised my eyebrows about them is hearing about new 2015 Microsoft Dynamics based application installs observed with 2011 rebex sftp client applications and libraries. A casual perusal of rebex’s fixes since 2011 makes this a little breath taking.

Buttshark attack August 7, 2015 3:56 PM

ZeroFox, dime-a-dozen bin rats branching out from greasing bureaucrats to the Big Time: tattling to cops about protected speech. The ultimate white man’s welfare job, reading black girls’ tweets and scaring pussy cops with HIGH SEVERITY/PHYSICAL THREAT advisories.

Run by James Foster, Navy loser who paid through the nose for one of those Wharton vanity vacations, then prudently deep-sixed his shit Capitol College computer information technology degree to become a WHARTON mumblemumblemumble. Extra patheticness in the spectacle of this cracker skulking around for free (‘pro bono,’ as we say in The Biz,) spying on DeRay McKesson, a guy who’s got more brains in his cast-off foreskin than there are in Foster’s extended inbred white-trash family.

Darwin failed us here. The purpose of the Navy is for peckerwoods like Foster to get sent off to some sordid war we’re losing and get run over by a JERRV or something. What’s he doing back here, living off my taxes?

Brandon August 7, 2015 4:43 PM


that meerkats site says that

Bruce Schneier doesn’t use Tor. He just accesses sites from YOUR computer.

That’s pretty scary. But now I know why my internet connection has been so slow lately.

Clive Robinson August 7, 2015 4:43 PM

On the assumption this is this weeks Squid page and I’m to tired to wait up if it’s not…

Did people hear that the Office for Personnel Managment (OPM) that has done so much for China this year it was put up for not one but two Cyber-Security Awards?

Well it only won one the other going to “Hacking Team” who have done so much for the world despots security issues.

Any way here’s to OPM’s success of “most epic fail” at the PWNIES, apparently the “gold plated my little pony” is in a box somewhere if a person at the OPM would like to pick it up, I’m told that Black Hat do have some plain brown baggies normaly used to clean up after your dog, if an OPM representative want’s to have a degree of anonymity at the pick up…

Stuke August 7, 2015 5:06 PM

The resemblance is very slight except maybe that meerkats look up to check for hawks and eagles. Bruce looks up out of innate optimism; at least, I hope, not out of a need to check for carnivorous birds.

Jon August 7, 2015 6:03 PM

Meerkat scheduled to speak to the ToasterMasters Cinnamon Bread Annual Convention, Aug. 14th

Meerkat scheduled to speak at the Meeting of Agatha Heterodyne’s Plumbers Association, Aug 29th…

(my bad)


Nick P August 7, 2015 7:55 PM

@ Mike the Goat

I’ve at least made some process on dedicated chips. I found an open-source synthesis flow, FPGA architecture, and Xilinx bitstream generator astonishingly derived w/out reverse engineering or EULA break. On fab side, I found a mixed-signal S-ASIC, a company doing cheap runs, and what nodes to target (130-350nm, esp 180nm).

Mostly been going through extremely hard times that keeps me from doing anything that takes too much thinking. Wael is apparently as he said he’ll be gone a while. I’ve been preaching and teaching on HN a lot. New favorite site for geek news as newsbites and quality of comments are high. Posting some stuff here periodically. Did an update on asynchronous logic successes and general-purpose, analog computing which I think has untapped potential. Got about 100+ security and tech papers to catch up on that I batched lately lol…

Been a lot of interesting stuff to read. Thoth posted the best collection here. Far as hacker spirit, I think this paper is one of better one’s in an age of subversion fears. Similar to my own recommendation: asm -> macro-asm -> simple language -> complex language. Except he used proven cheat of building a LISP to build everything else. And I do have several papers describing how to build LISP/Scheme CPU’s in great detail. 😉

Mike the goat August 7, 2015 10:46 PM

Nick: wow, you’ve been a helluva lot busier than I have been! Had some minor family and health scares but all appears to be well now. I got caught up in a group that was trying to make a secure phone and they wanted someone to audit it. I will talk carefully so as to not put myself into any trouble re NDA but to summarize – you cannot grab a commodity phone from an Asian manufacturing house, flash a custom Android firmware onto it and call it “secured” – not even close.

They put a lot of effort into stripping a lot of the aosp code that wasn’t relevant for their purposes and obviously it lacked the google play services etc.. But fundamentally it still had binary blob drivers in its kernel, would have been exploitable via the stagefright bug that came out recently as it still used sf and they made no attempt to audit the firmware of the radio, probably the most critical bit.

So in short I gave their project a very negative review and they didn’t like that much, so decided to ignore it and launch anyway. Awesome!

Really interesting in hearing about how far along you are with your silicon ideas?

Thoth August 8, 2015 12:51 AM

Wow … the similarities …. By the way, that meerkat is so cute 🙂 .

Welcome back, @Mike the goat … or maybe you just trying to catch up on how similar our host, @Bruce Schneier is to those cute meerkats ? 😛 .

pB August 8, 2015 3:38 AM

So did someone alert you to this, or do you have a vanity search spider running the web?

Just curious.

Clive Robinson August 8, 2015 3:54 AM

@ Mike the Goat,

But fundamentally it still had binary blob drivers in its kernel… …and they made no attempt to audit the firmware of the radio, probably the most critical bit.

I’m not aware of anybody that does not run up against these issues, regardless of who’s chip set thay use.

The reasons are simple,

With regards the binary blobs, these come from the chip manufacturer, who has “trade secrets” they won’t trust even to NDA, usually these are because of F..K-U.s in the hardware they want to keep hidden. In effect they are hiding that the goods they deliver are not as per the advertised spec, the reason is that the spec went to marketing before the design went to mask.

As for the Radio Firmware, the cost of getting a “from scratch” design through approvals process is “prohibitively expensive” and almost certainly doomed to fail on the first half dozen iterations. Which is why nearly all “new” radio head ends are actually minor iterations to existing designs that have made it through the testing process. Back when I was involved with designing phones, I took a look at the then new GSM specification and approvals docs, when printed out in quite dense print on double sided A4 the stack was considerably more than a couple of feet in hight. I guestimated it would take atleast a year of solid reading to get through it and then another couple or so years to actually get to grips with it from a design perspective. So an individual would be looking at more effort than they would spend on getting a degree and masters in electronics…

Just more recently I had reason to download and use the AT Command set (remember from Hays Modems) for a Motorola radio module it filed a couple of those large “lever arch” binders.

And that’s not the least of your interface issues… oh no then there is the “one ring that controls them all” of the Subscriber Identity Module (SIM). Officialy it’s the SIM that controls much of the radio functionality and thus the baseband electronica, it gets OTA updates you don’t even get to see normally, Thus to be secure you would need to put in not just a guard but a faux SIM that you actually control, which is something both Apple and Intel have looked into.

Thus I’m not of much hope that a realy secure mobile phone can be designed by a small “fresh faced” team of engineers in any period of time they could get “seed money” for.

Which is why I’ve been looking at other ways to do things, hence getting the updated AT Command set.

ianf August 8, 2015 4:05 AM

It’s all the meerkats doing, they’re Attention Whores, every single last one of them.

rgaff August 9, 2015 2:27 AM


I liked the bruce schneier facts site…

“Bruce Schneier can recite pi. Backwards.”

At first I was like, “ok, where would he start”… then it hit me, “at the end, obviously!”

Mike the goat August 9, 2015 5:33 AM

Clive: agreed with you – it is security through obscurity. I can’t gather exactly why they’d want to fight to keep radio firmware closed source – there really isn’t anything interesting, secret or particularly inspiring about SDR code. You can only guess that the code is hacky, laden with bugs and potential ‘sploits – or alternatively has black code in it, included possibly at the request of intelligence agencies. With govt nothing surprises me.

Nick P August 9, 2015 11:48 AM

@ Mike the goat

Lol that’s actually a common strategy among “Android hackers.” It was actually part of my strategy for the obfuscation aspect. Would have to be combined with other methods for true security. I was looking at applying work such as SVA-OS and/or Softbound + CETS on native code w/ a compiler for Dalvik that produces safe native apps from them. Enough work for a few Masters and Ph.D. theses so I’m keeping that at the concept stage for now.

“Really interesting in hearing about how far along you are with your silicon ideas? ”

I’ve learned a ton about the field without the mental capacity or background knowledge to actually do anything with it lol. However, it’s still useful in advising specialists on what and how to build. For example, 180nm (MAYBE 130nm) is the best you can target before weird effects start kicking in. The Qflow system already went from HDL to gates for a lot of and should be able to handle it. Those tools always need a library of primitive functions to start with which is usually proprietary. However, there’s reference implementations that are open-source with possibility of proprietary, open-source license for commercial use. Tools such as Chisel in Scala and MyHDL in Python make it really easy to design & simulate the hardware compared to main HDL’s. Analog can be supplied by companies specializing in this. Finally, the prototypes and production chips can be done with multi-project wafers that split mask costs among everyone sharing the wafer with actual chip cost being low from that point on.

The above could be combined into a flow from independently-verified HDL (think C) to low-level RTL (think LLVM bytecode) to gates (think asm) w/ open, process libraries all using open-source tools. At this node, there’s many companies that could make the masks or fab the chips. Diversity to reduce odds of subversion. Past that, porting the design will require specialists and custom tools. My concept is to just build a metric shit-load of I.P. with high-performance and low-power variants on 130nm-350nm with focus on 180nm. Aim for reference implementations of everything critical for useful SOC’s, from Ethernet to caches to CPU functions. Sell it inexpensively to COTS with requirement that submit back any fixes they make when ASIC proving it. Free to academics or individuals for non-commercial use if they submit back any changes they make.

Meanwhile, I found a shortcut for interim. SPARC ISA is mature and well-documented with only a $99 registration fee for implementations. Gaisler makes both regular and rad-hard SOC’s using SPARC while also releasing the source for much of it. The processors are parameterized as such that you generate a custom SOC for your needs. So, modify if for security against code injections or leaks using what academics already published. Use Leon3 or Leon4 with plenty cache for performance reasons. Have experts use Qflow plus few commercial tools they desire to put that I.P. on 180nm with MPW’s. Once solid, do board designs with gEDA and prototype them. Put microkernel or modified Linux/BSD w/ CPU security support on that. Optionally have ChipWorks, etc tear it down if you think something was swapped. Now, you have a system validated from HDL and source down to gates and assembler with strong protection against attack + the typical tools. Keep building on this in parallel until custom, un-hindered I.P. is developed and even mix them as desired.

First run done commercially should cost a few hundred K to low mil + licensing tops. Done academically with their discounts even less. But we want to sell it so that’s not reasonable. Overall approach, since process node is weaker, is to copy Cavium’s RISC CPU’s plus plenty accelerators approach. The most common usages have hardware acceleration. Raises the chip cost slightly to get a much better user experience. First usage of these are trusted terminals, root-of-trust for network, VPN’s, and guards.

Justin August 9, 2015 3:36 PM

@ Buttshark attack

Yeah, yeah, yeah, just shut up already. It’ll all work itself out.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.