Mickens on Security

James Mickens, for your amusement. A somewhat random sample:

My point is that security people need to get their priorities straight. The "threat model" section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic: there are elaborate narratives and grand conspiracy theories, and there are heroes and villains with fantastic (yet oddly constrained) powers that necessitate a grinding battle of emotional and technical attrition. In the real world, threat models are much simpler (see Figure 1). Basically, you're either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you'll probably be fine if you pick a good password and don't respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they're going to use a drone to replace your cellphone with a piece of uranium that's shaped like a cellphone, and when you die of tumors filled with tumors, they're going to hold a press conference and say "It wasn't us" as they wear t-shirts that say "IT WAS DEFINITELY US," and then they're going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere. Also, SANTA CLAUS ISN'T REAL. When it rains, it pours.

Posted on August 28, 2015 at 3:58 PM • 55 Comments

Comments

Anura • August 28, 2015 4:16 PM

I'll read the whole paper tonight, but I don't see the purpose of using HTTPS or end-to-end email/messenger encryption as being to fight against targeted attacks by these intelligence agencies, but about fighting their mass surveillance operations. It's about raising the cost until targeted surveillance is all they *can* do. Targeting specific organizations that are actually a threat is why the agencies exist in the first place (but is not an excuse for deliberately weakening the security of our systems or infrastructure).

Frank Wilhoit • August 28, 2015 4:34 PM

The First Axiom of the Great Forgetting is that the most important things are forgotten first. At any given moment, we can reassure ourselves by taking inventory of the things we still remember; but they are not only growing fewer, they are each becoming less important. All the good stuff is already gone.

Mickens columns are among the higher-value things that we still have.

The crown jewel was the whole hinterland of the understanding that surveillance is ethically invalid.

We a'n't getting that back and everything we may yet do in our time on Earth is counting sawdust. Fortunately, the sawdust, too, diminishes.

Karl Lembke • August 28, 2015 5:27 PM

Uranium's heavy. Unless it's hollowed out quite a bit, I'd notice the difference.

Evan • August 28, 2015 11:16 PM

Mickens' argument is a simplified version of one Bruce has made before: good security practices will defend against attackers who are merely curious or with limited resources; you can never defend against the well-funded intelligence and counter-intelligence agencies of rich countries, against whom the best defense was simply not to be a target of national importance.

There are, however, three problems with this:

1. Even if we can't keep out Mossad 100% of the time, that doesn't mean we should make things easy for them or fail to understand the techniques they may be using to accomplish it. Having to work for our data is one way, at this point probably the only way, to keep intelligence agencies honest. The more time and manpower have to go into getting at your data, the less likely employees are to be able to put it to their own personal use.

2. As cybercrime becomes more profitable and cyberwarfare becomes more economically appealing, the line between the capabilities of Mossad and not-Mossad is going to get blurry. Ex- and even current intelligence employees could make a lot of money selling techniques and packages to paramilitaries, organized crime, private companies, etc; it's only a matter of time before grey or black market products start appearing.

3. The line between political and non-political targets is also going to get blurry. To some extent this is already happening: Russian, Chinese and US intelligence agencies obtain secrets that end up not in their governments' hands but in those of private companies. Additionally, the trend of privatization, outsourcing, and cutting costs with off-the-shelf software means private companies further and further from direct government action are going to be within the sphere of influence, because they host sensitive data, because they interact with sensitive data, or simply because their products are potential vectors for attacks against important targets.

In short, just because you know you won't be able to beat Mossad doesn't mean you shouldn't try.

rgaff • August 29, 2015 1:09 AM

We have to try, because we have to TAKE our right to privacy... nobody's going to just give it to us, we have to take it.

But, currently we're doomed to fail, because all our hardware and software is designed wrong... This doesn't mean we shouldn't try though, it means we have to recognize that we'll need to just keep learning from our failures and learning from our failures, until we eventually succeed (perhaps not in my lifetime, or much later in my lifetime). If we don't try, we'll never learn. So keep trying, failing, and learning, then trying again. It's only the right thing to do.

Thomas • August 29, 2015 1:30 AM

So a guy working for a company late to the "spy on your users" party (but as usual doing an exceptional job catching up) tells us that all we need to be safe is good passwords (which are uploaded to said company's servers and shared with your friends).

Don't know about you, but I'm convinced!

Joe Larabell • August 29, 2015 4:08 AM

Even more important than *who* is attacking you would be the question of whether they are attacking you specifically for a good reason or whether you've been picked at random. A random attack is likely to be thwarted by some pretty simple measures -- all you really need is to put enough obstacles in the way that the bad guys find it easier to pick on someone else. The strong password comes in here because they're not just trying to crack your password but 1000s of passwords at once and they're going to be too busy keeping up with the small percent of people who used "1234" to even get around to your account.

But if you're being targeted specifically by someone who wants to get at YOU, be it Mossad or not, they're eventually going to get through no matter what you do short of encasing your computer in concrete. So in addition to picking a strong password, it's probably a good idea not to piss off the Mossad or the Yakuza or anyone else who might tend to hold a grudge.

Curious • August 29, 2015 5:19 AM

Two quotes about "paranoia":

1) Just because you're paranoid, doesn't mean they aren't out to get you.
2) "Paranoia is just reality on a finer scale." (Strange Days, James Cameron movie)

Prof McDick • August 29, 2015 5:27 AM

James Mickens speech has just been run through a bullshit translator and this is what it came up with:

My point is that working for Microsoft has made me soft in the head and an apologist for the Prison Planet. In matters related to security, I'm blind to cause and effect, symptoms versus etiology.

For instance, I don't understand that the average "threat model" section of a government Stasi intelligence report resembles the script for a telenovela that was written by a paranoid schizophrenic.

There are elaborate narratives - "the lone wolf is everywhere" - and grand conspiracy theories - "ALCIADA, ISIS, AL-NUSRA are a mortal threat to the homeland".

There are heroes: "American Sniper", "Jessica Lynch", and other brainless tools in service to projecting the power of the US military empire. There are also stereotyped Hollywood villains and plots: "We got him (Osama)" and "(INSERT COUNTRY HERE) is part of the axis of evil".

In the real world, these threat models are ridiculous. Basically spooks rarely deal with a statistically improbable event such as a terrorist plot, thus leading them to unleash their paranoid fantasies upon the public in the form of groundless suspicion, monitoring and framing.

If your adversary really is a terrorist, statistics show that they really are likely to get away with it and these systems have hopeless predictive value, but are useful after the fact. MOST HARDCORE TERRORISTS WILL ACHIEVE THEIR AIM AND THERE'S NOTHING THE STASI CAN DO ABOUT IT.*

* Exception: Intellectually/emotionally/mentally challenged persons set up as patsies by the FBI in contrived 'terrorist' plots; a common feature of the modern US 'justice system'.

Die-hard terrorists are not intimidated by the fact that the intelligence groups employ blanket monitoring of communications and various networks. If they want perfect information sharing, then they will forgo all electronic devices and return to a secret and trusted personnel chain for all critical messages.

When the Stasi Omnius electronic brain is dissected upon its grisly death, we will be witness to an enormous cancerous tumour that has eaten the life from the patient - inside-out. The spooks will beg forgiveness and cry "I was just following orders!" as they face a Nuremberg trial wearing shirts saying "IT WAS DEFINITELY US".

Then you'll be able to enjoy cracking open your electronic Stasi files that inhabit the darkest reaches of NSA data centers. Instead of looking at the photos of your vacation and family, you will be seeing your most intimate 'dick pics' and email meltdowns laid bare.

In summary, when paranoia, hubris, delusions of grandeur, neo-con politics, banksters and twisted economics find a common friend in a fascist and militarised corporate state, you know that SANTA CLAUS ISN'T REAL.

When it rains shit, it pours bitchez.

noah • August 29, 2015 8:31 AM

I'm a little surprised at how seriously some commenters are taking this. Did we all read that same paper? Mine says, "Girl Scouts (whose "cookie sales" are merely shell companies for the Yakuza)." Obviously this guy is in the pocket of the Girl Scouts, and trying to throw suspicion off their true backers, the Illuminati. But the password advice seems legit.

CallMeLateForSupper • August 29, 2015 11:02 AM

Entertaining. Thanks.

Approving nod to Mickens' choosing "insipid".

I especially like:

"Security people are like smarmy teenagers who listen to goth music: they are full of morbid and detailed monologues about the pervasive catastrophes that surround us, but they are much less interested in the practical topic of what people should do before we're inevitably killed by ravens or a shortage of black mascara. It's like, websites are amazing BUT DON'T CLICK ON THAT LINK, and your phone can run all of these amazing apps BUT MANY OF YOUR APPS ARE EVIL, and if you order a Russian bride on Craigslist YOU MAY GET A CONFUSED FILIPINO MAN WHO DOES NOT LIKE BEING SHIPPED IN A BOX."

Clive Robinson • August 29, 2015 11:35 AM

@ CallMeLate...,

"..., and if you order a Russian bride on Craigslist YOU MAY GET A CONFUSED FILIPINO MAN WHO DOES NOT LIKE BEING SHIPPED IN A BOX."

Or...

A GLOW IN THE DARK BRIDE from Chernobyl who brings her own caviar that also glows green and is a sight for -- soon to be -- sore eyes.

I used to know someone who married a Russian girl; whilst she was not a super model, her face still makes it into fashion ads etc. Last time I saw him he looked annoyingly happy and contented.

So heads you win tails you lose.

me • August 29, 2015 2:16 PM

"Instead of training for such an event, perhaps a better activity is to discover why a madman is forcing people to swim, then bike, and then run."

Grauhut • August 29, 2015 6:11 PM

Funny rant: NSA, CIA, FBI, none of them named. Maybe Mickens knows them well enough as a M$ guy and fears they could MOSSSAAAAAD him! :)

WDS • August 29, 2015 7:19 PM

I'm new to this guy. Having a hard time deciding if he is serious or trying out for a job with the Onion. Perhaps he could forward a copy of the article to the numerous people in the middle who were not targets of his chosen omnipotent villain Mossad but who nevertheless paid a price for inadequate security, whether the latter be their fault or the fault of organizations with whom they entrusted their private data. Sony and Target come immediately to mind. Anonymous had its 15 minutes neither being the Yakuza (not even being financially motivated at all) nor having to rely on credulous link-clickers. Everyone who ever owned an un-patched install of XP was at risk from hijack by amateur troublemakers at one point. Java applets are dying out in part because of HTML5 and in part because of security issues . . .

No, this guy's article definitely feels like Onion. Or maybe a little Wizard of Oz. "Pay no attention to the man behind the curtain!"

cinical • August 29, 2015 11:51 PM

@ Anura

>It's about raising the cost until targeted surveillance is all they *can* do

Not only in cost but in stake, i.e. risk. I suspect in anticipation the next logical level for mass snooping is watermarking up a notch, not only at endpoints but also in transit. This logically works at all levels, or stacks, and serves as a type of optimization transparent to the end user.

@ Curious

>1) Just because you're paranoid, doesn't mean they aren't out to get you.

I like this better to describe mass watch...

...just because they are paranoid, it doesn't mean they are out to get every you.

This is all giving me the creeps

Curious • August 30, 2015 4:55 AM

@cinical

"...just because they are paranoid, it doesn't mean they are out to get every you."

Mixing in forms of ignorance isn't allowed I'd argue :)

So, confusing 'paranoia' with ignorance in that way shouldn't yield any interesting philosophical points, the same way a statement about "unknown unknowns" doesn't make any sense, also being based on ignorance (lack of knowledge as such).

"...just because they are paranoid, it doesn't mean they are out to get every you."
In this case then I'd say that the purported paranoia of others as expressed there, is ultimately based on ignorance (this case wishful thinking), and void of meaning.

Contrary, I'd say that if wanting to attribute 'paranoia' onto others (thinking of a government to be acting on paranoia, as general trait), the basis would be the belief that a government attribute ill will to a person, which in turn would not be based on ignorance on either party. Alternatively, the notion of attributing paranoia to an abstract entity like an organization or to some group of people, for reasons other than ill will, tends towards total delusion, something that is extremely unlikely, probably even unlikely for so called mentally ill people.

Erik • August 30, 2015 11:21 AM

Ugh. With idiots like this guy working at Microsoft, it pretty much explains why their security is such a mess. Yes, yes, we get that if Mossad or the NSA wants our stuff there's nothing we can do. And, yes, yes, we get that not clicking every link that promises a free iPad or super-secret penis-enlargement pills goes a very long way towards staying secure. But... as security people, guess what? We have to keep the world safe (or as close to safe as possible) for people who *do* click on stupid links and open stupid attachments and try to browse interracial bisexual midget pr0n from their office PCs. Because their jobs are so stressful they need to share their stress with us or something like that. Or at least that's what the problem was a few years ago.

Guess what? Now, the criminals are smarter. We get some pretty decent spear-phishing attacks that are not-quite-good-enough to look hand-crafted, but still very, very close: industry-specific (or even vendor-specific), targeted at almost the right people within the organization. They look like they might work on occasion against someone with a normal IQ. It's not just idiots browsing sites they shouldn't at work, it's some perfectly conscientious person who visits a site that vomits a malware ad onto their browser window. This isn't movie-plot paranoia, it's stuff we see on a day-to-day basis. So, new encryption methods and isolation techniques and antivirus software and whatnot aren't magic bullets to make this stuff go away, but intelligently applied they can help mitigate some of the risks, make certain attacks more obvious, and generally raise the costs for the real-world bad guys - who tend to not lag too terribly far behind Mossad. They don't play as rough in meatspace, but they wield a mean cyber-shiv (and that is probably the dorkiest sentence I'll write this month). Add up enough of this newfangled security stuff (after weeding out the snakeoil and numerous solutions looking for problems) and the people you're working to protect ... still won't be perfectly protected, but they're no longer the low-hanging fruit. Someone with enough money and resources can still get to them, but we can at least make it more of a hassle for the criminals. Absent specific personal / political motivations, criminals almost always go for the easy money.

So anyway, James Mickens, you're right about one thing: if everyone was as smart as you, cybercrime would be almost nonexistent. But that premise is more ridiculous than the most outrageous scenario ever concocted by some infosec schlub.

keiner • August 30, 2015 11:37 AM

This is EXACTLY the "security" philosophy I thought to find inside this Microtrash company. See Windows 10 EULA, see Skype and other nonsense compromising privacy and data integrity.

No surprise at all...

Road Runner • August 30, 2015 5:55 PM

Choosing Mossad to represent the high level threat in this argument is a clever trick. We all recognize that Mossad is a top level attacker, but probably relatively few of us consider ourselves to be particularly interesting as targets to Mossad. But why use the example of Mossad rather than say the NSA, China, or Russia? Because we have all come to understand that unlike Mossad, we are all targets of the NSA, and many businesses are targets of Chinese and Russian government and private hackers of the highest level. The NSA should be in everyone's threat model. Even members of the US government, such as some Senators, have learned that they must have the NSA in their threat model. Everyone seems to be forgetting President Nixon's bugging of the Democratic offices and the extreme danger that a government out of control like that could be. That's a bigger threat than the terrorists because it could destroy nearly the whole country rather than a few buildings or cities.

But we should not consider the NSA, Mossad, and other top level threats to be omnipotent. Osama Bin Laden survived ten years as the number one target of the world's most advanced attacker, before they managed to get a piece of metal into proximity of his head. And if you're not a particular target of these high level attackers, you stand a reasonable chance of defeating their mass spying with simple encryption.

Our only hope for strong security is to fabricate our own integrated circuits at home or at the house of the friendly neighborhood geek. It sounds hard but I think it is possible to make sufficiently powerful chips with public key cryptographic accelerators for text, and maybe voice communication. An individual or small group probably can't do it. It might take a lot of open source collaboration in home made chip fabs to make it happen. The next level to aim for would be chips powerful enough to run something like Tor and a simplified version of HTML. Chips to do video may be beyond home fabrication.

Of course we also need a new operating system designed from the ground up for security. It must be extremely simplified to have any hope of achieving good security. Operating systems like Linux and OpenBSD are too complicated to ever have any hope of being secure.

fred • August 30, 2015 8:34 PM

@ Curious
"I'd say that the purported paranoia of others as expressed there, is ultimately based on ignorance"

Well said!

Daniel • August 30, 2015 9:42 PM

@Evan

My thoughts exactly, especially on #2 and #3

I simply don't buy the thesis that there is Mossad and not-Mossad. Which camp, for example, does The Impact Team fall into? (The person(s) who did the Ashley Madison hack.) Mickens may be trying to be funny but I think what he really breeds is passivity, not laughter. "Don't worry about computer security because most people are too stupid except the 1% who are brilliant, who you can't do anything about." So don't worry, be happy until your data gets into the hands of hackers, then kill yourself.

Curious • August 31, 2015 3:41 AM

@Fred

Hehe, I think you might perhaps have misunderstood me (it is unclear to me because your reply was very brief).

What you quoted of me was an opinion referring to what someone else wrote that I had quoted.

My point was not that thinking of others being paranoid is something that is based on ignorance as such. Whether or not it can even be said that someone else is so called paranoid (could be anything from ignorance to arrogance on the part of myself), is not the interesting point, the interesting point there is having related to the world off someone else's opinion, whereby having assumed, both, that someone else is paranoid AND in the same turn precluding that others aren't out to get you, ending up being two self serving points with no explanation. Basically making a point off of another point, is a no-no, because it doesn't bring clarity to the context, and because it doesn't explain the context for which an opinion was stated (and in that case I shouldn't have to guess).

This all ofc. isn't about others in the literal sense, as if whether or not somebody somewhere is paranoid, or if somebody somewhere is out to get me/you; my comments are really about how one for better and for worse creates meaning off of conceptual metaphors.

If I wanted to think of somebody else as being paranoid, and/or even somebody out to get me, I could ofc. do that for a variety of reasons which may or may not make much sense, simply having an imagination is afaik not a crime anywhere.

fajensen • August 31, 2015 3:58 AM

So, what happens when people who used to work for Mossad / CIA / NSA / FSB pen-teams go private and set up their own little malware injection business?

I am more concerned about those Private Enterprises, than I am about The Organisation. Especially those of the people who got fired for a reason!

Agate • August 31, 2015 8:37 AM

Wow. You guys need to find a sense of humor somewhere. This is a frustrated comic rant, not a serious security proposal.

Ulf Lorenz • August 31, 2015 10:54 AM

If you strip all the denigrations (which are probably meant to be funny, but whatever), what comes out is basically a practical person not understanding research. This is disturbingly similar to certain senators handing out negative awards for "fruitfly research" and similar misconceptions.

So just to set the record straight:

Researchers do not research things that are useful, but things that are interesting or doable. An overlap is nice, but that is just _one_ motivation. As a consequence, you do not know in advance what you will get. In short: Diffie-Hellman key exchange was not invented for the needs of online shopping, but because the principle is cool.

Abstracts/Introduction sections in articles ideally highlight the state of research and former work. Nowadays, they also serve to present to administrators why this research is incredibly applied even if it is not. In short: Do not take everything in there at face value.

The research he denigrates in examples is largely below what he deals with. I.e., it does not care about implementing a public key infrastructure, but describes the black box below (how you actually encrypt/hash/...). Which makes the article even more bizarre.

jbmartin6 • August 31, 2015 10:57 AM

This article is hilarious on many levels, and is quite on point with some of the problems in the security community. My favorite quote "Even worse than the PGP acolytes are the folks who claim that we can use online social networks to bootstrap a key infrastructure. Sadly, the people in an online social network are the same confused, ill-equipped blunderhats who inhabit the physical world." He is dead on target that security advice typically has a usability problem along with a complete lack of perspective on real world threats.

Jim Lippard • August 31, 2015 11:50 AM

I agree with Agate and jbmartin6. If you can't find either the humor or the serious points in this piece, go read Peter Gutmann's Engineering Security and Ross Anderson's Security Engineering, both free online.

tcmJOE • August 31, 2015 5:22 PM

Wow, the number of commenters here that can't see the joke...

Security is SRS BSNS!

Figureitout • August 31, 2015 10:27 PM

All I gotta say is password research is boring as hell, if you have the resources of MS at your disposal then why not use it for something more meaty and interesting? Let me make it easy for the guy, there is no way to make good passwords that are human-rememberable. Passwords need to be copy/pasted into login screens from something like an encrypted USB stick if you want to have a life outside of manually typing 64 char + passwords in login screens for your life, this doesn't work for something like my school login passwords (tried); so a bunch of people will use 8-12 char passwords based off my observations.

And people who seek some of the ultra-secure solutions to threats that seem ridiculous, there's reasons for that. Get attacked by some of these people and you'll see why. If they run into a target that can repel that attack the first thing an attacker may think is "did I just hit a honeypot" or "what does he/she know" and "will there be a counter attack?". If people aren't wasting these attackers' time like this, then they can cause more damage elsewhere.

Even the Mossad hitmen got caught on camera one time so yeah, that was nice for other people to note their faces.

Figureitout • August 31, 2015 11:14 PM

Oh I forgot, after copy/pasting your password, open up a text file and type as much garbage as possible then copy it, then paste it 5-10 times, then copy it again. This is to deal w/ the copy/paste buffer that should be cleared. You have to do this each time...lol

MrTroy • September 1, 2015 12:24 AM

@Thomas,

"So a guy working for a company late to the "spy on your users" party (but as usual doing an exceptional job catching up) tells us that all we need to be safe is good passwords (which are uploaded to said company's servers and shared with your friends).

Don't know about you, but I'm convinced!"

Not the point I got out of that one. I felt like he was complaining at so much time being spent on impractical (assume that a public key cryptosystem exists) or niche () matters, when we haven't even gotten passwords right.

In the second half, he seems to be commenting that any paradigm that relies on programmers getting everything perfectly correct... is broken (Another myth spread by security researchers is that the planet Earth contains more than six programmers who can correctly use security labels and information flow control (IFC))

I read it the other way around: if we could get passwords right (for the average Joe), that's a good part of the battle won.

GNUtoo • September 1, 2015 5:55 AM

not-Mossad:
-----------
The threat model seems oversimplistic here; just picking a good password isn't going to work if the computer the user is using is already compromised by malware.

The user with the "not-Mossad" threat model has to take care of the computers she is using. Else bad things will probably happen. Computer shops deal with that kind of threat model on a daily basis.
Example: Foo installed a program to do Bar on my computer and we got a virus.

That of course assumes that this user doesn't care about privacy, and will face the consequences of that lack without knowing it.

"Half-Mossad":
--------------
Else the user has to worry about doing all she can against a non-targeted "Mossad"-like threat model. In practice that might mean doing very little, but this very little is really important, because computer users at large will benefit from it: it changes the economics of the game.

"Mossad":
---------
This is over-exaggerated too; people having to deal with that threat model are still alive (Snowden, Jake Appelbaum, Laura Poitras, maybe also Glenn Greenwald).

"Near-Mossad":
--------------
The threat model I'm mostly interested in, along with Half-Mossad. Like "Mossad", but without having to physically hide.

Would the following be enough to cope with it?
* Boot security:
-> The main computers being used have a 100% free software BIOS replacement (Libreboot).
-> If powered on, the computer drops into GRUB, which prompts for a password to do anything; without entering the password the user can only power off the computer physically, which leaves a trace. The password is checked with "pbkdf2". The idea is to prevent the attacker from reflashing the BIOS replacement.
-> When the password is entered, the user can then do whatever she wants, like booting.
-> The HDD has 1 GPT partition.
-> That partition is totally encrypted (no /boot in clear); to boot, GRUB opens the encrypted partition and loads the kernel and initramfs from there. The user enters her password to boot.
-> To avoid typing the password one more time, the key is in the initramfs, which is already in the encrypted partition.
-> This BIOS replacement's integrity is easy to check: in its normal operation it doesn't write to the flash chip, so the sha512sum is consistent across reboots.
-> The best way to check the integrity is to compare the hash obtained with flashrom -p internal -r coreboot.rom with a dump that is obtained through an external programmer: if there is malware hooked into the BIOS replacement, it can't hide with SMM/SMI this way. Else the hash would differ.
* Physical security:
-> Nail polish with glitter combined with glitter glue (high entropy) on the important screws. Protects the flash chip, the RAM, the HDD (that makes the attack way less easy, and dumping the encrypted HDD unnoticed is way harder).
-> Pictures of the nail-polished screws are taken each time the laptop is sealed back.
-> Ideally they are checked before each boot; that prevents swapping the laptop once. Checking them often but not at each boot still works if the HDD is well protected: the HDD can't be cloned easily.
-> The computer is physically inspected before sealing it.

OS and userspace:
-----------------
* 100% free software GNU/Linux distribution.
* Interfaces with DMA disabled: Firewire, PC-card kernel modules not loaded.
* Light or no MAC security framework due to graphical applications not being sandboxed well.
* Reduction of the attack surface: Tor-browser with the security setting at the maximum.

Caveats:
--------
* No distribution has 100% reproducible builds coverage yet. Some BIOS replacements have (Coreboot, soon Libreboot, U-Boot).
* If the laptop is stolen while it's on => game over (the attacker will dump the RAM), unless the laptop is programmed to shut down after some time. In that case the attacker has that time to patch SerialICE to add support for your laptop and dump the RAM.
* Other chips with non-free software can betray you, like the embedded controller, unless you have free software running on it. Potential scary uses: transmitter (the Thinkpad EC has a huge wire to the "ThinkLight"), keylogger (power analysis?).

Bonus:
------
* Resists chip-level analysis since it requires getting around the seals to open the laptop.

Questions:
----------
* Is the standard LUKS cipher (aes-xts-plain64) but with 512-bit keys enough: does it protect against tampering to modify or replace the kernel in a cipher stream? Does that resist an active attack by the HDD firmware that would watch and/or modify what is being written in real time?
* Is the lower attack surface sufficient to cope with JTRIG/TAO-grade attacks?

Denis.
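The comment above proposes hashing a flashrom dump taken from the running system against one taken with an external programmer. A whole-image hash only says that the two differ; the added example below (my code, not Denis's or any project's) compares the dumps block by block and reports where they differ, so an operator can tell a region they have declared volatile (for instance a firmware's own settings area) apart from an unexpected change in the boot code. The 4 KiB block size, the `volatile_blocks` parameter and the two sample images are assumptions constructed for the example; on real hardware the images would be the files flashrom wrote.

```python
"""Block-wise comparison of two firmware dumps (added example)."""
import hashlib
from dataclasses import dataclass

BLOCK = 4096  # report granularity; 4 KiB matches common flash erase blocks (assumption)


@dataclass(frozen=True)
class BlockDiff:
    index: int       # block number
    offset: int      # byte offset of the block in the image
    sha256_a: str    # hash of the block in image A (e.g. internal read)
    sha256_b: str    # hash of the block in image B (e.g. external programmer read)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_images(img_a: bytes, img_b: bytes, block: int = BLOCK) -> list:
    """Return one BlockDiff per block whose contents differ between the dumps.

    A size mismatch is treated as an error rather than a difference: it usually
    means a misread chip or a wrong chip definition, not a firmware change.
    """
    if len(img_a) != len(img_b):
        raise ValueError(f"size mismatch: {len(img_a)} vs {len(img_b)} bytes")
    diffs = []
    for offset in range(0, len(img_a), block):
        a = img_a[offset:offset + block]
        b = img_b[offset:offset + block]
        if a != b:
            diffs.append(BlockDiff(offset // block, offset, sha256_hex(a), sha256_hex(b)))
    return diffs


def verdict(img_a: bytes, img_b: bytes, volatile_blocks=frozenset(), block: int = BLOCK):
    """(ok, diffs): ok is True only when every differing block was declared volatile."""
    diffs = compare_images(img_a, img_b, block)
    ok = all(d.index in volatile_blocks for d in diffs)
    return ok, diffs


def make_sample():
    """Constructed sample: a 64 KiB 'flash' image and a copy with one byte changed at 0x5000."""
    base = bytes((i * 7 + 3) & 0xFF for i in range(64 * 1024))
    tampered = bytearray(base)
    tampered[0x5000] ^= 0xFF
    return base, bytes(tampered)


if __name__ == "__main__":
    internal, external = make_sample()
    ok, diffs = verdict(internal, external)
    print("whole-image hashes equal:", sha256_hex(internal) == sha256_hex(external))
    for d in diffs:
        print(f"block {d.index} @ 0x{d.offset:06x}: {d.sha256_a[:16]}... vs {d.sha256_b[:16]}...")
    print("verdict:", "OK" if ok else "UNEXPLAINED DIFFERENCE")
```

Declaring a block volatile should be a deliberate decision recorded next to the dumps; the default (no volatile blocks) means any difference at all fails the check.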

NixSeptember 1, 2015 11:58 AM

Ulf Lorenz, James Mickens works at Microsoft Research. He is a researcher. He understands research, and this is intentionally over-the-top humour, which a lot of commenters here seem to fail to grasp, for reasons which entirely escape me. Criticising this as not being a serious security proposal is like criticising _A Modest Proposal_ for economic illiteracy while failing to note that it proposes eating children.

(My personal favourite of his wonderful ;login: columns has to be The Night Watch. This is someone who has spent a long time in the dark pits of operating systems work.)

DanielSeptember 1, 2015 2:48 PM

@Nix

No, you're letting your schoolboy fandom blind you. The problem isn't that Mickens fails to be funny, the problem is that he is wrong. The points he tries to illustrate with his over-the-top mockery are simply incorrect.

That's how his sarcasm is different from Swift. Swift's mockery works because at an underlying level Swift is correct--the way the poor were treated in Ireland was abominable. It's the truth that gives Swift his bite.

Mickens isn't funny, he just looks like a tard, because he's wrong.

TSeptember 1, 2015 3:13 PM

Thanks!!!!!!

That is THE BEST Laugh I've had in a long while!!!
PW's are one of my biggest pet peeves and 'needs major breakthrough NOW' topics, right up there with battery life.

Hey, I loved Schneier's PWSafe on Windows, but haven't seen it ported to Mac.
By the way, any idea how it held up in the light of just about everything we use being vulnerable to the nsa?

RusstopiaSeptember 1, 2015 4:29 PM

I stopped reading as soon as I saw that all he wanted was a way to generate "...strong yet memorable passwords". The two are almost diametrically opposed. If one can remember them too easily, they're NOT STRONG.

Gerard van VoorenSeptember 1, 2015 4:40 PM

@ Russtopia

> If one can remember them too easily, they're NOT STRONG.

On the contrary. They only need to be long.

glass beer yummy empty

for instance. See XKCD 936.
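The exchange above turns on whether a memorable passphrase can also be strong. As an added example (my code, not the commenters' or any project's), the script below generates passphrases with the `secrets` module and computes the entropy an attacker has to brute-force, which depends only on the word-list size and the word count, not on how easy the words are to remember. `WORDS` is a small constructed list for the demo; the 7776 figure is the size of a standard diceware list and is used to compare a four-word passphrase against an eight-character random alphanumeric password.

```python
"""Passphrase entropy versus memorability (added example)."""
import math
import secrets

# Constructed 16-word list for the demo; a real diceware list has 7776 words.
WORDS = [
    "glass", "beer", "yummy", "empty", "river", "candle", "orbit", "maple",
    "pillow", "anchor", "velvet", "thunder", "garden", "copper", "lantern", "meadow",
]
DICEWARE_SIZE = 7776          # 6**5 entries, one per five-dice roll
ALNUM_SIZE = 62               # [A-Za-z0-9]


def entropy_bits(n_items: int, alphabet_size: int) -> float:
    """Entropy in bits of n_items drawn uniformly and independently from alphabet_size choices."""
    if n_items <= 0 or alphabet_size <= 1:
        raise ValueError("need at least one pick from at least two choices")
    return n_items * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int, wordlist=WORDS, sep: str = " ") -> str:
    """Uniform random passphrase; secrets.choice uses the OS CSPRNG, never random.random."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_schemes() -> dict:
    """Entropy of a few common choices, so the memorable one can be judged on numbers."""
    return {
        "4 words, 7776-word list": entropy_bits(4, DICEWARE_SIZE),
        "8 random alphanumerics": entropy_bits(8, ALNUM_SIZE),
        "words for 80 bits": words_needed(80, DICEWARE_SIZE),
    }


if __name__ == "__main__":
    print("sample passphrase (from the small demo list):", generate_passphrase(4))
    for label, value in compare_schemes().items():
        print(f"{label}: {value:.1f}" if isinstance(value, float) else f"{label}: {value}")
```

The point the numbers make: four uniformly chosen diceware words (about 51.7 bits) beat eight random alphanumeric characters (about 47.6 bits), and the passphrase is the one a person can actually remember. The strength claim holds only while the words are chosen by a CSPRNG; a phrase a human picks is not uniform and its entropy cannot be computed this way.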

Dirk PraetSeptember 1, 2015 8:05 PM

> Basically, you're either dealing with Mossad or not-Mossad.

The entire piece reads as an elaborate brainfart to out-rant Mary Ann Davidson. Perhaps he just ran out of coffee on a rainy Monday morning or accidentally caught his son dressed up as a cheerleader doing a Britney Spears routine in the attic.

TSeptember 1, 2015 8:47 PM

It's JUST FUNNY YOU ASSHOLES!
It's JUST FUNNY.

Life is miserable and hard, this is FUNNY.

Jeez, you'd hope smart people would get it.

WaelSeptember 1, 2015 10:35 PM

> The "threat model" section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic

Hmmm... Where have I seen this before?

@T,

> Life is miserable and hard

I hear you.

@Dirk Praet,

> accidentally caught his son dressed up as a cheerleader doing a Britney Spears routine in the attic.

As @T said, life is miserable and hard ...

WaelSeptember 1, 2015 10:53 PM

@Nick P,

> How did I know what was at the other end of the link..

Because schizophrenic minds think alike[1] ;) Thank you!

[1] Both minds are in the same skull, of course :)

BuckSeptember 1, 2015 11:49 PM

@Wael

In the same skull!? Seems like but a tiny slice of our conscious universe to me...

Perhaps a motivational speech from another mind than mine can provide more clarity than I!

> In a public lecture in Stockholm, Sweden, Prof Hawking said: "If you feel you are in a black hole, don't give up. There's a way out." He said he had discovered a mechanism "by which information is returned out of the black hole."
Stephen Hawking: 'If you feel you are in a black hole, don't give up. There’s a way out.'

WaelSeptember 2, 2015 1:55 AM

@Buck,

> ... There is a way out ...

Thank you! Strange you mentioned a space object. I usually look at the sky and the stars (I saw your recent "full moon" post earlier), then I think of how vast the "observable" universe is. It's around 14 or so billion light years across, roughly the same age as the universe. Then I think of the size of some stars compared to earth. Take a star like VY Canis Majoris which is about the size of one billion Suns, or UY Scuti which is around 5 billion times the size of our sun... And you can fit one million earths inside our Sun, then you'll get a feel for our "insignificance".

How large is earth compared to other objects: https://m.youtube.com/watch?v=Bcz4vGvoxQA

And... We're not sure how large the universe is ... https://www.cfa.harvard.edu/seuforum/howfar/howbig.html

If you're upset, see how significant we are: https://m.youtube.com/watch?v=1Eh5BpSnBBw

And without black holes, we wouldn't even be here. At least so the story goes.

This is unrelated, it's just an observation: Even galaxies collide and "pollinate" to keep the universe alive, just like animals and plants do.

Of course if you want to feel "better', then look at the other direction of the size axis.

adanteSeptember 2, 2015 6:39 AM

For more of the same, check out his recent talk: Not Even Close: The State of Computer Security.

Blurb is below: In this bleak, relentlessly morbid talk, James Mickens will describe why making computers secure is an intrinsically impossible task. He will explain why no programming language makes it easy to write secure code. He will then discuss why cloud computing is a black hole for privacy, and only useful for people who want to fill your machine with ads, viruses, or viruses that masquerade as ads. At this point in the talk, an audience member may suggest that Bitcoins can make things better. Mickens will laugh at this audience member and then explain why trusting the Bitcoin infrastructure is like asking Dracula to become a vegan. Mickens will conclude by describing why true love is a joke and why we are all destined to die alone and tormented. The first ten attendees will get balloon animals, and/or an unconvincing explanation about why Mickens intended to (but did not) bring balloon animals. Mickens will then flee on horseback while shouting “The Prince of Lies escapes again!”

AlexSeptember 2, 2015 7:31 AM

Also, if Mossad (or whoever) can get into your stuff by guessing passwords or using some buffer overflow that showed up in Metasploit last Christmas, guess what? They will, rather than go to great expense of time and money and risk showing off their latest and greatest tricks.

Mossad is a bad example here because we know for a fact they are in the habit of compromising random individuals' security for their own purposes - specifically, they have been repeatedly caught using stolen, forged, or entirely counterfeit passports in the names of random foreigners as cover identities, notably to carry out an assassination in the UAE a few years back. This resulted in several cases where friendly states, the US and UK included, issued a diplomatic note protesting this behaviour.

They're not going to hack quantum physics to get a look at your passport, but you don't want to let it out of your sight around anything they influence unless you like the idea of being the prime suspect in a murder in some far off country.

BoppingAroundSeptember 2, 2015 9:11 AM

T,
If one has to remind that it's 'funny' in all caps, then perhaps it's actually not.

Not funny, that is.

WhatsTheBigDealWithIsraelSeptember 2, 2015 1:33 PM

I'll just chime in and agree with others, that clearly there is no worthwhile humor here. In part due to the mistaken premise, i.e. mossad vs non-mossad. Clearly the real threat models should address the full spectrum, not just two arbitrary points, that if accepted as the only states, only serve to instill learned helplessness. Though certainly bringing light to how the casual acceptance of state assassination has perverted the entirety of the situation is quite useful. Much as I view the Hillary private email server stuff as part of some massive cyberdisinformation campaign, the parts where Hillary capitalized "Jewish state" and "Promised Land" I did find interesting. I guess politicians have to body surf a wave of historical ...

Ulf LorenzSeptember 3, 2015 10:08 AM

@Nix:

Your first point is correct, I should have written "practical person not understanding basic research".

Regarding the humor: The text has so much humor that you have to carefully parse a whole paragraph for the information content of one sentence. And he repeats himself a lot. I consider that not funny, but tedious and annoying. I am aware that this is an issue of taste, though.

As for the rest, I do not criticize Mickens for not supplying a security proposal, but that he is simply far off the mark for about half of his text, where he makes fun of security papers.

Peter GerdesSeptember 4, 2015 6:29 PM

I think part of the problem is that while there is great value in making sure your crypto system is secure even against very capable enemies it is not socially acceptable to recognize this value.

Like the 4th Amendment, the real value of strong crypto systems is that it makes it really hard for the government to enforce certain kinds of invasive laws punishing consensual private behavior. That creates a bulwark against the kind of tyrannical behavior the English engaged in before the revolution. The framers were worried about a tyrannical government rifling through people's papers and using them to charge them with sedition or treason, not Stasi-style mass surveillance that couldn't even be imagined at the time. Even now the fact that we care greatly about the police being able to check in on you to see if you are doing something illegal while shrugging about the access (and vulnerabilities) companies have to our digital lives is quite suggestive.

However, it's not socially acceptable to claim the 4th Amendment is important because it makes it hard to prosecute criminals. Similarly, it's not acceptable to point out that crypto is valuable because it obstructs the government's ability to imprison people for contributions to projects like WikiLeaks (or drugs for that matter).

Admitting out loud that you value the ability to resist the enforcement of valid laws is a losing position. Either you are damned because you admit support for lawbreakers leaking classified documents or you are damned because you only have vague concerns about some possible future abuse to weigh against your admission that it aids lawbreaking.

Sancho_PSeptember 5, 2015 6:17 PM

@Peter Gerdes

I’m not sure if I understand what you mean by “not socially acceptable” but I have a bad feeling reading your post.

If “socially” here means “living together, group, community of humans” I’d assume (from your nick) your focus is at least on the mainstream of the so called “western” culture.
So there is a huge area of conduct we would deem as “not acceptable”, from slavery, bigamy, murder, …, down to lesser crimes, until finally arriving in murky waters like burping and farting whilst having dinner.

Mind you, there is a schizophrenic touch in our western thinking as the basic “Anti-social behaviors are actions that harm or lack consideration for the well-being of others” [Wikipedia].
But we admire the rich, accept banksters, endure politicos and enjoy sex and crime on TV (let alone the computer games).

So it’s not easy to decide but I can’t see any link between secure crypto systems (a very technical term) and “social acceptance” because of their far distance.

Also your denying the social value of the 4th amendment is strange, on the contrary, I guess there is no culture on earth where the community would not support the basic idea of undisturbed privacy.

To make my point:
Unreasonable searches and seizures are “not socially accepted”.
The gov has to obey the law, other conduct is “not socially accepted”.
Eavesdropping, whoever does it, is “not socially accepted”.

A private conversation is private.
When I privately talk to my wife, friend, priest, lawyer: It is private.
A private communication is freedom, not crime.

LE never had, just in case, micros in my house for “the enforcement of valid laws”.
They’ve never opened and searched all letters for “the enforcement of valid laws”.

There is no reason they should be allowed to do it today.

Encryption is a safety feature against “not socially acceptable” behavior.

PontiferousPontooferousPontoonOfPoigniantPlattitudesJanuary 26, 2017 7:00 PM

I can't believe I'm reading such remarks on a Security blog in a post Snowden world. Yes, the government is watching you and with the amount of information it can acquire through privately built owned and maintained infrastructure (lines, servers, data collection tech like your phone), it can insert itself into your daily life and the lives of others in a coordinated fashion to move society. The costs associated with the intelligence operations commonplace during the Cold-War have dropped precipitously, perhaps orders of magnitude more than the drop in computing costs and consequent drops in administrative costs for the civilian population over the same period. Rather than maintaining their operations at a lower cost, or reducing activity in lockstep with a threat reduction, we have increased our expenditure and have generated even more radical possibilities, at feasible relative costs, from the sheer scale of these new operations.

Based on my observations I'll make a hasty generalization that attacks most readers, so as to reduce my credibility and obfuscate the key issue that I've purported: Most computer types are unskilled at using their imagination to extrapolate beyond the limits of their understanding of how the mechanisms of said phenomenon function. They take pride in their myopia and pound their chests and hark 'pragmatism' for their being grounded in rationality, as if a reactionary rejection to the ambiguity of an Orwellian present were a badge of their superiority. You guys are dumbasses if you think you're safe, but stop worrying about it and just live. Be alive, be creative, build, create, explore, that's all we ever have.

Back to ambiguity: it's inherent in the system. Stop being doltish propellerheads or at least have the humility to realize the domain-specificity of your cognitive calibration. The reality is: even for the now-sentient government-corporate hive-mind-body, the world operates at a dizzying level of complexity that is characterized by its inextricable incomprehensibility. We'll be fine for now, John Calvin's Newtonian dream has become our nightmare materialized, Calvin has become John, but the jaws of this shining tentacled beast have not yet clamped down upon that which makes us authentic, and that it and the Sartrean embodiment of its actors not. The duality continues its spyyyyyy rrrrrrroooooooow
