Friday Squid Blogging: Giant Squid Sculpture at Burning Man

It looks impressive, maybe 20-30 feet long:

“I think this might be the coolest thing I have ever built,” said Barry Crawford about his giant, metal squid that was installed at Burning Man.

The sculpture is entirely made of found objects including half of a dropped airplane tank and a metal vegetable strainer. The eyeball opens and closes and the tentacles can be moved by participating viewers.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags:

Posted on September 18, 2015 at 5:47 PM168 Comments

Comments

Amazon Revealing Customer Identity September 18, 2015 6:06 PM

Amazon billing account names are being displayed in every review or comment you’ve made ever made. I verified it on my screen today, but it was intermittent.

This hack allows Big Data to data-mine our most objective and critical thoughts with verified identities. Very disappointing.
Sadly I’ve lost all trust in Amazon…

name.withheld.for.obvious.reasons September 18, 2015 7:11 PM

During today’s, 18 Sept 2015, congressional session of the U.S. House of Representatives, floor votes on several bills on the calendar regarding Planned Parenthood were held. During the debate period there was an interesting argument given specifically respecting Plan Parenthood’s behavior that “made necessary” the need to suspend funding in lieu of an investigation into wrongdoing. The whole statement held as arguments for action could have replaced the original organization “Planned Parenthood with “DoD”.

The issue of innocents being killed, the gruesome methods of death (think of drone strikes on children) that the government was spending money on an organization involved in the death of these innocents. This along with several other statements would, no analogy is required, make de-funding the DoD possible while a investigation is held regarding the alleged criminal behavior.

Pulling the text directly from the congressional record will be simple enough, I will use that to completely restate the arguments made on the floor of the house and feed it back to them.

These statements were made by the Republican representing the committee of record (in control of the bill debate time), it will be trivial to establish the same argument to suspend funding of DoD for one year while a congressional investigation (potentially criminal) in an effort to the reach the facts. Given that Republicans call for action in the moral issue of abortion, in the case which directly parallels this moral assertion, I am certain the response will shed light on the hypocrisy is that is party politics in the United States, and in this case the Republican party.

Milo M. September 18, 2015 9:05 PM

The head of the Temple University physics department was indicted 4 months ago for wire fraud in a case involving illegal technology transfer to China.

Last Friday the government dropped the charges.

http://www.nytimes.com/2015/09/12/us/politics/us-drops-charges-that-professor-shared-technology-with-china.html

“The schematics, prosecutors said, revealed the design of a device known as a pocket heater. The equipment is used in superconductor research, and Dr. Xi had signed an agreement promising to keep its design a secret.

But months later, long after federal agents had led Dr. Xi away in handcuffs, independent experts discovered something wrong with the evidence at the heart of the Justice Department’s case: The blueprints were not for a pocket heater.

Faced with sworn statements from leading scientists, including an inventor of the pocket heater, the Justice Department on Friday afternoon dropped all charges against Dr. Xi, an American citizen.

It was an embarrassing acknowledgment that prosecutors and F.B.I. agents did not understand — and did not do enough to learn — the science at the heart of the case before bringing charges that jeopardized Dr. Xi’s career and left the impression that he was spying for China.”

Rather than bringing espionage charges, DOJ built a case on wire fraud.

http://articles.philly.com/2015-05-24/news/62549623_1_xi-china-u-s-defense-department

“The six California defendants face charges of economic espionage, which requires prosecutors to prove the thefts were carried out to help a foreign government.

Xi’s four counts of wire fraud for violating his contract with the unnamed U.S. company requires no such proof, even though federal authorities list China’s government as one of the entities with which Xi sought to share the sensitive technology.”

http://www.aps.org/publications/apsnews/updates/xicharges.cfm

“The government’s case, Xi’s legal team says, relied on a flawed understanding of the science and technology underpinning Xi’s work. On August 21, Xi’s legal team made a presentation to the government outlining problems with the case, and later provided them with a draft of a motion to dismiss. “These weren’t problems that made the case weak; these were problems that made the case against professor Xi nonexistent,” says Peter Zeidenberg, Xi’s lawyer.

According to Xi’s team, the devices he shared with colleagues in China were not the STI Pocket Heater, but two different magnesium diboride heaters, including one of his own invention. That these were wholly different devices is confirmed by affidavits provided to APS News by Zeidenberg, including one written by Ward Ruby of Shoreline Technologies, a co-inventor of the Pocket Heater. Additional expertise that Xi offered to share with Chinese researchers, in emails presented as evidence in the case, was focused in another area of research entirely—oxide thin films, Zeidenberg says.

“What he was engaged in was routine academic collaboration,” says Zeidenberg. Following the presentation, the government moved to drop the charges on September 11. The U.S. Attorney’s Office in the Eastern District of Pennsylvania had no comment on the case.”

They not only had no comment, they issued to public statement at all.

http://www.justice.gov/usao-edpa/pr

If this is the first team protecting us from espionage, industrial or otherwise, it is disturbing.

Dr. Xi may get his department chairmanship back, but his reputation will take longer to heal. And his research group, including a lot of graduate students, will likely lose a lot of grant money, since their leader couldn’t work with them to apply for new grants.

There’s no doubt that there is persistent espionage from China (and from France, the UK, Russia, and lots more) that needs to be countered. But when the subject matter is highly technical, call MacGyver, not Rambo.

Mike Barno September 18, 2015 9:10 PM

@ Clive Robinson and Bruce :

I don’t know about other browsers, but in mine this page has no title…

Are you sure? I run Firefox and I see an apparent title in the normal small font used for general text. Security through Obscurity?? Driven below multiple readers’ event horizon by the accidental encryption of a malformed HTML tag, it seems.

VirtualAstroBoy September 18, 2015 10:08 PM

@r

Mine either, Tor Browser 😉

On another note, why wouldn’t every security junkie on this forum be running straight Debian (or dual boot with Windows) and then virtualised sessions of preferred Linux stream e.g. Whonix to limit your attack surface vector from VERY LARGE to small i.e. Xen or other virtualisation software attack verctor only?

Yes, I know they can break out of the virtual session if they are good enough, but surely clean snapshots used in this way, without javascript, with committed Tor use, with no weird plug-ins etc is the de-facto standard for people who give a shit about privacy.

I think Micah Lee makes the case nicely below. If you don’t think so, tell me why.

https://theintercept.com/2015/09/16/getting-hacked-doesnt-bad/

6o1 September 18, 2015 11:03 PM

@VirtualAstroBoy, VMs are all well and good, and one nice tool to have, but firejail is really good for all but the most insidious threats. It lets you tailor seccomp and caps to each application. You can screw it down exactly as tight as you want. You will love it.

Figureitout September 18, 2015 11:36 PM

VirtualAstroBoy
–We do but we don’t put all our eggs in one basket…What’s going on w/ systemd? Ultimately the most sensitive info needs prior protection to entering any kind of electronics…few have info needing that level of protection but it’s fun practicing and being able to nearly offer that service for a little side change.

Thoth September 19, 2015 1:51 AM

@VirtualAstroBoy
The concept of virtualizing is not new. @Nick P and I have talked heavily about using a TCB and running jailed stuff on top of it. This includes running native applications and virtualized environments above TCBs. The US DoD uses these Trusted Computing environments very frequently. You can look up DO-178B specifications and @Nick P can go on about the Orange Book.

You can look up a whole ton of literature that talks about safely virtualizing resources and separating then via TCBs.

Most accessible resources to mere mortals are not fully ready for showtime yet and the users are expected to dig up the source codes themselves and have extensive technical knowledge.

Whonix and Qubes have a working desktop but they lack assured security as the TCB they use is a Xen hypervisor which has huge amount of codebase to berify and assure.

Genode is a good project that supports multiple TCB platforms and they also support multiple scenarios. They have NOVA secure hypervisor (very tiny TCB easily verifiable and secured) and you can run multiple instance of Seoul VMM or modified Virtualbox VMs. In the instance one of the VMs are infected, the separation afforded by the TCB would secure the infection to just the particular VM. Besides the NOVA serup, it supports other L4 microkernels including Fiasco and lately seL4 too. It has a secure GUI as well called nitpicker and can be used in ARM chips in the TrustZone Secure world side as well. All this said, if you are willing to delve deeply into the technical details, Genode might be your cup of tea. Don’t expect ro build Genode and have something like Quves, all ready to rock and go. Genode have a lot of usability and documentation rough edges and I am in contact with Norman from Genode to even out user documentations so that it can be closer to the plug-and-play style.

If you want military grade references Sirrix AG, General Dynamics, Green Hills and LynxSecure provides Government grade TCB and I have tried to talk to some of them requesting normal user sales of their products but none of them have gotten back with any reply yet. I wonder if they will be willing to sell these secure TCBs to civilian users in the first place as a daily desktop.

Links:
– genode.org
– sel4.systems
https://os.inf.tu-dresden.de/fiasco/

65535 September 19, 2015 3:20 AM

@ stine

“The only solution to this problem that I can think of involves the B-52” –stine

I would not go so far as suggesting the “Rolling Thunder” treatment for the various parts of the DOJ -but some quality time in cell could be useful for behavior adjustments of certain Attorney’s for the State who think they can scam the US Constitution and the US Court system via an NDA document.

Although, most of the Stingray NDA was known it is now officially acknowledged by a very large Law Enforcement entity. The secrecy of the Stingray is coming apart at the seams – which it should have a long time ago.

It is very troubling that the secrecy of the Stingray is higher on the list of the FBI than doing normal police work and convicting criminals.

Here the FBI instructs the Sacramento County Sheriff’s Department [SCSD] to drop any case [including rape or murder] to keep the Stingray and Harris Corporation out of the picture:

“8. In addition, the Sacramento County Sheriff will, at the request of the FBI, seek dismissal of the case in lieu of using or providing, or allowing others to use or provide, any information concerning the Harris Corporation wireless collection equipment/technology…” FBI memo to SCSD

This has conflicting goals of keeping the FBI and the Harris Corporation safe while letting rapist walk free. This stinks to high heaven. It is criminal like thinking. If the Stingray is legal then show it to the court! If it is not don’t purchase it!

[Here is the tip-off clause to the FBI so they can “deputize” local law enforcement people and hide Stingray equipment from the public – or otherwise deceive the court system of evidence of foul play]:

“Sacramento County Sheriff learns that a District Attorney, prosecutor, or a court is considering or intends to use or provide any information concerning the Harris Corporation wireless collection equipment/technology, its associated software, operating manuals, and any related documentation (including its Technical/engineering description(s) and capabilities) beyond the evidentiary results obtained through the use of the equipment technology in a manner that will cause law enforcement sensitive information relating to the technology to be made known to the public, the Sacramento County Sheriff will immediately notify the FBI in order to allow sufficient time for the FBI to intervene to protect the equipment technology and information from disclosure and potential compromise.” –FBI memo to SCSD

https://assets.documentcloud.org/documents/2426424/sacramento-co-sheriff-fbi-nda-25mar2014.txt

[or non-OCR pdf]

https://assets.documentcloud.org/documents/2426424/sacramento-co-sheriff-fbi-nda-25mar2014.pdf

Worse, it appears that the SCSD is trying and end-run around legal evidence rules by getting an “OK” from and judge and then immediately sealing [hiding] the said “OK” from the public. This “OK” is not a warrant.

“The new SCSD policy does not fully explain exactly what information will be in the authorization application. Worse still, it imposes an automatic sealing of such applications, making it impossible for the public to know whether the SCSD is following its own rules…” –Arstechnia

http://arstechnica.com/tech-policy/2015/09/sheriff-well-get-judicial-approval-not-a-warrant-when-using-stingray/

It looks like the US Constitution takes a back seat to Justice Department. The inmates are running the system. This could end badly.

Curious September 19, 2015 4:08 AM

“D-Link Accidentally Leaks Private Code-Signing Keys”
https://threatpost.com/d-link-accidentally-leaks-private-code-signing-keys/114727/

“Private keys used to sign software published by D-Link were found in the company’s open source firmware packages. While it’s unknown whether the keys were used by malicious third parties, the possibility exists that they could have been used by a hacker to sign malware, making it much easier to execute attacks.”

Ad Blocking War Shakes Apple Cart September 19, 2015 6:06 AM

Apple recent decision to allow customers to block advertising has forced Internet sites and their advertisers to adapt. Rather than outright attack Apple’s reputation (and harm themselves) they go against generic ad-blockers.

Data privacy regulators in many western countries have also blocked American Big-data collection, further increasing intense pressure on our high-tech companies, Wall St enablers and advertising networks to exploit data/exploit from American consumers.

Consumers benefit by
1) not being tracked across the web at home, as they drive and use their smart phone
2) Blocking advertising blocks malware injections
3) denial of credit, loans, insurance, employment and clearances
4) corporations adding unwarranted surcharges from drawing conclusions based upon false assumptions of unregulated Big-Data
5) not be forced to watch irrelevant commercials
6) making better product purchases by avoiding biased or slanted information
7) increased attention span and mental focus

American High Tech industry has devoted entirely too much resources to making consumers the target product. They have manipulated technology to force consumers into being tracked and monitored. Their lust for ruling power and vast sums of corporate money unequivocally distorts American democracy and freedoms guaranteed by the Constitution.

We see these distortion daily in the lack of high tech product unrelated to tracking or improving our lifestyles. Instead consumers voice, handwriting and typing and personal files are now being exploited.

Our (secret Stingray trained lying) FBI/DHS/NSA insist ‘secret’ doors installed so they can eavesdrop, just like pre-Snowden. Now the Communists are insisting too. There is no real difference in repressive regimes.

One sided, invasive corporate Terms-of-Service allow unreasonable search circumventing due process, legislative and judicial oversight. Establishment politicians need to exploit this data and get elected.
The corporate authored secret Trade Agreement severely erodes citizen rights and privacy.

In such extreme distorted circumstances, ironies will surface. The tables are bitterly turned when Communist China receives US government approval to build a high speed train from LA to Vegas. Where is American High-Tech? Instead Wall St is literally shooting out money from cannons. Have America lost its Pride?

The Chinese are now financing subdivisions using American front companies with laborers who cannot speak English. No American financing or jobs to build even our homes. Are Chinese laborers next to arrive to rebuild our crumbling roads and bridges?

Why is America under such a viscous sustained attack?

ianf September 19, 2015 6:51 AM

@ Ad Blocking War Shakes Apple Cart
Apple’s recent decision to allow customers to block advertising has forced Internet sites and their advertisers to adapt.

Strangely enough, or perhaps not, this has yet to migrate to Apple’s other main operating system, and a true cash cow besides, the iOS. Probably an oversight…

[…] “Why is America under such a viscous [=having a high viscosity—ed.] sustained attack?

I have to assume you meant VICIOUS. If so, let me commiserate with you over the poor, viciously-by-Chinese-labor-beleaguered, defenseless United States of America (here today, gone tomorrow).

Cass September 19, 2015 7:57 AM

Did firstlook.org fail to publish a warrant canary for July?

Yesterday, over the course of an hour, I noticed the current canary at https://firstlook.org/canary change from one covering June to one covering August (skipping July?). I also noticed the hash change from SHA1 to SHA256 and the PGP signature change (though not the signer). Does anyone know when their June warrant canary first appeared and did a July one appear at any time?

Does this represent genuine silence? Or was someone in the signing-to-posting chain on vacation? Could what I witnessed have resulted from user error (i.e., a flaw in the AutoCanary software used by First Look or its associated business process)? For example, does AutoCanary software require a confirmation if a user tries to sign for a period that is the same as or prior to a previously signed period? Does the software require confirmation if the user skips a period? Would the latter change the legality of the warrant canaries, since the signer would now be making a retroactive positive statement about receiving an NSL when confirming a skipped period?

I haven’t checked this canary since The Intercept first announced they would start publishing them monthly (First Look Media Publishes Warrant “Canary,” Releases Software for Managing Canaries). In that article, they stated their intention to update the canary the first week of each month to cover the previous month.

When I went to the First Look canary yesterday, I expected to find one covering August (or at least July). I figured something might be up when I saw the June one instead, but I didn’t think of taking a screen shot until later. Unfortunately, by then, the published canary had been updated to one covering August (July skipped).

I did a search, but I couldn’t find anyone else remarking about July having been skipped. The wayback machine was no help as it had only one version of the canary (from yesterday, after the update to the one covering August). Even Canary Watch was of no use, since they only link to the current version. Fortunately, I was able to get a screen shot of the google cached version of the canary page which hadn’t been updated since Sept 4 and was still showing the June version of the canary. I hope others get a chance to archive/screenshot this before google updates its cache.

Shouldn’t Canary Watch or something similar be archiving all versions of a site’s warrant canary along with the timestamp of when the change occurred? Is there a legal reason why they can’t do this? Because without someone tracking all changes, the AutoCanary model might not work so well.

58-14 September 19, 2015 8:16 AM

@65535, this business of deputizing local officials is crucial. It’s a longstanding CIA trick for proliferating domestic cutouts (very evident in their JFK coup d’état, for example.) By now FBI is so infested with CIA detailees that the two are almost indistinguishable (the one remaining distinction is functional: CIA perpetrates crimes on the public, FBI covers them up.)

As for the constitution, yeah I kind of remember that, that’s that thing with the foundling fathers and Benjamin Lincoln and all them, right? Good times. Now we pledge allegiance to the COG. PDS is fuzzy on a few of the details, since his collateral clearance is long gone, if he ever had one, but he’s on the right track. We’re back in the USSR.

Didn’t take any B-52s to get of that, did it?

name.withheld.for.obvious.reasons September 19, 2015 8:33 AM

@ Bruce Schneier
Looks like a pointer to the reference of the comment is not linked to the database pointer on the comment store or it is de-referenced by some script component. Haven’t parsed the comment section to see if ALL Friday Squids are not pulling the descriptor/tag text yet…

@ Thoth
The assurance/safety OS’s offerings that include separation kernels (think of it as independent slices of a kernel divided across the run-time system) and the subsequent application layer can provide benefits in several different design areas/considerations. Complex watchdog or recovery procedures can be brought up to the app layer providing robust application performance. What can be problematic is the the BSP support for specific platforms and, none of these platforms really address a secure TCB (at boot or during run-time). Offerings that are interesting include QNX and VNX, both are versions that provide SYSV5R4 compatible system call interfaces and abstracted libraries for things such as X/xorg. LynxWorks does provide a “commercial” version of there DO-178B offerings… It is essentially a NIX separation kernel that provides Linux/Windows type of run-time environments.

As I see it, there is an issue with power up, boot, and boot strapping that implicates all platforms in the commercial space(s) as vulnerable…even certified platforms can be considered problematic/brittle. My thesis consists of using provable boot code/process (ROM to RAM) where things like SPI/SMBus or ACPI cannot provide hooks (especially with BSM hardware support).

Complexity is the enemy of either/and safety/security….

Paul September 19, 2015 8:45 AM

We have heard about the Samsung TVs that snooped on people. Sony has now joined the club, after a fashion. My last Sony TV (a 32 inch in the bedroom) has an abysmal operating system that makes finding the right channel a bit of an ordeal. However, Sony gives away a nice app, called Sideview, that makes it easy to combine reviewing what’s on andd changing channels, possibly even recording stuff (which I haven’t done).

I was looking forward to replacing the main TV in the living room with another Sony, maybe in a few months (we have only ever had Sony TVs).

Then Sideview got an update and I was notified that Sony reserved the right to collect information from it and to use it. Supposedly this will help Sony show me things I might want to see, but the idea of having this monitored, recorded and monetised (it will be) is too much. I will not use this app and I will not buy another Sony TV. This surveillance is out of control and needs to be reined in.

Why: we know from experience that information collected for one purpose will be used for another. Needless to say, I have ZERO confidence in Sony’s data security. I hardly watch TV, but that isn’t the point. The intrusion of remorseless and near coercive information harvesting into seemingly innocuous activities at home is just wrong (in my book anyway; YMMV).

I don’t know if I have time to figure out how to subvert this. It may just be easier and cheaper to give up having a TV.

name.withheld.for.obvious.reasons September 19, 2015 8:55 AM

Follow on to Squid Comment Descriptor/Thread Name…

The reference/database index to the comment is “c6706198” where the first squid comment was made, the next allocated comment is enumerated as “c6706200”.

Hope that helps…

BoppingAround September 19, 2015 9:29 AM

Where’s the title? Still celebrating Friday? Bad show, especially on the 100
latest comments page.

[Off-topic] Thoth,
The other day (probably way back) you mentioned some old treatise on haggling
(perhaps lobbying and persuasion as well), of Chinese origin, I believe. Can you
remind me its name and whether it’s available in English?

I think it’s name was guay xi or something like that.

Also, are you aware of any Chinese treatises regarding the choice of profession?
One that interests me allegedly spoke that man should choose a job that he cares
not about.

Unfortunately, that’s all I know; the man who had mentioned this died several
weeks after. I never had the chance to enquire further.

Sedate Wrist September 19, 2015 10:00 AM

@Paul:
“I don’t know if I have time to figure out how to subvert this. It may just be easier and cheaper to give up having a TV.”

Simply pull the ethernet cable from your TV set and watch regular TV. If you really need to watch online content on your TV, download it to your computer first and stream it to the TV via LAN. Alternatively, get yourself a raspberry pi and run any of the open source media centers with a proxy.

Paul September 19, 2015 10:35 AM

@Sedate wrist

Thanks. I have a Raspberry Pi and a NAS with Plex and am comfortable with tech generally (I just used IPtables to block Microsoft Windows 10 related surveillance — the backporting of some stuff to Windows 7). My annoyance is at the increasing need to have to take these kinds of measures. You’ll have seen the sudden popularity of the Peace ad blocker on iOS, followed by its curious removal from the market on what sound like bogus grounds (has the developed been bought out and required to sign an NDA?).

I am just weary of it all and would like to see more pushback (like the lawsuits against Facebook for repeated lying about privacy and repeated cynical and deliberate efforts to subvert it).

I like the app, which makes the TV’s useless UI irrelevant, but it won’t work without an Internet connection, and the price is high.

All this is going to get much worse unless differential privacy becomes legally required.

ianf September 19, 2015 11:00 AM

New OT. If true, and not merely some press-venting of a pedestrian conflict between the parties involved, I wonder how that coding project was described internally within the VW software division, or to the outside consultancy hired for the purpose: “we need the output of sensor X to be adjusted down by random value of between 18 and 27 percent. Yours not to be asking why.” (?)

The Guardian: Volkswagen under investigation over illegal software that masks emissions

California and EPA accuse VW of installing ‘defeat device’ software that reduces nitrogen oxide emissions while a car is undergoing official tests […]

Daniel September 19, 2015 11:56 AM

@VirtualAstroBoy

Because to a large degree virtual machines are security theater. First, if the underlying OS is compromised then the virtual machine is by definition compromised. Running a Whonix VM doesn’t magically change this reality. The only people who are trying (and in my view failing, but at least they are trying) to deal with this reality is the people behind Qubes. Qubes is headed in a solid direction, whether it gets there is unknown. Second, running multiple VMs require good operational security because one has to remember to perform certain activities in certain VMs and it is easy to blow up security from memory lapses or inattention.

When one gets to the core a VM is nothing more than a fancy sandbox. They were initially designed to help programmers with debugging. They only became popular for security purposes later. A VM is only as good as the OS that hosts it and the person who is using it–and experience teaches that neither inspires confidence. Having said that, I’m not opposed to VMs–they have there place. But they are not a security panacea.

Nick P September 19, 2015 12:26 PM

@ name.withheld

“What can be problematic is the the BSP support for specific platforms and, none of these platforms really address a secure TCB (at boot or during run-time).”

Funny that I said about the same thing on Hacker News in a recent discussion on them. I didn’t trust them to put the rigor in the BSP’s outside the evaluated configuration because they didn’t technically have to.

“Offerings that are interesting include QNX and VNX”
“”It is essentially a NIX separation kernel that provides Linux/Windows type of run-time environments.”

I agree, esp for QNX, except the part about separation kernel. I’d just call it microkernel because it was designed for reliability and performance. John Nagle gave me this nice description [1] of its mechanism. The separation kernels have less functionality w/ often with conformance to SKPP. They do even less than security kernels before them. An important distinction we should keep to maintain high level of trust in separation kernels.

That said, QNX is upping its security focus in recent years in terms of modifications to the kernel and available libraries. I’ve been recommending it for systems focused on reliability and/or lower complexity. Hard to recommend it for even medium assurance security given its networking stack was smashed immediately after code opening up. Less scrutiny, developers not focused on security, and them pulling stuff out of NetBSD means there’s more 0-days in there. So, I recommend them for reliability: point-of-sale, SCADA, monitoring systems, mobile/tablets (i.e. Blackberry Playbook), and so on. At least until MINIX 3 matures. 🙂

[1] https://news.ycombinator.com/item?id=9872640

r September 19, 2015 12:55 PM

@a nonny bunny,
A ‘proofed’ secure software is still software, it’s only as secure a the substrate it’s running on. You wouldn’t build your house on a sand dune would you?
So to answer your question: YES, it would still be vulnerable to ‘row-hammer’ bit flipping and other types of ‘interference’ like the FCC guides on emissions. It would also be vulnerable to more direct DMA attacks over PCIE, firewire, Thunderbolt and maybe USB3(?).

I think I read that row-hammer style bit flips are protected against to a point by ECC Memory (server class ram).

ECC means error correcting code, it tracks a basic sum of every so many bits in order to detect such errors.
But flipping is a problem I recently ran into on my external, the ddrescue manual recommends lzop? for long term storage.

name.withheld.for.obvious.reasons September 19, 2015 1:03 PM

Forgot to mention that one of the “PURPOSED” features of Windows 10 looks like a DRM/Copyright/DMCA engine that allows Microsoft to tag/analyze/collect media and data that would be “illegal” to store on a system. So, when you bring up a JPEG/PNG/GIF that your copied from the Onion’s web site you might get an automated take-down notice. The offending image will be forward to the FBI and local police and a vehicle has already been dispatched to your location, the door bell will ring in three, two, one…

name.withheld.for.obvious.reasons September 19, 2015 1:20 PM

You’ll all love this one, from the Department of Justice’s OIG, “Department of Justice Inspector General Audit of FBI Next Generation Cyber Initiative”

I quote from summary text provided by publicintelligence.net:

“The private sector’s reluctance to share information has been further affected by the distrust of government created by the Edward Snowden leaks.”

Wow, the FBI believes that it is Snowden’s fault, what if the Whistleblower’s name had been Daniel Rainden?

It is the fact that the government is involved in extensive surveillance that is beyond the pale, irrespective of the “messenger”. Also, the risk of being smeared with the taint associated with participation in the fascist state’s machine might seem to be more problematic… What about OPM, if the government cannot secure its own data, what liability is/can be attributed to a cooperative arrangement with the FBI?

65535 September 19, 2015 2:36 PM

@ 58-14

“…this business of deputizing local officials is crucial. It’s a longstanding CIA trick for proliferating domestic cutouts (very evident in their JFK coup d’état, for example.) By now FBI is so infested with CIA detailees that the two are almost indistinguishable.”

This is a dirty trick and an abuse of power. It’s a creeping cancer. Public hearings might be in order.

“We’re back in the USSR.”

Yes, it is starting to feel that way. There are strong parallels in the rise of Hitler and what is going on behind the scene. The aggressor ID’s its enemies, surveils them and slowly grinds them into the dirt. Soon the aggressor is in control.

sena kavote September 19, 2015 3:37 PM

Griselda Blanco and crypto wars

It is wise to at least try understanding other side’s arguments even if they are irrelevant or dishonest. When officials cry for crypto backdoors, terrorism is common argument as is organized crime. They have difficulty giving current and specific examples of how digital communication and storage relates to those, without giving information about current operations. The fresher the examples are, the less information is available and the more both sides of the law have to keep secret. Terrorists and gangsters in prison may be concerned that talking would endanger others in field and lenghten own sentence.

For theory oriented people like us, the readers of this blog, who I guess usually skip crime news unless it is something computer related, the 3 documentaries in the ‘Cocaine cowboys’ series, even though relating to events decades ago, I believe are a good way to gain deeper insight on what officials could mean when they say “organized crime” or what they want to evoke in those listeners who follow crime news and study crime history more closely. ( Maybe you could also gain some insight by watching ‘Godfather’ parts 1 and 2 too, but difficult to say for me since they are fiction and may be unrealistic in some ways. Anyway they are good as works of art. Same could be said about ‘Breaking bad’. ‘Mr Robot’ seems mostly realistic but is artistically slightly bad. Also, some Star trek episodes are about mafia. )

Cocaine cowboys { II hustlin with the godmother | reloaded } tells stories about cocaine trade, mostly that related to Griselda Blanco’s organization. Griselda Blanco was a godmother queenpin drug lord drug baron hardcore criminal who may have killed upto 200 people by her orders and by shooting some of them herself. Some of those murders / killings had only a weak excuse, some had rational motivation, some were collatelar damage and some were self defense. At one time she may have been the most dangerous woman on Earth and most powerful and most violent criminal on US soil. She was killed 3 years ago by a tactic she used on many her victims / enemies. (Content warning: the documentaries have some gross disgusting pictures and I advice to look away from the screen when those are shown. Depending where you get the movies, your video viewer setup and other things, you may want to have subtitle files for your language from some subtitle web site.)

When mrs. Blanco was leading her crime empire, only communication equipment were landline phones, car phones, aircraft radios, walkie talkies and radio amateur short wave radios. Those are not encrypted: only “manual” message obfuscation could be used.

The 3 documentaries tell amazing stories and teach things about operational security that have legal use, including in infosec. Mickey Munday has given separate interviews on some youtube channels, telling more interesting details that I believe have analogies in infosec security engineering. At least one tactic is obsolete: hiding speech on bowling alley background noise. Over a decade ago I saw on TV a software that can separate voice sources from audio, at least from raw .wav files, maybe not from compressed .mp3 ( anything on Linux repos? ).

Alleged Silk road webmaster-administrator got called a “kingpin”, as if he is on the same level as hardcore criminals like mrs. Blanco. Almost as silly as calling “terrorist” someone who sends few thousand dollars to Somalia. War on drugs laws were originally written against people who like violence and need only a weak excuse for it.

Integer overflows

Is it ever ok to make a program rely on integer overflows, by for example moving from 65535 to zero? Does any programming guideline allow it? Integer overflows are one reason for vulnerabilities. I think I would not mind a processor that crashes any process that has integer overflow. Is there a gcc or LLVM compiler option for implementing that protection in software? Would it be practical to use variable definitions where any minimum and maximum value can be given? For example, instead of:

unsigned short int Width;
unsigned short int Height;

Something like this:

int(0, 1920) Width;
int(0, 1080) Height;

Wael September 19, 2015 4:00 PM

@sena kavote,

Does any programming guideline allow it?

Just wrap your variable in a class that defines the allowed operations and behavior when the variable wraps. You could do that easily with C++ or other languages of your choice. You can also achieve the same effect with assembler by paying close attention to flags (overflow, under flow,…)

d33t September 19, 2015 4:20 PM

The “Caller ID” system is still being used as authentication by many PSTN and cell phone users. It is an easy tool for scams for a very small investment, and using VoIP, it can be done from any place on the planet with an Internet connection. Many phone customers may not have the faculties to weed out a scam from a legitimate phone call. Putting oneself on the government’s “Do Not Call List” appears to do pretty much nothing, and may even give attackers more known to be live and potentially valuable PSTN / cellular customers phone numbers to harass and scam. What ever happened to the enforcement side of the “Truth in Caller ID Act”? My guess is that there is no easy way for Uncle Sam to collect revenue from fines from accidental violations by legitimate companies or all out criminal scammers.

I have a couple of other thoughts / questions related to “Caller ID”:

1) We should change the name of it to something like “Fake ID”.

2) There should be an investigation into the number of people who have been wrongfully prosecuted, incarcerated, billed, harassed and or killed (other) based in part (probable cause) or whole by “evidence” involving (“spoofed”?) “Caller ID”.

3) Maybe the horribly flawed and fraudulently marketed product “Caller ID” could be adjusted with some R&D and the same protocol could be used to send a users public key for usage in an end to end encryption system that protects telephone call privacy instead (content only)? This might not work, but I think it’s a cool idea.

4) Since “Caller ID”, “Call Detail Records” or “Local Usage Details” are featured so often as evidence in fake cop shows, it must be a popular, go to resource for law enforcement to this day. There is usually a shred of truth in fiction. (irony)

5) If “Local Usage Details” are a featured method for establishing probable cause, how often is “Fake ID” (our new name for “Caller ID”) leveraged for the NSA’s (or other agencies) activities both domestically as well as abroad in justifying to FISA the intercept of other metadata associated with a victim of “Caller ID spoofing”?

6) If one were a “terrorist”, why wouldn’t “Caller ID spoofing” be used as an easy method for mapping some of the habits of anyone with phones, an awesome, renewable revenue source, a tool for psychological warfare, or even a way to “Swat” your enemies without risking much at all?

Anyhow, it’s still broken and could likely just be disabled or fixed by forcing VoIP companies to verify legitimate CID before allowing usage of PSTN terminations. GV has a feature like this for connecting GV numbers to hard lines. It’s also flawed and has holes, but it’s better than nothing at all for limiting abuse. I’ve recently gotten some angry phone calls from people who have claimed that some of my GV numbers have called them multiple times. Which could have led to my swatting by angry recipients of fake calls using my CID (which would be hilarious). Hmm, maybe GV is being used to do the spamming too? Why not?

Thoth September 19, 2015 6:11 PM

@name.withheld.for.obvious.reasons, Nick P

I guess the only way to ensure secure boot or in some parlance called trusted boot would be to do so in a TPM enabled chip (the CPU must also be the TPM itself) like ARM and MIPS. The ARM TrustZone or MIPS Ommnishield technology include tamper resistant security design into the chips that boots in phases and “measures” each boot phase to ensure the correct sybsystems boots up. One other design of secure boot and execution is thr smartcard chips where you need the correct crypto-keysets to load any program. These physical security chips can be used as a root of trust to boot the TCB and prevent tampering. The only question left is how much can we trust these blackbox chips from not betraying us.

Thoth September 19, 2015 6:38 PM

@BoppingAround
Maybe you can refresh my memory by finding nore details. I speak a lot here and can’t seem to remember.

If you are interested in a Chinese treatise on haggling, diplomacy, lobbying and persuasion, the book is called “Gui Gu Zi” (鬼谷子). The best is to use a Internet facing PC that is not sensitive to search using the Chinese name for the treatise.

The book is very powerful as it teaches skills including body language and oratory skills to manipulate a person subtly. Even the beginning chapters of the ancient book itself said that the person who reads this book should be of good and esteem character so as not to misuse it’s contents.

Here’s some brief history. Off topic stuff.

The name Gui Gu Zi means Master/Scholar of the Ghost Valley as he was famous for living as a hermit in Tian Men Shan (Heavenly Gate Mt.) Which has two outcrops naturally arching that forms a gate-like structurebfacing the sky. Some modern scholars believed that instead of Ghost Valley, the name should be Tortoise Valley because of the closeness of prounciation of the word Tortoise and Ghost and the use of Ghost is to invoke mystery and fear to prevent ordinary people from entering the valleys to disturb the hermits. The mountaina and valleys there are natural defensive barrier which give rise to the name Kui Gu or Tortoise Valley. This prevents deployment of troops to hunt the famed scholars living in that mountain during the politically unrest periods of China.

Gui Gu Zi is also sometimes speculated as a ground of smart scholars and hermits whom compiled their works into the treatise and some have considered him as a real historical character and even deified into a saint.

He is said to be the friend of Sun Tzu whom during Sun Tzu’s later days passed his famed work called the Sun Tzu Bin Fa to Gui Gu Zi telling him to pass the Sun Tzu works to Sun Tzu’s descendants when the time was ripe. Sun Bin whom is Sun Tzu’s descendent received the Sun Tzu works from Gui Gu Zi wih Gui Gu Zi’s own works as well which causes his classmate Pang Juan to be jealous ar his inheritance and plot to sabotage him but failed. During Sun Bin’s later days he compiled all the work into the Sun Bin Art of War just like his ancestor, Sun Tzu did.

r September 19, 2015 8:36 PM

@thoth, all

Edit: you guys are ALL gonna be pissed. (This is long)

I’ve always been willing to bet that even though such a system (‘secure’ boot, TPM) itself is guaranteed clean in such a case the data it parses is not. It seems to me that the more complexity we add the more errors we find. At this rate our software will never be bug or exploit free. Not at least until someone branches stuff deemed ‘feature complete’ and then freezes and audits the code. It could be a very long time before such a thing is realized, but it’s an absolute necessity.

Our technology is still evolving, we haven’t even begun to imagine what it’s going to be like 50 years from now. Let-alone a mere 10. It’s all one big moving target, and therein lies the problem. There is absolutely nothing to stop a clean boot with faulty or ‘quick-to-market’ code from handling buffer and integer overflows. I think this is why Windows is deployed on UEFI the way it is now. (The ring -1 and -3 crap.) Secure boot solutions are only half of the battle as they only address the issue of true (local) persistence.

I think that what we really need is some sort of consensus on feature ‘completeness’. We need to identify the softwares required and then proceed to branch/freeze them. Developers do this to an extent now but we all know that back-porting bug fixes doesn’t equal auditing the base, it’s called ‘long-term support’.

My point is, a hardware model that reinforces the integrity of itself and the operating environment it provides still provides an operating environment. In the end it’s still only as reliable or as secure as it’s end user if not less so.

But then, there’s other questions to be asked. We know what an integer overflow looks like, we know what a buffer overflow looks like… but from what I’m reading about ROP chains and ‘use-after-free’ bugs – is that a type of big we can truly rid ourselves of? That kind’ve error isn’t due to a programmer completely, it’s due to design and complexity.

Can we be rid of the unknown?
Can we reduce our codebase enough to minimize unknowns?
Can we trust the larger code bases to not be half-patched?
Can we trust the people or companies who make these commits?
Do we trust the auditors?

Thomas Jefferson once wrote: “If a law is unjust, a man is not only right to disobey it, he is obligated to do so.”

So… can we trust those who would ask for our keys, our thoughts or even our whereabouts to understand the calling that is security or privacy?

I don’t think that there is anything in this world that they have not touched, manipulated, modified, coerced or molested. The fact is; if they didn’t do it: someone else surely would.

The worst thing about all of this? We’ve got it all wrong. None of this is private and thus: none of this is secure. Very few of us speak face to face and so we involve our ISP, we elicit help transmitting or ideas from Cisco, we ask Microsoft for permission to use their whiteboard. We have couriers do our bidding, we ask them not to read our coded and uncoded messages, but you know what? They don’t work for us. They sell us subsidized school supplies that we will probably never own. They lease us paper, they tell us to use ‘their’ pencils and they offer to forward our messages to our fellow classmates… It used to be, that sometimes we got caught passing messages in class. These days it’s like our companies got caught passing so many messages that an agreement was reached to avoid charges of complicity or contempt… I think, just like our ISPs, that all our companies have to photograph/transcribe any and all third party messages to not be considered complicit or be found in contempt. I think they have immunity as long as they advise by two simple rules: a) let the teacher know, and b) don’t let the other students know.

My apologies,

Thoth September 19, 2015 9:19 PM

@r
The respons you gave were expected and we all raised that concern along the way before. Complexity is indeed the enemy of security. We cannot make a system bug free. We can only lessen the bugs and @Clive Robinson, @Nick P, myself and others have pointed out it is impossible to not leak in some way. It is just how much ome leaks and what you expect for security in your requirements and protection profile. I doubt any foolproof system. It is about how much you can deter and migrate quickly. If you look at ARM and MIPS, the security is bakrd into the chip. No added extension chips needed. I won’t say it is foolproof but if a clean, simple and open design and implememtatiom for secure boot can be implemented, why not ? That does not mean MIPS or ARM implementations and designs are provrn clean and good. On the contraru, Qualcomm’s ARM implementations already found to have bugs in the TrustZone and a couple are fatal but they have supposedly been fixed.

Curious September 19, 2015 10:58 PM

Something about Symantec issuing a digital certificate for google.com:

The article title seemed a little misleading to me so I omitted it here.
http://googleonlinesecurity.blogspot.no/2015/09/improved-digital-certificate-security.html

“On September 14, around 19:20 GMT, Symantec’s Thawte-branded CA issued an Extended Validation (EV) pre-certificate for the domains google.com and http://www.google.com. This pre-certificate was neither requested nor authorized by Google.”

65535 September 19, 2015 11:42 PM

@ d33t

‘I have a couple of other thoughts / questions related to “Caller ID”: ‘

‘1) We should change the name of it to something like “Fake ID”…’

Caller ID spoofing is a big problem.

It was originally used for Private Investigators a LE and then ‘trickled down’ to main stream hackers. It was used for “Swatting” but VOIP has taken its place [interestingly a lot of police call centers still rely on “Caller ID” with it known problems].

Note that caller ID is different from actual billing data or the many Charging Data Records [CDR]. But, some LEs still use Caller ID in Swat situations without confirmation –very dangerous.

California has some legislation with is supposed to allow “auditing” of these caller ID spoofing service. I don’t think it was very successful given the caller ID spoofing services moved international and VOIP has taken its place. This could end badly.

[Wikipedia]

Caller ID spoofing has been available for years to people with a specialized digital connection to the telephone company, called an ISDN PRI circuit. Collection agencies, law-enforcement officials, and private investigators have used the practice, with varying degrees of legality…]

https://en.wikipedia.org/wiki/Caller_ID_spoofing

“Many people do not realize that Caller ID spoofing has been around since Caller ID was created. For over a decade Caller ID spoofing was used mainly by businesses with access to expensive PRI (Primary Rate Interface) telephone lines provided by local telephone carriers. A single PRI line can provided businesses with up to 23 telephone lines and all of these lines are capable of having unique telephone numbers. Caller ID spoofing, in it’s most basic form, was typically used by businesses to display one main telephone number on all outgoing calls, even though those calls were not really originating from those numbers. Around the late 90’s and early 2000’s Private Investigators took notice of Caller ID spoofing in it’s most basic form and began purchasing these expensive PRI lines with the intent of selling access to other Private Investigators for a fee. These services were typically referred to as “blind lines” at that time. Private Investigators, concerned with their anonymity, would regularly use these blind line services to guarantee that their real telephone number would not be shown to the called party. Private Investigators knew first hand that Caller ID was not 100% blockable, and that toll free 800 numbers would typically be able to see their real Caller ID number, even if *67 (Caller ID Blocking) was used. Some of the providers that offered a blind line service were: US Tracers, Skip Tracey, Universal Communications, and IISNet. The services provided by these companies were marketed very discretely and only people with the P.I. industry typically knew about these services.

See:
http://www.calleridspoofing.info/

More history:
http://www.victimsofcrime.org/docs/src/what-is-caller-id-spoofing.pdf?sfvrsn=2

Well known spoofing service:

http://www.telespoof[dot]com

[and]

http://www.calleridspoofingfree[dot]com/tag/private-investigators/

[and]

‘spoofcard[dot]com’

“One of the programs used by private investigators is a phone tool called Spoofcard which lets you change or fake your caller ID telephone number and disguise your voice to sound like that guy from the Saw movies. Another useful, easy to use feature of Spoofcard is the call recording feature which gives you the ability to record the calls you make. Your recorded telephone calls are automatically converted to a high-quality mp3 format. Listen to them and download them to your computer. It’s as easy as logging into your control panel over at SpoofCard.com”

http://www.horsebanger.com/private-investigator-telephone-programs.html

[Old testimonials from spoof card]

“Guys… I had the laugh of my life when I called a friend using a female voice and using a French accent – I made him believe during 3 minutes of call that he won tickets to a Montreal Canadiens hockey game.. and that he would have a diner with captain Saku Koivu and his friend Craig Rivet…. he was so in it was un-f’ing-believable.. the most fun part is to listen at the calls once the’re recorded! Thanks a lot SpoofCard! you rocks. Cheers from montreal!”

“I am A licensed Fugitve recovery agent in Virginia, I used spoof card on a fugitive from justice, I called him using his mothers number and told him I was at his mothers house. I told him that if he didn’t turn himself in, his mother would go to jail for aiding and assisting a fugitive at large. 20 mins later, I picked him up in front of his mothers home while mom was asleep inside. 20,000.00 in my pocket. great product!!!”

“Anyhow, it’s still broken…” -d33t

It is. Nobody seems to want to fix it… for various reasons. This is a travesty.

Curious September 19, 2015 11:47 PM

Contactless Fingerprint Technology?

“NIST, FBI collaborate on biometric technology certification program”
http://www.fiercegovernmentit.com/story/nist-fbi-collaborate-biometric-technology-certification-program/2015-09-03

“The National Institute of Standards and Technology is researching the potential of contactless fingerprinting devices that would allow biometric reading simply by showing one’s hand rather than placing it directly on a scanner.”

http://www.nist.gov/itl/iad/20150903fingerprint.cfm (NIST announcement)

name.withheld.for.obvious.reasons September 19, 2015 11:58 PM

@ Nick P, Thoth

Yeah, I didn’t categorize the few interesting sets of RTOS’s that might be of interest. There are a number of other commercial solutions that can be of academic interest as adoption is so narrow (Matlab comes to mind).

VNX is a proven, robust, lite OS interface (libraries of posix, SYSV, etc.) that is almost bullet proof. Green Hills has a number of useful offerings, Lynxworks is a little late to the game but has what could be termed a useful, but not nearly as tested, as a number of other RTOS’s.

Of the separation kernel architectures, the ultimate may be an Inverse Separation Kernel (I made this up)…essentially the OSF MKAD Kernel base. QNX is interesting as it, and OSF MKAD, use a messaging passing architecture (very simple) at its core. The OS is so lite as to be nearly ridiculous compared to today’s bloated IoT crap. Anyone that believes that GNU compilers are robust, or that Intel knows what it is doing (except for MASM) should move all of their investment portfolios into bonds. There are some compilers that are unencumbered by the kitchen sink mentality.

Then there is a whole set of CASE-based systems that very in complexity and capability (and price).

@ Skeptical — Are you still here? Your level of contribution to the subject matter has really fallen off — Is there anything we can do to help? Are your wife and kids okay? If you have a really difficult personal problem, I understand. Mum’s the word.

r September 20, 2015 12:18 AM

@name,

as per your comment about masm, i started out with tasm and an old school punch-card coder pushing me. i sincerely regret never getting into java as per his recommendation as of yet, but there is still time left in my life.

NASM, was and is wonderful for low level stuff.

the macro facilities within it enabled me to do some sincerely unheard of things at the time, and maybe still even now —

Mr zero knowledge September 20, 2015 12:45 AM

@ VirtualAstroBoy

My eyes are going to give up on this not so smart phone, though my fingers have adjusted to it. Its about time.

r September 20, 2015 1:42 AM

here’s something fun,

http://www.csoonline.com/article/2984599/advanced-persistent-threats/russian-military-attacked-possibly-by-chinese-cyber-group.html

proofpoint is saying china[?] is using the PlugX trojan to spear phish the russian military.

more fun, the trojan is being loaded by a signed F-Secure executable that has been dll-side-loaded.

Mikko needs to withdraw that cert pronto. 🙂

with sidejacking who needs stolen certs? they should delay-load their imports with a signature check for it’s known dependancies built-into the binary to begin with.

Anura September 20, 2015 3:00 AM

@sena kavote

I think I would not mind a processor that crashes any process that has integer overflow.

If you have a system that crashes on overflow, be prepared to watch as MD5/SHA1/SHA2/SHA3/Blowfish/Twofish/Salsa20 and many many more cryptographic algorithms break, since they rely on modular arithmetic[1]. Also, if it’s at the processor level, be prepared to watch as any efficient arbitrary precision integer library breaks as well.

[1]While you often think of integers as being unbounded, so 65535+1 = 65536, for many application 0 is the intended result. Cryptography is one of the areas where modular arithmetic is useful, especially modulo 2^n – it allows you to operate on a finite number of bits, it’s efficient, and “a + b mod n = c” is invertible if you know c and either a or b. Multiplication by a constant is invertible if the number is odd (for mod 2^n), and matrix multiplication modulo 2^n is also invertible depending on your choice of constants (for mod 2^n, matrices made up of either all even or all odd numbers are not invertible

Curious September 20, 2015 4:11 AM

“Error Exposes 1.5 Million People’s Private Medical Records on Amazon Web Services [UPDATED]”
http://gizmodo.com/security-hell-private-medical-data-of-over-1-5-million-1731548110

“Police injury reports, drug tests, detailed doctor visit notes, social security numbers—all were inexplicably unveiled on a public subdomain of Amazon Web Services. Welcome to the next big data breach horrorshow. Instead of hackers, it’s old-fashioned neglect from companies managing data that exposed your most sensitive information.”

ianf September 20, 2015 4:44 AM

Remember “The Information Highway?” – it’s been a while since I last heard it. Seems the idea lives on in the name of a major Swedish telecom/ ISP/ cable-TV/ fibre, etc supplier Bahnhof. Here are Googletranslated vital fragments of a recent op-ed written by its CEO, Jon Karlung (lightly [embellished by me]).

This is Bahnhof’s promise [to customers] in five points:

  1. We defy [the] police. We simply will not disclose information to the police and other authorities when their issues are not serious offenses. However, we have procedures in place to help as soon as possible in case of serious crimes such as terrorist crimes, child pornography, murders. We [rely] here on [the Swedish Law] Procedural Code 27 chapter 19 paragraph.
  2. The police officer requesting information about our customers will from now on [have to submit his/her] own data on the same form, namely [the] name, entity and [the] registration number. These data are [stored securely] for later sampling. The information can be used by scientists who want to examine the extradition [(?) processes]. Our method thus differs significantly from the proposal of the government’s investigation, which does not recommend any particular control instance.
  3. We delete this information systematically. Operators often have access to information that we are not legally required to save, but still exists in the system. Bahnhof has reviewed its processes to continuously be able to erase as much as possible.
  4. We rate our security system. The system is built so that we [have] isolated the data required to store a single system which is encrypted and only accessible to persons with security.
  5. We have now completed a so-called kill switch function which means that in a few minutes [we] can destroy the digital system and erase the stored data forever. The purpose here [are] pure contingency reasons. As a telecom operator, we take our responsibility [for] protection of Sweden.

Apparently the company invites being sued by the government, so it can bring the case(s) out to EU courts in Brussels. I have never seen ANYTHING REMOTELY LIKE THIS from any commercial telecoms operator (The Pirate Bay’s defiance doesn’t count). @Bruce will be in Sweden shortly, perhaps he’d care to check it out between mad dashes to & fro airports ;-))

65535 September 20, 2015 6:24 AM

@ ianf

Interesting, I wonder if this is going to be written into Google’s Terms of Service contract [or EULA].

If not, then this statement might not be legally binding. Further, there is some troubling questions regarding what Google will do with it’s customer’s data.

What is a serious crime? When will Google delete data? Who does Google give the encryption keys to? What does “accessible to persons with security” mean? Does this apply to 5-eye or USA customers?

Here is the five point translation using google translator – it should be correct 🙂

This is Bahnhof’s promise in five points:

“1. We defy police. We simply will not disclose information to the police and other authorities when their issues are not serious offenses. However, we have procedures in place to help as soon as possible in case of serious crimes such as terrorist crimes, child pornography, murders. We are supporting us here in the Procedural Code 27 chapter 19 paragraph.

“2. The police officer requesting information about our customers will from now on give up their own data on the same form, namely name, entity and registration number. These data depth we store for later sampling. The information can be used by scientists who want to examine the extradition benefit. Our method thus differs significantly from the proposal of the government’s investigation, which does not recommend any particular control instance.

“3. We delete this information systematically. Operators often have access to information that we are not legally required to save, but still exists in the system. Bahnhof has reviewed its processes to continuously be able to erase as much as possible.

“4. We rate our security system. The system is built so that we isolated the data required to store a single system which is encrypted and only accessible to persons with security.

“5. We have now completed a so-called kill switch feature which means that within a few minutes can destroy the digital system and erase the data stored data forever. The purpose here is pure contingency reasons. As a telecom operator, we take our responsibility in the protection of Sweden.

“After EU judgment April 8, 2014, we stopped immediately to the data store, after which other operators followed suit. Admittedly, the Swedish Post and Telecom Agency has forced us to start the data store again, on threat of penalty. But the method of resistance that we choose now former untested. The data is stored – but we apply from today a much stricter practices when they are left out. This is in line with the European Court’s judgment. Probably takes PTS also our new approach to court. But the more action pending, the more chance we have to appeal to the European Court and win.

“The verdict in the European Court took note of the data storage may be legitimate, but then it must be in proportion to what you want to fight – ie serious crime. Our Promise means that we cooperate with the police in the fight against serious crime, while safeguarding personal privacy with all available means. We operators are forced to fight against meddling politicians to citizens’ rights are nothing but a disgrace to a democratic and enlightened society.

“Jon Karlung

“CEO Bahnhof”

http://www.svd.se/vi-vagrar-lamna-uppgifter-till-polisen

Bertram September 20, 2015 8:55 AM

MI5 pays UK Muslims to spy on terror suspects. Bruce has often quipped that when you let amateurs handle your security, you get amateur security. That’s exactly what’s going to happen here. People will report each other for all sorts of petty reasons.

In addition there’s the question of whether it is – or should be – legal for MI5 to operate in the UK; surely undercover investigations are the domain of the police, with oversight by the courts.

And then there’s the question of whether we shouldn’t be building bridges and integrating moderate, sensible muslims into society, rather than alienating them and treating them as the enemy.

CallMeLateForSupper September 20, 2015 9:25 AM

Re: the leak of medical records stored on Amazon Web Services, surfaced above by Curious.

I note this gem in the article:
“Tomorrow, Vickery* will turn over the data to the the Texas Attorney General, where it will be destroyed.”

Destroying digital COPIES contains the leak (nudge-nudge, wink-wink). Good job, Mr. State Attorney General. (not) Yet more security theatre[TM].

*Vickery is the guy who found the records database.

Slenderman September 20, 2015 9:26 AM

name.withheld, Skeptical’s busy on the other thread standing tall for the Boston Fusion Center – you know, the courageous homeland security heroes who put their life on the line at the tip of the spear in the Podunk periodical room, keeping us safe from predators like Aaron Swartz who abuse their library privileges; and convicting vicious killers like Whitey Bolger, when he couldn’t shoot straight anymore, who may have used libraries.

Skeptical is down there defending the honor and judgment of heroes such as Vincent Lisi, Special Agent in Charge of Barking Up the Wrong Tree for the Amerithrax strike force, who ferreted out six thousand lone-wolf mad scientists including everybody at Dugway, USAMRIID, and CIA. Yes, that Vincent Lisi, impresario of the lamest, cheesiest show trial* since Stalin purged the Trotskyite-Zinovievite Terrorists.

Skeptical is endorsing the cautionary counsel of the supersleuths who apprehended cheerful stoner Jokar Tsarnaev, then caught the real perp by mistake and had to phone in in a bomb threat to clear the courthouse so they could spring him.

Boston, elephant graveyard of DCIPS rejects.

  • ffwd past the interviewer, who never shuts up

CallMeLateForSupper September 20, 2015 9:49 AM

@Bertram
“In addition there’s the question of whether it is – or should be – legal for MI5 to operate in the UK […]”

I think it’s unlikely that any outcome to the negative on this question would deter or stop such programs. It is so easy to comply with the letter of the law (while ignoring the spirit of the law): zip over to Europe via the “Chunnel” to do the deed(s). “We did not operate in UK; our contractors operated in UK.”

ianf September 20, 2015 1:05 PM

@ 65535 wonders “if this is going to be written into Google’s Terms of Service contract [or EULA]. If not, then this statement might not be legally binding. […]

Paraphrasing Tina Turner, what’s Google got to do with it… got to do with it…, it being the declaration of a Swedish ISP’s CEO, a company that is independent of Google, and governed by Swedish, not any Yankee laws. Far as I understand, it is precisely in order to have the blanket-ty data retention laws proved in ex-territorial EU courts, that Bahnhof elected to defy any “garden variety” police requests, those not covered by the “serious offenses” Criminal Code—as Bahnhof interprets it.

Perhaps you need to attend the ONLY SILLY VALLEY & US CONGRESS COUNT DEPROGRAMMING BOOT CAMP to understand fully what you’ve posted (and then repeated—WHAT FOR?—my already Google-translated quotes, because apparently once wasn’t enough.)

d33t September 20, 2015 1:16 PM

@65535

Thanks for your reply, Roger on all points.

Democratization of the PBX and VoIP trunks broke the CID system completely and opened up spoofing to the general public in like 2003 (probably earlier).

Being that CID / CDR / LUDs etc. manipulation has been possible for aeons, it seems like a lot of criminal cases could be appealed by showing that manipulation is possible in court. If probable cause was established in a criminal case using CID records of whatever type, it could be shown that there is certainly reasonable doubt with regard to the authenticity of the evidence based on CID since CID can easily be spoofed by anyone with a tiny bit of work.

It also seems like a decent string to pull on connected to the NSA’s constitutional violations as well.

It would also be cool if it was fixed some day.

Cheerleader w a Chainsaw September 20, 2015 2:05 PM

@Critic al

Some thoughts about Snowden … in villanelle form … http://critic-cal.blogspot.co.uk/2015/09/snowden-what-where-you-thinking.html 🙂

Snowden did nothing wrong. He did as his conscience commanded him to do.

He made a brave sacrifice for the good of the country, for justice and liberty, globally.

He could have just accepted the easy way and been silent about these clear wrongs.

As for damage to the country, the focus there should be on the OPM hack. That is some odd 20 million people hacked, each and every one of them trusted the government with their private details. While they beheaded that organization — who was above OPM? Why did no one in all those agencies and organizations entrusting such private data of theirs, of their own people, refuse to get involved, then, or afterwards? Or what about any of them getting involved after the attack?

Every single one of those 20 million people think about that betrayal of trust, probably every single day.

Aaron McFarlane September 20, 2015 3:43 PM

Your tax dollars at work! Script kiddies of QuantaCo keeping you safe from protected speech.

Wesley Parish September 20, 2015 7:23 PM

From the “My FBI agent’s got ‘Yesterday’ on his Birth Certificate Date of Birth entry” file:

http://www.tomdispatch.com/post/176046/tomgram%3A_rebecca_gordon%2C_flying_the_unfriendly_skies_of_america/

Security Theatre with a cast of thousands. And no one’s yet had the imagination to suggest this as a “Terrorist Movie Plot”.

And I thought I was joking …

http://pandora.nla.gov.au/pan/10063/20111005-0029/www.antisf.com.au/the-stories/a-public-touch-up.html

It wasn’t their fault, as he himself had pointed out to an over-inquisitive reporter in a phone interview just a few minutes ago — it was hardly their fault that terrorists had developed ever more effective means of camouflaging themselves, and so the inspections had to become ever more intrusive. One did not expect women to be so fanatical that they would replace their saline and silicone inserts with plastic explosives. But someone had written a short story about such a thing happening, and it had been made into a movie, so they were doing their duty in protecting the public by…damn, he was going to have to put that reporter on the no-fly list, wasn’t he! Obnoxious little puppy, he should’ve been drowned at birth!

http://www.tomdispatch.com/post/176046/tomgram%3A_rebecca_gordon%2C_flying_the_unfriendly_skies_of_america/

But we were, of course, living in the post-9/11 United States, in an era in which the government seems to have given up pretending that it has to obey the law when it comes to anything that falls under the category of “national security.” So we didn’t even get a reply to our FOIA request (although in theory the government was obligated to respond to it) — at least not until the ACLU sued. By this time I’m sure you won’t be shocked to discover that the pro bono attorney working on the case for them also found himself on the no-fly list.

Albert Einstein is alleged to have stated that only the Universe and human stupidity are infinite, and he wasn’t so sure about the Universe …

Bob S. September 20, 2015 8:05 PM

“Security firm AVG can sell search and browser history data to advertisers in order to “make money” from its free antivirus software, a change to its privacy policy has confirmed.” ~Wired.com

I think this is the kind of FRONT DOOR Comey et al have been talking about. Corporations are going to take all personal data right up front. They are going to sell it to the highest bidder. And it’s all legal because you can, sort of, opt out.

The recent iOs9 upgrade was interesting in that they are taking data too, you can opt out, and there are …sliders, just like with MS and so many other major corporations now.

It seems like a concerted cooperative effort to me. And the timing to be released this fall is no coincidence in my opinion at all. It’s timed to coincide with passage CISPA, Cyber Intelligence Sharing and Protection Act, this fall. It’s a very high Republican priority. No doubt they are waiting for some incident to cover quick passage without debate.

CISPA is the final nail in the coffin of cyber privacy as it will allow corporations to vacuum all personal and private data, EVERYTHING, to be sold the the highest bidder, which includes the government. Meanwhile, the corporations will get double whammy immunity from any legal action not to mention literally billions of dollars in fees from tax payers to divert the flow to military-police agencies all over the world.

The logic of it is: it’s all right if they tell you right up front they are recording your every keystroke, verbal utterance, photo taken, email ever written, every text message, your biology term paper, your passwords to everything…yes everything of everything.

But, you can move the slider to opt out.

Maybe.

I am absolutely certain there will be a legal way to reverse opt outs either at corporate insistence to improve the bottom line, or government demands to feed the beast in the name of “security”. That’s why updates will become mandatory. Reversing opt outs will be done via the update process.

Facebook and Google became two of the wealthiest corporations ever created based on selling private data and getting that data by any means necessary. CISPA will make their model the bullet proof law of the land.

Sure, folks can migrate to Linux or whatever. But, it’s a very safe bet the vast majority of adversaries and targets won’t have the slightest clue or care the least. That’s just the way it is, and will be.

65535 September 20, 2015 8:25 PM

@ d33t

“Democratization of the PBX and VoIP trunks broke the CID system completely and opened up spoofing to the general public in like 2003 (probably earlier). it seems like a lot of criminal cases could be appealed by showing that manipulation is possible in court. If probable cause was established in a criminal case using CID records of whatever type, it could be shown that there is certainly reasonable doubt with regard to the authenticity of the evidence based on CID since CID can easily be spoofed by anyone with a tiny bit of work. It also seems like a decent string to pull on connected to the NSA’s constitutional violations as well.”

I agree.

The CID spoofing problem should be fixed. Any CID shenanigans by LE or the NSA should be exposed and tossed out of court.

@ ianf

Your “SILLY VALLEY” shouting derogatory comment is not worth answering.

Clive Robinson September 21, 2015 2:10 AM

@ BobS,

I think this is the kind of FRONT DOOR Comey et al have been talking about.

Yes, it forefills two of their basic requirments, firstly it converts much of what you say or do into business records “legally” –in the US and– in some jurisdictions which don’t have the idea that peoples data belongs to the person and not the collecting entity.

Secondly is the thorny issue of “tipping off”, if the corporate entity is always collecting, then the target sees no difference in the level of collection. If the corporate entity pushes out a more invasive degree of “collecting” in a patch then it’s not just the target who sees it but everybody who gets the patch, there will be noise in the technical press providing the required deniability.

Of course the problem is countries could decide that their privacy rules prevent the US corporates etc doing this… or they could have in the past, but not now if they have signed on with those trade treaties that Obama has been desperately pushing down countries throats in secret. Because it enables these data collecting entities to push their business model –presumably with US govt blessing if not help– through secretive courts in countries that are in the FiveEye coverage…

As for Linux etc, that won’t be a problem because Intel has a dirty little suprise hidden in their more modern CPU’s. It’s a second CPU that is cloaked in secrecy that can examine all system memory including the video and system RAM, it can also do a whole range of other things with all I/O invisabley to the main CPU, so no AV software can see it’s activities. Oh and don’t forget the main CPU microcode, this could be altered to make the likes of AES keys etc available to this second CPU again in a way that neither the OS or any software you add to your system can…

So anyone using “Intel Inside” already has “Stealth Open Door Inside”…

The security question is not about stopping/prevention but only one of “When are all the other CPU’s going to get a Stealth Open Door Inside?”… Maybe it’s time for a new “sticker campaign”…

The direction this has been going in for nearly a decade, has been seen by a few, but to say “this is the direction it’s going” even a few months ago would have got you written off as a “Paranoid Conspiracy Theorist”. Even now most people will do that as a knee jerk reaction rather than face up to what has been happening behind their backs.

One or two of the people on this blog have suspected for sometime this is the direction things have been going in ever since TPM first began to be thought about. Some of us have been telling people what to do to properly “air-gap+” computers and how to secure information, but as I’ve noted a number of times in the past this type of OpSec is hard, very hard. And US Corps such as Intel have been doing the best they can to make it even harder, ironically as a side effect of industry demands for security… As has oft been said “The road to hell is paved with good intentions”, and as I frequently point out “technology is agnostic to use” like a scalpel it cuts, but is the hand that holds it a life saving surgeon or is it that of a life taking thug? Technology like locks can keep people out or keep people in, it all depends on who turns the key. And for those clinging on to the forlorn hope that Intel would not alow this to happen, all I can say is Intel can not now stop it even if they wanted to, they are compelled to walk the road they have paved.

For instance those that still chose to believe “in the sanctity of the Intel or others Private Signing Key”, they have not been talking on board the fact that there is no such thing. For some time I’ve said on this blog and other places that “code signing” not only means nothing about the code quality or security, it can also be broken as a process. The TI calculators signing key became public knowledge for some reason, so people can now load their own code onto their calculators, you could call that the “First Signpost”. Then the Stuxnet statelevel malware came along as the “Second Signpost” and demonstrated that the private signing key could be copied or in other ways subverted, and that happend “so long ago” that people using computers have already forgotten it or in some cases never heard of it, which in of it’s self is scary about what it says for computer security. The question is “What will be the Third Signpost that makes the scales fall from peoples eyes?” and is the final nail in the lid, perhaps it will be the DNS-Sec key, or something less mundane, who knows till it happens.

The thing is that just about every step we have taken to build our security Fortresses has taken us another step closer to being imprisoned forever in an inescapable pit of hell of our own devising.

So is there another path? Can we take it? Do we want to? Or are we condemed…

Cassandra September 21, 2015 3:18 AM

@Clive Robinson

I agree that OpSec is very, very hard, and I’ll copy the comment I put on the cryptography product survey thread yesterday regarding Intel equipment:

“Just to illustrate the extent of the problem regarding compromise of standard computing hardware, it is instructive to read the Libreboot FAQ, and the answer to the question “Why is the latest Intel hardware unsupported in libreboot? “:

http://libreboot.org/faq/#intel

It is all very well having carefully designed software that correctly implements well-regarded cryptographic algorithms. The problem is, you are likely to be running that software on compromised hardware. If you are at all concerned about operational security, you should be worried.”

I hope we are not condemned, but the path to free, open hardware is not an easy one.

Clive Robinson September 21, 2015 4:07 AM

@ Thoth, Figureitout,

Here are some interesting electronic projects I found when trying to browse for voice encryption.

I’ve found the problem is not encrypting voice, that’s relativly easy, the real hard part is making the ciphertext capable of travelling down the voice channel and getting to the other end and be reliably decrypted.

As we know voice is highly redundant with actuall “wanted information” bandwidth being as little as 3bps (~36 words / min). Such redundancy makes it possible for humans to communicate in very poor quality channels that few digital modulation channels can survive. In fact untill the late 1950’s only Morse code could work as well in similar conditions.

One of the main issues is that modern networks are nolonger analog but digital in nature, and this requires some form of compression of the voice. Many of these compression systems are modeled on the human voice and it’s perception by the human ear. With the result that many modem signals will not survive the same compression process. Those that do usually have a much lower data rate than provides exceptable voice reconstruction using similar voice compression.

Thus the first step in voice encryption is to find much better voice compression algorithms than are used by the current phone voice channels. The second step is to find a modem which will survive the voice channels used by the phone networks. The third is to find a suitible error correction mechanism to meet the requirments of the encryption mode you are planning to use…

All good fun –not– and interestingly why there are so few realy secure voice encryptors that work on the majority of voice channels. Of those that do they tend to use phase insensitive continuous modulation such as MFSK with adaptive channel correction or time dispersed Forward Error Correction.

It’s one of the reasons I was intrested in encryption systems and modes that have error correction / tolerance built in, of which very few exist outside of stream ciphers.

Thoth September 21, 2015 4:10 AM

@Cassandra
I am afraid every step of technical advancement we take, we are bound inevitably to be even more doomed.

Anyone can name a truely open and commercially viable and off-the-shelf chip ?

Whatever security we are trying to brew these days, we are simply hoping for the best. That’s the sad reality. I recommended haddware security with split keys in my posts but if a state actor or a puppet master really wants in, even the best secret sharing or data diode might not save you. We are just helplessly hoping the enemies either be stupid or careless.

The only saving chance for technology is to take a back seat and review what damage has beem done and to start over again.

Curious September 21, 2015 9:30 AM

How about arranging for having some kind of open source cpu?

I guess it wouldn’t make much sense of me here to talk about an “ideal” open source cpu as I don’t much about those things, but I guess in the case of having some basic cpu running I would like for the wiring to at least be subject to inspection and/or checkup.

Instead of trying to jam the most of wirings into some tiny chip like modern cpu’s, how about having a chip on a slate with numberous layes that you somehow inspect each in turn without having to take the thing apart and risk damaging it?

🙂

Bob S. September 21, 2015 9:38 AM

Secret 3G Radio in Every Intel vPro CPU Could Steal Your Ideas at Any Time

“Freelancer Jim Stone has just discovered the secret (or so he says), and according to him, the 3G is part of a second physical processor embedded within the main one. Said second CPU has its own embedded operating system and can be woken up at any time because the “phantom” power of the system is always there to draw upon.

In other words, the secret 3G chip can act as a backdoor, complete with wake-on-LAN and wake-on-mobile. Which is to say, the computer can be turned on remotely through this undocumented 3G radio.”

BUT!

Supposedly it’s all part of the Intel® Anti-Theft Service:

EXCEPT!,

“Intel is discontinuing Intel® Anti-Theft Service.” ~per Intel

@Clive

Thanks for reading reviewing my post. I fully understand my words are straight from the tin foil hat zone, but so much has happened in the last several years proving indeed, they are out to get you, me and everyone. A secret separate CPU from INTEL seems egregious. Or is it?

That’s one of the problems, the various corporations stand mute to all queries or at best resort to NSA inspired double speak.

In the case of the Intel AntiTheft service, does that mean the second cpu is no longer baked in, or not?

I dare say getting a straight answer is likely impossible.

Cassandra September 21, 2015 10:47 AM

For more on Intel’s remote management capabilities (Intel vPro), this Tom’s Hardware article gives an overview.

http://www.tomshardware.com/reviews/vpro-amt-management-kvm,3003.html

Note that the final page discusses AMD’s capabilties using ‘DASH’ and mentions that non-Intel network adaptors are looking at suppoting it.

Worth a read from a security perspective, rather than an ‘IT manager wanting remote management of servers’ perspective.

dnsmasq ftw September 21, 2015 11:12 AM

Apple is claiming they invented adblocking now? Great.

My favorite de-snooping tool is running dnsmasq inside a LAN as the DNS server and enable logging queries. I have a SQL backend on rsyslog that I use to easily figure out what device is requesting what URLs and then blacklist those requests by sending them to a black hole on my lan.

Micah’s article is so full of problems I don’t know where to begin. I guess an article about implementing NIST/DOD standards for a secure desktop isn’t as sexy as a poorly reasoned use of VMs.

Clive Robinson September 21, 2015 11:48 AM

@ BobS,

That’s one of the problems, the various corporations stand mute to all queries or at best resort to NSA inspired double speak

Sometimes the Corps don’t realise they have been had over as well by the NSA or don’t care.

As I’ve said technology is agnostic to use, therefore to get a technology accepted with “dark use” find a “good use” no one will argue about.

I’ve long known and have said here from time to time that the FiveEyes play “tag team” at international standards meetings and usually use the excuse of “Emergancy Safety” etc. It’s why if you dig into all the telephone standards you will find ways for “listen in” by an operator to be established, which means every GSM mobile phone is a “bug in your pocket” just waiting to be enabled remotely.

For obvious reason this capability has been kept quiet by those who know, most because after asking or pushing for answers have been “finessed” into believing that it’s for emergancy situations, such as accident. But if they keep pushing they get the “hush hush” talk and get told it’s a vital tool for situations involving hostages etc… However a third of a century ago the game was given away by Peter Wright of MI5 who wrote the book “spycatcher”.

If you look at most reviews of the time you will see the old boy network at work, where they alude to the fact it’s a very boring and tawdry book by a man with a borderline mental health condition who had a wrong fixation his boss was a member of the Burgess and Co “Cambridge Ring”, or was out to make up stories or salacious gossip to get the pension he was denied by Maggie Thatcher. Whilst you may think this if you only read the last part, I can assure you the first part is a riviting read from the technical asspects of electronic eavesdropping. You will even find mention of his technical assistant the late Tony Sale, who fought so hard to preserve Bletchly park. Any way he and I had a number of chats and his opinion was that what Peter wrote was factual in the most part, and he amplified on some of the funny side of the antiespionageand how the technology had a habit of biting back. One such was about an officer who whilst working undercover had an early high power VHF wire hidden in his trousers and got second degree burns in a sensitive spot and had threatened to sue for loss of manhode and child producing capability. Another. About an officer disguised as a mother pushing a pram with an early CCTV camera andvideo transmitter in it. Unfortunatly an old bewiskered military type had been tuning his TV and received the pictures, putting two and two together and coming up with six decided it must be some kind of pervert and attacked the officer rather vigoursly with a walking stick. He also confirmed other asspects of telecoms technology I had some deep suspicions about to do with “finessing” of standards.

So the old saw about “being paranoid does not mean they are not out to get you” holds true as you and others are begining to find. In fact I would work on the assumption that if it is technically possible there is someone in the IC trying to make it practicalno matter how whacky it might first appear.

d33t September 21, 2015 11:59 AM

Many terrible deeds go unpunished:

“Although some lines in the report remain redacted, it appears that another problem centered on the N.S.A.’s acquisition of bulk domestic metadata. It used phone numbers and email addresses linked to terrorism to search that data, hunting for hidden associates of terrorism suspects.”

Telephone games can be played against anyone:

“You could call it a hole in the system,” said Lee Moore, the principal of 911 Consult, which works with law enforcement to implement their 911 systems. “We go with the phone number information that we receive, and check the location of that number. There’s no inherent system to allow us to look at a 10-digit number and know that it is indeed what it says it is.”

Retroactive Probable Cause:

“Thomas Tamm who was a DOJ lawyer — who was charged to write up request for warrants to the FISA court. And he saw all these warrantless wiretaps and warrantless reading of emails coming through as justification for probable cause. They should have gone through the FISA court, and here they were using the data that they already collected to go through as justification for probable cause to get a warrant from the FISA court. So you know, this is the collection of content that’s been going on all along – even the latest 5IG report came out at the bottom of page 8, the top of page, it says in there where Addington told General Hayden of NSA that (this was in the first 45 days of the authorization of 4 October, 2001, of the President).. he was telling Hayden that the President’s authorization authorized him to collect content of US citizens as well as metadata.”

Clive Robinson September 21, 2015 12:32 PM

@ Andrew,

A more advanced civilization wont use simple but encrypted signals for communications, which are no different from random data.

Actually the use of encryption is fairly unimportant from this point of view.

If you look at the way we try to maximise scarce bandwidth utilization the modulation methods we use get more and more complex and thus closer and closer to AGWN when you view their spectrum. Further we routienly use “whitening” which is very similar to “Direct Sequence Spread Spectrum” to “spread signals within the mask” to reduce interferance and various types of overloading of comms equipment. You can see this in the V42 CCITT specifications for modems in telephone usage.

But there is another issue, the way to utilise bandwidth most effectivly is not to radiate signals into free space. We still have some old analog TV transmitters, but these are being replaced with Complex Digital Modulation systems such as DBTV which are also starting to be used in some cable television systems, but these are being superceaded by IP based high speed Internet connections. Similar with HF and MF broadcasting much of which has been replaced with low power satellite systems. Within a couple of decades few people will be radiating lots of power into space as it’s way way to inefficient both as a resource and cost issue. The spectrum will increasingly be for “personal communications” via low power mobile devices, and this will include the military who have already found that iPhones actually are way more cost effective and reliable than what you would consider traditional MilSpec Comms Gear.

About a decade ago I had reason to be at the UK National Space Center just outside of Liecester, when an important guest speaker from SETI was there. I pointed out then that I thought the search for ET by just receving was totally pointless because if everybody did that nobody would ever hear anybody else.

I also pointed out that they were looking in the wrong part of the EM spectrum. Rather than microwaves we should be looking at the ELF end of the spectrum. The reason for this is the most powerfull transmitting systems on this planet are at 50 and 60 Hz respectively and are the power distribution networks, of which some 25% is wasted due to a mixture of IR losses and radiation. It is unlikely we will replace these distribution networks inside of the next couple of centuries for several sound economic reasons. So while terestrial broadcasting of TV and the like will have much less than a century of radiating into space our power distribution might get more thsn half a millennium, which is likewise to be the case for other civilisations. From an efficiency point of view 35-1000 Hz is the most likely frequency range. However there is a problem, to listen for such signals we need to use antennas with dimensions measured in tens of kilometers which need to be not just off planet but pushed out to the edge of our solar system beyond Pluto’s orbit, which currently takes thirty odd years to get to and suffers from a lack of power as the energy from the sun is tiny at that range.

Any way I’ve said this all before here a couple of times and little or nothing has changed in the intervening time, except for the amature VLB V/UHF radio telescope.

AJWM September 21, 2015 12:46 PM

@sena kavote

Re: integer overflows

There are two widely used computer languages that provide that kind of range specification, Pascal and Ada (the former not as popular as it was a couple of decades ago, the latter largely confined to military embedded systems). No doubt there are others.

The Pascal version of your example would be something like:

type
WidthType = 0..1920;
HeightType = 0..1080;

var
Width: WidthType;
Height: HeightType;

As I recall, the typechecking is done at compile time, not sure if there is run-time checking (might be implementation dependant).

I’m not aware of any hardware that implements this sort of thing at the integer level, but Unisys A-series (nee Burroughs Large Systems, like the B6700) do hardware bounds checking at the array (segment) level, as well as memory-tagging executable code vs data.

Daniel September 21, 2015 12:49 PM

@Cassandra

The answer to your question about LibreBoot and Intel is that LibreBoot doesn’t support Intel because they are full of shit.

First, the website cannot make up its mind which versions of Intel are bad. In one place they mention anything past 2006, another past 2008, and still a third 2010. I have a 2008 intel mobo on one of my machines and it doesn’t have any of the nasty microcode that LibreBoot implies it has.

Second, this is directly from the LibreBoot website itself.

Libreboot has so far been biased towards Intel. This needs to end (the sooner, the better).

http://libreboot.org/docs/tasks.html

Those people at LibreBoot do not come across as security conscious–they come across as kooks who don’t have any idea what they are talking about.

Clive Robinson September 21, 2015 2:02 PM

@ Nick P,

Oh and I forgot the “No 541t Sherlock” article of the week,

http://arstechnica.com/security/2015/09/seven-years-of-malware-linked-to-russian-state-backed-cyberespionage/

Let’s be upfront about this all the super powers are upto this sort of activity one way or another. The real difference is the way the game is played via the degree of seperation between the coal face of the keyboard and the walnut desk of the top dog in the executive, giving the required degree of deniability.

thevoid September 21, 2015 2:48 PM

@Clive, @all re: spycatcher, books

since you have mentioned it a number of times, i think people will benefit from a link:

https://wikispooks.com/wiki/File:Spycatcher.pdf

the actual pdf is linked near the top of the page.

as an aside, are there any other books you think are essential (on any topic really)? eg maybe some highlights from the dead tree cave.

actually, this should go to everybody: are there any books you consider essential reading? as our civilization seems to be headed for a new dark age, it’s perhaps time to consider knowledge that is worth saving. science, math, history, philosophy, etc.

Cassandra September 21, 2015 3:37 PM

@Daniel

Thank-you for your feedback. I shall bear it in mind and give your opinion the weight it merits.

I usually find that on close reading some nuggets of good information can be gleaned, even from the least promising of sources.

Curious September 21, 2015 3:47 PM

Somewhere on twitter:

“Adobe’s Shockwave Player released 2 weeks ago is missing 155 updates for its bundled Flash player, incl. 6 0days ”

😀

k14 September 21, 2015 4:32 PM

When the Chrome browser padlock icon is “yellow-triangled”, the doc. says
“… Furthermore, this page includes other resources which are not secure. These resources can be viewed in transit, and can be modified by an attacker to change the look of the page.”

Is there a site, somewhere, that demonstrates the extent of what a middleman could do, to change the look of a page?

J Blues September 21, 2015 7:33 PM

Zerodium To Pay $1 Million For Exploit That Breaks iOS 9’s Enhanced Security
http://www.tomshardware.com/news/zerodium-1-million-ios-9,30129.html

Zerodium, a zero-day vulnerability company that specializes in buying and selling exploits, announced that it will offer a record-breaking $1 million for a full iOS 9 browser-based exploit delivered to it by October 31. The company will be able to offer up to three such prizes for a total of $3 million.

tyr September 21, 2015 7:51 PM

@Clive

I noticed many years ago that military voice channels
that I could decipher were incomprehensible to others
because of the effects of the compander and frequency
clipping being done to keep them in the channel band-
width. Not all ears are equal and the tech effects do
impact what you can effectively hear. I mentioned that
a voice to text, transmission encrypted, text to voice
might be a way to bypass that particular problem. The
sounding Like Hawking problem might lose you some of
the nuance of romance but at least you wouldn’t have
some nosy spook listening in.

The alternative is to sound like drowning under a
waterfall with a mouthful of marbles.

Thoth September 21, 2015 8:13 PM

@Clive Robinson

“military who have already found that iPhones actually are way more cost effective and reliable than what you would consider traditional MilSpec Comms Gear.”

I won’t be surprise that Android and iPhones are the better ways to communicate if the cell towers are not down. Recent occasions have shown that military communications are done over social chat groups, commercial instant messengers and good old cellphone calls. There are situations where the manpack set / comms set / signal set simply doesn’t work (usually out of range from others) and there is cell signals (assuming during military training exercises) and the next option would be the smartphone. It is a sad reality that so much military operations are now bleeding into commercial insecure space not designed to handle classified operations information but soldiers are more and more carelessly and un-willfully leaking operational information due to convenience.

You should know the quirks of the manpack set. That heavy metal on one’s back sometimes works and is erratic and you must be within range of another manpack set / comms set or a transmission or amplification tower of sorts.

Recent advances like trying to use mesh comms over these manpack sets and comms set are a good idea (e.g. Thales SquadNet).

Countries may complain that their operational information are being leaked overseas via these instant messaging programs and VOIP programs over civilian smartphones. It is rather inevitable where the most convenient method is preferred over security as most of the troops are not so security conscious and even those higher ups are bringing insecure smartphones into defense conventions and getting pwned badly anyway.

Jonathan Wilson September 21, 2015 9:06 PM

Regarding GSM phones and listening capability, there are phones out there (the in-development Neo900 is one) where its physically impossible for the cellular radio to get audio from the microphone except when the main CPU pushes it because of how its designed. And since (in the case of the Neo900 anyway) it will be possible to run with 100% FOSS on the main CPU, I would be willing to bet money that even the best spooks in the world couldn’t turn a Neo00 into a listening device remotely in the way that might be possible with other devices.

Nick P September 21, 2015 9:49 PM

@ Bob S, Clive Robinson

I hope it’s true because it would be a “hell yeah!” moment for me. I’ve been saying here for a while they could or would sneak a 3G chip into a desktop processor. Just to consolidate across product lines and reduce dev cost if nothing else. Plus, embedded radios w/ legitimate purposes would be best way to appease Five Eyes. Add another to my record. 🙂

@ Clive Robinson

re 20committee

Wow, this guy stays on the bullshit. Starts in very first paragraph where U.S. cancelled Snowden’s passport, had planes grounded, prepared torture flights, and so on while promising to do everything they could to get him. This immediately puts Snowden in a position to find a safe spot. Russia is pretty much the only place where they won’t touch him. Most obvious explanation for his trip there. But 20committee assures us it’s a diabolical scheme with Russia and Wikileaks instead of self-preservation? Why start using Occam’s Razor now!?

“It’s especially important given the fact that Wikileaks is playing a leading role in the Snowden case”

Snowden, like Assange, is a famous leaker exposing U.S. government. Assange also is an egomaniac with dim future. So, of course he keeps doing what he did before to help Snowden and boost his own position in the process. Who isn’t doing that among Snowden supporters in media lol…

“One need not be a counterintelligence guru to have serious questions about Shamir and Wikileaks here.”

A counterintelligence guru should have serious questions about the goals and legitimacy of the U.S. TLA’s operations by now. We’ll probably have to wait on his commentary on that, though.

“Evidence that Wikileaks is not what it seems to be has mounted over the years. Assange’s RT show didn’t help matters, neither did the fact that, despite having claimed to possess secret Russian intelligence files, Wikileaks has never exposed anything sensitive, as they have done with the purloined files of many other countries. ”

Now, this is more interesting. Assange being on RT, wanting Russian security, and avoiding (if he has) leaks on Russia is clearly a tie with Russia. The arrangement might be as simple as “Keep doing your thing, Assange, but leave us out of it.” That would be beneficial enough. Wanting Russian security would lean in direction of closer cooperation. So, Assange was a potential Australian agent and is now a potential Russian agent. His potential handlers in each country are potentially flipping out about double agent potential lol.
So, much potential there. Still not as much as Assange has wasted with his ego and lack of self-control in the bedroom.

Far as Snowden, nothing changes. The data at hand fits our theory about him. This doesn’t change even if he planned to go to Russia (only safe place), is cooperating now for survival, and so on. The best theory is that he acted out of conscience with Russia eventually benefiting from that. A smaller theory, esp considering his supposed chat logs, would be that he is playing people because that’s what he does. I’d need to see more support for that past the weak assertions of 20committee and logs from when he was a young, cocky spy. One of the better pieces of evidence against it, imho, was in John Oliver interview where Oliver pushed Snowden’s buttons to get an emotional response. The responses he got in context support our main theory and would be terrific improv if he was a fake.

So, weight of evidence plus response pattern = 20committee is a frau… I mean, the realist’s image of Snowden as a whistleblower in survival mode is accurate.

Michael And Ingrid Heroux September 21, 2015 9:59 PM

Canadian intelligence is spoofing our internet and they are posting fake news stories to make us think some of our friends have been murdered and they have been doing that for a while now. Some of the web sites are so real you can’t tell the difference. We had a good friend of ours that helped us get some of our internet straighten out but they murdered him shortly after that and they are reporting it was an accident. He was Jim Brewer, Obama’s senior technical adviser in the white house. Canadian Intelligence are messing around with our children also through their Sony GTA5 video game online play. They befriended our children over the months of playing with them and they were trying to lure them out of the house to get at them. We reported it to the Vancouver Police but the police can’t do nothing about it. They have been threatening to murder our family again because they don’t want us to go to court against them over the fraudulent 30-08 warrants they took out on us. They have been trying to bribe us with large ammounts of cash to forget about going to court against them.

https://twitter.com/jakebrewer

Nick P September 21, 2015 9:59 PM

@ Clive Robinson

re Russian malware

“Mr. Robinson, I had us meet here because I have sensitive information. I’m concerned for my safety in the event I publish it and the claims are so outlandish that I need a second opinion before I release it. You and mainstream media might be stunned by what I found. There’s evidence… evidence that… Russia still spies on countries. Shhh! Look normal and calm: they might be watching. My leaker tells me that the superpower that spent $10-50 billion on the Olympics can actually afford full-featured malware and skilled hackers to use it. The opponent of the West used these tools… to spy on the West. Leaks showed Russian spies using illegal methods to obtain political, military, and economic information that could benefit its politics, military, and economy. It’s possible that the information I’m giving you, once released, will make the shock of Snowden’s release pale in comparison. Conferences will be held, outrage will be expressed, entire borders might be re-drawn once people know what Russia’s “security service” was really doing.”

“No shit, Sherlock! I think you should call the Guardian back to tell them you’re no longer interested in being a journalist there. Actually, I think you’d make a perfect crossing guard. For a road with no intersection. Just keep waiving and telling people the obvious.”

🙂

Attachment: previous report and Pulitzer submission.

rgaff September 21, 2015 10:38 PM

@ k14

JavaScript can change any pixel of the web page to anything. It could make it look like something completely different, or be more subtile and devious. There is no limit.

That is your “documentation”… but you don’t have to believe me, you can learn JavaScript yourself and see for yourself…

@Nick P

“where Oliver pushed Snowden’s buttons to get an emotional response”

You mean where Oliver asked him if something stupid was a good password, and Snowden did the slight eyeroll and serious but cautiously quiet “this a joke, right?” That was classic 🙂

4G September 22, 2015 12:49 AM

Zerodium has offered $$$ for FireEyes exploits as well. Not exactly 1 million though. But prob. better than going to FireEyes with it.

Figureitout September 22, 2015 1:39 AM

Thoth // CR RE: tsb & audio crypto
–I’m definitely going to try that “TSB” one sometime, that’s sick. What I want, PW-protected and lock bits set; last thing is “encrypted instructions”, just makes me nervous thinking how that could possibly work (reliably), would likely be best in hardware…Other stuff (don’t really think about audio encryption yet since it’s already a big risk if you’re going that far to even speak) too busy but thx m8’s and it’d likely stand out you’re using crypto like tor…

Nick P September 22, 2015 12:13 PM

@ rgaff

I’m surprised you didn’t know what I was talking about. It’s the one that combines surprise, confusion, and pain. Re-watch it to see if you notice.

@ Figureitout

You like tearing shit apart and proving why it’s not trustworthy. How bout you buy an iPhone and go for that Zerodium bounty? Then you can afford your own lab. You’ll also be able to afford the parts to clone and modify the Magic 1 for a trusted computing experience. 😉

Note: Honestly, I’m not sure why more people haven’t cloned Magic 1 or similar projects with all the paranoia. A mix of implementations on FPGA’s, GAL’s, PAL’s, TTL’s… might make subversion too difficult.

Figureitout September 22, 2015 8:11 PM

Nick P
–Don’t we all? I prefer to build up constructively BTW and I’m not sure there’s a way to really “prove” something besides what we can repeat but I definitely don’t want to start another philosophy debate. No time and doesn’t sound very fun (don’t like studying crap like ciphertext etc. on top of trust issues “oh that’s not an exploit lol”).

I wonder too, except when I tried using a 20-year old laptop and couldn’t stand just a little extra lag. I’m eventually going to do the katy68k thing.

OT
–Just to clarify my thoughts on “encrypted instructions”, not sure if that can really exist besides just having a chip in middle (could just be inside a SoC these days) that just MUXes/shifts/inverts/etc. a signal headed for a register but the chip may need to be redesigned and that’s still the static target to be attacked unless we increase memory and open up space to hide…trade-offs…

Clive Robinson September 22, 2015 9:25 PM

@ Figureitout,

I’m eventually going to do the katy68k thing.

I realy hope you don’t mean that, she might get a restraining orded on you (google katy68k to see why).

I suspect you are actually thinking about the 68008 based “68 katy computer”…

I think I’ve mentioned that back in the 1980’s Tourch Computers UK made a 68K based “second processor board” for the Acorn BBC Model B computer –Acorn being the ‘A’ in ARM– that ran Unix. So yes the 68 Katy should run Unix on a terminal at an acceptable speed. BUT… without an MMU you lose a lot of security protection it provides with Virtual Memory.

I’ll be honest if I was going to port *nix I’d look at one of the 32bit MicroChip SoC devices they have the same amount of memory a much faster CPU for just a couple of USD. One has also got four serial ports and a “USB to Go” interface so will give a darn sight more “bang for your buck”. Also you get a nice array of development tools at very low cost.

pocus September 23, 2015 12:07 AM

Zerodium, a zero-day vul^nerability company that specializes in buying and selling exploits, announced that it will offer a record-breaking $1 million for a full iOS 9 browser-based exploit delivered to it by October 31.

I think that means they may already have it.

Clive Robinson September 23, 2015 8:58 AM

Should “Three strikes and out” apply to Lenovo?

For the tird time this year Lenovo have been caught spying on their customers computer use. Worse for many the machines source through IBM…

http://boingboing.net/2015/09/22/yet-another-pre-installed-spyw.html

Maybe this time people should follow US Gov advice and avoid this Chinese product, because their are legal implications for anyone who is required to not disclose information either by contract or legislation.

Thoth September 23, 2015 11:05 AM

@Clive Robinson, Nick P, all
I believe a better solution might be a somewhat trustworthy guard. That is just the first half which I will continue below.

In fact, I think it’s about time civilians should and must adopt the robust tactics used by the Defense Sector not because they have to hide “dirty little secrets” or they have “nothing to hide” but because the pervasiveness and robustness of such exflitration and inflitration techniques that is very very deeply disturbing.

As I always like to say, secure thyself lest be a pawn of others. Indeed a person may have nothing to hide but the fact they become someone’s pawn to be used in the global Great Game Neo Edition … where so many different powers, both Corporate Organisations and Governments trying to use the humans and machines as their global multi-player Multi-Player Real Time Strategy Game … is just deeply disturbing … very very disturbing to say the least…..

Will high assurance security breed more terrorism or global conflict ? Like a double edge sword, you can’t say a blade is really good or bad. The intentions of the user matters but as technologists and engineers, we have to stay totally neutral to whatever sides trying to sway us.

Now continuing from above, we can setup a high assurance tamper-resistant guard. All HTTPS/SSH … secure comms and key generation and cryptography for COMSEC must pass through the guard. Of course a software must be installed into the end-user for negotiation and traffic with the COMSEC guard. The COMSEC guard with the full knowledge of the session keys could decrypt all authorized and registered traffic (it has it’s own database of approved protocols) and make all sessions stateful otherwise it would drop the session immediately. If the user needs a client-side authentication keypair for email encryption or authentication, the session keys for encryption have to be generated on the guard and then issued to the client-side session (assuming the client is using a smartcard) and if the guard cannot decrypt the outgoing email, it would stop delivery of the network packet. The problem is it’s a huge risk as a single point of failure by taking too much on itself so it must be designed to a high assurance Orange Book standard.

For now it might not be feasible due to so much chip subversion, toolkit (compilers and so forth) subversion and what not.

I wonder if such intentions of providing more robust and assured security to commoners might raise even wider eyebrows and fear within the global IC.

rgaff September 23, 2015 1:38 PM

Along @Thoth’s lines of thought…

Since you cannot trust the guard machine, instead of decrypting, how about just making sure given encrypted traffic really is encrypted and to a given level of standards? For example, it would be a big improvement over the current state of things just to see a squid module that just makes sure port 443 traffic or CONNECT traffic really is properly secure HTTPS traffic (strong not weak stupid encryption) and drops it otherwise.

Nick P September 23, 2015 6:22 PM

@ C language fans

I stumbled upon this paper in a recent HN discussion on C language issues. John Nagle wrote it as an attempt to stop issues like buffer overflows with very conservative changes to C. The idea is to not break a bunch of apps, introduce overhead (eg CCured), add complex memory management (eg GC’s), and so on. Just simple stuff that catches problems. It fails to get dangling pointers but Microsoft Research’s Undangle can help there.

Think Figureitout, Clive, Wael, or name.withheld might chime in on this proposal. Not sure if it will get adopted but it’s conservative enough to have a chance. And could have an impact.

Thoth September 23, 2015 6:31 PM

@rgaff
The use of a guard is to ensure that the communication taking place is what you expect. An example is you want to access a website A but you don’t want and not another website B or C or anything else. The guard must ensure that is the case. Another example is using authorized protocol say you disallow RDP or VNC protocol or illegal IP address targets which when it detects illegal attempts will drop it.

Guard are not 100% solutions since you can attempt side channel leaks in authorized protocols which allowing the guard to measure the data is vital in a sense.

I guess the better idea is to avoid Lenovo computers completely.

name.withheld.for.obvious.reasons September 23, 2015 7:40 PM

@ Nick P
Just two quick things…looks like parametric tokenizing of existing function and probably casts to declared non-scoped (file level) code would be necessary. The second is that some of the standard proposals, specifically pragmas, have been implemented in many of the compilers referenced.

One comment, I believe there is a mis-statement respecting safe-types in C++ mentioned in the “Conclusions” section under the Alternatives sub-section.

C++ addresses safety by trying to hide the unsafe constructs of C under a layer of standard templates. In practice, the templated constructs tend to “leak” raw C pointers, and buffer overflows in C++ applications are still common.

Depending on how one would go about the process of code migration and the use of C as the primary language (without having to rewrite sections of code) the use of condition language directives can fix both the code and the perception. The author(s) have probably not considered wrappers based on C++ that can be equated to per-processor directives that could keep the object code tight.

Examples might include directives or conditionals wrapped with #DEFINE STD_C for non-dependent code or for making name mangling constituent. You can wrote some code in C++ that is very difficult to debug without a full blown debugger…
Which made think of this:

name.withheld.for.obvious.reasons September 23, 2015 8:06 PM

In making public statements on this blog (or any other for that matter) I realized that I was having to a.) rationalize the statements based on probability and potential risk, b.) and that the information would be nothing more than fodder to put under the tinfoil hat. The breadth and expanse of the security state cannot be believed…

With a.), considering the use of a drone to perform summary executions seemed unimaginable (legally, politically, morally, and ethically) and the use of targeted strikes seemed conspiratorial in nature. But, having blown the down-low, the possibility for mayhem actual exists and I must take the necessary precautions to avoid deadly calamity. The risk that I am on a list, high, but the rational and decision process leading to such enumeration is flawed and irresponsible. In my case, the failure of the security state could cost me my life.

With respect to b.), I cannot imagine feeling compelled to write a blog post such as this…but I know I have been playing the “canary in the COBOL mine”–thanks Grace Hopper.

How did I/we get here… Time to keep my wits about me (or at least nearby).

Nick P September 23, 2015 9:26 PM

@ rgaff

“Since you cannot trust the guard machine”

I can trust one I build with caveats. I can also make it semi-trusted where it does security with violations detectable. Anyway, why can’t you trust yours? What risks did you see with what likelihood that they occurred or would?

@ name.withheld

Thanks. I’ll keep it in case it helps in a future discussion.

Wael September 23, 2015 9:29 PM

@Nick P,

I stumbled upon this paper

Hadn’t had the chance to read both papers. Skimmed one of them. I’ll chime in at a later time when I finish reading them.

chris l September 23, 2015 10:13 PM

OPM now admits that the fingerprints of about 5.6 million people were released as part of the larger hack of 21.6 million people: NY Times. The earlier reports said it was fingerprint data of about 1M people. They aren’t offering any details, but given that the hack of records of 21.6M is everybody back to about 2000, I’d suspect that the fingerprint data are everybody who got a PIV-II card since they started issuing them. Right now the press reports all say “government employees” but they generally haven’t been good about acknowledging that many non-employee people have to get the cards.

rgaff September 23, 2015 10:55 PM

@ Wael

I see your smiley… but you’d build a device with caveats because it’s better to have one with fewer caveats than one with a bazillion caveats. 🙂

In the real world, we can’t wait for “perfect theoretical security” before having any… we need to implement it incrementally.

@Thoth, Nick P

Either way, I’m uneasy with having a guard that is designed to MITM my end-to-end encryption, just to double check that everything looks ok in the layer inside the encryption wrapper. I’d rather have something that just checks the encryption wrapper, and makes sure the wrapper itself is up to snuff. This is incrementally better than what we have now: which is nothing at all.

Nick P September 23, 2015 11:33 PM

@ rgaff

“Either way, I’m uneasy with having a guard that is designed to MITM my end-to-end encryption”

You already have software doing that effectively so why not hardware/software with more assurance? The reason to trust a guard is that it’s easier to trust. It’s easier to trust because it has less functionality you don’t need, more you do, hardware you want, extra security if needed, and likely diversity in details. All this makes attackers’ job harder. Good design means it can be recovered, modified, or swapped out regularly for further assurance. You can build security-critical functionality on its TCB w/ auditing instead of something likely to be compromised.

You can trust something highly likely to fail stealthily or something less likely to fail in general. Choose one. 😉

Note: Here’s an example of a guard approach to IPsec. Think your Linux rig is as trustworthy as 50kloc w/ strong isolation? Probably not. Replace IPsec with protocol engine for your application to get an idea of how such architectures reduce risk.

Wael September 23, 2015 11:39 PM

@rgaff,

In the real world, we can’t wait for “perfect theoretical security” before having any… we need to implement it incrementally.

It’s a bit more complex than that! We haven’t even agreed what “perfect theoretical security” means (we discussed what “security” means from time immemorial on this blog, and we agreed that there is no such thing as absolute security.) If we don’t know what we’re aiming for, then surely we’ll not reach our target. On top of that, we have different perceptions of what the “real world” is really like; a quick glance at some of the debates here will prove it 🙂

Then again, we’re not always in a position to start developing “secure systems” from scratch. We’re often asked to harden an already deployed system that looks like a sieve. Basically we go around unf##king what others have done (of course “others” excludes participants on this fine blog.)

You’ve got to secure the whole ecosystem: end points, components, protocols, human beings, …

Thoth September 24, 2015 12:05 AM

@Nick P, Wael, rgaff, COMSEC et. al.
The reason I mentioned that cryptographic keys (especially session keys) activities must be handled by the COMSEC Guard is to try and root out possibilities of malware at end-points trying to use encryption as a cover. If you check simply for strength of encryption, you might be better off using a network encryptor of sorts providing more robust randomness and ciphering.

The Guard acts as a moderate strength stateful filter which most firewalls are incapable of doing so as they were not designed in that fashion.

Nick P September 24, 2015 12:06 AM

@ Wael

“Basically we go around unf##king what others have done (of course “others” excludes participants on this fine blog.)”

Haha. We appreciate that. Well, I’ll admit I recently threatened to f*** it more in response to a DOS on Mach post. Cuz you really can’t make that any better. 😉

“You’ve got to secure the whole ecosystem: end points, components, protocols, human beings, …”

(Dr. McCoy voice) Good God, man, I’m a security engineer not a deity!

Wael September 24, 2015 12:30 AM

@Nick P,

Cuz you really can’t make that any better

Hmm… You’ll change your mind in short order. ADA, ShmADA 🙂

(Dr. McCoy voice) Good God, man, I’m a security engineer not a deity!

James Tiberious Kirk replies:

“There’s another way to survive — mutual trust and help.
And:
“If I can have honesty, it’s easier to overlook mistakes.”

But since none of us is a diety, perfection in any matter is unattainable. We just strive to improve “things”…

name.withheld.for.obvious.reasons September 24, 2015 12:54 AM

Spock (from nearly any episode of Star Trek):
“That is most illogical…”

Problems at its core are from MEAT-SPACE, not OUTER-SPACE. Case in point:

From the Congressional Research Service, 8 Sept 2015, Report Number R44817 titled “Encryption and Evolving Technology: Implications for U.S. Law Enforcement Investigations” the following observations are offered:

1.) The report, more accurately titled:
“Public Law in the Service to Government: Secure Communications (Financial, Transactional, Intellectual, Proprietary, Confidential, Internal (VIDEO) Cameras, Personal, Recreational, Unpopular, Intimate, or Otherwise) shall be under Restricted Use, Strong Encryption for Government Personnel Only”

2.) The obvious bias towards the needs of government over the rights of persons cannot be ignored, throughout the document language is used to denigrate or disparage public use of encryption in ANY FORM. Furthermore it is argued that “stored communication” (a statement mangled from the common term of “stored data” is deliberate and intellectual dishonest) needs to be part of the CALEA scope. Additionally it is argued that access to un-encrypted forms of “stored communications” need be part of CALEA. Not only does this infringe on the fourth amendment, but in this case there is the need to eliminate much of the fifth amendment).

When was it possible to listen to your calls under a lawful order, and rummage through your locked desk drawer or cabinets. CALEA comes into force prior, given reasonable suspicion, it never provided an automatic warrant expansion here might be a sample case file based on this logical:

DATE: SOMETIME IN THE NEAR FUTURE, 05:00 GMT

WIRETAP: Intercepts on tapped phones X/Y/A

INTERCEPTED: nothing of interest during the phone calls

GATHERED: Found some files in the file cabinet named;
INTERNAL-COMM-SME-RISKS-TO-IP-FROM-WELL-CONNECTED.docx

EVIDENCE TURNED OVER TO PROSECUTOR DUE TO DATA COLLECTED DURING WIRETAP

Wael September 24, 2015 1:27 AM

@name.withheld.for.obvious.reasons,

You’d think they applied CRT like thinking before they proposed all these constraints on cryptography, but you’d be wrong! As Spock says… Most illogical. However, since we only have more limited view of the inputs, then maybe it’s the logical thing to do…. Who knows….

Wael September 24, 2015 2:30 AM

@Nick P, @ rgaff, @Ingo,

Note: Here’s an example of a guard approach to IPsec. Think your Linux rig is as trustworthy as 50kloc w/ strong isolation?

What a coincidence! Maybe I should read the entire blog before I comment… The SINA @Ingo referenced on a different thread is what’s described in the paper @Nick P posted … (And it’s in Englisch, too) 🙂

rgaff September 24, 2015 9:14 AM

@Nick P

“Think your Linux rig is as trustworthy as 50kloc w/ strong isolation? Probably not.”

Indeed, probably not… but… until someone can actually DELIEVER those “50kloc w/ strong isolation” into my grimy little hands and I can literally USE it… at least make my Linux rig ever so slightly less holey in the mean time… This is what I mean by “incremental” above…

rgaff September 24, 2015 9:27 AM

@Wael

“We haven’t even agreed what “perfect theoretical security” means …”

You’re just proving my point of why we can’t wait for it before improving the security of what we already have in admittedly-small-in-the-grand-scheme-of-things ways here and there… So… making my sieve-like Linux rig firewall check the integrity of all the protocols going through it, instead of just blindly opening up whole ports and checking nothing at all… would be an incremental improvement that I could use today, while we wait for some undefined perfect solution to all our problems maybe coming someday…

Wael September 24, 2015 9:57 AM

@rgaff,

You’re just proving my point of why we can’t wait for it before improving the security

Crap! That wasn’t my intention 😉 You are correct, though.

Nick P September 24, 2015 11:58 AM

@ Wael

“What a coincidence! Maybe I should read the entire blog before I comment… The SINA @Ingo referenced on a different thread is what’s described in the paper @Nick P posted … (And it’s in Englisch, too) :)”

I saw that lol. They posted the standard rather than the products. The German companies are already on the list so I didn’t bother. U.S. has HAIPE and Germans have SINA. The paper I posted is an attempt to build SINA with tiny TCB. Whether they deployed it is another question.

Nick P September 24, 2015 12:02 PM

@ rgaff

“This is what I mean by “incremental” above…”

I get the idea. I push for incremental, meaningful increases in assurance. However, I’m not sure it applies to most hardening that happens. The attackers look for a 0-day in something you use. This will be any part of the stack that’s likely on and has to be configured a certain way to work. You can turn off, change, MAC, etc all sorts of things but will still be vulnerable. That means that the only thing that improves your security are things that counter or limit the attack.

And now we’re back to obfuscation, separation kernels, modified hardware, wrappers, software replacements, and so on.

+45^2-10 September 24, 2015 1:54 PM

Security researchers have discovered a new malware program that infects automated teller machines (ATMs) and allows attackers to extract cash on command.

New malware infects ATMs, dispenses cash on command
http://www.computerworld.com/article/2985860/malware-vulnerabilities/new-malware-infects-atms-dispenses-cash-on-command.html

Like most ATM malware, GreenDispenser likely requires physical access to the machine to be installed, which suggests either the compromise of the ATM’s physical security or help from insiders, the Proofpoint researchers said.

Once installed, it hooks into the XFS (eXtensions for Financial Services) middleware that is implemented on many Windows-based ATMs. This platform enables the interaction between software and an ATM’s peripheral devices, like PIN pad or cash dispenser.

When GreenDispenser is active, the machine’s screen will display an error that reads: “We regret this ATM is temporary out of service.” While regular customers won’t be able to use it, criminals can bypass the error by typing a specific PIN that’s hard-coded in the malware.

Interestingly, GreenDispenser uses some type of two-factor authentication. After the hard-coded PIN is entered, the ATM will display a QR code, which the criminals probably scan with a mobile application in order to obtain a second, dynamically generated PIN.

The second PIN unlocks an interaction menu on the ATM that gives attackers control over the cash dispenser. Another option on the menu allows criminals to uninstall the malware in a way that securely wipes it and makes it hard for forensics teams to later recover it.

Nick P September 24, 2015 2:21 PM

@ all

Been in a long discussion on C programming language and security. I know, I can’t escape those. 🙂 Anyway, for people interested in alternatives, I recently discovered that ATS language was used in one hell of a resource-constrained project: programming 8-bit CPU w/ 2KB RAM. Might be first use of safe or verified programming at this level. Overhead for functional, verifiable, GC-less programming didn’t top 50 bytes in their examples. Efficiency as an argument for unsafe code is getting weaker and weaker over time. 🙂

darn evildoers September 24, 2015 5:40 PM

Jeb Bush Comes Out Against Encryption
https://firstlook.org/theintercept/2015/08/19/jeb-bush-comes-encryption/

“If you create encryption, it makes it harder for the American government to do its job — while protecting civil liberties — to make sure that evildoers aren’t in our midst,” Bush said in South Carolina at an event sponsored by Americans for Peace, Prosperity, and Security, a group with close ties to military contractors.

Bush said, “We need to find a new arrangement with Silicon Valley in this regard because I think this is a very dangerous kind of situation.”

Thoth September 24, 2015 6:13 PM

@darn evildoers
As usual, demonizing of personal security mechanisms just to promote themselves.

Oh… and the war loving Bush dynasty that love to see Americans suffer…

USA is already deep in the nostrils filled with debt and competitions from other nations are high but of all things this country wants to focus is not lessening it’s own debts but digging deeper grave by scaring investors and businesses around security products and others.

Schneier have the other post on Crypto products done by non-USA entities which precisely show that USA is not the sole chokepoint when it comes to Crypto and tech security product. In fact before all these recent blow out of another Crypto war, all these stuff contributes to the cash flowing in and creating jobs in USA but now they destroyed it. The money and job will go somewhere anyway.

So many critical security infrastructure relies on crypto and security which includes banks and corporates. It is of a dual use nature just like SSL and Database Encryption for Banking security or Govt data security can be and must be used to protect individuals. The increase of personal IoT devices and health monitors makes it all the more important and these idiots running for the throne in Washington doesn’t listen and doesn’t any what they are talking about. They are pathetically parroting what other candidates are selling and trying to outsell not knowing the poison they are selling to destroy their country.

Even in the authoritarian regimes in South East Asia and South Asia, most of the dictators here are more tolerant to personal security and mostly less stupid anyway.

rgaff September 24, 2015 6:28 PM

That’s because authoritarian dictators know that outlawing banking and online commerce would be stupid… and outlawing all defense against the common 2-bit hacker would be stupid too…. but here in the USA, well, our leaders are all just stupid beyond measure.

Figureitout September 24, 2015 8:28 PM

Clive Robinson
I suspect you are actually..
–Good job Sherlock. :p I mean no actually I’ll restrain her alright…Incoming tickle fight 🙂

Nick P
–Now is not a good time for a review, sorry. I’d try it if I have free time. I’d rather see his setup too and a demo of an exploit it prevents.

And the ATS language…phew that syntax sucked ass as usual I’m sorry mate that would increase dev time exponentially and make me hate my job…And their example was just flashing an LED, why not do something a little more complex like initializing and reading an ADC then sending that info to a terminal or LCD. Oh and it just gets converted to C anyway b/c not enough people know how to make robust toolchains.

No harsh feelings. Not looking for another language debate either…use it if you like it I say, and let’s see how many people use it (how many use ADA or Forth after ~30 years?).

Thoth September 24, 2015 9:53 PM

@all

My new definition of Security which I expanded from earlier Squid posts regarding Individual and Hive-Mind Security.

The website is self-signed with SHA1 thumbprint of “‎99 64 91 5e c6 f2 c8 1f 29 52 02 03 d1 cc 90 f9 e5 e3 5a d8” just in case you are more security conscious.

Link: https://askg.info/paper/16.html

Nick P September 24, 2015 11:13 PM

@ Figureitout

Oh I agree on the syntax and don’t plan to try the language yet. It’s meant for people willing to do more theorem-proving-style stuff far as I know. The language is interesting in that it lets you apply high-level, verified programming to low-level things. Demo’d on device drivers already. That someone used it for 8-bit programming was more of an endorsement that it can handle low-level stuff. I mean, if you can do 8-bit control code, you can probably do algorithms efficiently in 32-64 bit processors.

Its importance is being one of the waves of languages countering the idea that safer programming equals slow languages with bloated runtimes. The main one I’m rooting for, though, is Rust as it’s a modern language with clever safety decisions. The lead developer told me today it’s already in use on embedded projects, too. That’s a good sign.

Thoth September 25, 2015 2:28 AM

@all
Re: Obama’s failed backdoor/frontdoor

That is not a strong case of winning the current Crypto War yet. The main players, FBI and NSA are still utterly unconvinced and who knows what have been happening under the waves of publicity. They might already have made their moves and decided their methods despite the publication above. The only way to win the Crypto War is to permanently convert all the mindsets towards personal and individual security. This will permanently win all and any Crypto Wars.

Clive Robinson September 25, 2015 4:31 AM

@ darn evildoers,

Jeb Bush comes out against encryption

Of course he does it’s a political sound bite, on a subject that’s never likely to effect his clan. And if he came out pro encryption, the next newsworthy item from the Four Horsemen of the Internet Apocalypse, where the authorities say “encryption hampered our investigation” would end his political career, irrespective of if it’s true or more likely compleate hokum (remember unlike you they are alowed to lie, even under oath for “National Security”).

You have to remember that, even if the FBI and other US LE & IC agencies get a compleat ban on encryption, they will only move to a different excuse to blaim for their poor performance.

And this is perhaps the most important reason the Politicos should say “No Way No How” on any limitation of personal freedom when it comes to personal privacy, and should instead be passing legislation to make personal information of all forms the property of the person not the entity that collects it.

Because if the politicos ever say “yes” even once the Marketing, LE and IC entities will just like small children pester and pester untill they get their own way on further measures. And all privacy will die the death of a thousand little cuts and everybody world wide not just in the US will be a commodity to be defrauded and abused for profit. With it becoming a serious crime with heavy punishment worse than for terrorism for trying to stop it.

They say a frog in a saucepan of cold water won’t jump out if you bring the water slowly to the boil, well this is exactly the principle the LE &IC agencies and the Marketing organisations are using on US citizens and want to do the same to everybody else in the world.

The LE &IC agencies have the power to kill a politicos career deader than a bullet between the eyes, the Marketing organisations have the money to bribe, corrupt and purchase legislation that their own highly paid lawyers have put more loopholes in than it would be possible for a single individual to find in ten life times. Together they make a formidable force, fighting them requires a similar or greater commitment from the citizens.

Unfortunately Donald “the shetland pony” Trump is making the life of the likes of Jeb and Carli “HP Spy” an easy “Pony and Cart Show” where serious topics don’t get discussed, nor questions asked, lest it spoil the theatrics.

Nick P September 25, 2015 5:03 PM

@ tyr

I think the post was refuted by the commenter Metatone 09.24.15 at 10:37 am. Easily could’ve been a few people in a team. So, it proves nothing.

I tried to do a more objective analysis supporting conspiracy as normal here. I gave specific example of MKULTRA here. Ted Gioia’s list here supports a modern example. Such examples clearly illustrate that many people can operate in secret doing evil things with low odds of detection and for many reasons.

Clive Robinson September 25, 2015 7:21 PM

@ tyr, Nick P,

Easily could’ve been a few people in a team. So, it proves nothing.

Err I think you will find the entire industry was complicit…

To meet the NOx requirments, every other manufacture had to have a urea based system in the exhaust system.

VW did not, so you would expect every single diesel engine manufacture to get one of VW’s amazing “clean engines” and put them through various tests to see what was different about the VW engines and compare to patent claims etc. Thus you would have expected all other manufactures to not just have tested but blown the whistle as well.

But nobody did… which makes me thing all diesel engine manufactures are pulling their own stunts, and thus “are not going to become the messanger that gets stabbed along the way” by having their own tricks revealed by VW in retaliation…

Thus making the statment that they all have something to hide…

Nick P September 25, 2015 8:02 PM

@ Clive Robinson

“Thus you would have expected all other manufactures to not just have tested but blown the whistle as well. But nobody did…”

Now THAT is a much better argument for industry conspiracy. 😉

@ all

Interesting article on NSA “whiz kid” turned privacy tech author:

http://fortune.com/2015/09/24/will-ackerly-virtru-ex-nsa-anti-hacker/

Dude sounds pretty cool and would be probably be fun to have at CCC or whatever. However, that doesn’t lead to trust of the product as I noted on Hacker News:

“Glad they managed to build something that’s is potentially strong while easy to use. That’s difficult to bootstrap. Unfortunately, it’s so difficult to design good cryptosystems, protocols, etc. that I can’t trust the product until it gets strong, peer review from a diverse audience. Both the level of screw-ups in the field and massive investments in subversion by nation-states means a tool like this needs to be fully open-source plus local, build option. Note that they can do open-source w/ proprietary license.

The escrow is also a problem. There’s the risk of hackers, malicious insiders, courts in regular legal system, and the court in the secret legal system. If you do escrow, it needs to run on the most secure and tamper-resistant systems you can throw at it w/ 3rd parties verifying this. Given above risks, it’s better if they don’t do escrow and instead switch to a private/public key model. Bernstein et al have given us some really fast and secure software for that, too. They just auto-generate the key-pairs locally & handle the public key management instead. Would be a nice improvement.”

ianf September 27, 2015 1:00 PM

@ Clive … would expect every single diesel engine manufacturer to get one of VW’s [allegedly] amazing “clean engines” and put them through various tests to see what was different about them and compare to patent claims etc.

It’s SOP, competing product strip-down. Saw it done many times to industrial computer peripherals. These items, usually purchasable only in OEM bulk (B2B), were then acquired piecemeal at trade fairs, etc.

[… But no competitor] has blown the whistle… makes me think all diesel engine manufactures are pulling their own stunts.

That’s what I’m hearing too, so it’s no surprise that nobody wanted to risk the disclosure blowing back in their “faces.”

Clive Robinson September 30, 2015 2:01 AM

@ Moderator,

The “berta” and “andy” posts above are both commercial spam.

This time it’s my words the perp is stealing… not sure if I should be annoyed by the plagiarism or flattered by the –random– selection, so I shall in turn just copy “the red queen” and scream “off with their heads” 😉

Wael September 30, 2015 3:49 AM

@Clive Robinson,

This time it’s my words the perp is stealing

Imitation is the sincerest form of flattery

flattered by the –random– selection

I think it’s pseudo random, you should be quasi-flattered 🙂

Gerard van Vooren September 30, 2015 6:32 AM

Hey guys, I think I am having an interesting (but probably stupid) idea.

This is about the tracking cookies that bothers us all. Companies want to make money and today the tracking cookie and other advertising is key in that process. It stinks but that is the way it works. So how can that problem be solved? It’s obvious there need to be another way to generate revenue. Then I thought about Google for business where you can pay (in Europe) 50 Euro/year and you can use a set of Google applications. But why does it only restrict to Google? What if there is a non-profit foundation or cooperation where people pay 50 Euro or Dollar a year (fixed) subscription and then they can then use web sites of companies that are participated, without ads and tracking cookies. The ad budget of this organisation is key so that needs to be substantial.

There is one site where you login and from there on you use OpenID (or similar) for the sites that are connected. One site with an overview of all these sites. You can also login these sites with the OpenID key without logging into the main site. The source code of the main site should be written in a safe language, GPL licensed and open sourced. It should also have (at least) encrypted email functionality with a clear distinction between members and others because of the encryption. The reason for this all is trust.

About the sites of participated companies. There need to be a financial allocation. Big sites should earn more money than sites that are less viewed. But also a regular inquiry (once in a month) where members can reward the content of the sites. So the financial allocation is a combination of page hits and reward. That’s pure democracy!

And why restricting to web sites only? A play store also comes to mind but you got to start somewhere.

I don’t think that one such organisation could handle all the content of the world. Local (national/regional) decentralized organisations make more sense, also in promoting local companies and to avoid abuse.

k14 October 2, 2015 1:22 PM

People who are the beta test site, and not in a friendly kind of way. What can we do? Who can we go to?

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.