Friday Squid Blogging: Polynesian Squid Hook

From 1909, for squid fishing.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on January 29, 2016 at 4:23 PM • 114 Comments

Comments

GreyJanuary 29, 2016 5:07 PM

The ProtonMail official release date has been pushed back to the 18th February 2016.

iOS and Android apps will be officially released on 18/02/2016 and their blog states that "custom domain support" will be added along with 5GB of storage - both features require a paid account.

Now seems like as good a time as any to move over to an encrypted email service particularly post-CISA which allows all historic emails to be disclosed (and much more). Their service is based in Switzerland.

https://protonmail.com/blog/release-delayed-until-feb/

Police Resist When THEY are TrackedJanuary 29, 2016 5:51 PM

Law enforcement has no issues with mass surveillance tracking of law abiding citizens in secret without any judicial oversight. But lets turn the tables:

Chicago Police Hid Mics, Destroyed Dashcams To Block Audio
https://www.dnainfo.com/chicago/20160127/archer-heights/whats-behind-no-sound-syndrome-on-chicago-police-dashcams

We need a national, uniform code of conduct for law enforcement with progressively severe consequences for intentional tampering and subversion of official records
1) First offense – verbal warning
2) Second offense – formal written reprimand and unpaid suspension. Probation. Ineligible for promotion.
3) Third offense – termination and automatic referral to district attorney. Police license terminated

Special Circumstances
An additional crime of special circumstances will occur in cases involving death, serious injury or corruption of justice. Police should fight against terrorists not become one!
Logically then, citizens should be able to share these incidents of possible state sponsored terrorism modeled after the CISA law. Are you interested in the TRUTH lawmakers?

ThothJanuary 29, 2016 6:04 PM

@Grey, PGP et. al.
The better option is to use any mail with end-to-end security in a less obvious manner. PGP with the huge PGP message banner is a gove away sign and using a secure email providers like ProtonMail also marks you as a person of interest. The better idea is for a secure email protocol wuth end-to-end encryption like PGP but remove the vulnerability of the huge PGP message banner and also in the header of the PGP encrypted message, make it harder to know the public key recipient involved. One way is to use miniLock file encryption scheme to have multiple public key encrypted headers and recipients have to use their private key to bruteforce and find their session key encrypted block. It would still leak information on how many recipients there are for the message as each recipient have a session key block. One way to stem the leaking of possible amount of recipients is to create fix amount of session key header blocks. An example being a 5 session key header block increment so you can hide 1 to 5 recipients and if you have less than 5 recipients you can fill it with random bytes to fake other non-existent recipient.

The problem comes in dealing with a variety of public key length with some preferring to use 2048 bit RSA and some using 4096 bit RSA and some preferring to use different types of ECC curves with shorter key lengths. This makes it hard and bulky to create the redundant session key header blocks of an encrypted message if it were to have to handle a variety of key length and might leak even more information. One way to fix it is to fix the length of every session key header bkock to the biggest possible key sizes some one might use (i.e. 8192 RSA size but you can go up to 16kb key sizes and more) which trades off redundancy for efficiency.

On the matter of metadata glimped while observing the encrypted MIME email travelling between global mail servers would be unavoidable unless there is a real need to not use the traditional email format and use a specialize secure messaging format.

GreyJanuary 29, 2016 6:23 PM

@Thoth

PGP isn't used by many people and whilst, in my opinion, it is the gold standard of email encryption it is incredibly cumbersome. Providers like ProtonMail handle the decryption - subject to the user inputting the correct password. The obvious benefit to this is that it allows you to search encrypted emails on the server; something that you can't do with plain PGP.

Also these online providers offer an easy to use portal-based system for a non-ProtonMail user for them to log into and decrypt their message. The recipient is provided with the password out-of-band. Obviously there's a degree of trust here but they do make their source code available. Any emails sent without the explicit encrypt flag for non-ProtonMail recipients will receive the message via TLS (subject to support) and you could bake in any additional protection you felt necessary.

The other way of achieving good security would be via a conventional email account using a combination of PGP and S/MIME. A highly sensitive message could be encoded and signed with PGP, then encoded and signed with S/MIME (triple-wrapped). Even assuming compromise of the Certificate Authority you'd still have the PGP to fall back upon. Nothing would protect you if either endpoint was compromised.

No solution seems to fix the omnipresent metadata 'problem' although for most people this I suggest is not so much of a concern contrasted with the other option of having their private emails totally unprotected.

Slime Mold with MustardJanuary 29, 2016 8:11 PM

@Bruce

Regret to inform you that your Squid Lure is, in fact, an octopus lure . The mislabeling is actually acknowledged in the sixth frame (seventh line from bottom): "squid, or rather, octopus..."

The lure is constructed from a cowrie shell. Although they are known favorite of octopi, I cannot discover any squid that eat hard shellfish.

David LondonJanuary 29, 2016 8:13 PM

In case you were wondering how police nationwide manage to kill someone new every shift and get away with it, the nuts and bolts of police impunity is in this and subsequent disclosures:

https://archive.is/8tuPP

Didn't require extraordinary hacking - this is the police, after all - but finally civil society is taking the problem of institutional obstruction of justice into their own hands.

RadioStarJanuary 29, 2016 8:33 PM

@Police Resist When THEY are Tracked

I hate to say this, but there are plenty of good police. One has to always keep in mind statistics when evaluating security issues...

This does not mean the US - and other national - policing agencies and justice systems are not entirely fucked up.

They certainly are.

Yes, you can point out the hyperpower of the US, and the prison statistics which put the US on the same line with the worst totalitarian nations which have ever existed....

But the real problem is that the worst criminals in the world are not those of the sort likely to find themselves in prison.

End.

The entire age has to be reset.

@albert

I wrote a post in a recent thread on drone technology and the problems therein. They are worth repeating. Albeit, in numerous ways, Germany, your country, has many more problems in these regards then the US....


But, to recap, briefly: drones are extremely popular for the amateur market. This is unlikely to change. The primary problem, besides with crashing them, is their battery issues. The core reason why drones are even a thing.

Lithium ion batteries are great, and made the sure in amateur drones possible. After all, RC is hardly new. And loud. Not backyard fun.

But the best of them only last thirty minutes.

So, hydrogen fuel cells is the next wave. And this requires more automation.

Which gets into GPS jamming and spoofing wars....

@Grey

I do use protonmail, but mostly because part of my job is actually *to be surveilled*.

Hushmail is what I depend on for anonymity, which I really consider only a silly card to play to throw people off. Why? Because Hushmail won't turn over their information to anyone? No, because of nyms.

@Comment

... tor...

It should be noted that Roger Dingledine was NSA. Some say of ex-Spook, that they are never really ex.

A poor cover I would say, but...

Dingledine is not exactly the most realistic name I could ever think of, anyway.


Someone else posted somewhere this week about the problem of encryption being it is all amateur and non-governmental driven.

Bzzzt.

Wrong.

It is all NSA driven.....

Not that the NSA is the God people tend to think it is, lol.

ThothJanuary 30, 2016 1:08 AM

@Meir
In fact I believe it is more of the astern Mediterranean including Israel. Not surprise the UKUSA warhawks are monitoring the progress in unstable regions.

Quite surprisiny, all they claimed to have used are open source software suites (Image Magick and antisky) and a whole lot of patience bruteforcing the encryption and managed to break into the encrypted feeds. With enough decrypted feeds, I believe the guys in GCHQ and NSA might already have worked out the encryption algorithms for these feeds long time ago.

RadioStarJanuary 30, 2016 2:34 AM

Meir • January 30, 2016 12:33 AM

The NSA has been viewing encrypted Israeli drone video. The encryption algorithm was presumably strong yet applied to video in a brain dead fashion.

https://theintercept.com/2016/01/28/israeli-drone-feeds-hacked-by-british-and-american-intelligence/

It is just a matter of time before the US goes to war with Israel. Not that I would know, lol... I mean from my own understanding, Israel is basically our little sister we watch after.

So. We struck Iraq and Afghanistan to sandwich Iran. And Isolate our "buddy" Saudi Arabia.

Really.

:-)

This is probably why I actually work Israeli operations, and why I am privy to the fact WE did the Dubai Hit. Which the Mossad fucked up. But, did not hurt us. Which I know, and who else? ;-)

We have to take over all of North Africa and "The middle east". In quotes. Because I also mean Iran.

So, FYI.

Just to let you know the future.

We do not fail. :-) :-)

Really.

:-/

WaelJanuary 30, 2016 4:25 AM

@keiner,

Time is going nuts?

Interesting! Possibly a software update that went bad, like someone stubbed out relativistic time calculations from a new update? It's unlikely a bug in the old software. Just speculating what happened to the 10 minutes...

albertJanuary 30, 2016 10:47 AM

@RadioStar,

RE: Drones:
What's interesting in the CRS drone report, is the fact that the FAA is actually doing something about the drone issue. Hobby drones are low on their priority list, and there's the typical bureaucratic inertia to deal with...but they're trying.
While I don't want to be hit in the face by -any- size drone, a 55-pounder (the maximum weight limit in these regulations) would definitely give you a terminal headache.

With hobby drones, jamming techniques will become more popular and widespread, to the point of becoming dangerous to the heavier and more deadly commercial drones. A fatal (or just serious) drone-aircraft encounter will likely get the lead out of the FAAs efforts.

A simple way to increase loft time, without increasing battery capacity, is lighter-than-air assistance. The disadvantages are obvious, but the advantage of staying aloft for hours is something to be considered.

. .. . .. --- ....


keinerJanuary 30, 2016 10:53 AM

@Wael

I particularly enjoyed the overspecific dementi that no ammunition went crazy over the GPS flaw. Nothing said about drones coming down or navigating out of range...

xyzJanuary 30, 2016 10:55 AM

@RadioStar
The NSA has been viewing encrypted Israeli drone video. The encryption algorithm was presumably strong yet applied to video in a brain dead fashion.

Funny the article only briefly mentions that they have also been viewing video feeds from fighter jets.

It's doubtful that their fighter jets would have had encryption applied in a brain dead fashion.

Wouldn't surprise me if the thought of the article is to hide the true extent of the capabilities (or back doors) used by USA. Thus the Intercept wants to provide you "information" but not really the actual full picture.

Ergo statements about algorithms applied in a brain dead fashion.

hermanJanuary 30, 2016 11:28 AM

@xyz: The US has been listening in to American made planes in Israel. I have not seen any evidence that they listened to any Israeli designed planes though.

ianfJanuary 30, 2016 11:28 AM


OT—I don't know 'bout you, but, judging by description, this 400-page/ €6 ebook “The Kraken Project,” (a novel) by Douglas Preston HAS IT ALL:

    A giant squid; NASA; mission to Saturn; a brilliant programmer named Melissa; a self-modifying thus terrifying runaway AI program called Dorothy; greedy Wall Street traders in hot pursuit, of; a veteran CIA agent; Northern California; cancer.

C U AnonJanuary 30, 2016 11:57 AM

Albert and xyz, trolls should not be fed at any time. Like bears if you feed them they quickly become a public nuisance and liable to cause significant harm.

recursive joinJanuary 30, 2016 2:20 PM

@Thoth, @Grey

Protonmail from a different tack..

There are benefits to using services like protonmail other than as a means to ensure ones privates stay private. As intuitive as that pursuit is - and acknowledging that one could very well find oneself in a situation where absolute anonymity determines ones immediate life/liberty/fortune - and as much as this may be your particular situation (or simply your passion) - this is not the case for most people. But that doesn't mean there isn't still value in using protonmail.

Besides the benefit of enhanced privacy, by using services like protonmail (in conjunction with the many other similarly privacy-promoting technologies) the individual makes a political/social statement. The same way they make a statement simply by NOT using privacy infringing technologies. The mere use (or not) of any particular product or service promotes (or not) the ideals/finances of their providers. I realize that one doesn't always have workable alternatives. But where one does, they should ensure they use them - even if the only benefit is the statement that use makes.

As an example, imagine the impact of the message that would be communicated if most people started using TOR for their day-to-day browsing and ceased all activity on Facebook. Not because they were a spy, wanted to protect trade secrets, conceal criminal activity, or participate in some illicit rendezvous. But simply to communicate to commercial/governmental interests that they value privacy.

I can't help but think that for most people in most situations, it's better than not to promote privacy enhancing technologies by regularly using them. Even if that means they "stand out" and become a person of interest. I mean, so what? If some TLA actually does go to the trouble of looking at most people, all they're likely to glean is what is already obvious to everyone else; that they're idiotically wasting their time and our money.

The more "persons of interest" average folks become, and the more incrementally difficult it becomes to see what they're saying, the more mass surveillance becomes disinteresting.

Clive RobinsonJanuary 30, 2016 2:54 PM

The non existant ISIS encryption app

I don't know what to make of this.

Various media organisations have mentioned that IS had a secure mobile phone message app, which I was a bit suspicious about for various reasons.

Well it appears others were suspicious as well, and went on the hunt for it...

They found not a lot except some group called "Ghost Security Group," that claims to have relationships with Western Counterterrorism interests and the media...

http://www.dailydot.com/politics/isis-alrawi-encryption-messaging-app/

The article makes interesting reading, and the FBI's James Comey and other prominent in the media US persons get mentioned over their quiet suspect claims about terrorists using encryption.

So the question arises about Ghost Security Group, who or what are they. Currently they are looking like a fake group trying to provide faux information to be used as propaganda for various LEO / IC political interests in the US and UK.

ianfJanuary 30, 2016 3:57 PM


@ Clive, a month ago @thegrugq wrote an somewhat detailed analysis about the [jihadi, not simply ISIS'] “Cyber Terrorists Who Can’t Cyberand who can’t hack for shit.” Choice cuts, but worth reading in full:

    The Islamic State’s is running out of hackers after the US announced the death of the Bangladeshi Siful Haque Sujan, [who] was possibly the top ISIS hacker. [He] appears to have had technical literacy, and maybe even knew how to program, but he does not appear to have had cyber security skills. It seems likely that he gained the ISIS hacker mantel by simply being a “computer guy” at the ISIS shop. The most specific the Western forces could come up with for a description for his hacking responsibilities was “anti-surveillance,” i.e. he read privacy manuals. […] ISIS has not had much luck conducting offensive cyber attacks. The biggest hack attributed to the ISIS hacker crew — Cyber Caliphate — was the TV5monde hack, but it was actually a false flag operation by Russia. Even if it was actually ISIS affiliated hacktivists, it is no more impressive than any other hacktivist attack (i.e. low skill).
https://medium.com/@thegrugq/cyber-terrorists-can-t-cyber-144406a2d78b

ianfJanuary 30, 2016 7:09 PM


More acute insights from @thegrugq on ISIS/ terrorist field communications that manage to stay ahead of traditional, inertia-laden counter-surveillance. Long story short: encryption is neither used, nor does it matter.

First this preamble: two months ago, in the wake of the November Paris attacks, while flipping the cable channels, I came across Glenn Greenwald speaking about then-topic-of-the-day, which was giving the police all sorts of powers to decrypt electronic messages of terrorists. He said something very acute, that, however, seems not to have trickled down to other mass-media (perhaps the small-audience footprint of "France 24 in English" channel was here to blame).

    GG said that "terrorists have no need to talk on the phone to one another, because they plan their attacks face-to-face… it has become family affairs… look at the Kouachi brothers; the Tsarnaev Boston bombers; Abdelhamid Abaaoud and his "cowgirl" cousin in Molenbeek…" [paraphrased from memory]. Stands to reason [@ Name & Who? take note].

Now, from @ thegrugq about use of common chat apps by the terrorists:

[…] Suspected terrorists in Europe, young men, are playing online video games with their friends, some of whom are also suspected terrorists. These games have chat functionality. Security forces are caught off guard as no one was thinking of FIFA 15 as a terrorist communication tool. The reality is, almost anything young people use today allows them to chat with each other. This is less an encryption problem than an overabundance of communications options available to, and used by, young people.

    […] “The phone tapping yielded nothing,” Marc Trévidic, the chief terrorism investigator for the French judicial system, said in an interview. […] No one talks on the phone anymore” [thegrugq's own emphasis]
Also read “Generation Jihadi 2.0,” thegrugq's analysis of cheap-but-seldom-effective vs. field-directed-hence-deadly terror methodology, that last deployed in November in Paris.

One of ManyJanuary 30, 2016 7:55 PM

From:

https://www.eecis.udel.edu/~vijay/BLAST/Lesson_5.html

"There are four basic types of camouflage:

Concealing Coloration: when an animal hides itself against a background of the same color.

Disruptive Coloration:

The stripes, spots or other patterns on some animals are used to make it hard for other animals to see the outline of their bodies.

A herd of zebras crowded together might look like one large mass to a lion rather several zebras. This makes it hard for the lion to single out a weak zebra and come up with a good plan of attack. Also: The zebra's stripes also helps it hide well in tall grass from the lions. Even though the a zebra's stripes are black and white, whereas the color of grass is green or brown, the stripes also provide effective camouflage because lions are color blind!


Disguise: This is like concealing coloration except that the animals blend in with their surroundings by their shape and/or texture rather than color.


Mimicry: Animals that use mimicry are imposters. They mimic the characteristics of unappetizing animals. A monarch butterfly is toxic and unappetizing to birds. Viceroy butterflies safeguard themselves from birds who prey upon them by looking a lot like monarch butterflies. "

Device users need to choose their own style of camo. Personally I think Zebra stripe would work well against mass surveillance. How can the predatory government, corporation or other crook zero in on a rogue zebra, when they all look alike.

Today opsec lesson:

Be like a zebra.


Or, at least RTFM above on camo and apply according in your daily struggle against "them".

Alien JerkyJanuary 30, 2016 8:44 PM

My thought of the day:

Being paranoid, but wrong, is better than not being paranoid, but wrong.

hoodathunkitJanuary 30, 2016 10:56 PM

Zebra stripes? You are so wrong; so very, very wrong:

"First of all, stop using the zebra as a symbol of something that is daring, exotic or eye-catching. . . . . Secondly, be wary of misconceptions or biases you might be bringing to your work. The theory that zebra stripes offer a form of camouflage has lasted for more than a century. . . . Finally, and here’s probably the most profound insight — if you’re an innovator, it’s worth questioning all the bizarre legacy processes in your company. There’s probably a good reason why things are the way they are, even if you can’t figure it out right now. In the case of zebras, of course, these bizarre legacy processes are those stripes."
https://www.washingtonpost.com/news/innovations/wp/2016/01/28/what-zebras-and-their-mysterious-stripes-can-teach-innovators/ or just Goggle the news on zebras.

WaelJanuary 31, 2016 2:43 AM

@Alien Jerky,

Being paranoid, but wrong, is better than not being paranoid, but wrong.

Sometimes being paranoid and right happens more often than you'd think.

Paranoid ... :
and right!

Not paranoid ... :
and wrong.[1]

[1] For those who don't know, Bob Ross is the instructor in the cartoon.

CuriousJanuary 31, 2016 3:36 AM

Has anyone evaluated to what degree ECC crypto is backdoor implementation friendly compared to other crypto solutions? I wrote crypto solutions as I don't quite know what to compare ECC with, not being a cryptographer.

Who?January 31, 2016 6:04 AM

Talk from Rob Joyce, head of the Tailored Access Operations (TAO) team at the National Security Agency, about how we can avoid NSA surveillance:

http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_protect_your_network_from_his_minions

Common sense, and a bit depressing too—we have to know our network to protect it, is there any chance to achieve this knowledge with technologies like Intel AMT running everywhere?

It would be nice to know what experts on this forum think about his talk.

Who?January 31, 2016 6:27 AM

Pushed the "submit" button too early.

Want to add that what worries me is that there are are too many different malware classes detected. I understand that Intel Anti-Theft and Computrace are identified as suspected malware but the rest... aren't these too many entries to be just false positives?

UhuJanuary 31, 2016 6:40 AM

@Ianf: A counter example to Generation Jihadi 2.0: The Norwegian right-wing terrorist managed quite a tally on his own. And if the Americans weren't in that train (purely out of chance), that attempted attack might have ended quite a bit different as well. I for one am quite glad that the people attracted to daesh are, so far, not too bright.

UhuJanuary 31, 2016 6:44 AM

I like this quote from the movie After Earth (2013):
Fear is not real. The only place that fear can exist is in our thoughts of the future. It is a product of our imagination, causing us to fear things that do not at present and may not ever exist. That is near insanity Kitai. Do not misunderstand me, danger is very real, but fear is a choice. We are all telling ourselves a story and that day mine changed.

(or just "Danger is very real, but fear is a choice.")

I read it as "The danger of terrorism is real, but attacks are not necessarily as likely or as successful as one would fear."

Clive RobinsonJanuary 31, 2016 7:56 AM

@ Who?,

It would be nice to know what experts on this forum think about his talk.

I read the article a few days ago and thought "stating the obvious", but then I've been thinking about this sort of problem for a third of a century or so from one aspect or another.

I started out finding and exploiting attacks of the sort you find in the TAO catalogue. Only I've had quite a few years head start on them in some respects.

I Then found out where some of the kit I'd designed ended up (stealing IP) and as a result I started to think about "how do I protect me?" from such state level worms.

You have to consider the whole computing stack from the -X physical layers through the users/managers (8), market (9), legal (10) and up.

The problem with the -X physical / hardware layers is "bubbling up" issues into the higher layers. The simple fact is you can not realy trust the PC hardware from this century, thus you have a serious issue as old hardware becomes scarcer and scarcer with time.

Thus you have to look at other hardware sources or instrumentation and mittigation.

Other hardware sources are microcontroler chips upto around 2010. Many of these at around 1USD each are more powerfull than minicomputers that the likes of BSD Unix was developed on. Thus if you know how to port early Unix (the source and other info is out there) and are happy with the command line and no networking then you can make a secure four terminal unix system or something similar (striped back plan 9 might be better).

You also need to think about what "Bastion Hosts" and "DMZ" networks are realy all about. You also need to research how you deal with security levels using data diodes / sluices / pumps / etc.

But to get to grips with that you also need a reasonable degree of knowledge on TEMPEST / EmSec design philosophy and physics.

As I've pointed out in the recent past "air-gaps" are insufficient you realy need to think "energy-gaps" and "human data diodes" if you are looking at the higher security levels.

But even this is not going to stop the high end snoopers who have effectivly "backdoored hardware" in the chips, the supply chain or by black bag job.

The way to deal with this is by mitigation and instrumentation, which is a quite involved subject.

Not being funny but one of those 1980's "fall out shelters" deep under your house is a good place to start if you want the higher levels of security. Building systems in safes with "auto zero" and other "bug-out" protection is another aspect of this along with the equivalent of SCIFs etc.

None of which of course helps with communications issues, which are an even bigger heap of problems.

But you also need to

rJanuary 31, 2016 9:44 AM

@all,

Clive is mentioning early bsd or a stripped down plan9 as embedded options for non standard hardware families... I would like to point out that NetBSD specifically has done the work and runs on like 30? platforms. It may make for a good starting point or reference.

WaelJanuary 31, 2016 10:04 AM

@r, ...,

Clive is mentioning early bsd or...

*BSD would be my choice for embedded projects. BSD support is one of the things I look for in new hardware. The topic has been discussed on so many occasions.

rJanuary 31, 2016 10:09 AM

Some of which like the m68k lack an MMU ofc (i think this is basically to what Clive is referring). You can source Motorola compat chips from just about everything. In addition to the official docs there's been lots of r/e work on the families think 6502 68k... Some of them have even made it into the ECU's of vehicles in the last 20 years.

So they are likely to be accessible, programmable, light weight, low power, industrially hardened & resistant to the environment.

You just gotta know where to look I suppose.

WaelJanuary 31, 2016 11:01 AM

@r,

I've had to find bsd support in old hardware. :)

One disappointing thing about *BSD is lack of support to newer hardware. Linux is far ahead in that respect. I still like BSD more. If I had enough time and money to retire (unlikely, since it looks I have to work until I kick the bucket[1]) I would start my own BSD based project.

[1] Kick the bucket: die, croak, checkout, retire, push up daisies, expire, get recycled, to take a dirt nap, .... Reminds me:

Kids to their grandfather: Grandpa, Granopa! Please croak like a frog!
Grandfather: Why?
Kids: Daddy says we'll go to Disney Land when your grandfather croaks :)

rJanuary 31, 2016 11:12 AM

@wael,

And if you lived where I lived you could buy your own house for a dollar. :)

I'm really hoping two things happen, #1 being Detroit has a renaissance... And the second being I get my butt in gear.

rJanuary 31, 2016 11:21 AM

@wael,

Also: fragmentation isn't always good the people in charge of the existing strains are qualified so if you don't have the time for your own branch, one can still contribute.

Ideas, patches, optimizations, hardware, requests.

BSD is ripe for commercial exploitation too.

It's funny what you said about bsd v Linux, that's how I've felt about Linux v Windows over the last 20 years... that specific gap is closing though.
I still don't think it's a proper argument against bsd, the rate at which Linux is introducing code and features leave the barn door open it makes me nervous...

SkepticalJanuary 31, 2016 4:14 PM

Clive, my understanding is that ISIL uses commercial and open source applications, but it's hardly surprising that ISIL would either rely on strong encryption or that this might actually pose a problem.

Should ISIL's cyber group still be operational, it would also be unsurprising if they were to attempt to develop their own applications. This would increase their stature within ISIL, and increase the reliance of others in ISIL upon them. In other words, there are strong self-interested incentives for individuals and groups within ISIL to develop such an application.

Of course, there are plausible scenarios in which the incentives of such a group might weigh against such actions, or in which other forces within the organization have cut off that avenue of advancement for them. So who knows. My point is simply that in the absence of contradictory information, it would be a strong hypothesis.

Regarding Glenn Greenwald's argument, he doesn't seem to understand the double-edged nature of it. The "family nature" of the ties between operatives in certain terrorist groups or conspiracies increases the difficulty of recruiting human sources of information within those groups - which makes other forms of surveillance and intelligence even more important.

While they may try their best to never utilize modern communications or technologies... to the extent they succeed, their operational capabilities will be drastically curtailed, and they will be unable to adjust quickly or in a coordinated fashion to unexpected circumstances. Their plans become static, rigid, and small. But it's not only the group itself that must practice such discipline - so too must their suppliers, those who know them, those they speak to, etc. And they will not know of their compromise until it is too late, if they ever learn of it at all.

(On the subject of ISIL and Syria, though, an interesting story surfaced in the last couple weeks regarding a request from Russia, communicated via the then head of the GRU in early December, to Assad, asking him to step down from his position in the near future. Although the Russian Government initially refused to comment on the story, Putin eventually denied it when asked directly. However, the story fits extremely well with Russia's operational style, and it fits with Russia's interests in Syria. Perhaps another episode of unexpected coordination between the US and Russia lies ahead.)

As to the "great debate" regarding the extent to which communications or information storage immune to government interception or decryption is a desired feature for widely available products - I think the answer continues to be highly contingent on particular facts which are not yet known. Fortunately as a policy question, it may not urgently require an answer, which allows space perhaps for policy experiments, and greater thought and research, to be given to the matter.

But as a matter of ethics, I would think that any individual or organization has a moral obligation under certain circumstances, if within their power, to enable the interception or decryption of particular communications or information. Surely we can all agree on that much.

PetterJanuary 31, 2016 5:06 PM

It seems that the DHS firewall system, the National Cybersecurity Protection System - aka EINSTEIN barely does it job.
The system scans for known signature to detect attacks but fails to detect 94% of the the common software vulnerabilities...

"Of five client applications reviewed — Adobe Acrobat, Flash, Internet Explorer, Java and Microsoft Office — the system was able to flag, to some extent, only 6 percent of all the security bugs tested. That’s 29 out of 489 vulnerabilities."

"“Regarding zero day exploits,” Homeland Security officials stated “there is no way to identify them until they are announced,” the report states. Once they are disclosed, DHS can mold a signature to the attack pattern and feed it into EINSTEIN."

"For example, the system can block malicious “domain name system” servers and filter emails, but “there are other types of network traffic (e.g., web content), which are common vectors of attack not currently being analyzed for potentially malicious content,” the authors said."


http://www.defenseone.com/technology/2016/01/us-homeland-securitys-6b-firewall-has-more-few-frightening-blind-spots/125528/?oref=DefenseOneTCO&&
http://www.nextgov.com/cybersecurity/2015/11/secret-dhs-audit-could-prove-governmentwide-network-surveillance-isnt-really-governmentwide/124018/
rapporten: http://www.gao.gov/assets/680/674829.pdf

Sancho_PJanuary 31, 2016 6:29 PM


@Skeptical

”But as a matter of ethics, I would think that any individual or organization has a moral obligation under certain circumstances, if within their power, to enable the interception or decryption of particular communications or information. Surely we can all agree on that much.”

Glad we agree on the ethical correctness and moral obligation of spying and uncovering secrets “under certain circumstances”:

There is no crime, no ruse, no trick, no fraud, no vice which does not live by secrecy. Bring this secrets to light, unveil and ridicule them to everybody. Sooner or later the public opinion will sweep them out.
Publication may not be enough - but it is the only means without all other attempts will fail.

(Joseph Pulitzer 1847-1911)

[Apologize my attempt to translate, didn’t find that in English]


@Moderator: 418 unused - The server encountered an internal error ...
(for several minutes)

Clive RobinsonJanuary 31, 2016 7:03 PM

@ Skeptical,

But as a matter of ethics, I would think that any individual or organization has a moral obligation under certain circumstances, if within their power, to enable the interception or decryption of particular communications or information. Surely we can all agree on that much.

It would be nice to think so, unfortunatly there are several flys in the ointment.

Firstly as you know there is no requirment for LEO's to tell the truth to anybody but judges and certain parts of the legislature. The fact LEO's regularly get caught out telling at best half truths to judges at worst very much purjury, must make you wonder what they would say to those with access to keys etc.

Secondly LEO's always have a "no tipping off" clause, thus those asked to make moral choices hear only the information LEO's decide to present them with. Which on current knowledge is inadiquate for a moral judgment to be made.

Thus I would argue that if it is known that LEOs making requests have lied then they have no ethics. In a court case the "fruits of the poison vine" doctorine would apply. Which logicaly means that the only "moral and ethical" choice is to deny them.

LEOs should be held to way way higher moral and ethical standards than ordinary people because of "the imbalance of arms" and the significant harms they can cause by even very minor deviations from high moral and ethical standards.

Unfortunately LEOs are rarely if ever held to any kind of moral or ethical standard even when it has been clearly demonstrated that they have lied to judges or presented evidence they know to be false...

The only ethical or moral action to take is to design systems such that you can not be put into a position where you come under any kind of duress.

It has been shown to be a huge myth about "going dark" and this alone should give people pause for thought (it is afterall LEOs lying and not being held accountable).

But "eavesdropping" or "surveillance" flys in the face of justice as does the use of "agent provocateurs" and "confidential informants", people have certain rights that should not be easily or recklessly set aside, and those that use deception to do so should be heavily punished.

The citizens should be able to "trust" the Government and it's agents and entities such that any interaction with them.should not just be legal but fair and without malice. Having uncertainty or doubt about if they can be trusted is a significant and chilling issue for all citizens.

I certainly have little faith in many of the UK's agents and entities, and have found some who are without doubt malicious in their actions. I suspect that a number of this blogs readers / commenters can also say that they "have little or no trust" of their Government. In such cases I can see good reason why third party "ethics and morals" do not and should not be questioned, and therefore there should be no way that such Government entities and agencies can lay such a duty with sanctions at a third parties door.

Slme Mold with MustardJanuary 31, 2016 8:07 PM

@Quite Funny

Can you name a Secretary of Homeland Security who claimed that she did not use email ? I did not find that credible at the time, after all, I know who Richard Windsor and even Diane Reynolds are.

We should not be surprised when a FOIA request is returned with the notation "no records responsive to your request were located" as Cheryl Mills, (Hillary Clinton's Chief of Staff while she was Secretary of State), responded to the Committee for Responsibility and Ethics in Washington (CREW) which specifically asked about aliases. Cheryl Mills had sent hundreds of emails to Clinton at her @clintonemail.com address and copied Clinton on this very request.

Quite Funny? Not so much to me.

tyrJanuary 31, 2016 8:30 PM


@Clive et al,

https://medium.com/real-life-stories/the-fire-alarm-is-ringing-what-are-you-waiting-for-87e825bd5a71#.gxzzz7z3c

I was struck by the beginning of this piece and
wondered how much of our problems with computer
security revolve around the same thing. Hoping
it will go away if we just ignore it long enough.

By that I mean trusting things far past their due
date on trust, since we know they are already in
a state of compromise. Why not do something? Is
it because we hope it was just a false alarum or
we can somehow put the evil genii back into the
bottle and continue to pretend it's not broken.

The story is also the essence of evolution in a
capsule, survivors survive. No amount of teleological
maundering or ideological absurdities will save the
ones who didn't respond correctly to the environment.

rJanuary 31, 2016 8:46 PM

@tyr,

You made me ask myself, what percentage of people never change their oil or check their tire pressure? Do they change it when a warning light or new sound is noticed? How long do they wait between noticing and visiting a qualified mechanic?

GrauhutJanuary 31, 2016 9:37 PM

@Clive, Who:

My personally preferred quickshot is bsd on allwinner a10/20 soc boards.

If you want to know how much a fresh install system talks, have a network limbo in your lab, two cheap routers (i prefer cheap openwrt patchable ones) and a cheap websmart switch with monitoring capability between them (mostly cheap tp-link crap, all together 50-100$ for a 1ge limbo route).

testobject
|
router1
|
switch - Network recorder on monitor port
|
router2
|
vpn
|
edgerouter
|
inet
|

In such a setup only testobject initiated traffic is visible between router1 and 2 and the testobject is isolated from your local net between r2 and edgerouter by vpn.

Sniff your stuff, will teach you a lot about it. :)

Alyer BabtuJanuary 31, 2016 10:05 PM

The near omnipresence of Disqus as the only way to comment seems invasive. Disqus's ubiquity and its comprehensive tracking means they can aggregate and analyze and probably identify most of the commentariat.

RadioStarFebruary 1, 2016 12:11 AM

@xyz

It's doubtful that their fighter jets would have had encryption applied in a brain dead fashion.

I don't think so. Could be implementation. Who would ordinarily be looking to hack such things, ordinarily? Their enemies are pretty stupid, and western powers are not their enemies.

Probably there are extensive security vulnerabilities in american jets as well.

Certainly ones which could be overcome by a dedicated nation state hacker.

(Note: as to my other statements in that post, that was a crock of shit, I was drinking, and don't even remember writing that crap.)

RadioStarFebruary 1, 2016 12:29 AM

@C U Anon

No, that was not "trolling", that was two posts drunk, before I had the good sense to go somewhere else. They were heavily sarcastic replies, yes.

Which I should avoid making in a place like this, lol...

@albert

With hobby drones, jamming techniques will become more popular and widespread, to the point of becoming dangerous to the heavier and more deadly commercial drones. A fatal (or just serious) drone-aircraft encounter will likely get the lead out of the FAAs efforts.

Could be, though the more serious drones, the military ones, have anti-jamming in them. The reason the DHS got jammed is because they obtained cheaper drones without that technology.

Don't know much about the ins and outs of jamming beyond that, except there are three gps systems systems which look to reliability use (Russian, chinese, and American). GPS has a very low power signal, so they probably do some trickery there to ensure that anything which is coming from the wrong direction or has a higher power signal is ruled out.

Amateur, or more likely, commercial jamming solutions should not take off the ground, as it is so highly illegal and trivial to track...

I suppose a saving grace with the hobby drones is their limited fly time, and that the more sophisticated systems auto-ban areas near airports.

(But as the systems are related at least to open source, they could be easily hacked.)


Clive RobinsonFebruary 1, 2016 1:23 AM

@ tyr,

Hoping it will go away if we just ignore it long enough.

There are evolutionary reasons why people do this.

Take "rain" for instance, peoples behaviour to it varies and slowly changes with time. Some people will not leave the building even in mid summer unless they take an umbrella or coat. Others however will in the winter "pop out" in shirtsleeves even in heavy rain, if it looks for a moment like it's going to let up.

In most places rain is more of a nuisance than a threat to life, and experience tells us in temprate climates rain is usually "short lived". Men are way more likely to discount the issue of getting wet more than women.

It's the same for nearly every "normal experience" in life, things change and from our perspective more often for the better than the worse. Because we tend to remember bad to good changes rather than the other way around (the "glass half full/empty" effect). It usually has to be a very major life changing event for most people to behave differently. Thus the safer we perceive our environment the less likely we are to react to rare or unknown risk, unless startled.

Which is the crucial point, our concious mind in most cases over rules our monkey brain that causes the "flight instinct". Evolutionary wise it makes sense in herd animals to keep eating rather than burn a lot of scarce energy taking flight. The herd provides normality and for the majority low risk, because preditors are actually few in comparison to the numbers in the herd, and thus as a prey animal you are generaly safer in the "target rich" herd than you are on your own.

For most of us a fire in the place we work which effects us is a very very rare event, as are floods mud slides and other environmental effects that can harm us... Thus "waiting for it to blow over" is actually the normal / sensible response based on life experience...

Exceptional and mechanical events hurt us because contrary to what we experience normally they don't improve, they just get worse till it's "too late".

I've actually seen proposals to resolve these issues where by the audible and flashing alarms are made so loud and so bright, they will make staying physicaly painfull. In one case an audible alarm being so loud it could actually damage your hearing if you got within a couple of metres of it... And guess what, in testing people still did "the herd thing"...

Clive RobinsonFebruary 1, 2016 1:34 AM

@ Grauhut, who?,

Sniff your stuff, will teach you a lot about it. :)

Instrumentation and mitigation, are my prefered methods of dealing with potential threat routes after "do not connect".

The system you outline is similar to the one I call "the garden path" method, for home users, to get around issues to do with ISP router backdoor behaviour.

keinerFebruary 1, 2016 1:59 AM

@Grauhut

I simply put such devices on an own network (router with pfSense and 3 or more NICs) and put a Linux box with two bridged NICs between the device and the router.

Let Wireshark listen on the bridge of the Linux box.

Do you see any advantages of your setup over this construction?

Clive RobinsonFebruary 1, 2016 4:11 AM

@ keiner,

Do you see any advantages of your setup over this construction?

It depends on your viewpoint, a single PC is a single point of weakness two routers, a data diode to an instrumentation PC is three devices, thus three points that have to be attacked.

That then brings up the "hardening" issue, which solution is going to be easier to defend against aknowledgable attacker?

If a "cut wire" data diode is used to the instrumentation PC then "from the unsafe zone" on the public side of the first router it is going to be very dificult if not impossible to detect and therefore enumerate. Which means that potentialy your instrumentation will be either left alone or pick up "blind attacks" against it as well as the second router behind which sits the device you want to protect.

keinerFebruary 1, 2016 6:12 AM

Hmmm, my setup is primarily to watch devices "phoning home" or other strange behaviour regarding internet activity...

Inside Threat ModelFebruary 1, 2016 6:53 AM

@Quitefunny
Looks like darktrace?
If it is darktrace, it would fulfill every opinion I had on the product.

CuriousFebruary 1, 2016 9:42 AM

Off topic I guess:

"‘Eyewash’: How the CIA deceives its own workforce about operations"
https://www.washingtonpost.com/world/national-security/eyewash-how-the-cia-deceives-its-own-workforce-about-operations/2016/01/31/c00f5a78-c53d-11e5-9693-933a4d31bcc8_story.html

"But others cited a significant potential for abuse. Beyond the internal distrust implied by the practice, officials said there is no clear mechanism for labeling eyewash cables or distinguishing them from legitimate records being examined by the CIA’s inspector general, turned over to Congress or declassified for historians."

It is unclear to me just what might be faked. From the article, it seems like this is about either "internal memos" and "cable traffic".

The article does afaik not reference any specific sources for this information, other than referencing "current and former U.S. officials".

Makes me wonder if there could be fake reports about fake reports, as if there could be no accountability or trusthworthiness with filed documents at all.

Bob PaddockFebruary 1, 2016 10:44 AM

@Clive Robinson

"The simple fact is you can not really trust the PC hardware from this century, thus you have a serious issue as old hardware becomes scarcer and scarcer with time."

They will be around for a long time, perhaps not in a quantity that is useful.

Everyone here might find these old Big Iron machines for intrest:

These are photos I took of the Large Scale Systems Museum (LSSM), Dave McGuire President/Curator, in New Kensington Pennsylvania on January 30th 2016.

See the quick walk through video: https://youtu.be/n9zCQMtYvj8

Still photos of the machines inside and out:

http://bpaddock.com/doku.php/lssm/start

The IBM 370 shown in the last shot runs at less than 4 MHz and is faster than Windows 8.1 at 3 GHz. Sad. I don't use Windows on my own systems...

The Museum is not officially open to the public yet. It is expanding to two floors.

CuriousFebruary 1, 2016 12:19 PM

Something I saw on twitter:

"Subject: Socat security advisory 7 - Created new 2048bit DH modulus"
http://www.openwall.com/lists/oss-security/2016/02/01/4

"In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime."

I am no expert and can't comment on this, but I am guessing that even though p was hardcoded (bad enough?), it should perhaps had been a prime number?

X-RayFebruary 1, 2016 1:02 PM

@Curious


"eyewash"

I do not have much moral bones about that article, even if it does state that there are laws against entering disinformation in official reports. Because that is basic security, and not all laws are equal.

Contrast that with the issue of CIA torture, or with the looming issues of dragnet surveillance by other agencies (and state and local). I really do not think the issues compare, even if that does mean maybe State cable leaks or FOIA reports may have inaccurate information in them.

Perhaps, at worst.

Going to funerals for people who did not really die is not seriously a real problem for intelligence. How else can you reset your name or go truly undercover.

Interesting article, but I doubt much of what is reported there is the "real truth". Too much is compartmentalized, too much is secret, nobody would really know. Even the highest of administrators or the oldest of workers would never know much of anything, not simply from a secrecy level, but from a level of "there is too much" for them to know.

Out of touch top executives is not a problem only governments face. Though, with very old and very large organizations swamped with bureaucracy, surely, it is there the most daunting sort of problem.


rFebruary 1, 2016 2:35 PM

@Clive, grauhut

If you guys end up seeing this, what you guys are talking about a the router interception is good for wired for sure... But not so much on the topic of nation state, what I'm always paranoid about is a wireless transceiver in monitor more sending out low power packets with intentionally bad checksums. I guess I need to put my ears real close to the device for that w Wi-Fi huh?

GrauhutFebruary 1, 2016 2:58 PM

@Keiner: If you dont use learning routing engines, only static routes, a two router setup is much "quieter" in the test zone since none of these routers knows "for sure" what all is behind the other. Try it if you have some spare hardware for a test. Less noise, less triggers, sharper signal.

But your setup is of cause legit, if you know how to silence potentially triggering os generated packet activity on your linux bridge and freebsd router to near 100% silent (not trivial). You could also tcpdump directly on the pfsense routing Firewall. My home and lab nets are a little too crowded, lots of broadcasting etc. and i dont like to poison tests, i want to know what a box sends without being triggered by others.

But maybe i am simply sometimes too anal with snr if i test new software on dial home "features". :)

GrauhutFebruary 1, 2016 3:09 PM

@r aka Gnu S: Of how much value are you as a target? Should be easy for you to calculate with that nick :)

If some TAO guy comes with a manipulated cable to you in order to bug your TFT... Then you're already lost since they dont send a man if they can send a network rocket (bot) and if they send a human investment they send some physical security with him. :D

rFebruary 1, 2016 5:11 PM

No value here, a) I retired b) I'm no longer ahead of the curve c) because I'm mindful of being mislabeled by my government. It's bs the chilling effects laws have on even those responsible but what is one to do when you flirt with being labeled an international arms dealer or unlicensed vendor?

But I do appreciate you guys humoring me.

Just because they're not after you, doesn't mean we're not targets of opportunity: the question is also much bigger than just the omnipotent, there's others. Lots and lots of others.

Back from The Farm (E-i-E-i-O!)February 1, 2016 5:42 PM

Skeptical is trying a new angle to avoid being full of shit. This one involves floating off into empyrean levels of meaningless abstraction, then deductively proving that angels or equivalent entities dancing or otherwise capering on the heads of pinlike or less-than-blunt objects ought in principle to be potentially subject to surveillance by a benign and/or omniscient prime mover, should we grant that one exists.

And still the poor sod manages to stomp the blivet.

Skeptical ventures out into the world and immediately falls for yet another interesting story of the fall of Assad. Skeptical's insider sources have informed him that Assad's successors will be alien lizard men who David Icke identifies by wearing special maser-polarization hypergoggles. Skeptical is just so heart-warmingly gullible when his own cherished government dupes him. Then, having shown himself a total nube sucker for US government disinfo, Skep tries again to play the spy with this "family nature" nonsense. Skeptical's clearly dumb enough to work for CIA but his fake Walter Mitty leaks are extra clueless. Nobody told him how the Safari Club works.

He really is the perfect dupe to fall for all that lawfare shit.

ytirucesFebruary 1, 2016 6:30 PM

so it looks like the developers at Microsoft never checked whether their beloved browser works as coded? or is this intentional and now they are in PR-damage-control mode?

Stop using Microsoft Edge's InPrivate mode if you value your privacy
http://betanews.com/2016/01/30/stop-using-microsoft-edges-inprivate-mode-if-you-value-your-privacy/

Somewhat counterintuitively, Edge actually records browsing history in InPrivate mode. More than this, by examining the WebCache file it is a relatively simple task for someone to reconstruct full browsing history, regardless of whether surfing was performed in regular or InPrivate mode. These were the finding of infosec expert Brent Muir.

Windows 10 - Microsoft Edge Browser Forensics
http://bsmuir.kinja.com/windows-10-microsoft-edge-browser-forensics-1733533818

>Christopher Soghoian says:Pretty easy @FTC case.>
https://twitter.com/csoghoian/status/694255902292049920

FarSideFebruary 1, 2016 11:15 PM

@Who?


Analysis of latest firmware upgrade on the Lenovo ThinkPad T430s:

https://www.virustotal.com/en/file/0381a9d007d7c6343e1f9adcf7879fb07c6fa8cf45bbbd415769e6cfa938c751/analysis/1454242074/

Current results seem to be that the firmware is completely good:-)

VirusTotal says: Detection ratio: 0/54

So maybe they were just false positives(?)

Although the results under "File detail" tab do seem interesting.

One of the PE files listed (under the message "This ROM BIOS images not only contains standard BIOS Portable Executables, but also Windows OS executables") uses this root certificate:
CN=VeriSign Class 3 Code Signing 2009-2 CA

This certificate might be the same one that Google said they would stop supporting; Symantec had requested this so that they will no longer be obligated to abide by the Baseline Requirements for it.

Google post about this here:
https://googleonlinesecurity.blogspot.it/2015/12/proactive-measures-in-digital.html

ThothFebruary 2, 2016 6:26 AM

@Curious
In the terms of Diffie-Hellman KEX, P and G are public Prime and Generator values needed to calculate a shared secret. Hard-coding P and G is a common practice and with a large enough private key, it is safe to hard-code P and G. The problem with P not being a prime number when it is suppose to be a P (prime number value) defeats the purpose of having P. This is not a fatal mistake that will leak the private key. It will only cause irritation when trying to use DH-based KEX beause ... P is not prime number ...

They should use the standard Diffie-Hellman Groups recommended in multiple RFC standards with large enough private key size (>= 2048 bits) instead of trying to generate and P or G and find out that those aren't prime numbers. The security is not in the obscurity of public values but in the strength (key size) and secrecy of the private keys.

JacobFebruary 2, 2016 2:10 PM

Bruce, I wonder if you could blog on the new US-European "safe-harbor" agreement reached today.

A point of concern is a possible US self-interpretation of various clauses in the agreement and gaming the words e.g. spying for criminal activity, not for the limited "national security purposes" as in the following section:

"For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms"

Ref: http://money.cnn.com/2016/02/02/technology/data-privacy-europe-us/index.html

CuriousFebruary 2, 2016 2:57 PM

Off topic:

Btw, there was an explicit reference to Edward Snowden in one of the new X-Files episodes (I think it was ep.2). The context was someone working for the government, basically stating an intent to prosecute whistleblowers forcefully, to which Mulder quips and mention Snowden's name.

Btw, episode three of 2016 was very silly imo. I really didn't like that one.

Able DangerFebruary 2, 2016 3:26 PM

Crypto flaw was so glaring it may be intentional eavesdropping backdoor
http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/

An open source network utility used by administrators and security professionals contains a cryptographic weakness so severe that it may have been intentionally created to give attackers a surreptitious way to eavesdrop on protected communications, its developer warned Monday.

Socat is a more feature-rich variant of the once widely used Netcat networking service for fixing bugs in network applications and for finding and exploiting security vulnerabilities. One of its features allows data to be transmitted through an encrypted channel to prevent it from being intercepted by people monitoring the traffic. Amazingly, when using the Diffie-Hellman method to establish a cryptographic key, Socat used a non-prime parameter to negotiate the key, an omission that violates one of the most basic cryptographic principles.

The Diffie-Hellman key exchange requires that the value be a prime number, meaning it's only divisible by itself and the number one. Because this crucial and most basic of rules was violated, attackers could calculate the secret key used to encrypt and decrypt the protected communications.

According to article seems to have been created by someone named Zhigang Wang who worked at Oracle.

X-RayFebruary 2, 2016 4:34 PM

@Able Danger

Looks like it is plausible it could have been a mistake, as opposed to an intentional vulnerability, going by the erudition of the comments. :-)

To easy to argue, "anyone looking at the code should have seen this long ago", when that was far from the case. And, if it was, then it would have been a very poor backdoor, as there are so many ways to create vulnerabilities, not a few are very hard to find. (Proof is trivial, albeit anecdotal, consider vulnerabilities ever found anywhere, and then consider that **any** security vulnerability could have been intentional versus unintentional. Extrapolate back from that.)

There are security vulnerabilities plenty no one ever considered was intentional. In fact, very very rare when they do.

One poster noted the app likely wasn't used for anything interesting, just for debugging. Probably the one which stood out to me.

Of course, they could be a disinfo artist or simply ignorant.

Very unlikely on the former, certainly possible on the later.

WaelFebruary 2, 2016 6:23 PM

@Curious,

Btw, episode three of 2016 was very silly imo. I really didn't like that one.

Disappointing! Hibernate for 10,000 years? If they keep it this way, they won't make it.

Able DangerFebruary 2, 2016 11:49 PM

@X-Ray
This was not a "security vulnerability" although sure you can always claim it was.

This was a case of their stupid software simply not working as it should have been.

It's BS to claim that this is the sort of issue that's "easy to miss".

X-RayFebruary 3, 2016 9:19 AM

@Able Danger

You did not understand my statements and are responding with undue emotion. *shrug*

A backdoor is a security vulnerability. Not all security vulnerabilities are backdoors. The singular difference is if a security vulnerability is intentional or unintentional.

Any security vulnerability could be intentional or unintentional.

Mind bending, but true.

People generally assume security vulnerabilities are unintentional.

That is an assumption.

This particular security vulnerability appears to be intentional, and so a backdoor. From the article comments - I do not know, I have never programmed that manner of encryption in before nor utilized those classes - it appears likely that it is not a backdoor but a mistake. It may not be. But, I do not know. Another reason I came to this conclusion was because another poster in the comments pointed out the application is just used for debugging and not for anything critical. I also do not know if that is absolutely true.

What is curious is you can not see that any security vulnerability could be a backdoor.

You believe that this one is. Why? Because there was, not so long ago, two or more intentional security vulnerabilities made in the form of weakened encryption. These were known and proven by other means. Sources confirmed they were intentional.

This does not mean, however, all encryption vulnerabilities are intentional. Nor does it mean that all other security vulnerabilities are not.


MorranderFebruary 3, 2016 1:38 PM

Hello,

I am not sure this is the right place to post, but I have noticed a steep drop in the price of Blackphone BP1 coming out of China. Other than avoiding the phones where 3G is for some reason CDMA instead of GSM; the only issues I see are 1) 4G is limited to one common bandwidth for N.A. and whatever you think of the "China" issue.

I am a solo entrepreneur for the last three years and my experience is that having a desktop, laptop, website and smartphone entitles me to about 90% of the information security issues big companies have.

As i plan to watch very little video on the phone the 4G is of limited interest to me although I would like to know the common thinking. The other worry is that Private OS 1.1 has been tinkered with directly or through hardware connections and in theory, eventually there should be a fix.

The Blackphone currently suits my temperament and budget; is there any reason not to go ahead?

Also for people like me, the best resource I have found is the ABA technology guide for solo practicing lawyers and small law firms. It is really focused on small law firms and only about 50% of what a serious sole practitioner needs, but it is better than nothing. Does the community know of a better resource?

Remember, be nice to newbies.

Morrander

ThothFebruary 3, 2016 8:15 PM

@Morrander
re: Blackphone
It has been shown time and again that PrivatOS is not really secure although a little more hardened than most Android OSes out there. You are better off running any stock Android phone or if you are paranoid, load your own Cyanogen mods onto the phone which will void the phone's warranty.

Android was never designed to be secure in the first place and most security were add-ons and after-thoughts which is already bad enough and deem a compromise to security. Similarly, iPhones are also not any better (since their original design are more of a commercial insecure phone where security are added as needed). Blackberries were designed more securely from the drawing board but if you don't mind RIM and spy agencies they share data with to read your mails and messages, then it's all fine.

Ultimately, there is no phones that are secure due to international pressure to ensure insecurity in commercial communication devices by world Warhwak Governments and also there are lower interest and demands in secure phones around the world.

I wouldn't trust most of the recommendations and suspect that these might have been doctored by powers seen and unseen that wants to control world-wide communication lines and have a NOBUS attitude to read, collect, analyse and spoof all communication systems.

The first step Android can do to out-perform all mobile OSes is to use it's huge user base and setup higher assurance practices and security designs by re-designing a security microkernel layer (probably leveraging seL4 microkernel) as the first step and re-desgining it's programming language to something much more verifiable and suitable for high assurance applications like Haskell or Ivory with stronger application firewalls, memory protection and allocation using capability-based systems integrated into microkernel's memory management layer.

There are many things that can be done to improve Android but it seems that direction is affected by so many seen and unseen forces from both commercial, individual and government influences.

CuriousFebruary 4, 2016 5:56 AM

Off topic:

A local national newspaper (NRK), referencing BBC, tell today of a UN panel having made some kind of judgement/assessment of that Julian Assange had/has been arbitrarily detained, however I can't help but think that this local paper just can't help themselves, seemingly having ended up putting a negative spin on Assange as an individual, again, by simply stating that he leaked documents about the wars in Iraq and Afghanistan. Pretty sure Wikileaks was a publisher and not a leaker.

CuriousFebruary 4, 2016 6:10 AM

Off topic:

To add to what I wrote: Not sure, but it seems perhaps that BBC has reported on a story before any official announcements. Maybe the reported UN decision isn't true?

Nick PFebruary 4, 2016 1:40 PM

Great essay on amateurs, "experts," and masters by Zed Shaw. I've entered at least the mindset of mastery as I'm so tired of the endless complexity in systems, programming languages, libraries, security schemes, interfaces, etc. Unnecessary complexity most of the time. Give me amateurs that are well-trained and embrace only-hard-enough-to-work philosophy over "experts" any day. Besides, 80/20 rule says most of my staff can be amateurs and still get the job done anyway in commercial sector. :)

CuriousFebruary 4, 2016 2:57 PM

No idea what Botan is I must admit. On Twitter I found a comment about the following: Something about a remote code execution vulnerability in a crypto library I think, among other things.

http://botan.randombit.net/news.html#version-1-11-27-2016-02-01

"SECURITY: Avoid heap overflow in ECC point decoding. This could likely result in remote code execution. CVE-2016-2195"

"SECURITY: Avoid one word heap overflow in P-521 reduction function. This could potentially lead to remote code execution or other attack. CVE-2016-2196."

"SECURITY: Avoid infinite or near-infinite loop during modular square root algorithm with invalid inputs. CVE-2016-2194"

WaelFebruary 4, 2016 4:35 PM

@Nick P,

Great essay on amateurs, "experts," and masters by Zed Shaw.

Excellent essay. Now if I can get a hold of "The book of five rings"... I agree with most of his statements. Thanks for sharing! That's the kind of paper I like to read. Simple, short, full of wisdom!

Give me amateurs that are well-trained and embrace only-hard-enough-to-work philosophy over "experts" any day.

Right on! Some think experts, are a pain in the neck. I have an even lower opinion of them, if you catch what I mean ;)

tyrFebruary 4, 2016 7:28 PM


@the usual suspects

How about this snippet from history ??

The Okhrana, the Czarist predecessor of the GPU, is reported to have
invented a filing system in which every suspect was noted on a large card
in the center of which his name was surrounded by a red circle; his political
friends were designated by smaller red circles and his nonpolitical acquaint-
ances by green ones; brown circles indicated persons in contact with friends
of the suspect but not known to him personally; cross-relationships between
the suspect's friends, political and nonpolitical, and the friends of his friends
were indicated by lines between the respective circles.*^*' Obviously the limi-
tations of this method are set only by the size of the filing cards, and, theo-
retically, a gigantic single sheet could show the relations and cross-relation-
ships of the entire population. And this is the Utopian goal of the totalitarian
secret police. It has given up the traditional old police dream which the
lie detector is still supposed to realize, and no longer tries to find out who
is who, or who thinks what. (The lie detector is perhaps the most graphic
example of the fascination that this dream apparently exerts over the
mentality of all policemen; for obviously the complicated measuring equip-
ment can hardly establish anything except the cold-blooded or nervous
temperament of its victims. Actually, the feeble-minded reasoning under-
lying the use of this mechanism can only be explained by the irrational wish
that some form of mind reading were possible after all.)


From Hannah Arendt "the Origins of Totalitarianism"

Surprisingly the whole damn book resonates with examples of
things that are current news all over the planet. It looks
like we are living in this book today, a condition I resent
the Hel out of because I'm a Warbaby (WW2). These things were
supposed to have been purged by that war and the fall of the
Soviet Union, not re-invented by some asshole like Zuckerberg.

X-RayFebruary 4, 2016 8:15 PM

@tyr

It is very difficult to compare Czarist Russia to modern US or other 'free' nations. Russia, England, Germany, France all had extremely immoral, aggressive security services. But, of these, Russia topped the list.

You can absolutely see a straight line from the Okhrana to the later KGB.

There are severe problems in the 'free' nations, and they are fragile. In the US, I am not aware of them performing assassinations, as the Okhrana did, but both do trust openly in bait operations (even though this is supposedly illegal in the US).

In some ways, the US system is worse. In some ways, the European and other 'free' systems are worse. But, in some ways they are better.

Expressing contrary views, for instance. Criticism. That is a way of life. Everyone does it. It is a core part of the political system. Federal officers certainly do it. Left, right -- and really? Mainstream politics is even pretty damned kooky.

So, yeah, that is really where it is extremely different from Czarist Russia. Everybody badmouthing the regime would be in jail, murdered, setup, harassed.

Leaving about ten citizens left.

But, freedom is small and extremely fragile, and incredibly new (considering the tiny slice of time a coupla hundred years are against the massive ruler of time of human existence).


Extremely unlikely to grow and mature.


By any natural means, anyway. :-)

tyrFebruary 5, 2016 4:22 AM


@X-Ray

The interesting thing about history is that once an oppressive
regime comes up with a bad idea it slowly gets implemented by
those governments that should know better. Passports were used
by Tsarists to keep peasants tied in place by forcing them to
obtain one to travel to the next village. State forced schools
were used by the Prussians to generate the needed cannon fodder
to rent out as mercenaries. After a bloody civil war the US has
reinstituted slavery by selling prisoners to private corporations,
in some cases with an iron clad contract to keep supplying a
full load of prisoners.

The danger is quite real. The best way to wind up in the world
of Orwell is to ignore the signs or to read them as benign.
Current political rhetoric would have us turning Syria into
radioactive glass while demonizing any decent Moslem or
migrant in preparation for fencing in the US and putting the
innocents into concentration camps. thinking the US is too
nice to do such things is a failure to look at a very real
past. Like the German said I didn't complain when they took
my neighbors because I wasn't one of their groups. When they
came for me there was no one left to complain to. Once you
allow things to occur in secret as a blanket policy the toxic
nature of that policy will slowly erode everything until it
becomes a rotten lacework of facade.

One of her other books has a charming story of a French woman
who said she hoped Dreyfus was innocent so his punishment would
hurt him more. I have seen people express similar sentiments on
the subject of torturing prisoners who are Moslems. This kind of
shit is toxic to freedom, to decency, and contaminates everything
it touches.

One of our exercises in leadership school was to circulate a
mimeographed petition which was a list of the bill of rights
of the US Constitution and ask people to sign it. No one would
sign it because they thought it was too controversial for them
to agree to and actually advocate. This was done at a supermarket
in a major US city. So how much is your freedom worth in the
hands of such an informed citizenry ? Today I imagine finding
someone capable of reading and understanding it would be a
major undertaking.

Recommending Arendts work is my way of getting even with Nick P.
for his endless rain of technical books and ideas.

ianfFebruary 5, 2016 4:24 AM


@ Uhu comes up with a counter example to [thegrugq's] bumbling lone-wolf Generation Jihadi 2.0:

The Norwegian right-wing nut managed quite a tally on his own.

Yeah, like shooting fish in a barrel, live ammo target practice using children—a very mature objective on the road to White Rechristianization of Europe (or something, don't ask me). I've asked around… Breivik seems to be uniformly despised by "White Power" supremacists on account of showing their true colors, when they aim to be taken seriously.


[…] if the three Americans weren't on that Brussels train, the attempted shooting attack might have ended quite a bit different as well.

Maybe, maybe not. I'd say the threat scenario of a lone, even armed, attacker "showing off" in enclosed spaces ended definitely up on the United 93 flight on 2001-09-11. These Yanks were in the right place at the right time, no doubt about that, but others would have reacted similarly, if 2-3 seconds later than them.


glad that the people attracted to daesh are, so far, not too bright.

Above all, the EU terrorists to date (incl. Breivik) could but be mentally ill, whatever the verdict of the medical pros. Because there is no known logical/ philosophical construct that can explain their angst at the liberal West as a form of defense-warranting oppression of their beliefs.

ps. lowercase ianf or I call you Names.


@ BoppingAround

ianf: Security forces were caught off guard as no one was thinking of FIFA 15 as a terrorist communication tool.
In a sense, that's a reassuring sign that the ICs can not cope with the sheer (and constantly growing) number of potential online-yet-under-the-radar comms channels (endpoints and instances of), thus have to concentrate on following leads acquired by more traditional methods. In all probability even these FIFA 15-games exchanges have been captured, but, as they were "shared-context-encoded" [per thegrugq's definition], they raised no automatic alarms by whatever robot ears eavesdropping on and triggered by known "word-semaphores."


@ Jacob “Dutch police uses trained falcons to take down hobby drones that stray into forbidden zones.

Falcons, even eagles. In all probability, however, these are just temporary tests of feasibility of such deployment, which will end there. Reason: birds of prey are soft, while drones with rotating blades (not to mention evasive wobbly tactics) are both hard and deadly. In the end, there can be no other defenses against explosive terrorist drones in airport approach spaces than automatic targeted high-energy beam/ laser weapons. Because, when such an attack takes place, the sole thing that one can be sure of is that it will involve an array of, not a single drone. What then, unleash a flock of [in advance in dedicated standby local aviaries held] territorial defender-eagles?


how legal this would be if I open a rental business in the US for annoyed home owners - certainly better than shooting at the little peskies.

Can't see why it could be illegal, but, despite this single fundraising-success analogy, way too odd, non-scaleable and intermittent a business to carve out profit. Bullets aren't cheap, but presumably way cheaper than a on-demand visit from "24-7-Drone-Be-Gone" Falconeer Jacob (then again, what do I know of business? MBA.I.AM.NOT. Call The Ghostbusters [Who're you gonna call?], they may be game for expansion.)

X-RayFebruary 5, 2016 10:39 AM

@Tyr

The dangers are real. That is why I have studied them, and why I keep track of them.

Privacy concerns? I am concerned not with Joe Blow's fucking adventures getting seen by some intel folks. I am concerned about Presidential Candidate, Mayor, Sheriff, Corporate VIP, etc fucking adventures get hunted for and used against them, sidelining the entire democratic and justice process.

The workforce issues: those are real problems.

Syria: more of a "meh". Individuals in the US can talk, but the reality is Assad can not be replaced, because Syria is right next to Israel.

The State Department has more power then people think.

Moslems being interned: Only if Donald Trump gets elected. He won't be.


Syria and 'Moslems being interned', p2: Yes, events could decide otherwise. There could be a great conflagration in the Middle East. There could be an US domestic attack by Muslim terrorists of unprecedented or 911 scale which would turn the tide completely. The outrageous response from 911 does speak to that, and actually does act as a deterrent.

France has a worse problem there, banning headscarves is crazy. In the US, Muslims, like many of our very many first and second generation immigrants really integrate very well into society, looking at matters historically and globally.

Nobody here looks twice at headscarves, or treats anyone weird even with a full blown hijab. Not collectively, anyway. Freedom of belief, while often a point of great contention, is agreeable, and well understandable.

The incident in California did bad, overall, and was reacted to out of scope with similar incidents from those inspired by sheer lunacy. There is a deep backlash amongst some portions of the population, and they find Trump refreshing.

But, they are not the millenials.

They are not white collared, well employed professionals.

They are not the monetary and power backers.

They are alienated and frustrated partly because of their powerlessness.


One of her other books has a charming story of a French woman who said she hoped Dreyfus was innocent so his punishment would hurt him more. I have seen people express similar sentiments on the subject of torturing prisoners who are Moslems. This kind of shit is toxic to freedom, to decency, and contaminates everything it touches.

Very much so.

a list of the bill of rights of the US Constitution and ask people to sign it. No one would sign it because they thought it was too controversial for them to agree to and actually advocate. This was done at a supermarket in a major US city. So how much is your freedom worth in the hands of such an informed citizenry ? Today I imagine finding someone capable of reading and understanding it would be a major undertaking.?
Recommending Arendts work is my way of getting even with Nick P. for his endless rain of technical books and ideas

Not Nick P, lol. I work in a very technical area of security, but don't like to get specific, or too easy for asshole hackers to track me down and scapegoat me.

He also works in very different area of security then I do. Clive Robinson's posts are more likely to hit around my area, in terms of regulars here.


I am familiar with the Dreyfuss affair, and these other issues you mention. I have studied the Czarist regime and abuses there, albeit usually indirectly.

"The World That Never Was", great book on the crazy, terrible times of security and crazy political ideas at the end of the 19th century.

"M", and "MI5", good books also partly covering those topics.

(Just going from memory. The most fascinating books on security and freedom for 'around that time' I have found in studying the first world war spy wars and twenties, especially in regards to reactions to the October Revolution.)

(The Dreyfuss Affair comes up, however, in a lot of books and articles on much more general issues regarding security and liberty.)


My devil's advocate stance on the above topics, not withstanding - they are certainly very worthwhile to mention - there are severe outstanding and current problems in the 'free' nations, and certainly many foremost in the powerhouse of them all, the US of A.

One is workplace issues. Which is a wide and difficult topic.

A major one is the over all justice system, where the incarceration rate per capita is through the roof.

There are significant drug abuse problems involved in that, as well, which has created deep instability - and maintains deep instability - in Mexico. Mexico who has easy sea access to both oceans and many primary, core resources.

Easy and powerful sea access is a major, critical attribute for the intrinsic geographic value of a nation.

But, the drug problem in America is epidemic. And it is far from just "illegal drugs", it goes well into prescription drugs.

The ham fisted, blunt instrument, moronic "solutions" have devastated the communities even more then the drugs themselves have. Core communities.

And continue to do so.


The Democratic process is a farce, however, I do not view that as a core problem of instability.


The domestic intelligence issue of over reach is absolutely a core problem and danger.

That is exactly how to take down the freedom of a 'free' nation.

And it is even worse that they play exactly into the hands of the very terrorists they consciously tell themselves they are fighting when they push in these directions.

It is not terrorism which could destroy any last vestige of freedom in these nations, but the response to it.


Education is another core problem. The items you cite kids are not taught in school. They are overworked with meaningless tasks, and the methodologies are deeply contrary to known best educational technology.

In fact, you won't even find the items you cite well taught in colleges. People have to go out of their way to study the atrocities and tyrannies of the past.

One good point there: the fictional cinema media and their ever fascination with presenting future totalitarian dystopias, and the people's continued appetite for dealing with matters in that distant, metaphoric context.


Nick PFebruary 6, 2016 6:23 PM

@ Humans

Thanks a lot for that list! Been wanting a list of as many as possible in one place for use in study methodology. As in, does it account for common issue X?

Who?February 7, 2016 4:43 AM

Why Microsoft and Google remain on business?

Microsoft has:

  1. Windows 10, full of spyware.
  2. Telemetry patches ported to Windows 8 and Windows 7 that periodically change their IDs to be even more intrusive against these users that care to block them.
  3. A `privacy' option for `power' users (i.e., those users who pay a premium license for an `enterprise' toy operating system) that lie them and do not work.

Google has:

  1. A complete tracking infrastructure.
  2. Absolute despise for security and privacy (except their own).
  3. A `bug' that randomly enables some tracking options that users disable on their profiles and devices (let us say synchronization of certain Google apps on Android devices, or automatic log from Chrome into the owner's account a few days after disabling this `feature'). Unsurprisingly the bug does not work the reverse, randomly disabling tracking options.

On a civilized world there is no room for corporations like Microsoft, Google, Apple or Facebook.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.