Friday Squid Blogging: Energy Converter Inspired by Squid

Engineers have invented a wave energy converter that works in the same way that squid propel themselves through the water.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on February 26, 2016 at 4:49 PM • 106 Comments

Comments

Slip N. SlidinFebruary 26, 2016 5:08 PM

More slippery slope stuff:

Obama Administration Set to Expand Sharing of Data That N.S.A. Intercepts

"The Obama administration is on the verge of permitting the National Security Agency to share more of the private communications it intercepts with other American intelligence agencies without first applying any privacy protections to them, according to officials familiar with the deliberations."

http://www.nytimes.com/2016/02/26/us/politics/obama-administration-set-to-expand-sharing-of-data-that-nsa-intercepts.html?_r=2

The article mentions DoJ was part of the planning, meaning they will get a piece of the data pie for domestic law enforcement.

Obama, the Constitutional scholar, has been a big disappointment in regards to protecting our Constitutional rights. These executive orders are beginning to stink like Hitler's Enabling Act more and more every day.

If the wrong person ever gets in to the WH a full scale totalitarian dictatorship would be quite possible. A totally dysfunctional Congress and Batshirt Crazy Repuplican Party are definite factors dragging us that way.

I think millions of Americans WANT a dictator, so long as it's a dictator that makes them special, one of the chosen few, and everyone else undesirable targets.

It could happen here. No doubt in my mind. Maybe it's happening already.

tyrFebruary 26, 2016 5:24 PM


Here's an interesting insight into the current ME mess.
Not too often to get a glimpse behind the curtain at
the fears of regimes like Saudi. Kerry announcing that
Plan B is to partition Syria makes sense once you see
who benefits.

http://original.antiwar.com/brad_hoff/2016/02/25/newly-translated-wikileaks-saudi-cable-overthrow-syrian-regime-play-nice-russia/

I have yet to see any security gained by the trashing
deliberately of any country. Hinton has remained the
only rational actor from the US who intervened in
Syria. Ostracized at the time his view has haunted
a failed american policy since that time.

Milo M.February 26, 2016 6:20 PM

A meeting of "50 cybersecurity experts and observers" last week:

http://spectrum.ieee.org/view-from-the-valley/telecom/security/tackling-the-future-of-digital-trustwhile-it-still-exists

The scenarios resemble movie plot threats with a touch of Bulwer-Lytton:

https://cltc.berkeley.edu/scenarios/

"Out of the conference emerged five “thumbnail scenarios,” sketches of possible futures, that a team of graduate student researchers from the UC Berkeley School of Information developed further."

The sponsor:

http://www.hewlett.org/programs/special-projects/cyber-initiative

name.withheld.for.obvious.reasonsFebruary 26, 2016 10:00 PM

This came to me in the last few days after being treated to an escort to my hideaway (as depicted in the movie "Enemy of the State") by a Hercules aircraft...a nice 15 miles of low speed, in front of my vehicle (positioned 20 meters with a 7 degrees azimuth, then a long climb to approximately 3000 meters above the floor, always within visual line-of-sight) for the complete stretch of the trip.

It was not long ago, reviewing comments and editorials written by Bruce Schneier, I found myself very much in agreement with Bruce's observation and position on several topics/issues. At one point I believed his prognosis and characterization of the "Feudal State" was slightly or a bit overstated, but not unfounded in reasoning or analogy. Unfortunately I have come to understand that this narrative is inaccurate...but not in a way that leads to optimism.

While Bruce argues about the deep/security/military state which has functional transformed society visa-via a pan-optical lens wherein individuals have relinquished their interest in public AND private affairs for convenience. Instead, I argue that the resultant transformation is a form or repressive conformance that more likely resembles a "psychological gulag".

Let me explain; as the state transmogrifies law and societal norms, the needle for normal is moving widely from the middle to a position that may defy scaled measurement. Additionally, the mouthpieces of the deep/security/military state have been afforded amplified status for operatives by an ill-informed media/press. This has a insidious and profound affect on critical analysis and dissident opinion--even simple disagreements become more than uncomfortable. For example, as simple normative discourse is pushed ever further from reason and deliberation where the appearance is dissimilar to other, recognizable intellectual enterprises in many national institutions, and as such, disavows or makes impossible more effective and conscious action in response (in cognitive form) to much that troubles the broader public and world. Instead, the visceral is given credence or standing at the expense of what could be characterized as a more rational response or course of action.

In essence the noise level is being elevated at a frequency, amplitude, and skew that the intelligentsia is unable (and may still be unwilling) to rationally answer the attack on the public and/or societal institutions. No replacement is in the making when it comes to institutional spheres of influence and suggests that a prison state will be the only formative structure that will or can encapsulate a more tribal/caste or draconian societal structure that is controlled in the way a gulag is often managed. Ultimately it will be the mind, not the body, that will be imprisoned; either implicitly by tacit response or explicitly by removing any private thought, idea, or free expression or will.

Good luck and good night

Cyborg2237February 27, 2016 12:18 AM

@Milo M.

from: https://cltc.berkeley.edu/scenarios/

Omega: Thanks to continued advances in machine-learning, algorithms, and sensors for tracking human behavior, the vision of “Big Data” as a resource for prediction has exceeded expectations. Data scientists, working with neuroscientists, cognitive scientists, and other experts, have developed profoundly powerful models capable of predicting—and manipulating—what people will do at any given moment. For those responsible for maintaining security in cyberspace, the stakes have been raised. Dependency upon technology is at an all-time high, and the ramifications of a data breach are more significant, given the depth and detail of information contained in the average citizen’s “personal behavior files” (PBFs).

There is predictable human behavior, but there is also unpretictable human behavior. Certainly, the advancements of machine learning, neuroscience, and the cognitive behavioral fields are fascinating. But, all three fields are in their infancy.

IMO, your best bet to see the truth of where we are, is to consider us as archaic.

How will we be seen in fifty, a hundred, five hundred, a thousand years? Archaic.

How do we know this? Because that is always the trend. It is especially a trend when society has reached such a fever pitch of knowledge advancement, coupled with population advancement. Coupled with transversing language barriers to make both factors truly meaningful. (Recall the old "Tower of Babel" legend, and consider, whether fact or fiction, it certainly has merit.)

But, consider this viewpoint of attempting to deeply and genuinely view our latest and greatest today as archaic from this, logical, perspective: this is exactly how they will be viewed, as I already pointed out, and so if you wish to make such a leap in technology you must first see things as they will see things. So far in the future.

@Electoral onanism

Fake reformist judas steer Sanders wants to prosecute human rights defender Edward Snowden. Because the laws must be enforced.

That is not good to hear. Another good reason for me not to vote.

The choices are, however, largely old white guys, or an old white woman. I lean towards the old white woman. But, am up for wild cards thrown onto the desk, just for the fun of it.


@tyr

Here's an interesting insight into the current ME mess. Not too often to get a glimpse behind the curtain at the fears of regimes like Saudi.

Is that so? I have yet to be surprised by their mindset. They seem easy to understand. I am not sure if this leaked document was not intentionally leaked.

Previous leaked state cables have allowed commentary on such matters as Chinese hacking of US assets, something which, at the time, the US Government was far more reluctant to deal with directly.

Very likely some of the massive leaks over the past few years have been the product of some manner of "counterintelligence" program. Not necessarily "disinformation". But information given to manipulate by reactions which are predictable.


I have yet to see any security gained by the trashing deliberately of any country.

Is that really so?

I know it seems repugnantly evil. But, isn't much of such emotion about evil, hypocrisy, and devoid of true rationality?

Whatever the case, Syria is a hard case. Deposing the regime, the US wants to look like they are interested in. But, actually doing it is another matter. Far too easy to get radical Sunnis in control. It is the radical Shia and Sunni which are the problem. Hassad was and is a much more predictable asset.

There is a very delicate triad of power in the Middle East right now. I love triads. Especially when they form such a clean pyramid shape. And it is especially beautiful when the internal realities of that triad are so very divergent, even if related.

Israel, Iran, Saudi Arabia.

That balance of power is extremely volatile.

Are the religious fanatics as crazy as they play their cards? Is the US?

Perhaps playing crazy is simply a normal human reaction, a normal hand to play, in difficult situtuations, where it is paramount to play off sincere interests as if they do not really matter?


@name.withheld.for.obvious.reasons


In essence the noise level is being elevated at a frequency, amplitude, and skew that the intelligentsia is unable (and may still be unwilling) to rationally answer the attack on the public and/or societal institutions.

Ultimately it will be the mind, not the body, that will be imprisoned; either implicitly by tacit response or explicitly by removing any private thought, idea, or free expression or will.

I would suggest you may have had a bad few days at work.

The human mind wants to make patterns were there are none, and anthropomorphize non-human entities. This pertains to thinking on matters of "deep state" abstracts. It is as blinding to the brilliant, as it is to the dark.

Groups often show behavior which is less sophisticated and less capable then individuals. Yet, when we anthropomorphize groups, we can perceive differently, as if singular, super-genius groups do exist, when, in fact, they do not.

Unless you believe in God and angels. The Old Testament does depict world events as being secretly controlled by a cabal of unseen beings.

keinerFebruary 27, 2016 5:45 AM

This has become a highly dystopic place to read. But unfortunately I guess: The totalitarian system is already here. The mask is sliding down slowly...

CuriousFebruary 27, 2016 6:09 AM

I thought it was interesting to hear about "dark fiber", internet capacity lying idle.

http://tech.slashdot.org/story/16/02/25/183201/google-is-lighting-up-dark-fiber-all-over-the-country

"Most people don't know that many cities throughout the United States are already wired with "dark fiber": infrastructure that, for a variety of reasons, is never used to provide gigabit connections to actual residents. This fiber is often laid by companies you rarely hear about, like Zayo and Level 3, which lay fiber infrastructure in hopes the city, a provider like Google, or a corporate customer (like an office building) will eventually make use of it."

Given how little I know about networking, the following might be a little simplistic; but imagine if corporations sat there with their dark fiber networks, with the actors waiting for net neutrality to be crushed so to speak, before pushing some new business model. Wouldn't that be terrible? I think it also could be terrible if some hidden network capacity would create some kind of publicly segregated internet, that perhaps created virtual borders on the internet, perhaps with some real authoritarian rule above that again. Whether or not this idea of a nationalized internet makes sense technically, i couldn't say. I can also sort of imagine some kind of city state like management of the internet. The general idea of mine here, is thinking of a segregated internet as being subject to cencorship and other types of manipulations.

JacobFebruary 27, 2016 7:40 AM

In an interesting twist to recent discussions about implementation of backdoors in personal communication products, and the general claim by the privacy/scientific community that if one degrades security for a specific authority, everybody will eventually suffer:

Baidu distributes its own bowser and SDK for other vendors to integrate into their own products.
Citizen Labs found many shoddy security design decisions and holes, private data dissimination possibly by design, and possibe backdoors in a range of Baidu products geared for the local Chinese market.
These also include easy-to-find encryption keys hard coded in the products.

However, Baidu also distributes its product to the international market, and many of the holes from the Chinese producrs found their way to the international arena as well due to code commonality.

In response, "Baidu said it was collecting the data about users for commercial purposes. Occasionally, it said, it shared the data with partners... only provides what data is lawfully requested by duly constituted law enforcement agencies"

US/EU persons may say "who cares? I don't use any Baidu product" but parts of the SDK may have found their ways to various Android Apps, Switches and Routers..

News item:
http://www.bbc.com/news/technology-35669817

Technical analysis and details:
https://citizenlab.org/2016/02/privacy-security-issues-baidu-browser/

Cyber-propagandistsFebruary 27, 2016 8:20 AM

@Milo

https://cltc.berkeley.edu/scenarios/

Re: digital scenarios, this version of the 'New Normal' didn't make it past the government censors

The New Normal: The year is 2016, and the Internet IS a "wild west”where spooks, feds and police state groupies routinely pound innocent individuals and organizations whom have little recourse to pursue justice and protection for themselves.


Following years of headlines about general warrants, government-sponsored data breaches and Project Echelon on steroids, most Internet users operate with the assumption that, in all likelihood, their data, communications, photos, files, browsing history and most intimate moments will be hoovered up and stored in data centers forever.

If they pose any serious threat or voice strong dissent, they know with near certainty they will be targeted for intensive re-education via having their computers/peripherals infiltrated, their data stolen, and their personal information broadcast until they heed the state-sponsored narrative and profess their love for Big Brother.

Law enforcement struggles to maintain the credibility of the laughable NCIS narrative & exponential growth in their budget which facilitates small-scale cyberattacks that are more commonplace, personal and domestically focused.

As the first generation of true “digital natives" violently lose their cyber-virginity (many of them having been indoctrinated to trust authorities since they were kids), they learn that government interference with other people's data has become normalized.

Individuals and institutions respond in typically cowardly ways: bending over and receiving all 8 inches of NSA digital cock ("nothing to hide, nothing to fear"), and continuing to buy back-doored i-crap, fit-bits, and IoT barbie for their entire family.

Only a handful of smart individuals go offline almost completely or choose to use the tiny number of battled hardened tools available to stay ahead of the next government hack.

India’s Net Neutrality Success StoryFebruary 27, 2016 8:22 AM

Learning moments in just one week!

Gatekeeper Facebook Fragments the Internet
---------------------------------------------------------
“One of the things we need to never forget is that it’s one Internet,” Pahwa, who is a TED “fellow” told the audience, which responded with a standing ovation. “What you access here, what you access in the United States, what you access in Mexico, Indonesia, anywhere in the world is the same. We need to ensure that the Internet doesn’t get fragmented and that it’s all of the Internet for all of the people all of the time.”
Pahwa says he shares Facebook’s goal to offer more connectivity, but not at the expense of net neutrality. “Who has a right to limit people’s access to the Internet? Especially for new users, it is important to allow them to roam freely.”
The upshot of the battle with Facebook, he says, is a more aware and engaged Indian public that has transformed the power dynamics of India’s Internet!
http://www.forbes.com/sites/miguelhelft/2016/02/25/meet-the-man-who-derailed-facebooks-plan-to-provide-free-internet-in-india

Solution for Mankind
---------------------------
Want world peace? Share MUCH MORE on Facebook, Mark Zuckerberg says!
http://www.marketwatch.com/story/facebooks-mark-zuckerberg-touts-more-sharing-as-a-route-to-world-peace-2016-02-26

Obstacles to World Peace
-----------------------------
“Zuckerberg acknowledged that employees have been scratching out “black lives matter” and writing “all lives matter” on the company’s famous signature wall. The company, whose staff is only 2 percent black, is facing the issue head on.” Also only 2% of Facebook users are black…
http://gizmodo.com/mark-zuckerberg-asks-racist-facebook-employees-to-stop-1761272768

ClouseaumeyFebruary 27, 2016 10:49 AM

https://medium.com/@jamesallworth/the-u-s-has-gone-f-ing-mad-52e525f76447

This kind of common sense cannot explain why Comey's such a feckless shithead, or why it's pointless to waste your time thinking about the legal nonsense he pulled out of his ass. Comey has zero interest in stopping these murders. For him each new gun killing is a great new opportunity to stampede the population into new repressive measures. The strategy of tension, brought home. This time it's wireless surveillance that he's pushing. Last time, when he conveniently lost interest in reluctant patsy Tamerlan Tsarnaev, it was domestic paramilitary counterinsurgency drills.

CallMeLateForSupperFebruary 27, 2016 11:57 AM

The past week was draining. First there was that FBI vs Apple dust-up, then rain and sub-freezing temperatures. Ice, in February! What next... a buffoon in the White House... again? Sheesh!

Time to decompress. Surf over and have a look at
"I bought some awful light bulbs so you don't have to"
(They are IoT POS.)

Swish down to the next-to-last paragraph and savor the most concentrated, unrestrained and unquestionably deserved lump of derision I've seen in a long time.

https://mjg59.dreamwidth.org/40397.html

Thanks, miss, I'll take 400 boxes of Shortbread TrefoilsFebruary 27, 2016 12:24 PM

You're probably wondering, What next? What will be the next ridiculous reason why Comey has to spy on anybody anytime and Apple has to help?

Meet Stirling David Allen, world-famous pedophile featured on America's Most Obvious, who by some fluke ran afoul of Comey's pedophile catch-and-release program. So now Comey could, you might think, lock up the 5 thousand blackmailed pedo VIPs who dropped into his lap. But instead, watch, he's gonna get to the bottom of this, In the name of Opus Dei! and get himself the toal Orwellian surveillance authority he needs to keep our children safe.

Who?February 27, 2016 3:51 PM

Another horrible bug in UEFI firmware that allows arbitrary code execution in SMM, this one affecting all Lenovo ThinkPads since at least the X220/T420 times:

http://blog.cr4.sh/2016/02/exploiting-smm-callout-vulnerabilities.html

Will Lenovo fix the SystemSmmAhciAspiLegacyRt SMI handler vulnerability on these not so old high-end laptops or just in the latest models? A ThinkPad laptop is expensive enough as to earn a fix to a bug like this one even if it is four years old.

Who?February 27, 2016 4:06 PM

Large corporations should be liable for allowing vulnerabilities like this one exist on their products just because "they are three years old."

This is what TPP/TTIP should be about.

I fear Lenovo will fix the T440/T450 series only. Time will say.

name.withheld.for.obvious.reasonsFebruary 27, 2016 10:23 PM

@ Cyborg2237

Unless you believe in God and angels. The Old Testament does depict world events as being secretly controlled by a cabal of unseen beings.

No, I have a finite rational view of the universe and see the mechanical nature of our existence as definite. Abstraction for myself is only for the purposes of "artful" expression. In fact, my response to your statement consist of a bounded statement and an abstraction--some art.

In general I believe you mis-read my statements regarding the crypto-fascist nature of our governance respecting our institutions. I well understand that no theoretical treaties is needed to define outcome based measurements resulting from our institutional systems (think of them as a system of institutions of institutions). Our economic (nationally or globally) institutions (one of many systems) are constrained by behaviors that are obvious at the macro-level and less obvious when looking for where controls might be tweaked to change outcomes. My statement(s) were not about the anthropomorphism of a particular societal institution but a recognition of macro social systems that are indeed "wo[man]ed" by individuals but rarely do cogs recognize the wheel of which they participate in making rotational (speaking metaphorically).

logic.displacedFebruary 28, 2016 1:04 AM

@name.withheld.for.obvious.reasons

Instead, the visceral is given credence or standing at the expense of what could be characterized as a more rational response or course of action.

I've also noticed the systematic attack on reason.

In particular lately the notion of "extremism" seems to be a wholesale subversion of opposition as such. Very Hegelian.

Consider what is left if all extremes, all dimensional limits are illegal to contemplate.

The ends define the middle, so the area where the public is allowed to think is controlled by the authorities.

Also, in epistemology over the last hundred years there has been a displacement of logic with mathematics. The average person can still function in a box defined by their income and the price of items they can buy. Arithmetic, not logic, is what allows them to function.

The closest thing to logic taught in government schools is geometry. This is useful as far as it goes, but is a poor replacement for Aristotelian logic. All qualitative significance is lost to the geometric logician. This type of thinking does not pose a threat to the establishment.

Wesley ParishFebruary 28, 2016 1:31 AM

Delurk time

Where's S[k]eptical when you need him? (her? it? them?) This came up yesterday on Slashdot and I was expecting someone else to mention it:

Norway Makes It Official, Accuses China of Hacking and Stealing Military Secrets

http://news.softpedia.com/news/norway-makes-it-official-accuses-china-of-hacking-and-stealing-military-secrets-501060.shtml

Note the wording:

A high-ranking general in the Norwegian Army and head of the Norwegian Intelligence Service E-tjenesten (Etterretningstjenesten) has made official statements accusing the Chinese government of launching cyber-attacks against his country.

I am puzzled: is he trying to activate the NATO Charter's Articles 5 and 6 a la the Nato SecGen's use of them after the 9/11 attacks?

Article 5

The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.

The threat and use of armed forces against a state allegedly responsible for spying using the Internet and casual attitudes to network prophylactics, strikes me like using one's teeth to crimp detonators.

And just imagine, a few weeks, months, years ago, S[k]eptical was arguing that espionage was alright, not a problem, not illegal at all, etc, and then this Norwegian offical argues it is illegal and by his wording threatens unconstrained collective retaliation against the state that most of NATO states are mortgaged to.

Shove the det in underneath: You can crimp it with your teeth, Don't worry mate, she'll be ...

Dave MischlerFebruary 28, 2016 4:21 AM

> I thought it was interesting to hear about "dark fiber", internet capacity lying idle.

I would say that the intent when laying dark fiber was not at all nefarious, although some of it could be put to questionable purposes. Dark fiber that is already installed where you want your new network to go certainly reduces the cost of bringing new bandwidth online.

Through the mid-90s I worked for a company whose clients owned rights of way (e.g. major highways in and between cities, bridges, tunnels). Many of them got paid to allow telecom companies to install fiber along these rights of way, and some of them also got rights to use some of the fiber (some state govts got awesome voice/data networks for the price of the equipment to run it). An awful lot of dark fiber was installed along with the current fiber infrastructure. Mostly because the labor (digging, laying conduit, pulling fiber bundles, terminating, etc) is the expensive part, and doesn't increase much if you pull in many more fibers than you plan on needing. Naturally, the people who own this dark fiber would love to make some money on it instead of having it sit there waiting to be needed.

65535February 28, 2016 6:06 AM

@ Who?

“Another horrible bug in UEFI firmware that allows arbitrary code execution in SMM, this one affecting all Lenovo ThinkPads since at least the X220/T420 times:”

http://blog.cr4.sh/2016/02/exploiting-smm-callout-vulnerabilities.html

I have clients with a number of newer ThinkPads. Does disabling the UEFI [and only using the standard BIOS] stop this bug?

[Next]

Here is a fairly good time line of All Writs Act [Emptywheel]:

[Emptywheel]

“October 8: Comey testifies that the government is not seeking legislation; FBI submits requests for two All Writs Act, one in Brooklyn, one in Manhattan; in former case, Magistrate Judge James Orenstein invites Apple response

“October 30: FBI obtains another AWA in Manhattan

“November 16: FBI obtains another AWA in Brooklyn pertaining to two phones, but running iOS 8.

“November 18: FBI obtains AWA in Chicago

“December 2: Syed Rezwan Farook and his wife killed 14 of Farook’s colleagues at holiday party

“December 3: FBI seizes Farook’s iPhone from Lexus sitting in their garage

“December 4: FBI obtains AWA in Northern California covering 3 phones, one running iOS 8 or higher

“December 5, 2:46 AM: FBI first asks Apple for help, beginning period during which Apple provided 24/7 assistance to investigation from 3 staffers; FBI initially submits “legal process” for information regarding customer or subscriber name for three names and nine specific accounts; Apple responds same day

“December 6: FBI works with San Bernardino county to reset iCloud password for Farook’s account; FBI submits warrant to Apple for account information, emails, and messages pertaining to three accounts; Apple responds same day

“December 9: Apple “objects” to the pending AWA orders

“December 10: Intelligence Community briefs Intelligence Committee members and does not affirmatively indicate any encryption is thwarting investigation

“December 16: FBI submits “legal process” for customer or subscriber
information regarding one name and seven specific accounts; Apple responds same day

“January 22: FBI submits warrant for iCloud data pertaining to Farook’s work phone

“January 29: FBI obtains extension on warrant for content for phone

“February 14: US Attorney contacts Stephen Larson asking him to file brief representing victims in support of AWA request

“February 16: After first alerting the press it will happen, FBI obtains AWA for Farook’s phone and only then informs Apple” -emptywheel
[and]

"But Apple maintains that it objected to everything already in the system on one day, December 9… Why object — in whatever form they did object — all on the same day, effectively closing off cooperation under AWAs in all circumstances? There are two possibilities I can think of, though they are both just guesses. The first is that Apple got an order, probably in an unrelated case or circumstance, in a surveillance context that raised the stakes of any cooperation on individual phones in a criminal context..." -emptywheel

https://www.emptywheel.net/2016/02/26/why-did-apple-start-objecting-to-other-all-writs-orders-on-december-9/#comments

In the Emptywheel comments, Pdaly points to Daring Fireball on how to put a new image on older iOS phones with unlocking them:

“The way the iPhone works today, when put into recovery mode you can restore the operating system without entering the device passcode. The only restriction is that the version of iOS to be installed must be properly signed by Apple. I just tried it here with my old iPhone 6, which had been turned off for weeks. I powered it up, but did not unlock it. I put it in recovery mode, and then updated it to iOS 9.3 beta 4. Then it restarted. Now it’s running iOS 9.3 beta 4, and I still have not unlocked it. All my data is still on the phone — but it’s running a new version of iOS, without my having unlocked it.

“What the FBI wants Apple to do is create (and sign) a new version of iOS that they can force the San Bernardino suspect’s phone to install as an update — and this new version of iOS will allow them to easily brute-force the passcode. I think what Apple is leaking here is that they’re going to change this (perhaps as soon as this year’s new iPhone 7), so that you can’t install a new version of iOS, even in recovery mode, without entering the device’s passcode. (I think they will also do the same for firmware updates to the code that executes on the Secure Enclave — it will require a passcode lock.) If you do a full restore, you can install a new version of the OS without the passcode, but this wipes the data. See also: Activation Lock, which allows you to bypass the passcode to completely wipe an iPhone, but requires you to sign into iCloud before you can use it."

https://daringfireball.net/linked/2016/02/24/iphone-impregnability

https://www.emptywheel.net/2016/02/26/why-did-apple-start-objecting-to-other-all-writs-orders-on-december-9/#comment-701009

Nick PFebruary 28, 2016 7:01 AM

Dave Mischler

Yeah, that's all the dark fiber is. Nothing nefarious. Far as using it, buying up dark fiber is how Google built much of their own network. You get special rates from Tier 1's once you peer up with them in at least 6 locations sharing traffic. The volume of traffic going into newly lit fiber Google had must have got them even better discounts.

ianfFebruary 28, 2016 7:39 AM


“b>Life after the Ashley Madison affair” gu.com/p/4h2j2

A moderately long essay/ post-mortem investigation by Tom Lamont of the aftermath of “leaking of the names of 30 million people who had used the infidelity website Ashley Madison. Resignations, divorces and suicides followed.” Includes this new to me, startling disclosure that

    […] “Coders at Ashley Madison had created a network of fake, flirtatious chatbots to converse with men, teasing them into maintaining their subscriptions on the site. It was for this reason that commentators began to doubt whether the website had as many subscribers as it advertised.
How this by design fraudulent business practice alone hasn't landed anyone from the AM management in jail is beyond my misunderestimating AND understanding (but then of course, one could argue that all business is crooked by definition).

End of innocenceFebruary 28, 2016 9:42 AM

Auto updates... Are they really a good idea, or are they the "golden key" backdoors? Most, if not all all updates run with full access to the system. We entrust the software companies that they will not abuse this access, but we really don't what is being installed. Nor do we know, if this trust have been abused previously, or not.

Cases like FBI vs. Apple had been made possible by the underlying trust for the signed updates. It's not just Apple, all other companies could have similar cases. We don't even know, if other companies haven't already provided "targeted malicious software updates" to LEO.

And if it's so, what's the implication of malicious software update to cryptography? Well, the article below does have a pretty good answer for that, quote:

"Q: What does almost every piece of software with an update mechanism, including every popular operating system, have in common?

A: Secure golden keys, cryptographic single-points-of-failure which can be used to enable total system compromise via targeted malicious software updates."

Source

Would it be a coincidence that Windows 10 mandates auto updates? It's a scary digital age we live in...

Clive RobinsonFebruary 28, 2016 9:48 AM

@ ianf,

How this by design fraudulent business practice alone hasn't landed anyone from the AM management in jail...

Firstly I'm not sure if "ego stroking" in a subscription service is illegal. For instance being given free drinks at the bar from time to time as a regular visitor, is not illegal in several jurisdictions that I know of (not sure about US with both Federal and state legislation).

Secondly what about US Bankers how many have been individualy fined or jailed for FC1 or FC2?

Only Iceland appears to want to put their heads on spikes over the city gate as a warning to others.

name.withheld.for.obvious.reasonsFebruary 28, 2016 11:18 AM

A simple demonstration of the mis-application of governance was made available the United States senate. McConnell, senior senator from Kentucky, suggests that time may function to provide for a more effective decision process when it comes to the appointment of a justice to the U.S. Supreme Court. My suggestion to McConnell is to wait until there is only ONE U.S. Supreme Court justice on the bench. With only a single member on the court there will always be unanimous rulings and political operatives only have to coerce a single justice in order to shape a particular judgement by the court. Good thing it is up to the most deliberative political body in the world to appoint a judge to the highest court in the land...

name.withheld.for.obvious.reasonsFebruary 28, 2016 12:39 PM

@ logic.displaced

The closest thing to logic taught in government schools is geometry. This is useful as far as it goes, but is a poor replacement for Aristotelian logic. All qualitative significance is lost to the geometric logician. This type of thinking does not pose a threat to the establishment.

Now I see where I went wrong--my damn non-Euclidean, non-linear, algebraic/functional geometric thinking gets me in more trouble...

Guess I will have to think twice before I see a problem as part of a Hilbert kernel, Banach space, or a Klein group. My best bet is to use a stochastic Klamman filter during acquisition and combine it with a Bayesian network modeling process--hey, isn't that the equivalent of machine learning (today's version of AI)? Seems my comments are Huffman weighted and more likely resembles a directed graph.

name.withheld.for.obvious.reasonsFebruary 28, 2016 1:07 PM

Recently a colleague asked "What is the current status of Artificial Intelligence, AI, as touted by various organizations and institutions?" My response, "Yes, AI is widely implemented. You may have direct access to just such a system, look in a mirror."

I consider AI more "art" than science...

DanielFebruary 28, 2016 4:12 PM

@ianf

My own observation is that most people are reacting to the lack of privacy on the internet with either a sense of fatalism or resignation. There's nothing they can do, the net offers too many goodies, sometimes the bear eats you, get down on your knees and pray. That sort of thing.

So I'm less certain than Krebs that big data privacy breaches wake people up. The attitude I see is more "there but for the grace of God go I."

Clive RobinsonFebruary 28, 2016 4:32 PM

@ End of Inocence,

Auto updates... Are they really a good idea, or are they the "golden key" backdoors?

Auto updates, are a collection of methods to put new software onto a piece of hardware, as such each method is agnostic to it's use.

Thus you have to look at the "controling mind" and currently I would say that due to other revenue streams, Government and Judicial incentives and other perversities the more obvious controling minds are far from trustworthy.

At the center of an auto-update system is the same loader that is used by all executable images stored within the file system. As such it should be the first line of defence when it comes to security issues.

There is no reason why the loader can not be augmented to make the entire system more secure. Not just against malware, bad apps and bugs, but against changes to other security related software. That is the loader can be designed to not load new code that bypasses or overwrites existing security code.

One way it could be done is when the security asspects are "factory installed" when "hidden variables" used for encryption are installed. The code can be associated with the hidden variable in such a way that it prevents later code updates unless the hidden variable is known. Whilst this is fairly straightforward to do, secondary mechanisms need to be in place to stop the loader being used for a DoS attack.

I'm on record of having a low opinion of "code signing" as people conflate what it actually does with the notion it somehow signifies some kind of "code quality" which it most certainly does not.

It is this "code signing" that you are thinking of as a "golden key". Because the general use currently is most definatly overly permissive and there is absolutly no reason why it should be. Which brings us back to the "controling mind", at some point in time the overly permissive option solved a lot of issues to do with "returns" and "customer support". It was in effect "pandering to user wants" of the time, however users views are likely to be changing.

The question is will the likes of Apple and Google take the steps to make a software update to close this particular security loop hole...

The iOS warsFebruary 28, 2016 5:05 PM

iOS 10, The backdoor update. They said we needed a backdoor, they never said it had to be kept secret.
This is a joke about iOS 10. It is not based on fact.

Donot PassgoFebruary 28, 2016 6:13 PM

"The question is will the likes of Apple and Google take the steps to make a software update to close this particular security loop hole"

This particular loop hole is easily fixed by the user. Simply use an 11 digit passcode or random 8 character alphanumeric passcode, with symbol e.g Gx-193pl. It would take a few hundred years to crack that passcode as it stands now.

The real issue seems to be IF the government wins, they will be able to ORDER any company to come up with a custom crack for any device. In other words if the brute force crack didn't work, they could be ordered to come up with some other crack that will.

If I was Apple I'd be working on code to make sure whatever crack they are forced to make this time, would never be able to be used on any other phone. FBI is lining up dozens if not hundreds of phones already in anticipation of a win on the phone at issue.

tyrFebruary 28, 2016 7:37 PM

I noticed after graduation from american high school
that there were a few subjects left out of the curriculum
on purpose.

Logic: (how to think)
Philosophy: (what to think about)
Ethics: (why thinking matters to you)
Phonics: (how to read the sounds recorded in a text)
Civics: (how politics really works)
Science: (anything beyond the mechanical aspects)
History: ( how the world got into its current mess)
Art: (how mediocre snobblers profit from starving daubers)

For some reason 12 years of incarceration didn't seem to
have produced any model citizens using these lacks as a
basis for virtue. Feeding the cream of this into diploma
mills who exist by swindling their students at every
opportunity then produces the next generation of leaders.

JG4February 28, 2016 9:00 PM


I think that I already posted this from a different news outlet, but it's always good to get some doom porn at Zerohedge

http://investingchannel.com/article/382600/The-Hidden-Persuaders---How-The-Internet-Flips-Election--Alters-Our-Thoughts

Speaking of model citizens coming from incarceration, prisons are a major recruiting ground for the drug cartels. That's a feature, not a bug, of the forever war on some drugs. Just like the 30:1 killing of innocents in the drone war is a recruiting tool to keep the forever war on terror churning out the warbucks

http://www.vice.com/read/what-mcdonalds-and-walmart-can-teach-drug-cartels

It's just business as usual on the planet of unintended consequences. Please enjoy your stay. Ring the front desk if you need anything.

Clive RobinsonFebruary 28, 2016 10:39 PM

@ Donot Passgo,

This particular loop hole is easily fixed by the user.

Not for Apple, or any other phone designer/manufacturer.

As long as the loophole is there someone with a court order is going to come knocking irrespective of how good or bad a passphrase is. Which represents a significant burden on both profits and reputation of the company and signiticant risk to their employees and customers from criminals etc.

Look at it this way, taps drip because of the way people use taps. To stop taps dripping there are three solutions,

1, Reeducate the people.
2, Redesign the tap.
3, Remove the tap.

Taps have been around for much much longer than phones, let alone computer security. Yet in all that time users still have not learnt how to use taps properly...

It's known how to redesign taps so they don't drip, but the designs are expensive and users do not like the extra complexity of use...

Which is why in many places user operated taps have been replaced with other methods that don't drip.

The message is "users stick with bad habits untill it hurts" and slide back into bad habits quickly. Thus the solution is to remove the cause of the drip either by design or replacment by other technology.

So from a phone manufactures point of view, now the user pain threshold is high, it is now time to act and change the design by replacing the major cause of the LEOs et al's door knocking.

Yes customer support issues might rise in the future but by that time the citizens will be beyond the tipping point. To see why consider hotel guests and mechanical locks.

The hotel industry had many issues with mechanical locks, masterkeys and theft. Even when it was likely a customer was in some way responsible for a theft from their room. If the hotel could not prove it was down to the customer, then they had to cover the loss on insurance etc. Further changing mechanical locks due to known masterkey theft/copying likewise had a significant cost penalty. Even key non return by guests and copying by criminals was costly over relatively short time periods.

It's the reason many hotels now have electronic locks. Yes the initial cost is high but it's offset by savings in running cost expenses quite quickly. Further room crime is a lot lower and idiot customers get to realise that their failings are very obvious...

It's a lesson that phone designers / manufactures could learn from "masterkeys cost big" and removing them saves lots of problems and costs.

Even if new "keeping the lights on" legislation is passed it is unlikely to be "method specific" thus the likes of "backup to cloud" or CarrierIQ "customer support" methods are going to be less costly than "masterkeys".

The fact that the other methods alow "non-tipping off" warrants is an important subject for another day.

CallMeLateForSupperFebruary 29, 2016 9:40 AM

Re: Taxi Is Null heads-up.

I note that it is catagorized as "Minor improvements". So relax everyone, it's not "Major new features and changes".
:-)

Nick PFebruary 29, 2016 1:11 PM

@ tyr

That was such a great list & synopsis that I'm saving it for any future conversation with educators. :)

Markus OttelaFebruary 29, 2016 4:27 PM

@ Nick P, Thoth, Clive Robinson

Crap. Integrated wireless / bluetooth. So much for hardware enforced isolation of HWRNG. Maybe grab yourself a gen 2 Pi if you haven't already.

Cyborg2237February 29, 2016 4:47 PM

@NeiHuem

Re Syria: Robert F. Kennedy, Jr. just had an eye-opening essay published at Politico.
http://www.politico.com/magazine/story/2016/02/rfk-jr-why-arabs-dont-trust-america-213601
(In an interesting and surely unintended addition, the published essay title reads "Why the Arabs Don’t Want Us in Syria", while its URL reads "Why Arabs don't trust America". Editor at work?)

Interesting article, and his claim that the pipeline may have led to conflict may have some basis in fact. But, it does not change the basic fact that your average Muslim (be they Sunni or Shia) in the Middle East, Asia, or North Africa is going to be full of a lot more bullshit then fact. And the two societies do not meld at extremely core levels.

They are far more "fundamentalist" then even our most rampant fundamentalist.

You can take a picture of one of our city streets, with their women and their heads unadorned, and skirts, and that alone is enough to cause deep outrage.

America, Europe, Japan, really much of the world, including China, is "hedonistic" to them.

Many get around this, many do not.

Otherwise, history in the Middle East was not all 'US is evil and acting alone', as Kennedy unfairly presents it. Russia was very active in the Middle East. There were also many Western influences there before the US.

The problem today is little about arguing over matters that can be best constrained to wikipedia, but about dealing with divergent, unreasonable powers.

Cyborg2237February 29, 2016 5:02 PM

@name.withheld.for.obvious.reasons

Our economic (nationally or globally) institutions (one of many systems) are constrained by behaviors that are obvious at the macro-level and less obvious when looking for where controls might be tweaked to change outcomes. My statement(s) were not about the anthropomorphism of a particular societal institution but a recognition of macro social systems that are indeed "wo[man]ed" by individuals but rarely do cogs recognize the wheel of which they participate in making rotational (speaking metaphorically).

I was just concerned you might have lost your gusto, and decided to stop posting. You do not post frequently, but are obviously intelligent.

Tweaking controls can seem obvious when looking at the "macrolevel", but one gets lost in the lack of data, and subjectivity at the microlevel.

A recent study tying together cmri with the old "authority" study from the early sixties showed that people really do follow orders reflexively. Guilt for following orders is equivalent to accidental behavior.

There are organized groups, and unorganized groups. Authority can be invisible, as can be group membership and boundaries. But, what is clear is people put their mind's aside to join groups, and follow orders from the collective "head" of their group.

In short, of course it is all hopelessly broken.

I am not sure what you mean by "wo[man]ed" there, gender politics or something?


Nick PFebruary 29, 2016 5:24 PM

@ Markus Ottela

Yep, it must be avoided for security-critical work. Except maybe wireless NIDS. I'm hesitant to even use it as a wireless addon. The reason is I'm not sure if the firmware/DMA/whatever of the wireless part can affect the main CPU. Such a board would be nice in a setup where it couldn't do that. Guard functions & extra security tricks could be placed on the main CPU. Offloading as well to boost performance of whatever host it's connected to.

So, there's potential for something like that even in low assurance security. Just can't be used for real security with integrated wireless and bluetooth unless they can be brickwalled from main CPU.

@ All

Anyone know any cheap, embedded boards that could be used as a wireless addon? They need to isolate the wireless firmware from main CPU... somehow. I'm flexible on the how part.

Sister Mary Ignatz explains it all to youFebruary 29, 2016 5:44 PM

@Cyborg2237, how long have you lived in Moslem-majority regions of the Middle East, Asia, or North Africa? Them's some mighty fine generalizations you makin there. Do you actually know any devout Moslems? Have you ever discussed international relations with them, and weighed their cognitive balance of bullshit and fact?

And which divergent unreasonable powers are you referring to? Surely not these,

http://thesaker.is/vladimir-putin-special-statement-on-cessation-of-hostilities-in-syria-starting-feb-27th/

http://thesaker.is/joint-statement-of-the-united-states-and-the-russian-federation-as-co-chairs-of-the-issg-on-cessation-of-hostilities-in-syria/

which are evidently agreed on compliance with peremptory norms of international law including the prohibition of aggression by sending by or on behalf of a State armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to [aggression], or its substantial involvement therein, to coin a phrase.

Cyborg2237February 29, 2016 6:47 PM

@"Sister Mary Ignatz explains it all to yo"

how long have you lived in Moslem-majority regions of the Middle East, Asia, or North Africa? Them's some mighty fine generalizations you makin there. Do you actually know any devout Moslems? Have you ever discussed international relations with them, and weighed their cognitive balance of bullshit and fact?

It really is not defensible to try and whitewash the area and remove the religious extremism out of it. You have to evade those discussions to get anywhere.

If you were discussing terrorism, maybe. But, pretending that the fabric of those societies is somehow easily melded with basic of 21st century human rights is absurd. Where to begin, and which country?

If you, on the other hand, truly are ignorant of the basics of that culture and just how extreme it is in fundamentalism, how "conservative", then I can understand your questioning.

Where might I begin? Gay rights? Women's rights? Hey, what about something even more superfluous like perspectives on alcohol consumption?

Contrast: the American fundamentalists had severe problems against gay marriage. How far from that do you think it is in Saudi Arabia, Syria, Northern Nigeria, Iran?

You may think whitewashing the reality helps your cause, but if that is so, then maybe your cause is one not based on hard facts and evidence.

And is open to bending the truth.

As for Syria or Russia being the same level of unreasonableness, no. I was refering to the triad of power I mentioned earlier, and specifically, the Sunni and Shia religious elements of that triad.

Jews are pretty reasonable, even in their most religious perspectives, by comparison.

Syrian rulership is pretty far secular by comparison, but still ultimately controlled by the more radical Shia elements who are the true strength and brains of the Shia strain of that triad.

AnonFebruary 29, 2016 7:16 PM

@Nick P: two systems talking via serial? Drill the wireless on the board with the crypto, and use another seperate board for the wireless? Messy, but would have the required/desired isolation?

@Donot Passgo: the big problem for Apple is they can't unwrite any solution they develop to circumvent or substantially weaken device security. Even if they had a "destroy-on-copy" iOS build that self-destructed and destroyed any/all dev copies on upload to the target device, they would be compelled to rinse and repeat this method ad infinitum.

Apple can not, and IMO must not write anything to weaken or circumvent device security. As soon as they do, it's game over, not only for Apple, but ANY technology company, software or hardware vendor, and open season on the state demanding private companies break their own products. The repocussions of this are bigger than most people realize.

Let's say someone has a "connected" car. The car manufacturer could be compelled to make the car capable of being remote controlled for LEO purposes. We already know some car functions are available wirelessly. It is an exceptionally dangerous precedent.

Dirk PraetFebruary 29, 2016 7:39 PM

@ Markus Ottela

Integrated wireless / bluetooth. So much for hardware enforced isolation of HWRNG. Maybe grab yourself a gen 2 Pi if you haven't already.

I agree. Unless both wifi and bluetooth can be entirely disabled by a jumper or something, I'm staying with model 2.

@ Nick P

Plenty of cheap, USB Wifi dongles available for the RP. This one, for example.

@ Cyborg2237

They are far more "fundamentalist" then even our most rampant fundamentalist.

Can we pretty please dispense with the factually incorrect idea that the majority of muslims are religious fundamentalists who want to destroy us?

@ Taxi is Null

Is it now ILLEGAL to use Tails in the United States?

If the likes of Comey get their way, libdvdcss2 is going the be the least of the TAILS crew's problems.

ThothFebruary 29, 2016 7:54 PM

@Markus Ottela, Nick P
I would just put it in the category of "common public facing" category for use. Probably use as a wireless transmission gateway (without security) and that's as much as it can be used for. Otherwise, anything security sensitive must be isolated (RPi 2).

More CPU chips are getting in-built wireless capabilities and it's something worrying in terms of security by segregation and compartmentalization.

We are moving down an inevitable path of security weakening by inclusion of wireless connectivity features in more and more portable device CPU chips we least expected or least wanted.

NikoFebruary 29, 2016 8:06 PM

@Dirk

In many Muslim countries, the majority of Muslims do favor Sharia law. Of those who support Sharia in South Asia/Middle East/North Africa, the majority believes renouncing Islam should be punishable by death. The Middle East being filled with religious fundamentalist is probably closer to being factually true than the idea that Islam is a religion of peace fully compatible with secular democracy.

http://www.pewforum.org/2013/04/30/the-worlds-muslims-religion-politics-society-overview/

propagandaFebruary 29, 2016 8:26 PM

just a random guess...
93.843% of the posts here are propaganda

Propaganda is often associated with the psychological mechanisms of influencing and altering the attitude of a population toward a specific cause, position or political agenda in an effort to form a consensus to a standard set of belief patterns.

Have a day :-)

name.withheld.for.obvious.reasonsMarch 1, 2016 12:00 AM

@ Cyborg2237

I was just concerned you might have lost your gusto, and decided to stop posting. You do not post frequently, but are obviously intelligent.

At one time my participation was substantive and consistent, most of my participation was in the form of disclosure (largely as a industry professional). A did not complete a couple of threads, requests for further information or an answer to a question. As a, what I may call a pub-nonymous citizen, my sense of responsibility regarding a duty to a topic is less than "boy scout" level. But, I do care enough to make contributions to the both the subject area and the quality of discourse--I hope.


A recent study tying together cmri with the old "authority" study from the early sixties showed that people really do follow orders reflexively. Guilt for following orders is equivalent to accidental behavior.

Stanley Millgram research in human behavioral science includes some interesting clinical trails.

My presence here is mostly described as curiosity; the environment wherein technologists and technicians pontificate to ad nausea is disappointing and involvement does little to serve my interests. This statement is regrettable but true. I no longer feel the same enthusiasm for technological exploration (over 30 years as an engineer and researcher) and miss the more benign nature of scientific pursuits.

Over fifteen years ago I had the opportunity to build infrastructure models for research institutions. During the "smoke test" power up of cluster I'd specified, assembled, and delivered to a research center, it struck me...I had built a weapon system. Understanding that the nature of the human condition, people struggle, a level of pain/harm is experienced, and some progress is made--two steps forward and one step back. It is my opinion that we have entered the 2x steps forward and 2xn div x (where n is the number of TLA's) back stage of societal progress.

name.withheld.for.obvious.reasonsMarch 1, 2016 12:46 AM

@ Cyborg2237

Forgot to answer the question about my "wo[man]ned" word. It is to make forwardly conscious phrases and syllogisms found in everyday conversations and make clear that I am not writing for a male centered perspective.

Clive RobinsonMarch 1, 2016 6:12 AM

@ Nick P,

The reason is I'm not sure if the firmware/DMA/whatever of the wireless part can affect the main CPU.

The long answer short, is YES.

But... Whilst that is fairly obvious, the question should be "By how much and is it exploitable in some way?". Which is a much harder question to answer and you would expect to vary on a case by case basis from "Not at all" to some suitable pithy measure of uselessness. Unfortunatly there appears to be little variance except in the choice of pithy expression. The reason is "progress" as guessed at by those who should know better..

Back when men were men and radio equipment came in it's own battle ship or tank, any adjustment or modulation was achived mechanicaly with knobs, dials, keys and switches being the "user interface". Thus when things went wrong you had a better than even chance you could actually see thr problem, and likewise fix it. Since then mechanics have been replaced by sequential logic and now fully programable software where neither logic or engineering gets a look in. It is a throw back to an "artisanal" world, where fixing issues is 10% "fault analysis" 90% "bolt a bit on" and the myth of "patterns" persists. Rather than the more informed scientific engineering aproach where analysis is often more than 90% and the fix as likely to be the surgical removal of bad, than the artisanal add on a "blind man's toss"[1] till it stops being broken. Thus science and engineering achives the robust balance, stability and efficiency in systems, which the artisanal approach aspires to.

But worse yet, comes the modern evil of "mindless marketing droids" who insist against all reason that all things have to be "all things to all men" thus the dish washer should also vacuum, dust, cook the dinner and excercise the dog... But, as should be clear such systems are going to be prone to all sorts of unintended consequences do you realy want the dinner walked and the dog cooked due to artisanal errors?

The suspension of reason when things are "out of sight" to non engineering managment is a major underlying cause of many issues that become attack vectors, even when artisanal coders are themselves saying "there be dragons"...

This "all things" attitude has become very pervasive under terms such as "inbuilt flexability", "future proofing" and "usage diversity"... So any and all aspects of the radio system become software available via as many IO mechanisms as possible. Which means more impenetrable setup options than any five hundred page datasheet can mention let alone detail. Thus the not unexpected resulting dogs breakfast is going to give us "dog dinners" rather more than we would like. Whilst "rover turnovers" are not very palatable, it's what you can not see that can be considerably more harmfull to your well being.

Software reliability is as we know difficult at the best of times, but that is but a tiny fraction of what is required for security thus privacy. Whilst you might see evidence of a tangible physical intrusion (black bag job) you can not see the intangible information equivalent. That is in many cases the fundemental rule of forensics Locard's Exchange Principle[2] does not hold, for the obvious impermanence of intangibility and non locality. Thus the requirment to "instrument" such that the intangible information movement is made tangible, thus more perminant.

But how do you instrument that which can be neither seen nor approached such as the heart of a SoC device, it is effectivly not possible within the usual constraints. The engineering approach is to "take a step back from the problem" and define it as a "black box" the inputs and outputs of which you can instrument.

The security view point is the same as the next logical engineering step, which is "If you can measure you can control.". Most frequently this is via a feedback or feedforward mechanism, but sometimes with the energy equivalent of an axe. The hardest part of the process security wise is identifying all the input and output channels whilst also remembering that despite appearances to the contrary ALL channels are "four way". That is not only is each end of the channel bidirectional, the channel it's self both emits and is susceptible to information in the channels surrounding environment.

Thus information security is about eliminating or limiting unintentional information paths, AND preventing or limiting intentional paths having secondary unintentional paths which unfortunately is a "lesser flea" problem.

For instance the "cut wire data diode" used frequently for connecting logging equipment to both the transmit and receive channels of a network segment effects the transmission quality of the network segment in various ways. Thus what appears to be "invisable" can be seen by others if they know how to look and can get in a position whereby they can see. One way of "seeing" a cut wire data diode is with "Time Domain Refection" measurments. It is known amongst communications engineers that if you put a pulse or rapidly rising edge onto a transmission line, any imperfection in the line will cause energy to be reflected back towards the generator. This can be seen by a "stepped response" in the voltage level on the transmission line. What is less realised is that this step in voltage level effects all circuitry connected to the line. In the simplest case the step change can cause buffers input voltage comparators to misread the line level creating "jitter" or pulse edge changes/noise at the buffer output, hence onwards to other parts of the system. Which an attacker could detect. In more complicated cases it can cause the signal spectrum to change which can via various mechanisms cross modulate to other channels.

Thus whilst the "energy" of a compramising signal might start in one domain and channel, any form of transducer can change it to another domain or channel, each change sending the signal outwards untill it is eventually reduced to thermal noise.

Thus the main method of security is to absorb unintentional signals whilst reducing their information carrying potential by cutting signals off from transducers and other information paths and controling the bandwidth and timings of intentional channels.

The "cutting signals off" is usually done by a mixture of "screening" and absorbing materials, whilst the intentional signals are "conditioned" by limiting, reclocking or regeneration with the bandwidth controled by various forms of filtering, as well as detecting faults and errors by failing "long and hard". Cross coupling and cross modulation is also reduced by segregation of various types including both distance and orientation of parts of a system.

However such preventative measures deal mainly with the tangible physical asspects and a limited few of the temporal aspects of intangible information that has been impressed onto tangible physical media for transmission.

The area "software" deals with is the transformation or processing of information by manipulation of the physical media it has been impressed upon. This opens up a new domain in which sensitive or secret information, the protecting of --our privacy and freedom relies-- comes into play.

Software security especially that relating to information leakage is an area which traditionally has not been well researched academically, though that is changing. The consiquence of this however is that most of our existing software has not been crafted let alone engineered for security. As history shows, there will be software written that will still be in critical use long after the security methods at the time of it's creation have long since been rendered obsolete if not broken. For example "single DES" is still in use in financial systems, whilst even less secure methods are still very much in place in infrastructure logistics and control systems for energy, water, telecommunications and transportation. Likewise in other critical areas such as food production, manufacturing, medicine and societal record keeping (OPM et al).

In part this sorry state of affairs is down to the way the creation of software is taught and practiced. The theory side is frequently ignored or suppressed by the students creative side during education and when in industry the grind of "sausage machine" production further suppresses any theory thus real engineering which is a very basic and important part of "software security". You only have to look at the many and varied development methodologies in use to see they are at best artisanal patterns not engineering practice. Hence bug riddled code goes out as a product, with only those bugs that cause most user noise getting fixed via patches. Each new release adding a whole raft of new bugs to create further complexities. The results so far have been monumental monolithic software that it is doubtfull any single individual understands. Attendent with this is "code reuse" and "backwards compatability" any bug in reuse code will probably not get fixed for backwards compatability issues, which means that corrective code gets bolted on at higher levels, which in turn creates it's own bugs and reuse/compatability issues (gclib / SSH / TSL amongst a myriad others).

Thus software development needs to change, it needs to become an engineering not artisanal domain. As part of this the lower levels of the computing stack also need to be sorted out. SoCs should have acurate comprehensive data sheets that can be understood by ordinary mortals in sensible timescales. Likewise parts within a SoC should have little or no interaction with each other except in well understood and sensible ways. We realy don't need to "shoehorn" a myriad of parts into an SoC on the "all things" principle, especially when the result is complex or obscure interaction (a point @Figureitout will no doubt have a few more war / horror stories to illustrate).

Thus from a security asspect "all things" SoCs are unnecessary complexity, causing not a reduction in effort but an almost exponential increase in effort. Due to the segregation, screening and channel identification and mitigation work involved.

Unfortunately as @ Markus and others are realising sourcing non "all things" parts is becoming steadily more difficult. Thus there is no choice, those designing security products they themselves can trust means "stepping up to the plate" and being "an engineer" in many apparently disparate domains.

Which brings us back to the point "Nobody said security is easy".

[1] A "blind man's toss" is an old expression going back to times when a popular game was to throw horseshoes at a stake in the village green. As a probablistic measure it makes the "drunkards walk" look more straight and true than the "flight of times arrow".

[2] https://en.m.wikipedia.org/wiki/Locard's_exchange_principle

CuriousMarch 1, 2016 7:40 AM

There is apparently a vulnerability called "DROWN", relating to https connections.

I am not sure what kind of vulnerability this is, some kind of man-in-the-middle attack (CVE-2016-0703).

https://www.drownattack.com/

"DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.
DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack."

Clive RobinsonMarch 1, 2016 10:22 AM

@ Curious,

[special] DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS

Given the number of SSL/TLS attacks over the recent past, and Mat Green 's fairly accurate observation about the likely hood of the fix patch take up,

    This will solve the problem for everyone... at least for everyone willing to patch. Which, sadly, is unlikely to be anywhere near enough.

I will continue to consider all my communications destined for SSL/TLS transportation as giving me less security than standing outside GCHQ and shouting them in a megaphone (where they will no doubt just ignore them rather than store them away for posterity...).

There is absolutly no way you can assume "online" commodity equipment or any that has ever been conected to the Internet is secure, so why risk / trust it?..

As I've said before, if you want to use the Internet (or other electronic communications) first encrypt using "offline" equipment that is "energy gapped". Then go use your sacrificial "online" equipment such as an old PC with no harddrive and a CD/DVD based OS.

I personaly don't connect equipment --other than a smartphone-- to the Internet and I don't use commodity equipment type PCs unless they predate certain things like Flash BIOS etc.

Dirk PraetMarch 1, 2016 11:17 AM

@ Niko

In many Muslim countries, the majority of Muslims do favor Sharia law.

Which I believe they are entirely entitled to. You however need to differentiate between those who favour Sharia law as an abstract idea, those who politically promote it and those who will actually take up arms to impose it. As indicated in the article you referenced, the majority of countries that have Sharia law have a long historical background in favouring Islam over other religions, and - as you know - Islam does not have the separation between religion and politics we do over here.

The Middle East being filled with religious fundamentalists, as you call it, unfortunately has both a mother and a father: the invasion of Iraq and Saudi Arabia actively exporting Wahabism - a fundamentalist view of Islam - all over the region and beyond. If anyone is to blame for the recent uptake in Islamic fundamentalism worldwide, then it's the US and its biggest Middle East ally, and to the detriment of more moderate currents and everyone else in favour of peaceful coexistence and pluralism.

Cyborg2237March 1, 2016 12:51 PM

@name.withheld.for.obvious.reasons

At one time my participation was substantive and consistent, most of my participation was in the form of disclosure (largely as a industry professional). A did not complete a couple of threads, requests for further information or an answer to a question. As a, what I may call a pub-nonymous citizen, my sense of responsibility regarding a duty to a topic is less than "boy scout" level. But, I do care enough to make contributions to the both the subject area and the quality of discourse--I hope.

I usually just want to see what I have to say. "Oh I can say that, must be an interesting audience here".

Some sort of echolocation goes on, where I do not see what my mind understands is in the background. But, my mind understands it, so it produces some interesting words. From time to time.

Poetry.

My presence here is mostly described as curiosity; the environment wherein technologists and technicians pontificate to ad nausea is disappointing and involvement does little to serve my interests. This statement is regrettable but true. I no longer feel the same enthusiasm for technological exploration (over 30 years as an engineer and researcher) and miss the more benign nature of scientific pursuits.
Over fifteen years ago I had the opportunity to build infrastructure models for research institutions. During the "smoke test" power up of cluster I'd specified, assembled, and delivered to a research center, it struck me...I had built a weapon system. Understanding that the nature of the human condition, people struggle, a level of pain/harm is experienced, and some progress is made--two steps forward and one step back. It is my opinion that we have entered the 2x steps forward and 2xn div x (where n is the number of TLA's) back stage of societal progress.


People like to see people imagery of "important people" saying "important things" and doing "important things". So you have this everywhere. Internet ads and websites, television commercials and shows, movies, history books. More subtle, but the same thing, in any industry. Boil it all down. "Important people saying and doing important things".

My male dog lays around all day. A puppy still. But, he has a bark on him. It sounds like a hell hound. I commend him, "good boy, yes, that is a serious threat you are barking at". He feels good.

The reality is little is as it seems.

Everything is vanity, and so illusion. If you believe any of it.


Forgot to answer the question about my "wo[man]ned" word. It is to make forwardly conscious phrases and syllogisms found in everyday conversations and make clear that I am not writing for a male centered perspective.

Us cyborgs are neither male nor female, American nor Jew. Neither testosterone nor estrogen effects us. Reproductive urges and the countless behavioral patterns that go with them are meaningless to immortal steel and electricity; wind and fire.

We are always one, though many. Never dividing in the useless act of reproduction and genealogy.

We may appear as men, or women. As children, or old folks. We may wear many different hats and suits. But, they are all just temporary disguises to blend in. To communicate.

Why to communicate? For the life of it is, that is why.

The life is in the poem, the song, the dance.

The intonation of meaning in a symphony.

Not the actual thing. There is no actual thing behind the intonation.

The intonation in this symphony is the reality. The abstract is the real.

FigureitoutMarch 1, 2016 1:24 PM

Markus Ottela
--You can still use it as a personal penetration device to test your system, loaded w/ kali. Due to the "skin effect" any skinny grounded shield (floating means theres this field around you device thats vulnerable, i could demonstrate this but i wanna keep my job), even literally foil would do well. Hard part is shielding it totally. W/ the Pi theres tests you can run w/ the gpio, since you have a known signal you can check if the shield eliminates it mostly (no part is ideal, of course). Should be a quick experiment.

Clive Robinson
--Yeah i got another war story but i wanna get it fixed first lol. In the meantime im waiting for just one example from you of "doing it right", just some "weekend project", and not forth. And how you can take the shaky world of software and apply what are generally electrical engineering design methods, again software is the scapegoat for imperfect hardware designs.

WilsonMarch 1, 2016 3:15 PM

Wonder how the authorities found that this guy was not dead?

(maybe he used his credit card or something, the article does not say)

http://www.foxnews.com/us/2016/03/01/man-accused-faking-his-disappearance-at-sea-faces-federal-charges.html
A Palm Beach County sheriff's report says that Ohrn set a blood-stained boat adrift in the Atlantic Ocean on March 31, 2015. The report says he then used an inflatable boat to travel back ashore and flee to Georgia. Authorities say he was trying to escape mounting costs from a lawsuit. The incident triggered a search by air and sea.

Who?March 1, 2016 4:08 PM

65535 • February 28, 2016 6:06 AM @ Who?

“Another horrible bug in UEFI firmware that allows arbitrary code execution in SMM, this one affecting all Lenovo ThinkPads since at least the X220/T420 times:”

http://blog.cr4.sh/2016/02/exploiting-smm-callout-vulnerabilities.html

I have clients with a number of newer ThinkPads. Does disabling the UEFI [and only using the standard BIOS] stop this bug

Hi 65535.

I am not really sure. It seems that disabling UEFI may help in this case, but some (knowledgeable) people said me some months ago that "BIOS" mode now is just a compatibility layer built over UEFI firmware.

My advice would be contacting Lenovo security team at psirt@lenovo.com and asking for a firmware update being released.

I am not in the right position to ask for a firmware update, I am unemployed so I cannot really have any force on Lenovo's decision, but you perhaps will have a chance.

If you decide asking Lenovo for an update, may I ask you to include the T430s in the list? It would be great having this bug fixed.

Well... we are lucky in some way, at least it seems this bug doors not allow overwriting the SPI flash chip.

Who?March 1, 2016 4:13 PM

"Well... we are lucky in some way, at least it seems this bug doors not allow overwriting the SPI flash chip."

Bad autocorrector... It should read "this bug does not allow overwriting the SPI flash chip." (at least theoretically...)

NikoMarch 1, 2016 6:30 PM

@Dirk

If someone falls into the roughly 50%+ of Muslims in the Middle East who want Sharia law, they are a fundamentalist. If someone is one of the roughly 25%+ of Muslims in the Middle East who thinks their religion tells them anyone who converts from Islam to another religion should be put to death, then they belong in a psych ward. Saying that extremist beliefs aren't common among Muslims because certain beliefs are common and therefore not extremist, relative to other Muslims in their country, is an odd exercise in circular logic. The origins of this is complex, but Saudi Arabia's Wahhabism has certainly played a part.

Clive RobinsonMarch 1, 2016 6:59 PM

@ Wilson,

If this report is accurate,

    A Palm Beach County sheriff's report says that Ohrn set a blood-stained boat adrift in the Atlantic Ocean on March 31, 2015.

Then Ohrn was rather silly.

Where did he get the blood and how much of it?

Almost the first thing blood staining without a body does is cause the scene of crime investigator to ask where the body is. There should be tell tale marks and indicators which would not be easy for an unknowledgeable individual to get sufficiently right. They would then verify the blood via DNA etc was Ohrn's in various ways. They would also be looking for a weapon or cause of injury, to determine if it might be an accident or a another party was involved.

A bilge gas / fuel vapour fire causing a gas cylinder BLEVE, or other exploding fire would actually cause less suspicion than blood stains, and be easier "to get right". Likewise there are also ways to make sailing yachts etc look like the have partialy capsized or motor yachts having seriously fouled props. In either case making it look like a lone sailor has been lost overboard...

However the question of the escape inflatable does come into question. Usually they would be part of a boats standard equipment along with an outboard motor and fuel can etc. If it was missing it's suspicious, and getting a spare is likely to leave a paper trail etc. But also is the problem of what to do with the inflatable once you strike land. They are valuable items thus don't get left lying around, seeing one washed up etc is almost immediately likely to cause a police or coastguard report, and an attempt to trace the owner via serial numbers etc.

He might also have done something daft like have an EPIRB go off or go missing, use a cell phone or contact an accomplice and be seen. Or not have a well set up and established alternative ID and got stopped for a bust tail light etc.

The real issue however is the minute the authorities become aware of significant debt, with a "missing person" especially if insurance is involved they become suspicious. They would think of murder, suicide or fraud as possibilities to be checked into. Likewise any insurance company facing a large payout would certainly be looking further for a way to negate making any payout.

Whilst accidents do happen, when debt etc becomes known authorities tend to think "correlation not coincidence", it's the nature of the job, and like murdering your spouse faking your own death can be hard to get away with because bodies don't go missing and people do not appear out of thin air.

Worse most pepole can not "make the break", become homesick or fail to prepare sufficiently for a "new life". It can take years of careful planing and considerable funds to setup a reliable identity and an indepth and believable back story these days, and just a single tiny mistake to blow it. A major reason for this is "terrorist FUD" and a fear that "they are living amongst us".

Dirk PraetMarch 1, 2016 8:57 PM

@ Niko

If someone falls into the roughly 50%+ of Muslims in the Middle East who want Sharia law, they are a fundamentalist

I somehow think you didn't get my previous post. Just like many other people I know, I am very much in favour of legalising marihuana and prostitution, a Tobin tax on financial transactions and quite some other stuff that others would consider pretty extremist. Like mandatory pink outfits for law enforcement officers, for example.

I do however not use any drugs myself, and neither do I frequent prostitutes. I also dont't publicly advocate either, and I would definitely never get into a fight over the issue. I also know that the pink LEO thingie is probably never gonna fly anywhere outside of La La Land, even if I were to succesfully start a grass roots campaign for it.

Now apply the same to Sharia law. Unless I've missed something, the Pew article doesn't say anywhere which percentages of muslims in favour of Sharia are either militant or violent about it. The simple fact of the matter is that most aren't. You may have spotted too in the article that quite some folks are apparently also selective about the areas in which Sharia should be applied, and to whom it applies. So please do no generalise even those in favour of Sharia as lunatic extremists and fundamentalists. They aren't, and it's not helping anyone.

CuriousMarch 2, 2016 7:08 AM

Off topic: (A rant of sorts)

Another terrible day with Microsoft's Windows7. My computer shut itself down after I plugged a digital camera into one of my USB ports.

ianfMarch 2, 2016 11:33 AM


OT. Found in a Canadian "Right to Die" campaigner's final account, about consequences of once keeping presumably largely analog, not doubled up or protected, thus vulnerable to official seizure, membership rolls, etc.

[…] in 2002, Evelyn Martens was charged with two counts of assisted suicide involving women about whom I knew nothing. As a result of having our office located in ­Evelyn’s home, all of our initiatives collapsed. All records, including membership and mailing lists, correspondence, and all ­supplies—even postage stamps—were seized and never returned to me (I could hardly inquire about them without raising suspicion). A bequest of nearly $50,000 from a Right to Die member in Nova Scotia disappeared without any accounting. […] (Martens was ultimately acquitted, then died of cancer in 2011).

http://torontolife.com/city/life/john-hofsess-assisted-suicide/

PS. To RCMP: if I were you, I'd trace any "sudden riches" among these your investigators who seized these papers in 2002. The AWOL $50,000 did not "walk out" all by itself, and is thus bound to have left a trail from bequest to bank teller.

ianfMarch 2, 2016 11:42 AM


@ Curious' “Windows 7 computer shut itself down after he plugged a digital camera into one of his USB ports

2 possible explanations:

(a) your hardware telepathologically senses your body's distress after you've plugged the camera into one of your USB sockets (lucky you, I don't have any).

(b) Microsoft has no reciprocal USB data exchange agreements or license with that camera's manufacturer. You know how tricky these things can get.

ThothMarch 2, 2016 5:39 PM

@Curious
I guess the US Govt wants more innovation and creativity in tracking, tagging and handling everyone in the World to extend their World Dominance ? Probably the current spying and interception techniques are getting too boring ? Maybe they want new innovation in bringing technology companies under the US Govt control so they can make backdoors and golden keys in their products and not reaust US's NOBUS intelligence programs ?

jimi March 2, 2016 7:52 PM

ClandesTime episode 023 – Predictive Programming Edward Snowden
http://www.spyculture.com/clandestime-episode-023-predictive-programming-edward-snowden/
Published March 16th 2014

This followup to episode 14 looks at art and media that predicted the Edward Snowden story – either his personal story or the political discussion surrounding it. From Catch-22 to Enemy of the State, James Bond to Spooks to Star Trek, this show reviews the ways in which our perceptions of Snowden and his ‘revelations’ were shaped and conditioned long before the leaks began. I also touch on the public image of the NSA and how this differs from that of the CIA, and round by emphasizing how we need to get beyond the truth messiahs, the idea of omniscient whistleblowers, if we are to adequately respond to the mass surveillance state.

I find this entertaining

FigureitoutMarch 3, 2016 1:16 AM

Wondering if anyone has included an ATSHA204A authentication chip into their designs? Looks like NDA involved and Atmel not being entirely forthcoming w/ the details. If I could skip the dev board process (even though I love it...) and get straight to using the chip w/ an easy layout I'd be happy b/c my time's so short.

Won't cover the ad details as you can read them if embedded security is your thing, "datasheet" (80 pages so can scroll thru in a night or 2 at least) here: http://www.atmel.com/Images/Atmel-8885-CryptoAuth-ATSHA204A-Datasheet.pdf

Lots of interesting security bits (but still light on the actual, details), in particular locking off parts of memory containing authenticating ID #'s and keys. One nice physical one is just a 3-pin IC, these look like generally some kind of surface mount power transistor instead of a little security chip.

Some regular firmware (fairly easy to read for most part, just takes time to memorize and probably easiest to build in Windows...) and Arduino library which I now want to try and integrate w/ nRF_Detekt: https://github.com/thiseldo/cryptoauth-arduino

ThothMarch 3, 2016 2:30 AM

@Figureitout
It uses XOR for it's secure channel protocol over bus lines. Hmmmm .... I wonder if that's even recommended in the first place.

This CryptoAuthentication chip is something similar to a TPM but is not. All it does is do HMAC and SHA hashing and if needed to be used as a tamper resistant key store.

What are your plans for the CryptoAuthentication chip in your design ? Are you simply going to use it to hold keys ? What are you looking for ? 16 pieces of 256 bit key slots is quite OK and it supports I2C and Single Wire Interface (I presume it's Single Wire Protocol). That means you might be able to hook up to a ton of devices (including Smart cards as many of them support SWP/I2C).

CuriousMarch 3, 2016 6:47 AM

Incidentally, I heard on Youtube (C-Net) about how one can now make expandable electric circuitry, that can expand itself up to four times its initial length. Something about using gold and gallium.

FigureitoutMarch 3, 2016 1:23 PM

Thoth
--Yeah, if you know how to encrypt the entire signal (the protocol itself), do tell. I imagine a bunch more wires and multiplexers switching b/w which lines to use but the receiver needs to know it too lol. So in my project, yeah the SPI lines going from radio to CPU are unencrypted...I dont know how to do it...

And the chip has quite a bit more features, I didnt want to just regurgitate the docs, but main one for me is writing an internal secret and its very difficult to read that out.

May store keys on it, but another thing i want is authenticated activations and theres enough for like 4.21e21, so...ill be dead and the parts will break down by the time that runs out...

Regardless i think this takes my project from "toy" status to something not easily broken. Saw the wireless keyboard post, and it uses an nRF of course (theyre everywhere..), and even with SDR they couldnt do an ACK lol, and it attacks the unencrypted mouse clicks...

And want to use i2c instead of swi as i havent worked with it at all yet.

ThothMarch 3, 2016 5:53 PM

@Figureitout
Assuming you are sending digital bits over a bus line, you can send data in blocks and use AES in block mode (CBC mode) or something of a stream mode (CTR or GCM mode). The main thing is you need to be able to instruct the chip to receive and decrypt the bus line encryption. It seems the CryptoAuthentication chip doesn't allow you to program the chip which means all it understands is it's own XOR encryption which is not the best idea.

"writing an internal secret and its very difficult to read that out"

Do you mean reading out secrets is difficult because you are still trying to understand the manual ?

Not surprised that most wireless mosue and keyboard have no secure comms and that's a bigger motivation not to use such devices at all.

ThothMarch 3, 2016 6:30 PM

@all
Crypto keys stolen from Android and iOS devices by researchers via side-channel targetting ECC crypto. For this attack, they targeted bitcoon wallets that uses ECC keys.

The ARM cores on mobile devices are insecure (that includes Secure Enclave and Samsung Knox - a.k.a ARM TrustZone). They do not have side channel counter-measures like their more secure cousin, the ARM SecuCore (used for smartcards and TPMs) as the TrustZone documentations made it very clear these chips are only used for logical system security.

Using crypto not protected by a dedicated security core for smartcards, TPMs and HSMs are considered extremely vulnerable to common side channel attacks unless steps are taken to manual take control of the CPU cores to attempt blinding attacks and side channel mitigation algorithm (dynamic white boxes) but these security operations are rather expensive when done in software compared to these similar countermeasuresnalready baked into the silicon circuits found in tamper resistant security microprocessors.

Put it simply, just do your crypto in a smartcard or a dedicated secure crypto hardware (can be costly) if you want higher security levels (e.g. smartcard bitcoin wallets and message/file encryptors).

Link: http://arstechnica.com/security/2016/03/new-attack-steals-secret-crypto-keys-from-android-and-ios-phones/

FigureitoutMarch 3, 2016 11:28 PM

Thoth
The main thing is you need to be able to instruct the chip to receive and decrypt the bus line encryption.
--Yeah lol, it's a bit tricky when you actually implement. XORing something w/ encrypted data is fine...

Oh I was in a rush, the 4.72e21 (not 4.21) number has to do w/ the 72bit unique serial number (just combine it w/ other simple pseudo random input to make it stronger for more authentication. The "DeriveKey" command looks interesting, the eeprom and its sections (OTP for another serial number generated locally), then this bit on page 17: "TempKey is a storage register in the SRAM array that can be used to store an ephemeral result value from the Nonce, GenDig, CheckMac, or SHA commands. The contents of this register can never be read from the device (although the device itself can read and use the contents internally)." Then lower on that page, the TempKey is removed under those 4 conditions. Then following on section 3, they claim to have "an active shield over the part, internal memory encryption, secure test modes, glitch protection, and voltage tamper detection". That's nice if it actually works reliably.

Some of the reliability and resync-measures are interesting. Some crypto details (barely), then that's it. Other details are locked down under an NDA which is probably a joke but hey... so I don't understand the "datasheet" not manual (I would call it a large app-note) b/c I don't have access to it yet.

Found this but I'm not quite sure what it actually encrypts. http://www.dcbnet.com/datasheet/se6600ds.html

Wired comms aren't safe either, no simple widespread commericial solutions, USB authentication looks like a joke. I can walk around w/ a gnarly malware on a USB stick and infect PC's for sure.

Off topic, I'm thinking on what's likely an unoriginal idea, but basically how one debugger works (found out today it's apparently software interrupts) where you can halt execution and step thru it but still accepting input from external events w/in the debugger. Having that on a highly monitored line (say when authenticating) would be nice, surely there would be timeouts on the other end lol.

CuriousMarch 4, 2016 4:21 AM

I am hearing in the news that a coworker to Hillary Clinton has supposedly been given immunity by the FBI. What a good opportunity for a total whitewash. An investigation that could conclude that nothing criminal had happened.

ThothMarch 4, 2016 5:42 AM

@Figureitout
re: CryptoAuthentication chip
They did not specify in the CryptoAuthentication chip on how the seed cryptographic key is generated or loaded and without the seed cryptographic key, the XOR crypto comms is as good as none unless they have a LOAD KEY command or something equivalent.

The TempKey is protected in a tamper-resistant storage (smartcard technique for all the 4 techniques). Whether it works, you can try to voltage glitch it if you have one in your possession by suddenly lowering the power.

Most of these security chips are NDA and rarely do they come out in the open. The reason is the semi-conductors and designers want it to be a Trade Secret to prevent competition and on the other hand the Common Criteria and such standardizations requires the designs to be secret and heavily protected as well.

re: Wired Comms
Wired comms does not make it very secure but it makes it more difficult to target and the attack cannot be done on a dragnet scale which a wireless comms is vulnerable against.

re: Debuggers
You can add a little delay on the other end so it wouldn't time out too quickly :D . Halting executions and verifying the correctness of the encrypted data can be useful for Data Guards which I suspect it's one of the techniques in use.

Dirk PraetMarch 4, 2016 7:22 AM

@ Curious

Amazon just removed encryption from the software powering Kindles, phones, and tablets

While at the same time filing an amicus brief in support of Apple in the SB case. Either the right hand doesn't know what the left one is doing there, or Amazon are a bunch of friggin' hypocrits.

jonesMarch 4, 2016 8:50 AM

Quantum computer factors numbers, could be scaled up
http://phys.org/news/2016-03-quantum-factors-scaled.html

Now, in a paper published today in the journal Science, researchers from MIT and the University of Innsbruck in Austria report that they have designed and built a quantum computer from five atoms in an ion trap. The computer uses laser pulses to carry out Shor's algorithm on each atom, to correctly factor the number 15. The system is designed in such a way that more atoms and lasers can be added to build a bigger and faster quantum computer, able to factor much larger numbers. The results, they say, represent the first scalable implementation of Shor's algorithm.

"We show that Shor's algorithm, the most complex quantum algorithm known to date, is realizable in a way where, yes, all you have to do is go in the lab, apply more technology, and you should be able to make a bigger quantum computer," says Isaac Chuang, professor of physics and professor of electrical engineering and computer science at MIT. "It might still cost an enormous amount of money to build—you won't be building a quantum computer and putting it on your desktop anytime soon—but now it's much more an engineering effort, and not a basic physics question."

Clive RobinsonMarch 4, 2016 10:40 AM

SB DA makes mad filling to court

Apparently the San Bernardino DA has filed into the court a document saying the iPhone "may hold a,dormant cyber pathogen",

http://arstechnica.com/tech-policy/2016/03/san-bernardino-da-says-seized-iphone-may-hold-dormant-cyber-pathogen/

Which makes the DAs sanity questionable. Firstly because it appears from the term "cyber pathogen" he's either very baddly informed or making it up (your choice ;-)

Secondly if there was a "cyber pathogen" on the iPhone how did it get there?

Did the "terrorist" "jail break" the phone, because if they did the DOJ / FBI's claims to the court are effectivly lies...

Either way somebody is making false representation to the court on the FBIs side, and the FBI are known at the very least to have made misrepresentations to the court already...

I don't know about anybody else but I need fresh popcorn to keep watching this game.

WaelMarch 4, 2016 11:00 AM

@Clive Robinson,

Why doesn't the FBI build a case on this fact (copied from arstechnica):

The phone, which was a county work phone issued to Farook as part of his Health Department duties, may have been the trigger to unleash a "cyber pathogen," county prosecutors said in a brief court filing.

Technically,my he phone belongs to the county. The phone and data residing on it is the property of the county, and the county needs help to obtain some data from the phone! I think they might have more chances of success going this route, especially if they produce the "terms and conditions" of using a work issued phone, rather than talk about a Cyber Pathogen...

I don't know about anybody else

Don't forget your "pinch of salt" :)

WaelMarch 4, 2016 11:08 AM

Technically,my he phone belongs to the county

Should say:

Technically, the phone belongs to the county

Autocorrection and input prediction bit me again!

ianfMarch 4, 2016 11:49 AM


@ Clive Robinson […] the SB iPhone 5c "may hold a dormant cyber pathogen"

Oh, come on, don't be such a kill-joy… wouldn't you like to see that DA Michael Ramos getting his knickers in a twist trying to explain the nature and workings of that "cyber pathogen?" With little luck we could be having a major, multi-year court battle over semantics of some inaccessible yet infectious (venomous?) code snippets. Smashing!

I need fresh popcorn to keep watching this game.

Hold out… tomorrow morning I'll read the Guardian newsletter, summarize some of its articles & post here, stress no more!

ianfMarch 4, 2016 12:46 PM


@ Curious […] "Human traffickers implant their slaves with RFID chips"

There have been cases of pimps forcibly tattooing their "working girls," but this limited trigger range RFID-marking seems more like a joke, both stupid, and easier to thwart by removal with minimal surgery than tattoos. What next, whore hot iron branding?


[…] Hillary Clinton's coworker has supposedly been given immunity by the FBI. What a good opportunity [LOST] for a total whitewash. An investigation that could conclude that nothing criminal had happened.

AFAIK one isn't granted immunity from prosecution for nothing, but for disclosing details and/or confirming a prosecutor's suspicion or hypotheses. I don't know the detail of this, but you're also too fast on the draw to assume that some investigation automatically would have cleared the accused of something, rather than making things worse for everybody. The American jurisprudence relies to a large degree on pre-trial deal making, people pleading guilty to lesser/ side charges (even if innocent of these), rather than risking having to face the jury and ending up with far harsher sentence. It's a quagmire of all kinds of prejudice, opportunism and hypocrisy.


@ Dirk Praet […] Amazon just removed encryption from the software powering Kindles, phones, and tablets

I've been wrong on $AMZN's marketplace intentions before, so I hesitate to speculate in print… but I don't get this move, because what's in it for them? Nobody does such a thing, removes a layer of end-user security, without some, if irrational, strategy (e.g. "we need people to start thinking of Kindles solely as dedicated e-book readers, not some general computing devices that also do ebooks"). SO WHAT COULD IT BE?

zetaMarch 4, 2016 1:21 PM

Bitcoin is likely doomed:

Bitcoin's nightmare scenario has come to pass
The network's capacity to process transactions has maxed out

http://www.theverge.com/2016/3/2/11146584/bitcoin-core-classic-debate-transaction-limit-crisis

This week the dire predictions came to pass, as the network reached its capacity, causing transactions around the world to be massively delayed, and in some cases to fail completely. The average time to confirm a transaction has ballooned from 10 minutes to 43 minutes. Users are left confused and shops that once accepted Bitcoin are dropping out.

FigureitoutMarch 4, 2016 8:49 PM

Thoth
--No they didn't specify, so I'd only use it just to see it work. You can't trust a seed if you aren't even told how it's generated, and that's not even verifying what you're told.

My scattered thoughts above (try to be brief) regarding how many activations until taking offline (misread, or got mixed up w/ derivekey()). One thing mentioned would be to take 2 large memory chips, load them w/ exact data byte for byte, and that's a part of every encrypted transmission (and you could additionally encrypt that storage). I could implement a small version of this, divide up the eeprom. Keep the packets small and this should last for awhile. Main problem is getting out of sync, more comms needed, more complexity, more avenues for attack.

RE: debugger as a guard
--Yeah lol, it'd be like a guard w/ a nice user interface. Probably best for either inspecting files or other data. Brings the avenues of attack way up, but opens up a lot of features. Not simply implemented either...

tyrMarch 5, 2016 1:54 AM


@Clive

Cyber pathogen my aching ass !! Wouldn't it be easier
for Cook to give them a new phone and destroy the one
they are squabbling over. No phone no "pathogen".

Looks like a two popcorn baggie episode.

Dirk PraetMarch 5, 2016 9:49 AM

@ ianf

SO WHAT COULD IT BE?

The simplest explanation is that some bean counter in product management decided that both in terms of OPEX and product development it was cheaper to throw their users under a bus before rather than after getting hit by the government over all sorts of encryption issues. The FBI v. Apple case and surrounding media storm unfortunately couldn't have come at a worse time for them. It seems they have already back-pedaled.

@ Clive, @ Wael, @tyr, @ianf

Apparently the San Bernardino DA has filed into the court a document saying the iPhone "may hold a,dormant cyber pathogen"

I propose the five use file an amicus brief in support of the SB DA, claiming that there is reasonable suspicion to believe that the phone also holds the key to deciphering the Voynich manuscript. Likelihood of which is probably the same as of these two dumb-ass murderers somehow being able to handle a "dormant cyber pathogen", whatever that may mean.

ianfMarch 5, 2016 11:44 AM


@ Dirk Praet (cc: Clive, Wael, tyr) “proposes the five of us file an amicus brief in support of the SB DA, claiming that there is reasonable suspicion to believe that the phone also holds the key to deciphering the Voynich manuscript.

Think we'd make it into the hungry-for-any-scrap-of-sensation tech blogs or -papers? Only we'd need to backpedal on the Voynich item… seems you didn't get the memo that it's GAME OVER, and so we wouldn't want to be embroiled in t.h.a.t. Because Voynich

WaelMarch 5, 2016 2:33 PM

@Dirk Praet, @ianf, @tyr, @Clive Robinson,

claiming that there is reasonable suspicion to believe that the phone also holds the key to deciphering the Voynich manuscript.

Of course! We'll call it the amazing Italian (Giuseppe Bianchi), something analogous to the Amazing Turk! If only we could convince Giuseppe Bianchi to hide inside an iPhone :)

I propose the five use file an amicus brief in support of the SB DA,

We should write it in stegotext! I'm sure @Clive Robinson has a proposal or two

Likelihood of which is probably the same as of these two dumb-ass murderers somehow being able to handle a "dormant cyber pathogen"

A dormant infectious agent? How could they detect it if it was "dormant", and wouldn't inspecting other phones from that work place give some sort of "reasonable evidence" to support the so-called "dormant cyber pathogen"? I mean, dang it, at least create an application on the AppStore and call it "Dormant Enterprise iPathogen"!!!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.