Schneier on Security

Clive Robinson • February 28, 2016 9:48 AM

@ ianf,

How this by design fraudulent business practice alone hasn’t landed anyone from the AM management in jail…

Firstly I’m not sure if “ego stroking” in a subscription service is illegal. For instance being given free drinks at the bar from time to time as a regular visitor, is not illegal in several jurisdictions that I know of (not sure about US with both Federal and state legislation).

Secondly what about US Bankers how many have been individualy fined or jailed for FC1 or FC2?

Only Iceland appears to want to put their heads on spikes over the city gate as a warning to others.

Clive Robinson • February 28, 2016 4:32 PM

@ End of Inocence,

Auto updates… Are they really a good idea, or are they the “golden key” backdoors?

Auto updates, are a collection of methods to put new software onto a piece of hardware, as such each method is agnostic to it’s use.

Thus you have to look at the “controling mind” and currently I would say that due to other revenue streams, Government and Judicial incentives and other perversities the more obvious controling minds are far from trustworthy.

At the center of an auto-update system is the same loader that is used by all executable images stored within the file system. As such it should be the first line of defence when it comes to security issues.

There is no reason why the loader can not be augmented to make the entire system more secure. Not just against malware, bad apps and bugs, but against changes to other security related software. That is the loader can be designed to not load new code that bypasses or overwrites existing security code.

One way it could be done is when the security asspects are “factory installed” when “hidden variables” used for encryption are installed. The code can be associated with the hidden variable in such a way that it prevents later code updates unless the hidden variable is known. Whilst this is fairly straightforward to do, secondary mechanisms need to be in place to stop the loader being used for a DoS attack.

I’m on record of having a low opinion of “code signing” as people conflate what it actually does with the notion it somehow signifies some kind of “code quality” which it most certainly does not.

It is this “code signing” that you are thinking of as a “golden key”. Because the general use currently is most definatly overly permissive and there is absolutly no reason why it should be. Which brings us back to the “controling mind”, at some point in time the overly permissive option solved a lot of issues to do with “returns” and “customer support”. It was in effect “pandering to user wants” of the time, however users views are likely to be changing.

The question is will the likes of Apple and Google take the steps to make a software update to close this particular security loop hole…

Clive Robinson • March 1, 2016 6:12 AM

@ Nick P,

The reason is I’m not sure if the firmware/DMA/whatever of the wireless part can affect the main CPU.

The long answer short, is YES.

But… Whilst that is fairly obvious, the question should be “By how much and is it exploitable in some way?”. Which is a much harder question to answer and you would expect to vary on a case by case basis from “Not at all” to some suitable pithy measure of uselessness. Unfortunatly there appears to be little variance except in the choice of pithy expression. The reason is “progress” as guessed at by those who should know better..

Back when men were men and radio equipment came in it’s own battle ship or tank, any adjustment or modulation was achived mechanicaly with knobs, dials, keys and switches being the “user interface”. Thus when things went wrong you had a better than even chance you could actually see thr problem, and likewise fix it. Since then mechanics have been replaced by sequential logic and now fully programable software where neither logic or engineering gets a look in. It is a throw back to an “artisanal” world, where fixing issues is 10% “fault analysis” 90% “bolt a bit on” and the myth of “patterns” persists. Rather than the more informed scientific engineering aproach where analysis is often more than 90% and the fix as likely to be the surgical removal of bad, than the artisanal add on a “blind man’s toss”[1] till it stops being broken. Thus science and engineering achives the robust balance, stability and efficiency in systems, which the artisanal approach aspires to.

But worse yet, comes the modern evil of “mindless marketing droids” who insist against all reason that all things have to be “all things to all men” thus the dish washer should also vacuum, dust, cook the dinner and excercise the dog… But, as should be clear such systems are going to be prone to all sorts of unintended consequences do you realy want the dinner walked and the dog cooked due to artisanal errors?

The suspension of reason when things are “out of sight” to non engineering managment is a major underlying cause of many issues that become attack vectors, even when artisanal coders are themselves saying “there be dragons”…

This “all things” attitude has become very pervasive under terms such as “inbuilt flexability”, “future proofing” and “usage diversity”… So any and all aspects of the radio system become software available via as many IO mechanisms as possible. Which means more impenetrable setup options than any five hundred page datasheet can mention let alone detail. Thus the not unexpected resulting dogs breakfast is going to give us “dog dinners” rather more than we would like. Whilst “rover turnovers” are not very palatable, it’s what you can not see that can be considerably more harmfull to your well being.

Software reliability is as we know difficult at the best of times, but that is but a tiny fraction of what is required for security thus privacy. Whilst you might see evidence of a tangible physical intrusion (black bag job) you can not see the intangible information equivalent. That is in many cases the fundemental rule of forensics Locard’s Exchange Principle[2] does not hold, for the obvious impermanence of intangibility and non locality. Thus the requirment to “instrument” such that the intangible information movement is made tangible, thus more perminant.

But how do you instrument that which can be neither seen nor approached such as the heart of a SoC device, it is effectivly not possible within the usual constraints. The engineering approach is to “take a step back from the problem” and define it as a “black box” the inputs and outputs of which you can instrument.

The security view point is the same as the next logical engineering step, which is “If you can measure you can control.”. Most frequently this is via a feedback or feedforward mechanism, but sometimes with the energy equivalent of an axe. The hardest part of the process security wise is identifying all the input and output channels whilst also remembering that despite appearances to the contrary ALL channels are “four way”. That is not only is each end of the channel bidirectional, the channel it’s self both emits and is susceptible to information in the channels surrounding environment.

Thus information security is about eliminating or limiting unintentional information paths, AND preventing or limiting intentional paths having secondary unintentional paths which unfortunately is a “lesser flea” problem.

For instance the “cut wire data diode” used frequently for connecting logging equipment to both the transmit and receive channels of a network segment effects the transmission quality of the network segment in various ways. Thus what appears to be “invisable” can be seen by others if they know how to look and can get in a position whereby they can see. One way of “seeing” a cut wire data diode is with “Time Domain Refection” measurments. It is known amongst communications engineers that if you put a pulse or rapidly rising edge onto a transmission line, any imperfection in the line will cause energy to be reflected back towards the generator. This can be seen by a “stepped response” in the voltage level on the transmission line. What is less realised is that this step in voltage level effects all circuitry connected to the line. In the simplest case the step change can cause buffers input voltage comparators to misread the line level creating “jitter” or pulse edge changes/noise at the buffer output, hence onwards to other parts of the system. Which an attacker could detect. In more complicated cases it can cause the signal spectrum to change which can via various mechanisms cross modulate to other channels.

Thus whilst the “energy” of a compramising signal might start in one domain and channel, any form of transducer can change it to another domain or channel, each change sending the signal outwards untill it is eventually reduced to thermal noise.

Thus the main method of security is to absorb unintentional signals whilst reducing their information carrying potential by cutting signals off from transducers and other information paths and controling the bandwidth and timings of intentional channels.

The “cutting signals off” is usually done by a mixture of “screening” and absorbing materials, whilst the intentional signals are “conditioned” by limiting, reclocking or regeneration with the bandwidth controled by various forms of filtering, as well as detecting faults and errors by failing “long and hard”. Cross coupling and cross modulation is also reduced by segregation of various types including both distance and orientation of parts of a system.

However such preventative measures deal mainly with the tangible physical asspects and a limited few of the temporal aspects of intangible information that has been impressed onto tangible physical media for transmission.

The area “software” deals with is the transformation or processing of information by manipulation of the physical media it has been impressed upon. This opens up a new domain in which sensitive or secret information, the protecting of –our privacy and freedom relies– comes into play.

Software security especially that relating to information leakage is an area which traditionally has not been well researched academically, though that is changing. The consiquence of this however is that most of our existing software has not been crafted let alone engineered for security. As history shows, there will be software written that will still be in critical use long after the security methods at the time of it’s creation have long since been rendered obsolete if not broken. For example “single DES” is still in use in financial systems, whilst even less secure methods are still very much in place in infrastructure logistics and control systems for energy, water, telecommunications and transportation. Likewise in other critical areas such as food production, manufacturing, medicine and societal record keeping (OPM et al).

In part this sorry state of affairs is down to the way the creation of software is taught and practiced. The theory side is frequently ignored or suppressed by the students creative side during education and when in industry the grind of “sausage machine” production further suppresses any theory thus real engineering which is a very basic and important part of “software security”. You only have to look at the many and varied development methodologies in use to see they are at best artisanal patterns not engineering practice. Hence bug riddled code goes out as a product, with only those bugs that cause most user noise getting fixed via patches. Each new release adding a whole raft of new bugs to create further complexities. The results so far have been monumental monolithic software that it is doubtfull any single individual understands. Attendent with this is “code reuse” and “backwards compatability” any bug in reuse code will probably not get fixed for backwards compatability issues, which means that corrective code gets bolted on at higher levels, which in turn creates it’s own bugs and reuse/compatability issues (gclib / SSH / TSL amongst a myriad others).

Thus software development needs to change, it needs to become an engineering not artisanal domain. As part of this the lower levels of the computing stack also need to be sorted out. SoCs should have acurate comprehensive data sheets that can be understood by ordinary mortals in sensible timescales. Likewise parts within a SoC should have little or no interaction with each other except in well understood and sensible ways. We realy don’t need to “shoehorn” a myriad of parts into an SoC on the “all things” principle, especially when the result is complex or obscure interaction (a point @Figureitout will no doubt have a few more war / horror stories to illustrate).

Thus from a security asspect “all things” SoCs are unnecessary complexity, causing not a reduction in effort but an almost exponential increase in effort. Due to the segregation, screening and channel identification and mitigation work involved.

Unfortunately as @ Markus and others are realising sourcing non “all things” parts is becoming steadily more difficult. Thus there is no choice, those designing security products they themselves can trust means “stepping up to the plate” and being “an engineer” in many apparently disparate domains.

Which brings us back to the point “Nobody said security is easy”.

[1] A “blind man’s toss” is an old expression going back to times when a popular game was to throw horseshoes at a stake in the village green. As a probablistic measure it makes the “drunkards walk” look more straight and true than the “flight of times arrow”.

[2] https://en.m.wikipedia.org/wiki/Locard's_exchange_principle

Clive Robinson • March 4, 2016 10:14 AM

UN weighs,in against FBI

http://techcrunch.com/2016/03/04/fbi-forcing-apple-to-weaken-ios-security-could-endanger-lives-warns-un-commissioner-for-human-rights/

Basicaly the human rights commissioner says it’s a bad idea potentially effecting the Human Rights of millions world wide adversely. Not as the FBI portray it as “Just One Terrorist Phone”.