Friday Squid Blogging: 3D-Printed Underwater Autonomous "Squid"

Pretty neat.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 11, 2016 at 4:02 PM • 178 Comments

Comments

Ignacio CristernaNovember 11, 2016 4:36 PM

Good day.

With all due respect but I beg to differ: People are not illegal. They might or might not have the required papers to live in a certain country but they are not "illegal".

Thank you.

EricNovember 11, 2016 4:43 PM


So I first read the title as "3D-printed Underwear", and my thought was that this is going too far.

eindgebruikerNovember 11, 2016 4:46 PM

The Dutch Consumers’ Association is suing Samsung - the market leader for Android smartphones in the Netherlands - due to its defective software update policy for Android smartphones.

They request Samsung to provide security updates for at least two years after purchase, or four years after the phone has been placed on the market. They also request Samsung to provide sufficient information about software updates, so consumers can use this when choosing a new smartphone.

Dutch, English (PDF)

(Next: IoT manufacturers?)

TõnisNovember 11, 2016 6:46 PM

@Ignacio Cristerna,

It's not about having papers. If they entered the country unlawfully, they are "illegal" i.e. law breakers who deserve to be punished, then deported. If they entered the country legally yet overstayed, they are law breakers who deserve to be punished, then deported.

Recent Data-Mining SolutionsNovember 11, 2016 6:53 PM

High-tech corporations continue develop new methods to arm-twist and deceive to data-mine customers.
Recently the FCC ruled that ISP’s cannot eavesdrop and sell customer data. An analyst stated this ruling would change very little. His statement didn’t make any sense until I was suddenly locked out of administering the houshold Linksys wireless router (chained behind the AT&T/ISP router).

The router had been converted to a Linksys 'smart' device with forced firmware update. I would not allow me to sign-in to administer my home network without agreeing to allow Linksys/Belkin spy on my entire home network and web surfing.

The second case is Nvidia pushing customers to create an Nvidia account to use GeForce Experience. Not be too stupid, I only installed the drivers as I never agree to anything unless it benefits me.
Now however, Nvidia has sneaked added telemetry into its drivers. LOL!

The lessons here is sooner or later virtually all propriety software will spy on owners.

The solutions in both cases were already anticipated as the router is DD-WRT open source compatible. The Linksys software would only let me log-on ONE time after performing a router hard-reset. Even here I FORCED to agree to the term-of-service. However the router was NOT connected to the Internet and I had nothing to lose flashing in DD-WRT firmware.

The router DD-WRT OS is fantastic – one of the smartest choice I’ve ever made. My entire household now connects to the Internet ONLY through a secure VPN (no more VPN client software on each computer).
Further the unsecured wireless devices are isolated from each other and from the home network. I now have the piratically-perfect (Ms Poppins) security setup with sufficient encryption and isolation. Thank you Linksys!

Second recent proprietary Nvidia drivers are unsafe to install even with Linux. Thats fine for two reasons: first Linux is blessed with open source Nouveau drivers. Ubuntu warns of Nvidia driver risk.
Second the only reason I used Nvidia was because of 4K@60Hz capability. With Kaby Lake processors set to be released shortly the latest sneaky-snoop Nvidia can be discarded. I can save $400 from buying another video card. Thank you Nvidia!
http://www.majorgeeks.com/news/story/nvidia_adds_telemetry_to_latest_drivers_heres_how_to_disable_it.html

My next AIO printer will use open source software:
http://hplipopensource.com/hplip-web/index.html

ThothNovember 11, 2016 7:18 PM

@Recent Data-Mining Solutions

"The lessons here is sooner or later virtually all propriety software will spy on owners."

It is not a sooner or later thing. It is something that has already taken place and also the seed that spurred the FOSS and Richard Stallman movement. All proprietary software and hardware should be considered dangerous and backdoored which will inevitably spy and betray it's "owners".

JacobNovember 11, 2016 8:18 PM

Troubelsome prospects ahead.

from The Guardian:
----------------------------
Trump on the campaign trail: “I wish I had that power,” he said while talking about the hack of DNC emails. “Man, that would be power.”
.
.
John Napier Tye, a former state department official who became a reluctant whistleblower in 2014, warning of NSA dragnets, said: “Obama and Bush could have set the best possible privacy protections in place, but the trouble is, it’s all set by executive order, not statute.

“So Trump could revise the executive order as he pleases. And since it’s all done in secret, unless you have someone willing to break the law to tell you that it happened, it’s not clear the public will ever learn it did. Consider that even now, the American people still do not know how much data on US persons the NSA actually collects.”
------------------------

https://www.theguardian.com/world/2016/nov/11/trump-surveillance-network-nsa-privacy

ab praeceptisNovember 11, 2016 8:44 PM

Recent Data-Mining Solutions

"Nvidia ... sneaked ... telemetry into its drivers. ...!
The lessons here is ..."

I disagree. The lesson to learn is to *not buy anything from nvidia* and to avoid their products like the pestilence.

Security is way more multifacetted than "use open source and be secure". Quite many OpenSSL users confirm that.

hp, for instance, has supported and offered open source drivers for many years. Does that mean that hp products are secure or even just that hp is a friendly company respecting their customers? A single attempt to call their support may provide some more insight into that ...

Security can be in open as well as in closed source. Much of the diplomacy world, for instance, relies on closed source security and so does the vast majority of military.

Like security, the decision process whether someone or something is trustworthy (with a sufficiently high probability) is a complex and multifacetted one.

One last point I'd like to suggest for consideration: Unlike billion $ corps, many smaller companies just can't afford to give away the result of their work for free. What *can* (not "do" but "can") you get for your couple dozen $? For a start, a company, unlike most foss projects, *can* enforce good standards; they *can* enforce and they can afford good standards, reasonable research, proper engineering, good tools, etc.

I know it. I worked for some of them. They didn't just cobble together code, having whomsoever across the world working on it, being qualified or not, etc. They trained their developers, they had high standards of docu, of testing, of source text. I remember a case where one needn't even try to push code for which no proper formal spec existed or with a single compiler warning.

There world is more complex than "foss == good and secure". Plus, one should cut away the hype before deciding. Hype (like "foss rulez!!!") is an indicator of lack of quality more often than not.

MrCNovember 11, 2016 8:49 PM

@ Tõnis:

If they applied for DACA status, by definition, they were young children at the time they entered the country -- too young to have any say in the matter, much less form criminal intent in a legal sense. At worst, they were basically luggage for someone else's illegal border crossing.

DroneNovember 11, 2016 9:40 PM

@Ignacio Cristerna,

What is wrong with you? If a foreign citizen is in a country illegally, he or she is correctly termed an "Illegal Alien".

I have lived in at least a dozen countries all over the world during my lifetime (I am currently a guest lawfully in Indonesia). In every single country where I have lived the immigration laws were strictly enforced and flaunting those laws would buy you some very serious trouble indeed!

Only the U.S. seems to have a Progressive-Socialist/Marxist subculture which embraces uncontrolled illegal immigration, purely for political gain in the quest for a super-majority voting bloc, which inevitably leads to single-party rule. And unless you are poorly educated and/or you choose to ignore history, you must know that single-party rule always turns out badly for almost everyone, except the ruling Elite.

ab praeceptisNovember 12, 2016 1:12 AM

Drone

Whatever reputation and credibility brian krebs may have had is no shattered.

Reading the first pragraph of his grossly biased hit piece is sufficient to know what's going on.

I quote: "Less than six hours after Donald Trump became the presumptive president-elect ..."

"presumptive", I see.

More, quoting again: "...a Russian hacker gang perhaps best known for breaking
into computer networks at the Democratic National Committee...
"

Is that so? Is that gang "known to ..."?

What krebs - very clumsily and crudely - tries is to turn thing upside down. Orwellian "war is peace" speak.

Mr. Trump who *is* the president-elect, is painted as somehow still unclear, as "presumptive".
On the other side nothing but angered bla bla accusations by the dnc is painted as fast by krebs.

One may or may not like Trump or clinton - but one should respect the outcome of peoples will as expressed in an election process whose outcome, btw. has been accepted both by the incumbent democrat president and by Trumps democrat opponent.

I personally never held Mr. krebs in high esteem as a "security researcher" as, for my taste, there was too much tabloid detective type style "research" with too little actual technical research and data. But hey, no problem, others may have liked that or may have considered that relevant.

This, however, is worse than trash. It's poisoned heinous turning gossip into pseudo truth and clear facts into assumptions.

From what I see, krebs has now managed to descend from very vaguely security related gossip spreader to a pariah, an untouchable, for anyone with any adademic integrity.

ab praeceptisNovember 12, 2016 2:18 AM

Ratio

I know about that trick to explain that he is not the president-elect as long as he is not elected by the EC.
But first, that's hairsplitting, and second that's at least partially wrong. He has been elected (via EC ratio) and is hence the president-elect. clinton submitted, obama accepted the result, period, case closed.
After being formally elected by the EC he won't be the president-elect but rather the "incoming president".

More importantly - particularly for this technical blog - however is how conveniently you ignore the other, more technical issue.

We all know that attribution is a very hard to solve problem. And it's certainly not even a proper attempt, let alone evidence, when some political group in their own interest makes accusation noise.

Fact is that krebs simply pulled something out of his a**. We *do not know* whether it was a russian hacker group or whoever else.

Just one exemplary detail: there was a "yandex.com" email account involved. And that is construed as being "strong evidence" by some.

Bullshit!

yandex.com is in english. A Russian wouldn't go there; he'd go to yandex.ru. In case he wanted to create a "non russian" impression, he'd simply use yahoo, google, whatever.

yandex.com is, in fact if anything, rather pointing at non-russian hackers who wanted to make it look russian (in western eyes). And that pattern repeats, e.g. with having "fancybear" in there. So either we are talking about very, very stupid and incompetent Russians, who however, suddenly turn into very smart and competent - and successful - hackers, or we're talking about maybe hackers who rather clumsily painted it "russian".

Whatever. We do *not* know. Maybe it was Russians, may us-americans, maybe nigerians, maybe the cia, maybe even some democrats. We simply don't know.

And asserting accusations based on not knowing is called libel and a criminal action.

Clive RobinsonNovember 12, 2016 4:58 AM

@ Drone,

The only thing in the Brian Krebs article that struck me as "more interesting" is,

The Dukes have a well-earned reputation for coding and constantly improving their own custom backdoor trojans, but that they’re not known for using so-called “zero day” threats

It is the behaviour of a professional organisation rather than an amateur one. That is it is indicative of an organisation taking a pragmatic approach and putting their resources into the areas not just where it counts, but can not be as easily traced back or easily broken as a zero day attack can.

@ ab praeceptis,

With regards the "presumptive president elect" it was used as a time marker about a time specific period. Thus it's not a trick / hair spliting etc. Donald Trump was a presidential candidate as was Hillary, and became the "presumptive president elect" when Hillary Clinton in effect conceded the election to him. A while later he became "president elect" when all the Electoral Collage results came in and will if normal patterns follow at some point in the future become president, then expresident.

The point is each change marks a point in time just as being born, becoming a tenager, reaching the age of majority and eventually dying does for most people. As such each point in time is an epoch by which other times can be measured or recorded in just the same way as firing the gun at the start of a race does to the finishing times.

SpellucciNovember 12, 2016 5:32 AM

My favorite tweet of the week: "The S in the IoT stands for Security." - Oleg Šelajev

TõnisNovember 12, 2016 6:12 AM

@MrC, Out of 11 million illegal aliens in the US, 1.7 million might be eligible for DACA. First and foremost I blame the US fedgov for allowing the illegal aliens to come here. The fedgov has the technical and logistical ability to successfully invade countries ten thousand miles away yet it can't stop people from crossing the border into the US? No, it has been the policy of the fedgov to import an illegal alien slave class. Furthermore, it's an implementation of the dielectic. @Ignacio Cristerna mentioned papers. As a natural born American I don't need "papers" to be here or to live here. I'm here lawfully. Tyrants whose goal is to start checking peoples' papers create a problem (the illegal aliens), present a solution ("papers," driver's licenses for illegal aliens," national ID, etc.), and implement their goal: "Your papers please!" After all, it has to be ascertained that you're not one of these illegal aliens!

Clive RobinsonNovember 12, 2016 6:14 AM

VMWare workstation 12.5.1 gets hacked in seconds

In what is A "world's first",

    Another Qihoo hacker team and Lee both compromised VMware Workstation 12.5.1 in the world's first attacks against the platform, bagging $150,000 for the exploits.

http://www.theregister.co.uk/2016/11/10/hackers_remotely_pwn_win_10_microsoft_edge_gain_system_code_exec/

It will be interesting to see how long it will take VMWare to fix it.

However it may be a wake up call for some that even touted "security solutions" may not be secure, thus you still need to mitigate at multiple levels.

Clive RobinsonNovember 12, 2016 6:38 AM

Think Hinky Quiz of the Week

This article,

https://medium.freecodecamp.com/tor-signal-and-beyond-a-law-abiding-citizens-guide-to-privacy-1a593f2104c3#.ng2gfv9yj

provides security advice for the masses.

Now read through it and see what makes the short hairs on the back of your neck stir. Then see if you can find attacks etc where it fails.

The article explains why finger prints are nolonger any good,but there are others...

For instance "two factor by SMS" has been easily defeated, find out how and think of the implications of that.

MatthewNovember 12, 2016 9:16 AM

@Clive Robinson

The URL says it is a guide for the law abiding citizens, not for the security minded, prevent spying from government type of people. For law abiding citizens, they expect the police to knock on your door giving you time to switch off your iphone instead of the SWAT team's usual practice of smashing in.

I believe hacking the telco to intercept you 2-factor sms still requires more expertise than the usual script kiddies and crooks have. It is also a more targeted attack as the hacker reuqires not the just your username and password but also your phone number and which service provider you subscribe to.
I wonder why the major services like google do not switch to sending the 2-factor via whatsup or signal?

The advice on tor is questionable as its traffic is easily identified and mark you as a possible law breaking citizen by the authorities

MatthewNovember 12, 2016 9:22 AM

Regarding the Krebs article, it is interesting that the cozy bear's malware will shutdown if it detects the username as admin. I guess this will be my new username for my linux box and possibly for the new window machine I buy.

DanielNovember 12, 2016 10:41 AM

My favorite tweet of the week: "The S in the IoT stands for Security." - Oleg Šelajev

Ah, well-said.

MankadanNovember 12, 2016 11:20 AM

Clive Robinson,

"$x for law-abiding $y" on the tin seems to work quite well as a rubbish detector. As it has been before with any article about CompSec. I remember such articles in magazines about computing, Net and other things related. Same applied (and probably still applies) for articles about mending the OS (Windows mostly). Extra fun when the next issue would offer advice that goes contrary to advice given in the previous one.

ad astra per asperaNovember 12, 2016 1:51 PM

@Tõnis

You wrote:

It's not about having papers. If they entered the country unlawfully, they are "illegal" i.e. law breakers who deserve to be punished, then deported. If they entered the country legally yet overstayed, they are law breakers who deserve to be punished, then deported.

May I suggest that when an argument prominently features the fraught notion of who "deserves" things, then it is a weak argument, and unlikely to persuade any but those already persuaded.

You then follow up, to MrC, with an interesting observation:

First and foremost I blame the US fedgov for allowing the illegal aliens to come here. The fedgov has the technical and logistical ability to successfully invade countries ten thousand miles away yet it can't stop people from crossing the border into the US? No, it has been the policy of the fedgov to import an illegal alien slave class.

Indeed. Quite so.

The bosses, for whom the US government works (according to their refurbished motto "if it's good for FIRE sector, then it's good for the USA"), love illegal immigration. They love most of all that it is illegal; it enables their accelerating immiseration of the working class (those with and without citizenship alike).

Yet you yourself play straight into their hands when you righteously insist on terming these maximally exploited workers, who constitute the front line of the labor struggle, "illegal", and pretend to know, better than they themselves do, what they "deserve".

Banksters depend, every day, on these naïve nativist sentiments of entitlement to enable their continuing charade. You might not love them, but Boy do they love you.

As a natural born American I don't need "papers" to be here or to live here.

In many states (yours too, perhaps?) you certainly do need "papers" to cast a ballot. It's a done deal, and been done for some time now.

anonyNovember 12, 2016 2:47 PM

two factor authorization is a way to cross link ownership, from fone, to email, to site logins.

bug, not a feature

TheGuildsmanNovember 12, 2016 3:07 PM

This was posted yesterday in the "Automatically Identifying Government Secrets" comments and may have slipped under the radar.

To my untrained eye it looks like a very interesting solution for password entry and I can see a lot of applications for it. Banking pin numbers, for example.

I would appreciate it if some of the experts could have a look and comment please. I have been looking for something like this for an app I am working on.

-------------------------------------------
Frank • November 11, 2016 2:48 PM

A utility patent has just been granted for a breakthrough digital security innovation : Graphic Access Tabular Entry [ GATE ], an interception-proof authentication and encryption system and method, for detailed information, go to : nmjava.com/gate

http://nmjava.com/gate

There is a also a cool 5 minute youtube video demonstration.

https://www.youtube.com/watch?v=5tAGemIvUeI&feature=youtu.be

rNovember 12, 2016 3:15 PM

@anony,

There's other things in there aside from the second factor like biometrics that with recent advents either paint that article as naive or subversive imo.

It's helpful data, but sometimes people don't wash their hands after doing something dirty.

Is that something you're willing to risk? Being identified by some bug that passed over in his well willed handshake?

He's saying, that if you don't wish to run afoul of the law - leave a window open or a key under the mat.

Personally, with the questions of who's side the FBI was on for the election (if you'll look closely there were accusations of alignment prior to the major event) I'm actually curious if this guy's real name isn't Leo.

LisaNovember 12, 2016 3:16 PM

Currently I am working in the USA as a legal immigrant in a high skilled job, with a valid H1B, and making more than $250k / year. But as a refugee from my birth country, I cannot apply for a Green Card, and in a year or so, I will exhaust my 6 year H1B limit and will be forced to leave the USA.

So I have no sympathy for illegal immigrants, especially since legal ones like me who never had any trouble with the law, have been fully employed, always paid their taxes at about the maximum tax rate, and have followed all of the rules asked of me, are being kicked out of the country. I do not understand the political culture which provides benefits and support to illegal immigrants, while legal immigrants are treated like dirt.

In my profession, there is a huge shortage of qualified skilled people capable of modern chip design, so I am not taking anyone's job away. My company and others have had many open positions, which for many years they cannot fill.

Fortunately I work for a large multinational company, and my managers have offered to relocate me to an office of my choice in one of our Asia or Europe locations. Plus with the current political environment in the USA, it is making it easier for me to leave.

No matter where I end up, at least I know it will be in another country that does not treat its legal immigrants with such contempt as the USA does.

Can We Trade Places?November 12, 2016 4:04 PM

Lisa,
Every country has immigration laws. You've enjoyed six years as the USA's guest.
Why are you so angry? Did the laws change?
Why are you, as a millionaire, screaming victim?
250K x 6 = $1,500,000

There are 16 countries which have a higher standard of living than the USA. So think of this as an opportunity to improve your life, but ONLY if you research immigration laws. Such an opportunity!

Family relations:
Zuckerberg's immigration reform group targets Trump policies
https://www.cnet.com/news/zuckerbergs-immigration-reform-group-takes-on-trump/

Note: this blog is about security not immigration policies. Thank you!

albertNovember 12, 2016 4:13 PM

@Recent Data-Mining Solutions,

What model of ATT modem/router are you using? The newest Pace 5268AC doesn't have a bridge mode.

. .. . .. --- ....

Clive RobinsonNovember 12, 2016 4:17 PM

@ TheGuildsman / Frank,

I would appreciate it if some of the experts could have a look and comment please.

The actual idea is neither new or original, such techniques have been used for something over three hundred years with hand ciphers (see the use of nulls, homophones, grills and similar for similar and related ideas).

It is only the application to passwords that might be considered new... but even that is not a thoroughly new idea. Around the early part of the 1990's when graphics capable terminals were becoming common, someone had the idea of using photos instead of letters or numbers for an authentication system. They pictures would be presented randomly in a three by three grid, the user would enter the coresponding digit on the numeric (telephone) number pad. It was quickly realised that using photos of "people you knew" was not realy a good idea for a whole host of reasons, so photos of objects were tried which quickly evolved into photos of multiple objects, where the user would select the photo with the right object.

Needless to say that when presented academicaly it was greated with warm words, but failed to be implemented. The reasons given were various but boiled down to NIH syndrome along with the old chestnut of "users will not get..." or "accepted custom and practice" etc, etc, etc.

There were however other techical issues to do with the security of the storage thus the ability to hack the server was a significant issue, the same as it is with the storage of plain text passwords. With multiple symbols/objects you either have to store plain text or have multiple hashes running so four objects per entry starts with four hash candidates for the first entry that becomes sixteen with the second sixty four with the third and so on. So with eight entries you have 65356 hashes to check to find the right one to see if the user has entered the correct sequence, which obviously has other implications.

Clive RobinsonNovember 12, 2016 5:06 PM

@ Lisa,

Currently I am working in the USA as a legal immigrant in a high skilled job...

Your problem stems from the difference between political rhetoric and social need and it's very much the wrong way around. We also see it in many western nations and it's a subject of conversation that is quite contentious. Mainly because of a very real underlying "time bomb" problem that people are living to long and don't have very many children, or have them later in life which has increased disability probability, and spend to much of their early economicaly productive time, unproductively in education or unemployment, thus not building up a pension etc.

Put simply the west has way to few children to support the economy and an aging non working population. Neither immigration or longer working lives are going to solve the problem on their own and it will be touch and go even if we use both heavily now. If we thought the two banking crises of the begining of this century were bad what is going to happen in the next twenty to thirty years are going to make them seem like mear walks on a rainy day compared to the full grown hurricane that will happen economicaly.

Japan is already begining to see the problems as is China (due in it's case to it's "one child policy").

What the west needs is economicaly active immigrants to pay into our rapidly declining social and pension funds, just to tred water on the fund levels that are not currently growing due to a stagnating economy and to many hands dipping into the pot to early and for to long, litterly eating into the reserves.

What the west does not want or need is those with a sense of entitlement but who for whatever are not economicaly active. It is from this sort of area we get the "disaffected youth" that cause many of our social problems both from nationals and immigrants and as we come up to a year after the Bataclan attacks in Paris by disafected individuals from Belgium etc the authorities appear to have no more of a grip on the roots of the problems than it did a year ago.

Contraty to what many may say immigration realy is a significant security issue and it needs to be discussed honestly, because the present economic system is clearly failing and on the past that has almost always lead to significant conflict...

ThothNovember 12, 2016 5:39 PM

@Clive Robinson
I think the issue is more of a problem for developed nation that are facing aging problems with lesser fertility. This problem of having phobia to foreigners are rampant in Singapore as well. The current political topic here is the same as the West with local phobia of foreigners and calls for government bodies to limit or reject foreigner workers.

ThothNovember 12, 2016 5:57 PM

@TheGuildsman / Frank

What happens if all my passcode characters are the same ? Will it get confused due to all my passcode characters being the same.

Router Chaining Conflict ResolvedNovember 12, 2016 6:08 PM

DD-WRT
Setup-→Basic-Setup→Network Address Server Settings (DHCP)→Start IP Address=
192.168.6.100

The default 192.168.1.1 conflicts with AT&T modem.

BTW the AT&T router MUST be isolated from every device on the home network through the DD-WRT encryption. AT&T keeps ALL customer data even from back in the 1980s. Their customer data is for sale to thousands of law enforcement and federal agencies agencies without any customer knowledge or judicial oversight.
If Trump REALLY cared about average citizens he would...

Government In Action
China is only now catching-up to the USA mass surveillance with passage of its new cyber-security law. Thanks to Edward Snowden it includes certification of all proprietary software and hardware.

Clive RobinsonNovember 12, 2016 6:11 PM

@ Thoth,

This problem of having phobia to foreigners are rampant in Singapore as well.

All of recorded human history and archeological and primate studies strongly suggest that what might be called "tribalism" exists and with it comes a "herd mentality".

Interestingly, the development of language and later of secrecy appears deeply rooted in "tribalism" and can still be seen/ heard in "Criminal Cants" or slangs like "Cockny Rhyming Slang".

Secrecy can be seen as part of "mating privileges" in that being the person who has hidden food or other resources that can be produced without revealing the sourcr makes them more desirable as a mate for the next generation. Thus in a hunter gatherer society, those that know the ways of prey and where fruit/berries can be found or later know how to preserve and store food resources hidden from others had much greater survival ability.

For instance I would realy like to know which came first with taking large haunches of meat from a fresh kill, weighting with stones and submerging them in lakes. The need of secrecy or the need of preservation. Likewise the idea of what are these days called "potato clamps" but predate potatoes in Europe by many millennia. Basically they are deep holes in the ground lined with dry straw into which root vegtables that have "died back vegitation and have been lifted but left in some soil to dry" are placed in layers with more dry straw between then are then covered over to keep out the damp will still be both viable as plants or for eating upto a couple or so years. Again the idea of dry chalk pits for the storage of grains which also keep out various vermin. They all have major "hiding" or "secrecy" elements as well as those of preserving.

Similarly are the ideas behind charcuterie and smoking with storage in cool slightly damp caves etc where certain moulds grow well and thus form protective layers not just on meat but cheeses as well.

rNovember 12, 2016 6:12 PM

@Lisa,

Your mastery of English is incomplete, while you may have been a refugee on paper and likely remain technically so for the next year let me point out that if you're pulling 250k a year you're hardly a refugee - unless you're a refugee from socialists politely speaking ofc.

It sounds like you could fill out actual immigration stuff at this point and probably earlier points too, there's a guy in my town. 20? From Syria, all his friends are dead and he devotes 80 hours a week to his minimum wage job. He's seeking refuge imb, 250k a year? I'm lucky if I clear 10 personally, you should seek permanence unless you're playing the papers game.

rNovember 12, 2016 6:29 PM

@Lisa,

My apologies, I didn't read your full post.

Yeah that's nuts you've been here for 6 years and full membership isn't available. That could be related to your country not wanting to let you go, or the problem we had with visa jumpers from the eastern bloc way back.

Kind've a sticky area...

Anyways,

"I do not understand the political culture which provides benefits and support to illegal immigrants, while legal immigrants are treated like dirt."

Then you don't understand what just happened, some of the white work force feels mistreated and forgotten just like you that's why [[they]] voted the way they did. I understand your fear and sympathize. Good luck wherever life takes you.

rNovember 12, 2016 6:53 PM

@Clive,

That cold/cooler storage technique lived until the bronze age with partially submerged (earth) store houses in Eurasia. I'm pretty sure what you reference from what I've read was practiced at least as far back as the last ice age.

Dogs, are what interest me from that part of our timeline.

@Wael,

God is a master story teller/illustrator isn't he?

Big, Black NemesisNovember 12, 2016 7:01 PM

IoT has the same manner of problem as what we have long been seeing with proprietary hardware solutions, especially "embedded" ones ( a term which effectively is equivalent to "IoT", but now antiquated in favor of IoT except for some very specific areas ).

So you have routers, black box security appliances of a wide variety of types (ids, ips, encryption systems, network visibility and control systems, dlp, anti-spam, dynamic scanning systems, vulnerability management systems, anti-zero day systems), you have telephones and printers, and you have countless industry specific systems... down to even, effectively, old and new gaming systems, smartphones/handsets, tablets... televisions... and the ever increasing enormous range of new and old products.

Accessibility and ease of programming has made these systems also more accessible for hackers, of course, though countless systems are still as "black box" setups, they tend to often rely on primary protocols, such as basic wifi and bluetooth for communications, and basic authentication and administration systems.

Still, these products do tend to be far more difficult to hack then web applications, of course. You have to have linux skills, and the ability to develop applications in linux. And you have to have skills to develop your own custom black and white box systems to find vulnerabilities. It certainly helps to be able to have access to commercial grade code review systems, though increasingly, these systems are not tool based but operated in the cloud and what applications are therefore analyzed by them are closely controlled by the vendor.

To really get anywhere with finding iot and other embedded system vulnerabilities you need to have a relatively expensive SDR "scanner" (usually). Scanner in quotes because this is a word usually only used by old school gangsters.

Very decent ones do now run from just 300-1000 dollars, which is good, and they have a huge range of libraries available, especially via the GNU Radio Toolkit. So, most protocols you will want to attack, there will already be open source software, out there, available for it which you can work from to create your reconnaisance and attack tools.

Still, this level of expertise is mostly only available for professional hackers. (Security researchers, application security folks, vulnerability analysts, and so on.)

And, they tend to make pretty decent money, though many go through training and work at "government vulnerability farms" where they are not paid anywhere near as well as they can produce... and the black market is flourishing. These agencies also compete against each other, so the FBI gets em from one place, the CIA has other places, the NSA others, and so on, and so on.

Once you have the skills to do this, which takes quite some time for already folks who can just about do anything if they apply themselves to it... it will usually take another few months, to a year, to even find critical, extremely difficult to find, remote vulnerabilities that have 100% guarantee of exploitation.

Good news is, that using such vulnerabilities by one's own self is extremely risky, and the risk tends to be well understood by these sorts.

Government teams utilize farms, or specialized groups, to find vulnerabilities. Some other group plans hacks. Some other group performs reconnaisance. Another implements hacks. A whole different group creates specialized malware, and so on, down the line.

When I say "government", I mean, everyone does this.

China does it this way. US does it this way. Russia does it this way. Israel does it this way. Iran does it this way. France, Japan, do it this way. And so on. (Though, these are some of the main players with the highest level of professionalism.)

Believe it or not, all these sorts of folks are extremely smart and talented sorts. Very elite. So, they tend to be patriotic for their respective nations. Noble? They work for them, their identity is defined by the job. It is what happens when you get shit done and have that degree of sophistication and expertise.

Which means... you have nations fighting against nations as threat number one.

Threat number two? Is the fact that any exposed vulnerability gets, as it has been for decades now, put into the pool of tools and attacks for script kiddies to abuse.

These are the two major true problems.

Third problem is also major. The update problem. Over regulation can really be difficult to implement for many reasons. Many nations involved. The ease of creating these products enables competition, which enables higher quality products, and so on. Regulations, and enforcement are two very different things. Updates must be made, but if the vulnerabilities are not known...


And that is an issue, as nations increasingly rely on hacking: what happens when you are hacked by another nation?

Counterintelligence is called in.

What does counterintelligence do, as opposed to how law enforcement works?

CI wants to listen and keep quiet, to play dumb and stupid, and above all, if ever, besides figuring out what the other people want -- they want to be able to turn the hacks against the hackers.

(Which, btw, I might point out, one security topic I rarely see spoken much about is the fact that with windows systems, when they are compromised, an investigating administrator can their self be compromised merely by investigating it. Similar principles work with linux/unix/mac and other systems. Because coming onto any system "rooted/system" means invisibility and the possibility to compromise any new root/admin/high priv credentials of any new visitor.)


One "get through the bullshit" move is to enable suing vendors. Which is on the plate in some forms, in some areas.

But, this has significant downsides.


Best solution is for security providers to create niche security products addressing these concerns. Many of the issues are trivial, for instance, bad security with wifi router problem? There are only so many attacks. This has been there for years. IDS/IPS solutions very often fail at detection and certainly stopping these attacks. A lot of these wifi attacks are extremely loud. Yet, go on invisibily. They have key, small number of chokepoints which could be shut down, but where are vendors providing these solutions at affordable rates for everyday consumers? Home owners. Phone users. Small to medium businesses? And hell, not like there are so often affordable solutions offered to big businesses, though even big ones can not afford to buy everything.


For folks concerned with very high "op sec" (a term I put in quotes, because many most concerned about this never use such terms)... different strategies.


Shriekback, Nemesis

https://www.youtube.com/watch?v=6bMM61Y5CEU


TradtionalNovember 12, 2016 7:13 PM

Economic security is a form of security and it we think about economic security from a technological security point of view we begin to see the wisdom of some old-fashioned strategies. Marrying for love is a medieval invention, for most of human history people married for protection, survival, procreation. I find it difficult to believe that if Lisa is making 250/k a year that she cannot find some man to marry and cohabitate with for the required time period. Given the well-documented problems of homelessness in Silicon Valley and the San Francisco area she probably needs to do no more than take a stroll through Golden Gate park. Men have been "marrying down" for centuries but now that women are making coin some females perceive they are too good for such maneuvers. Lisa can stay if she wants too, she needs to hitch up her pantsuit and play the game the way it has always been played.

Big, Black NemesisNovember 12, 2016 7:56 PM

regarding, russia attribution, and immigration, and trump, and conspiracies


I will point out that I am a simple blue collar worker in my twenties. I am a white American citizen. I have worked on some software products, open source, free software. Not that anyone here is offering their linkedin up.

So, my post above, I mostly simply got from reading books. Now, someone who has actually experience with a government sponsored hacking team might find my resume highly suspicious, because they might wonder how I would be able to state these things. But, such people would not post here, and this is certainly just a product of my own paranoid imagination.

Krebs is an investigative journalist, he is not a "security researcher", as one poster claimed. He is pretty good at that, but a journalist is a journalist. They are outsiders to the fields they report on. They look for sources, and can hope to find good sources, and they report what sources say.

Very often I have found flaws in Krebs reporting. As with any journalist. Like with any journalist, they often simplify things, to put it one way.

Attribution on nation state level is difficult, but some credit should be given to nations that will dare to make official level proclamations. This is especially true with the United States. Why?

Because the United States has admitted to the fact that they are extremely good at both human and technical intelligence. Indirectly, usually. Sometimes directly.

Like any nation, especially a nation which has such an intelligence war budget, and such extensive experience in these areas, their counterintelligence normally keeps quiet on attribution and attacks, in general.

Wait? What!

This, I am sorry to say, is very true. There are high level reported instances where the US has reported on major hacks and nation state attribution. But, there are very, very far more where they have investigated and have not reported.

Again, as I noted in my last post, this is how counterintelligence works.

They are not like cops. Yes, some cops run long investigations, and employ extensive surveillance. But, CI is all that, all the time, and have the budgets and mandates to take their work very much further along these lines.

Very much of what they do is entirely covert, very often at the very highest levels.

Schneier has had a good blurb about the US capabilities, one time. He had just gone to a conference where a very high level NSA official spoke, and other high level government officials were present at.

He posted it some time after that, and did not tie it to that visit, but he stated, that one of them stated that he really was scared because the US had so thoroughly penetrated these other nations and they do not know it -- how can they really be sure no one else has done the same to them?

To paraphrase. Accurately.


Food for thought? You can guarantee the US is very deep in China, Russia, North Korea, and Iran.


Also consider, the US knew of the Russian directorate S moles expelled in 2010 in the early 2000s. Because the NY SVR officer was working for them well back then.

Ten some odd years of quiet.

Nothing compared to how many agents are out there, right now, working for the US. Operating as spies while working within their government. Nothing compared to the level of technical penetration you can expect on these nations.


Scary campfire story? Fuck no.

One reason is pure budget. So, what reader here has not seen some graph detailing the US military budget contrasted against other nations, and seen just how overpowering that is?

Yeah, okay. So, what is the black budget? Oh, you have seen some estimates. Because, that is out there. And this is funny, because I read and hear so many conspiracy theories. But the truth is often much more strange. And different.

Foresight is another reason. The internet and surrounding technologies were funded by the US government, specifically, military and intelligence. Much of the world's global communications infrastructure is US made or at the very least, touched.

And touched is all anyone ever needs. Here, many would not include all the world's software and hardware. They would be wrong to do so.

Even small city cops run extensive stingray systems and methodically plant surveillance cams on "telephone poles" by suspect houses. Really? How cheap is such a device? How cheap even for one designed for stealth, which holds a lot of data, and can actually relay that data to satellites and other systems without being detected? Ten years ago consumers could by pinhole video cameras that could hold multible gigabytes of data and be the size of a postage stamp. What did the US government have?

And hammering up wifi cameras? What about laser surveillance devices, which even consumers can cobble together for about twenty bucks these days?

None of this to even begin to mention the armies long set on finding security vulnerabilities in the world's code. What is the global stockpile the US probably has by now? Some other nations do produce products to find these vulnerabilities. Israel, for instance. That is about it.

And how much of what you read and see in the news about all of this is complete bullshit fabrication?

You know, I see some really far fetched trump stories. One is that the guy has been befriended by the Russians way back when he married Ivana, who came out of the Soviet Bloc countries. Who remembers funny old Trump posing as an employee to journalists, talking up about how cool Trump is?

Well, who is to say that Trump was not working against his very friends there all along?

Who would know? Russia? Oh superpower that it is? Though, Russia is not a superpower. And because of the funny and totally not controlled by the US plunge in oil prices, why, they are struggling to just make basic budgets.

China?

Iran?

Which is another thing. America, why not work for them? If you work in a corrupt Iran, China, or Russia, why not push for freedom and make a few... hundreds of thousands of dollars... to play spy for the CIA or NSA?

This would both be the best thing for their own country, and they would help world peace.

You know, like all those bullshit lines Communists used to be able to profess. Before everyone realized it was all a lie. But, the American, and Western line, is not.

Russia would be better free, Iran, China. These are nations obviously cannibalizing themselves. And, incidentally, forcing themselves into servitude to the world's superpower while doing so. Merely so they can continue to "afford" the unaffordable budget tyranny demands.

But, yes, part of a job of spies is to "lie", at least, to manipulate folks.

So, maybe the attribution and implied claims that "there is evidence we can not disclose, but it is hard evidence" statements are complete bullshit?

End of the day, distractions. All of it.

Trump was not elected because some doofus wannabes working for Russia hacked the DNC. Trump was elected because he told a lot of people what they so badly wanted to hear.

He could be the racist sexist he makes himself out to be. Or? He could have just played a role, worn a mask, to get those who actually buy into that crap doing what he wanted.


https://www.youtube.com/watch?v=6bMM61Y5CEU


Bob FNovember 12, 2016 10:02 PM

When will the Dems push for removal of the electoral college?

Gore would have won in 2000 and Clinton in 2016 if the election was by popular vote.

No other election in government has anything but popular vote as the determinate.

ab praeceptisNovember 12, 2016 10:54 PM

TheGuildsman

As you ask:

I don't think that we even reasonably *can* comment beyond some first observations.

- We don't know anything about the "token generator" which, however, seems to be important in your mechanism.

- We don't know the symbol set nor its cardinality or power.

- I don't think that a mechanism with "wildcards" is acceptable in that field.

In your example Eve would see 2 out of 3 "pins" (as you call them); plus a "wildcard". Doesn't look sound to me.

Moreover, I would expect trouble to come up with diverse code sets, at least if not both sides are limited to ascii. Then, however, you would have only extended the usual charset somewhat plus added some magic sauce.

Furthermore I expect trouble with peoples ability to chose the correct "pins". Complexity should be either avoided or hidden behind simplicity for end users.

All in all I see way better and simpler and more reliable mechanisms playing in roughly that corner. Simple Example:
Alice contacts Bob. Bob sends a random 16 bytes. Alice xors those with a 16 byte hash of her password and sends that to Bob. Bob who has Alice's pw hash (not her pw which is a weakness in your mechanism!) also xors his random bytes with Alice's pw hash. If they match, Alice is accepted, if not, she is denied.

Also offers your main sales point, namely that Eve can't easily sniff Alice's pw on the wire, plus better security (e.g. by Bob *not* having Alice's pw). And it's way better understood as it happens to be a variation of very very well studied challenge protocolls. In fact, it's but a rather modest (and very well understood) modernization and strengthening of commonly and widely used auth.

TheGuildsmanNovember 12, 2016 11:33 PM

@Thoth
"What happens if all my passcode characters are the same ? Will it get confused due to all my passcode characters being the same."

Apparently not. According to the create user id & pin screen you can "choose the same pin multiple times"

http://nmjava.com/gate/GATE_4_Create_Id_2.PNG

As far as I can tell it seems to work as follows for a login :

1) You enter your userid.

2) You are presented with a 4x4 array of 16 tokens. Each token contains 4 "pins" or characters. The "pins" of your password are contained on "some" of the tokens. It appears that "some" is from 1 to the number of pins in your password. i.e. the entire password is not necessarily visible in the array. Only you and the server know which tokens contain your pins.

3) You enter your password by selecting the tokens that contain your pins in the correct order. If any of your pins do not appear in the array you MUST select some token as a wildcard. So you must enter a password of the correct number of characters even if all the pins do not match your password. i.e if your password is 1A9C and the 1 and C do not appear in the array you must enter xA9x where x is any token.

4) The server verifies the pins and if the correct ones match you are authenticated. If they don't match the login fails.

5) Every time you login you are presented with a different 16 token array presumably with a different number of your pins visible. So if someone is watching you enter your password they will have no idea what it is because you will be selecting a different set of tokens with different pins each time.

(You can have 5 or 6 character passwords and the tokens in the array will contain 5 or 6 pins depending.) Assuming the server is secure, etc., etc., all the usual qualifiers, it seems pretty foolproof to me if the objective is to prevent someone from memorizing your password over your shoulder like what happens at bank machines. Or if someone watches you and then steals your smartphone hoping to sign in to your bank account.

What do you think?

TheGuildsmanNovember 12, 2016 11:57 PM

@ab praeceptis

Thanks for your observations. I appreciate you taking the time.

First of all GATE is not mine. I saw the link, had a look and thought I would ask for comments as it appears to satisfy what I consider to be a big problem with a service/app I am considering developing. The problem being the user giving up their password "over the shoulder" thereby allowing access to confidential information, stored on my server, which if divulged would have serious consequences.

I am reading the patent. I will keep an eye open for the answers to the issues you have raised.

Clive RobinsonNovember 13, 2016 12:15 AM

@ ab Praeceptis,

Simple Example: Alice contacts Bob. Bob sends a random 16 bytes. Alice xors those with a 16 byte hash of her password and sends that to Bob. Bob who has Alice's pw hash (not her pw which is a weakness in your mechanism!) also xors his random bytes with Alice's pw hash. If they match, Alice is accepted, if not, she is denied.

Err, you might want to walk through that example again, you've left something out, or it's insecure.

The problem is "Bob sends a random 16 bytes." (Br), Eve can pick that up off the wire, the same as Alice can.

Thus when "Alice xors those with a 16 byte hash of her password and sends that to Bob." (Br xor Ah) Eve can also pick that up off the wire, the same as Bob can.

If Eve then XORs the two together (Br xor (Br xor Ah) = Ah) she has Eve's password hash (Ah), and thus under the protocol you've given Eve can impersonate Alice from that point onwards... You need to replace the XOR function with a "true" One Way Function.

Clive RobinsonNovember 13, 2016 12:45 AM

@ TheGuardsman / Frank,

From your reply to Thoth

You indicate a "token" is made of "four pins". A problem arises in that in the case of the "End Run Attack" using a hidden CCTV/Observer even if the tokens are randomly formed (from the actual pin and three randomly selected pins) each and every login the valid pin will still be present in the same token place for each login. Thus an attacker would be able to determine the actual pin or fixed token fairly quickly.

The fact that the user might randomly pick a null token to replace a missing valid token actually does not stop the valid pin being identified within a few more observations.

The system is actually realy quite weak, when you start to dig into it and has a large number of subtal implementation issues that also make it quite brittle.

My advice to anyone thinking about using the system would be "Sharpen your barge pole and give it a very hard push away".

ab praeceptisNovember 13, 2016 1:09 AM

Clive Robinson

Absolutely correct. It is common, however, to use xor for illustrative purpose as a standin for a proper mechanism.

Evidently, in a real-world implementation one would use some proper mechanism, for instance sym. crypto.
You might want to note that the pw hash is very commonly, e.g. in unix auth. mechanisms and in countless web apps, openly sent anyway.

The really decisive factor in the scenario introduced here ("gate") is that Alice and Bob already do have some kind of preshared secret (which opens many possibilities).

Another major point I wanted to focus on is the fact that in the introduced "gate" system, Bob holds Alice's password which, of course, is a major weakness. The parties should *always* hold hashes only.

TheGuildsmanNovember 13, 2016 1:51 AM

@Clive

"even if the tokens are randomly formed (from the actual pin and three randomly selected pins) each and every login the valid pin will still be present in the same token place for each login. Thus an attacker would be able to determine the actual pin or fixed token fairly quickly."

Thanks for your comments Clive. I had the same concern.

The author covers exactly this point in the patent on page 47 of 61. His argument is that since each of the 4 "dimensions" contains 36 values and only 16 tokens are displayed there is no guarantee that more than 1 valid pin will appear in the array of tokens, and that since the user must enter a wildcard pin in the missing pin position(s), the attacker has a more difficult task to guess the pins even if he gets to watch many iterations of the login. He places the pins in the same position on the token to make it easier for the user.

So in your estimation how many login attempts would the attacker have to view a) if all 4 valid pins appeared somewhere in the array each login versus b) if the number of valid pins was also random each login?

Perhaps the number is large enough to outweigh the risk especially when compared to your typical 4 digit bank machine pin.

Clive RobinsonNovember 13, 2016 8:50 AM

Is the Cloud Realy 4U?

As some here know I've a bit of a downer on the Cloud due to the security issues (and they may say "No S41t Sherlock" ;)

However people who may not have many security concerns still find that the Cloud is without doubt not for them. Some even imply that they have been lied to on the performance aspects. And arguably they have a point due to lack of understanding being correctly communicated or interpreted.

This article, points out some of these issues in an unheated manner and it's well worth the read if you are likely to be heading down the Cloud route, due to prototypes looking good but not "field load tested".

FigureitoutNovember 13, 2016 8:57 AM

Thoth
--Like it, looking good. Thumbs up. Eventually Groggybox will be an executable .jar file?

MatthewNovember 13, 2016 9:19 AM

@TheGuildsman

I agree with Clive. The method in your link is very weak.
I estimate given 5 successful sucessful logins, I am able to guess the pins and their positions.

The method's creator and you fail to take into account that any unused tokens during the password challenge hints to the attacker which symbols are NOT in the user's pins. By elimination, I figure out which pins are probably valid.

Since I am a newcomer here as compared to Clive, I am sure he can see more flaws.

ThothNovember 13, 2016 9:25 AM

@Figureitout
Yup, executable JAR file indeed for the first iteration. Once I have gotten the basics up, then there will be more room to talk about more user-friendly deployment methods (i.e. EXE executables and so on).

Clive RobinsonNovember 13, 2016 11:17 AM

@ All,

As most are probably aware the election of Donald Trump has caused considerable disquiet in the "Silicon Valley Seniors".

Various explanations have come up including that "they can gull Democrats on IP misappropriation".

Well it's getting nastier by the day...

Someone has dug up a two year old report[1] that indicates "Silicon Valley" has illegal gangmasters feeding immigrant software engineers into sweat shop conditions working for the larger Silicon Valley" majors. Thus are not just profiting of illegal activity, but also using this activity to artificially reduce wages of US citizens (another illegal activity in California they have had their collar felt over in the past).

This is going to get nastier and nastier not sure what the outcome will be but it is unlikely to be sunshine and roses.

[1] http://www.theguardian.com/us-news/2014/oct/28/-sp-jobs-brokers-entrap-indian-tech-workers

TheGuildsmanNovember 13, 2016 3:39 PM

@Matthew

"I agree with Clive. The method in your link is very weak.
I estimate given 5 successful sucessful logins, I am able to guess the pins and their positions.

The method's creator and you fail to take into account that any unused tokens during the password challenge hints to the attacker which symbols are NOT in the user's pins. By elimination, I figure out which pins are probably valid"

Well Matthew thanks for your input but I'm not sure I agree with you. When you consider that each token is randomly generated at each login attempt from 4 sets of 36 characters, and only 16 tokens are randomly displayed, the number of token permutations is enormous. And there is no guarantee that all of the valid pins are displayed at any login attempt.

So just curious how you come up with 5 logins to guess the "probably valid" pins and are you doing this by eye or video?

tyrNovember 13, 2016 4:42 PM


@Clive

The silicon valley bigwigs have been right behind
Hilly all the way whipping up a frenzy against
Dump and cocksure that they could steer the gulled
any way they wanted to. Suddenly they are the new
targets for any of the vindictive roaches of the
other side and all their crooked dealings are of
concern to the new power gang. Trump says he will
deal so it's time for them to fold the tax dodges
and stop illegal immigration swindles and hope the
surveillance apparatus will look elsewhere for easy
victims.

I love the basis of discussions about who is the
"illegal'. The whiteman newcomers drew an invisible
line on the ground after stealing most of Mexico
then they turned the brown folk on one side into
Indians and those on the other into Mexicans.

I want to see the deportation take place so I can
watch the cityfolk come out into the central Valley
to pick their own crops or starve because beans
don't grow in cans or get to the supermarket by
magical processes. I doubt that Trump is willing to
pick the beans for his own dinner no matter how he
proclaimed it as a great idea.

If one of the requirements of a college education
was a years work on a farm or ranch there'd be a
lot less half-assed ideas afloat in the world.

One hilarious aspect of the election was the Neocons
enmasse signing of a letter condemning Trump before
he won. If I was him that list would be on the top
of my agenda for warcrimes prosecutions. But he's a
lot nicer than his enemies are.

Did you happen to notice that Assange was treated as
a minor nuisance until he said he had the goods on
the Banks? The response was immediate to shut off
the funding and hound him to shut him up.

My InfoNovember 13, 2016 5:01 PM

Regarding my P vs. NP posts:

I was somewhat joking in the last comment I made to the last Friday squid post.

Anyways, I wrote up a little paper on my investigation into the P vs. NP problem. Any ideas on what I should do with it?

David DaysNovember 13, 2016 5:51 PM

Hey, all.

Have a squid post general security question (for @bruce and any others who wish to chime in).

The Intercept just put out an article on "surveillance self-defense", and one of the most interesting things was the last item: Using an OS calls Qubes.

I hadn't heard of that OS before reading the article, but the premise sounds very interesting: Using VMs in different security contexts to run each individual application, and the underlying OS manages VMs and communication between them.

(That's my one-liner summary--I'm sure that it's probably nails-on-chalkboards to those who already know the system, so my apologies for poor wording.)

I'm going to dig deeper into this, but I wanted to see if Fans of Bruce (or the Man, himself) had any particular thoughts on this: Good, bad, ugly, or odd. I'm already considering buying another laptop just to play around with this. Nothing expensive, but that's the same way I started with Linux all those years ago.

Kim the WhaleNovember 13, 2016 7:41 PM

If nVidia is a security risk then who else is there?
yes I know there is other guy.

How do you build a new computer? with privacy and security in mind

Laptop, desktop, enterprise...

Hundred GatesNovember 13, 2016 7:45 PM

last I checked Qubes couldn't be run from a dvd-r because it wouldn't fit. maybe they should work on a lite-version

ab praeceptisNovember 13, 2016 11:42 PM

TheGuildsman

Nope. If I played the blind lottery approach the chance of hitting all 4 symbols were about 1 in 1.7 mio. In ITsec that's a ridiculously high chance.

Moreover with a (in our field) ridiculously low number of observed exchanges I would have your full symbol table. You see, your argument can be turned around to say "you *tell* Eve up to 16 symbols each and every exchange between Alice and Bob".

But in my personal opinion your major problem is wrong approach which ignores some basic "holy" rules. When working on such stuff you must keep those in mind.

- user unfriendliness and complexity directly translate to lack of security.

Strong example: Force the to use "strong" arbitrary password of minlen > 6 and the humans will put them on a post-it on their monitor.

The average user is used to 23 letters * 2 (small and caps) + 10 numbers plus, let's be generous, another 10 symbols -> about 75 symbols. Your symbol set includes uncommon symbols (not unknown but uncommon as in "I never typed that. It's not on my keyboard").

That will, at the very least, dramatically lower the acceptance of that "gate" mechanism.

Moreover you work with "wildcards" which are from both the math side and the users understanding/acceptance strongly undesirable and trouble ticket generators.

To make it worse, the user is confronted each and every time with different symbol choices. Won't work. The vast majority of users expects a fixed string to represent their password. Your system will be takes like "Not only are there weird symbols but on to of that they always change!"

Classical error. Computers are good a arbitrary and changing mappings. Humans aren't.

- one must include the crackers perspective.

That also means that many math/paper assumptions won't work. Example: In many if not most cases Alice and Bon won't be the only users, so the crackers chances to get hold of a) your full alphabet and b) lots and lots of exchances grow immensely.

What looks good with Alice, Bob, and Eve needs not look good with hundreds of Alices and Bobs.

"Gimme 5 exchanges and I'll crack it" was (IMO) a little adventureous but look, 1 in anything less than 2 to the 30 or so is really quite the same as "5" in our field.

Clive RobinsonNovember 14, 2016 12:48 AM

@ David Days,

Using an OS calls Qubes... but I wanted to see if Fans of Bruce (or the Man, himself) had any particular thoughts on this: Good, bad, ugly, or odd.

Qubes has been mentioned a few times on this blog over the years as well as the projects lead, you can "Google this site, through Duck Duck" for quite a number of comments, which point out various differences of opinion on the way the project has gone over the years.

One "big" question that comes up is the size of the code base and it's complexity, and what this means for it's potential for having attack vectors. Which boils down to the same arguments for the "known to be vulnerable" popular closed source "consumer OS's" and some of the more well known *nix distributions.

Whilst it is fairly easy to point out other non main stream OS's with more rigorous security evaluation and testing most rule themselves out as they do not support the application software most would want to use, and the few that do tend to have compatability layers can be eye wateringly pricey or have hardware requirments that are in effect unavailable.

So before diving off at the deep end of installing any non mainstream OS you need to ask yourself the "Why, When and What triad questions" that is Why you are doing it, What you hope to get out of it and importantly, When you will get sufficient skill levels in it to have been worth the effort. Even if it is just a "hobby project" there has to be "some payoff" as an objective and that is only achieved with a very real world project, with demonstratable mile stones. Thus knowing in advance what the "enjoyment / pay off" for you is, will save you a lot of otherwise soon to be lost time, because,

    Proficiency is a skill, and like all skills needs several thousand hours of time to become proficient.

To see why in this case first get yourself a fresh cup of coffee, sit down and think what is involved with being able to write your own OS from scratch, how you would go about it what knowledge and skills you would need how you would test it etc, then go and pop the coffee in the microwave to warm it up again.

Having had to write the equivalent of a BIOS/OS firmware several times in my career that has to be both secure and highly available (think safety critical very remote embedded that has to run unattended for decades without the posibility of maintenance). I can tell you for free the effort is a real time sink and does not have anything remotely like a worthwhile pay off... Nor has anyone managed to make it pay a worthwhile profit they could not have more easily, less riskly and probably more enjoyably made another way (but that is why the leading edge is often called the bleading edge by engineers doing the cutting edge design).

So in all seriousness draw up a "Project Plan" with hard milestones before you even start downloading anything or spending money.

TheGuildsmanNovember 14, 2016 12:59 AM

@ab praeceptis

Ok. Some interesting points but I think it all depends on the application.

You are standing behind me in line at the ATM machine every time I do my banking. And I'll even let you sit next to me at Starbucks and watch while I do some banking with my iPhone.

How many successful logins will you have to watch to be able to guess my 4 pin passcode? Or rather how many times will you have to meet me at the bank, or at the coffee shop, before you can make a reasoned guess? Or before I notice that you are always hanging around.

With a 4 digit passcode you would probably only need one peek to remember 1234 or 6395.

So far we have a low of 5 logins which you agree may have been a bit optimistic on Matthew's part.

Clive RobinsonNovember 14, 2016 2:25 AM

@ Kim the Whale,

How do you build a new computer? with privacy and security in mind

The simple answer is you can not, because it's out of date and thus become vulnerable before you finish specifing it let alone building it...

What you can do is accept that and the fact you will forever have to mitigate, thus design for maintainability and thus sustainability in a rapidly changing environment.

Easy for me to say, difficult to do, especially when some very valid security advice is do not use hardware manufactured after the first few years of this century due to increasing supply chain poisoning. The obvious solution to supply chain poisoning is to "jail the system" that is you somehow confine it such that aberant behaviour causes no outward data leakage at any point. This in turn means two thinks "energy gapping" and either no communication or heavily mandated and mediated communication, which in turn makes such as system effectively usless for many common uses.

Thus there is a very thin line between security and vulnerability, and you wander left and right of it like "a drunk doing the police sobriety test".

Clive RobinsonNovember 14, 2016 2:44 AM

@ TheGuildsman,

You are standing behind me in line at the ATM machine every time I do my banking...

That is not how ATMs are attacked these days, and as Google found high quality security CCTV systems are a permanant feature, as are driver level malware shims etc etc.

This idea might once have seemed like a good idea but we've probably moved on ten IT generations since then, which in human terms takes us back in time to before the invention of the electromechanical relay switch. It is a very very different world.

If you personaly think it's a good idea you build a product around it and if it gets sufficient users doing sufficiently valuable you will get a fairly good idea as to how fast it will get attacked. Put some real skin in the advocacy game you appear to be playing.

You will occasionaly come across security discussions about strength where you will see a spectrum between the lock on a little girls diary to keep out a nosey sibling and a diplomatic communications system designed to keep secrets against the strongest of opponents for more than a century or so. The system being discussed is very close to that little girls diary end of the spectrum.

My InfoNovember 14, 2016 4:54 AM

@David Days

The Intercept just put out an article on "surveillance self-defense", and one of the most interesting things was the last item: Using an OS calls Qubes.

I hadn't heard of that OS before reading the article, but the premise sounds very interesting: Using VMs in different security contexts to run each individual application, and the underlying OS manages VMs and communication between them.

Different VMs in different security contexts on the same box: in all COTS hardware, as far as I know, there exist vulnerabilites in the hardware support for virtualization that cannot readily be mitigated in software. The OpenBSD folks talk about this all the time.

I've even heard that NSA runs classified and unclassified VMs in the same box: way too much of a trust factor for me. Their reputation for keeping secrets is not that great lately.

For the kid sister security aspects, just installing a good ad-blocker and avoiding the questionable sites goes a long way. And if you run JavaScript or Flash or fancy HTML5 stuff or any of that other crap that modern websites depend on, your "surveillance self-defense" is definitely all for naught.

ThothNovember 14, 2016 5:08 AM

@My Info, David Days
Most people easily own multiple hardware. Just use different hardware for different levels of security and different levels of connectivity. Ranigng from connected for gaming and normal web browsing to air gaps with dedicated smart cards, data diodes and HSMs (if you can afford) for the most sensitive.

My InfoNovember 14, 2016 5:58 AM

@Thoth

Most people easily own multiple hardware. Just use different hardware for different levels of security and different levels of connectivity. Ranigng from connected for gaming and normal web browsing to ...

Yes, I quite agree with this part.

... air gaps with dedicated smart cards, data diodes and HSMs (if you can afford) for the most sensitive.

You don't need to "buy" all this stuff for security. Just keep your private stuff separate and shut up about it. Everything you "buy" you are trusting, and that's another point of weakness. The Europeans are more into that kind of stuff. There are even banks that require some sort of dongle for "two-factor authentication" to log into their websites. We call some of that stuff "Eurotrash" because we don't know who made it or what's in it or what it really does.

MartinNovember 14, 2016 6:54 AM

File Protected? Yes, No, Maybe a Little? Would appreciate your thoughts:

Microsoft Windows 10:

• BitLocker 128-bit with TPM - Boot Drive

• User ID & Password

• BitLocker 256-bit - Data Drive

• VeraCrypt Container

• TwoFish via PWS

• BlowFish via Braun

• LibreOffice Writer File Encryption

* All 7 passwords / phrases 14 or more characters.

* Local storage only; no cloud or network storage.

* NTFS file format on year old Dell laptop.

ThothNovember 14, 2016 7:14 AM

@Martin, all

If you want protection against the NSA et. al., the answer is ALL NO. If you want protection against unskilled siblings, the answer is ALL YES. Protection against Script Kiddies and everything in the middle, it's still ALL NO because once they pwned your memory and do a little keylogging magic, you are done with and all your software keys, PINs and passwords don't exist as your secret anymore. If they captured your TPM PIN code, they could effectively exflitrate the PIN and use it for something else next time.

Anything so secure will not even exist neither on paper nor on electronics. The very simple reason is most people don't bother to upgrade security beyond software keys combined with passwords entered from insecure input devices (no matter how complex it is) and the diseased Windows/Liunux/Apple combination of easy pwning (huge bloated codebase and tonnes of crap inside the codes). End game is security will continue to deteriorate and be even worse as time pass despite interesting security methodologies being invented as most of us simply want the easy way out.

The drive to do away with password is an adventurous yet fruitless endeavour. Poor authentication techniques with huge holes (i.e. biometrics) appear to attempt to take the place of passwords to no avail but to introduce even more holes in already crappy state of security.

The problem is not with the methodologies and techniques but with the people. The people are the weakest link in the chain of security and for many years, most people think that security is a burden or something of a compliance with the "I have nothing to hide" attitude. Try explaining security to one's elders and siblings and you might probably get a blank stare from them and the default respond of one being paranoid.

Societies, Industries and Governments will continue to be like the ostrich that hides it's head under the ground. I guess that's just life :) .

TedNovember 14, 2016 9:49 AM

David Axelrod talks to former acting director of the CIA Michael Morrell

Ep. 96 - Michael Morell
November 14, 2016: 6:00 AM EST

At 20:37, David Axelrod: “One of the greatest jokes at the White House Correspondence dinner was George W. Bush saying look I know people don’t think I’m smart. Even my aides don’t think I’m smart. They put this thing called an Intelligence briefing on my schedule every day.”

Of course, there’s more good discussion about prior presidents and national security.

Nick PNovember 14, 2016 1:11 PM

@ My Info

They don't just run it on the same box. They have special tech for doing that which probably eliminates some of the weaknesses they know about. HW or firmware level issues remain to quite a degree, though.

General Dynamics based on HAP, Red Hat, and VMWare:

https://gdmissionsystems.com/cyber/products/trusted-computing-cross-domain/trusted-multilevel-computing-solution/

Green Hill's based on separation kernel with some extra components:

http://www.ghs.com/news/20070501_integrity_intel.html

Sirrix in Germany uses this architecture:

http://www.perseus-os.org/content/pages/Overview.htm

The only FOSS one similar to high-security designs is Genode:

https://genode.org/about/

They're great at isolating the effects of malware, user-mode, or some kernel attacks. They stop behind effective at that layer or below against high-strength attackers. It's why I used physical separation with cheap boxes, ROM BIOS's, and KVM switches. Plus stuff like this where possible. High-assurance KVM + drivers + file transfer (esp UDT-like protocol) is still worthwhile investment for people looking for projects.

Clive RobinsonNovember 14, 2016 2:07 PM

@ When DDoS attacks,

Yes the UK's National Health Service (NHS) Email system was compleatly FUBARed this morning.

I used to be involved with services for NHSnet, and lets just say to many chiefs... And within the NHS itself the wrong type of managment for the practice of good ICTsec by the general employees. The managment style was in effect dictated by various UK Health Ministers out of Richmand House in Westminster. If anything those reading the news in the UK will be more than aware of the lack of ability of current UK Health Ministers, who are no doubt very crateful that Brexit and the US election are keeping the effect of their compleate lack of abilities to function off of the pages of UK newspapers.

David DaysNovember 14, 2016 7:30 PM

@Clive,

Thanks for the thoughts--and that's what I'm doing, at the moment.

I mentioned starting in Linux the same way because I'm now getting work doing *nix-focused development work. And though that worked out, not everything I have done has paid off, at least in the usual $en$e.

OTOH, I have found it useful to at least check out different ways of getting the job done. If nothing else, it makes me reinforce the basics of how computers and software work, regardless of the shiny OS that gets laid on top. Same goes for databases, network communications, and just about everything else IT-related.

I can't tell you how many times I've been able to find or fix a bug, not because I had some deep knowledge of that particular DB, but more because I had taken the time to futz around with a dozen different DB implementations until I could get them to work. I would imagine that you have more (and better!) war stories along the same lines.

I'm definitely going to consider why and how much time I might invest (and the possible usefulness) before I actually pull the trigger. I've got a pretty busy professional life, but this might be an opportunity to try out something new. I just have to guesstimate if it's going to be worthwhile.

AnuraNovember 14, 2016 8:52 PM

Just a reminder for all of you who care about things like freedom and democracy of who Rudy Giuliani, who may be our next head of the DOJ or DHS, really is.

https://www.washingtonpost.com/news/the-watch/wp/2016/11/14/the-terrifying-prospect-of-an-attorney-general-giuliani/

A corrupt and horribly petty "above the law, but will impose it as harshly as I can get away with" type. The need to protect yourselves and your (meta)data from your government may be more real than ever.

name.withheld.for.obvious.reasonsNovember 14, 2016 9:11 PM

Two things to mention; the use of the National Security Industrial Complex to manipulate "releases" of information (thinking e-mails) and bureaucrats that play ball with one or another party apparatus. Attribution of other nation states accused of meddling with the election process (again, the National Security Industrial Complex) could easily be a U.S. government funded dis-information campaign. On a side note, it is interesting Julian Assange has found refuge under the umbrella of pardon requests from Republican party operatives. The other point of interest is the use of propaganda (normalized under the 2014 NDAA), both press/media entities and individual political candidates exercised an abnormal amount of dis-information campaigns, clouding the space that was the U.S. election.

Given the aforementioned system corrupted by political parties, Donald Trump represents the classic bait-and-switch political hack. The Republican party finds a dupe, Trump, and instruments the patsy to carry out a campaign of mis-direction. Appearing to be a populist, his charter was sell the "commoner populist" spouting off about the functionaries of the DC professional political class as "Incompetent". Trump is operating outside the DC "swamp", or at least that is the cover story.

Oddly enough, those very "Incompetent" political hacks seem to have found a home in the Trump administration. In fact, it is the previous generation of "hacks" that have found a home in the U.S. Executive branch.

AnuraNovember 14, 2016 9:15 PM

If Trump or Giuliani butt heads with an organization like the EFF, be prepared for "leaks" about people with terrorist ties donating to them, or other attempts to smear them, along with them using any power they have to go after them, their board members or other employees and backers.

YapNovember 15, 2016 3:11 AM

@ Anura, "If Trump or Giuliani butt heads with an organization like the EFF, be prepared for "leaks" about people with terrorist ties donating to them, or other attempts to smear them, along with them using any power they have to go after them, their board members or other employees and backers."

That likely won't work and will only backfire, because it won't be a popularity contest like the election that was. The Clintonistas and Podestas made sure the world knew about those '"Incompetent" political hacks' surrounding Trump's campaign, but it did very little to sway voters.

Everybody loves to talk bout elections.

TedNovember 15, 2016 9:04 AM

@Clive Robinson

The sort of joke only a script writer could write

Quite true :)

Bruce Cherry was one of a team of writers who came up with material for W. and his comedic doppelganger at the 2006 White House Correspondence Dinner. If you feel like laughing here’s the video of the duo. Barbara Bush had seen the W. impersonator at an event before, and loved him :)

More: "The Writers Who Make Presidents Funny"

ab praeceptisNovember 15, 2016 10:05 AM

MyInfo

I glanced over your paper and besides the question "who is 'we' in that paper?" I found the same problems again that I had seen earlier.

One major problem I see is that you mix up compsci and math perspectives by, for instance, offering a typical compsci turing machine and oracle based description. Btw you also miss a decisive point in NP, namely the property that NP problems are not solvable in poly time but that any solution can be proven in poly time. A rather common misunderstanding but NP doesn't stand for _N_ot (solvable in) _P_olynomial time by [insert favourite definition, such as e.g. "a deterministic TM"].

So, for instance, to crack a given strong hash function is not solvable in poly time while proving such a (assumed) "cracker" working or not was in (typically even low) polytime (if it weren't the whole undertaking would be futile).

Also, an oracle *may* - but not must - be (rather wanton) defined by tape lookup.

As you happen to mention the SAT problem, it might be noteworthy that NP is but a subset of higher complexity classes such as, in particular Nexp within which some SAT problems are to be found.

I don't remember the profs name but I remember that they offer some rather nice introductory online classes at mit showing a good overview.

Principia HardwareNovember 15, 2016 11:36 AM

@ab praeceptis

Don't say provable, say verifiable.

If a proposed solution cannot be verified we say it does not belong to any computational complexity class.

Also, most hash functions are basically lossy compressors and map one-to-many. How would you verify that a given output is from a certain input? You can't, because most of the information in the input is unknowable (given only the hash).

Big, Black NemesisNovember 15, 2016 12:03 PM

@Yap

That likely won't work and will only backfire, because it won't be a popularity contest like the election that was. The Clintonistas and Podestas made sure the world knew about those '"Incompetent" political hacks' surrounding Trump's campaign, but it did very little to sway voters.

Generally, when folks are assigning all blame to Democrat powers that be, this signals they are Republicans. And, vice versa.

This is especially a good IOC (indicator of compromise), when the "facts" they state are verifiably untrue:

https://www.dni.gov/index.php/newsroom/press-releases/215-press-releases-2016/1423-joint-dhs-odni-election-security-statement

The DNI is the seat of US Intelligence. All US Intelligence.

So, stating Clinton-Podesta is the secret heads of all US intelligence is just downright stupid, and definitively naive.

If anyone truly believes that Clinton-Podesta, some "liberal conspiracy" control the US government... namely, the US Mil-Intel-LEO-Defense Industrial Complex... well, where do you go with that?

All one can do is repeat, repeat, repeat, but certainly not reason, if they wish to make such claims.

And, unfortunately, reasoning is acid on the brain for die hard politico sheep.


@name.withheld.for.obvious.reasons

Attribution of other nation states accused of meddling with the election process (again, the National Security Industrial Complex) could easily be a U.S. government funded dis-information campaign.

Sure, this? Is possible. Good thinking, from a CI perspective. Where CI means counterintelligence. But, that is also what I would say is a case of having your "Oliver Stone" hat on.

Did this happen, likely? Absolutely not.

Look, I do not think you are a friend of Russia. Are you American? European? I was thinking European. Europeans have very strong motive not to be a friend of Putin's regime.

So, don't let them laugh at you. They did a bad hacking job, as usual, and they got caught. It sure did serve to know down Hillary and prop up Trump. Anyway stating otherwise is throwing out logic and reasoning for what they know to be a lie.

Some posters are arguing that the DNC hack actually helped Hillary. Are these the sort that will detail their logic here for such a matter? These are the sorts that will rely on repetition of lies.

You want some corrective, scary truth?

See below.

iven the aforementioned system corrupted by political parties, Donald Trump represents the classic bait-and-switch political hack. The Republican party finds a dupe, Trump, and instruments the patsy to carry out a campaign of mis-direction. Appearing to be a populist, his charter was sell the "commoner populist" spouting off about the functionaries of the DC professional political class as "Incompetent". Trump is operating outside the DC "swamp", or at least that is the cover story.

You state.

The FBI definitely is wired into the DNI and the overall military-intelligence-leo industrial complex. And they went for Trump. They did a lot to help Trump win, this is certain. Their internal viewpoints of being "very pro Trump" is certainly highly likely to be true, as several FBI sources claimed.

But these sources also claimed this does not mean they really liked Trump, rather they had a "anybody but Clinton" viewpoint.

But, how is your statement here, close to the truth? It is true that whomever gets in the presidential seat is under the powers of the US military-intelligence-leo industrial complex.

I said, when Obama was first elected, with all of his crazy promises, that he would turn around. And I watched that happen. Trump, same thing. And Trump certainly did make promises that appeal to the true elite rulers. Who are not Republican, nor Democrat, but control both parties.

Trump stated terrorism would be his foremost priority, and that is what the real establishment wants. Trump stated that he wants to secure the border. They do, also, want this. And Trump stated he wanted to severely deal with Islamic terrorism and ISIS. All of this? Yes, yes, yes.

And so did a huge base of American voters.


Further, Trump has stated he will play hardball with China.

This too.

Major downsides? Well, for one, he has some claims to take some isolationist viewpoints. For two, he is certainly siding hard with Russia. But, fact with Russia is, ultimately, the US is sided with Russia in the Middle East. Neither wants Sunnis in power there, especially not in Syria.


FYI, I do not believe that power base in the US as evil, or anything like it. I do believe there needs to be checks and balances. I certainly agree with the intelligence and not LEO side of the encryption debate. Fact is the FBI is small and lazy, and backwards on vulnerability farming. The NSA, CIA DST, and military never have been.

Personally, I am not for following paranoid US Atty directorates for spying. I think such things should be done entirely 'off the books'. The checks and balances there are you have to not abuse it, so as to simply not get caught.

Bad side, issues like parallel reconstruction. But, that involves sharing information, and sharing illegal covert ops product to agencies under the control of political appointee hungry lawyers (whoose dat??) is Bad For Business.


You know, when I offer devil's advocate opinions, I know I am going to either get ignored, or attacked. I do not mind saying, I am then one of the bad guys. But, I do believe in security for people who are not criminals, who are not opposed to the primary aims and authority and power of the US Government.


@any or none

Now, something else, on different topic:

Has Trump truly given a seat at the table to the "alt right"?

Maybe the book "the red pill" by a white supremacist, the founder of that movement will become required HS reading. Maybe health care providers will be forced to have counseling options for men who believe they are being persecuted, and whites who feel left out and smashed down? Maybe pick up artists will be on everyone's health care plan by force from the federal government, and the supreme court will legitimize the concept of "cucks"?|

Forget about it.

Not going to happen.

Maybe, what these Americans really want and need is a better balance for American jobs. A lot of ways to screw that up.

But, Trump, like Obama, like Bush, are no longer truly their own selves when President. They have become the role, in their own, individual way. But the role has a massive power base behind it. And it centers around serving the interests of the nation.

These spies and cops and soldiers are servants of the nation.

Even the politicians are, many who come from the land of cops and spies and soldiers. Even if most come from the world of prosecuting attorneys -- prosecuting attorneys certainly are cops.

All are civil servants.

Even if all the President was controlled by was that daily intelligence brief, that daily intelligence brief most certainly exhibits enormous control over their decisions. As with every other brief.

But it is exactly those groups which start to come to them, and they are certainly the "cool kids". They have the power with them. Without them, there is no power for the President. They are his eyes, ears, and arms, and feet.


Big, Black NemesisNovember 15, 2016 12:21 PM

BTW, on "alt right", especially those who have been *so* anti-government, and anti-surveillance? What will happen to them now?

^^ I had meant to throw this into the above, last post of mine. Probably a lot of the alt right are not hyper focused on being anti-government, but everyone knows, a lot sure are. And plenty read and comment on this list. As we have all seen, and one can see above.

When the right is in power, the left wing extremists come out. When the left is in power, right wing extremists come out.

Who are the white supremacists and "sovereign" citizens? Very far right. Many of these groups are extremely against the US Government, and always have been. Even the very basis of being pro-Hitler and Nazi Germany is deeply anti-American. These guys are sitting around campfires and cursing that the Allies won the war.

Americans have the same sort of feelings about them, as if they were worshiping the Viet Cong or North Koreans bosses and political religion.

Also, while there are plenty of Americans and those around the world genuinely concerned about computer security done correctly, the fact remains: a lot of these alt righters are concerned about computer security and governmental powers there because they are engaging in illegal activity.

Trump has promised to offer intelligence-leo-military extreme powers to find and sort out this manner of activity.

So, as some have remarked about the DREAMers having signed up, probably only to find themselves in trouble, I wonder about the far right among us who are sticking their heads up and starting to wonder if they can not relax a lot.

Putting their names on paper and getting signed up in more public avenues.

Like eager leftists did in the 30s.

But this also takes the wind out of their sails, so they can probably expect a lot among them growing up, like never before, and turning CI on them. Where CI here stands for "confidential informant".


Below, et alNovember 15, 2016 12:33 PM

Get with the program Mr. Above, campfires are for homeless people. Real Americans burn not only money but houses and cars.

Campfires lol, REAL Americans have fire emplacements.

TheGuildsmanNovember 15, 2016 1:03 PM

@ Clive,

You are standing behind me in line at the ATM machine every time I do my banking...


That is not how ATMs are attacked these days, and as Google found high quality security CCTV systems are a permanant feature, as are driver level malware shims etc etc.


You've made my point. In today's world with a skimmer and a hidden camera all you need is one visit to the ATM machine with your 4 digit code and your bank account has been owned.

Which is why I have been asking how many times "they" have to see you enter your GATE pins before they can guess the pass code? Certainly more than one so isn't that a 100%+ security improvement?


If you personaly think it's a good idea you build a product around it and if it gets sufficient users doing sufficiently valuable you will get a fairly good idea as to how fast it will get attacked.

I do intend to follow up with the authors of the system to see what the licensing terms look like and how it would fit in the broader scope of my app.


Put some real skin in the advocacy game you appear to be playing.


Insult me if you like but asking for comments from the "experts" is not advocacy. As I said previously I have nothing to do with the system or its authors. Sorry I asked.

ab praeceptisNovember 15, 2016 1:29 PM

TheGuildsman

I don't see any reason for you to complain about Clive Robinson. He politely told you his view re. the technical aspects and - like myself - he seems to have hinted that you, let's put it like that, seem to be quite defensive about that "gate" thing, even to the point of making him (and certainly me) feel that you are somewhat out of your depth.

He like myself politely provided some food for thought and some hints. All you did was to ignore certain (important) points and to defend your view with, pardon me, no the highest level of expertise.

Whatever, I wish those "gate" people and you the best and lots of success but I reserve the liberty to say what I think. Maybe you shouldn't ask if you are not ready for answers you don't like.

My InfoNovember 15, 2016 3:43 PM

What do you folks think about the freedom to study academic subjects anymore?

I'm talking about this:

https://en.wikipedia.org/wiki/Cabal_(set_theory)
http://www.math.ucla.edu/~ineeman/cabal-seminar.php

And I don't like it a bit. That little clique of researchers is way, way, way too aggressive in protecting its "turf." I'm talking about Edward Nelson's death from a horrible disease when he dared to question Gentzen.

Namely Gentzen proved that Peano arithmetic is consistent based on his principle of "induction up to ε0." Edward Nelson was writing a book to prove that Peano arithmetic is inconsistent based on his principle of "internal set theory." Not only did he die a horrible death, but some of his writings are being suppressed.

https://golem.ph.utexas.edu/category/2011/09/the_inconsistency_of_arithmeti.html
https://web.math.princeton.edu/~nelson/books.html

I have particular difficulty accessing even something like https://arxiv.org/abs/1509.09209
from a university campus wifi. I don't like the sound of the wikipedia writeup, either.

In September 2011, Nelson announced that he had proved that Peano arithmetic was logically inconsistent.[4] An error was found in the proof, and he retracted the claim.[5]

Those references go nowhere helpful to back up the claims. The thing is, I don't like the tombstone symbol "▯" that appears at the end of proofs in modern math books. When Q.E.D. is changed to R.I.P., then another kind of proof appears, and that is beyond a reasonable doubt before "an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, ..."

Clive RobinsonNovember 15, 2016 4:20 PM

@ The Shining Sea,

Am I missing something here?

Possibly...

In some places "bits have real value" and I'm not talking just digital currency.

Some authorities --South Korea being one-- treat anything that can be traded for something of value as having value it's self.

Thus the bits that represent a "magical sword" in a game, where the sword bits can be exchanged for other things bits within the game amongst players or for real money outside of the game etc, the authorities recognise as "property". Thus "ownership rights" etc become valid and transgressions get the attention of the authorities...

The Shining SeaNovember 15, 2016 5:12 PM

@ Clive,

I just find it odd how I guess a public SDK and official software was used for the coin generation?

I think it's a little heavy handed compared to WoW hackers.

I would've expected a CEASE & DECIST considering EA negligently enabled the exploit.

ThothNovember 15, 2016 7:48 PM

@Clive Robinson, ab praeceptis

Frank, TheGuildsman is the inventor of GATE, thus his personal stake, interest and deep knowledge into the system.

Applying for license for a software to the inventor(s) of GATE in Frank/TheGuildsman's original request for help and evaluation is probably false since he likely owns the patent.

Maybe if he is a little more direct and honest, I am inclined to believe that @Clive Robinson and @ab praeceptis would have been a little softer on the approach. There is nothing wrong for patent owners and inventors asking @Clive Robinson and @ab praeceptis for help (especially @Clive Robinson - he's like a walking engineering database of sorts).

Since you (Frank/TheGuildsman) have asked for comments and help, harsh comments and gentle ones will definitely come and you should be expecting it as you have opened "a door of sorts" with an invitation for criticism (both harsh and gentle).

The tell tale sign is a 61 page patent document would not attract anyone's interest because it's too lengthy and unwieldy unless the person has very deep stakes and interest to actually bother to read 61 pages. Most software creators would simply write software and not be bothered about the patents and licenses (usually very carelessly) until they are litigated then do they bother to hire a law to find flaws in the patent documents and read through the 61 pages before mounting a defense.

Also, most common authentication and PAKE methods would still be static passwords because it's the easiest to implement and there is no worries of patent litigations as everyone's using static passwords and is the norm. A developer or a company going to way out of the norm to deliberately use GATE and not static passwords would have to have something so important to protect to consider reading a 61 page patent that cannot easily be found on the Internet web search and must know before-hand the existence of such patent and technology. To consider that they have something so important to secure, they wouldn't be using a generic purpose computer and would move to secure and dedicated hardware systems and special secure offices and environments (usually reserved for Governments) which most people wouldn't even be able to afford or come up with in the first place.

From the depth of your (Frank/TheGuildsman) knowledge of the GATE and your seemingly emotional attachment to @Clive Robinson and @ab praeceptis comments with the fact that your attempt touse alternate identity via first using Frank and then using TheGuildsman nickname while highlighting the comments of Frank and then referencing the Youtube video owner's name as Frank Ni, it is very likely Frank/Frank Ni/TheGuildsman are the same entity. Noting that the video on Youtube was posted on 10th Nov 2016 and probably in some parts of the world it might be 11th Nov or maybe as a preparatory for this discussion, the timing couldn't be so coincidental.

Coincidentally, the patent was filed in 3rd Nov 2015 which is about a year ago and the patent was issued 4th Oct 2016 which seems like the owner of the patent, Min Ni, had decided after 1 month of the issue of the patent to seek out advise I guess ?

It wouldn't be coincidental that the surname, Ni, is the same ?

We likely have the patent owner here asking about the security of the patent's invention and it's fine and good. Due to the secrecy requiring the patent not be exposed while filing (the ills of patent filing), now it's a little too late to look back since money have already been spent filing the patent and doing patent searches and verifications.

Security is an extremely hard field to get right with a 99.99% miss rate and that rare 0.01% that actually delivers good security. The reason that people have not moved away from passwords for weak security and using smart cards, HSMs, USB dongles or even specialized keyfill devices (in high security context) and may even carry security operations in classified security environments (SCIF buildings or rooms or even tentages), is the fact that these stuff works as they were designed. I am not discouraging new inventions in the security field, just that the process of patenting is problematic with the requirement of keeping hush hush and within that timespan, no one could review the security and when the patent passes, the end result is security that does not "cut" as well as intended after review and money has already been burnt during the process.

Should the patent system change ? Yes. It should allow security reviews at least.

Will patent system change ? No. Because the powers that be who profit from the ill and sickly patent system are making tonnes of money off it.

Link: https://www.youtube.com/watch?v=5tAGemIvUeI

WaelNovember 15, 2016 8:30 PM

@Clive Robinson,

It is only the application to passwords that might be considered new...

The disclaimer isn't needed! The idea isn't new even in password applications.

SECUREMATRIX (which I mentioned more than once in the past) has a robust implementation, although it had some minor weaknesses which are probably fixed by now.

TheGuildsmanNovember 15, 2016 11:47 PM

@Thoth


@Clive Robinson, ab praeceptis

"Frank, TheGuildsman is the inventor of GATE, thus his personal stake, interest and deep knowledge into the system."


What a pile of rubbish Mr. Thoth. You've been spending too much time on Breitbart.com or is it www.infowars.com?

I explained my interest in the GATE when I made my first post on Nov 12 asking for comments :

"To my untrained eye it looks like a very interesting solution for password entry and I can see a lot of applications for it. Banking pin numbers, for example.

I would appreciate it if some of the experts could have a look and comment please. I have been looking for something like this for an app I am working on."

Later you asked a short question about all the passcode characters being the same so I went and watched the video, read the website and looked at the patent before giving you a lengthy reply explaining how I thought it worked. Which you never bothered to reply to so I assumed you weren't really interested in continuing the discussion. (I also spent some time looking at your stuff, BTW.)

@ab praeceptis wrote some nice observations, for which I thanked him, but he was referring to the GATE as mine so I corrected him as follows:

"@ab praeceptis

Thanks for your observations. I appreciate you taking the time.

First of all GATE is not mine. I saw the link, had a look and thought I would ask for comments as it appears to satisfy what I consider to be a big problem with a service/app I am considering developing. The problem being the user giving up their password "over the shoulder" thereby allowing access to confidential information, stored on my server, which if divulged would have serious consequences.

I am reading the patent. I will keep an eye open for the answers to the issues you have raised."

@Clive made a comment to which I replied :

"Thanks for your comments Clive. I had the same concern....

So in your estimation how many login attempts would the attacker have to view a) if all 4 valid pins appeared somewhere in the array each login versus b) if the number of valid pins was also random each login?

Perhaps the number is large enough to outweigh the risk especially when compared to your typical 4 digit bank machine pin."

After that question which @Clive ignored I asked @ab praeceptis the same question :

"How many successful logins will you have to watch to be able to guess my 4 pin passcode? Or rather how many times will you have to meet me at the bank, or at the coffee shop, before you can make a reasoned guess? Or before I notice that you are always hanging around."

Then @Clive pipes in with what I considered to be non helpful comments about how things work today followed by a slight if not an insult : "Put some real skin in the advocacy game you appear to be playing."

To which I replied : "Insult me if you like but asking for comments from the "experts" is not advocacy. As I said previously I have nothing to do with the system or its authors. Sorry I asked."

And I also asked the same question again :

"You've made my point. In today's world with a skimmer and a hidden camera all you need is one visit to the ATM machine with your 4 digit code and your bank account has been owned.

Which is why I have been asking how many times "they" have to see you enter your GATE pins before they can guess the pass code? Certainly more than one so isn't that a 100%+ security improvement?"

So far crickets again on that one from @Clive.

Then @ab praeceptis wonders why I am complaining about @Clive and makes some disparaging remarks about my expertise, about which he knows zip, and which I am not going to lower myself to replying to. In fact I can't believe I have wasted this much time writing this reply to you Mr. Thoth.

I repeat I have nothing to do with the GATE system or it's authors. I am a longtime Schneier on Security reader, rarely a participant here. I go back to when it was a weekly mailing list many years ago. I am working on an app. I thought the method of entering the passcode that GATE uses would be good for my app and wanted some opinions. I view the GATE as a data entry solution for passwords, not a security application.

However my rather simple question, asked several times, remains unanswered. So if you feel like coming back to reality perhaps you could take a shot at it. All three of you are welcome and your input would be appreciated.

ThothNovember 16, 2016 12:48 AM

@TheGuildsman

"What a pile of rubbish Mr. Thoth. You've been spending too much time on Breitbart.com or is it www.infowars.com?"

"In fact I can't believe I have wasted this much time writing this reply to you Mr. Thoth."

Thread carefully on how the reply is structured as @Moderator would not always be this kind. You become seemingly attached when mentioned where you could have shrug off all my guesswork (which is not against the forum rules or any rules of sorts).

Back to topic, if you want a password entry, I still recommemd the old method. GATE is highly untested and not proven yet. If you want to risk it and use GATE, a gentle disclaimer on the technology and possible risks should be added. I doubt I would use it since it's security has not been formally reviewed by cryptographers and such.

ab praeceptisNovember 16, 2016 1:27 AM

TheGuildsman (Clive R., Thoth)

For a starter I also responded to your "5 attempts sufficient?" (which was introduced by someone else) and I did that politely and fairly.

We are humans and as such we ponder the motivation of others or their expertise, etc. Certainly a well experienced engineer needs another kind of answer than an amateur. That's neiher insulting nor glorifying, it's simply humand and it's practical.

I agree with Thoth that the way you handled this matter strongly suggest some kind of relationship with the "gate" patent holder. That's not an insult but talking about an impression.

About the only thing you could possibly complain was my "out of your depth" remark, which was in no way meant to insult, to hurt, or to belittle; I was merely telling you my impression based on a series of observations.

Back to zero: You *got* responses. That's quite a lot. I know quite some people of considerably less expertise than Clive R. or Thoth who wouldn't even care to respond. More importantly I know someone in the field with a very high level of expertise whose answer - which he wouldn't care to give to you but rather to his students - would be "If you need to ask questions like that then you should have stayed away from it in the first place".

Here, however, you got responses. Not too positive ones, sure, but you aren't a 5-year old boy asking whether we like the picture you just painted; you are a grown-up adult.

Thoth brought up another interestinmg point, the 61 page paper. Which I didn't read. You see, there is a reason for papers to start with an abstract. That abstract tells us lots; among others it hints at the expertise, the seniority, the capability to express himself and to lay out his thoughts. Expressed somewhat more bluntly it tells us whether we shouldn invest the time in a paper or not.

Whoever did "gate" had a a website for that. He had every damn chance to tell us why we should read the 61 pages and why his "new approach" at "much better security" were to be taken seriously - or not.

If there 1 minor flaw one might say "oh well, maybe a smart port-doc with his feet not yet solidly on the ground" and one might have given a friendly hint. With multiple grave problems, however, at least I saw no other way than to politely and as softly as *you* made possible tell you that you should look for another hobby.

And again you complain and, but that's OK, that amused me, you downgraded us even from experts to "experts". What's the english expression for that? "sore loser"?

I'm heart broken. "expert". Damn it. Now I'll have to try it in a PHP forum to be somebody.

Clive RobinsonNovember 16, 2016 1:31 AM

@ The Shining Sea,

considering EA negligently enabled the exploit.

There are a number of ways you can look at this but it boils down to two basic views,

1, EA got what they deserved.
2, A theft was committed.

The real question though is where does the line between the two exist. That is when does taking advantage of somebody elses error become theft?

I guess it all depends on who you ask and what interest they have in the matter. You ask the authorities and they are very likely due to self interesr pick option two. Many others will just find it funny, or "perks of the job" etc.

If you are a share dealing individual about the only worry you have is the authorities deciding it was "insider knowledge" in some way that you traded on. If however the bank left a pile of cash in a box on a counter and did not pay attention to it[1], and you walked off with it you would almost certainly be prosecuted if caught.

It's the degree that most people get hung up on not the principle. You find a £1 coin in the street, it's your lucky day and it goes in your pocket, but what about an envelope with £500 or there abouts in it, is it still your lucky day?

I've actually had the latter happen to me many years ago, It was lunch time and I was walking with a friend to get a sandwich, when I spotted an envelope on the path. I jokingly said it looks like it's stuffed with money only to have the smile drop from my face when I picked it up and found it was. I immediatly said to my friend "do you know where the local police station is?" as we talked I noticed there was a name on the envelope and as we started to walk down the street a house painter came running up he said who he was and it matched the name so I handed the envelope over. You have never seen a more thankfull looking guy, he had apparently started the job and was expecting a cheque, but the lady who he was working for gave him cash instead and it must have fallen out of his pocket when he was moving ladders and paint pots out of his van.

[1] Unbelievable as it sounds this has actually happened at a UK Post Office...

name.withheld.for.obvious.reasonsNovember 16, 2016 2:10 AM

A suggested topic of research for IoT devices, this will keep a few post-grad doctoral thesis students busy...

RESEARCH FIELD/DISCIPLINE:
Computer Science, Engineering, Systems Design

RESEARCH SUBJECT AREA:
Embedded Control Systems, Wide Area Networks, IoT Devices

RESEARCH TITLE:
Asymmetric Methods for Affecting Kinetic Events via Logical or Virtual Components

ABSTRACT:
The 21st century heralds an era where the proliferation of network computing devices capable of interconnecting with an astronomical number of other similar devices represents a need for robust investigation.

Under a scenario which includes a smart phone, tablet, and laptop as part of a residential environment, a method to use asymmetric capture of systems, networks, or devices within the prescribed environment.

1. Discovery requirements; known control or computation device which is commanded using audio signals (Siri, Lexi, etc).

2. Instrumented digital media recording/data store including a "cookie" or "tagged" audio channel. Encoded audio channel consists of audio command sets.

3. For deep penetration one stage of the scenario might include a passive audio sampling stage that characterizes the target's (used to put words into someone's mouth) speech patterns.

4.Simple phishing, including spear, linking victim to media source (embedded IFRAME for example) containing the URI for the aforementioned media component (phase 2).

5. Any series of control commands could be issued from a p0wned device (prescribed environment) uttering..."Alexi, start my Tesla X".

6. These vehicle in stage 5 is attacked from a device available in the prescribed environment (phone/laptop, etc).

To summarize:

Compromise a host contained with a "home network" comprised of other host devicess and includes an automated home control environment. Use the compromised host(s) to perform deeper penetrations by using the command responses to audio directives issued by the compromised host/device.

RatioNovember 16, 2016 2:38 AM

@ab praeceptis,

I know about that trick to explain that he is not the president-elect as long as he is not elected by the EC.

It's not a trick; it's the electoral process.

But first, that's hairsplitting, and second that's at least partially wrong. He has been elected (via EC ratio) and is hence the president-elect. clinton submitted, obama accepted the result, period, case closed.

Hairsplitting is making a whole big deal out of somebody writing presumptive president-elect instead of president-elect. Yes, in practice there's very little difference, but the former (not the latter) is the technically correct description.

He hasn't been elected: the Electoral College elects the President of the United States, and the electors haven't voted yet. (And no, they are not required to vote for the candidate for whom they've pledged to vote, although in practice they almost always do.)

What Clinton and Obama say doesn't matter. (Politically yes, legally no.)

Conslusion: Krebs is technically correct in his description. (Think all that's wrong? Look. It. Up.)

More importantly - particularly for this technical blog - however is how conveniently you ignore the other, more technical issue.

I conveniently ignored the name-calling and speculation without any evidence, yes. It doesn't add anything.

By the way, this is the paragraph you quoted and which you decided was sufficient to know what's going on:

Less than six hours after Donald Trump became the presumptive president-elect of the United States, a Russian hacker gang perhaps best known for breaking into computer networks at the Democratic National Committee launched a volley of targeted phishing campaigns against American political think-tanks and non-government organizations (NGOs).

But you (conveniently?) failed to mention the first sentence of the following paragraph:

That’s according to a new report from Washington, D.C.-based cyber incident response firm Volexity.

So, a journalist (Krebs) writes a story based on a report by some cyber-whatever firm. I'm shocked.

ab praeceptisNovember 16, 2016 2:59 AM

Ratio

I was already waiting for that from the man/woman who does not contribute much (to put it very diplomatically) but prefers to attack others and to split hairs.

As for "president-elect" - that's how the current still president called him publicly. As did hundreds of us-american "journalists" and politicians. Who am I to know better than them. Write them a letter how stupid they are and how they got it wrong.

As for krebs and your funny attempt to paint it nicely by explaining that krebs did not do his own research - which you implicitely stated - but that he rather merely blabbered based on the blabbering of some "cyber incident response firm" (volexity):

Oh well, now I'm impressed. You are simply trying to argue by "authority" name dropping.The problem being that blalexity is no authority whatsoever.

So, where's the proof that blalexity provided? They did provide proof for their attribution, right? Because if they didn't then blalexitys attribution is but blabla (which then was repeated and "enriched" by krebs).

So, where's the proof?

(Hint: There might be a reason real professionals knowing what they are talking about are explaining over and again that attribution is *hard*)

Clive RobinsonNovember 16, 2016 4:09 AM

@ TheGuildsman / Frank,

So far crickets again on that one from @Clive.

Are you paying me for my time and underwriting any liability I might incure?

No you are not, so there is no contractual agreement between us. As they say "Nothing offered, nothing gained". You could invest some time in learning some combinatronics and get the answer yourself, but you appear not to want to do (It might be pertinent to ask why that would be?)

So give me a valid reason, "Why should I do as you ask?"

Likewise "Why should I give you priority over others on this blog?"

As I said "Put some skin in the game" go pay somebody to do as you ask, but you might be shocked at what the commercial rate would be and the contractual terms. Or you could invest in your own future by doing some learning.

Or as you appear so keen on the system it looks like you are advocating for it, and you don't want to put skin in the game you could just take a flyer on it...

As I indicated just build a system on it and put it into use where value is involved. Then wait and see how long before it gets attacked and the value misappropriated successfully, it it does you then have some losess to deal with. But that is the way much of the industry appears to play it.

Of course if you are not the patent holder then you will have to organise a technology licence and that could be very expensive... If you don't you've already admitted to reading the patent so there is that three fold multiplyer to consider.

So if you think on it for just a few moments you will realise why our host has said in the past he does not read patents, and why many on this blog do likewise, and why anyone you approach is going to ask a lot of you financially and contractually. The simple answer is we do not want the downstream liability, or we wish to be covered for it.

So unless you drop the idea, it might not be skin you put in the game it could be your whole hide...

At the end of the day the choice of what you do is yours to make not mine or others on this blog, so go make it and move on.

RatioNovember 16, 2016 6:43 AM

@ab praeceptis,

I was already waiting for that from the man/woman who does not contribute much (to put it very diplomatically) but prefers to attack others and to split hairs.

No attack on anybody, no name-calling, no nothing. Okay, a tiny tease echoing the conveniently from your comment. If you think you saw more than that, cite me doing any of that. Otherwise, stop projecting and stop whining.

Hairs were split when more than half of a ~250-word comment was used to comment the presence of a single word. My initial reply was a suggestion to get acquainted with the Electoral College, in all of five words.

After another ~300-word comment from you, I provided you with a factual and more detailed response in less than 200 words (plus a couple of quotes).

So now I'm replying to another ~200-word comment. That's your metric for contributions? Bulk? De gustibus non est disputandum...

As for "president-elect" - that's how the current still president called him publicly. As did hundreds of us-american "journalists" and politicians. Who am I to know better than them. Write them a letter how stupid they are and how they got it wrong.

Nobody said anybody was stupid. Stop projecting.

Who are you to know better than Obama, "journalists" and politicians? That's what you say just before going on to claim you do know better than another "journalist"? Don't you think that's a bit transparent?

You could have found out how it all works if you'd cared to. I suggested you'd do as much in my initial comment.

As for krebs and your funny attempt to paint it nicely by explaining that krebs did not do his own research - which you implicitely stated - but that he rather merely blabbered based on the blabbering of some "cyber incident response firm" (volexity):

Oh well, now I'm impressed. You are simply trying to argue by "authority" name dropping.The problem being that blalexity is no authority whatsoever.

Krebs wrote his story based on somebody else's research, no?

When I say a report by some cyber-whatever firm, you think I'm trying to argue by "authority" name dropping? I don't even...!?

So, where's the proof that blalexity provided? They did provide proof for their attribution, right? Because if they didn't then blalexitys attribution is but blabla (which then was repeated and "enriched" by krebs).

Of course. I saw little hard evidence in Krebs' story (although I haven't looked carefully, for whatever that's worth). I've never claimed otherwise.

And that's precisely why I conveniently ignored the rest of your comment: there wasn't much substance there either. Blabla is the technical term you use, I think.

ab praeceptisNovember 16, 2016 7:39 AM

Ratio

"stop projecting and stop whining" - funny, coming from you who is wading in a stream of projections (like me whining).

But thanks for finally accepting that "president-elect" is not an inadequate term, albeit doing that rather indirectly. Anyway, you accept that the acting (pun intended) president and many other well known (assumedly not particularly stupid) us-americans use that term and hence it can hardly be held against me.

But hey, as it seems to mean so much to you, here you are: I can not prove that krebs malevolently used the term "presumptive". It just happens to fall in line with what I can and did prove, namely that he malevolently and very unprofessionally made allegation without so much as a shred of evidence, let alone prove.

As for krebs you also concede, albeit also rather indirectly and not without trying to spit some more poison.

Nice to see that we agree that krebs - which was the point I brought foward - has a) no proof whatsoever for his blunt and ridiculous allegation ("the russians!!!") and b) lousily fails to come even close to any acceptable high-school level.

As you like brevity, I'm wondering why you waste so many words to say that I was right and that krebs blabbered, just to somehow contort it in a way that makes it look as if you were right and I were wrong.

I suggest that we end this. You won't win your game, not even if hell freezes, and I have no interest whatsoever in private wars with what I perceive as an irrelevant but annoying "wikipedia beancounter editor".

Have a nice day.

TedNovember 16, 2016 9:41 AM

DHS releases “Strategic Principles for Securing the IoT” on November 15.

From the AP article: "In world of internet-enabled things, US says security needed"

“To prevent more attacks, the government must increase security regulations for "what are now critical and life-threatening technologies," according to Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School and a well-known cybersecurity expert.

"It's no longer a question of if, it's a question of when," Schneier said in prepared remarks for the hearing.

Nick PNovember 16, 2016 10:02 AM

@ Ratio, ab praeceptis

A nice video explaining the Electoral College plus why it existed in first place. We vote for which electors will be chosen. The electors then vote for who will be President. In some states, the electors can also vote arbitrarily where they contradict what the people wanted. It's happened a few times in history. That means Americans don't actually vote for President. Their votes also only count in states where electors are forced to vote same as popular vote. In others, only the electors' preference counts.

RatioNovember 16, 2016 10:15 AM

@ab praeceptis,

"stop projecting and stop whining" - funny, coming from you who is wading in a stream of projections (like me whining).

You claim that I do what I don't do, but you actually do do. (The post I'm replying to has new examples of you doing this sort of thing.) That's called projection.

You have also claimed (at various points, not just in this discussion) that I attack you. Since I'm neither attacking you nor have attacked you, that's whining.

But thanks for finally accepting that "president-elect" is not an inadequate term, albeit doing that rather indirectly.

Ehhhm, no. Did you read what I wrote? Here's the relevant part with added emphasis:

[...] presumptive president-elect instead of president-elect. Yes, in practice there's very little difference, but the former (not the latter) is the technically correct description.

You want to go off on a rant over the presence of one word and what those 11 letters imply and on and on...? Then you're all about details and it's presumptive president-elect. Can't have it both ways.

Anyway, you accept that the acting (pun intended) president and many other well known (assumedly not particularly stupid) us-americans use that term and hence it can hardly be held against me.

No, I don't. I think that's a ridiculous argument and I've told you as much.

It's especially ridiculous considering that it is what you're faulting Brian Krebs for: repeating second-hand information that may be wrong. (And that is at best, if his story turns out to be factually incorrect. At worst, it's a whole new level of hypocrisy.)

But hey, as it seems to mean so much to you, here you are: I can not prove that krebs malevolently used the term "presumptive". It just happens to fall in line with what I can and did prove, namely that he malevolently and very unprofessionally made allegation without so much as a shred of evidence, let alone prove.

Nonsense.

As for krebs you also concede, albeit also rather indirectly and not without trying to spit some more poison.

Not changing my opinion is hardly conceding.

Nice to see that we agree that krebs - which was the point I brought foward - has a) no proof whatsoever for his blunt and ridiculous allegation ("the russians!!!") and b) lousily fails to come even close to any acceptable high-school level.

We don't agree on what you describe here.

As you like brevity, I'm wondering why you waste so many words to say that I was right and that krebs blabbered, just to somehow contort it in a way that makes it look as if you were right and I were wrong.

Where do you get that? In a nutshell:

I said Krebs was technically correct about Trump being presumptive president-elect and that I found the evidence presented for his story rather underwhelming (although, again, I haven't looked too closely).

I also said your statements about the whole president-elect thing were factually incorrect.

That's it.

I suggest that we end this. You won't win your game, not even if hell freezes, and I have no interest whatsoever in private wars with what I perceive as an irrelevant but annoying "wikipedia beancounter editor".

Your disdain for factual information has been noted.

@Nick P,

I'm aware of that. Thanks all the same. :)

ab praeceptisNovember 16, 2016 10:59 AM

Ratio

So many words from you? One and a half buckets ...

As for the rest, believe whatever you please. Your personal kink has already got way too much attention and time - and contributed 0.0 to the discussion or the community.

WhiskersInMenloNovember 16, 2016 2:54 PM

Hacked inexpensive android phones from China... :(

Security researchers from Kryptowire discovered the alleged backdoor hidden in the firmware of many budget Android smartphones sold in the United States, which covertly gathers data on phone owners and sends it to a Chinese server without users knowing.
https://thehackernews.com/2016/11/hacking-android-smartphone.html
-- and --
http://www.kryptowire.com/adups_security_analysis.html

This is interesting... I can install a firewall and inspect all my outgoing data and
whitelist sites with a home or company router.
This uses the cell network and beggs a bad answer that cell networks should be managed
and filtered.

Researchers clearly need a managed cell router and filter but who else does.

This discovery should not be news to US TLAs. If it is news to the TLAs they have been asleep
at the wheel. The timing of the message dumps ....The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other PII data implies long term testing to discover traffic is necessary.

After checking the validity...
It seems that telco providers in the US should ASAP block these sites:
bigdata.adups.com (primary)
bigdata.adsunflower.com
bigdata.adfuture.cn
bigdata.advmob.cn

ThothNovember 16, 2016 7:17 PM

@WhiskersInMenlo

Not surprisingly. This could be one out of many companies engaged in such exflitration attempts. There is CarrierIQ and now Adups and who knows how many more of these firmware-based backdoors (or even hardware-based backdoors) would exist (even for well known phone makers).

Can we simply trust Samsung, Apple, Google Pixel, LG et. al. ? No. In fact the first reaction should be we cannot even trust them remotely. Expect anything on your phone to be a gone case.. as they are untrusted devices.

TimNovember 16, 2016 8:57 PM

Just reading the November IEEE "Spectrum" magazine (good issue!), there is an article about solar power inverters destabilizing the grid. Case study in Hawaii was mentioned, they are were able to tweak the "smart" inverters to solve the problem (hooray for solar)! But on pg 46, they casually mention that they remotely updated the programming in 800,000 inverters (customer owned I think - was there a contract clause for that?) to solve the problem.

I wonder how good their authentication is? Implied here is that a hacker could potentially do the same with malware, and cause the severe damage to appliances and systems that they were trying to prevent...

Tim

Who?November 17, 2016 4:09 AM

@ The Shining Sea, Clive Robinson

...not to say lots of stupid apes change real currency to "virtual" currency, making the owners of the game richer.

Clive RobinsonNovember 17, 2016 4:17 AM

This has all the hallmarks of a realy effective attack...

https://github.com/samyk/poisontap/blob/master/README.md

Like other "Evil Maid" attacks it requires what was once called "front pannel access" but these days should more rightly be called "Tradesman's Rear Entrance", due to the way what is a very low priority gets to control the system which leaves you totally 13u99ered.

Clive RobinsonNovember 17, 2016 7:44 AM

FORGOT to add to my above,

You can read another take on the Backdoored Android Phone here,

https://hackernoon.com/no-one-cares-about-the-security-of-your-unlocked-android-phone-cd8ad4aae4c5#.xvdmxs2g7

Note that it's the chip manufacturer and they are a repeat offender at this behaviour, and that Google have tried to stop them in the past...

It does not matter if the purpose of the backdoor is espionage or privacy breaching to market for profit it raises an issue that could get as bad as the IoT issues we have recently seen.

Unlike IoT devices where the end user can install a firewall or other --WiFi based-- instrumentation between the rogue device and the Internet, for most people there is no way to detect let alone stop rouge packets[1] from smart phones etc.

Of course there may well be a more serious secondary issue, any such software backdoor is not likely to get high quality review, therefore it is very likely it will provide others with fresh attack vectors.

[1] Yes you can use some kind of RF monitor close to your smart phone, but it's unlikely that anything most people can either afford or understand --enough to use[2]-- is going to give you sufficient information to take action on rouge behaviour.

[2] There are "Software Defined Radio" (SDR) dongles that cover the necessary RF bands, with enough IF bandwidth to decode the data (it's what your broadband modem is). However geting them to behave as "instrumentation" is not at all easy, and the manufacturers like the FCC etc strongly discorage such activities.

ThothNovember 17, 2016 7:45 AM

@Clive Robinson

Tor blog mentions:

"verified boot security"

I think you may have noticed my recent ranting about ARM TrustZone as insecure and potentially a plausible hardware-based backdoor if Qualcomm et. al. decides to do so. No such thing as verified boot or maybe verified booting of potentially backdoored system :D .

Forget about any ARM A series chip. Those are potentially dangerous if the user is not able to control the TrustZone bootloader RSA keys. Software security is pretty useless when the hardware chip (ARM A series) can hold double OS (userspace Android kernel and a TEE-OS TrustZone kernel) and the fact that the TEE-OS kernel is the "super duper root" and has control over the entire syscalls essentially and is beyond the user's control (if they do not have control over the TZ RSA key) is purely useless for any reasonable security.

The link above proposes a method that is already insecure from the outset.

Clive RobinsonNovember 17, 2016 8:02 AM

@ Thoth,

Forget about any ARM A series chip. Those are potentially dangerous if the user is not able to control the TrustZone bootloader RSA keys.

Yes and I suspect it is the case for most systems Android will be run on as well.

On a side note one of those jaded old neurons in my brain just lit up with an idea that might actually be doable in a short time...

You may have heard of Samy Kamkar's "PoisonTap", the details of which can be found at,

https://samy.pl/poisontap/

If you read down it you come to this interesting statment,

    Because of this, all Internet traffic goes over PoisonTap, even though the machine is connected to another network device with higher priority and proper gateway (the true wifi, ethernet, etc.)

Bingo how to give your phone a real firewall using a Raspberry Pi Zero and a cable for less than $10 of hardware...

PanopticonNovember 17, 2016 2:33 PM

@ Clive Robinson
Re: UK Snooper's Charter
In recent weeks in Canada, the RCMP (the Mounties, the federal police) have been lobbying for blanket surveillance powers, including bulk warrantless collection and archiving of all electronic communications of all residents of Canada. It's being touted as a common-sense law enforcement measure.
Few people in Canada seem to be aware of just how dangerous this is.
The police have also been asking for the power to request people's passwords and encryption keys, and there's talk of banning strong encryption.
I doubt much will come of it, but the fact that the federal police are floating these trial balloons is alarming.
I think there's a public comment period on this topic and on Bill C51 until December 1. Bill C51 defines "terrorism" broadly to include political advocacy, legalizes some forms of extrajudicial punishment, and relaxes some privacy protections. How quickly people have forgotten that the national security agencies can become a bigger security risk than the baddies they are supposedly protecting us from.

tyrNovember 17, 2016 5:26 PM


@Clive

I appreciate the ideas for Kamkars latest, that's
how to view such innovative things. make them work
for you instead of against everyone else.

The eminence gris of Trump showed up on RT TV today.
Woolsey, who didn't do to well as he exposed his
ideas as the propaganda of mid 20th century fables.
I wondered where the spook in the closet was after
the election results, now we know. Whether he will
update his thinking to what is needed for the 21st
century is highly unlikely. Politics like science
advances one grave at a time into a future no one
expects.

I am sad to see May saddle the UK with that snoopers
charter crap. I 'd like to see a measure of the loss
of bandwidth involved in these mad schemes of data
collection that all governments seem to think are of
some use. They all run afoul of Sturgeons Law as he
carefully explained "90% of everything is crap".
I'm not sure that still holds for Web/Net traffic,
my own estimate is closer to 99% is crap due to ads
and their bizarre tracking schemes.

I did have a thought that a DDOS launched from the
inactive cellphones might make the IoT attacks pale
into insignifigance by comparison.

ThothNovember 17, 2016 5:46 PM

@Panopticon

Good luck banning strong encryption. To ban strong encryption is like mashing up people's brains since if an algorithm is banned, people will eventually create even stronger algorithms with stronger properties. It's an arms race and intellectual creativity and expression cannot simply be restrained by a pointless ban.

The best way to not be able to release secret keys is to not know the secret key on the first place and smart cards can aid in this aspect by holding a randomly generated key while the user only needs to remember a password. The password gets stretched and hashed to the same length of a desired key length and merged with the random key held by the smart card via using the user's password to encrypt the random key and thus forming the master key within the confines of the smart card. This would effectively making knowledge of the password useless by itself. And to add a little spice, to setup a second "duress password" within the smart card. The smart card would quietly detect if the "duress password" was submitted and if so trigger a self-destruct function that wipes all the keys on the card out. Due to the smart card being a tamper resistant security device, no one including the owner knows the exact state of the card (whether duress function was used or not and he original states of the card). This provide the advantage of not being able to predict the smart card's current state and hence no one can tell if that card being used was the actual card holding certain keys which makes forensics a pain.

And for those who immediately jump on these cards and call it Eurotrash, it seems these people have no experience working with these cards, never read the ISO7816 standards documents and neither read the GlobalPlatform standards document either.

In fact, I am developimg a smart card based file encryption program called GroggyBox based on the above idea. It is still in development stage for now and slowly being worked on.

Clive RobinsonNovember 17, 2016 5:56 PM

@ tyr,

I did have a thought that a DDOS launched from the inactive cellphones might make the IoT attacks pale into insignifigance by comparison.

Yes because it will "bite both ways". The normal M.O. with a DDoS is for the botnet zombie to trigger a cascade via an amplification attack. However the difference in mobile broadband bandwidth and cable/DSL bandwidth is about the same as the ampification value.

Thus the result is a Double DDoS attack, the one after amplification at the intended target, and the unintended one of the mobile network service... As the old saw has it "Misery loves company".

ThothNovember 17, 2016 7:38 PM

@all

The best way to prevent a torrent tracker that has been taken down to cause a lost of content is to "Cross-Share" tracker information between all trackers. What is not available is a "Bridge" to allow different types of DHT schemes, trackers and nodes to be truely distributed and independent via being able to have their own format for their own tracker and DHT programs but also able to reach out to other trackers, nodes and DHT programs of different formats and schemes to cross-share information so that in the even a tracker is raided, the other trackers are there holds the most recently shared information.

To protect the integrity of the tracker information, cryptographic signing with RSA keys held in tamper responding smart cards with self-destruct functionalities can be used as an additional integrity protection mechanism so that when the tracker is raided, the owner can trip the tamper switch or the tamper mechanisms can be tripped by those who raid the server. Of course as per usual, cryptographic signing does not mean the contents in the torrents are safe from malware. All it does is telling the people who download it that the file's integrity is intact (or not).

Link: http://arstechnica.com/tech-policy/2016/11/worlds-largest-music-torrent-site-goes-dark-after-french-police-seize-servers/

WaelNovember 17, 2016 7:56 PM

@Thoth,

And to add a little spice, to setup a second "duress password" within the smart card. The smart card would quietly detect if the "duress password" was submitted and if so trigger a self-destruct function

Be careful! That spice might make you suffer the next day! It's a vector of DOS ;) use it sparingly, unless you have the digital equivalent of a Sitz Bath ;)

ThothNovember 17, 2016 8:32 PM

@Wael

That's the reason why smart card keys are usually backed up with another smart card that is stored offline. That brings in the question what happens if attackers manage to capture the second smart card and this is when the second smart card should have a different duress code that can be mostly similar to the first one except some changes (i.e. changing the last code digit). The PINs are retry limit protected so the worst case is you force the attacker to try all combinations until either they hit the correct password, the duress PIN or hit the limit of retries which if they are lucky to hit the password, that's good for them but if they hit the retry limit or duress PIN, it wipes the card.

The worst case is paper backup of the card hardware key and split sharing.

WaelNovember 17, 2016 9:29 PM

@Thoth,

That's the reason why smart card keys are usually backed up with another smart card that is stored offline.

Offline, or offsite?

The PINs are retry limit protected so the worst case is you force the attacker to try all combinations...

Under duress, the "captors" will not do that! They have you, the smart card, and a few shiny objects. They won't waste time and you had better play ball or... they'll make sure you have a groggy day ;)

The worst case is paper backup of the card hardware key and split sharing.

But you don't know the hardware key, remember? How would you put it on paper?

ThothNovember 17, 2016 10:39 PM

@Wael
re: Backup key
The key will sit inside the card and the card taken offline. Of it is a backup card, you can take it offsite and keep the backup somewhere else.

re: Hardware key
There will be a load key function in case users don't want to use a random key and on top of that it has a hardware to hardware backup feature planned.

re: Make one groggy
The attacker has to figure which card has the applet and which of the many cards a user carries is a GroggyBox capable card and on top of that if the user carry multiple cards with the same applet, the attacker has to figure out which of the many GroggyBox card instance is the one used and on top of that the user could carry the card without loading/setting up the card which essentially is useless in itself. The attacker when given a PIN or password will not know if it works or not until they try which have a high chance of tripping the security traps in place and talk about de-caps a ping, I have spoken to a person who run business in reverse engineering and chip decap and to decap a smart card chip, the known baseline is to supply at least 10 working copies and the hit ratio of recovering anything of the secret key is very low. On top of that, of the user mkes 1 backup card and has 1 main card, the chances of getting the hardware key is still too slim of a chance according to the person I spoke to. An attacker who really wants the key will not do decap and probably would use torture and that's where feeding them wrong PINs, passwords and such would make their life even harder. Sure, they can torture the hell out of their victim but there is a 'what if' the victim resist and dies during torture and they are back to square 1. Duress security is meant to be a Mutually Assured Destruction mechanism where the victim knows he/she would not make it out alive with good certainty and if they are willing will definitely ensure they make heir attackers' life a pain which would in itself achieve the goal it was set in the first place ... Mutually Assured goals. If the encrypted data is of extremely high value, the value of the sacrifice would be well worth in the data's protection.

If you are a journalist trying to protect extremely sensitive details that can impact lots of lives, the destruction of the key would probably be worth it at whatever cost it takes.

Clive RobinsonNovember 18, 2016 2:31 AM

@ Panopticon,

The police have also been asking for the power to request people's passwords and encryption keys, and there's talk of banning strong encryption.

This appears to be the original UK ACPO[1] "wet dream" that the then UK Home Office Minister David Blunket under the "grinning japanapes" Tony Blair PM tried to make law with the original RIPA back last century.

There are various ways around it that @Nick P, myself and one or two others discussed a long time ago. Since then other people have come up with their own ideas, some good some bad, and some sufficiently labyrinthine to be unable to say...

On the "ban strong encryption" side, what they realy mean is to stop mass production Fast Moving Consumer Electronics (FMCE) having strong crypto, and making the manufacture of such devices the equivalent of munitions or WMD. Thus step one in the ACPO "Rights Stripping" plan of "Do as we say or rot forever" which you find in the likes of tyrannies and far right states. However as I've pointed out in the past the strongest of encryption systems are the paper and pencil One Time Pads/Messages, which require no electronics to use.

Hence step two of the "Rot Forever" ACPO plan of "give us the keys" or do big time. Again there are simple ways around this, one of the prerequisites of OTPs is the immediate destruction of the KeyMat after use to prevent accidental reuse. Thus once decrypted the keymat is not expected to be reused, which leaves the "plain text" issue.

Plain text is step three in the ACPO plan of rights stripping, which is the whole point of the previous steps, they demand the right to all papers and documents that exist or "might have existed". Not having them means you have "Destroyed Evidence" contrary to other legislation. Thus they are using the usual anti-encryption argument of "If you've done nothing wrong..." in reverse, saying "If you are hiding information it must be because you are doing wrong, prove that you are not" otherwise "Rot forever"... which turns more than a thousand years of jurisprudence on it's head, something that Tony Blair and the man who he used to live with "Charlie Falconer" were only to happy to do with considerable overkill thus stripping of rights for the non elites...

There are ways around all these steps but, they require carefull planing and considerable preperation and faultless execution. Whilst not impossible to do, it's getting close which is the whole point of the ACPO plan. Which is much the same idea as the US has with stopping the non elites using their 5th amendment rights.

Such things are a logical conclusion when the faux democracy of "Representatives" who can be "influenced by a few" crosses the line into a tyranny. Where the abuse of power is such that a few place themselves above censure and wield guard labour and the judiciary as their personal weapons for maintaining their position.

[1] The Association of Chief Police Officers (ACPO) is "the public face" of a rather nasty cabal of lobbyists and think tanks, that on analysis has far right wing views and maffia like behaviour that is totally incompatible with any democratic society.

ThothNovember 18, 2016 4:23 AM

@all

Google lands ban hammers for those who "wittingly or unwittingly" trade or transfer their Google Pixel phones. E-Witch Hunt on the move. Those that have their Google accounts blocked by Google are not able to access their Google based cloud and social services and their Google email accounts (which is as good as crippling them from payments, important messages and more).

Links:
- http://www.pcmag.com/news/349675/resell-your-google-pixel-get-locked-out-of-your-account
- https://www.theguardian.com/technology/2016/nov/17/google-suspends-customer-accounts-for-reselling-pixel-phones

ThothNovember 18, 2016 5:34 AM

@Clive Robinson, Figureitout, ab praeceptis

I am thinking of adding another layer of security besides duress PIN to my GroggyBox smart card applet. I call it Black mode which takes the idea from the Red/Black separation where Black refers to an inert crypto key that is useless.

The idea is to allow users to set the card to Black mode where the card appears to be empty and the user has to re-initialize the card except for the fact that it is not truely an empty card. The user during the re-initialization would as usual supply card password/PIN (abbrev. to PIN) but the trapdoor is in the PIN. If the user supplies the same PIN as the actual PIN, it immediately breaks out of the Black mode and "unblocks the card". If the user supplies a different PIN than the actual PIN during the setup stage while the card is in Black mode (a.k.a lockdown mode), the entire card's keys are zeroized on the spot (hopefully the user has a backup card somewhere).

A sample use case is when a journalist is travelling through international borders, they can set the card to Black mode so that when they are searched, it will only reveal an empty card that has no keys in it and are generally safe. Even if the journalist has been coerced to setup the card in front of the captors and assuming the journalist have a backup of keys somewhere, the journalist could trigger the trap in Black mode via entering a different PIN (so as to wipe the card) and then when moved to a safer location, re-load all the old working keys in safety.

I think the logic codes should be rather simple (just a bunch of if-else in Java and a spare key slot and PIN slot).

ab praeceptisNovember 18, 2016 6:37 AM

Thoth

Careful, man! I see you getting near to the unwieldy zone. Complexity, e.g. by adding this and that, is bringing along slippery grounds.

This may well be my own failing to properly understand you, but: What's the threat model of your whole smartcard thing? Evil bordergards acting as frontmen for fbi, cia? Evil Hackers? The occasional criminal? And what do you want to protect?

We developers are all in danger of becoming prey to the luring "I could/should add this and that too" seduction. What were ropes and a mast for Odysseus (the sirens ...) for us is a clear cut threat model and a clear cut solution/defense model.

Moreover I see you somewhat crippled due to smartcard personality disorders (the smartcards, not yours). You can't get at the metal if I got that right. You'll have some layers between that (reasonably assumed to be) secure chip and your code.

As for your red/black mode I woudn't have black empty. Psychology. Give that inquisitive us american nothing and he'll stay hungry and in a bad mood. I'd rather feed him (with worthless sh*t). ("Yes sir, but you should ask/tell that to those idiotic jerks in our building management. Probably it's crap anyway, Me only know I have to plug in that card and to enter the PIN I just told you and the door opens").

Clive RobinsonNovember 18, 2016 6:57 AM

@ Thoth,

I am thinking of adding another layer of security...

Whilst from a security perspective that is an additional usefull feature, it may not be a good idea from the human side of things.

Human beings are both creatures of habit and creatures of "memory muscle" / "Monkey brain" behaviour.

That is "that we don't practice is awkward" and "awkward behaviour is easily spotted" by even a moderatly practiced observer.

Thus say a journalist will stop thinking "Press 1 then 2 then 3 then 4" for a common used PIN and treat it the same way as typing a word, fluidly without thought or hesitation.

This difference in behaviour can be easily provoked in others by someone who has seen such cards before and is thus suspicious. Thus the journalist or whatever inadvertantly "gives the game away" to the suspicious observer, who then knows to give the unfortunate journalist a "deep cavity inspection" or worse looking for the other card/cards. Which when found (and they will be) is an automatic "Go straight to jail do not pass go or pickup £200" if they are lucky, if not they may well become "pig food".

Some while ago @Nick P, myself and one or to others pondered this issue. I concluded that the only way to do it was to use "M of N secret sharing" techniques from two or more other jurisdictions than the one you were entering/in, done in such a way that you could not be coerced into doing things from that jurisdiction.

There are various ways that a hardware device can be designed to enable this behaviour such that it has no keys untill the M secret shares are received by it, which means even the luckiest of the most skilled de-cappers can not get the key untill after the keys are received, and more importantly the keys do not need to be persistent in any way.

Such hardware won't stop you ending up being a guest for dinner down at the pig farm, if that's what that jurisdiction thinks should be your chosen fate, but it will limit the damage, they can do to others.

ab praeceptisNovember 18, 2016 6:58 AM

Addendum:

Apologies. Last paragraph of my reply to Thoth ..."inquisitive us american nothing" should be "inquisitive us american border guard nothing".

I'm afraid some alzheimer or something is eating away from what little brain I had.

Clive RobinsonNovember 18, 2016 7:13 AM

@ Thoth,

Those that have their Google accounts blocked by Google are not able to access their Google based cloud and social services and their Google email accounts...

This may not be legal in some jurisdictions, nor for that matter Googles contract with gives the "Disputes have to be mediated in..."

Up untill recent times the third party doctrine used to be the touch stone of re-selling physical goods. It's also enshrined in WEEE legislation, where "bricking" a device or in some other way preventing it from being recyclable as a functioning unit is illegal.

At some point Google or similar will get their chain jerked by someone pushing it through court. HP had to recently backdown over third party / recycled printer cartridges, and I can see trouble brewing for them over pads and smart phones over locking out hardware owners by claiming US DMCA / 1201. I'm guessing it's more a question of "when" the get hit, not "if".

Nick PNovember 18, 2016 3:44 PM

@ Clive

I've been on it and Hacker News repeatedly since around noon. Mainly on the threads about Kaspersky's secure OS. Here and here. I can't wait to shred, err see, the details of how they made it so secure. ;)

ab praeceptisNovember 18, 2016 4:04 PM

Nick P

Indeed. I saw the code screen and just thought "secure? Yeah, right ...".

The problem is that major parts of the commercial sector in Russia seem to be pretty hooked on C/C++. Which in part makes sense as their bet is that their programmers are way better trained and disciplined than most western coders. But there is only so much being well trained and disciplined can compensate for...

What would indeed have interested me, however, was the box he held. That manufacturer is very well known there and well established and also builds quite some products based on russian processors.

Have a good shre^H^H^H^H inspection time and be sure to share the funniest parts with us.

ThothNovember 18, 2016 6:40 PM

@Nick P
With all those Secure OS, the world is still not any safer digitally. NSA is still a leaky ship with dozens of "exit holes" despite it supposedly fielding all those Data Diodes and maybe even microkernels which are more formidable than what civilians have.

Security is getting worse and nothing's getting better especially the introduction of IoT.

I wonder where did all the Secure OS and HSM/Smartcards/TPMs go to with all their promises. The problem with Secure OS is either the hardware is already problematic *shrug*, the software/OS is problematic *shrugshrug* or it's a problem to use *puts hands in the air*. Same problem with those secure hardware as well and yes, I am shooting myself in my own foot deliberately by making this statement on secure hardware.

Not many people and corporations use Secure OS and let alone truely secure spplications and hardware. What do we see in the market ? Insecure OS 99.99% of the time with Windows and Redhat for enterprises and Windows and MacOS for the home users and fashion industry.

Oh there is Qubes, OpenBSD, GRSecurity and PAX security enhanced kernel for Linux at the very least before we step into more secure architectures like separation microkernels with and without security ratings... most people don't care and don't use them. These are the minority 0.0001% of human population that bother to deploy them and even smaller that bother to live with them for a long time.

Secure hardware is not looking any better. Anyone bothers to even try to use a smart card for OpenPGP keys ? Just a minority of us even amongst smart card developers. HSMs are usually thought of as the panacea and are used only but corporations unless it's those smart card HSMs amd evem thise are a minority as well. HSMs are mostly used for crypto key security although they provide SEE environments that are purely a b***h to load and develop for most code cutters unless the code cutter have worked with embedded stuff and used to constraint resources presented in HSM's SEE. Protecting crypto keys are pointless when I could influence the critical applications and tamper with critical applications to not access the HSM for the security operation in a correct manner and even make ot export keys under certain circumstances that include poor configuration and user's mistakes (due to how esoteric most HSM interfaces are).

Why are we still insecure despite growing options ? The problems are mainly usability, funding, perception by users and investors and power/political play by industry and Governments. Not easy to solve indeed.

rNovember 18, 2016 6:51 PM

@Thoth,

Usability is cover for pre-compromised.

Look, 5 dollars we own a windows box unless we spend how many countless hours reconfiguring each and every oob experience to a 'secure' flavor. Then, when we do get it 'calmed' down there's another 100gb of executable code and data that is interfaced that hasn't been anywhere near audited.

Clive RobinsonNovember 18, 2016 9:39 PM

@ Nick P,

For some reason lobste.rs is not available on my smart phone since sometime yesterday. It looks like the session is being closed by an upstream router etc. The twitter feed https://twitter.com/lobsters is still fine however.

@ All in UK,

Anyone else using mobile broadband in the UK getting the same probs opening https://lobste.rs/ ?

Clive RobinsonNovember 18, 2016 10:19 PM

@ Nick P, The usual suspects,

Mainly on the threads about Kaspersky's secure OS.

I wish Kaspersky well on that endevor, but I'm not sure it's even possible to make a Secure OS that supports all that the majority of users have come to want or feel they need.

If you like there are two problem areas any modern Secure OS has to battle that we know they are going to loose at. Firstly apps like web-browsers that behave like insecure mini-OS's[1] and secondly network "upstream injection attacks". The two combined are usually the kiss of death for the security aspect that covers privacy when users get involved. The reality is this is not the fault of any Secure OS but that's not how users will see it.

So to be fair we need to see how it mitigates the issue by say using userland IO stacks running in a VM.

Likewise we need to "box in" other non OS security faults and see how it mitigates them. For instance the OS no matter how secure only reaches down to just below the CPU level in the computing stack the likes of Row Hammer exploit hardware deficiencies below those levels and thus can only be partially mitigated. For obvious reasons the likes of userland IO will only make this much more difficult...

Thus we need to examin the choices the OS designers made with respect to how IO is done and the side effects of the choice mittigated.

[1] If I remember correctly @Nick P and myself had a number of discussions on this about a year prior to Chrome, and again when Chrom was originally released.

Clive RobinsonNovember 18, 2016 10:47 PM

@ Wael,

I suspect the problem is at my service provider, they have a habit of treating certain technical oriented sites as "subversive" and block them along with the Girls/Gambaling/Games sites. You usually get the "Contact us to prove you are over 18" type messages but whilst they will allow you access to the "sins of the flesh" sites you don't want, they still regard technical sites as no-nos... Moronic I know but that is the way "Mrs May PM" want's it, just like the Holy Roman Empire back in Galileo's time.

As for U-tub, I've mentioned in the past I don't do it for various reasons, primarily because of it requiring either it's own privacy breaching app or "Satan alone knows what" javascript.

I guess a further investigation will have to wait untill I get back to the dead tree cave and can fire up a test rig I can trust (there are times when I wish Android had the usuall *nix network test tools built in along with a CLI).

ThothNovember 19, 2016 12:31 AM

@Clive Robinson
You just need to get an Android phone you are not using (an old one is fine) and root it and sideload some CLI and Network Toolkits.

The era of Mrs Snooper May would be very interesting. It's like the Western society are in a state of self-inflicted panic and shock that is soreading throughout the world like a plague. Every country looking at the precedent set in the "liberal" West are no tracking their citizens and taking their citizens as their enemies.

Vad BladNovember 19, 2016 9:52 AM

Do keep in mind that both Eugene and his (ex?) wife Natalia have fishy connections with security services and have made various statements reflecting their rather authoritarian-favouring stances. Those include internet access by ID, possible manufacture of corporate surveillance systems (for mobile phones; based on femto/pico-cells that act like a corporate SORM. This is actually ironic as Natalia paints herself as if she doesn't fancy gadgets, for they are surveillance devices) and so on.

Will probably give some links when I'll be on a more or less stable internet connection.

FigureitoutNovember 19, 2016 12:41 PM

Thoth
--I would make different versions rather than get feature creep in one device (that's just my approach to security). For instance, for my dataloggers (I'll have a nice wired one in the summer, want to layout my first boards), they're isolated to themselves. Besides my PC's I have, plan on having dev boards of powerful arm chips (basically like motherboards), each serving their purpose. At around oh, $150-$600, that's price of cheaper PC.

W/ low power chips, some new sensor tech (laser that measures distance, could code to trigger if distance is greater than 1 or 2 inches if door is opened) large battery, and SD card/code library, I think I could make a nice data logger that you could mount into door/window panels. Would need multiple doors and locks, of area you want to secure. It would give you evidence (a timestamp) of some kind of intrusion at the least. Combined w/ cameras everywhere you could check around those times, and depending on how much surveillance/traps you have setup, eventually catch a perp red-handed.

RE: your scenario
The security fail is getting to the point of being captured w/ that material if it matters that much. You should do false runs of working w/ the material and observe your surroundings; to a trained eye it's very easy to spot potential attackers. After going that far of kidnapping you and torturing you for a damn pin, if you reveal your pin and give them what they want, it'd be smart to kill you (a witness who would surely go to police and other independent investigatory agencies once released) and make sure your body would never be found...

That's not my threat model, besides there's other ways to operate in the clear, hiding in the noise.

Clive RobinsonNovember 19, 2016 4:10 PM

@ Figureitout,

Would need multiple doors and locks, of area you want to secure.

Err it's not "area" but "volume" especially if it is an enclosed space.

I'm not "nit picking" because you need to be aware there are "volumetric" sensors. In many cases you only need one volumetric sensor for a room, if anyone opens a door or window the alarm goes of. The advantage of such sensors --aside from you obly need one per room- is they do not need to be physically installed, so you can leave the device on a table, shelf or floor.

Some work by detecting a sudden change in air preasure [1] others by use of radient energy like ultrasound. The radient energy systems can be continuous wave --Doppler effect-- or pulse based where the multiple reflections in the room remain fairly constant and thus the "Time Domain Reflection" return signal can be compared to previous returns. If there is a sufficient change then the alarm goes off.

[1] https://www.amazon.com/Streetwise-Smart-Sensor-Volumetric-Alarm/dp/B00CEKMQB0

FigureitoutNovember 20, 2016 1:47 AM

Clive Robinson
--Area is assumed to mean volume in that context as a figure of speech (flaw in english language) as no reasonable person believes we're infinitely thin nor says "and here's this nice volume", so it's a pretty baseless nitpick, just to be annoying. I know of those sensors too actually, believe it or not (from a user not developer standpoint) and false alarms worry me.

Clive RobinsonNovember 20, 2016 7:02 AM

@ Figureitout,

I know of those sensors too actually, believe it or not ... and false alarms worry me.

False negatives and positives are a fact of life, it you try to eliminate one you get the other.

If you are getting no false alarms then the system is to insensitive which means with care an attacker can get past the alarm without it being triggered.

Whilst using multiple different detector types can help, they can also make things worse[1]. For a logging system you want to use seperate[2] multiple types of detector and log them all as well as having an IR sensitive CCTV camera running continuously. You then use the logging info to give you time refrences to view the video recording.

You can then write software filters with a bit of AI to learn which alarms are not likely to be false.

I know it sounds a bit like hard work, but with the detectors in the right place, not only can it detect intrusions it can also detect people doing an info gathering "dry run" which for various reasons is more likely to give you "positive identification" on those involved plus warning to tidy/set up to make the actual attack very expensive for the attackers and provide them with near zero intel etc.

Oh for obvious reasons, you don't tend to find these sort of field-craft techniques in books, just an article in some select "trade journal". Usually the article lacks hard details because it is more often than not a "pre-sales hook" showing "expertise" to gain quite lucrative business with those for whom money is rarely if ever an issue ;-)

As I'm out of that game these days I don't mind stiffing their hugely profitable business model (as I did with that catalog @Bruce blogged about, where I mentioned using the G7 walkie talkies). More importantly is that way more people can benifit from these sort of security measures and make certain agencies like Kroll Associates lives much more difficult, which is always good...

P.S. @Nick P another one to add to "the link farm" B-)

[1] For instance a combined Microwave and IR alarm, if set to OR the outputs the number of false positives goes up but if AND is used the number of false positives drop. However if as many did you had a "traffic light" of LEDS visable on each detector in the detector head unit[2], if set to AND (the default) then an attacker can move in slowely, if either detector is triggered the attacker stops waits a little and then moves more slowly, they can get right upto the detector head and put a carbon loaded foam --of the sort that used to be used for DIL antistatic protection-- infront of the detector head abd neutralize it. I know this from having demonstrated it a number of times to people that thought they were "doing the right thing" when they were not.

[2] The LEDs do not have to be on/visable to carry out the attack. The X-band doppler systems they use are both a transmitter and a receiver. You can use another doppler unit with minor mods to act as a very sensitive receiver. Due to the cheap nature of the detector heads when either detector in the head is triggered it disturbes the gunn oscillator in the doppler unit, and this can be heard on the receiver... Oh and of course the receiver can be used to find the detector heads in the dark. If the IR detector is "active" it to can be found with some high sensitivity black and white CCTV cameras or IR type thermal imaging head sets...

FigureitoutNovember 20, 2016 10:55 PM

Clive Robinson
--Recently set off the smoke alarms turning on the heater for first time (burnt dust set it off). As you know, smoke alarms in a house are all connected via a powerline comms protocol I know little about (intriguing b/c that's a good side channel for attack & defense...), set one off, they all go off (would want to log the first one of course). I'm convinced that could be spun into a security system somehow using pressure, temp, or audio sensors. Just have to watch out for false positives (even if unavoidable completely, can be driven down quite a bit), or just turn it off until when you sleep and you want to wake up if something triggers them.

Yeah, in an indoor, temperature controlled, and segmented room (shielding and sound proofing optional but recommended); the false detects from microwave and IR would be very unlikely (I get big wolf spiders and all kinds of other creepy crawlies that I would need to deal w/, just seal things off, no vents etc.). I would have as many as I could muster (and flash the firmware at least), so microwave radar, IR (inside pointed at door, and one in the door panel), laser (I'm not sure how this works exactly yet, but there's programmable modules on the market now), and capacitive touch (on the door handle, could also be mounted in door and detect a human body). Ideally I'd start w/ those 4, looking into others and open source camera modules and how long I want to store footage for. I know I can get the IR and cap touch battery powered and last a long time, my dataloggers all require AC now though and I haven't come up w/ a good battery backup method. Quick little losses of power are no biggie, but sustained power outage would shutdown logging so that's an obvious attack I want to shutdown.

RE: your story of and's vs or's
--It'd be useful to have that be a dipswitch or pot setting (how many "AND's") to adjust that setting according to customer needs. Few ways to program that I think.

RE: "if IR detector is active"
--Can it be found behind a door (and it's a brick wall all around, door's only way in w/o smashing a wall) or in the door panel where you don't have a straight path to the light. I've done small amount of tests, you can set an IR detector right by a door, it was fairly impossible to open the door w/o triggering the detector in my tests. I tried going super fast, super slow, and normal speeds.

Clive RobinsonNovember 21, 2016 1:41 AM

@ Figureitout,

... just seal things off, no vents etc.

Don't block all ventilation otherwise you might find headaches are the last of your problems before hitting the floor.

capacitive touch (on the door handle, could also be mounted in door and detect a human body)

Capaitive systems are very short range and whilst working well for keypads don't work much further. You get a greater range with "top coupling" two or more offset coils. If you have a standard internal wooden door, with a little care you can prise off the plywood face and find a simple wooden frame with what looks like those cardboard packing systems used for shipping fruit like oranges in boxes inside. Mounting three coils (left sense, right sense and middle driver) with a ~20% overlap is relatively easy. The hard part is actually making a reliable connection out of the door and into the frame or wall mounted conduit, as cables "work harden" as the door opens and closes and eventually break. I've actually seen such detection coils "plastered" into walls on either side of door frames. Such coils can also be used to fire up RFID tags in ID badges etc so can serve multiple purposes. They have also been used in picture frames to protect valuable paintings. The downside is that if you suspect they are being used, you can pick up the radiation from the driver coil that will most likely be in the HF band. You can use a variation of the transverse electromagnetic mode chamber (TEM cell) technique but use two coupled lines one for TX one for RX and use a VHF frequency sweep appropriate to human body size, which can detect absorbtion as well as coupling. Likewise you can create a linear field in a coridor using Helmoholtz coils with a one or two detector coils in the linear field. The point is what you are realy detecting is the human body as it causes variation in a standing EM field by it's dielectric effects or conduction effects.

Likewise you can use those realy cheap ultrasonic detectors people use on toy robots etc the change in reflection pattern can just like radar tell you a lot, especially if you also check for doppler effects.

"if IR detector is active" Can it be found behind a door

Simple answer is the door is unlikely to be transparent at IR, but... It can be detected "under the door" and "through the key hole" with modern endoscopic type inspection equipment designed for IR spectrum use. Currently such kit is expensive, but there is no reason why it could not fall in price or much cheaper endoscopic systems modified. Thus you could as a DIY detector mount an appropriate IR sensitive diode on a bit of soft copper wire as a probe to poke under the door or through the key hole, or if there is not one drill a small hole in the top hinge side corner (it's the part of a door least looked at ordinarily).

With low cost non pasive IR detectors they work by detecting a change in reflection. In essence they take the output of the detector and AC couple it then look for signals of a hundred milli Hertz and up to a few Hertz to avoid mains hum issues from lighting etc. They then rectify and integrate that signal for a while to decide if there is "movment". Thus the tip of a drill is not just to small, it's also too fast to be seen through the filtering. Which also indicates how you might go about jaming such low cost detectors.

rNovember 21, 2016 1:02 PM

@Clive,

That's kind've the feeling I got from @Figureitout's statement,


@Figureitout,

Your furnace just set off your smoke alarms when starting it?

The air in the burning chamber is supposed to be isolated from the air that passes through the heat exchanger, depending on where the smoke alarm was that was set off (e.g. underneath a register) you may want to grab a flexible scope and inspect your burning chamber. That aside, pick up some co2 detectors just in case bud.

I suppose your flu could have some holes in it, you'd better start checking for leaks. Of those type are more important than information leakage.

FigureitoutNovember 21, 2016 9:55 PM

Clive Robinson
--Well yeah, don't worry I won't sufficate myself lol.

Capaitive systems are very short range
--Yeah, there's a trick to get it to work up to 2-3 ft, which is plenty when we're talking about someone trying to pick a lock on a door. Can't give that trick up, but has probably been independently discovered a million times by other experimenters/engineers. Would take a minute to polish it up proper (rather than looking hacky). But 2-3 inches is more normal. Having that right next to a lock someone's trying to pick, will detect their fingers likely. Or soldering the wire right onto the door handle, will detect right thru latex gloves.

Yes I've played w/ those cheap ultrasonic detectors, these guys right? http://i.stack.imgur.com/X2dK8.jpg

Point of 4 or more sensors is, as you know, to not let any single remote attack work. A HERF gun of some kind may work to fry them, going to leave hella evidence of an intrusion though.... I've got my wired dataloggers now, to timestamp "resets", anytime they first power on; so that will at least timestamp when power comes back on if an attacker were to get a little assistance from the power company shutting off my power. If the power is low enough for a write to an SD card, (should be a few ms eh?), could get a battery version working good then that attack won't matter.

It can be detected "under the door"
--Know those things used in garage doors to detect if something is in the path of the closing door? That could mitigate that attack I'm sure. Assuming the door isn't monitored from outside as well. Any drilling or modifying of the door (someone forgot to put the door handle on right in my case lol, locks were tore up, umm...rookies...lol) would be noticed. Positive evidence like that would tip off victim.

All of these attacks require "prior intel", attacking it fresh will trigger alarms, tip off defender. I don't care for those games if it's not worth it, but definitely winnable for defenders here. Won't be like typical easy targets.

r
--Not sure how our furnace works, our air filters haven't been changed out...ever...very dusty.

hingesNovember 22, 2016 12:16 AM

@Clive Robinson

What are the disadvantages of using externally insulated door hinges as opposed to brittle wires? I see wear and tear being different and the conductivity maybe less reliable, but (I think) sensible intrusion techniques could achieve similar results either way. Why go for the wires over internal plates in this use case?

Clive RobinsonNovember 22, 2016 9:21 AM

@ Figureitout,

Yup those are the "dohickies" I was talking about. They generaly come in two flavours, those with out electronics, and those with a little IC that anoyingly gives out digital signals which often limit their usability. :-(

As for,

A HERF gun of some kind may work to fry them, going to leave hella evidence of an intrusion though....

High Energy RF guns are more myth than reality when it comes to covert opps whilst the RF generators can be small the waveguides and antennas are not and as for power supplies to generate MW pulses of a nanosecond or two to get the high field strength... As for CW types that work on the heating effect you are still looking at a KW for what feels like an eternity. Then there is the protective clothing, lest you want to look like a pork chop after a minute in a microwave overn at full power for a minute or with your eyes an egg still in it's shell after a few seconds... I've built a couple of HERF guns out of common microwave oven and yacht radar parts, and you can squeeze a very short range one into a large "maintanence man" size briefcase. For longer ranges you realy are looking at vehical mount not just for the device but to protect the opperator. To protect your alarm detectors against HERF systems dicast ally boxes and copper cloth are good for IR and up and with the exception of microwave doppler devices down to DC as well. You will need to add judicious use of line filter components on cable runs but you can build those with neon discharge rrsistors, resistors transorbs and inductors and capacitors in tin plate boxes (not that you are supposed to know this in the US with it's funny TEMPEST rules/legislation).

FigureitoutDecember 1, 2016 1:18 AM

Clive Robinson
--Well I've got one w/ 3 pretty good sized IC's, one of them is an op amp. Other 2 that's likely. 2 transistors, a bunch of resistors & caps, and a crystal. I've had a bigger version of these pointed at me at work, clicking away, annoying. Pointed it back at a coworker lol.

High Energy RF guns are more myth than reality
--Besides killing power, that's the main threat of detecting a physical breach, or just detectors of some kind. Battery operated sensors, super low power MCU's w/ an attached SD card or even just some EEPROM, those can last for years and years, embedded in just about any part of a target's residence. As I'm sure you're aware (or not :p), as an attacker, tasked w/ first breach of a target, you want to do it flawlessly, and not tip off a security conscious target when any little whiff of weirdness will set alarms off; and worse potentially start counter-intel and people need to be swapped out b/c their identities are burned (basing this off my experiments w/ spooks). All I want to do is trigger things from afar and observe patterns/reactions.

As usual, the game continues...the smart defenders protect whatever it is attackers want (if it's IP, if there's a secured building, a smart defender will protect it from basically all attacks), and the smart attackers get in and out undetected.

OT:
Seen the 1kB challenge on hackaday? I want to make an entry at least, figure that'll be a good use of my little pic16f18855 board.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.