Friday Squid Blogging: When Squid Evolved

Squid evolved during an "evolutionary war" -- the Mesozoic Marine Revolution -- about 100 million years ago.

Research paper.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on March 3, 2017 at 4:16 PM • 65 Comments

Comments

Ross Snider • March 3, 2017 4:51 PM

@Bruce

You wrote fairly extensively not that long ago (in 2014) about the public-private partnership that exists in the surveillance industry, through which the laws that constrain private and public spaces, respectively, can be circumvented.

https://www.schneier.com/blog/archives/2014/03/the_continuing_.html

I was wondering if you would be willing to resurrect these issues, over say IoT regulation.

It seems to me that legal accountability of serious civil issues (such as mass surveillance) is a far more crucial intellectual and societal contribution.

Ross Snider • March 3, 2017 7:12 PM

@Rhys

Wonderful link, thank you.

Gone apparently are the days of trying to establish cyber norms and treaties?

The conclusion of the report is - I think - actually pretty deep strategic thinking about cyber warfare. One of the issues facing the United States and others in this area is that it isn't gamed particularly well, and there are not good precision playbooks for retaliation with an appropriate level of force.

They also recommend creating less vulnerable "second-strike" capabilities - deterrents (and conventional attack capabilities) that can't be taken out as easily: basically thinking similar to nuclear triad/survivable capability.

Moderator • March 3, 2017 8:58 PM

@notsufi and @all: The squid post is open for general discussion of security matters; it is not intended for reviving non-security-related forks of past discussions.

Justice: Civil Servants Self-Censor Too • March 4, 2017 7:32 AM

"Several officials in different agencies who spoke to Reuters on condition of anonymity said some employees fear their phone calls and emails may be monitored and that they are reluctant to speak their minds during internal discussions."
www.reuters.com/article/us-usa-trump-secrecy-exclusive-idUSKBN16A0GD

It's richly rewarding to hear of civil servants also practicing self-censorship.
I’ve been self-censoring for years because of govt proxies (data-mining corporations under secret contract) written by these same civil servants.
Self-censoring harms or punishes human beings. Little wonder today one out of eight people have no close friends.

The point being security officials' decisions degrade human lives. In the classified world Program Managers would never allow security officials to make program decisions.
It was proven time and time again they weren't too smart. In fact they got the most security violations for foolishness like leaving unattended safes open.

Absurd but True Example
Guys why not start a new career as a TSA genital fondler? Seriously new TSA directives unbelievably make this come true. Why not make Congress and the POTUS sign-off on these new perverted 'security' directives?

Solutions
1) First get some common sense. Don’t let Big-Data into the White House to secretly author laws or invite eager-beaver Congress to Big-Data lobbyist sponsored champagne brunches

2) Second learn to respect one another and protect each other’s privacy - especially when you disagree with them

3) The long term solution is to cut and paste the European data-protection laws:
https://www.theregister.co.uk/2017/02/08/stop_its_the_data_police/

JG4 • March 4, 2017 7:43 AM

approaching peak irony, mind the event horizon

corporation uses profiling to defeat government surveillance/entrapment

just another day on the blue marble of unintended consequences

http://www.nakedcapitalism.com/2017/03/links-3417.html
...
Syraqistan

Iraqi Federal Police Are Weaponizing Off-the-Shelf Drones, ISIS-Style Motherboard (resilc)

https://motherboard.vice.com/en_us/article/iraqi-federal-police-are-weaponizing-off-the-shelf-drones-isis-style

...
Imperial Collapse Watch
...
Air Force Wants to Test a Laser on an Attack Plane Within A Year Defense One (resilc)

http://www.defenseone.com/technology/2017/03/air-force-wants-laser-aboard-attack-plane-within-year/135864/

...

Trump Transition

The Deep State vs President Trump: We are witnessing a no-holds-barred clash between two warring camps. ZCommunications (Sid S)

https://zcomm.org/znetarticle/the-deep-state-vs-president-trump/

...
Scary Putin Monster

Obama Ordered Abuse Of Intelligence To Sabotage Trump Policies Moon of Alabama (Chuck L). Important.

http://www.moonofalabama.org/2017/03/obama-prodded-abuse-of-intelligence-to-sabotage-trump-policies.html

...[this is very forward thinking, but Newton's law of action and equal opposite reaction left out the host of unintended consequences, like kidnapping robots and reprogramming them to commit crimes]

Class Warfare

Virginia is the first state to pass a law allowing robots to deliver straight to your door Recode (resilc)

https://www.recode.net/2017/3/1/14782518/virginia-robot-law-first-state-delivery-starship

...

How Uber Used Secret Greyball Tool to Deceive Authorities Worldwide New York Times (NotSoSure, martha r)

https://www.nytimes.com/2017/03/03/technology/uber-greyball-program-evade-authorities.html

...

Uber used secret tool to evade authorities Reuters (furzy). Some additional detail.

http://www.reuters.com/article/us-uber-greyball-idUSKBN16A2IL

Jim K • March 4, 2017 10:38 AM

Does disclosure of a wire tap (as opposed to the content) count as disclosure of classified information, much as disclosure of a code word can, of itself, be sufficient for a breach of confidence? Or is it all down to context?

uber greyball • March 4, 2017 10:51 AM

from Guardian:
https://www.theguardian.com/technology/2017/mar/03/uber-secret-program-greyball-resignation-ed-baker

The New York Times reported that for years Uber used a tool called Greyball to systematically deceive law enforcement officials in cities where its service violated regulations. Officials attempting to hail an Uber during a sting operation were “greyballed” – they might see icons of cars within the app navigating nearby, but no one would come pick them up. The program helped Uber drivers avoid being ticketed.

Greyball used geolocation data, credit card information, social media accounts and other data points to identify individuals they suspected of working for city agencies to carry out the sting operations, according to the Times. It was used in Portland, Oregon, Philadelphia, Boston, and Las Vegas, as well as France, Australia, China, South Korea and Italy.


from New York Times:
https://www.nytimes.com/2017/03/03/technology/uber-greyball-program-evade-authorities.html?_r=0

Greyball and the VTOS program were described to The New York Times by four current and former Uber employees, who also provided documents. The four spoke on the condition of anonymity because the tools and their use are confidential and because of fear of retaliation by Uber.

Uber’s use of Greyball was recorded on video in late 2014, when Erich England, a code enforcement inspector in Portland, Ore., tried to hail an Uber car downtown in a sting operation against the company.

At the time, Uber had just started its ride-hailing service in Portland without seeking permission from the city, which later declared the service illegal. To build a case against the company, officers like Mr. England posed as riders, opening the Uber app to hail a car and watching as miniature vehicles on the screen made their way toward the potential fares.

But unknown to Mr. England and other authorities, some of the digital cars they saw in the app did not represent actual vehicles. And the Uber drivers they were able to hail also quickly canceled. That was because Uber had tagged Mr. England and his colleagues — essentially Greyballing them as city officials — based on data collected from the app and in other ways. The company then served up a fake version of the app, populated with ghost cars, to evade capture.

1-small step • March 4, 2017 12:11 PM

Windows 10 et al tries to phone home thousands of times everyday to login.live.com, by default. It's a small thing, but there's an easy way to stop it.

Go to Windows services and disable "Microsoft Account Sign-in Assistant". Poof! The outbound contacts are gone. Apparently, the historical purpose of this service was to check hotmail for you. What it does now is somewhat debatable. Note: This might mess up MS email, if you use it.

While you are at it, also disable "dmwappushsvc" which is a push message service.

To be honest, I don't think Trump has anything to do with this. Or Clinton. Or Obama. Sorry.

Tõnis • March 4, 2017 6:22 PM

@Justice: Civil Servants Self-Censor Too

I don't self-censor. I routinely say words like "president" and "bomb" in telephone conversations and in internet posts. I live in America, the Land of the Free and Home of the Brave. Freedom of speech, baby. I'm not even using TOR to make this reply.

ab praeceptis • March 5, 2017 2:07 AM

Ismar

buzzfeed (a.k.a. idiots' water hole) as source? An "article" containing but "would", "could", "some are wondering whether" as source?

Listen, I have a very attractive offer on the Eiffel Tower this coming week. Just 1.5 Mio$ for the original Eiffel Tower! In case you take two, you'll get a third one for free. Don't miss that opportunity!

Clive Robinson • March 5, 2017 3:53 AM

Rip off Smart Meters

As I've commented in the past, I don't like Smart Meters due to the way many of them work as well as the fact they can enumerate you via your electronic device usage[1].

Part of the problem is "efficient devices"... Modern devices like LED lights use so little power that they use complex waveform switch mode power supplies. To accurately measure the power usage with a sampling sensor takes quite a large number of samples "of a stable signal". The problem is the LED and similar devices, to meet various EMC and other requirements, quite deliberately do not use stable signals to "get under the noise mask".

Thus the problem that the Smart Meter reads the power consumption of these devices quite inaccurately. Whilst some might read lower than usage, which would give a consumer a correspondingly lower bill, others will read high by as much as six times, which would give the consumer a very much higher bill, correspondingly giving the power supplier something like 2500% more profit[2].

http://sciencebulletin.org/archives/10940.html

[1] It has been shown that your home entertainment system has a power signal that can be used to very accurately identify what you are watching / listening to. And a smart meter sensor system has the sensing bandwidth to make the required measurements as well as the communications bandwidth to forward that information...

[2] That is the quoted profit on electricity supplied to home consumers in a number of places is about 20%. If the meter reads six times actual consumption, the consumer rather than paying 1USD giving 20cents profit to the supplier, would pay 6USD giving them 520cents profit instead. Which gives them 500cents or 2500% increase due to the faulty meter, (nice business if you can get it...).

Gabriel • March 5, 2017 4:34 AM

Here you see again how popular science reporting is sensational and distorted. The new study didn't discover the "evolutionary war". The scientists just take it as a given. What they did was determine *when* it took place.

CallMeLateForSupper • March 5, 2017 10:23 AM

@Clive Re: "smart meters"

These things got on my radar a year or two ago when a pair of them were installed on my house in place of the decades-old, spinning-disk type meters. The Village popped off the old and popped on the new without so much as a friendly knock and "by-your-leave" first. The email I was writing was lost.

I like the old meter. It's like an analog speedometer in that it gives a clear indication of "rate"; a disk spins faster/slower and a needle climbs/falls. The new meter, with only a (don't-I-look-cheap) LCD, gives no such "rate" indication.

In the mean time, I have asked many local friends and acquaintances if they experienced any issues with their smart meter, and every one of them gave me a blank stare. None knew that their meter had been changed. None knew that their electricity usage is monitored every few minutes, 24/7/365. None knew that certain makes/models of smart meters were shown to have caused structure fires. The first person I asked didn't believe that his meter had been changed. Before the blank stare had left his face, he levered himself out of his lounger and strode out to look.

@All
Wiki provides some information:
https://en.wikipedia.org/wiki/Smart_meter

I think the alleged "benefits" of smart meters as touted by proponents don't stand scrutiny. Two in particular: "Alert the supplier to power outages". What? Customers don't phone in the fact that their house is dark?? "Help customers save money by shifting their usage to off-peak periods". My smart meter doesn't tell me anything beyond kWh consumed, and to get even that much I have to go outside and read the thing, just like with the old meter.

Smart meters collect data about users' energy usage, and that data can be monetized by suppliers. That could benefit the supplier, probably not the customer. Smart meters make human meter readers redundant, which benefits the supplier.

Clive Robinson • March 5, 2017 11:16 AM

@ CallMeLate...,

"Help customers save money by shifting their usage to off-peak periods"

I think I've mentioned before that that "political line" is complete bovine excreta in huge steaming piles. Those uttering it in Government and the industry should be taken out and neutered with a hammer and anvil prior to having all their assets and those of all their living relatives sequestrated.

As you note it's a huge saving, not just by the cost of employing meter readers but all the equipment etc used as part of their job. In effect an annual saving of about ten times what the --soon to be unemployed-- meter reader actually gets paid.

That's just the start of it; the next part is infrastructure maintenance and upgrade savings. Putting in new high voltage high efficiency primary network is not just eye wateringly expensive, you could buy several countries with the money they are going to save on that.

But the number one rule in the energy game is never give real savings to tied in customers, bleed them every which way you can. Thus if you reduce the unit price, up the supply component to recover the loss of income from unit sales. This is why those energy companies are spending millions on bribing politicos and fighting mega battle court cases to stop people "going off grid".

I could go on but by now people should be thinking "hang on a mo, let me check that out" and when they do they might just suffer a pain in the chest or head from realising just how badly they are going to get worked over.

Oh and another trick they will pull will be installing the cheapest crappiest most unreliable piles of junk they can, then charging you ten or twenty times the price. Either the first time or every subsequent time, plus even though you will pay through the nose for it they won't allow you to buy your own on the open market...

Winter • March 5, 2017 12:04 PM

Re: Smart meters

Smart meters are supposed to be an essential part of the "smart grid" where "consumers" can sell back renewable energy to and over the grid. There are also plans to use batteries of electrical cars to store and re-deliver (solar) energy.

The plan is to electrify all of society's energy use with decentralized production and storage. That requires smart meters. And if that has to be achieved in 20 years or so, they should start now.

Smart meters are not very secure. But it is rather paranoid to assume this insecurity is the reason they are pushed so hard.

CallMeLateForSupper • March 5, 2017 12:52 PM

@Clive
"sequestrated"

:-O

NewWord==gin("sequester","castrated")

albert • March 5, 2017 1:43 PM

@Clive,
Didn't we have a big discussion on smart meters a while back?

While it's theoretically possible to glean some information from power monitors, the real problem is overcharging the customer, without any recourse for them to disprove it.

It would be a simple matter (only for those with electrical knowledge and safety practices) to connect a power monitor to the 220V bus in the breaker box. I wonder if anyone makes a little one that could fit inside? Two voltage connections, a ground, and clip on current sensors should do it. A wifi connection to your PC would be kool, along with automatic data logging.

. .. . .. --- ....

My Info • March 5, 2017 2:43 PM

@Clive Robinson

Oh and another trick they will pull will be installing the cheapest crappiest most unreliable piles of junk they can, then charging you ten or twenty times the price. Either the first time or every subsequent time, plus even though you will pay through the nose for it they won't allow you to buy your own on the open market...

That is what they do with DSL modems in the U.S., as well as VoIP phones and any consumer-level VoIP equipment. SIM cards in cell phones, WiFi for computers, etc. It's cheap, insecure, proprietary, and unsecurable, and they charge a lot of money for it because they have monopolized it by force of law.

Thoth • March 5, 2017 7:19 PM

@Clive Robinson

One point you have forgotten to mention about smart meters is the fact that they are miniature computers as well, and what would prevent them from spreading or injecting stuff into the electrical system they are connected to?

Another alternative way to compromise an entire city/ies or country/ies would be to gain access to smart metering system, flash the firmware and get them to pump out nasties. Maybe the Govts want covert listening modules and pervasive CNE capabilities against everyone, they could just use smart meters as the next generation of Govt CNE injection system since every household would technically need a smart meter in the near future for rip-off of energy usage.

That would also likely mean that energy gapping has to include going off the household grid and working off a portable battery pack (laptops using battery and not plugged into wall sockets), and then the battery packs have to be inspected for probable backdoors as well, since most battery packs these days include some sort of IC chipset to manage the power consumption.

This would likely mean that alternatives for high assurance security systems would not only need to be energy gapped and off the main power grid; the systems must consume very little power and last a long time if possible (Raspberry Pi or $9 CHIP as endpoints) and run off easily available AA or AAA batteries to prevent battery level backdoors. Now it gets even more complicated to create a high assurance security system with so many constraints and the pervasive surveillance powers and capabilities that all Govts are abusing.

Just a short news, Singapore's MINDEF decided to bring in 2,600 full time National Service soldiers as "Cyber Warriors" that sit in front of SNORT IDS web consoles, Palantirs and the likes. For us Singaporeans, we call these people White Horses which means that these 2,600 kids whose parents are likely to be high ranking SG Government officials are given "Light Duties" because it would not look nice to the SAF to subject these White Horses (children of high ranking SG Govt officials) to the tortures of full out military and combat training like the rest of us (including myself) who have to serve 2 full years of our young adult life (I was conscripted about 22 yrs old) and then after 2 full years of grueling conscript training, we had 10 full years of mandatory reserve for normal troops, 15 years for NCOs and 20 years for officers (who mostly suck at warfare and planning anyway). So, in short, 2,600 White Horses serving the "newly minted" SG Cyber Command while relaxing off 2 years of conscript in front of computer screens while we ordinary citizens have to sweat and bleed it out :) .

We are literally wasting our tax money on a totally useless "Cyber Command" unit that can't protect any infrastructure whatsoever and to top it off, the 2,600 new White Horse Cyber Warriors weren't even able to protect the SAF/MINDEF system from being hacked into which caused a leak of ~ 800 - 900 credentials of active servicemen and servicewomen.

I suspect the hack isn't so simple to lose only ~ 800 - 900 servicemen/women credentials but well, the Govt have a tight control over who speaks and what is spoken but everyone knows it's just nonsense and a false figure to make the situation look not too bad.

Below is the link to the news.

Link: http://www.ibtimes.sg/singapore-mindef-internet-system-hacked-850-national-servicemen-employees-data-compromised-7975

Jonathan Wilson • March 5, 2017 7:32 PM

The FBI have decided to drop charges against someone who downloaded child pornography rather than reveal their supposed backdoor into the Tor browser.

https://arstechnica.com/tech-policy/2017/03/doj-drops-case-against-child-porn-suspect-rather-than-disclose-fbi-hack/

As someone who thinks people who download and share child pornography (actual child pornography with actual children who have been exploited, not all those cases where someone is prosecuted over a cartoon image or some baby photos or a consensual photo of a teenager or whatever) are scum of the earth and deserve to rot in a not-so-nice federal hellhole prison I am disgusted that the FBI would rather protect a backdoor exploit in a software program (one that may well leave anyone using that program vulnerable to attacks from all kinds of bad people should the exploit be discovered by cyber criminals) rather than sending a pedophile to jail where they belong.

If I lived in the USA I would be writing to whichever politicians or other entities I can write to demanding the FBI not let these people off the hook.

John Smith • March 5, 2017 7:53 PM

Re albert:

"While it's theoretically possible to glean some information from power monitors, the real problem is overcharging the customer, without any recourse for them to disprove it."

I have worked with smart meters, running EMC tests in GTEM cells and so on. Part of my tests was to blast the meters with pulsed RF, intense enough that the h/w and s/w on the meter stopped. Stopped as in ... no metering of electricity passing through the meter.

Of course, I am not advocating anyone else try this. I rest easy, knowing that no-one here would dream of hacking a smart meter for personal gain.

NystagmusE • March 5, 2017 10:02 PM

I feel like the biggest pseudo-"man-in-the-middle" type of attack we are currently enthralled with is coming from within the White House. Can America withstand a corporate takeover from a neo-feudalistic sociopath who claims himself to be a modern day Robin Hood?

Our infrastructures and protocols and social norms don't seem to be equipped to deal with this.

I honestly feel like people need to stop waiting for permission to do the right things.
America shouldn't be willing to rot from within, even if it came from the top.

I don't blame the Russians, I blame the US Electoral College and everyone who assumed it was fair.
Hillary won by several million votes. And yet here we are, subject to one of the biggest threats to US and geopolitical security in decades--the redheaded stepchild known as Mr. President.

Clive Robibson • March 6, 2017 4:05 AM

Smart readers show ~3,000,000 times usage.

In the UK Metro newspaper this morning there is a story about some Smart Gas meters reading ~3 million times what they should do... With a price of 33,000GBP (~50000USD) for just one day's usage...

http://metro.co.uk/2017/03/05/customers-shocked-to-find-theyd-used-33000-worth-of-electricity-in-a-day-6489077/

No doubt there will be some nonsense from the supply company about the smart meter company and vice-versa. The point is if it could go up by that amount in one day, it could also be done for an hour or so by a smaller amount to "up profit" and then be put down again. So if a customer complains and the meter gets tested it will be shown to be functioning normally...

So as @Thoth notes above, they are effectively computers on an insecure network with a great deal of reach in a house. Which begs the question how long before "forensic examination" is required for "overreading" and all manner of other nasties...

Clive Robinson • March 6, 2017 4:27 AM

@ John Smith,

I have worked with smart meters, running EMC tests in GTEM cells and so on. Part of my tests was to blast the meters with pulsed RF, intense enough that the h/w and s/w on the meter stopped. Stopped as in ... no metering of electricity passing through the meter.

Welcome to the world of "EmSec Active EM Fault Injection Attacks"; it's a fun world to play in.

I independently discovered it back in the 1980's when designing telemetry systems. It only took holding the "rubber duck" antenna a few inches from the CPU chip (1802 rad hardened) to cause it to lock up entirely, and also stop a brown out and timeout circuit from resetting the CPU...

As you note it's no better more than thirty years later.

Why the academic community have not investigated it further is a real puzzle, there are many PhDs and papers to be made in the early stages of a new domain of interest...

Anura • March 6, 2017 4:53 AM

@Clive Robinson/Robibson

Department of weights and measures requires that all measuring equipment be regularly tested and calibrated. It might be time to have them regulate the meters to ensure regular testing and calibration, as well as audits of hardware and software similar to how we audit slot machines - adding metering at substations, and checking the balances to make sure everything adds up and the utilities don't charge for what their customers don't buy. Or we can just not allow utilities and other natural monopolies to be for-profit to begin with so we don't have to regulate them in the first place, but that's just crazy talk.

I'm not sure exactly what's in place, but there should be ways to check that.

JF • March 6, 2017 6:09 AM

@ Anura

"Department of weights and measures requires that all measuring equipment be regularly tested and calibrated. It might be time to have them regulate the meters to ensure regular testing and calibration, as well as audits of hardware and software similar to how we audit slot machines - adding metering at substations, and checking the balances to make sure everything adds up and the utilities don't charge for what their customers don't buy."

The most intelligent comment on the thread.

"...Or we can just not allow utilities and other natural monopolies to be for-profit to begin with so we don't have to regulate them in the first place, but that's just crazy talk."

Unfortunately, any organization will eventually go off the rails without some accountability, so I suggest we stick to accounting practice and auditing by an independent agency to ensure accuracy.

Other • March 6, 2017 7:07 AM

Talking about smart meters, did anyone read the novel named Blackout by Marc Elsberg? It is fiction, sure, but the audience of this blog will probably find it realistic or at least quite plausible.

Clive Robinson • March 6, 2017 9:09 AM

@ Anura,

It might be time to have them regulate the [Smart] meters to ensure regular testing and calibration, as well as audits of hardware and software

Unfortunately many Smart Meters would pass the tests, but fail in real life.

It's due to conflicting standards requirements.

Low power low output voltage SMPSUs designed to run off of 80-300V 45-70Hz AC and used in LED lights and most IoT devices have issues. Basically they turn on only for very small fractions of a cycle. This turn on/off generates a waveform with high harmonic content up into the hundreds of MHz and is especially bad if the on/off is regular in frequency. Thus they fall foul of EMC directives and their "noise limit masks". The easy solution component cost wise is to move the on/off times in what appears to be a random pattern, thus spreading the harmonic content into wideband slots, thus bringing down the energy per Hz inside the mask. This is really a quite complex signal as in effect it's a Direct Sequence Spread Spectrum (DSSS) signal.

The meter standards however are based on measurements decided to measure the phase relationship between the AC voltage waveform and the AC current waveform and multiplying their magnitudes to give the "complex power", then by the cos of the phase difference to get from the "apparent power" to the "real power"... Whilst this can be done relatively trivially for sine waves with a lookup table and interpolation between points, other "sampled" waveforms fail really badly.

Thus the difference between the real power (what you should pay for) and the complex waveform "apparent power" can not only be immense but immensely difficult to calculate.

The more "low power low output voltage SMPSUs" you use the worse the problem and the more likely you are to end up paying for some mangled complex waveform "apparent power" which is many times the real power.

How we are going to resolve this "clash of standards" I don't know, but what I do know is that the likes of LED bulbs are going to cost you many times the real power they use... "Trebles all round" for the suppliers, "Rip off misery" for the low energy user...
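The gap Clive describes between real power and "apparent power" for a pulsed SMPSU current can be checked numerically. The Python below is an added example for this thread, not code from any commenter or from a meter vendor. Its load model (a flat current pulse that flows only while the mains voltage exceeds a chosen fraction of its peak, crudely imitating a capacitor-input supply's narrow conduction angle), the 230 V mains figure, and the "sine-assuming meter" that reads phase from the delay between the voltage zero crossing and the start of current flow are all simplifying assumptions of mine. It computes, for one mains cycle, the true real power from the instantaneous v(t)·i(t) product, the volt-ampere apparent power, and what the sine-assuming meter would report.

```python
import math

MAINS_VRMS = 230.0          # assumed mains RMS voltage (constructed value)
SAMPLES_PER_CYCLE = 36000   # fine grid so the numeric integrals track the analytic ones


def pulsed_load_cycle(threshold=0.9, ipk=1.0, n=SAMPLES_PER_CYCLE, vrms=MAINS_VRMS):
    """Construct one mains cycle: sinusoidal voltage plus a crude SMPSU current model
    (assumption): a flat pulse of `ipk` amps flows only while |v| exceeds `threshold`
    of the peak, i.e. a narrow conduction angle around each voltage peak."""
    vpk = vrms * math.sqrt(2)
    v, i = [], []
    for k in range(n):
        s = math.sin(2 * math.pi * k / n)
        v.append(vpk * s)
        if s > threshold:
            i.append(ipk)
        elif s < -threshold:
            i.append(-ipk)
        else:
            i.append(0.0)
    return v, i


def resistive_load_cycle(r_ohms=100.0, n=SAMPLES_PER_CYCLE, vrms=MAINS_VRMS):
    """Control case: a plain resistor, so the current is a sine in phase with voltage."""
    vpk = vrms * math.sqrt(2)
    v = [vpk * math.sin(2 * math.pi * k / n) for k in range(n)]
    return v, [x / r_ohms for x in v]


def rms(x):
    return math.sqrt(sum(a * a for a in x) / len(x))


def real_power(v, i):
    """True average power: the mean of the instantaneous product v(t) * i(t)."""
    return sum(a * b for a, b in zip(v, i)) / len(v)


def apparent_power(v, i):
    """S = Vrms * Irms: what a meter billing on volt-amperes would charge for."""
    return rms(v) * rms(i)


def sine_model_power(v, i):
    """Simplified model (an assumption, not any real meter's algorithm) of a meter that
    presumes both waveforms are sinusoids: it takes the phase lag to be the delay from
    the voltage's positive-going zero crossing (sample 0) to the first instant current
    flows, then reports S * cos(phi). Correct for a resistor, wrong for a pulse."""
    first = next(k for k, x in enumerate(i) if x > 0)
    phi = 2 * math.pi * first / len(v)
    return apparent_power(v, i) * math.cos(phi)


def compare(v, i):
    """Return the three readings for one cycle plus the apparent/real ratio."""
    p = real_power(v, i)
    s = apparent_power(v, i)
    return {
        "real_W": p,
        "apparent_VA": s,
        "sine_model_W": sine_model_power(v, i),
        "apparent_over_real": s / p,
    }


if __name__ == "__main__":
    print("resistor:", compare(*resistive_load_cycle()))
    for thr in (0.9, 0.98):
        print(f"pulsed load conducting above {thr:.0%} of peak:",
              compare(*pulsed_load_cycle(thr)))
```

For the resistor all three figures agree (529 W for 230 V into 100 ohms). For the pulsed load they diverge: with conduction above 90% of peak the apparent power is roughly 1.37 times the real power, and narrowing the pulse to above 98% of peak pushes that to about 2 times, while the sine-assuming meter reports a third, lower figure because the delayed pulse looks to it like a large phase lag. The size and even the direction of the error depend on which shortcut the meter takes; only the instantaneous product gives the figure the customer should be billed for.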

JG4 • March 6, 2017 11:16 AM

@Clive and @Thoth

You both have posed power/powerline filtering problems. One filter seeks to convert the complex waveforms from the newfangled devices back to sine waves for the meter to read accurately. The other filter seeks to do the same thing in the opposite direction. It would be advantageous to block the high-frequency signals from the smart meter modem that are querying appliances in the structure without consent and without authorization. I have commented before on robust approaches to such filters. Can't recall if I went as far as to post the bill of materials, but it would make a nice open source project.


Clive Robinson • March 6, 2017 2:08 PM

@ JG4,

It would be advantageous to block the high-frequency signals from the smart meter modem that are querying appliances in the structure without consent and without authorization

It would but as in all things there is a price to pay...

A simple solution I've mentioned when talking about setting up a "poor man's SCIF" is to put a couple of EMC style mains filter blocks in series. Unfortunatly there are a couple of problems. Firstly the cut off frequency is quite high, secondly they shunt not reflect the unwanted energy thus generating heat and power usage you have to pay for.

You can partialy resolve the cut off frequency problem by increasing the value and thus size of the filter components. To see where this takes you have a look at a Line Issolating (LI) Line Impedence Stabilisation Network (LISN) used in EMC testing. They are designed to have a cut off frequency below 9KHz to mret EMC masks/test requirments[1] but alow the pasing of considerable mains power, the design of such beasts[2] often surprises people.

To get the cut off frequency lower down below 600Hz would require the components especially the inductors to be many times the size (around twenty times the size for air-core single winding inductors). I've built filters using ferrite toroidal audio transformers of the type used in Class A Bridge amplifiers, that some jokingly refer to as "Battleship anchors".

One problem as I've indicated is that they "shunt not reflect" the energy of the signals you are trying to remove, usually into a low impeadence such that they get turned into heat. Thus "real power" that costs money is being used.

To reflect the energy back to the source can greatly increase the efficiency, which is what you see in the design of Class F amplifiers (of which I have one that produces in excess of 1KW at a VLF "very low frequency" Amateur Radio band not far below the old Long Wave band). In essence a class F system works by presenting a short circuit to odd harmonics and open circuit to even harmonics by using a quarter wave line from the supply and a half wave line to the load, the result being a square wave voltage on the FET drain but a sinusoidal current to the load. Thus no harmonic power is dissipated in any load.

Thus you can reflect the signals back into the mains supply such that whilst there may be a voltage present, no current flows for it thus no real power is used thus you don't have to pay for it. Further if there is no power at those higher frequencies they are not radiating out either (current through a loop etc).

[1] https://en.m.wikipedia.org/wiki/Line_Impedance_Stabilization_Network

[2] http://www.feng.pucrs.br/~fdosreis/ftp/publicacoes/Conferencias/IECON/IECON2003/lepuc6elio.PDF

furloinMarch 6, 2017 3:58 PM

@Thoth


"We are literally wasting our tax money on a totally useless "Cyber Command" unit that can't protect any infrastructure whatsoever and to top it off, the 2,600 new White Horse Cyber Warriors weren't even able to protect the SAF/MINDEF system from being hacked into which caused a leak of ~ 800 - 900 credentials of active servicemen and servicewomen"

Singapore gets in line behind the European union, Australia, United states, and Canada for only letting rich and official people's twerps into places where you need a brain. Few kids having one, most kids are as smart as a rock. Now narrow the field to spoiled kids coming from wealthy families and your percentage of brains thins even further. I am pretty sure Russian trolls get promoted similarly. China may or may not promote based on merit, anyone know?

Also webassembly has made it into the main four browsers. If your machine was not compromised before I suggest moving from webkit, chrome, firefox, and internet explorer/edge this moment because it will be compromised very soon.

rMarch 6, 2017 5:46 PM

@JG4,

I spoke with one of the installers of the smart meters here in the states, actually a close family friend as it turned out who is licensed in far different areas than simple electrical installation. While I haven't taken one apart the way I understand it to be set up is similar to how my 1st gen kindle operates: a 2g radio only.

Have you seen other information to the contrary as to their exact feature set?

JG4March 7, 2017 6:46 AM


something interesting may be in the works

Wikileaks Releases Encrypted "Vault 7" Torrent, Will Unveil Password Tuesday 9am
http://www.zerohedge.com/news/2017-03-06/wikileaks-releases-encrypted-vault-7-torrent-will-unveil-password-tuesday-9am

Last month, following a series of seemingly random tweets by Wikileaks, we reported that starting on February 4th, each day Wikileaks began sending out a series of cryptic question Tweets teasing the world about “Vault 7”. The questions were framed in Who, What, When, Where, Why, and How format (but not in that order). Each came with an image “clue”.

What: The first tweet shows a picture of the Svalbard Global Seed Vault.
Where: The second tweet shows a picture of a vault in a former salt mine in Merkers, Germany where Nazis stored money, gold, paintings, and other valuables during World War II. This mine vault was captured by the United States in April 1945.
When: The third tweet shows a picture of a Pratt & Whitney F119 airplane engine, which is the engine for the Lockheed Martin F-22 Raptor. The picture in the tweet was taken on April 9th, 2010 at Langley Air Force Base as part of a story published on April 12th about the soundproof "hush houses" used for jet engine testing.
Who: The fourth tweet shows a picture of the Manning, Assange, and Snowden "infamous spies" posters released by the Defense Security Service.
Why: The fifth tweet shows a picture from the article Keeping Structures Strong, which discusses the 509th Civil Engineer Squadron's work repairing infrastructure on Whiteman Air Force Base. The specific picture tweeted is captioned "Staff Sgt. Adam Boyd, 509th Civil Engineer Squadron structural supervisor, welds a box blade for a snow plow, Feb. 27. Structures Airmen perform jobs such as this one to save the Air Force from having to possibly spend money on parts made by civilian companies."
How: Or, more specifically, "How did #Vault7 make its way to WikiLeaks?" The sixth tweet shows a picture of "Surveillance of mailboxes in Berlin". The picture is captioned "When mailboxes were being observed by Stasi agents, every person posting a letter was photographed. Some films found in the Stasi archives also show persons dressed in civilian clothing emptying the mailbox after the conclusion of the surveillance action."

JG4March 7, 2017 6:54 AM


I don't have any particulars on the smart meters. It may be quite helpful to filter from MHz down to kHz. What I had in mind for a filter was considerably more robust than 600 Hz passband, and would easily fill a small closet. One of the more colorful characters in our industry has quipped, "Overkill is a whole lot cheaper than underkill." An additional benefit of DC-coupling is that it provides a convenient feed-in point for erratic power inputs like solar PV. The filtering mechanism could include rotating machinery to make a very robust chokepoint for powerline transients up to and including EMP.

Plenty of interesting news today

http://www.nakedcapitalism.com/2017/03/links-3717.html
...
Big Brother is Watching You Watch

Dangerous backdoor exploit found on popular IoT devices TechRadar (Chuck L)

http://www.techradar.com/news/dangerous-backdoor-exploit-found-on-popular-iot-devices

WankaMarch 7, 2017 7:44 AM

@ JG4,

sounds like some sort of puzzle. am wondering how these smart meters get their signals out, I've had a hard enough time trying to get a mobile phone to get a good signal in my neck of woods.

GregWMarch 7, 2017 8:01 AM

Wikileaks starts to disclose the 5000 people working on CIA hacking attempts and the fruits of their work that rivals the NSAs in some regards:

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.

The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia.
...
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

https://wikileaks.org/ciav7p1/

CallMeLateForSupperMarch 7, 2017 9:25 AM

@Clive

(article) "Smart readers show ~3,000,000 times usage."

Thanks so much for the link to that article. It's a beauty (arguably an ugly).

vas pupMarch 7, 2017 12:56 PM

@all: some hacking groups have same feature:
http://www.bbc.com/future/story/20170303-how-collective-narcissism-is-directing-world-politics
A lot of us are familiar with the psychological construct of narcissism as applied to an individual: someone who is grandiose and overconfident on the outside, but needy and vulnerable underneath. But collective narcissism is something different: it is when someone exhibits an exaggerated belief in the superiority of their in-group, be that a gang, religion or nation, but deep down feels doubtful about their group’s prestige and therefore craves its recognition by others. This ‘fragility’ makes it different from simply having pride in one’s country – in much the same way that a narcissist is quite different from an individual with healthy self-esteem.

Other evidence suggests that certain aspects of collective narcissism emerge as a way to compensate for feelings of personal inadequacy – in much the same way that individual narcissists may vaunt their self-importance to hide their anxiety. Aleksandra Cichocka and her colleagues at the University of Kent at Canterbury recently found that people who felt less in control of their lives were more likely to show signs of collective narcissism, for instance.
The concept of collective narcissism isn’t new – it was first proposed by the psychoanalyst Erich Fromm and sociologist Theodor Adorno in the 1930s – but social psychologists’ increasing interest in the idea is especially timely given the political upheaval going on in the world right now.
It is also intriguing – and potentially relevant – that collective narcissists tend to be more inclined to believe in conspiracy theories, especially those involving outsiders.
Worryingly, Golec de Zavala and Cichocka suggest that collective narcissism could fuel hostility between countries – since collective narcissists are also more likely to endorse revenge, when they feel that their group has been insulted.
Another study with US students found that those scoring higher in collective narcissism were more likely to favor military aggression.
Despite these findings, it’s worth underlining that collective narcissism is quite different from other kinds of national pride – and positive feelings about one’s own country can bring many benefits. In fact, in her recent review of the field Cichocka explains how feeling a strong sense of identification with a larger group can be constructive. People can find great purpose and meaning in doing things for the greater good of their group, and healthy patriotism is associated with more tolerance and understanding of other nationalities. What makes collective narcissism distinct is its defensive and paranoid tone, and the insatiable desire for due recognition from others.

I like this definition:
"…constructive patriotism (loving one’s country while also recognizing flaws and seeking ways to help bring about improvements)."


trsm.mckayMarch 7, 2017 1:40 PM

@Clive But the number one rule in the energy game is never give real savings to tied in customers, bleed them every which way you can. Thus if you reduce the unit price up the supply component to recover the loss of income from unit sales.

California has a mostly successful regulatory bypass, giving the regulated for-profit energy companies incentives for customers being more energy efficient. It sounds kind of crazy, why would an energy company want customers to use less electricity. But they worked out the incentives (both to the energy companies, and to the electrical customers), and after a couple of decades California households average dramatically less use of electricity than the rest of the USA. Here is a link with more details: https://www.greentechmedia.com/articles/read/California-Is-Proof-That-Energy-Efficiency-Works

Of course it has its problems as well, California electricity tends to be more expensive than most of the other states (for a variety of reasons). They also had some famous issues during energy deregulation (Enron and others manipulating energy prices). But the reality is that the state got customers to be more efficient (avoiding the need to build new power plants) even while working with for-profit regulated energy companies.

tyrMarch 7, 2017 9:12 PM


@trsm.mckay

The real reason for their wish to conserve is that building the extra infrastructure to keep up with the expansion of population is expensive. With an overloaded system which is always having growth pains it is better to cut back the demand from existing customers instead of doing massive rebuilds of your grid.

Having spent a lot of time in the trenches with PG&E I got to see their problems up close. They would prefer to milk their cash cow without a larger investment in hardware if possible. The comp setup they had was hilarious due to similar thinking. Since they could amortize and write off a mainframe over time the solution for upgrades was to buy a new one and do the same thing later. Eventually they had about 5 each running one of their programs but no crossdata capability. We did a physical inventory and crosschecked it with their records. None of their records could match ours and all were different from each other.

I knew a service tech who had been in their comp facility and he explained how they were setup. It was the kind of thing you see in big organizations when everything is run by bean counters and coupon clippers. In addition they had just barely enough I/O for one mainframe. The five generations of comps were total overkill for any rational business.

Sometimes it is better not to know what is under the shiny facade of big utilities, governments, or businesses.

gordoMarch 8, 2017 8:30 PM

Congress may overturn Obama internet privacy rules
By David Shepardson | Reuters | Mar 8, 2017

Republicans in the U.S. Congress are moving to repeal regulations adopted by the Obama administration in October that would have subjected internet service providers to stricter scrutiny than websites to protect customers' private data.


[...]

Under the rules, which were scheduled to take effect last Thursday, internet providers would need to obtain consumer consent before using precise geo-location, financial information, health information, children's information and web- browsing history for advertising and internal marketing.

[...]

Republican [FCC] commissioners including Pai said in October the rules unfairly give websites like Facebook Inc (FB.O), Twitter Inc (TWTR.N) or Alphabet Inc's Google unit (GOOGL.O) the ability to harvest more data than service providers and dominate digital advertising.

[...]

"With this move, Congress is essentially allowing companies like Comcast, AT&T, and Verizon to sell consumers’ private information to the highest bidder," ACLU general counsel Neema Singh Guliani said.

http://www.reuters.com/article/us-usa-fcc-privacy-idUSKBN16F2UT

Wesley ParishMarch 9, 2017 1:33 AM

I've just rewatched Terry Gilliam's Brazil. It's another of those Deja Vu moments. A remake of it nowadays would be regarded as speculative journalism, not satire.

Clive RobinsonMarch 9, 2017 7:12 AM

@ r,

You might want to look into the background of the author of that ZDNet article you link to.

Whilst there is in part a degree of truth in the article, there is no mention that many smaller commercial companies suffer from exactly the same if not worse problems.

Thus it's not really an Open-v-Closed software argument but one of Little-v-Big team argument.

Which brings the argument to one of resources, little teams suffer disproportionately in the resources issue. One large team issue is the issue of in house experts. In a large organisation a single expert's abilities get spread across a much larger surface than they do in small organisations, thus the number of experts actually required does not change much with the size of an organisation.

CallMeLateForSupperMarch 9, 2017 10:51 AM

@Wanka
"am wondering how these smart meters get their signals out, I've had a hard enough time trying to get a mobile phone to get a good signal in my neck of woods."

Admittedly, my study of smart electricity meters hasn't reached very far to date, relative to the amount of information I suspect there is to discover. That said, it appears to me that one method of communication between meter and "mother ship" relies on both cell phone and landline technologies. A group of meters that talk/listen via cell phone tech. form a mesh network with one meter that also has a landline connection. It's the landline that carries data to/from "mother ship", thus the mesh and mothership need not be close to each other. A town/city that sprawls over a large area might need tens (hundreds?) of meshes.

As has already been mentioned, energy suppliers love the fact that these meters self-report, no expensive humans are needed. Another feature is popular for the same reason: mothership can shut off service to specific meter(s) by simply sending a command; no more sending two humans out to do the one-human job of yanking meter(s) off walls. Just think how much more interesting life will be when - yes, *when*, not if - reprobates have cracked operational and security protocols of smart meters. We have "doxing" and "swatting". What would be a suitably snappy term for the act of plunging a target into darkness?

Clive RobinsonMarch 9, 2017 1:06 PM

@ CallMeLate... And others,

Just think how much more interesting life will be when - yes, *when*, not if - reprobates have cracked operational and security protocols of smart meters.

What "operational and security protocols"?

A ways from my home down the street is a grey post in the pavement. When the top is off and a service technician is there it is very easy to see what is in the post and from glancing at the screen connected by the serial port what is going on.

It was fairly easy to find what frequency the UHF radio used and then using a similar post elsewhere with a data collecting device work out the simple unencrypted protocols... Having made this info available to others that do red team work on industrial equipment, other information became available including passwords etc...

I have no reason to believe that the designers of such systems would put any effort into real security, just a bit of obfuscation at best.

As with much infrastructure equipment the only way you will get any kind of security is by legislative and regulative means and currently that's not happening.

Clive RobinsonMarch 9, 2017 4:15 PM

Is Android the OS equivalent of FEAL

Back in 1987 a couple of people --who probably still cringe today-- designed the Fast data Encryption Algorithm (FEAL)[1] to replace DES. As with all new encryption algorithms of the time presented at conferences it got analyzed... And its design was such that it became the "go to" algorithm to attack. It was the algorithm where several new cryptanalysis attacks were found and honed, two of which were linear and differential cryptanalysis...

Well it appears you can not pick up a conference paper today that is not attacking Android in some new way. Which is probably good for the design theory and practice of OS construction, but do you want the latest "go to target" in what is beginning to look like the loser in a 455 kicking contest?

Well even if you don't have an Android device the title of this paper alone should make you curious,

    MaMaDroid: Detecting Android malware by building Markov chains of behavioral models
    We evaluate MaMaDroid’s accuracy on a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it not only effectively detects malware (with up to 99% F-measure), but also that the model built by the system keeps its detection capabilities for long periods of time (on average, 87% and 73% F-measure, respectively, one and two years after training).

https://www.internetsociety.org/sites/default/files/ndss2017_03B-3_Mariconti_paper.pdf

[1] https://en.m.wikipedia.org/wiki/FEAL
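To make the paper's title concrete, here is a toy version of the MaMaDroid approach as an added example; it is not the authors' code. Each app is represented by the sequence of API calls it makes, every call is abstracted to a coarse "family" state (the rule used here, first two package components, is an assumption), the transitions between states are modelled as a Markov chain, and the flattened transition matrix is the feature vector. The training traces and the nearest-centroid classifier are constructed for the demo; the paper uses real app datasets and stronger classifiers.

```python
"""Toy demonstration of the MaMaDroid idea (added example, not the paper's
code): abstract an app's sequence of API calls to coarse "family" states,
model the sequence as a Markov chain, flatten the transition matrix into a
feature vector, and classify unknown apps by nearest centroid.

All call traces below are constructed for the demo; they are not data from
the paper or from real apps."""
import math
from collections import defaultdict


def abstract_call(api: str) -> str:
    """Map a fully qualified call to a coarse state (constructed rule: the
    first two package components, e.g. android.widget.TextView.setText ->
    android.widget). Dropping class and method names is what lets the model
    tolerate API churn between Android versions."""
    parts = api.split(".")
    return ".".join(parts[:2]) if len(parts) >= 2 else parts[0]


def transition_counts(trace):
    """Count state -> state transitions along one abstracted trace."""
    states = [abstract_call(c) for c in trace]
    counts = defaultdict(lambda: defaultdict(int))
    for src, dst in zip(states, states[1:]):
        counts[src][dst] += 1
    return counts


def markov_features(trace, vocab):
    """Row-normalised transition probabilities over a fixed state vocabulary,
    flattened to a vector of len(vocab)**2 in a deterministic order.
    Transitions into states outside the vocabulary still count towards the
    row total (so the known probabilities stay honest) but get no column."""
    counts = transition_counts(trace)
    vec = []
    for src in vocab:
        total = sum(counts[src].values())
        for dst in vocab:
            vec.append(counts[src][dst] / total if total else 0.0)
    return vec


def _centroid(vectors):
    n = len(vectors)
    return [sum(v[i] for v in vectors) / n for i in range(len(vectors[0]))]


def _distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train(benign_traces, malicious_traces):
    """Build the shared state vocabulary from all training traces and one
    centroid per class. Returns a model dict consumed by classify()."""
    vocab = sorted({abstract_call(c) for t in benign_traces + malicious_traces for c in t})
    model = {"vocab": vocab, "centroids": {}}
    for label, traces in (("benign", benign_traces), ("malicious", malicious_traces)):
        model["centroids"][label] = _centroid([markov_features(t, vocab) for t in traces])
    return model


def classify(model, trace):
    """Nearest-centroid decision; the feature construction, not the
    classifier, is the point of this example."""
    feats = markov_features(trace, model["vocab"])
    return min(model["centroids"], key=lambda lbl: _distance(feats, model["centroids"][lbl]))


# Constructed training traces: UI-driven behaviour versus identifier reads
# alternating with network activity.
BENIGN_TRACES = [
    ["android.widget.TextView.setText", "android.view.View.setOnClickListener",
     "android.widget.Button.setEnabled", "android.view.View.invalidate"],
    ["android.view.View.findViewById", "android.widget.TextView.setText",
     "android.view.View.setOnClickListener", "android.widget.Toast.show"],
]
MALICIOUS_TRACES = [
    ["android.telephony.TelephonyManager.getDeviceId", "java.net.HttpURLConnection.connect",
     "android.telephony.SmsManager.sendTextMessage", "java.net.HttpURLConnection.connect"],
    ["android.telephony.TelephonyManager.getSubscriberId", "java.net.URL.openConnection",
     "android.telephony.SmsManager.sendTextMessage", "java.net.URL.openConnection"],
]

MODEL = train(BENIGN_TRACES, MALICIOUS_TRACES)

if __name__ == "__main__":
    print("vocabulary:", MODEL["vocab"])
    for trace in BENIGN_TRACES + MALICIOUS_TRACES:
        print(classify(MODEL, trace), trace[0])
```

The part worth noticing is that a trace using class and method names never seen in training still lands on the right side, because the abstraction collapses them into a family the model already knows; that is the mechanism behind the paper's claim that detection holds up a year or two after training.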

Clive RobinsonMarch 9, 2017 4:46 PM

JavaScript worse than we guessed

As a few know, I don't take kindly to sites that insist on using JavaScript. In fact I shun them big time.

The reason is that when I've looked I've found that out of date and insecure libraries are usually involved. So I stopped looking and just turned JavaScript off (which despite the hype does have advantages).

Well it would appear that my reasoning based on a small sample applies rather more generally than I thought. In a paper called,

    Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web.
    Perhaps our most sobering finding is practical evidence that the JavaScript library ecosystem is complex, unorganised, and quite “ad hoc” with respect to security. There are no reliable vulnerability databases, no security mailing lists maintained by library vendors, few or no details on security issues in release notes, and often, it is difficult to determine which versions of a library are affected by a specific reported vulnerability.

http://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf

The authors have taken a much more in-depth look than I did, "And folks it sure ain't pretty" so you might just want to turn it off and delete it from your systems for good where you can.
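For anyone who wants to check their own pages rather than turn JavaScript off, here is an added example of the kind of inventory the paper performs at scale; it is not the authors' tooling. It extracts `<script src>` URLs from HTML, recovers a library name and version from the URL path, and compares against a minimum acceptable version per library. The sample page, the hostnames and the version thresholds are constructed placeholders, not real advisory data; in practice the table would be fed from your own vulnerability tracking.

```python
"""Added example (not from the paper): a minimal audit of the JavaScript
libraries a page loads. It pulls <script src> URLs out of HTML, recovers
library name and version from the URL path, and compares against a table of
minimum acceptable versions. The sample page and the version table are
constructed for this demo; the thresholds are placeholders, not advisories."""
import re
from html.parser import HTMLParser

# Constructed placeholder table: library -> lowest version considered
# acceptable. In real use this comes from your own vulnerability tracking.
MIN_ACCEPTABLE = {
    "jquery": (1, 9, 0),
    "angularjs": (1, 3, 0),
}

# Two common URL layouts: .../name-1.2.3(.min).js and .../name/1.2.3/file.js
_VERSION_PATTERNS = [
    re.compile(r"/(?P<name>[a-z][a-z0-9_.-]*?)[-.](?P<ver>\d+(?:\.\d+)+)(?:\.min)?\.js$", re.I),
    re.compile(r"/(?P<name>[a-z][a-z0-9_-]*)/(?P<ver>\d+(?:\.\d+)+)/", re.I),
]


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag; inline scripts are skipped."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for key, value in attrs:
                if key.lower() == "src" and value:
                    self.srcs.append(value)


def script_sources(html: str):
    parser = _ScriptSrcParser()
    parser.feed(html)
    return parser.srcs


def identify(src: str):
    """Return (name, version_tuple), or (None, None) if the URL carries no
    recognisable version. The query string is stripped before matching."""
    path = src.split("?", 1)[0]
    for pattern in _VERSION_PATTERNS:
        m = pattern.search(path)
        if m:
            version = tuple(int(p) for p in m.group("ver").split("."))
            return m.group("name").lower(), version
    return None, None


def audit(html: str):
    """One finding per external script: outdated / ok / unknown-library / unversioned.
    'unversioned' and 'unknown-library' are findings too: a script you cannot
    identify is one you cannot track."""
    findings = []
    for src in script_sources(html):
        name, version = identify(src)
        if name is None:
            status = "unversioned"
        elif name not in MIN_ACCEPTABLE:
            status = "unknown-library"
        elif version < MIN_ACCEPTABLE[name]:
            status = "outdated"
        else:
            status = "ok"
        findings.append({"src": src, "name": name, "version": version, "status": status})
    return findings


# Constructed sample page; hostnames and versions are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example.test/libs/jquery-1.8.3.min.js"></script>
<script src="https://cdn.example.test/ajax/libs/angularjs/1.4.0/angular.min.js"></script>
<script src="/static/lodash-4.17.4.min.js?v=2"></script>
<script src="/static/app.js"></script>
<script>console.log("inline, no src");</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML):
        print(f"{f['status']:16} {f['name'] or '-':10} {f['version'] or ''} {f['src']}")
```

Version tuples compare component-wise, so `(1, 8, 3) < (1, 9, 0)` without any string tricks. The two URL patterns cover the common CDN layouts; a library bundled into an application file with no version in its path falls through as "unversioned", which is exactly the case the paper's authors flag as hardest to track.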

ab praeceptisMarch 9, 2017 11:35 PM

Clive Robinson

Ad javascript: I have a seriously sad story to tell.

There is a language called Haxe. Looks very promising at first sight. Offers good typing and even (some, probably modest) static checking. Compiler written in OCaml.

Now, obviously when judging something like that, one must keep in mind, that one is looking at the idiots league. Keeping that in mind Haxe comes close to being the next best thing to sliced bread.
Even better, it not only compiles to javascript but also to some other targets (most of them worthless). One of those and probably the 2nd interesting target is neko, a vm from the same french author. Very nice little thing, really, and the bridge to system scripting (with typed and checked vars!).

So, I took a closer look - and misery began.

Next to no tools, documentation looking plenty at first but being all but worthless because pretty much everything, tools, docu, (plenty) videos, is done with flash (yuck) and gaming (more yuck) in mind.
About the only half-way useable dev. environment is flash based and, to make it even more ridiculous, runs only on windows.
Pretty much all communication and dev. efforts turn around games and funny web-crap.

Result: I use it anyway but look at my reasons to fully get how sad that story is:
- typed and type checked vars
- generates good quality and pre-checked javascript
- generates good quality and checked neko VM code.
- neko can wrap itself and the code into a simple executable containing everything needed.
- neko code runs on many and all major platforms
- reasonable set of libraries available
- very good (C) FFI. I tested that and created a binding to a PRNG in quite little time.

In other words: Haxe (and neko) deliver what I was looking for for a long time. A *small* basic toolset running pretty much everywhere creating *small* and *reliable and safe* code running pretty much anywhere.
No more super-fat Python bloat, no more typeless Python, great.

In fact so great that I still use it for scripting, no matter for web or for systems.

But also a whole community that is utterly brainless dancing around a brilliant center whom they don't understand in the least and a basically non-existing dev. environment made by idiots for other idiots whose holy stars are node js, flash and game creation.

Now, I personally don't care too much; I'm used to work with utterly poor tool chains but I would have loved so much to have something to generally recommend. What a sad failure.

Clive RobinsonMarch 11, 2017 8:42 AM

@ ab praeceptis,

Now, I personally don't care too much; I'm used to work with utterly poor tool chains but I would have loved so much to have something to generally recommend.

I'm of an age where I had to build not just my own toolchains but also my own BIOS equivalent and reduced set OS or RTOS, the latter two for virtually every embedded project I worked on as the chip designers were shall we say not the users of their products...

There are three basic things to say about this,

Firstly it starts as a great waste of time, and even after you learn the tricks there is still effort involved that might be better used else where.

Secondly you learn quite a lot you would otherwise have no reason to learn. Importantly it has knock on effects that help you write better and certainly more resilient and secure code (skills that are rarer than the proverbial "hens teeth").

Thirdly, it makes you a creature of habit, like a blind gardener, you are more attuned to your own environment than most others are to theirs, but sadly you don't get to see how other gardens and their environments work. So whilst you are quicker off the mark and faster than the ordinary you are nevertheless limited by your own horizons and falling behind as you do not come into contact with new ideas in a way you have to really evaluate them. Thus like an old dog you are good at the tricks you perform but hapless with those that have become vogue.
