Friday Squid Blogging: 1887 Animal-Combat Print with Giant Squid

Great Victorian animal-combat scene featuring a giant squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on March 31, 2017 at 4:29 PM • 151 Comments

Comments

Ben A. • March 31, 2017 4:32 PM


Yet another LastPass "major flaw"

In addition to the LastPass and 1Password leaks uncovered last week, a "major flaw" has been discovered by Tavis Ormandy which allows malicious code execution. No patch is available.

Stop using online, closed-source password managers and use tried, tested and trusted open source software like Bruce's Password Safe or KeePass.

https://www.theregister.co.uk/2017/03/27/lastpass_confirms_major_flaw/

https://arstechnica.com/security/2017/03/potent-lastpass-exploit-underscores-the-dark-side-of-password-managers/


Huge data breach sees thousands of MPs' staff personal data published online

In the same week the UK Home Secretary was lecturing technology companies about the dangers of encryption the government have inadvertently published "names, salaries, rewards, working patterns and holiday entitlements of the more than 3,000 staff."

http://www.mirror.co.uk/news/politics/huge-data-breach-sees-thousands-10135238


Amber Rudd's 'showdown' talks with tech firms on extremism are pure PR

...the tech companies get called in for their ritual berating, hang their heads and say they’re sorry. The government gets to say it’s tough, without losing its powerful friends. And the whole thing goes on as it was before.

https://www.theguardian.com/technology/2017/mar/30/uk-government-tech-firms-extremism-pr-win-facebook-amber-rudd


Setting a custom FileVault (macOS FDE) passphrase

"Overloading the login/unlock/sudo password is an understandable UX simplicity choice, but makes it very hard to manage the security tradeoff: you want an easy to type password for login (which can't be bruteforced offline), but you want a complex long passphrase for FDE."

https://blog.filippo.io/filevault-2-custom-passphrase/


Android handsets could have soft-button fingerprint sensors by year-end

https://arstechnica.com/gadgets/2017/03/synaptics-new-fingerprint-sensors-support-force-sensitivity-soft-buttons-and-more/


Telegram now supports voice calls

General consensus is that it's great [Telegram] despite their homebrew crypto for secret chats. Telegram's available on almost all platforms including Windows, Mac, Linux, command line, web-version, Android, iPhone/iPad, Windows Phone.

Voice quality is improved using AI and instead of using verification words to detect a MITM they use emojis (to overcome any language barriers - neat concept.)

https://telegram.org/blog/calls

https://core.telegram.org/techfaq#q-how-are-voice-calls-authenticated

https://news.ycombinator.com/item?id=13994154


Wikileaks releases CIA's Marble: Malware obfuscation tools

https://wikileaks.org/ciav7p1/cms/page_14588467.html?marble=1

https://www.theregister.co.uk/2017/03/31/wikileaks_cia/


Reverse Engineering Malware 101

https://securedorg.github.io/RE101/


Is this a solution to Trump signing away your digital privacy? We give Invizbox Go a go

You're stuck with one VPN provider and they don't support OpenVPN

https://www.theregister.co.uk/2017/03/30/invizbox_solution_for_digital_privacy/


Thinking about switching to Windows 10? Now’s the time to act

Windows 10 Creators Update is due to be released and it'll likely wreak havoc on users' systems.

http://www.infoworld.com/article/3186869/microsoft-windows/thinking-about-switching-to-windows-10-nows-the-time-to-act.html


The American M-209 cipher machine

https://chris-intel-corner.blogspot.co.uk/2012/06/american-m-209-cipher-machine.html

nicotine • March 31, 2017 5:39 PM

@Ben A I've used password safe but I never did find checksums or cryptographic signatures to verify the downloads. Where are they? Also how do I know the Bruce isn't being nefarious with the password generator selecting from a small dictionary of random looking passwords or with clever statistics to make them easy to crack? ;)

ok I guess I could vet the source code and compile it myself.

what's the problem Apple? • March 31, 2017 6:16 PM

regarding Apple's websites
-2 many Apple websites aren't accessible using Tor; for example,

https://support.apple.com
https://discussions.apple

-1 Apple security updates (I presume) aren't available using Tor; make this +1 if I am wrong

No I don't trust vendors. Regardless, my life, and family members' lives, are tied to a variety of Apple products (+1 for Apple's privacy policy, although I have never read it; and +1 to standing up to fbi director comey; maybe it takes big business or big government (i.e. the military; I don't think the war department wants hackable cots) to tell Comey to go get a grip on reality and quit babbling like 'it's just hard, not impossible to reconcile')

and

+1 for providing timely, and cia relevant (maybe) updates in a timely manner

+1 for semi-functional on-line Tor orders (occasional calls from Apple or the credit card vendor; hey interdiction scares me, yet ordering with Tor may make the situation worse (for example email confirmations can't be turned off, afaik, etc.)

Cheers,
From a coffee shop using Tor in the usa

ps. Does anybody have anything bad to say about the product or using

https://itunes.apple.com/us/app/onion-browser-secure-anonymous-web-with-tor/id519296448?mt=8

+1 Tor accessible
-.25 images not secure using Tor

Hyder • March 31, 2017 6:36 PM

Anyone taken a gander at the Marble leak? These cpp files are amazing. The obfuscation program specifically runs through a string of languages, Russian, Farsi, Arabic... few more. It also looks like it can take pieces of the string to scatter in spots. My c++ is a little weak, looking for any other insight.

The Dude • March 31, 2017 6:45 PM

A. In the wake of Congress passing its bill to allow ISPs to sell user data there has been a vast amount of chatter recently--most of it completely ignorant--about VPNs by people who should at least know better.

Here is the best VPN rating site available.

https://thatoneprivacysite.net

It's worth noting that despite compiling detailed data on more than a hundred VPNs there is not a single VPN service that wins awards in all categories and only a few that win excellence awards in more than one category. The fact remains that most VPN providers are worse than not using a VPN at all.

B. After an extended hiatus the ixmaps web project is back on-line

https://ixmaps.ca/

"ixmaps is an internet mapping tool that can help you learn more about internet privacy issues:"


The Ha Ha Woman • March 31, 2017 6:53 PM

@what's the problem Apple?

I would not trust any Apple product to run Tor. Apple OS is a proprietary operating system. Apple seems to be excellent for protecting data at rest given all the trouble the FBI has had in hacking the iphone. But data in transit? I want an OS where I have total control over issues like the MAC address and other endpoint considerations that iOS forces me to lose.

lance • March 31, 2017 7:30 PM

@nicotine
> I've used password safe but I never did find checksums or cryptographic signatures to verify the downloads. Where are they?

pwsafe.org looks kind of iffy to me, with no direct download/signature link and a lot of image links that give me flashbacks to download.com and other 90's stuff. "Mirror #1" has "File Signatures" links but they lead to "javascript:void ()" and I'm not enabling scripting just to see what those are.

Coming at it from another angle, Debian lists passwordsafe as a reproducible package: https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/passwordsafe.html
And of course they have signatures on all packages. There are SSL Debian mirrors and even a Tor service (install apt-transport-tor and see onion.debian.org's entry for ftp.debian.org).

Being reproducible is good evidence against a Trojaned binary. The source could still be bad, and they say "many eyes" will make the bugs shallow but how do we know how many eyes have looked? That would be a good project: some site to hook source code needing audits up with developers who can do them. It'd have to say what parts of the code were audited so far, and for what. Maybe the reproducible build people would be interested in organizing.

For now you're stuck searching Google for previous audits or doing it yourself. Or if you're paranoid, organize a paid audit like people did with Truecrypt (crowdfunded in their case).

What's the problem Apple • March 31, 2017 9:44 PM

@The Ha Ha Woman

What hardware, or hardwares, should one bet one's life on?

I think Apple stores claim to be able to reset your hardware to factory settings, and this could be useful, ymmv, with all the malware out there; but I haven't seen any firmware updates for 2012 Macintoshes' Thunderbolt firmware hacks since the CIA leaks.

Regardless afaik on some Intel Apple hardware, you can partition and run, or run from live dvd/cd

tens or lps (usa dod)
tails
openbsd
qubes
pcbsd/trueos/freebsd
linux in general
bsd in general
etc.

not to mention running guest vms (installed or as live dvds)

To run Whonix (regarding Whodidit) with macOS I had to turn something on regarding the processor, I think, in the virtualbox guest settings.

Running 'little snitch' and macOS is interesting, but begs a lot of questions. It's interesting to see some guest OSs wanting to call out during bootup.

For some isp connections you might try surfing with mdnsresponder turned off in 'little snitch' and just use Tor somehow (haven't tried this lately) and really don't know what went on when I did that; I do recall that what worked seems to have worked well though.

@spooks and @nonspooks
anecdotal stuff and Tor
things went more shi**y, Cloudflare and the like, about a year ago dec/jan
and again more shi**y since Trump was elected

finally there are a lot of Apple Security updates, including for windows users, too,

https://support.apple.com/en-us/HT201222 -1 not accessible using Tor


Thoth • March 31, 2017 11:32 PM

@The Ha Ha Woman, Clive Robinson, Open Source Smartphone et al.

While I was typing the post on my Android smartphone, the browser suddenly glitched the entire phone. Maybe "they" do not want me to post about their negative side or maybe "Heaven" or "Deity" wants ARM, Android et. al. to live longer without people like me commenting about their rotten side.

Whichever the case, here's a re-typed post to rat out the nasty side of so-called Open Source phone OSes.

Firstly, there is no such thing as an open source phone with open source OS. Well, you might think Android AOSP and things like the mostly dead Meego OS might be counted as open source phone OS but the fact is the Linux kernel that runs the phone might be open source but there are a ton of proprietary extensions and drivers that the phone needs to use which are still kept closed source.

Things like the phone modem, camera and microphone modules, NFC controllers and so on are NDA-ed and proprietary. Even if you have an open source kernel, it is quite pointless as open source kernels for smartphones by themselves are useless without the proprietary components/drivers binaries and so on. Thus, the phone (all smartphones) are NOT open sourced in the strictest term.

Maybe you are fine with only being able to review the open source phone kernel and you might be lucky to find other component manufacturers (i.e. phone modem, SIM module, NFC controller, flash memory controller, etc...) that have open source drivers, then one thing you might not realise is that the ARM chip, the ARM A series architecture is complex and can be used as a backdoor that has even more privilege than your userspace kernel.

Most smartphones are using Qualcomm these days and even if you use TI OMAP or some Allwinner Chinese chips, as long as it is an ARM A series chip, it contains something called a TrustZone partition. Your chip literally has two kernels. One is the userspace kernel and the other which has the highest privilege and can inspect your userspace process calls, intercept your access to peripherals and flash storage is the TZ partition which has been positioned as a "Secure Enclave" for "Trusted Boot" on ARM A series chipsets.

The ancestor of Intel SGX and ME nonsense can be traced back to ARM TrustZone and it's through this that we slowly get what we know as "Secure Enclaves" which is a very subjective matter.

Running an ARM A series chipset is akin to running Intel with ME/SGX because they share very similar designs. The ARM TZ partition ensures "Trusted Booting" and proves "Secure Enclave" where code execution can be protected from the userspace kernel. That means even if you have an open source phone OS running in userspace and you are lucky to have all the phone peripherals open sourced, the one part still in the dark is the very ARM A series chipset you are using which is the TZ partition.

The TZ partition is actually a HW and SW implementation with its own CPU, its own memory block and stuff similar to Intel ME/AMT/SGX. The TZ partition runs its own process by having the instruction set a "Secure" bit and the TZ partition and the TZ's kernel cannot be inspected from userspace unless the manufacturer botched up and released the TZ kernel codes and firmware in the userspace unencrypted, which Qualcomm did botch up by doing precisely that. In fact, Qualcomm's TZ implementation, called the QSEE and now re-branded to call the Qualcomm Haven Security Suite (QSEE for simplicity and legacy reasons) has been known to be the most analyzed by researchers and also the one that makes the most mistakes (probably due to more reviews done on the QSEE compared to those done by Broadcom, Samsung Exynos, Apple's Secure Enclave and so on). Because of the QSEE firmware not being properly secured, researchers could pry open the kernel for the QSEE's TZ partition and do some partial review of the binaries.

Realizing that the TZ partition has immense privileges which include intercepting your process calls to peripherals (i.e. Flash memory, SD card, SIM card, camera, microphone, phone modem, NFC controller ...etc..) and even your userspace processes can be inspected and managed by the TZ partition of the ARM A series chip, now you can suddenly see why Intel's ME/SGX/AMT which follows ARM's TZ footprints is so potent and is causing waves of paranoia whereas ARM TZ is not causing so much media uproar because it is still a niche area to research and there isn't so much media attention.

TZ is sold as a feature of the ARM A series chipset as a bundle of patents and reference implementations. It will be rather silly to buy a bundle but exclude features so most companies will just buy the entire "kitchen sink" load of patents and reference designs to implement on their ARM A series mobile platform chipset and Qualcomm actively promotes its TZ implementation and even re-brands it. It makes little sense to implement only selected designs on chips and when these features that were left out need to be added, they have to re-fab and this is costly so most implementors would simply push the entire "kitchen sink" which includes the TZ feature into the ARM A series chipset and simply roll them out.

Thus, from the above perspective, all ARM A series mobile platforms are a gone case in terms of HW and firmware backdoor via the ARM TZ partition no matter if the peripherals and OS are open sourced. The only exception to this is you fab your own ARM A series chip and implement your own TZ partition with your own TZ firmware on your own HW. This is impossible for most normal people like us, or for most companies, which wouldn't go to the extent of spending so much money on fabbing their own chipsets and would rather just shop for ready made ARM A series chips from Qualcomm, Samsung, TI et al. and use them in their mobile platforms. Thus, the above exception I mentioned is pretty much useless unless you can fulfill that exception I stated.

Now thinking about smartphone Android FDE, @Clive Robinson, I think I want to make a nasty statement pointing out that Android FDE is pretty useless. If you think along the lines of the paradigm of FDE regarding how best to secure the data, Android FDE uses software level which is like using a Linux FDE on the hard disk.

Taking into consideration that TZ partition has the final power to compromise the software-based FDE that Android uses and can even just write plaintext into the Flash device (by intercepting the process call to the Flash controller or SD card) while pretending that encrypted data is written (of course this is too obvious assuming user will inspect the Flash or SD card data), smartphone FDE is only useful at preventing Low Level Attackers where they can't control TZ to do their bidding.

Under the assumption we always make where the chipset makers are in bed with the ICs and War-mongering World Govt, I wouldn't be surprised that powerful LEAs and ICs can decrypt Android FDE with ease with one of the methods using the beloved TZ partition to escrow the cryptographic key or manipulating it.

The more secure method of data encryption would be a specialized MicroSD card with embedded Smart Card chip that must contain the Transparent Data Encryption feature enabled. This is akin to a memory device having FDE built into its core. But this opens another huge can of worms where how is one going to securely enter the Security-enabled MicroSD card's User PIN code to encrypt and decrypt the Security MicroSD card's secured data.

Entering it from a traditional keypad that has to pass through the CPU would be dangerous assuming the TZ can intercept and log the PIN, and what about the decrypted data produced by the Security-enabled MicroSD card?

Back to the usual answer that both of us always rant about which is to separate out the data and not bunch them on a single device. Use a physically separate secure encryptor. For convenience sake (but lower in security), I would say a USB tethered HW encryptor that provides secure display and input would be good enough for now although @Clive Robinson would want more paranoid options to prevent USB nasties and side-channels and prefer to manually "walk" the data from point A to point B.

Too many cans of worms being opened and spilled here :) .

Ben A. • April 1, 2017 4:30 AM

@nicotine

You can find the cryptographic hash sums at the download site:

https://www.fosshub.com/Password-Safe.html

I found the hashes as:

Password Safe Installer - 11.55 MB | version: 3.42
MD5: 3b183eaa7a0f8c9ffcb37e6a6983d948
SHA1: 3c601f2b290745beaee2c0dd6973fa2965f5c540
SHA256: 6ff27a4e04c94e02dd1472009f89c8b5c8a0cdb17fe125c284e5f13f3a27da7f

Unless both your connection and mine have been tampered with (or the hosting site itself - and that uses SSL) you can be fairly confident that these are the genuine hash sums.

If you're really paranoid you can visit the VirusTotal website:

https://www.virustotal.com/en/file/6ff27a4e04c94e02dd1472009f89c8b5c8a0cdb17fe125c284e5f13f3a27da7f/analysis/

In addition to the hash sums the software is also signed with an Authenticode signature. When you download it and right click on Properties you can view the digital signature. It's signed by a Rony Shapiro.

The software is no longer maintained by Bruce; it was taken over by another developer. You can have a look through the source code and compile it yourself if the possibility of reduced entropy is a concern to you. Or you can generate your passwords using another application, by some manual method or via an offline password-generating webpage.

There have been independent audits of it and it was deemed extremely secure. Nevertheless there was some feedback on making the database format even more secure and this was actioned by the developer. Link to the most recent research (that I know of) in my reply to @lance.


@what's the problem Apple?

The TOR application you list is one of the best for iOS but beware that your traffic is always being tunnelled over TOR. Using a VPN before connecting to the TOR browser would be the best way of achieving the highest level of security (for a smartphone) and hopefully avoid leakage.


@lance

Those reproducible builds are another good way of being satisfied with the software. Because it's relatively small (compared to KeePass) reviewing the code yourself is achievable.

Here's the results of an independent audit.

https://www.cs.ox.ac.uk/files/6487/pwvault.pdf


@All

LastPass say they've fixed the problem. They claimed it was a highly sophisticated exploit, it wasn't. It was something that any competent developer should have noticed.

I really cannot recommend online password managers any more despite their convenience.

https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/
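The download check described in the post above, written out as an added example (this is not code from the comment thread, from Bruce, or from the Password Safe project). The three sums are copied from the post; the file path, the function names and the constructed three-byte sample are assumptions. Two caveats a practitioner would want alongside it: of the three lines, only the SHA256 sum is worth relying on, since MD5 and SHA1 collisions are practical; and sums published next to the download only catch a corrupted or swapped file, not a compromised host, which is what the Authenticode signature mentioned above is for.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Published sums for the Password Safe 3.42 installer, copied from the post above.
# Re-check them against the download page yourself; the script demonstrates the
# comparison, not the trustworthiness of this table.
PUBLISHED_PWSAFE_342 = {
    "md5": "3b183eaa7a0f8c9ffcb37e6a6983d948",
    "sha1": "3c601f2b290745beaee2c0dd6973fa2965f5c540",
    "sha256": "6ff27a4e04c94e02dd1472009f89c8b5c8a0cdb17fe125c284e5f13f3a27da7f",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_bytes(data, algorithms=ALGORITHMS):
    """Hex digests of an in-memory blob, one per algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def digest_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hex digests of a file, streamed in chunks so a large installer is hashed
    in a single pass without being loaded into memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(computed, published):
    """Compare computed digests with published ones; returns {algorithm: matched}.

    Case and surrounding whitespace are normalised, because published sums are
    often copy-pasted as upper-case hex with a stray space, and that should not
    read as tampering. An algorithm that is published but was not computed counts
    as a failure rather than being silently skipped.
    """
    results = {}
    for name, expected in published.items():
        got = computed.get(name)
        if got is None:
            results[name] = False
        else:
            results[name] = hmac.compare_digest(got.strip().lower(), expected.strip().lower())
    return results


def all_match(results):
    """True only when every published sum matched; an empty result is not a pass."""
    return bool(results) and all(results.values())


def verify_download(path, published):
    """Hash the file once and check it against every published sum."""
    return verify(digest_file(path, tuple(published)), published)


if __name__ == "__main__":
    # Constructed sample: a three-byte file whose digests are the standard "abc"
    # test vectors, standing in for the real installer (hypothetical path).
    sample = Path(tempfile.mkdtemp()) / "pwsafe-sample.bin"
    sample.write_bytes(b"abc")
    expected = {"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
    print(verify_download(sample, expected))   # {'sha256': True}
    # A tampered copy: one byte changed, so the published sum no longer matches.
    sample.write_bytes(b"abd")
    print(verify_download(sample, expected))   # {'sha256': False}
```

To check a real download, call `verify_download("Password-Safe-3.42.exe", PUBLISHED_PWSAFE_342)` and treat anything other than `all_match(...) == True` as a reason not to run the installer. Hashing all three algorithms in one pass costs nothing extra, but a decision should rest on the SHA256 line alone.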

Clive Robinson • April 1, 2017 5:08 AM

@ Thoth,

Too many cans of worms being opened and spilled here :)

Yup and there are a few more you did not have space for ;-)

One of which is a nasty and can be seen in SmartTVs (Samsung), a number of Pads/Tablets and even in desktops via the hardware (Lenovo) or Software (Microsoft) as well as being "standard" in IoT devices.

It's the "off line functionality fall back" to near uselessness. That is the producer has put the equivalent of "On-Line DRM" into the devices. So they either can not be used "Off-Line" or the user is forced to periodically go "On-Line" so the device can "do an E.T." and phone home with the "instrumentation collected data" as well as the "Enforced software updates".

I've seen this coming for some years which is why I've talked as much as I have about "Embedded / MCU" security solutions via an easily instrumented interface such as RS232 etc to form a security choke point you --not others-- 100% control.

As I've also indicated repeatedly "Users don't need windows to communicate". The command line or at a push mic/speaker are sufficient. The advantage being that the data thus produced will go down a serial interface thus such embedded devices are well within most "Maker" abilities, even if it is only using the chip manufacturers development boards.

Clive Robinson • April 1, 2017 6:30 AM

@ Ben A.,

Smart TV hack embeds attack code into broadcast signal

This sort of thing is not exactly news...

You may remember TiVo and its set top digital video recorders? They had quite poor "air-interface" security as well.

What brought that possibility to the public eye back a decade and a half ago in the UK --and US-- was that the BBC paid TiVo to force DVRs to download some really crap drama. Many users then found that as part of that deal they could not delete it, only TiVo could...

http://www.metafilter.com/17418/TiVo-and-the-BBC-force-programming-on-consumers

There was discreet "industry gossip" about the protocols and their failings including security.

However TiVo and the marketers more or less got away with it so I would expect any SmartTV producer to include all the software hooks to allow this sort of unsolicited 5h1t on people. Thus with security of such systems being fairly crap, it is the sort of thing you would expect a curious mind to investigate, I'm just surprised at how long it's taken to become public this way.

Just expect every thing "consumer" you buy from now on to contain similar as standard, along with all sorts of other nasties in the way of privacy invading "instrumentation". It's what entertainment and other marketing execs and their bean counters call "The bright future of consumer partnership". To cover up the fact it is a predator/prey or Master/slave relationship they are really talking about because consumers are owned and thus "scr3w3d blu3 and tattoo3d"...

Ben A. • April 1, 2017 7:05 AM

@Clive Robinson

I remember that although what is particularly concerning about this hack is the ease at which it can be executed by a malicious actor:

Scheel's approach, by contrast, can work against many TVs at once and eliminates the need for the attacker to physically control the device. Instead, the hacker need only turn on a transmitter that's within range of a large number of sets, say, in a densely populated apartment building or from a balcony that's near a TV of interest. The approach could also be modified in ways that give it greater reach.

For instance, in the event a TV station or network was compromised—for example, a more extreme version of the 2015 hack that blacked out 11 channels belonging to French broadcaster TV5Monde—the attackers could surreptitiously embed malicious code into the signal being broadcast to millions of TVs.

I see that Sky Q boxes have an in-built microphone for "convenience".

http://www.techradar.com/news/sky-q-voice-commands-are-finally-ready-and-launching-today

lance • April 1, 2017 8:59 AM

How easy is it to embed something into a TV station's broadcast signal? If I give an ad to a TV network, would they send out the raw MPEG stream I provided? (Lots of networks don't send TV shows "clean" but they turn off the crap overlays when showing ads.)

Can any part of the TVs be reprogrammed to create a non-internet worm? Like, could the wifi or TV-receiver chips broadcast something on a TV frequency to talk to other "smart" TVs that had internet connectivity disabled?

(And while not all TVs have microphones, they all have speakers. It may be possible to use those as microphones.)

Dirk Praet • April 1, 2017 9:45 AM

@ Ben A. , @what's the problem Apple?

Using a VPN before connecting to the TOR browser would be the best way of achieving the highest level of security (for a smartphone) and hopefully avoid leakage.

Please stop saying that before you get either yourself or others in serious trouble. You have to do it the other way around, i.e. tunnel your VPN through Tor. Don't even take my word for it, but that of @thegrugq instead. Look up any of his writings on the matter.

@ The Dude

The fact remains that most VPN providers are worse than not using a VPN at all.

This is the sort of absolutist thinking that is getting us exactly nowhere. Of course there are a lot of really lousy VPN providers out there that don't give a rat's *ss about your privacy and will happily turn over your logs to whatever LEA, either voluntarily or under subpoena. I again refer to the link above, and summarize as follows:

If you are a US citizen who wants to thwart ISP, other corporate and local sheriff's office snooping, you proceed as follows:

  1. Go shopping for a VPN provider in good standing, outside of the US, and preferably outside of 5 Eyes jurisdiction.
  2. Select one that allows you to both register and pay anonymously, preferably in bitcoin or some other digital currency.
  3. Install Virtualbox and the Whonix Gateway and Workstation VMs on whatever COTS OS it is you are running. Fire up the newly acquired VPN from the Whonix Workstation. Alternatively, set up a Tor gateway on your LAN (a Raspberry Pi will do quite nicely) and start your VPN from some live DVD (not TAILS).
  4. Configure Tor to use OBFS bridges, even if your ISP is not censoring Tor. Rotate said bridges on a regular basis. If you know what you're doing, configure Tor to avoid known US based exit nodes. Yes, you can do that.
  5. Never ever use your VPN stand-alone without tunneling through Tor. Why? Because using VPN/Tor as described above will hide your real IP from your VPN provider. They will just see a Tor exit node.
  6. Use https where ever possible (HTTPS Everywhere browser add-on). Dump Java, Flash and Shockwave. Use paranoid NoScript settings, which you can still temporarily loosen on a site by site basis.
  7. Use a traditional MUA instead of a web based interface for your mail. Configure it for TLS if your ISP mail server supports it. Dump Gmail, Apple, Facebook and Outlook addresses. If you and your correspondents can't be bothered with using PGP correctly (Enigmail), get a free Comodo email certificate instead to sign and encrypt your emails with. Yes, mobile apps support that too.
  8. For IM, dump Skype, WhatsApp, Snapchat and the like. Use Signal, ChatSecure or iMessage instead. On non-mobile platforms, go for anything that supports Tor/OTR (Pidgin, Tor Messenger) and a service that is preferably accessible as a Tor hidden service.
  9. If for whatever reason you are using Microsoft Windows 7-10 and Office, grab a (free) utility to tweak your privacy settings, disable M/S telemetry services and sinkhole (known) telemetry hosts. While you're at it, also grab a copy of Windows Firewall Control, a nifty utility that allows you to block unknown processes or services from calling home. It's the equivalent of Little Snitch on MacOS.
  10. Get rid of anything Android, especially if you have obtained it from an ISP or carrier that most probably is injecting its own spying and tracking stuff in it. The entire ecosystem is broken beyond repair, and from a privacy and security vantage a complete nightmare.

CAVEAT: if you're up against a resourceful state actor, none of the above apply from the moment you become a person of interest to them, and at which time you will need to resort to techniques and methodologies as described by @Clive, @thegrugq, @Thoth, @Nick P, @Wael, @Figureitout, @RobertT et al. They basically boil down to the following:

  1. NO digital communication is secure. All of the above can be attacked by subverting the endpoint either at the hardware, BIOS/EFI and ME layer, or through exploitable flaws and backdoors at the OS, networking, application and presentation layer.
  2. Whatever vendors and marketeers are claiming, all COTS operating systems, applications, programming languages, compilers and hardware from a security vantage are cr*p. Some s*ck less than others. Everything IoT s*cks more.
  3. High assurance (micro)kernels, systems and hardware are either difficult to come by or impossible to operate by the layman. Much of it never reaches full maturity or is killed for lack of commercial viability.
  4. ALWAYS separate - as in energy gap - the encryption from the communication device, secure transfers between the two over mechanisms like data pumps and the like.
  5. Use pen, paper and OTPs whenever possible.
  6. Whatever technology you are using, pre-digital age OPSEC is your best friend.

K • April 1, 2017 9:56 AM

With regard to the recent story about banning tablets/computers on certain airlines. Did anyone read: https://yro.slashdot.org/story/17/03/27/140254/laptop-ban-on-planes-came-after-plot-to-put-explosives-in-ipad

Personally, I'm skeptical. Tablets have so little room in them. Getting it to pass the turn-on test would be a challenge.

On the other hand, here in this country, we take state of the art gear for granted. In other nations, where folks are not as well off financially, older gear is commonplace. You take one of those old clamshell laptops, from the 286 or 8086 era, you could fit a lot into one of those and still make it work right. For a lot less money than an iPad. And a lot easier than working on a tablet.

So, well, hmmm...

---

The comedian Jeff Dunham, a ventriloquist, used to do a bit about airline security. Apparently the TSA wiped down one of his dolls. More precisely, they swiped the butt-crack of his doll. It tested positive. TSA waved him through. Apparently they get a lot of false positives from, amongst other things, "lotion". In his act, Jeff expresses his desire to turn himself in as a terrorist rather than be thought of as putting lotion on his doll's buttocks.

The waving him through part aside, this has some interesting connotations for secondary fallout from humiliating false positives. I wonder how that would have gone had he been black, or islamic.

---

On another tack: The media paints a big picture about certain explosive compounds, generally nitrogen based, powerful but always difficult to manufacture or obtain. A lot of our security people, especially the TSA, seem to follow along in this mindset. That's all they look for.

I went through TSA security some years back with 100 feet of cat6 (ethernet) cable in my carryon, along with routers, switches, computers, and other gear. It was a one-day trip out to fix a remote site. The TSA guy said they only worry about my cat6 if it didn't have wire in it. I'm thinking, wait, I extrude 100 feet of cable, print a label on it every few inches, and I forget to include the copper wire? Wouldn't it be one heck of a lot easier to manufacture my own luggage, and make all 6 sides an extra couple of millimeters thicker? But of course, you can't say anything back, you can't point out how utterly worthless all this security theater is, without getting majorly harassed, missing your flight, spending the night getting strip-searched at the local hoosegow, etc.

This is how democracy fails. You can't challenge the orders. You can't call folks out for being idiots. Oh we'll laugh at them behind their back, but that just increases the schism between us & them.

Me, I'm terrified to speak out. Even here. And I do wonder about it all. It just seems so easy, so utterly trivial to make any of a number of explosive mixtures that will react faster than the dispersing pressure wave, that don't involve nitrogen compounds, that're based on solids or powders, all from materials that are largely readily available in our trash (such as aluminum cans). Take a look at what's in fireworks sometime. I used to read a homemade pyrotechnics newsgroup back in Usenet days. They don't all involve nitrogen compounds.

It just seems like it would be a lot easier to turn a beany-baby into an explosive device than a tablet...

I do wonder what is going on here. This agenda, does it protect us, the people? Or does it just serve a few very wealthy individuals?

Ben A.April 1, 2017 11:13 AM

@Dirk Praet

Please stop saying that before you get either yourself or others in serious trouble. You have to do it the other way around, i.e. tunnel your VPN through Tor. Don't even take my word for it, but that of @thegrugq instead. Look up any of his writings on the matter.

You make an excellent point but that's not how iOS works hence why I didn't mention it.

You can tunnel TOR through a VPN but not a VPN through TOR.

vas pupApril 1, 2017 11:14 AM

Tag: e-mail financial fraud:
http://www.bbc.com/news/business-39429819
Cybersecurity firm Proofpoint reports that its 5,000 clients saw a 45% rise in BEC fraud in the last three months of 2016.

Two-thirds of these attacks used the simple trick of spoofing the email address to make it look like the message came from someone senior within the organization.

But often, if you reply to such emails, the "To" address will show a completely different domain name, or a company name that looks very similar but has an extra letter added or two letters flipped around.
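The reply-address mismatch and the look-alike domain described above are both mechanically checkable. The following is an added example (not part of the original comment or of Proofpoint's product): it parses a few constructed message headers with Python's standard `email` module, flags a Reply-To domain that differs from the From domain, and flags domains within a small edit distance of the organisation's real one, which covers both the "extra letter" and the "two letters flipped" cases. `ORG_DOMAIN` and the sample messages are assumptions made up for the demonstration.

```python
"""Flag reply-address mismatches and look-alike sender domains (BEC triage).

Added example; the organisation domain and sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the organisation's genuine mail domain


def domain_of(header_value):
    """Return the lower-cased domain part of an RFC 5322 address header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Optimal-string-alignment distance: one insertion, deletion,
    substitution or adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # flipped letters
    return d[len(a)][len(b)]


def is_lookalike(domain, target=ORG_DOMAIN):
    """True when domain is not the real one but only 1-2 edits away from it."""
    return domain != target and edit_distance(domain, target) <= 2


def check_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    findings = []
    suspects = {"From": from_dom}
    if reply_dom != from_dom:
        findings.append("Reply-To domain %r differs from From domain %r" % (reply_dom, from_dom))
        suspects["Reply-To"] = reply_dom
    for label, dom in suspects.items():
        if is_lookalike(dom):
            findings.append("%s domain %r looks like %r" % (label, dom, ORG_DOMAIN))
    return findings


# Constructed sample messages (headers only; bodies omitted).
SAMPLES = {
    "reply_to_mismatch": "From: CEO <ceo@example.com>\nReply-To: ceo@mail-example.net\nSubject: urgent wire\n\n",
    "extra_letter": "From: CEO <ceo@exammple.com>\nSubject: urgent wire\n\n",
    "flipped_letters": "From: CEO <ceo@exapmle.com>\nSubject: urgent wire\n\n",
    "legitimate": "From: CEO <ceo@example.com>\nSubject: weekly update\n\n",
}


def scan_all(samples=SAMPLES):
    """Map each sample name to its findings; empty list means nothing flagged."""
    return {name: check_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, "->", findings or "clean")
```

The edit-distance threshold of 2 is a tuning choice: it catches the additions and transpositions the comment describes without flagging every unrelated short domain, but a real deployment would also compare against a list of the organisation's partner domains.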

DroneApril 1, 2017 11:22 AM

TL;DR: A (very-likely) "April Fools" Post by The Register. Link & my-take below - or just move along now...

The Register says it is now using YOUR CPU CYCLES (unbeknownst to you) while you are on their site to Mine Bitcoin in the background via their PATENTED HTML5 method that runs in your browser. The proceeds will be altruistically used to pay for their Poor Underpaid "Journalists". The details are here:

www.theregister.co.uk/2017/04/01/invisible_bitcoin_paywall/

I wish I could read the Comments to their post, but alas I can't - because I would have to enable JavaScript to see them. I'm tempted but... Nah. In-fact, I have now decided that I will NEVER visit The Register site again FOR THE REST OF MY LIFE! I hope my decision makes the "Real-Time Malware Vultures" at The Register understand their error.

EsauApril 1, 2017 11:23 AM

RE: Ben A Setting a custom FileVault (macOS FDE) passphrase

What is being described in that blog post is called "Disk Password—based DEK". It is mentioned on the Wikipedia page on FileVault [1] and in the document "Best Practices for Deploying FileVault 2" [2].

Neither document, however, describes how to accomplish it. I had to figure it out for myself last year, although I used a bootable flash drive installer to get the process started.


[1] https://en.wikipedia.org/wiki/FileVault#Starting_the_OS_with_FileVault_2_without_a_user_account
[2] http://training.apple.com/pdf/WP_FileVault2.pdf

Dirk PraetApril 1, 2017 1:02 PM

@ Ben A.

You make an excellent point but that's not how iOS works hence why I didn't mention it.

iOS is a rather restrictive environment that doesn't let you do whatever you want. It's the Apple way or the highway. You can't even create a system-wide Tor daemon on it as you would on other platforms. That's what iCepa is trying to work around, i.e. by implementing it as an iOS VPN. It's still in alpha, though.

Currently, AFAIK, there is no reliable iOS method to VPN over Tor. But since Tor over VPN remains a bad idea anyway, you have to shop for a VPN provider that allows you to connect through a SOCKS proxy. The SOCKS proxy in this case being the Tor gateway on your LAN.

lanceApril 1, 2017 1:30 PM

@Drone
> The Register says it is now using YOUR CPU CYCLES... to Mine Bitcoin in the background... I wish I could read the Comments to their post, but alas I can't - because I would have to enable JavaScript to see them.

You can read the article without JS? All I've seen from the Register for the past few years is "Please turn JavaScript on and reload the page. DDoS protection by Cloudflare".

It's a weird idea to use as a prank because Google can find real projects claiming to do the same (some 6 years old, back when CPU mining was more practical). One claimed it was an alternative to banner ads. Older projects like hashcash used similar ideas.

mere mortalApril 1, 2017 1:43 PM

@Dirk Praet

"This is the sort of absolutist thinking that is [...] and summarize as follows: ..."

Your guidance is much appreciated. Thank you for writing that up.

mere mortalApril 1, 2017 1:58 PM

@ Dirk Praet

Also...

"6. Whatever technology you are using, pre-digital age OPSEC is your best friend."

Could you list some "pre-digital age OPSEC" topic headers that I could use as search terms to learn more about this topic. Whatever thoughts you have to get me started would be much appreciated.

Dirk PraetApril 1, 2017 2:16 PM

@ mere mortal

Your guidance is much appreciated. Thank you for writing that up.

You're welcome. It's by no means an exhaustive list, but that post was already getting much bigger than I intended it to be. There's probably two more golden tips from @thegrugq I forgot to mention:

  1. Only idiots and idealists are gonna go to jail to protect your privacy or anonymity. Corporations by definition don't give a damn about it. Expect to be ratted out by anyone who knows what you're doing.
  2. If one way or another you mark yourself as a person of interest to whatever LEA, remember that there is no such thing as a famous hacker. You're either famous or a hacker. The combination of the two is a direct path to jail.

And of course credit to @the usual suspects, our host and lots of others on this blog. I didn't just wake up one morning knowing all this stuff.

Could you list some "pre-digital age OPSEC" topic headers that I could use as search terms to learn more about this topic.

Do a search for "OPSEC" and "thegrugq".

mere mortalApril 1, 2017 2:32 PM

@ Dirk Praet

"Do a search for "OPSEC" and "thegrugq"."

Excellent. Thanks again.

Clive RobinsonApril 1, 2017 2:55 PM

@ K,

Personally, I'm skeptical. Tablets have so little room in them. Getting it to pass the turn-on test would be a challenge.

You're not quite thinking about this right...

Why put explosives "in the pad"?

If you look up the early history of what we now call "plastics" they were made from organic substances that had been subject to certain acids. For instance "Casein" was used to make buttons, knife handles, and piano keys etc. It was basically made by adding acid alcohol to milk and heating. Part of the reason casein became used for making more than buttons --which it's still used for today-- is "exploding billiard balls". A better plastic like substance was celluloid which got used for just about anything you can imagine including ping pong balls. But it has a problem... Not just is it highly flammable, it can change chemically under impact shock. Put simply it's made by taking cotton and treating it with two acids, one of which is concentrated nitric acid. This gives you various "Nitrates of Cellulose", one of which is called "Gun Cotton" and is a very powerful explosive... Thus the billiard balls turned from highly flammable celluloid to highly explosive gun cotton and scared the heck out of people who did the likes of a power "cannon shot" to discover things went bang bigtime with flaming shards of billiard ball flying around the bar room.

So you don't need to stuff the miniscule space in a tablet with explosive, when you can make a case out of explosive paint and varnish it...

The point most people have not woken up to is the shoe / pant and similar bombers never had enough explosive to do much more than make a loud bang and spread bits of them around the cabin. In all probability the shoe bomber if it had worked would have ended up as a cripple on crutches, not a martyr.

They don't have to bring down a plane, kill passengers or themselves or for that matter have anything go bang or produce smoke. People just have to read or hear three words "terrorist, plane and explosive" in a news item/article...

So a case made out of a nitrate of cellulose with a polyurethane or similar coating would be sufficient for politicians sphincters to loosen explosively and thus demands for a ban on anything cellulose or made from it etc etc, even if there was no fuse or detonator...

ab praeceptisApril 1, 2017 3:24 PM

Dirk Praet

(fictional)

I'd like to introduce myself. I'm LTC V. (name withheld) and leading the "21k dangers" group in the IT department within our national and state security directorate.

I'm glad that you recommend tor.

We, like most partners, run a rather large set of (not only) exit nodes and we grant each other access to our findings. Working together in this way we have a rather high hit rate.
But potential OOIs (objects of interest) using tor is attractive to us for another reason, too. Let me explain:

As we learn again and again by our colleagues in the national police very many simply use "standard" communication means, such as IRC or https based chats; this is true even for many of the people who are later found in front of a court bench.

From our POV there are basically 3 groups of tor users:

a) (typically small) criminals buying or selling drugs, weapons, etc. Those fall within the regime of normal police although we are sometimes asked for help. Generally though both our own and our partners' police forces have quite capable IT groups.

b) tin foil hats, i.e. citizens who have nothing to fear from us (that might be different in uk and us of a) but who for diverse reasons feel that they need good OpSec (as they think) for boringly normal everyday internet usage.

c) - and that's our main field - OOIs who use networks, in particular the internet, as a tool for crimes or for the planning and preparation of crimes (note: this also includes state actors).

I'd like to note that we simply assume that group b) is part of group c).

I'd like to close with 2 notes.

- Unfortunately we can not suggest reasonable alternatives. We simply don't know any good and reliable ones. Actually, even we ourselves have none for our work and hence work with crooks like sending police cars with DVD or reams of paper around as couriers.

- We found that, while it's next to impossible, at least currently, to create secure communication means for our state, it's quite well feasible and even attractive to considerably invest into what's commonly referred to as hacking.

Obviously I can't tell you operational details but I can tell you that using tor is a good way to end up in our files and maybe even in our interrogation facilities.

Clive RobinsonApril 1, 2017 3:47 PM

@ mere mortal,

Could you list some "pre-digital age OPSEC" topic headers that I could use as search terms to learn more about this topic

There are standard terms of reference such as "field craft", "trade craft", "Dead letter drop / box" that will usually pull in sufficient links for you then to be able to drill down or get others.

Back in 2006 the British legation in Moscow allegedly came up with a high tech dead drop, but it was made public by the Russian FSB[1].

It got a mention here,

https://www.schneier.com/blog/archives/2006/01/wireless_dead_d.html

The thing is there are two basic levels of fieldcraft, the lower level is for those with diplomatic cover or "residents" and the higher level is for the "No Official Cover" (NOCs) or "illegals".

The same applies to the likes of Law Enforcement Agents who work under cover and those under deep cover.

One main difference between the two levels is "back stopping the legend". Somebody under official cover does not really require a legend; if they get caught the worst that's likely to happen is they get expelled etc. When a NOC / illegal, if you get pulled by the police etc you need a very solid legend back stopped for several years so that all but a very intensive "first person" examination will come up OK.

Thus if you think you are ever going to require an alternative identity, the time to start it is now...

[1] Many regard the whole incident as a joke, and some say it was a lame attempt by the FSB to create some diplomatic noise. Real or not, it was a five minute wonder in the news.

tyrApril 1, 2017 7:13 PM


Your bill has been computed for security.

"Official budgetary expenditures and projections provide a snapshot of this enormous military machine, but here again numbers can be misleading. Thus, the “base budget” for defense announced in early 2016 for fiscal year 2017 amounts to roughly $600 billion, but this falls far short of what the actual outlay will be. When all other discretionary military- and defense-related costs are taken into account -- nuclear maintenance and modernization, the “war budget” that pays for so-called overseas contingency operations like military engagements in the Greater Middle East, “black budgets” that fund intelligence operations by agencies including the CIA and the National Security Agency, appropriations for secret high-tech military activities, “veterans affairs” costs (including disability payments), military aid to other countries, huge interest costs on the military-related part of the national debt, and so on -- the actual total annual expenditure is close to $1 trillion.

Such stratospheric numbers defy easy comprehension, but one does not need training in statistics to bring them closer to home. Simple arithmetic suffices. The projected bill for just the 30-year nuclear modernization agenda comes to over $90 million a day, or almost $4 million an hour. The $1 trillion price tag for maintaining the nation’s status as “the most powerful nation on Earth” for a single year amounts to roughly $2.74 billion a day, over $114 million an hour.

Creating a capacity for violence greater than the world has ever seen is costly -- and remunerative.

So an era of a “new peace”? Think again. We’re only three quarters of the way through America’s violent century and there’s more to come. "

ThothApril 1, 2017 8:02 PM

@Clive Robinson

How is your current research into the Broadcast style messaging? Would be interesting to hear about any new developments made in that area.

Here is my idea of Broadcast. Probably you can just incorporate it if you see anything you have interest in.

The Broadcast system would use P2P network that are commonly available for finding peers and maintaining connectivity. Common P2P networks like Bittorrents' DHT network and other openly accessible DHT networks can be used.

Identity can be uploaded to P2P networks in the form of session-based public certificates that are used only once. This is called a Session Certificate. The endpoint will have a long term certificate which is not immediately used until a "friend" has been established.

The broadcast messages that are intended for public will use the session-based public certificate to route "public messages". Messages will not be sent off to a single endpoint or node but will have a few nodes as target node to send off messages for routing in a "Broadcast" similar style or more accurately a Multicast.

Messages for friends will use an additional security layer. Friends are established by signing each other's private keys (and hopefully securely stored and used). When a node just connects to the network, the node will look for trusted friends on the network by doing a challenge via generating a headerless encrypted challenge to a friend which the friend will attempt to decrypt the challenge. The challenge should be small enough so that every packet sent over the network should equally be suspected of embedding a challenge for a friend to ensure that packet types be it normal public messages, F2F secure messages or F2F challenges cannot be differentiated.

Once a friend asserts that a suspected packet is a challenge, it will generate its own suspected nonces and continue to follow through the procedure of challenge and once the entire procedure is done, a F2F secure session is either established and confirmed between the two nodes or an invalid session is found and discarded.

The public message protocol will use a commonly available protocol like HTTPS as a cover and use a custom message format that has seemingly no headers similar to the F2F messages. In fact a node to neighbouring node will also initialize its own challenge and add to the neighbouring node list but not regarded as friend so that the F2F protocols are the same as the peering protocols and this makes it very hard to distinguish a peer from a friend.

There is no central authority so the public certificates downloaded into one's certificate cache should all be considered suspect. The HTTPS cover layer would use the certificates from the cache only to prevent simpler deep packet inspection techniques.

Messages can be configured to be store-and-forward over a certain amount of seconds or time and the messages can be made uniformly padded or random, whichever the user feels more comfortable and safer. By default, all messages should be random length and the store-and-forward time will also be random to simulate naturally occurring network traffic and network usage when seen from the ISP's view, since very little traffic is ever timely and uniform, which would cause the connection to be suspected.
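The "headerless challenge" idea above (every packet must be suspected of carrying a challenge, and only the intended friend can tell) can be illustrated with a small model. This is an added example, not code from the commenter or from any existing Broadcast implementation: a friend challenge is a random nonce followed by an HMAC of that nonce under the pairwise shared key, padded to a random length; a public packet is random bytes of random length. Without the key, both look like random bytes of arbitrary length, so a receiver simply tries each friend key against every incoming packet. The key names, packet sizes and the use of HMAC-SHA256 as the primitive are assumptions made for the demonstration.

```python
"""Headerless friend challenges mixed with random-length cover packets.

Added example modelling the design sketched in the comment; keys, sizes and
the HMAC-based challenge format are assumptions, not a published protocol.
"""
import hmac
import hashlib
import secrets

NONCE_LEN = 16   # bytes of fresh randomness per challenge (assumed)
TAG_LEN = 16     # bytes of truncated HMAC-SHA256 that follow the nonce (assumed)
MIN_PKT, MAX_PKT = 64, 256  # random padding keeps sizes uninformative (assumed)


def random_len():
    """Pick a packet length uniformly in [MIN_PKT, MAX_PKT]."""
    return MIN_PKT + secrets.randbelow(MAX_PKT - MIN_PKT + 1)


def public_packet():
    """A public (non-challenge) packet: random bytes of random length."""
    return secrets.token_bytes(random_len())


def make_challenge(shared_key):
    """nonce || HMAC(key, nonce)[:TAG_LEN] || random padding; no header at all."""
    nonce = secrets.token_bytes(NONCE_LEN)
    tag = hmac.new(shared_key, nonce, hashlib.sha256).digest()[:TAG_LEN]
    padding = secrets.token_bytes(random_len() - NONCE_LEN - TAG_LEN)
    return nonce + tag + padding


def detect_challenge(packet, friend_keys):
    """Try every friend's key against the packet; return the friend name
    whose key verifies the tag, or None if it is (or looks like) a public packet."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, tag = packet[:NONCE_LEN], packet[NONCE_LEN:NONCE_LEN + TAG_LEN]
    for name, key in friend_keys.items():
        expected = hmac.new(key, nonce, hashlib.sha256).digest()[:TAG_LEN]
        if hmac.compare_digest(expected, tag):   # constant-time compare
            return name
    return None


def triage(packets, friend_keys):
    """Classify a stream of packets: list of (friend name or None) per packet."""
    return [detect_challenge(p, friend_keys) for p in packets]


if __name__ == "__main__":
    # Constructed keys: in the design these come from the F2F key exchange.
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    stream = [public_packet(), make_challenge(keys["alice"]), public_packet(),
              make_challenge(keys["bob"])]
    print(triage(stream, keys))          # e.g. [None, 'alice', None, 'bob']
    print(sorted(len(p) for p in stream))  # all lengths inside [MIN_PKT, MAX_PKT]
```

The cost of this design is visible in `detect_challenge`: every node computes one HMAC per friend per received packet, so the work scales with friend-list size times traffic volume. The nonce also needs replay tracking in a real system, which the model omits.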

rApril 1, 2017 8:54 PM

@Fat Piig,

What does anyone know about any vpn short of reverse engineering or abductions?

SpookyApril 1, 2017 8:55 PM

If national governments manage to corrupt the Internet beyond all possible redemption (by turning it into a permanent surveillance network), you should not be afraid to abandon it. It is far better for the Internet to die quietly, than allow it to become an abomination used by corporate and government interests to continuously monitor, target and manipulate you. Your best strategy is not an endless series of inadequate half-measures, it is complete separation from those systems that have been intentionally turned against you.


Cheers,
Spooky

Ergo SumApril 1, 2017 9:45 PM

Some April fool humor...

The Russian Ministry of Foreign Affairs posted a spoof voicemail today:

"You have reached the Russian embassy, your call is very important to us.

To arrange a call from a Russian diplomat to your political opponents, press one.

To use the services of Russian hackers press two.

To request election interference, press three and wait until the next election campaign. Please note that all calls are recorded for quality improvement and training purposes."

For some reason, the US MSM did not find this funny. I am still laughing at the last one....

rApril 1, 2017 10:01 PM

@Ergot Sum,

Oh believe you me they thought it was funny, didn't you know it's internationololol misinformation day?

FEye wonder who gave them the idea.

Ergo SumApril 1, 2017 10:07 PM

@Spooky...

If national governments manage to corrupt the Internet beyond all possible redemption (by turning it into a permanent surveillance network), you should not be afraid to abandon it.

Correct me, if I am wrong, but...

Didn't Apple, Google, Facebook, Microsoft, etc., corrupt the internet prior to the government utilizing the vast amount of data for their surveillance needs? Not to mention that these corporations continue corrupting not just the internet, but platforms and applications as well. The best way getting plain-text data is at the point of consumption via hardware, platforms and applications on computers, tablets and smartphones. Who needs the internet, where smart people can actually develop/use encryption that would be nearly impossible to decrypt, hide their source IP, etc. Get it done on the user's system by the corporations with the help of the "call-home" feature.

I do hope that it won't be that bad, but there's little chance for that...

Pvt. YorkApril 2, 2017 3:59 AM

"If national governments manage to corrupt the Internet beyond all possible redemption..."

My thought is "the Internet" itself cannot be corrupted. After all it's just a "series of tubes". It's the people who control the internet who are the corrupters. And those same leaders, owners, managers corrupt everything they touch, including our businesses and government.

So, I think the safe bet is to assume the internet, businesses and government are all corrupt and operate from that mind set taking an occasional lapse of evil as pennies from heaven. Maybe a savior will appear to lead us from corruption, but that doesn't seem to happen often. In the meantime:

Resist. Any way you can. It means you are alive.

Thus ends my sermon. Pass the plate.

Spooky and da GroupiezApril 2, 2017 5:09 AM

@ab praeceptis

You forgot Tor user group D:

d) Malcontents who like to shaft the corporate scum (Google, all ISPs et al.) hoovering up all bits on the internet as a means to profile every single connected mouth breather and make money from selling their personal data and communications to the highest bidder for advertising purposes.

Oh yeh - we know this attracts spooks like flies to shit, but we just don't care. If you hadn't noticed (PRISM, XKeyScore, BoundlessInformant etc etc) -> we're all targets now coz (drum roll) "Terrorism!" TM.

So, spooky and da groupiez can work for the data, instead of it being handed on a silver platter. They can pin a silver star on their breast when they retire in 30 years and tell themselves the lie they protected da Homeland (not helped to create a turn key totalitarian state), when we all know that is bullshit based on available data.

DroneApril 2, 2017 6:05 AM

@lance

"You can read the [Register] article without JS? All I've seen from the Register for the past few years is "Please turn JavaScript on and reload the page. DDoS protection by Cloudflare"."

Yep I can read The Register posts OK with JS blocked, but not the comments. I have FireFox running in Linux Mint with the NoScript plug-in enabled and the NoScript white-list emptied out entirely. I don't see Cloudflare trying to run in the top-layer list of blocked scripts at all, just theregister.co.uk and regmedia.co.uk. I'm in S.E. Asia so it may have something to do with how their CDN is set up out here. I've seen that happen before. For example, to get Disqus to work I have to enable more nested CDN sites than people in the U.S.

ab praeceptisApril 2, 2017 6:16 AM

Spooky and da Groupiez

No, your group d) is part of my group b). And please kindly note that my post was written from the spook perspective, not from mine.

As for "let them work for their money" - a) it's *ours*, we, the taxpayers pay for that, b) forget it. tor is a crap pile.

To make your day funnier: There seems to be only one solution, now, namely to have more secure hardware and software that is designed and implemented better than the crap 99.9% of Joes and Janes are to do with.

What "we" are producing is known: crap. Maybe we should be worried about what they can produce - and why we, who pay for all that, don't get to use it.

JG4April 2, 2017 7:28 AM


some humor to brighten your day

https://www.wired.com/2017/02/famed-hacker-kevin-mitnick-shows-go-invisible-online/

http://www.nakedcapitalism.com/2017/04/links-4117.html
...
Big Brother is Watching You Watch

Marble Framework WikiLeaks. Bill B: “‘Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.’ This is why attribution is a lost cause despite the assurances of security vendors and government spies. Operational signatures can be mimicked, attacks staged, and forensic artifacts forged. All to the greater glory of U.S. foreign policy objectives. Welcome to the wilderness of mirrors.”

https://wikileaks.org/vault7/?marble#Marble%20Framework

WikiLeaks says CIA disguised hacking as Russian activity Daily Mail Online (martha r)

http://www.dailymail.co.uk/news/article-4367746/WikiLeaks-says-CIA-disguised-hacking-Russian-activity.html

WikiLeaks Assange’s fate hinging on close Ecuador election this Sunday Fox (furzy)

http://www.foxnews.com/world/2017/03/31/wikileaks-assanges-fate-hinging-on-close-ecuador-election-this-sunday.html

Two Middle Eastern airlines are loaning laptops and iPads following electronics ban Verge (resilc)

http://www.theverge.com/2017/3/30/15127916/laptop-ban-qatar-etihad-airways-loaner-ipad

Russia and China Catch Security Council in a Devastating Lie Russia Insider

http://russia-insider.com/en/russia-china-call-wests-bluff-uk-rejects-resolution-investigate-allegations-chemical-weapons-used

Clive RobinsonApril 2, 2017 8:07 AM

@ Pvt. York,

My thought is "the Internet" itself cannot be corrupted. After all it's just a "series of tubes".

Whilst it is a collection of "tubes" you have to consider the topology they are arranged in.

With few exceptions economics and history have dictated a more or less "All roads lead to Rome" configuration with the US sitting like the proverbial "black widow spider" in the middle.

Dirk PraetApril 2, 2017 8:45 AM

@ab praeceptis

There seems to be only one solution, now, namely to have more secure hardware and software that is designed and implemented better than the crap 99.9% of Joes and Janes are to do with.

Which is not going to happen overnight - if ever - so Tor, Signal and VPNs is what the average user pushing back against corporate surveillance at least for now is stuck with.

Whatever the resources of the Five Eyes and the attention using Tor and VPNs may draw, I have no knowledge of any current capability to unmask in real time all Tor traffic at any given time for further collection, storage and analysis. And even if they could, it would be a massive waste of resources, not to say an exercise in futility. Using Tor or ad blockers in itself is NOT a crime.

Frankly, I do not understand your relentless Tor bashing as - despite all of its deficiencies - what we've got here is a perfect use case scenario. In today's hyper-connected world, it doesn't make sense to let an ordinary user choose between either getting off the grid or surrender any and all privacy and anonymity when there are tools to at least mitigate the digital trail you leave whenever going online.

Of course Tor is not a perfect solution. But if my choice is between an imperfect solution and no solution at all, then I'll always go with the first option. Your mileage may vary.

WinterApril 2, 2017 9:56 AM

"Frankly, I do not understand your relentless Tor bashing as - despite all of its deficiencies - what we've got here is a perfect use case scenario. "

Maybe, just maybe, the use of tor does make his work too difficult to actually eavesdrop on everyone?

What would those wanting to eavesdrop on everyone say about a method that defeats them, even partially? Dissuade people from using it, of course.

This is the same argument that was used to get people off using https before Snowden showed why you should use it.

Unless people can come up with real statistics that random ISPs, companies, and police forces can reliably crack browsing sessions with tor, I will keep using it, and advise others to do so with caution. And if I am targeted by the NSA and their ilk, why bother NOT using it. If it cannot protect me, it can make their lives a little harder.

John GaltApril 2, 2017 10:43 AM

@ THOTH

[[[ "TRUSTZONE" --- OFFICIAL LITERATURE -- The primary security objective of the architecture is actually rather simple; to enable the construction of a programmable environment that allows the confidentiality and integrity of almost any asset to be protected from specific attacks. A platform with these characteristics can be used to build a wide ranging set of security solutions which are not cost-effective with traditional methods. ]]]

Microcode Based Rootkit.

Unstoppable.

Clive RobinsonApril 2, 2017 1:15 PM

@ JG4,

Marble Framework WikiLeaks. Bill B: “‘Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.’ This is why attribution is a lost cause despite the assurances of security vendors and government spies. Operational signatures can be mimicked, attacks staged, and forensic artifacts forged.

I've been saying this for some time on this blog as have a couple of others... But there have been several who have insisted we are wrong...

I wonder if they are going to apologize or just hide away for a while and say nothing as they have in the past...

John GaltApril 2, 2017 3:33 PM

[[[ I wonder if they are going to apologize or just hide away for a while and say nothing as they have in the past... ]]]


They'll blame the Russians... just like the DNC who had Hosted Exchange email at AppRiver.

The DNC was NOT hacked. That's why "CrowdStrike" only reviewed the DNC workstations AND... the DNC ** DID NOT ** permit their server(s) to be analyzed. Why? Cuz the DNC didn't have any servers!

But, I am pretty sure I know where the emails really came from. Would you like my forensic analysis? It wasn't Russians.

Let's start a nuke war over this, right?

AnuraApril 2, 2017 4:15 PM

@Clive Robinson

I've been saying this for some time on this blog as have a couple of others... But there have been several who have insisted we are wrong...

I wonder if they are going to apologize or just hide away for a while and say nothing as they have in the past...

There was a disagreement over whether the CIA used string obfuscation in their malware?

John GaltApril 2, 2017 5:52 PM

[[[ We have the Feds going after kids for developing code. ]]]

Maybe the FBI can arrest Bill Gates because hackers use Windows and Remote Desktop Client.

Maybe the FBI can arrest the people at Puppet Labs and TeamViewer, too. Hackers use them, too.

ab praeceptisApril 2, 2017 6:36 PM

Dirk Praet

"relentless tor bashing" - No more relentless than the relentless "tor is what we have and what can save us!" appraisals.

But OK, let's have a look.

"perfect use case scenario." - Is that so? So, tell me, what is the "perfect use case scenario" - is it protecting communication or is it protecting source-target info or is it maybe more about protecting servers selling drugs or weapons?

I would have an easier time looking at your claims if tor at least had a *clear profile or use case* rather than, as Joe and Jane (not completely unjustifiably) assume, being "the secure internet thing".

With all due respect, I do not even recognize our host (whom I consider being one of the foremost experts) being on some tor board as a plus, as I fail to see concrete contributions or the tor project even just carefully listening to what Bruce Schneier (reasonably and correctly) "preaches". All in all I take his name being involved there merely as a sign of activism along the lines of "we must work towards a more secure world". Moreover it's well known that projects, particularly those related to certain circles are in the habit of getting big names on board.

OK, so let's look at the technical merits - which is a rather short trip. I'll name just two major problems:

Just recently the tor developers showed an interest, possibly even an intention, to get away from C so as to get a safer and more trustworthy code base. And what did they consider? go and rust. Uhum.
That clearly shows that they failed to understand properties of major importance to their work. It comes down to the (very poor) "better C" approach. Let's not talk around it: Anyone using C for anything other than low level stuff (and then with proper spec. and at least acsl annotated and checked) is *not* really concerned about safe code, simple as that. I'll spare you the question of proper specs, let alone verifiability ...

It's relying much on ssl. No need to say more. All in all tor probably creates more problems than it promises to solve.

Sorry, I'm getting tired of the "but! but it's all (or "the best") we have" line.

Clive RobinsonApril 2, 2017 6:38 PM

@ Dirk Praet, ab praeceptis, Winter,

Frankly, I do not understand your relentless Tor bashing as - despite all of its deficiencies - what we've got here is a perfect use case scenario.

I likewise do not like recommending Tor, and I think I had better explain why.

The history of technology with respect to security shows that at least two bad effects happen:

1, People do/can not upgrade.
2, Due to 1 fallback issues arise.

Thus we end up with a number of insecure systems that hang around for significant lengths of time due to 1. But rather than deal with replacing those the market provides systems with "backwards compatibility" prolonging the issue. But in the process others use the systems with "backwards compatibility" the market provides. Thus larger numbers of new systems have the old vulnerability "built in".

Unfortunately due to supposed "ease of use" issues the new systems will in all probability be designed to "auto negotiate". Which allows a man in the middle attack or similar to force the new system to "fallback" and the vulnerability to be accessible in systems that would otherwise not have been vulnerable.

Tor has known issues, but to gain market share new systems will have to be compatible. Which will mean unfortunately, with a high probability, the known issues of Tor will become "built in" to new systems. If they do, the Tor issues will become perpetuated considerably longer than they would otherwise be.

This "built in" issue with technology is a lot worse with the Internet because it does not have a "distance cost metric". In conventional markets the distance cost metric means that several solutions to the same problem can arise because the cost of moving a physical solution reduces the profit and thus puts a bound on how big the market is. With the Internet the distance cost metric is so small that it results in the entire Internet being "local" at any point. Thus first to market is often the only solution provided they continue to keep developing new features etc (hence Microsoft, Oracle, Alphabet, Facebook, Twitter etc). It's only when something is sufficiently different to the current incumbents that it creates the equivalent of a "new" product which in turn creates its own market, at which point an incumbent usually makes a sufficiently large offer that it acquires the market (rather than the actual product).

Thus we are kind of stuck with Tor and its known deficiencies, rather than having competing products with different views on how they want to address security that don't have the same deficiencies...

Thus rather than recommend Tor in general, I only say what it works for or does not work for.

As I've indicated on another thread,

https://www.schneier.com/blog/archives/2017/03/congress_remove.html#c6749563

There are things that a service provider can do "at the next node upstream" such as datagram tagging that will deanonymize traffic through a Tor node under certain minimal conditions. There are ways mixnets etc can alleviate this and similar problems that will arise with Tor in the future due to some of its fundamental architecture choices.

My personal preference is for Tor to fix these problems rather than have a competitor divide the market with an incompatible product.
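As an added illustration of the auto-negotiate fallback point made in the post above (example code written for this thread, not from the post and not Tor's own code): a toy version negotiation in which a constructed man-in-the-middle rewrites the client's offered version list. The naive server accepts the downgrade, while binding the offer list as received into an authenticated transcript (an HMAC under a shared key stands in for the server's handshake signature) lets the client tell a genuine legacy peer apart from a forced fallback.

```python
import hashlib
import hmac

# Constructed version labels, highest first. "v1" plays the role of the
# legacy version whose known weakness stays "built in" for compatibility.
SUPPORTED_VERSIONS = ["v3", "v2", "v1"]


def negotiate_naive(client_offer, server_supported):
    """Plain auto-negotiation: highest version present on both sides.

    The server only sees what arrives on the wire, so an offer list that
    was rewritten in transit silently yields the lowest common version.
    """
    for version in SUPPORTED_VERSIONS:
        if version in client_offer and version in server_supported:
            return version
    raise ValueError("no common protocol version")


def mitm_strip(offer, keep):
    """Constructed man-in-the-middle: forward only the versions in `keep`."""
    return [v for v in offer if v in keep]


def _transcript(offer_seen, chosen):
    # The transcript covers the offer exactly as the server received it.
    return (",".join(offer_seen) + "|" + chosen).encode()


def server_hello(offer_seen, server_supported, key):
    """Server reply: chosen version plus an authenticator over the transcript.

    `key` is an assumed pre-shared key; in a real handshake the server's
    signature over the transcript provides the same binding.
    """
    chosen = negotiate_naive(offer_seen, server_supported)
    tag = hmac.new(key, _transcript(offer_seen, chosen), hashlib.sha256).digest()
    return chosen, tag


def client_verify(original_offer, chosen, tag, key):
    """Client check: recompute the authenticator over the offer it really sent.

    If anything in the middle changed the offer, the transcripts differ and
    the fallback is rejected even though `chosen` is a version the client
    would otherwise have accepted.
    """
    expected = hmac.new(key, _transcript(original_offer, chosen), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def run_handshake(client_offer, server_supported, key, attacker_keep=None):
    """Run one negotiation; returns (chosen_version, client_accepts)."""
    offer_seen = client_offer if attacker_keep is None else mitm_strip(client_offer, attacker_keep)
    chosen, tag = server_hello(offer_seen, server_supported, key)
    return chosen, client_verify(client_offer, chosen, tag, key)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    offer = list(SUPPORTED_VERSIONS)
    # Both sides modern, no tampering: v3, accepted.
    print(run_handshake(offer, SUPPORTED_VERSIONS, key))
    # Genuine legacy server that only speaks v1: v1, accepted (legitimate fallback).
    print(run_handshake(offer, ["v1"], key))
    # Modern server, but the offer was stripped to v1 in transit: v1, rejected.
    print(run_handshake(offer, SUPPORTED_VERSIONS, key, attacker_keep=["v1"]))
```

The naive negotiation alone cannot distinguish the second and third runs; only the authenticated transcript does.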

Here we go againApril 2, 2017 10:13 PM

This technical perfectionism boils down to Resistance Is Futile. Of course states can throw money and talent at your privacy, and eventually breach it. It does not follow that you should choose to be the soft target.

There are two fallacies of composition embedded in cavils like C is no good or SSL sux. First, the user is viewed in reductive isolation. If the user is a needle in a haystack, cost/benefit constraints apply. Search consumes resources. Even if it's automated, it consumes resources - the balance of initial and recurring cost varies, that's all. Overreaching states attack association, not individuals. Individuals in association defend themselves collectively.

Second, Tor is viewed in isolation. Tor is complemented and supplemented by multiple technical and procedural privacy protections. Diversifying privacy protections means that states need the much scarcer resources of TAO, or Humint, which do not scale. Tor alone is not a panacea. Duh.

So use what protection you can get and encourage your associates to use it, in diverse ways. If they want to sniff your panties, make them work for it.

Tor worked for Snowden, the canonical threat, the Ur-target. It worked for Hal Martin for years. Giving heroes like that a crowd to hide in is simply your civic duty.

SpookyApril 2, 2017 11:35 PM

@ Elf Spice,

What a sad situation, I hope Huddleston eventually prevails. Would that they would prosecute the developers and users of XKeyscore with the same zeal. In contrast to a garden variety RAT, Xkeyscore was designed (and actually used) for the express purpose of bypassing the constitutionally protected rights of several hundred million US citizens (including sitting members of the judiciary and legislature). Not a criminal act, apparently...


Cheers,
Spooky

ab praeceptisApril 2, 2017 11:49 PM

Here we go again

You are based on a series of assumptions which may or may not be true. As OpSec is not based on good weather but on hail-storm days we have to assume that your assumptions are not true.

"Snowden did" - maybe he did, maybe not. Intelligence agencies don't play by common rules and lots of strange things are going on. It might, for instance, be more attractive to look like an idiot and to not let the world know about your capabilities. "Snowden successfully used XYZ" sounds nice and gives hope - but it's not a verifiable proposition.

And then there is the issue that "XYZ can't be cracked, at least not in virtual real time or on a massive scale" is but an assumption. And even if you could prove - and you can not - that it's true today that tells us precious little about tomorrow.

Not even talking about (xyz)ssl/tls, which has shown itself to be crappy over and over again (and is used in tor, too). Tor runs on nodes, and nodes are? Right, crappy boxen with OSs that are everything but reliable and safe. And it runs over networks that are built upon? Right, crappy routers and other systems.

You see, if it is to mean anything then "xyz is secure" must be more than religious blabla. It must be built on certain properties that are reasonably checked.

When we build a bridge, we don't say "It's safe!" just because we believe so or because a famous man, say, Bruce Schneier, was on its advisory board. No, we say that because it was properly specified and based on proper research of the underground, environment, etc. and because it was built according to reasonable and well established standards and because an independent assessment of all the work (incl. the planning) by an external expert party has been positive.

In IT we are very lousy bridge builders. For us "but I saw Bruce Schneier's face on their web page" *is* some kind of "quality certificate" and we build bridges using utterly poor material and tools, etc.

If tor is a religious thing for you, fine with me; you believe whatever you please. But if we are talking as professionals then I'd expect adequate statements - similar to what I expect from bridge or ship builders.

Show me in a way that is adequate for engineers that tor is reasonably secure. After all I offer professional statements, too, and not merely belief.

What tenable statements can you offer concerning the hardware, the OSs, the libraries, ssl/tls, what tenable statements can you make about C code?

Well noted, I do not ask for that evil spirited. I *am*, for instance, ready to accept that code in rust *can* offer much better quality than C code. But let me give you an example: These days I'm working on re-implementing some nice and fast prng that has attractive qualities and looks solid as far as the math behind it is concerned. But code is *implemented* algorithms. So - quelle surprise! - I found an off-by-one error right away that could and would have been caught even by very old Pascal compilers. So, kindly stop implying that C is great and that I am merely on some kind of vendetta. That's bullshit.

ab praeceptisApril 3, 2017 2:11 AM

As we are just talking about tor and accomplices ...

Jamie Zawinski (ex-Netscape) -> https://www.jwz.org/blog/2017/03/signal-leaks-your-phone-number-to-everyone-in-your-contacts/

Amuse-gueule: When you install Signal, it asks for access to your contacts, and says very proudly, "we don't upload your contacts, it all stays on your phone."

And then it spams all of your contacts who have Signal installed, without asking you first.

Happy sailing with an utterly leaking boat ...

Clive RobinsonApril 3, 2017 3:55 AM

@ ab praeceptis,

And then it spams all of your contacts who have Signal installed, without asking you first.

Tut tut, I really should remonstrate with you ;-) Don't you know that's a "Usability Feature" to aid users to make Signal a better experience...

Joking aside this sort of misbehaviour happens all the time...

Anyone remember "LinkedIn"? They pulled the same spam-your-contacts trick. They later apologised --sort of-- after it had significantly grown their business. Then of course they had to apologise --sort of-- yet again after each of their planned actions caused more security vulnerabilities and losses.

But for them it appears that they followed the maxim of "All news is good news", even when it was completely shameful. Which made people wonder if they were doing it on purpose...

It looks like Signal is trying to emulate the same tactics to grow their product usage/market... Does not inspire confidence really.

ThothApril 3, 2017 4:53 AM

@Clive Robinson

re: Contact List Spamming

I did think of using a sort of separate workspace along the lines of the modern "Enterprise Container" concept to encrypt the phone contact list and only give access to it to certain apps.

It might be useful if the user knows how to swap contacts into the container to prevent apps from listening and accessing it but I guess nobody would be bothered enough to do so. I brought this idea to my previous employer but it did not gain traction and was never attempted anyway.

Regarding Signal, Signal ain't all angels as many Signal fanbois may like to put it. Just like any product, and products of a corporate company, it needs to feed its employees and one way to do so is to simply collect one's telephone list, although Signal claims the contacts collected are hashed and not plain. Who knows what's really going on behind the scenes. Signal does not inspire confidence either once someone decides to sift through the details and uses a paranoid point of view like us.

Any privacy and security hoped to be achieved via smartphones is simply pointless and this point never ever goes into people's thick skulls somehow as they tout the benefits of Signal, ChatSecure (another phone "secure" IM and installs a smartphone version of TOR and touts MILITARY GRADE SNAKE-OIL !!!) and so on...

To put it in a very crude and very disgusting way for many people's taste buds, probably they might learn a thing or two (hopefully) only when their "secure" chat gives them up to certain "interested parties" that decide to put their mortal life to an end (i.e. with a kinetic projectile or some lethal means) and hopefully at that time of their last breath, they might or might not realize that those tools they thought were to secure them from being hunted down because of their political activism fail them against certain agencies that wish to silence their critics in not so friendly ways.

Link:
- https://chatsecure.org

ab praeceptisApril 3, 2017 4:54 AM

Clive Robinson

But! But, it's foss and ev-er-y-bo-dy of course reads and checks the sources, so confidence isn't needed!1!

On a more sad/serious note, that's a classical situation for "thanks, your honour, no more questions".

But I don't expect the religious believers to start thinking rationally, let alone like engineers. They'll continue to be pissed off and to explain to us the amazing world of security and safety and, of course, how trustworthy their voodoo is ...

CzernoApril 3, 2017 6:21 AM

@ ab praeceptis :
«It [Tor]'s relying much on ssl. No need to say more. All in all tor probably creates more problems than it promises to solve.»

I think you already said that earlier once at least; with due respect it's *wrong*, Tor does not use SSL and Tor encryption is nothing to do with SSL.

ab praeceptisApril 3, 2017 6:36 AM

Czerno

Directly from the (up to date) official tor faq (->https://www.torproject.org/docs/faq.html.en):

If your Tor relay is using more memory than you'd like, here are some tips for reducing its footprint:

...
If you're running a fast relay, meaning you have many TLS connections open, you are probably losing a lot of memory to OpenSSL's internal buffers (38KB+ per socket). We've patched OpenSSL to release unused buffer memory more aggressively. If you update to OpenSSL 1.0.0 or newer, Tor's build process will automatically recognize and use this feature.

Dirk PraetApril 3, 2017 7:36 AM

@ Clive

Thus rather than recommend Tor in general, I only say what it works for or does not work for.

I believe we are on the same page here.

There are things that a service provider can do "at the next node upstream" such as datagram tagging that will deanonymize traffic through a Tor node under certain minimal conditions.

Which will require additional effort on their behalf, and may - or may not - be subject to legal action on behalf of users and civil liberties organisations.

@ ab praeceptis

So, tell me, what is the "perfect use case scenario"

I think I have been perfectly clear about this: pushing back against corporate surveillance and tracking. Which goes for both ISPs and the Googles and Facebooks of this world.

There is no such thing here as a "religious belief" that somehow Tor, Signal or whatever other tool are magic bullets. That's a straw man argument. They're tools that - when used properly and in combination with others - mitigate against mass surveillance by some actors while offering little to no protection against targeted surveillance by others. No more, no less.

When somebody is eating his soup with a fork, you tell him to use a spoon instead. When he's also using the spoon to try and cut his steak, you tell him to use a knife. What you don't do is tell him that the spoon is utterly useless and that he should either continue to use the fork or not eat the soup until someone comes up with a tool that can be used to eat both.

Blind promotion of Tor et al as one-size-fits-all security solutions is a horribly wrong message to send anyone seeking better online security, privacy and anonymity. But so is telling them they should just continue business as usual until the mystic arrival of a brave new IT world rebuilt from scratch.

Your "resistance is futile" position is unreasonable to the point that I'm not even surprised that people like @Winter are starting to suspect ulterior motives.

... there is the issue that "XYZ can't be cracked, at least not in virtual real time or on a massive scale" is but an assumption. And even if you could prove - and you can not - that it's true today that tells us precious little about tomorrow.

There is no reason to believe that TLAs are currently able to massively deanonymize Tor traffic on the fly, let alone ISPs or combined with a VPN. If you want to use that as an argument not to use Tor, then the burden of proof is actually on yourself, not on me.

What you are suggesting here is that we should also give up certain types of encryption because it could be broken by quantum computers in some foreseeable future. That's racing beyond technology, and not helping anyone. From a military vantage, underestimating your enemy leads to certain defeat. Overestimating him equals surrender to slaughter or slavery.

When we build a bridge, we don't say "It's safe!" just because we believe so or because a famous man, say, Bruce Schneier, was on its advisory board.

Let me offer a counter example. When at the end of WWII the allies against the odds captured the Ludendorff bridge at Remagen, it was badly damaged after a failed German attempt to blow it up. Though in really bad shape, engineers stabilized it as much as possible, which allowed six divisions to cross the Rhine until it collapsed ten days later. In parallel, the sappers constructed a pontoon bridge. General Eisenhower later described that battered and arguably very insecure bridge as "worth its weight in gold".

Am I correct in assuming that under your command nobody would have crossed the Rhine until a new up-to-specs bridge would have been completed, probably prolonging the war for several weeks or even months?

HWGAApril 3, 2017 9:36 AM

@a.p. you have done me the honour of crediting me with lots of things which I was not clever enough to say and painstakingly debunking them: A categorical statement that something cannot be cracked, when Who cares, macht nichts. A statement with Snowden in the subject, conditioned on elaborate conjecture about his true, hidden role, when Snowden was actually the predicate. A religious affirmation regarding Tor. A statement that C is great. An accusation regarding a vendetta against some sort of eye-glazing technical minutia that no one on earth cares about. All straw-manning in questionable faith.

You are fixating on individual components, when protection comes from systemic reliability based on the topology of serial or parallel components, and from the ineluctable rules of hide and seek, which are inherently probabilistic. And anyway, the system is not the network of gizmos. The system is the outraged population of a criminal state.

Tor did nothing for Snowden because Greenwald was a technical boob. But Tor worked for Snowden once he got referred to Laura Poitras (a high-profile target herself, by the way.) Tor worked for Snowden - in conjunction with GPG, and CIA tradecraft, and practical knowledge of NSA's profound ineptitude. Tor worked for Snowden, a key employee in a position of trust - once he withdrew to the margins of a far-flung, sprawling, unmanageable conglomeration of beltway bandits. Tor worked for Snowden because intelligence agencies were full of people with grave ethical misgivings about criminal conduct by the state. Tor worked for Snowden because the US government was discredited and held in contempt worldwide.

Ouch BruceApril 3, 2017 11:17 AM

That squid link leads to an eBay page with some seriously NSFW images.

keinerApril 3, 2017 11:35 AM

Idiotz as far as the eye can see....

https://www.euractiv.com/section/data-protection/news/eu-to-propose-new-rules-on-police-access-to-encrypted-data-in-june/


Other question:

Wouldn't it be nice to locate any computer (with wifi card or any kind of "antenna" built in to the motherboard) based on the network grid of wifi access points around it? By knowing the locations and signal strength of all networks in the neighborhood/country you could approximate the location of a computer, I guess?

Google Earth was caught in the act some years ago while taking pictures also mapping all wifi networks (and GPS data anyway :-D ) . So would be a nice data tool if your wifi driver leaks the networks around its current location, let's say via Windows telemetry?

Anything known about something related?

ab praeceptisApril 3, 2017 3:03 PM

Dirk Praet

pushing back against corporate surveillance and tracking

More of a side effect. There are better ways, mostly in the form of http-related tools as well as of a behavioural nature. And, of course, staying away from them as far as possible.

There is no such thing here as a "religious belief" that somehow Tor, Signal or whatever other tool are magic bullets.

That might be true here, to a degree. In more general IT fora, however, as well as in even way more not IT related ones, tor *is* praised as a magic bullet. I've seen many, many posts à la "use tor and be secure!".

Your "resistance is futile" position is unreasonable to the point that I'm not even surprised that people like @Winter are starting to suspect ulterior motives.

As you bring up that guy, frankly, I just thought "idiot!" and deemed him not worthy of an answer. And now I think just the same ("idiot!") about you; not generally but regarding tor. I know that you are intelligent and that you can do much better than ad hominems of the lower kind.

And btw: I have evidence on my side and I try to put things in an objective way; I don't just take a religious position and ad hominems and name dropping when the ice gets thin.

There is no reason to believe that TLAs are currently able to massively deanonymize Tor traffic on the fly

Let me help you out: "there is no reason to believe (that sth. isn't secure, in this case)" should be left to auntie Hilda pondering whether she should (or must not) lock the garden hut.

In our field a) we are not in the business of *believing* (as related to security) b) we f##cking **always** assume that security isn't a given, unless we have solid evidence of the contrary. c) see below.

If you want to use that as an argument not to use Tor, then the burden of proof is actually on yourself, not on me.

Nice try, but you see, this is not a pro- or anti-Trump discussion but one about our field. Please, keep that in mind and act accordingly.

Your statement is gravely flawed and you are trying to play it as if you said earth is a sphere (as everyone knows) while I say it's flat. Doesn't work because there is a grave difference: "Earth is a sphere" is established science, "tor is secure", however, is but something you (and many others) like to believe.

It's quite simple, actually: Can you reasonably submit that tor is secure? Based on what?

What you are suggesting here is that we should also give up certain types of encryption because it could be broken by quantum computers in some foreseeable future

Bullshit! What I say is that there is still no proof that tor is secure - while there is quite some evidence showing it to have major flaws. Here and now.

Remagen bridge

Contrived example, but probably showing quite well how you and many tor users feel.

We are not in a war zone, we have other "bridges", and maybe a bridge is the wrong option anyway.

I'm bewildered to see a man like you getting so personal and sectarian.

I'm still waiting for tenable evidence of tor's security. "We are under fire and must, must have some defense" does *not* prove tor's security.

Sancho_PApril 3, 2017 5:43 PM

Re: Tor

@Dirk Praet

”I think I have been perfectly clear about this: pushing back against corporate surveillance and tracking. Which goes for both ISPs and the Googles and Facebooks of this world.”

+1

@ab praeceptis

Rude postings don’t substitute for content.

rApril 3, 2017 5:57 PM

Mere https is hardly effective against corporate bots and spies, you really believe a single layer to be effective against the likes of our much more than average information store providers?

I'll third this seconding of my first.

Dirk PraetApril 3, 2017 6:05 PM

@ ab praeceptis

I don't just take a religious position and ad hominems and name dropping when the ice gets thin.

But that's exactly what you are doing. I didn't say I agreed with @Winter's suggestion, just that I understand why some people are finding your position rather peculiar. And no one but you is using words like idiot and bullsh*t.

Can you reasonably submit that tor is secure?

That is not the question. The question is "against what". As long as you cannot or will not differentiate between different opponents, it's pretty much pointless to continue this discussion.

Let's just leave it at this. I guess we both have better things to do.

ab praeceptisApril 3, 2017 6:35 PM

@Sancho_P

So, what keeps you from providing content?


@Dirk Praet

He didn't simply "find my position rather peculiar". He implied that I'm on the evil side. It doesn't get much more dirty than that.
*Of course* Sancho_P didn't notice that and preferred to accuse me of what not.

"(Me) Can you reasonably submit that tor is secure?
(You) That is not the question." - of course, it is. That's what many evangelists preach and hence what is to be demonstrated.

"As long as you cannot or will not differentiate between different opponents ..." - Pick your choice. And then kindly provide evidence for tor providing security against that threat of your choice.

You are bound to fail - not because you are dumb (you aren't) but because there is no foundation.

You see, if anyone asked me whether one should protect people from large corps tracking, or about wanton and hardly legitimate eavesdropping, or ... I'd clearly say yes.
So I *agree* that what tor is said to deliver is desirable. I disagree, however, that tor actually does deliver that. Even worse, I submit that providing that security either never was tor's real intention or else that they were designing it very poorly.

And I have evidence for that: tor is a closed system. Unlike the http world and others who *must* work with ssl/tls, tor is on all involved nodes from start to end. So they *could* have avoided ssl/tls which was well known to be a nightmare and of poor quality.

They could have started fresh, using well researched and well established algorithms. They could have properly spec'd and they could have used a language better suited for that field, say Ocaml (to avoid being accused of Ada evangelism); that would have been easy as pretty much every language would have been a better choice than C.

But they didn't. They chose C and they chose ssl/tls.

You are free to show me proper specs for tor. You are free to show me how they at least undertook best efforts to create safe code, say by any reasonable means to statically verify it. But you can't because they didn't.
As I mentioned earlier it is only now that they are making first attempts to rewrite (portions of?) it in rust. Don't you get it? That's a confession that their current code base - according to their own estimation - is plagued by pointer related problems and that they do not trust their code base.

So, no, I do not need to differentiate between opponents because, no matter the opponent or the use case, tor can *not* be shown to be safe and secure - or to provide any reasonable protection against anything.

Slime Mold with MustardApril 4, 2017 5:06 AM

@Dirk Praet

"When somebody is eating his soup with a fork..."

You don't have "sporks" in Belgium?
https://en.wikipedia.org/wiki/Spork
; >

Of course you are correct, they are useless.

Sorry to be picky, but the US Army calls us "Combat Engineers", or just Twelve Bravo if you like. "Sappers" sounds so, well, sappy.

Slime Mold with MustardApril 4, 2017 6:00 AM

Concerned about being tracked online? This may expand your threat matrix.

Employees get implanted with microchips
http://www.cbsnews.com/news/cyborgs-at-work-employees-getting-implanted-with-microchips/

"The company offers to implant its workers and startup members with microchips the size of grains of rice that function as swipe cards: to open doors, operate printers, or buy smoothies with a wave of the hand....
.........
Sandra Haglof, 25, who works for Eventomatic, an events company that works with Epicenter, has had three piercings before, and her left hand barely shakes as Osterlund injects the small chip.

'I want to be part of the future,' she laughs"

Oh, she is, she is.

JG4April 4, 2017 6:46 AM


http://www.nakedcapitalism.com/2017/04/links-4417.html
...
Big Brother is Watching You Watch

AIG taps into consumer fears with new cybersecurity product Reuters (Chuck L). You cannot make this up. The answer to deficient products (in this case hackable software and devices) isn’t to make the manufacturer liable or have the Feds all over them to get them fix the problem. It’s another level of grifting called insurance (although in some cases the insurer will seek to recover from the tech co).

http://www.reuters.com/article/us-usa-insurance-cyber-idUSKBN1751E0

Trump Transition
...

Blackwater founder held secret Seychelles meeting to establish Trump-Putin back channel Washington Post. Note the Post has to concede that there’s no evidence Prince was authorized by anyone on Team Trump. Looks like an entrepreneurial/influence currying effort to me.

https://www.washingtonpost.com/world/national-security/blackwater-founder-held-secret-seychelles-meeting-to-establish-trump-putin-back-channel/2017/04/03/95908a08-1648-11e7-ada0-1489b735b3a3_story.html

Dirk PraetApril 4, 2017 7:53 AM

@ ab praeceptis

I submit that providing that security either never was tor's real intention or else that they were designing it very poorly.

It would appear that there is some common ground between us after all.

Although I cannot look into the heads of the Tor development team, I think it's a more than reasonable educated guess that they first and foremost had anonymity against state surveillance in mind. Although rerouting of traffic to hide its origin conceptually is a sound idea (cfr. cypherpunk remailer networks), there is no discussion that both design and implementation suffer from serious flaws and deficiencies. @Clive and others have pointed those out in the past, and in great detail. There's also plenty of papers out there describing the same. On that subject matter, there is no discussion.

While some of these have been, are being, or will be addressed in some foreseeable future (e.g. C -> Rust), Tor developers have made it clear that others (padding, latency) will not because it would negatively affect UX (as in speed and bandwidth usage). Which makes Tor vulnerable to traffic analysis, especially by those who control exit nodes. Add to that peripheral problems like DNS-leaking and crappy browser plugins giving away your original IP anyway. Is this my idea of a "secure implementation"? It most definitely is not.

Tor's biggest marketing boost came with Snowden and the NSA slide that described Tor, PGP and some other utilities as a pain in the lower backside. Which, at least in my eyes, elevates it to a different level than the "utter cr*p" you designate it as. It's reasonable to assume they have meanwhile developed more advanced capabilities, and we know for a fact that even the FBI has been successful in deanonymizing Tor users (Silk Road, CMU etc.).

The implication thereof being that no one in his right mind can currently consider Tor as an effective means to protect against targeted efforts of a resourceful state actor. Assuming they can also do it on a massive scale and in real time, however, is a capability I have so far not seen any tangible proof or even remotely credible allegations for, so for now it remains a pink unicorn to me.

Which brings us to actors like ISPs and big league data harvesters. While probably not the original target Tor developers had in mind, there are two elements we need to consider. Would they be technically capable of deanonymizing Tor users? They most probably are, and ISPs would be in a really good position to tag traffic above or below the TCP level and share that with 3rd parties. Verizon and AT&T have already done it in the past. It would however come at a serious cost, especially when MITM'ing encrypted traffic on a large scale.

There is however a second element to ponder, and which I already brought up previously with @Clive, i.e. the legal ramifications thereof. While under current US legislation it may now be legal for ISPs to "share" customer data with authorities and commercial parties alike, I believe there is also legal ground to differentiate between passive collection and active subversion of user traffic, even in the US. However difficult it may prove for a plaintiff to demonstrate unreasonable business practices, personal harm or injury, it would take only one successful case to set off an avalanche of class action suits. Including the public backlash that previously caused AT&T and Verizon to discontinue their "supercookies".

To complicate matters further, there is no way in hell such practices would fly under existing EU legislation. Neither Google, Facebook, Apple nor Microsoft are waiting for yet another EU ruling against them, their reputations already sufficiently tarnished by previous convictions, their PRISM associations and further jeopardizing the fragile US-EU Privacy Shield arrangement.

Even if they had the technical abilities to deanonymize Tor users, doing so would not be in their best legal or reputational interest until such a time that Tor usage is declared illegal on both sides of the Atlantic.

In a nutshell: however insecure Tor may be against resourceful state actors, I have absolutely no doubt that - especially in combination with a VPN - TBB is a great tool to push back against corporate spying until anyone comes up with conclusive evidence to the contrary. If for whatever reason that puts me on some US TLA sh*tlist, then US CBP are most welcome to interrogate me next time I arrive at some US airport. Which is not gonna be anytime soon.

WinterApril 4, 2017 8:04 AM

@Dirk Praet
"But that's exactly what you are doing. I didn't say I agreed with @Winter's suggestion, just that I understand why some people are finding your position rather peculiar. And no one but you is using words like idiot and bullsh*t."

Exactly. It is always the ones that curse, insult, and accuse others at the drop of a hat that are most easily offended when someone questions their motives.

This Tor bashing does remind me strongly of the relentless SSL/HTTPS bashing we saw pre-Snowden. Then too it was widely believed that the TLA's were behind this propaganda to keep web-sites from using HTTPS because it made their surveillance work harder.

And if it walks like a duck, sounds like a duck, and looks like a duck, I have strong motives to investigate whether it indeed might be a duck.

@ab praeceptis
"tor can *not* be shown to be safe and secure"

You can show me wrong, but as far as I know, *absolutely nothing* is shown to be safe and secure. Half the comments on this blog are expressing just this single message: There is absolutely no safe and secure communication channel on the internet, none.

So, the question is not whether Tor is absolutely secure, but how it stacks up against the alternatives. And as you have not proposed a single one that is better (no one has), I must assume that Tor is the best option there is.

And no, any non-existing un-debugged theoretical replacement code that still has to be written does not count.

Miss PiggyApril 4, 2017 9:19 AM

The Dirk / ab preceptis discussion reminds me of when Kofi Annan went on the Muppet Show to sing with Oscar the Grouch.

vas pupApril 4, 2017 10:14 AM

Tag: psychology and security
http://www.bbc.com/future/story/20170403-the-hidden-upsides-of-revenge

Revenge is a powerful emotional trigger that mobilizes people into action. "It's this very pervasive experience in human lives, people from every society understand the idea of getting angry and wanting to hurt someone who has harmed you," says evolutionary psychologist Michael McCullough, of the University of Miami, who has spent over a decade studying revenge and forgiveness.

It drives crime – up to 20% of homicides and 60% of school shootings are linked to revenge, studies show.

CabbageControlApril 4, 2017 1:02 PM

@ab praeceptis

TLS is just the top level, camouflage against Deep Packet Inspection Censorship. Sometimes it doesn't work, because Iran and others have a way of detecting which IP addresses belong to TOR relays and block those.
Below that, there are fixed length packets encrypted in several layers of AES. To do otherwise would be absurd, as the relays in the circuit would have access to the metadata (and the cleartext in case of HTTP). These are like the layers of an onion (The Onion Router).
TOR design document

@Dirk Praet

Tor->VPN is not only difficult but also insecure. The correct way to access it is VPN->Tor.

https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN
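The layering described in the comment above (fixed-length cells, one encryption layer per relay, each relay able to strip only its own), shown as an added illustration that is not part of this thread and not Tor's code. It uses an HMAC-SHA256 counter keystream as a stand-in for AES-CTR, since the Python standard library has no AES; the 512-byte cell size matches Tor's original design, while the 2-byte length prefix, the per-hop keys and the sample HTTP request are constructed for this example only.

```python
import hashlib
import hmac

CELL_LEN = 512     # fixed cell size, as in Tor's original design
HEADER_LEN = 2     # length prefix inside the cell (assumption for this example)
MAX_PAYLOAD = CELL_LEN - HEADER_LEN


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Stand-in for AES-CTR: an HMAC-SHA256 counter keystream keyed per hop.
    Toy construction for illustration only; Tor itself uses AES-CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = seq.to_bytes(8, "big") + block.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def apply_layer(key: bytes, seq: int, cell: bytes) -> bytes:
    """XOR one hop's keystream over the whole cell.
    Adding a layer and peeling it are the same operation."""
    ks = keystream(key, seq, len(cell))
    return bytes(c ^ k for c, k in zip(cell, ks))


def make_cell(payload: bytes) -> bytes:
    """Pack a payload into a fixed-length cell: length prefix, payload, padding.
    Every cell on the wire is CELL_LEN bytes regardless of payload size."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit in one cell")
    return len(payload).to_bytes(HEADER_LEN, "big") + payload.ljust(MAX_PAYLOAD, b"\x00")


def open_cell(cell: bytes) -> bytes:
    """Recover the payload from a fully peeled cell."""
    n = int.from_bytes(cell[:HEADER_LEN], "big")
    return cell[HEADER_LEN:HEADER_LEN + n]


def client_wrap(hop_keys, seq: int, payload: bytes) -> bytes:
    """The client adds layers exit-first, so the guard's layer ends up outermost."""
    cell = make_cell(payload)
    for key in reversed(hop_keys):
        cell = apply_layer(key, seq, cell)
    return cell


def relay_forward(hop_keys, seq: int, cell: bytes):
    """Simulate the circuit: each relay peels only its own layer and forwards.
    Returns what each relay holds after peeling so the views can be inspected."""
    views = []
    for key in hop_keys:
        cell = apply_layer(key, seq, cell)
        views.append(cell)
    return views


def demo():
    # Constructed per-hop keys; in Tor these come from the circuit handshake with each relay.
    keys = [hashlib.sha256(name).digest() for name in (b"guard", b"middle", b"exit")]
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"   # constructed sample payload
    wire = client_wrap(keys, 0, request)
    guard_view, middle_view, exit_view = relay_forward(keys, 0, wire)
    return {
        "wire_len": len(wire),                       # always CELL_LEN
        "guard_readable": request in guard_view,     # still two layers deep
        "middle_readable": request in middle_view,   # still one layer deep
        "exit_plaintext": open_cell(exit_view),      # only the exit sees the payload
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in the comment: the guard learns the client's address but sees only ciphertext, the middle relay sees neither end nor content, and only the exit holds the plaintext, which is why an unencrypted HTTP request is fully exposed there. Reusing a sequence number with the same hop key would reuse keystream, so a real implementation keeps a strictly increasing counter per direction.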

ab praeceptisApril 4, 2017 2:34 PM

Dirk Praet

You started by pulling an interpretation trick. In the context of tor, and particularly looking at what Joe and Jane tor user feel and say, "security" and "anonymity" are equivalent.

"there is no discussion that both design and implementation suffer from serious flaws and deficiencies." - unless, of course, it's me who says so and dares to mention the conclusion.

"Is this my idea of a "secure implementation"? It most definitely is not." - to quote you, -> It would appear that there is some common ground between us after all.

But again you don't make the next step, which is to say that tor is largely worthless. Or do you think that nsa,fbi,cia, and other spooks would say "He is using tor. OK, we can just push it aside like we could do with a doorlock made of cheap plastic, but hey, tor is conceptually sound and well meant, too; it's just crappy due to poor implementation. Let us therefore respect that target's desire as well as tor's conceptual quality and walk by without touching it!"?

"Tor's biggest marketing boost came with Snowden and the NSA slide that described Tor, PGP and some other utilities as a pain in the lower backside. Which, at least in my eyes, elevates it to a different level than the "utter cr*p" you designate it as."
No, that's what made you come to a wrong conclusion due to mixing up diverse fields, taking for granted what the nsa leaks said, and being impressed by big names.

For one, that information largely came from powerpoint slide shifters, from clueless managers and they were targeting the same. Moreover, just assume for a moment that the spooks *wanted* us to believe what you believe. What would be a) a very effective way to make us believe and b) a very typical M.O. of spooks?

Of course I can't prove that hypothetical option - but neither can it be excluded. *Fact* is that we have been presented with some information; that information may be true or not or in part. The cardinality of the set both of the potential reasons why it has been leaked/stolen/provided as well as the set of intentions is not 1.

To put it differently: No, we do *not* know that e.g. the nsa is running all the leaked programs. What we *do* know is that there are documents indicating such. But then, playing with information and what is perceived as reality is the very domain and to a degree the raison d'etre of intelligence agencies.

What does all that mean for us? Simple: It means that we must act based on *both* major possibilities, namely, that Snowden's and other information is true as well as that it's a psycho-/social OP.

Which leaves us at designing and implementing properly - which tor devs didn't.

As for corporate spying tor seems indeed to work to a degree. However, corp spying (e.g. tracking) is not based on "we know his/her source IP, hehe!" but on a quite large set of mechanisms, most of which are http, javascript, flash etc related. The fact that tor seems to work as a cure/protection is less to do with tor than with the poor, primitive, shooting from the hip approaches from the large corps.

That said, again: I'm *not* against tor. I'm against assumptions that have shaky foundations and I'm against lousy implementation.

ab praeceptisApril 4, 2017 2:47 PM

Winter

Anyone submitting that XYZ is safe, secure, or [whatever property] should be able to provide evidence and proper reasoning.

tor created and still creates - certainly not without any intention - the wide spread impression that it's "secure" (as most non ItSec users would put it).

And btw, one *can* prove both models and code to have certain properties (incl. ones that are usually summarized as "safe" or "secure").

Just ask Bruce Schneier. He didn't come up e.g. with his fishes by praying to the gods in his bathtub. He did math. He carefully checked the relevant domains, the mechanisms/algorithms, etc. Plus and importantly he finally *carefully* and solidly implemented those algorithms. Plus he submitted his work to his peers for analysis - a step that is utterly missing in most security related products; in fact, it seems that they do not even do adequate inhouse testing.

Granted, Bruce Schneier couldn't prepare against attacks from time travelling aliens with quantum computers in their wrist watch but then, that wasn't reasonably part of the domain within which his work was supposed to be used. Within our domain, however, his fishes stand solidly even after many, many years - unlike tor.

BRENNAN'S HOURISApril 4, 2017 3:06 PM

Simple algorithm for identifying IBM Resilient clients:
1. Denounce organization
2. Monitor arbitrary comment deletion

So far the algorithm has established that IBM Resilient performs mission-critical technical repressive services for FBI and CIA, along with staff pro bono work for the hapless naifs of Tor Project.

To Replicate: cite named sources to instantiate CIA interference in US 2016 elections:

http://dailycaller.com/2017/04/03/susan-rice-ordered-spy-agencies-to-produce-detailed-spreadsheets-involving-trump/

i.e. surveillance distribution to John Brennan and Ben Rhodes, CIA's handlers for former spy brat, BCI intern, and presidential puppet Barack Obama.

And... It's gone!

Dirk PraetApril 4, 2017 4:11 PM

@ CabbageControl

Tor->VPN is not only difficult but also insecure. The correct way to access it is VPN->Tor.

No, it isn't. Works fine for me, and as long as you don't use your VPN without Tor, they have no idea who you are because they only see Tor exit nodes. VPN->Tor is a direct ticket to jail. Do look up @thegrugq's presentation on the issue.

@ ab praeceptis

But again you don't make the next step, which is to say that tor is largely worthless.

Yes, because I still have no reason to do so. Neither do I believe that Snowden was a psyop or Obama born in Kenya.

The fact that tor seems to work as a cure/protection is less to do with tor than with the poor, primitive, shooting from the hip approaches from the large corps.

Feel free to think those megacorps's spying methodologies are utter cr*p too. I rather prefer not to underestimate them and use whatever means at my disposal to counter them.

@ Winter

This Tor bashing does remind me strongly of the relentless SSL/HTTPS bashing we saw pre-Snowden.

Like you, I remember it well.

@ Slime Mold with Mustard

Sorry to be picky, but the US Army calls us "Combat Engineers", or just Twelve Bravo if you like.

I like Twelve Bravo. Thanks for the heads-up, and I certainly meant no disrespect. We have sporks too, btw. Mostly in jails and lousy Chinese take-aways.

@ Miss Piggy

The Dirk / ab preceptis discussion reminds me of when Kofi Annan went on the Muppet Show to sing with Oscar the Grouch.

That was on Sesame Street.

ab praeceptisApril 4, 2017 4:57 PM

Dirk Praet

Regrettably you - again - don't deliver on facts or logic but prefer to again and again paint me, the person, in a bad light (e.g. obama born in Kenya). That may work well in the given setting but it's intellectually unacceptable. I therefore end that non-discussion with you.

Another reason for that decision is the amply demonstrated fact that you are disinterested in or unwilling (or not prepared) to look at the relevant facts, particularly the technical ones.

Example: Rather than even looking at the question how large corp. tracking actually works (and hence what would be a proper defense/mitigation) you instead without any actual basis imply that I have a certain (ridiculous) position that I do not have.
To make it funny you talk about "any means ... to counter them" - while refusing to even analyze them superficially (see above).

Sancho_PApril 4, 2017 5:56 PM

@Dirk Praet

”If for whatever reason that puts me on some US TLA sh*tlist, then US CBP are most welcome to interrogate me next time I arrive at some US airport.”

Sadly, this is a chicken and balls problem.
The more users, the Tor better.
When we chickens are afraid to stand out / up for privacy we all will lose it.
We have to stand up, all of us. It is not risky.
Criminal conduct hidden by Tor is, as is without Tor.

Don’t be afraid to meet the “(We are the) face of our nation”.
When you happen to be white, straight and fairly good in English they can’t harm you. Allow at least 3 hours for your connecting flight, my average is 2 hours there.
Bureaucracy at work. It is amusing.

But to see the tragedy: “I had been sobbing in my sleep”
https://www.theguardian.com/commentisfree/2017/feb/28/in-that-moment-i-loathed-america-i-loathed-the-entire-country
… and now: Hear me roar.

furloinApril 4, 2017 6:28 PM

@Sancho_P

"When you happen to be white, straight and fairly good in English they can’t harm you."

That was sarcasm right? From what I have read online about American airports, walking through them in those conditions is suicidal. If you are a person of interest or even express slight awareness of the corruptness of their corporation it is literal suicide then. Better get on a boat if that's your condition and you need to travel to America while not being famous like our host. Actually I haven't traveled in a while. What is the security of boats in general? I'd imagine the industrial software not being openbsd 'secure' but not quite windows insecure.

Dirk PraetApril 4, 2017 6:41 PM

@ ab praeceptis

Regrettably you - again - don't deliver on facts or logic but prefer to ... paint me, the person, in a bad light

I believe that all throughout this discussion I have put up a civil and well-balanced argument about what Tor can and cannot defend against. And which I have done without calling anyone an idiot or labeling any counter-argument "bullsh*t". Arguably, I have provided little technical details or references for my position, but neither have you.

Conversely, any argument I have brought up has consistently been met with undifferentiated variations of "Tor is worthless". Not once have you brought up any type of alternative, instead putting forward that essentially for the common user all resistance against surveillance is futile until we rebuild the entire IT industry from scratch.

Referring to Snowden's NSA slides, you want us to consider it was all a psyop. If Tor is any good against corporate surveillance, then that's because transnational internet behemoths that have made surveillance their business model are just "shooting from the hip".

And then you wonder why some people are starting to question your motives or make comparisons to Obama birther theories?

I'm very sorry, but I'm buying neither your logic nor your facts. If that offends you, so be it, and I'll just leave it to those who have followed our exchange to judge who made the better argument here.

ab praeceptisApril 4, 2017 7:18 PM

Dirk Praet

"I'll just leave it to those who have followed our exchange to judge who made the better argument here."

Of course, that was very evident.

As far as I'm concerned I'll leave it to the reality as it will develop - either showing that tor a) honestly was/is well intended and b) reasonably well working - or not.

Please, feel free to visit arrested people who were not protected by tor in their jail cell and to explain to them how right you were and are. Some already lost their freedom betting on tor.

So much for the difference between proper security/safety/anonymity and fierce evangelizing.

We'll find out who is right.

RatioApril 5, 2017 12:20 AM

@ab praeceptis,

Please, feel free to visit arrested people who were not protected by tor in their jail cell and to explain to them how right you were and are.

That's a straw man.

Please re-read @Dirk Praet's comments. (For example, the caveat here may prove relevant.)

ThothApril 5, 2017 1:50 AM

@ab praeceptis

I think if we were to discuss further about high assurance security, we would be told that we wear tinfoil hats and wear tinfoil jackets and live in Faraday cages all day long.

The trend is low/no assurance security.

Keys in RAM memory while executing security critical codes in backdoored chips (Intel ME/ARM TZ/AMD SP et. al.).

As I have said many times, the insecurity is due to us shooting our own foot or more accurately strapping ourselves to a bunch of grenades without pins willingly.

There is nothing that me, you, @Clive Robinson or any one of us who dabble in higher assurance security says that would matter anymore. Convenience and hype is the menu of the day. The experience from deployments of higher assurance security and so forth by myself, @Clive Robinson et al., people prefer not to listen while they prefer those without experience. Nothing can be done about it. We have warned but people prefer to listen not. So be it.

Good luck to whoever trying to implement high assurance security on your own.

ab praeceptisApril 5, 2017 1:53 AM

Ratio

No, it's not. Unfortunately that's simply the consequence and the price to be paid if tor doesn't do as well and what it's supposed to deliver.

WaelApril 5, 2017 2:25 AM

@Thoth,

Keys in RAM memory while executing security critical codes in backdoored chips

A properly implemented White-Box Cryptography component should provide "Data In Use" in addition to "Data at Rest" protection in many cases. Keys are never exposed in the clear and do resist static and dynamic analysis; calculations are likewise performed in white-boxed format. No one says certain implementations of WBC will not be "broken" by a determined adversary, but if that component is coupled with other OpSec procedures (appropriate rotation of WBC algorithm details...), then the barrier could be suitable for some use cases. In fact, WBC was specifically designed to operate under the assumption of a "Hostile Execution Environment", and that includes HW/FW/SW backdoors!

Good luck to whoever trying to implement high assurance security on your own.

Engineers don't believe in good luck[1]. Methinks there is no such thing as luck. Besides, aren't you implementing something "high-assurancy" on your own? :)

@Ratio,

That's a straw man.

Sometimes I wonder if you ever divide by zero (sefr) :)

@Dirk Praet,

and I'll just leave it to those who have followed our exchange to judge who made the better argument here.

You always make the better argument unless you happen to be engaged with me, then you stand a 50/50 chance :)

[1] There is only bad luck in Security, haven't you heard?

WaelApril 5, 2017 2:33 AM

@Thoth,

we would be told that we wear tinfoil hats and wear tinfoil jackets and live in faradays cages all day long.

Then whomever tells you that is someone who believes the darkness of the night will protect you :)

ThothApril 5, 2017 2:37 AM

@Wael

re: WBC

Well, that does not include WBC. Maybe I need to be more specific as in default implementations which is the norm across almost every other cipher libraries. No effort made to obfuscate or hide the keys whatsoever.

re: High Assurance

Yes I am doing something along that line with the exception that I prefer to spend my time these days on putting them into products. Creating them and leaving them on Github is unlikely to help me get an income especially when I am running my own business these days.

WaelApril 5, 2017 2:47 AM

@Thoth,

WBC is already used in many shipping commercial products. The obfuscation is happening at the mathematical levels, not the compiler level (which is usually called code and data obfuscation.)

As far as I know, some of the more robust WBC implementations have not been broken by any red team. The same isn't true for code and data obfuscation techniques. Couple the two plus a half dozen other controls and you're good to go for sometime ;)

Thomas_HApril 5, 2017 4:49 AM

Trump administration wants to expand extreme vetting to all visitors of the USA:

El Reg article, second half contains the insane bit

The proposal includes asking people not only for their social media passwords (against Social Media EULA's), but also their email and banking log-in information.

This will destroy the US tourism industry and possibly also the rest of the US' industry. It could also be misused to plunder bank accounts or plant suspicious emails in people's mail box, leading to the arrest of "terror suspects" who then disappear down the crapper in an orange jumpsuit.

RatioApril 5, 2017 4:53 AM

@ab praeceptis,

No, it's not [a straw man].

Your comment about people ending up in jail despite their use of Tor argues against the idea that Tor provides perfect security / secrecy, while presenting that as being the position advanced by @Dirk Praet. It is crystal clear from multiple comments on this page that it's not.

That's a textbook example of a straw man.

@Wael,

Sometimes I wonder if you ever divide by zero (sefr) :)

We need to find you some better questions to spend time on. ;)

(Division by zero? … أبدن، يعني — Now, who taught me how to write that first word? Remember?)

RatioApril 5, 2017 5:20 AM

@Wael,

Ehmm... I wasn't implying that's how I was taught to write it. I know, I know: tanwīn. I'll go stand in the corner now. #)

ab praeceptisApril 5, 2017 5:55 AM

Thoth

You are obviously right. But I keep this short because I do not want to disturb the laudationes for Dirk Praet's arguments and the Arabic games and rituals of the old pals network.

After all, that's what it seems to be all about here and we ItSec outsiders shouldn't interrupt them.

JG4April 5, 2017 6:33 AM


http://www.nakedcapitalism.com/2017/04/links-4517.html
...
Big Brother is Watching You Watch

IoT garage door opener maker bricks customer’s product after bad review ars technica

https://arstechnica.com/information-technology/2017/04/iot-garage-door-opener-maker-bricks-customers-product-after-bad-review/

ARE YOUR FEELINGS GETTING IN THE WAY OF YOUR ONLINE PRIVACY? JSTOR

https://daily.jstor.org/are-your-feelings-getting-in-the-way-of-online-privacy/

The Nasty Truth About the CIA Veterans Today (Judy B). The claim is pretty extreme, so I wouldn’t take this as gospel. However, the author allegedly had a front row seat.

http://www.veteranstoday.com/2017/04/04/neo-the-nasty-truth-about-the-cia/

Dirk PraetApril 5, 2017 8:10 AM

@ Thoth, @ Wael

I think if we were to discuss further about high assurance security, we would be told that we wear tinfoil hats and wear tinfoil jackets and live in Faraday cages all day long.

You both know that I am generally paying close attention to whatever it is you guys are discussing. I have previously pillaged your Github corner and spent an entire evening looking into WBC the first time @Wael brought it up. Same thing with real-world stuff @Clive, @Markus Ottela, @Figureitout, @Nick P and others touch on.

Whether we like it or not, HA is a niche segment precious few people care about because they are not familiar with either the underlying technologies and methodologies or the threats it protects against. Much of which sounds as outlandish to them as Galileo's proposition that earth was not the center of the universe to the then clergy and astronomers.

In my experience - and unless there is some gun-to-the-head business case - it is utterly pointless to try and convince people that everything they know is utter cr*p and needs to be replaced with stuff that no one has ever heard of, isn't commercially mature or available, not in the least bit compatible with what their business partners are using, or best case scenario comes at a cost that makes your pants drop.

Anyone who has ever worked in a capacity of CSO or overseen an ISO/IEC 27001 or higher program knows that this is not how it works, the technical side of things being a walk in the park compared to the political and PR aspects of the job. More than once have I found myself in a position of having to pick things up where a predecessor either had given up or been given the boot for going too fast ticking off the entire company in the process.

Whether you are an individual or a company with specific security requirements (or a company implementing such a service), tools and methodologies generally come LAST. What you always start with is a proper risk analysis, business impact analysis and establishment of clear goals, policies and procedures for which you need unequivocal CxO level support. If you don't have the board on board, forget it, and don't waste any time trying to talk them into solutions they don't understand, want or need. Which applies both to a CSO and a vendor.

The person typically least suited for a smart security marketing strategy is an engineer with a black and white vision, limited soft skills and a discourse nobody in management understands a word of. If that's you, you'll need some slick politician or spin doctor to assist you. Give up if you don't find him.

Once you have set your goals, you take things forward slowly, passing through a number of transition stages you have carefully planned in advance, never losing sight of the fact that security is not a goal in itself. If it doesn't serve a previously agreed upon goal or purpose, it is pointless. Change, unfortunately, hardly ever comes overnight. Not only do you have to win the hearts and minds of all stakeholders, you'll also have to take intermediary steps patching your existing environment before you can replace it, and often in less than perfect ways.

What I mean to say is that nobody here (or elsewhere) that is familiar with HA security thinks of you as tinfoil hats. Those that don't just need education, and which indeed is often a long and frustrating road in a landscape filled with snake oil vendors sporting cooler hairdos and flashier costumes than yours. What I have learned over the years is that you never achieve that by shouting from rooftops and calling BS on every technology and methodology that doesn't fit the perfect picture, especially if you have no feasible or affordable alternatives to propose. It will just doom you to a lonely life as a bitter basement geek with a Darth Vader action figure on his desk.

The smarter way to go about things is not to take absolutist positions but to try and work your way up with stuff people are already familiar with, gradually raising the bar as you slowly acquaint them with more exotic threats, tools and concepts they will eventually adopt out of their own free will as their understanding of the subject matter and their specific security requirements grows.

WaelApril 5, 2017 8:38 AM

@Dirk Praet, @Thoth,

the technical side of things being a walk in the park compared to the political and PR aspects of the job.

Spot on! 20% technical challenges, 80% people challenges (people includes self.)

@r,

Ma pleasure, ma man.

WinterApril 5, 2017 8:41 AM

@ab praeceptis
"Rather than even looking at the question how large corp. tracking actually works (and hence what would be a proper defense/mitigation) you instead without any actual basis imply that I have a certain (ridiculous) position that I do not have."

I know little about large corp tracking. So please enlighten me. Why do you assume they only shoot from the hip? Why should I not worry about them?

WaelApril 5, 2017 9:11 AM

@Dirk Praet,

acquaint them with more exotic threats, tools and concepts

Been there, done that... Schedule slipped and got crucified.

Dirk PraetApril 5, 2017 10:18 AM

@ Wael

Been there, done that... Schedule slipped and got crucified.

Been there too. As with everything, time and budget constraints apply.

(name) withheld, maybeApril 5, 2017 3:25 PM

*
Draft
*

regarding @ab praeceptis and LTC V. (see above)

Attn: LTC V. (name) withheld

regarding your leaked memo:

"b) tin foil hats, i.e. citizens who have nothing to fear from us (that might be different in uk and us of a) but who for diverse reasons feel that they need good OpSec (as they think) for boringly normal everyday internet usage."
...

"Obviously i can't tell you operational details but i can tell you that using tor is a good way to end up in our files and maybe even in our interrogation facilities."

You got my attention. Would it help if during my interrogation an audit trail of my 'boring' activities included web searching the websites of: fbi, cia, odni, dea, local police, nsa, etc., if in the u s of a (assuming i am a u s of a person and at that time in the u s of a)?

For example, recently my web surfing using Tor took me to numerous websites like those listed above while posting to SoS, amongst other things. A good audit trail might beg a lot of questions. For example:

Why did you go to website a?
Why did you go to website b?
***
Why did you go to fbi.gov?
Answer: i was curious. Did you know that the fbi just opened an office in israel? Do you think the fbi had anything to do with busting the us/israeli teenager who propagated ~150 mosque bomb threats in the u s of a? Do you think that would have been good for zionist fundraising or fundraising to fight anti-semitism? i know; now someone might claim i am anti-Semitic. (subject blathers on)?

In other words might such potentially unusual web surfing help my interrogation? Or might the 'rubber hose' (or solitary confinement) treatment be more likely (after all he/she must have been using Tor to hide something)?

By the way do you have any dirt on ab praeceptis? Some others on the SoS ... (subject blathered on)

Cheers,
(name) withheld, maybe and i'll tell you everything i know and what you want to hear
from somewhere in the usa using Tor

(name) withheld, maybeApril 5, 2017 3:30 PM

@Miss Piggy

"The Dirk / ab preceptis discussion reminds me of when Kofi Annan went on Sesame Street to sing with Oscar the Grouch." edited by me

+1

ab praeceptisApril 5, 2017 3:59 PM

Dirk Praet

The person typically least suited for a smart security marketing strategy is an engineer with ...

Congratulations. It is *that* view and understanding that brought us from an industry driven by competent engineers (Diesel, Otto, ...) to what we have today: Smart marketing of crap.

It is *that* view and understanding that brought us the utterly insecure networks and crappy systems we suffer from today.

You and your marketing guys are good in creating images, nice brochures, looking victorious with "good arguments" - but it can only be engineers who repair the mess the "smart security marketing strategy" guys have created.

I'll stop here because being but a mere not at all smart engineer I humbly desire to not disturb the smart evangelists who are capable to turn "tor is great" into "don't trust tor" - and back - in the blink of an eye.

ab praeceptisApril 5, 2017 4:04 PM

Winter

a) wrong address. I'm but a measly engineer who actually knows what he's talking about. I suggest you address the "smart security marketing strategy" masters of the universe. And don't you worry, they have answers to just everything.

b) No, I won't tell you. Why should I? I worked hard and many years to come to know what I know today. And you don't need knowledge anyway for what you do here.

Just go on as usual and have your pals declare you smart and me dumb.

WinterApril 5, 2017 4:38 PM

@ab p
"I worked hard and many years to come to know what I know today. And you don't need knowledge anyway for what you do here. Just go on as usual and have your pals declare you smart and me dumb."

Sharing knowledge is growing knowledge. The fable of the bread and fish that multiplied without bound is about sharing knowledge.

That you profess to hoard your knowledge like Scrooge hoarded his money only strengthens the impression I already had of you.

ab praeceptisApril 5, 2017 5:00 PM

Winter

In other words: I'm the a##hole either way.

Try those stupid games with someone else! When I did share knowledge you were among those who crapped on it and argued and put yourself against me (with rather bare hands but who cares; you have people here taking your side anyway).

Don't get me wrong. I'm not angry with you; I don't care. I know what I know, no matter whether anyone here acknowledges that.

What *does* drive me angry, however, is that we are in the bad situation we're in because don't knows play arguing and social games and even dare to arrogantly lecture the engineers who have the capability and good will to repair the shit.

I've played that game many times, e.g. related to (open)ssl/tls. Each and every time I needn't wait long for the next ugly shit-explosion. And each and every time the smart preachers soon declared how great and good ssl/tls is and that one should use it.

I *have* my own "ssh" for my servers (completely free of ssl/tls and solidly implemented). It even mitigates (to a degree) DDOS attacks (tens of thousands of connection attempts per second as opposed to quite few with ssh) and makes sure that they can in the worst of cases achieve a denial of service but they can't hack the server and break the security. My next effort was to block them anyway and to be reachable only for authorized persons. That will be ready during the coming weeks.

I assume you expect me to share that, free and open source, of course. Forget it, won't happen, i.a. because just a couple of days later some "smart marketing, smart arguments" guy would play games with me, possibly even through a server using my work.

Nope. You guys have won the arguing - and I have securely remote managed servers. So, we can both be happy, can't we.

Dirk PraetApril 5, 2017 5:27 PM

@ ab praeceptis

Congratulations. It is *that* view and understanding that brought us from an industry driven by competent engineers ... to what we have today: Smart marketing of crap.

You have no idea how many times I was that engineer, banging my head against the wall because I stubbornly refused to acknowledge my own shortcomings in getting ideas across nobody either understood or gave a rat's *ss about.

The reason we got into today's situation is because too many good engineers were and still are exactly the same, losing out to 2nd and 3rd rate douchebags who contrary to themselves do know how to work the system. If you want to make a difference, try to learn it too. The alternative is remaining locked up in a basement and the prison of your own angry mind. I stopped doing that a long time ago.

RatioApril 5, 2017 10:03 PM

@Dirk Praet,

[...] an engineer with a black and white vision [...]

Needs to be reminded what being an engineer is about.

WaelApril 5, 2017 10:10 PM

@Ratio,

Needs to be reminded what being an engineer is about.

Enlighten me! Does it have to do with Engines? Lol

ab praeceptisApril 5, 2017 10:24 PM

Yeah, right, that arbitrary attribution ("[...] an engineer with a black and white vision [...]") was one of the excellent "arguments" used ...

If he would arbitrarily call me "jonny depp" or "tuna fish", would I turn into one of those? Just wondering.

So much for "good arguments" and blind fanclubs.

Dirk PraetApril 6, 2017 5:42 AM

@ ab praeceptis

If he would arbitrarily call me "jonny depp" or "tuna fish", would I turn into one of those?

Sigh. It's kinda telling that you're feeling singled out by something I said when I was in fact referring to a younger version of myself. Because it obviously resonates with you.

Let me put it this way: the only reason I am still engaging you is because I don't think of you as a troll or a TLA agent on a mission. You're obviously a smart guy and a competent engineer, but you need to wise up, drop the absolutist thinking (it's a Sith thing) and stop seeing imaginary old pal networks when it's your own words and behaviour that are drawing sarcastic comments from others. So can we please stop the sobbing before indeed you start coming across as Johnny Depp in some old movie with Iggy Pop and Traci Lords?

For what it's worth: I still think of myself as a rather outspoken, highly argumentative, sometimes overly emotional person with limited diplomatic skills. As much as such traits of passion may be an asset in certain situations, they invariably work against you when unchecked, to the point that they'll eventually cast a dark shadow both over your person and your tradecraft. Take it from someone who knows and regularly gets flak for his opinions on this blog (and in real life) too.

JG4April 6, 2017 6:23 AM


It isn't said often enough that security is a system and a process. I saw a great quote from Deming recently, to the effect of "If you can't describe what you are doing as a process, then you don't know what you are doing." Unfortunately, that also describes government and finance.

http://www.nakedcapitalism.com/2017/04/links-4617.html
...

New form of Android malware is the most sophisticated and dangerous ever discovered ThaiTech (furzy)
http://tech.thaivisa.com/new-form-of-android-malware-is-the-most-sophisticated-and-dangerous-ever-discovered/20822

...
Big Brother is Watching You Watch

Most Americans unwilling to give up privacy to thwart attacks: Reuters/Ipsos poll Reuters (EM). Translation: Most Americans have figured out that having the surveillance state hoover up their personal data is not about fighting terrorism, and efforts to position otherwise are no longer persuasive.

http://www.reuters.com/article/us-usa-cyber-poll-idUSKBN1762TQ

Workplace Surveillance Is The New Office ‘Perk’ Vocativ (micael)

http://www.vocativ.com/414570/workplace-spying-surveillance-dystopia-we-work-i

Messages show New York police surveillance of Black Lives Matter Reuters (EM)

http://www.reuters.com/article/us-new-york-police-idUSKBN1762KB

...

Beware of the return of the Clinton dynasty Edward Luce, Financial Times. A wild indicator of sorts. Luce was Larry Summers’ speechwriter and regularly carried Dem party water. This looks to be a sign that a lot of insiders are Not Happy about the Clintons’ plans to hang on to power.

https://www.ft.com/content/e63646c4-1962-11e7-a53d-df09f373be87

...

Policies believed to stabilize the financial system may actually do the opposite, study finds PhysOrg (Chuck L, Katharine). This sort of thing is maddening. Don’t these clowns bother looking at prior work? Richard Bookstaber wrote an entire book, Demon of Our Own Design, on the issue of “tight coupling” where processes run in a sequence too fast to be interrupted. Many other people, ranging from Andrew Haldane to Simon Johnson to your humble blogger have written about this issue at length. In a tightly coupled system, you must reduce the tight coupling first in order to reduce risk. Any other approach will increase risk.

https://phys.org/news/2017-04-policies-believed-stabilize-financial.html

vas pupApril 6, 2017 8:34 AM

@Clive: you may like this -
Researchers from the CNRS, Thales, and the Universities of Bordeaux, Paris-Sud, and Evry have created an artificial synapse capable of learning autonomously. They were also able to model the device, which is essential for developing more complex circuits
https://www.sciencedaily.com/releases/2017/04/170403140249.htm
Our brain's learning process is linked to our synapses, which serve as connections between our neurons. The more the synapse is stimulated, the more the connection is reinforced and learning improved. Researchers took inspiration from this mechanism to design an artificial synapse, called a memristor. This electronic nanocomponent consists of a thin ferroelectric layer sandwiched between two electrodes, and whose resistance can be tuned using voltage pulses similar to those in neurons. If the resistance is low the synaptic connection will be strong, and if the resistance is high the connection will be weak. This capacity to adapt its resistance enables the synapse to learn.

vas pupApril 6, 2017 4:20 PM

Predicting the future with supercomputers
http://www.dw.com/en/predicting-the-future-with-supercomputers/a-38216147
The K computer has already crunched several huge simulations of how a potential earthquake might play out in cities like Tokyo. The simulations look at how the buildings will react to tremors, but also at the potential behavior of people as they evacuate. From these simulations, researchers can design better emergency response and support for any buildings with detected weaknesses.
Artificial intelligence, or machine learning, is one method which some are trying out as a crystal ball. Others use types of filtering algorithms to eliminate the degree of uncertainty in a model, thereby obtaining more accurate results.

Dirk PraetApril 7, 2017 4:40 AM

@ r

Re. Einstein

Judging from the writing style, it would seem that that report was written by a 9-year-old intern.

@ Not Happy

Re. malware bricking IoT devices

I'm not sure if we should call it malware if it's bricking insecure IoT devices. Digicide or electrocide come to mind (as in insecticide).

JG4April 7, 2017 6:04 AM


http://www.nakedcapitalism.com/2017/04/links-4717.html
...

Syraqistan

...

Donald Trump Is An International Law Breaker by Publius Tacitus Sic Semper Tyrannis (Re Silc). “In the coming days the American people will learn that the Intelligence Community knew that Syria did not drop a military chemical weapon on innocent civilians in Idlib. Here is what happened.”

http://turcopolier.typepad.com/sic_semper_tyrannis/2017/04/donald-trump-is-an-international-law-breaker.html

...

Imperial Collapse Watch

We are the war on terror, and the war on terror is us Thanassis Cambanis

http://thanassiscambanis.com/2017/03/24/we-are-the-war-on-terror-and-the-war-on-terror-is-us/

60 Words And A War Without End: The Untold Story Of The Most Dangerous Sentence In U.S. History BuzzFeed. How the AUMF was drafted and passed with no sunset clause.

https://www.buzzfeed.com/gregorydjohnsen/60-words-and-a-war-without-end-the-untold-story-of-the-most

Meet The Martin Shkreli Of Defense Contracting HuffPo

http://www.huffingtonpost.com/entry/defense-contractor-monopoly-transdigm-mick-mulvaney_us_58d2f8dae4b0b22b0d19ad2a

Want to Buy an Old CIA Rendition Jet? Mother Jones. Lotta room on that 737. I’ve always wondered how many people were really rendered…

http://www.motherjones.com/politics/2017/03/cia-rendition-plane-for-sale

http://www.nakedcapitalism.com/2014/07/many-people-cia-process-stare-kiejkuty-black-site.html

Police State Watch

Why Cops Shoot Tampa Bay Times

http://www.tampabay.com/projects/2017/investigations/florida-police-shootings/why-cops-shoot/

When Warriors Put on the Badge The Marshall Project

https://www.themarshallproject.org/2017/03/30/when-warriors-put-on-the-badge

Southern Missouri Sheriff Framed 77-Year-Old for Kidnapping, AG Says Riverfront Times

http://www.riverfronttimes.com/newsblog/2017/04/05/southern-missouri-sheriff-framed-77-year-old-for-kidnapping-ag-says

New Cold War

Devin Nunes recuses himself as House Intel chair during Russia probe PBS

http://www.pbs.org/newshour/rundown/devin-nunes-recuses-house-intel-chair-russia-probe/

Hillary Clinton says Vladimir Putin must be held to account for election ‘meddling’ in first interview since election The Independent. “Held to account.”

http://www.telegraph.co.uk/news/2017/04/07/hillary-clinton-says-vladimir-putin-must-held-account-election/

RatioApril 7, 2017 6:40 AM

@Wael,

[...] an engineer with a black and white vision [...]
Needs to be reminded what being an engineer is about.
Enlighten me! Does it have to do with Engines? Lol

Not sure if you were being serious, but here's the gist of it in one word: trade-offs.

ThomApril 7, 2017 7:10 AM

I just sent OWASP ZAP 2.5 to your blog, it gives 4 warnings. Might be worth checking these yourself as well, just in case.

Some minor XSS vulnerabilities, X-Frame-Options not set, and such.
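The findings Thom reports above (X-Frame-Options not set, minor XSS warnings) are the kind of response-header gaps a site operator can verify without a scanner. The following is an added example, not code from the original thread, from OWASP ZAP, or from this blog's software: it parses a response's Content-Security-Policy and checks, the way ZAP's passive rules do, whether framing is restricted (X-Frame-Options or CSP frame-ancestors), whether a CSP exists and permits inline or wildcard scripts, and whether MIME sniffing is disabled. The three header sets at the bottom are constructed samples, not captured from any real site.

```python
"""Audit HTTP response headers for the anti-clickjacking and XSS-related
settings that scanners such as OWASP ZAP flag when they are missing.

Added example, not part of the original thread or of ZAP itself.
The sample header sets below are constructed for illustration only.
"""

from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}.

    Directives are separated by ';', each one being a name followed by
    whitespace-separated source expressions."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Clickjacking: framing must be restricted either by X-Frame-Options
    # (DENY or SAMEORIGIN) or by a CSP frame-ancestors directive that is
    # not a wildcard.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = parse_csp(h.get("content-security-policy", ""))
    frame_ancestors = csp.get("frame-ancestors")
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")
    fa_ok = frame_ancestors is not None and "*" not in frame_ancestors
    if not (xfo_ok or fa_ok):
        findings.append("framing not restricted: set X-Frame-Options "
                        "DENY/SAMEORIGIN or CSP frame-ancestors")

    # Reflected XSS: a CSP that allows 'unsafe-inline' or wildcard script
    # sources gives little protection, so flag that as well as a missing CSP.
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        # script-src falls back to default-src when not given explicitly.
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP allows inline or wildcard scripts")

    # MIME sniffing: browsers may otherwise interpret user-supplied content
    # as HTML or script.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    return findings


# Constructed samples (hypothetical, not from any real server).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "example-httpd",
}

MIXED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; "
                               "frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("mixed", MIXED_HEADERS),
                       ("hardened", HARDENED_HEADERS)):
        result = audit_headers(hdrs)
        print(f"{name}: {result if result else 'no findings'}")
```

The headers can be taken from any HTTP client's response object (for example the `headers` attribute of a `requests` response) and passed straight to `audit_headers`; the mixed sample shows why a CSP that restricts framing but still allows inline scripts should not be counted as a clean result.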

Dirk PraetApril 7, 2017 7:19 AM

@ JG4

In the coming days the American people will learn that the Intelligence Community knew that Syria did not drop a military chemical weapon on innocent civilians in Idlib. Here is what happened.

From a political vantage, it doesn't add up that Assad would shoot himself in the foot in such an incredibly stupid way just as everything started looking really good for him.

The key question here is to determine whether or not it was sarin that was used. If indeed it was, most experts will tell you that it is highly unlikely that the Syrian Air Force - as both Syria and Russia claim - accidentally hit a rebel chemical weapons facility. A bombing and subsequent fire would actually destroy such weapons, not spread them around (@Clive, other chemical weapons experts?). Also the timeline given does not fit the reality on the ground.

Which leaves three possibilities, depending on the outcome of an independent investigation: Assad is a complete moron who has just committed political suicide, the air force indeed hit a rebel chemicals depot (as in chlorine et al), or this is a false flag operation. Since Idlib is Jabhat Fatah Al Sham (former AQ affiliate Al Nusra) territory, it is highly unlikely that we will ever know the truth, but that instead every faction involved in the Syrian civil war will just go with whatever explanation suits them best.



Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.