Schneier on Security

Clive Robinson • April 20, 2017 9:09 AM

Although this attack is new, people might wonder what else would be controled by others…

There is a Digital Video Recorder built into a set top box that people used to use. Called TiVo it suffered from the problem that due to DRM etc you did not own the functioning of the box. This came ad a bit of a rude shock to users to find that the BBC had payed TiVo to force the recording of a fairly cr4p comedy show…

The thing is that the designers of such products regard the “air side” to be in effect secure, so they don’t add security to the control channels, they go for obscurity at best…

Thus I would expect a lot more of this sort of SNAFU in future. Along with the compleate loss of ownership of anything with a DRM / Computer chip in it.

But it’s nothing new, a couple of decades ago, this was funny,

http://dilbert.com/strip/1995-12-29

Clive Robinson • April 20, 2017 2:01 PM

@ Keiner,

Why do Microsof or Adobe get away with this kind of trash?

Because, you are not “purchasing” but “leasing” the software…

Clive Robinson • April 20, 2017 2:37 PM

@ Albert,

Are you implying that MS is a def facto lessor?

It depends on the actual legal definition in your jurisdiction, but yes that’s what they are doing with the EULA if you read through what your rights are you will find that you don’t own the software, and MS can order you to cease using it at any point in time. The only way they can do that is by leasing or renting it to you. As some jurisdictions decided it was not leasing they went down the Office365 route where you rent, with even less rights.

Oh and check the status of the files generated, whilst the copyright of the contents might be yours, the files are not as Microsoft in effect owns the format thus when they tell you to stop using the software you lose the right to use the file…

Clive Robinson • April 21, 2017 3:59 AM

@ keiner,

NO disclaimer in the whole world can keep me from being responsible for my product. End of story!

No it’s not the end of the story.

The law is about restitution for harms caused by others be it criminal or civil sanctions.

For most of the history of legislation it has been about assessing the harms, as evidenced by damage to physical objects or by degenerate or immoral behaviours.

The idea of Intellectual Property protection in modern law first started in England back before 1331 by royal “letters of patent”. By Elizabeth the First’s reign the process was more formal. However she famously rejected a patent application for a machine to knit stockings allegadly because it did not work with silk[1]. However the requirment to disclose or publish the idea for all to see, to get the legal protection was a Venitian idea from around 1450. And arguably it was this that made litigation for harms possible, and the ideas of primary and secondary patents.

However in Europe and most other parts of the world you could only patent physical designs and processes not intangible information (which was protected by copyright and trade mark legislation). The US however decided to be different which still causes significant problems to this day.

But in general the idea that ideas “belong to all” still holds, thus the notion of liability for an idea’s use belongs to the user of the idea not the originator of the idea.

The idea of software is arguably less than a hundred years old (ie Church/Turing not Babbage). The notion of atomization by electrical devices such as motor driven actuators is also of a similar age. It was not untill the 1960’s that “ladder logic” started to be replaced by Turing machines, but it’s general acceptence in “industrial control” was as late as the 1980’s. Thus the idea of harm by computer is in legal terms very modern being less than fifty years old.

The likes of Adobe, Google, Microsoft, Oracle etc do not want the idea of “software liability” to happen by either direct legislation or case law, and soend a great deal of money to prevent that happening. Thus much of the EULAs is “tap dancing around” product liability and fitness of merchantability legislation. Part of this is trying to force such action into the US court system, where deep pockets can outspend lesser resources, and keep things out of civil court more or less permanently thus stoping case law. Then being real chummy with the US legislature on both sides and “spreading the love with a free hand” via lobbyists and other backhanders keeps detrimental legislation being formed.

If you want that to change then you need to become a serious activist in the EU legislature to stop the same US corrupt practices taking hold.

[1] The reverend William Lee (1563 – 1614) was an English inventor who devised the first stocking frame knitting machine. He was refused a patent in 1589 by Tudor Queen Elizabeth the First, allegedly as the stockings were of course wool and not as fine as silk stockings from Spain. However the reality was because she could see the likely result on the workers that hand knited stockings. He built an improved machine that increased the number of needles and by 1598 he could knit silk, however James the First likewise refused to grant a patent.

Clive Robinson • April 21, 2017 7:46 AM

@ keiner,

So: Fu**ed. Big money buys all our politicians.

To borrow an American euphemism,

“If when you slap it down on the table you have a larger measure you win…”

It should not work that way but unfortunately it does. The problem with hierarchies like political structures the closer you are to the top the larger the bribes you can command if so tempted. Most politicos and senior civil servants these days go for the “nest feather” where they do the deed in return for a 20,000USD / hour speaking engagment or when they retire a 5hours a year directorship on the “ethics committee” or “salary and renumeration board”.

Clive Robinson • April 24, 2017 5:28 AM

@ Albert,

A contract cannot force one to do something illegal, nor can it sanction an illegal act.

Whilst true, it is NOT the issue under consideration here.

A contract can and often does contains limitations, that restrict the activities of one or both parties quite legally and bindingly.

Under normal circumstances if a party breached one of those restrictive terms the options open to the other party was to pursue remediation by civil action. This happens regularly enough not to draw much comment when it does happen.

The problem in this case is as I noted above, that the Computer Fraud and Abuse Act (CFAA), is overly generalised or to broad of scope. Thus under it the contract that is the Terms of Service forms the basis of the “authorisation” to access a computer. The CFAA makes such unauthorised access to a system a criminal act.

Thus a limitation such as usage of a service that would not cause comment in other domains of business and would have only civil action remediation, has through the CFAA become a matter of criminal prosecution…

The same issue arises under UK law due to the legislation (1990 Computer Misuse Act) brought in after the Crown -v- Schiffren and Gold, that was used to try and cover up significant security failings by the UK’s British Telecom. This week marks the 32nd aniversary of their arrest and long series of trials.

The reason I remember it so well was not only was I very much involved with it but that BT had tried a similar trick on me in Sept/Oct 1983 a while before their arrest. Thus the only reason it was not my name in the court papers, was “my gut feeling” and luck.

Though others now say it was timing as well. I was quite sensitive about it as I’d written a piece to a Micronet 800 closed user group from Len Stewart’s front room very shortly after the hacking of BT Gold had become known to around 20 million viewers of the BBC Micro live program one sunday. When the head of Acorn Computers Hermann Hauser’s –now KBE, FRS, FREng, FInstP, CPhys– BT Gold account ACN001 was logged into and “The Hackers Song” from Oz and Yug scrolled up the screen, and reputedly made “The Big Red Mac” even reder than he normally was. The account had had the password changed to something short and simple so that the demonstration would go well on television…

However at that time BT was being denationalised and UK Prime Minister Margret Thatcher was very keen that all should go well as she had big plans for the cash windfall that was expected. So BT senior managnent took out very expensive full page advertorials in the “important newspapers” in which there were some glaring factuall inacuracies. Which was what I wrote up to inform people in my article in the closed “editors group” on the BT Prestel system. Essentially I said that BT was “being economical with the truth” in their advertorials and this could be seen by the use of a systems command that had been changed to in effect hide the guilty and blaim the innocent.

The word came back via Dave Babsky of Micronet 800 that BT would like me to go up to their London office to demonstrate what I had said. This struck me as odd as I had provided sufficient information that a blind one legged dog could demonstrate it so I told Len Stuart and Vernon Quaintance of the ACC that there was no reason for me to demonstrate it to BT Gold staff, especially as I was not going to get paid for my time… Thus for once me sticking my heels in had “saved my bacon”.

Some months later the problem with the BT Prestel test system called Pandora came up and I told various people involved not to demonstrate it to Micronet 800 and especially Dave Babsky in particular as it was not just me that thought he could not be trusted in any way, but also another person involved Simon Williams who’s girlfriend just happened to be Dave Babsky’s personal assistant, thus had the inside track on the wretch and was happy to say what a creep Dave was.

But Robert Schifren was a journalist working for Acorn User and having “a big story in his sights” was concentraiting on the story asspect not the ludicrous and quite suspect behaviour of Micronet 800 and BT engineering staff and their managers, and as we later found out the UK Priminister Margaret Thatcher, who some now claim was incandescent and beeting up senior BT managers. Thus it was Robert and Steven who had their collars felt not me.

What went wrong with BT Prestel in the mid 1980’s is an abject lesson in things not to do. Basically there was two glaring security faults that should not have happened then but a third of a centry later still happen with regular monotony…

Firstly all the passwords including that of the administrators were stored in plaintext in files that were accessable to anyone with even lowely credetials such as those of tech support workers on the end of a telephone line…

Secondly Prestel had public and private pages all of which were addressed by a number. Thus the reason Micronet 800 was called that was because it’s route page was 800. The second system security fault was if you tried to go to a page on Prestel and you couldn’t reach it for some reason, you’d get a standard “Page not found” error at the bottom of the screen. But depending on whether the message started right at the far left of the screen, or 1 character in, you would know whether the page really didn’t exist or whether it was a private page you weren’t allowed to see it. This “feature” was independently discovered by quite a few people, thus teenagers with time on their hands started “private page hunts”.

Prestel had more than a few technical problems and it’s structure was such that they needed a number of servers that you accessed by “local number” dial in, thus they appeared to be all over the country and each server had a name. You could by looking for private pages work out which server realy held your account and which ones did not, and any anomalies were also noted by teenagers with time on their hands.

One big technical gripe with Prestel originally was content providers had to go online to put in content by hand and with 75baud up and 1200baud down this was slooow… Thus BT was looking for software on home micros to take this pain out and thus the idea of “Bulk Upload Software” came to peoples minds.

However someone related to Micronet 800 convinced somebody at BT that these same teenagers with time on their hands would write the code for free if BT provided them with a server to test on…

Well somewhere the message got lost in translation. BT Prestel did indeed setup such a server and it was called Pandora… The people setting it up were lazy, ill informed or both, because what they did was take a backup off of a live server and copy it onto Pandora, then edit the front page and add an administative account ID and Password on the front page…

So not only did all those private pages become available, but also that text file with all the user paswords in, including that of HRH Prince Philip the Queen’s husband who has always been a bit of a techno buff…

Thus when Robert and Steve told David Babsky about it, and that they were writing a story about it, my earlier actions came back to haunt both them and BT. Now Margaret Thatcher is dead people are pointing the finger at her not the incompetent BT managment, and they are saying it was her insistance that prosecutions be made…

I guess the truth of it will never realy become known. I’ve already had a run in with one University accademic back in the 90’s because he conflated the two seperate incidents together in a book he published. And he was far from happy to be told he should have done his research better, as in come out of his office walk a very short distance to the office I was in and ask me… Since then the conflation and other inacuracy issues have got worse. Neither I nor Robert are getting any younger and Steven is sadly nolonger with us, and I suspect most if not all those BT managers are likewise gone thus the ability to “correct academic research” mistakes is quite literally “dying out in front of our eyes”.

Clive Robinson • April 24, 2017 7:32 PM

@ ,

Prestel computer network operated on a distributed basis and was intended to act as a hot standby in the event of the UK going to war — in the event that the primary UK military computers were down, the Prestel network could be used to control and launch the UK’s nuclear missiles.

Whilst the first bit is true, don’t read to much into the second bit.

Back then Maggie Thatcher was in power and spending lots and lots of money on hardening the UK seats of both central and regional power in case the cold war went hot as the CCCP started to colapse. Nuclear bunkers were being built anew or being refurbished and they were equipped with all sorts of communications systems. Part of which was an old fashioned manualy switched telephone network one hub of which I was shown by Vernon Quaintance when at a meeting in a BT building in London just around the corner from the Barbican Center.

That network was to replace that of the old Automobile Association (AA) telephone boxes, that a long previous government had decided after WWII would be used by the Prime Minister to communicate launch commands if away from Whitehall. It always ammused me because due to one of those quirks of human existance the switching points in the AA network became radio based, and nearly all the nodes were next to stratigic targets. One that I used to see several times a week was at the south side of Tolworth Railway Station at the junction of Jubilee Way. The Government had a top secret part of their map makers to the north of the railway and just south of the A3 and a large coal depot (now a bus storage/maintanence and industrial park) to the west of this was Decca Radar’s special research facility where they tested military and then later civil radar to their sports ground just east of the coal depot. Jubilee way went around to what was called the Chesington Industrial Estate that in the 70’s and 80’s still had a number of manufacturers of top secret equipment including diving gear. Funnily enough one of them later became the office/workshop of FOCA who now run Formular One racing and Bernnie Ecclstan tried to do cloak and dagger feeding of information into the sports press. During the second world war Tolworth Railway station was frequently attacked by the Luftwaffe and as a child playing in the farmland to the south I used to find live ammunition that had been dropped by those providing anti-aircraft emplacment protection and shrapnel from the German guns and bombs. My father used to escort me down to the local police station on a Saturday morning to hand in any “live ammunition” I had found, and the desk sergeant used to ask what I had brought him in almost as though I was bringing him a present. It was a far cry from what happens these days where they would close down a 100meter area around the police station and call in the bomb squad in the name of health and safety…

As for some of the larger bunkers I snuck into when a bit older they had their own TV and Radio studios and transmitters. They also had millitary networks based on an “all valve” D11 transmitter/receiver and the likes of the BID610 and later 700 family crypto equipment, as well as masive generator sets to provide light and power and importantly the air scrubbing systems and recycling facilities as well as the sewerage cannons that blasted emacerated waste out of the facility.

Thus due to Maggie Thatchers apparent –to our modern eyes– paranoia an easy way for BT to get very large amounts of funding for their BT Gold and Prestel communications systems was to sell it as part of the seat of government solution, because Maggie was hemorrhaging spending in that direction.

Somebody I used to know through the South West London Pirate Radio station “Radio Jackie” had other interests in finding out about these secret nuclear bunkers and getting into them to photograph them. Let’s just say that if you travel from London to Bath by train you go through a two mile long tunnel built by Brunel where if you look carefully you can see an underground station sidings and spurs that go off into the old stone quarry (mine). Known as “The Box Tunnel Complex” they were originally used as underground munitions storage and factories built into the quarry complex. It was here that the central seat of government was to be evacuated to on one side of the tunnel and the south west regional seat was “on the other side of the tracks”. It became a vast underground city in the 1950’s and code named “Burlington” it could house 4000 civil servants for three months and had someyhing like sixty miles of passages set out on a grid system.
Oddly perhaps these “ultra secret” locations were quite well known around where they were and it was not difficult to find them, nor were they actually well protected thus getting into them was not that difficult. In the case of Box you just had to find an opportune time to walk through the tunnel or an entrance by the railway… As a result one heck of a lot of photographs of not just the facilities but books and papers inside them were taken and spread around like minded people. The city was so vast it even had officers clubs and a pub called the Rose and Crown, workshops, a hospital –with a maternity section– and major catering facilities. It also had a huge manuall telephone exchange. It finally got decommissioned in the 1990’s but rumours persist that some parts of the vast complex of mine tunnels are still a secret base. When it was an ammunition factory in WWII they had a problem of how to get people up and down 100ft effectively, much to the anoyance of the then London Underground two escalator systems were taken and installed in the complex.

Even the “Post Office Railway” that went under London from the Mount Pleasent sorting office to other sorting offices got an injection of cash for upgrades so it could transport rather more than mail bags. Then there were the “BT Deep Tunnels” with the Kingsway underground telephone exchange where the US-Russia “hot-line” went through and were used for a time by SOE/MI6 for some realy “sneaky beaky” stuff prior to the construction of Pindar. Also the likes of closed underground tunnels got converted to secret bunkers. They even put a couple of parallel tunnels in under Whitehall that are still there today and one end is very close to Westminster Underground Station. This is over and above the “dock” network of tunnels under what is now known as “The Churchill War Rooms”. During their design to help make the tunnels shock proof for the communications equipment they held they had a tunnel in a tunnel design with the inner tunnel built with a cork shock absorber a couple of feet thick on the inside of the outer tunnel. The public became aware of these tunnels existence, when during “renovations” somebody using a metal cutting torch set the cork on fire, and it could not be put out. So it was alowed to burn it’s self out, and for many days a huge pall of acrid black smoke hung over Whitehall bilowing out from ventilation shafts. The big problem with digging such tunnels is who does it and how do you get the dirt out without comment. Which is probably why the building of Westminster underground station is rumoured to be a hub / nexus for secret tunnels…

A lot of the WWII underground facillities such as the Dock are conveniently close to Whitehall and mostly now not known in their extent. However tunneling is known to have continued and it’s known that there are new “atom bomb proof” underground networks well well below the hundred feet or so deep level of the 1980’s and WWII systems. These are known as “Pindar” and is where one of the COBRA crissis romes is situated. It was started in the 1990’s and cost over 125million GBP back then. It’s known to have a number of street level exits as well as being rumoured to have connections out of the bottom of Westminster Underground station away to the MI6 building at Vaxhaul Cross and one or two other similar but less well known places, much like the old tunnel from St Ermin’s Hotel lobby in Caxton Street.

Maybe as with the BT Deep Tunnels we will get to know one day when they get sold off.

What I do know about Westminster underground station is that if you go there when it’s quieter you could easily believe the stories because it does look oh so much like a Bond Villain secret base. It has the heavy concrete walls and columns, the stainless steel walkways and odd doors etc to look the part. Which almost certainly means it’s not 😉 as the bunkers I’ve been in realy are,just like sections of underground tunnel run in parallel with smaller cross tunnels as this is a very strong construction design. They don’t have large open areas inside except for the old home radar command centers with their plotting rooms.

Any way most of the 1980’s and earlier secret bunkers have been repurposed or sold off a number just “capped off” like subteranian tombs or time capsuals awaiting archiologists in some future time, one of which now has a school playground on top of it. However not all have suffered such ignominious fates one in Epsom Surrey south of London got refitted as a rather plush training center inside, but still looks like a drab repository building at the entrances. Some that have been sold off have become “data centers” for modern computer networks and data exchanges. With a new craze for commercial “Cyber Command Bunkers” and EMP proof data repositories for banks and the like some of the old “holes” may see new commercial life, and get decked out looking like the bridge of the Enterprise in Startrek.

But one part of the British Nuclear deterrent is fairly well known. On coming into office each new Priminister hand writes letters for the captins of the nuclear subs that are sealed in the old fashioned way and locked in a safe on each submarine. There is a flow chart convention of how the captins get to the point of opening the letters, one step of which used to be to surface and listen for the BBC World Service. But as that has now been decimated by cut backs it’s likely that this step has be replaced or augmented in some way. Hopefully we will never have to find out in anger.

You might find the photographs if the Dock in this article of interest,

http://londonist.com/2015/02/the-secret-bunker-below-londons-secret-bunker