Comments

Ben A. June 23, 2017 4:26 PM

32TB of Windows 10 internal builds, core source code leak online

https://www.theregister.co.uk/2017/06/23/windows_10_leak/

Practical waterholing through DNS typosquatting

https://blog.0day.rocks/practical-waterholing-through-dns-typosquatting-e252e6a2f99e

Former intelligence employee caught selling top secret docs to Chinese

https://arstechnica.com/tech-policy/2017/06/former-intelligence-employee-caught-selling-top-secret-docs-to-chinese/

Russian hackers selling login credentials of UK politicians, diplomats – report

https://www.theregister.co.uk/2017/06/23/russian_hackers_trade_login_credentials/

Social Cooling – How big data is increasing pressure to conform

https://www.socialcooling.com/

Microsoft PatchGuard flaw could let hackers plant rootkits on x64 Windows 10 boxen

https://www.theregister.co.uk/2017/06/22/ms_patchguard_flaw_rootkit_risk/

Why So Many Top Hackers Hail from Russia

https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russia/

OpenVPN Patches Critical Remote Code Execution Vulnerability

https://threatpost.com/openvpn-patches-critical-remote-code-execution-vulnerability/126425/

Stack Clash Vulnerability in Linux, BSD Systems Enables Root Access

https://threatpost.com/stack-clash-vulnerability-in-linux-bsd-systems-enables-root-access/126355/

It got too difficult to censor livestreams, so China bans it altogether

http://mashable.com/2017/06/23/china-bans-livestreaming/

Cisco Bets on Security to Drive Switch Sales

The networking giant on Tuesday revealed a new security service it says can identify and stamp out malicious software cloaked by encryption on computer networks.

https://www.wsj.com/articles/cisco-bets-on-security-to-drive-switch-sales-1497981600

Gmail will no longer scan e-mails for ad personalization

https://arstechnica.com/gadgets/2017/06/gmail-will-no-longer-scan-e-mails-for-ad-personalization/

Ben A. June 23, 2017 5:04 PM

@The Ooga Booga Man

Not necessarily. They may want the court to believe that there’s no other way absent compelling the defendant to disclose his password or they may not wish to disclose their methods/real capabilities in a document on the public record.

32,000 guesses per second isn’t fast considering supercomputers can perform 2-4 trillion guesses per second which leads me onto the second point: if the encryption software employed a proper hash function then you should be looking at a maximum of 10-30 guesses per second. Argon2 can significantly reduce even that and massively increase the requirement for computational power.

If the hash function allows 32,000 guesses per second then I’d wager it’d allow a significantly higher number of guesses per second which brings me onto the third point: why did the FBI not seek the assistance of the NSA/CIA?

Trenton June 23, 2017 5:16 PM

@The Ooga Booga Man

In support of @Ben A.’s observations on topic…

Deputy Attorney General Asks Congress For $21 Million To Solve The FBI’s ‘Going Dark’ Problem
https://www.techdirt.com/articles/20170615/09020337600/deputy-attorney-general-asks-congress-21-million-to-solve-fbis-going-dark-problem.shtml

“Take, for instance, this quote from the Washington Times article:

Days before leaving office on May 9, Mr. Comey said federal investigators had legally seized more than 6,000 smartphones and electronic devices during a recent six-month span but found that 46 percent couldn’t be opened “with any technique.”

This stat is almost completely unbelievable. Documents obtained from local law enforcement agencies with much smaller budgets show investigators are finding multiple ways to obtain data and communications from locked phones.”
https://www.muckrock.com/news/archives/2017/jun/05/tulsa-tucson-cellebrite/

Eight June 23, 2017 6:01 PM

Perhaps Ahmed is not wholly alone in the world?

Naked panic has the effervescent bouquet of the finest Szampan.

JG4 June 24, 2017 6:40 AM

I missed the most important news at NC yesterday. A remarkable miscarriage of justice, highlighting the fact that there are three different sets of laws. Those for elites (only enforced in egregious cases and political cases), those for the peasants (mostly plea-bargained) and those for darker-skinned people (mostly imprisoned).

http://www.nakedcapitalism.com/2017/06/links-62317.html

In Opinion Mostly Rejecting Jeffrey Sterling Appeal, Fourth Circuit Criminalizes Unclassified Tips

https://www.emptywheel.net/2017/06/22/in-opinion-mostly-rejecting-jeffrey-sterling-appeal-fourth-circuit-criminalizes-unclassified-tips/
June 22, 2017/10 Comments/in Leak Investigations /by emptywheel

http://www.nakedcapitalism.com/2017/06/links-62417.html

Grenfell Tower

Camden flats being evacuated over cladding BBC. Lead story as of now.

Grenfell: A Symbol Of All That Is Wrong? Russell Brand, YouTube (resilc)

Canada Ponders an Unusual Drug Problem: a Shortage of Marijuana Bloomberg (resilc)

New Cold War

Smoking Gun Proof that Russia Hacked the Entire World George Washington (RR)

Ineligible Votes Swung Democratic Party Chair Election to Bauman Facebook. UserFriendly: “I know, it’s Facebook, but that is the only place I’ve seen it yet.”

Under pressure, Western tech firms bow to Russian demands to share cyber secrets Reuters (resilc)

Frustrated Dems say Obama botched Russia response The Hill

Syraqistan

The mukhtar DJT, Saudi Arabia, Qatar and Israel Sic Semper Tyrannis (resilc)

Historic Rivalry for Regional Dominance at the Root of Saudi-Qatar Crisis Real News Network

Why Saudi Arabia hates Al Jazeera so much Washington Post (furzy)

Imperial Collapse Watch

CIA examined the possibility of assassination of the Iranian PM Mohammad Mosaddegh before the 1953 coup failed evolution

Freighter Was On Autopilot When It Hit US Destroyer

Big Brother is Watching You Watch

Google is going to stop reading the mail in your Gmail inbox to target ads to you Business Insider

Vault 7: CIA Has Malware for Hacking Air-Gapped Networks via USB Thumb Drives Bleeping Computer

Russia Hacking Allegations Driven By a Serial Liar Washington’s Blog

The Trump Obstruction Case Is Gathering Momentum Vanity Fair (resilc). As Alan Dershowitz has pointed out, Trump can pardon himself.

JG4 June 24, 2017 6:44 AM

Police State Watch

Mistrial in Shooting of Black Driver by Cincinnati Officer New York Times

Cops Sent Warrant To Facebook To Dig Up Dirt On Woman Whose Boyfriend They Had Just Killed Techdirt (Dan K)

Teen killed by stray bullet while police fire at dog during response to ‘loud music’ Guardian

Clive Robinson June 24, 2017 7:09 AM

DOJ trying to short circuit congress.

Around four years ago Microsoft was served so that access could be gained to data stored on a server in Eire (Southern Ireland) in Europe. The data of which is protected by both Southern Irish and European data protection and privacy legislation.

Microsoft quite rightly baulked as the server was not in US Sovereign territory, nor was the data requested an asset of Microsoft or its Southern Ireland subsidiary.

It’s important to note that there are already existing treaties and international agreements on the sequestering of entities and assets, and the process has stood the test of time. Which is why they ensure a manner of protection against unwarranted access and seizure.

Unsurprisingly the US Congress is in the process of sorting out the base legislation for a similar framework as those that already exist. Which would allow the US government to enter into legal reciprocity agreements with other sovereign nations so that each nation has the legal right to get access to data on servers in other sovereign nations’ jurisdictions. But… with the all important valid warrant, that could be challenged.

The megalomaniacs in the DOJ do not like this as it puts “foreign oversight” on their actions and those of the FBI etc.

So last Friday the Justice Department submitted the equivalent of a “think of the children” appeal via the “war on drugs” mantra by petitioning the Supreme Court of the United States (SCOTUS).

Put simply the DOJ follow the “might is right thinking” that is gaining further prominence in the US currently. It is an extension of the much hated “American exceptionalism” whereby the US Government believes it can do as it pleases in any other sovereign nation without let, hindrance, oversight or even notification. In essence giving the likes of the FBI more snooping powers than the NSA.

As we know from experience the DOJ will try for the broadest scope and a hidden / secret court system with “nod it by” judges along broader lines than the FISA courts.

To see why this is so inappropriate consider a similar legal viewpoint in say China or Russia…

It is yet another example of the DOJ stupidly throwing the toys out of the pram. Their argument is “national security” but the reality is the opposite. Because over time one of three things will happen,

1, US companies will find they are not wanted abroad, thus will lose out to foreign competitors.

2, Under the principle of “A dog can only have one master” US companies will decide the dual legislative risk is too high and will pull out of foreign nations effectively ceding business to foreign competitors by default.

3, US companies, to maintain their standing business-wise, will vacate the US for foreign shores thus reducing US jobs and much more so the US tax take.

It’s something we in the UK are having to start to face due to Brexit…

Ars Technica, as do its readers, has its own view at,

https://arstechnica.com/tech-policy/2017/06/supreme-court-asked-to-decide-if-us-has-right-to-data-on-foreign-servers/

Which also contains links to the petition and Microsoft response.

CallMeLateForSupper June 24, 2017 8:16 AM

“Gmail will no longer scan e-mails for ad personalization”

That triggered cognitive dissonance here: what?! Gmail displays targeted ads?? I know they used to do that, but I have not seen “creepy ads” in … well, years. The no-scan story was as surprising as would be … I dunno… a notice in NYT that the City would no longer fire a cannon at sunset each day (which would puzzle a heck of a lot of New Yorkers).

Thinking on it for a while, I concluded that the creepy ads disappeared as a result of my installing NoScript.

Thoth June 24, 2017 8:46 AM

@Clive Robinson, all

Re: DOJ’s pathetic agreements

Encryption is one part of the answer. How it is encrypted is another part of the answer. How the keys are generated is yet another part of the answer. Who controls the encryption key and key management is yet another part to be answered.

In short for the lay reader, the simplistic use of encryption is useful but as I mentioned above, encryption comes with a whole slew of other issues.

For those who simply want the simplistic way, do not post your sensitive stuff on the Cloud (i.e. Instagram, FB, Youtube….). If you want to post multimedia to someone, encrypt and send is the simplistic answer that has lots of dark corners. One example is to encrypt the zipped photo album with images and multimedia and either email it or use some sort of Cloud service. Encrypting with GnuPG/PGP or some other file and mail encryption tool is suitable. Use an OpenPGP smart card if you want additional security for your PGP private keys.

In short, whatever you transmit might be used against you and stored forever. Be cautious of your personal data and stay away from as much social media as possible.

Ergo Sum June 24, 2017 9:04 AM

@The Ooga Booga Man…

FBI tried to brute force password using 24 computer array guessing 32,000 passwords a second for two months.

Did they try “qwerty”, “123456”, etc.? 🙂

32K per second on a 24 computer array does not sound right, or the FBI was doing it wrong.

GPU arrays are much faster, quote:

The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 958 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols.

Source from 2012: https://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

That’s not at the level of the supercomputers Ben A. mentioned (2-4 trillion guesses per second), but probably costs a lot less than supercomputers….

Tatütata June 24, 2017 9:40 AM

I know this will make me look very slightly pedantic, but I can’t help it…

As a result, it can try an astounding 958 combinations in just 5.5 hours

That should read 95^8 (95 to the 8th power), i.e., 6.93e+15. That would be all possible combinations of any 8 printable 7-bit ASCII characters.

The product 350e9 × 5.5 × 3600 is 6.6342e+15.

Andrew June 24, 2017 10:54 AM

“FBI tried to brute force password using 24 computer array guessing 32,000 passwords a second for two months”

It was most likely a truecrypt/veracrypt encrypted disk, the key derivation function is hardened with scrypt or is using a big number of loops. If it was the typical md5 hash they could try trillions per second, indeed.

Any encryption based on passwords derivation (not on long stored binary keys) and using simple hashes is breakable within hours, even if the password is 15-16 characters. Most systems are like this.

In veracrypt you can wait several seconds for the encryption key to be generated from password so an attacker would spend more resources too. You can also configure this in Password Safe.
The longer the session key is generated, the safer against brute force attack.

But very few systems are like this and won’t allow stored keyfiles…

Ergo Sum June 24, 2017 11:18 AM

Hello all…

I am looking for some information/statistics for ACH fraud. More specifically, fraud related to externally initiated ACH debit fraud for small and mid-size businesses bank accounts. Yes, there are a number of sites that talk about this, but they are mainly pointing finger at the business end point being hacked and initiating an ACH transaction.

Some background for my question…

I do have a small business and business checking/saving account in the US. A couple of weeks ago, someone from the UK had issued an ACH credit to my checking account, for around $150. My business has no clients by the name presented in the ACH transfer and/or after calling the banks and the clearing house the identity remained a mystery.

While credit is good, of course, after looking into ACH, I was surprised how business accounts work in the US. That’s given that these types of account do not have much protection in the US. But the bank allowing any ACH debit from anywhere to my business account had been eye opening.

After discussing this issue with my bank, the guy from etreasury had some interesting statements. One which is that they had started to see “unknown” deposits to business accounts for about the same amount as mine was. Some of the accounts may receive two or three of these deposits in 6-8 months, before there’s a debit issued to the account from the same entity. This seems to work, due to the fact that people don’t complain about credits and they don’t really check their account often. Two days after the debit has been paid (it takes that long to clear the transaction), it’s nearly impossible to recover the lost funds.

I am not certain whether the guy was trying to sell protection services, or this thing is actually going on? In either case, since I don’t use it, I did opt for blocking ACH debits from anywhere. I do allow ACH credits, since more and more of my clients are opting for ACH payments.

Ergo Sum June 24, 2017 11:30 AM

@Tatütata…

That should read 95^8 (95 to the 8th power), i.e., 6.93e+15. That would be all possible combinations of any 8 printable 7-bit ASCII characters.

The 95^8 looks fine to me. The keyboard’s 95 printable characters to the power of eight, it’s accurate and simple. It’s also easy to change for 22 character password, 95^22…

Ben A. June 24, 2017 11:44 AM

@CallMeLateForSupper

“That triggered cognitive dissonance here: what?! Gmail displays targeted ads?? I know they used to do that, but I have not seen “creepy ads” in … well, years […] Thinking on it for a while, I concluded that the creepy ads disappeared as a result of my installing NoScript.”

You’re right, it’ll be down to NoScript which is why you’re not seeing ads. Google were/are still scanning your emails; you just weren’t/aren’t seeing them.

My reading of Google’s announcement is that they’ll stop scanning your emails but they’ll still deliver targeted ads through their acquired knowledge of you.

I assume most people on here don’t use Gmail but those who do will probably use a traditional POP/IMAP mail client (Thunderbird, Outlook, Pegasus Mail). I seem to recall Bruce writing an article about his use of Eudora!

The majority of the population who use Gmail will use the web interface, and by staying signed in, Google will still sell your searches to advertisers (i.e. from Google web search) which will then be displayed in Gmail.

They give with one hand and they take with the other.

@Ergo Sum

I’m with you – the FBI are probably not telling the court the whole truth. Knowing what we do about their technical incompetence it could be attributed to malice or ineptitude.

Even modern GPUs offer a fantastic improvement over the 32,000/sec so there’s something not right.

@Andrew

Any encryption based on passwords derivation (not on long stored binary keys) and using simple hashes is breakable within hours

Good encryption software generates Data Encryption Keys (DEK) and Key Encryption Keys (KEK) to overcome this problem. If they don’t then they run into the problem you mentioned.

VeraCrypt allows you to set a user defined PIM which is another term for iterations. They implement it differently than most and require the user to input their PIM upon decryption. Therefore without knowing both the PIM and password an exhaustive key search (against the password) would fail.

Software like KeePass allows the user to select something like Argon2 and then use their own parameters for parallelism and memory use. By conservatively increasing these values you can create a database that can’t be broken (through exhaustive key search) any time soon. You can also use ChaCha20.

http://keepass.info/help/kb/kdbx_4.html

Rachel June 24, 2017 12:53 PM

RE: Protonmail VPN

I meant, Protonmail are making a very concerted effort, so if you have experience with their new VPN product sharing it may be of benefit for others

Who? June 24, 2017 1:01 PM

@ Rachel

Re: ProtonMail VPN

As usual in this company it is a paid service. I do not really trust a corporation that is intentionally weakening the security of non-paying customers.

ProtonMail is another sad example of the highly profitable business of fear.

Who? June 24, 2017 1:41 PM

@ Rachel

From what I have read ProtonVPN is just an OpenVPN network. See the Linux VPN setup instructions to get an idea of how it works.

It does, however, have so many artificial restrictions in the free version that I would say it is not worth the effort. As said before, ProtonMail’s business is the fear of users. Anything free from them is just a “demo,” ProtonMail/ProtonVPN does not even provide support for serious bugs in their own code. You need to be a paying customer if you want them to listen to you even when you show their own authentication code is broken.

herman June 24, 2017 2:14 PM

@Joshua Bowman: Note that there are only about 1 billion Windows machines out there. Therefore it is very unlikely that a botnet could span 250 million computers.

JG4 June 24, 2017 2:17 PM

@ mostly harmful

Thanks for the heads up. I miss a lot of stuff these days. I was disappointed that no one commented on my request for books on programming and related topics. I’d feel even worse if people had responded and I missed it.

@ Rachel

BTW, GoodReads isn’t a front for Amazon, it was bought outright in recent years.

Visualizing The Jeff Bezos Empire In One Giant Chart

I’m not really an Amazon hater, but I want to see a profoundly dynamic balance of power. When one 800-pound gorilla starts to have market dominance, it would be helpful if another 800-pound gorilla started to pound on them.

Walmart has a reasonable chance, but the data disadvantage may be crippling. The worst-case scenario is that Amazon, Google, Facebook, Microsoft and Walmart actually are a single entity that owns the US government.

ab praeceptis June 24, 2017 2:38 PM

@Andrew

I agree. I have worked with implementing KDFs and those numbers sound indeed reasonable and credible.

Short explanation: With KDFs one mainly has two screws to tune. One is the amount of memory used (mainly to thwart massively parallel approaches) and the other is time. Regarding the latter one must find a sensible compromise such that the lower end machines of what might be described as the “typical computing power spectrum” of legitimate users experience a tolerable delay while high powered enemy players experience a not insignificant delay.
The problem there (which to deal with is one major factor in designing a good KDF) is that there is a quite considerable spread. A user of, say, a somewhat older lowend smartphone might experience a delay of 2 seconds (which most consider unacceptably long) while an attacker’s ASIC farm might have a delay of just 10 ms (or even way less with a bad KDF).

Considering that encrypted drives/partitions are non repeating one off actions, that people encrypting their partition(s) are usually security focussed, and that modern OSs can continue to load in other threads, a delay of even 3 – 5 seconds is quite common. Also considering that good KDFs are aggressively single threaded and that ASIC solutions (except for prohibitively expensive ones with huge memory) both the fbi’s approach of using a (relatively small) array of COTS systems and their cracking rate seem quite sensible.

@Who?

Bandwidth and colocation are still a very major cost factor in hosting. Why would one expect a company, in particular a not very big one, to burn thousands and thousands of $ each month for free riders? Also consider that most problems in hosting (incl. abused into snail-slow hosts) stem from exactly that clientele, the free riders and the lowest end customers. Finally, one can also turn around the question and ask “How would you as a paying customer like the idea of financing free riders who on top of it make your infrastructure slow?”.
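The cracking-rate and key-derivation arithmetic that runs through this thread (the 32,000 guesses/s FBI array, the 350 billion/s GPU cluster, the 95^8 keyspace and the 5.5 hour figure, and the “time screw” of a KDF), worked as an added Python example that is not part of any commenter’s post. It computes both 95^8 and 350e9 × 5.5 × 3600 so the reader can check which number is which, and then measures what a PBKDF2 cost does to a single core’s guess rate; the PBKDF2 iteration counts, the 60-day window and the quarter-second unlock target are assumptions chosen for illustration.

```python
"""Brute-force cost arithmetic for the password-cracking numbers in this thread.

Constructed example: the guess rates (32,000/s and 350e9/s) are the ones
quoted in the thread; the PBKDF2 parameters and time windows are assumptions.
"""
import hashlib
import os
import time

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols (95^8 for
    eight printable ASCII characters)."""
    return alphabet_size ** length


def guesses_in(rate_per_second: float, seconds: float) -> float:
    """How many candidates a cracker running at `rate_per_second` tries in
    `seconds` (e.g. 350e9/s over 5.5 hours)."""
    return rate_per_second * seconds


def seconds_to_exhaust(space: int, rate_per_second: float) -> float:
    """Worst-case time to try every password in `space` at the given rate."""
    return space / rate_per_second


def max_length_covered(alphabet_size: int, guesses: float) -> int:
    """Largest L such that *every* password of length 1..L fits inside
    `guesses` attempts (all shorter lengths are counted, not just length L)."""
    length, total = 0, 0
    while total + alphabet_size ** (length + 1) <= guesses:
        length += 1
        total += alphabet_size ** length
    return length


def pbkdf2_cost(iterations: int, rounds: int = 5) -> float:
    """Average wall-clock seconds for one PBKDF2-HMAC-SHA256 derivation on
    this machine. This is the price an attacker pays per candidate password,
    which is why a slow KDF turns 'trillions per second' into a few per second."""
    salt = os.urandom(16)                      # constructed, random salt
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                            salt, iterations, dklen=32)
    return (time.perf_counter() - start) / rounds


def calibrate_iterations(target_seconds: float, start: int = 10_000) -> int:
    """Double the iteration count until one derivation takes at least
    `target_seconds` here: the 'time screw' of KDF tuning (assumed
    calibration loop, not any product's own method)."""
    iterations = start
    while pbkdf2_cost(iterations, rounds=1) < target_seconds:
        iterations *= 2
    return iterations


if __name__ == "__main__":
    space = keyspace(95, 8)
    print(f"95^8                      = {space:.4e} passwords")
    print(f"350e9/s for 5.5 h         = {guesses_in(350e9, 5.5 * SECONDS_PER_HOUR):.4e} guesses")
    hours = seconds_to_exhaust(space, 350e9) / SECONDS_PER_HOUR
    print(f"hours to exhaust 95^8 at 350e9/s: {hours:.2f}")
    two_months = guesses_in(32_000, 60 * SECONDS_PER_DAY)
    print(f"32,000/s for 60 days      = {two_months:.3e} guesses, which covers every "
          f"printable-ASCII password only up to length {max_length_covered(95, two_months)}")
    iters = calibrate_iterations(0.25)         # assumption: ~0.25 s per unlock
    per_guess = pbkdf2_cost(iters)
    years = seconds_to_exhaust(space, 1 / per_guess) / (365 * SECONDS_PER_DAY)
    print(f"PBKDF2-HMAC-SHA256 at {iters} iterations: {per_guess:.3f} s per guess on one core, "
          f"so one core needs ~{years:.0f} years for 95^8")
```
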

Thoth June 24, 2017 3:05 PM

@all

More EMINT goodness. Stealing AES-256 keys from a distance but it has not been tested in environments with tonnes of EM emission except in clean rooms.

albert June 24, 2017 4:45 PM

@Tatütata,
“…958 combinations in just 5.5 hours…”
The author is correct, it -is- astounding:)

……

Latest from CRS,

https://fas.org/blogs/secrecy/2017/06/aircraft-oxygen-crs/

Please note, there are many more CRS reports at the link cited. Even listing the titles takes a lot of space, so check the list for anything of interest to you.

I try to post cyber-security reports, but I may miss some.

. .. . .. — ….

Daniel June 24, 2017 5:23 PM

@Rachael @ Who?

The larger issue is that there is almost no security threat where a VPN is useful. The only one I’ve ever been able to think of is avoiding geolocation blocks and if that is what the VPN is for any VPN will do, even those free ones.

I took a look at the VPN page for ProtonVPN and I thought it was misleading in one significant respect and that is their bragging about their Swiss jurisdiction. The fact of their jurisdiction is an important point when it comes to mail servers because the mail servers are located in Switzerland but it is irrelevant to VPN service. Whoever controls the machine physically controls the data on the machine and so the ultimate control of your data rests not with the Swiss but with whatever country the server is located in. This is why the constant claim by so many VPN providers that they don’t keep logs is marketing fluff. Sure /they/ don’t keep logs but what about the hosting provider who is running the server in country X? A company like ProtonVPN has no control over what the hosting provider does. If the server is in the US the FBI doesn’t care that it is contracted to ProtonVPN–they are going to serve the subpoena on the hosting provider in the USA and that hosting provider is going to comply, even if they have to lie to ProtonVPN about what they are doing. If the hosting provider is in some place like Cuba or some other third world country you are running around the internet with a “Kick Me” sign nailed to your back.

The VPN industry today is the virus industry of fifteen years ago. Lots of people making money off the rubes and the ignorant.

Andrew June 25, 2017 1:05 AM

@Thoth
It doesn’t work like that. The source code is just not sent to them. It can be inspected by researchers on the company computers, under special conditions etc.
…and in the end a different backdoored version is compiled and put on market.

Thoth June 25, 2017 1:26 AM

@Nick P

I have figured out how to implement the Prison model’s checking mechanism in theory with my current product setup via some additional modifications and enhanced hardware for such purposes. There are theoretical downsides like speed but it does not matter if you have a server that is built to hold 2400 pieces of Secure Element chips inside (already commercially available).

In theory, I could modify my existing setup to make it Prison model capable if I deem that my money and time would be worth that effort for now that my enterprise is still new and young.

ab praeceptis June 25, 2017 2:16 AM

Thoth (June 25, 2017 12:14 AM)

I think that is easy to get wrong. Pretty much every country with enough muscles (read: revenue potential) will demand at the very least to check sources in a controlled setting (typ. at the supplier) or even to build their own version or have their product built under their control.
Moreover with tech savvy countries like Russia or China you bet that they have the sources anyway albeit unofficially.

Also keep in mind that the us of a has quite consistently been ignorant and aggressive towards some countries like Russia so the Russian government would be idiotic and show a grave lack of responsibility and professionalism if they accepted any software from nato countries, particularly from us of a, without demanding to see or have the source.

Btw, Russia is known for being very correct in international dealings. One example is them always paying any debt on time and fully without trouble.

As for “knowing the source equals a large entry door to putting who knows what into a software”, well, that part has already been taken care of to the extreme by the us of a agencies …

So, no, I’m not at all worried about Russia having access to windows source code (other than the fact that Russia shouldn’t use windows in the first place).

Gerard van Vooren June 25, 2017 4:11 AM

@ Thoth,

Security by obscurity may not be the best idea but at least it is still a useful barrier against possibly hostile state actors

The barrier is right up until the obscurity has been figured out. No, the crypto has to be strong and uncoupled to the machine. That is the only way to get it right. How to do that in an elegant and easy to use way, that is the question.

Of course it is quite easy, albeit a bit labour intensive, to do that with OTP but then you are limited to the persons who you shared the OTP with previously, which means that this perfect security is only for people who need it and because of that are willing to take time and resources in order to use it, so that is limited to dissidents, journalists, cabals, military and criminal organizations.

It’s much harder with pub/priv keys for non-tech savvy people (read: the masses), who want to store these keys onto their machines and at the same time expect that these keys are safely stored in a place where the keys can’t be stolen.

Clive Robinson June 25, 2017 4:42 AM

@ Clipper, ALL,

Brutal Kangaroo – Wikileaks

From what I have so far seen of “Brutal Kangaroo” the idea is quite an old one.

More importantly the mechanism behind it is similar or the same as Stuxnet. But perhaps more importantly if you go back far enough you will find the method was discussed on this blog as a method to hack electronic voting machines long prior to Stuxnet.

Thus the question arises yet again as to just how much of the CIA equivalent of the NSA TAO as well as the TAO itself just copy method ideas from here?

The reason to ask the question is important, as it affects us all.

As I’ve said in the past,

    For some reason I find “people are not learning from history” thus many many people are condemned to relive it.

But even though I worked out how to stop this general class of attack used in “Brutal Kangaroo” on my systems years ago, I’m also condemned to “relive it” as well…

    Because the defensive side of the Computer Security industry needs to stop living only in “the moment”, with the unfortunate consequences that come from such short sighted behaviour.

We have repeatedly seen attackers reuse attack methods from the past, so we know some of them at least are learning from the past.

Thus the “Brutal Kangaroo” trick of infecting USB drives to get at isolated systems is far from new, because at one point all systems were isolated…

The air-gap hopping trick is the same as it was back in the late 1970’s with archive tapes, and the same as in the 1980’s with floppy disks.

Sadly it is still true today for all removable, external or externally accessible media, which includes all NAS, SAN and Cloud storage.

So, unless you or those that design the systems you use have learnt from history, this trick or class of method will keep working against you and come back to haunt you (which I will come back to below).

This keeps happening because for by far the majority of attacks the “classes” of methods used are not new, even with new technology. This is true because new technology is usually designed as an improvement on an old way of doing things (otherwise there would not be a perceived need for it in the market). Thus whilst you may have a new “instance” of an attack with a new technology, importantly the method class has not changed.

The problem the defenders often have is “blinkered vision” they see the “instance” and solve that. What they tend not to see is the “class” of method the instance is from, so they don’t solve that. Importantly nor do system designers like for instance Microsoft (as we shall see later).

Thus the defenders run around endlessly fighting new instances and providing fixes for each instance, rather than fixing the general class and thereby killing off new instances before they are even conceived.

So I and others such as @Nick P, @Thoth, @ab praeceptis and others have had to repeatedly remind people of history. Thus my latest repeat yesterday,

https://www.schneier.com/blog/archives/2017/04/jumping_airgaps.html#c6755053

Importantly if we want “our systems” to be secure then history can be a guiding light into the future. But even more so because it can also tell us what solutions may be a very bad idea.

One such bad idea is “walled gardens”: not only do they not work except occasionally against “low hanging fruit”, you also lose control of the system, it’s no longer yours, it’s theirs.

We went through this very bad idea with “Big Iron” and the likes of IBM, which deservedly got a very bad reputation and a court case that nearly ripped them into pieces. What finally killed off that was the Personal Computer with “Open Interfaces” in both software and hardware (pioneered by Apple).

Microsoft are claiming currently that if people had been using their “Windows 10 S” Operating System then WannaCry and similar ransomware would not have happened to them, and that no other known ransomware would have either.

Whilst possibly true in the instance of WannaCry it’s far from true in the general case Microsoft appear to claim.

In fact Microsoft Windows 10 S is vulnerable to exactly the same class of attack as mentioned above.

You can get malware onto external storage and the OS treats it as trusted, and thus it “end runs” around all of the “walled garden”, which thus only restrains the user rather than protecting them.

Apparently it took a “white hat” attacker about three hours from their “first contact” with Microsoft Windows 10 S to do this…

http://www.zdnet.com/article/microsoft-no-known-ransomware-windows-we-tried-to-hack-it/

So it’s nowhere near secure to non low hanging fruit attacks. But much worse Benjamin Franklin’s famous words,

    Those who give up their liberty for more security neither deserve liberty nor security.

Still apply. Those that use such “walled garden” security will not just lose their liberty of ownership and choice, they will not gain security. All they get is a Faustian bargain of empty words and a 30% tax they would otherwise not have had to pay…

So as a general word to all “Do not buy Microsoft Win 10 S products”, because you will regret it at some point when you find you don’t own it Microsoft do, and they will make you pay endlessly for that mistake.

Winter June 25, 2017 5:19 AM

Leaked GOP Data On 198 Million Americans Wasn’t Even Protected By A Password

I ask myself whether the GOP is exceptionally careless and/or incompetent compared to other ruling parties? In Europe, the privacy laws are becoming pretty draconian. But how are things elsewhere?

This was already posted last week in squid:
https://www.washingtonpost.com/news/the-switch/wp/2017/06/19/republican-contractor-database-every-voter-exposed-internet-12-days-researcher-says/?utm_term=.7c500eb4087e

More:
https://www.forbes.com/sites/leemathews/2017/06/19/gop-firm-leaked-info-200-million-americans/#770842a079ff

Thoth June 25, 2017 5:25 AM

@Clive Robinson

I have thought up a highly abstract theoretical blueprint on practical implementations of the Prison model in commercially available smart card systems.

Problem is people stealing designs in this place.

Clive Robinson June 25, 2017 9:41 AM

@ Thoth,

Problem is people stealing designs in this place.

I see three basic problems with putting ideas on this blog,

1, Theft of the IP.
2, Lack of recognition.
3, Misuse of the information.

The first two are in effect “harms of loss”. The third however could in theory land you in jail the way some courts are idiotically behaving these days.

The first two are a fact of life with Governments, especially the IC agencies, some of whom I know have stolen my ideas without either acknowledgment or compensation. This is I gather not unusual; the NSA has a track record of it, as does the UK’s GCHQ and MI5. The latter of which purchased surveillance equipment I had designed and then passed the design off as their own to a major UK manufacturer of the time. At least I got one sale out of it; the journalist Duncan Campbell just had his idea of using TDR to detect bugging equipment on land lines stolen and given to the same manufacturer…

The third has become a political hot potato, especially under Obama’s terms as POTUS. It’s a rehash of the “public disclosure” argument, and whilst having a major political element, much of it was driven by commercial organisations on both the east and west coasts. That is Silicon Valley and Disney’s and similars “rent seeking behaviour” way beyond that which is morally and ethically beyond what is acceptable in society in general.

But the special sauce Obama brought to the table is pursuing those you disagree with beyond measure. This infested the likes of the DOJ and the FBI with megalomaniacs and sociopaths. Who see their way to the top on how many criminals they convict using dubious legislation or pushing the scope of legislation beyond any kind of reasonable bound.

It’s one of the reasons I became more hesitant about disclosing even broad details on classes of attack, let alone the specific details of instances of attacks. As I said long prior to Stuxnet, it was clear that either there were extraordinary levels of coincidence or people were using the ideas discussed here for harm. Thus whilst I gave broad details of how to go about crossing air-gaps to get at voting machines, and how to make headless command and control systems using the likes of the Google servers, I made it clear at the time I was not revealing the trick behind exfiltrating data in a way that was not traceable by even the NSA and GCHQ et al.

That is, I decided I would reveal details that I think will benefit the ITSec community and make things more secure, but hold back on things that would help criminals including the Five-Eyes etc. So I pointed out various failings in TOR and broad brush stroke methods on the changes that should be made to it to reduce if not eliminate the issues of traffic analysis. However, as with my warnings to the likes of the Honeynet developers, those doing DNA forensics, developing biometric devices and several others, it fell on the “deliberately deaf ears” of those who suffer from “Not Invented Here Syndrome”.

Anyway the world keeps turning, and as far as I can see the lag between stuff being talked about on this site and actually being used is four to eight years at the more practical end, and still not getting investigated by the academic community after a decade…

Nash June 25, 2017 10:27 AM

“exfiltrating data in a way that was not tracable by even the NSA and GCHQ et al”

Little hints are just fine. Under the Teheran Consensus that speaks for 80 per cent of the world’s population, civil society includes them and them too. There’s plenty of technical capacity to free information from Western bloc Stasis. We haven’t heard much of the hack that burned CIA cutouts Solomon and Azima – odd, innit?

Rachel June 25, 2017 11:27 AM

JG4
I was disappointed that no one commented on my request for books on programming and related topics.

Nick P, about 12 months ago, provided a very generous response to someone asking how he and Clive knew so much and did they have any tips for starting.
Nick made all sorts of great suggestions including naming some of his preferred or foundational programming texts. He did refer to himself and Clive as savants and that it’s not a state of being worth aspiring to because of the inevitable tradeoffs. A search of the site will not reveal the post.

mostly harmful June 25, 2017 12:20 PM

@Rachel

Nick P, about 12 months ago, provided a very generous response to someone asking how he and Clive knew so much and did they have any tips for starting.

As did several others. My personal favorite was this one. I particularly like how it isolates a certain sort of learning phase and dubs it “spray and pray”.

Anyways, the supplicant went by the memorable handle Dumber than Nick P and Clive Robinson. Three cheers for them!

Nick made all sorts of great suggestions including naming some of his preferred or foundational programming texts. He did refer to himself and Clive as savants and that it’s not a state of being worth aspiring to because of the inevitable tradeoffs. A search of the site will not reveal the post.

The entire squid thread in question is here: https://www.schneier.com/blog/archives/2016/07/friday_squid_bl_536.html

Also, at the tail end of that thread, Nick P helpfully points to another post of his in the subsequent week’s squid thread: https://www.schneier.com/blog/archives/2016/07/friday_squid_bl_537.html#c6729770

ab praeceptis June 25, 2017 1:22 PM

Gerard van Vooren

Security by obscurity …

The barrier is right up until the obscurity has been figured out. No, the crypto has to be strong and uncoupled to the machine.

Actually this whole “obscurity is not security!!1!” on dit is a striking example of smart-looking sound bites being valued higher than insight. Wikipedia is a rich source of that kind of “wisdom”…

Two points:

  • crypto is but highly professional obscurity. In fact, the obscurity we strive for is to have (encrypted) messages that are indistinguishable from random bytes.

It is saddening to see (but explaining a lot) that even professionals(?) of the guild repeat that nonsense. Warriors of diverse sorts in diverse cultures, for instance, have thought for millennia about the very essence of their trade, and the same can be said of other professions. To be a true master of one’s trade one must achieve that level of enlightenment.
It seems to me that (like in other fields, too) we have a lot of mechanics and technicians but very few masters …

  • has open source, open crypto, etc. really brought us forward? Do we really have better kept state, corporate, and private secrets, more privacy, confidentiality etc. than we had in the “dark ages” of, say, the ’70s? I strongly doubt it.

The typical arguments are wrong or flawed. Example: “The Germans lost due to Enigma’s obscurity being lost/broken”. Flawed. The Germans (looking at only that issue) lost a) due to bad OpSec and b) due to a crypto flaw/weak crypto in Enigma.

Which brings me back to the true meaning of security/obscurity and I shall word it carefully:
Good crypto protects even in the extreme worst case of the opponent knowing everything except secret keys.

That does not mean that only open, transparent crypto is acceptable. It is merely a criterion, and states the fact that the predicate “opponent doesn’t know my mechanism” by itself often does not hold, as we know from plenty of experience.

However, and that is an interesting case of (often) ignoring one’s own dogmas as well as a prescription for secret services: that can also be applied to the secret keys! For them, too, the predicate doesn’t always hold (which is the reason why I work on mechanisms where the secret key can and should be unknown to the (or at least most of the) users of a system).

Finally, looking from a pragmatic perspective:

a) The vast majority of potential attackers are not able to crack even primitive layers of obscurity. Even machine aided disassembling isn’t of much help against anything but the most primitive layers of obscurity.

b) It is well known that the vast majority of attacks are not against crypto but simply “go around it”. Keep in mind that even today state agencies are frequently successfully hacked with ultra-primitive means like phishing.

c) For most programmers crypto is as sealed a book as a Bose-Einstein condensate. Typically programmers use crypto about the same way as bachelors use 5 minute meals for the microwave. Have a look back at (a).

d) I have but a contrived example but please accept it. Like all protection devices crypto can actually turn against you if you don’t know it well enough. I’d dare to say that (contrived example that, however, is nice for the purpose) more US Americans end up in emergency rooms or even the morgue due to misusing a gun that was meant for self protection than actual attacks are successfully defended against.
One major part of the problem is in human psychology and the – de facto – assumed-to-be-outsourced problem solving à la “I use XYZ-256 which is made by the finest people in the field (plus recommended by the ‘IT for idiots’ gazette), hence I can be careless.”

@Rachel, JG4

While I commend Nick P and others for providing reading lists, I myself rarely and hesitatingly provide such hints. Two main reasons. a) (deducing from the comments here) the vast majority of readers are on a level so far below people like Nick P, Clive Robinson, Thoth, that it would simply be wasted. b) (and more important) The most important things I have to say are things that I must say myself because they aren’t simple mechanical recipes (and btw, the recipe books are quite frequently mentioned anyway).

Clive, for instance, might certainly most easily come up with a list of a dozen good books on the subject but I wouldn’t care a rats a** – what I care about and what makes people like him so valuable here are what he made out of those books plus a big pile of experience plus what his bright mind is making out of all that.

I’m interested in insight, preferably deep and profound and real life proven insight. “The best 10 books about xyz” lists are a dime a dozen on the internet.

Thoth June 25, 2017 3:20 PM

@Clive Robinson, Nick P

Just to give a highly abstract method with just enough information, my method of practical implementation of the Prison model with an execution verification mechanism is to use an array of SIM cards installed into commercially available “SIM Servers”, which are simply PCIe cards with a ton of SIM card slots loaded into commercial servers. This serves as the basis for the array of low cost chips that the Prison model uses. Also the properties of SIM cards I have mentioned before make them suitable for such use cases.

For the “trusted verifier chip” that is part of the Prison model, it is not simple to design and manufacture specific board designs, and also designing something specific and not purchased off the shelf will definitely raise eyebrows, so in order to keep to my usual habit of using COTS items, all the SIM cards will take turns in round robin fashion to be verifiers. This means that you can use a variety of SIM card brands.

A few SIM cards other than the verifier SIM card would execute the instructions and the verifier SIM card would verify. After that, the verifier SIM would be re-assigned to the next SIM card.

Using only purely COTS items with the SIM card load balancing and job handling technology, a Prison model with the ability to perform verification can be done.

I have an extended verification method to keep the SIM card performing verification duty honest but that will be as much as I will describe for now.
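A small simulation of the rotating-verifier arrangement Thoth sketches above, added here as an illustration; it is not Thoth’s or Clive’s design and the toy instruction set, the unit names (`sim0`…) and the `tamper` hook are assumptions made for the demo. A ring of identical cheap units executes each job on a few workers, one unit acts as verifier by re-executing the job, and the verifier role moves on round robin so no unit is permanently trusted. Because each job has at least two workers plus a verifier, a disagreement can be localised to either a worker or the verifier by majority, which is why a misbehaving unit is flagged in every round it takes part in, including the round in which it holds the verifier role.

```python
"""Round-robin verifier simulation (constructed illustration).

A pool of identical units (stand-ins for SIM cards) executes jobs from a
toy instruction set.  For each job one unit is the verifier and the next
`k` units in the ring are workers; the verifier re-executes the job and the
results are compared.  The verifier role rotates after every job.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Job = Tuple[str, int, int]   # (opcode, a, b): a deliberately tiny instruction set


def execute(job: Job) -> int:
    """Reference semantics of the toy instruction set (32-bit wraparound)."""
    op, a, b = job
    if op == "add":
        return (a + b) & 0xFFFFFFFF
    if op == "mul":
        return (a * b) & 0xFFFFFFFF
    if op == "xor":
        return a ^ b
    raise ValueError(f"unknown opcode {op!r}")


@dataclass
class Unit:
    name: str
    # Hypothetical hook so the simulation can model a faulty or subverted
    # unit; honest units leave it as None.
    tamper: Optional[Callable[[Job, int], int]] = None

    def run(self, job: Job) -> int:
        result = execute(job)
        return self.tamper(job, result) if self.tamper else result


@dataclass
class Verdict:
    job: Job
    verifier: str
    results: Dict[str, int]   # worker name -> result it reported
    ok: bool
    suspects: List[str]       # units whose result disagrees with the majority


class RoundRobinPrison:
    def __init__(self, units: List[Unit], workers_per_job: int = 2):
        # Need >= 2 workers so a lone dishonest verifier can be outvoted.
        if workers_per_job < 2 or len(units) < workers_per_job + 1:
            raise ValueError("need at least workers_per_job + 1 units, workers_per_job >= 2")
        self.units = units
        self.k = workers_per_job
        self._next_verifier = 0

    def submit(self, job: Job) -> Verdict:
        n = len(self.units)
        vidx = self._next_verifier
        verifier = self.units[vidx]
        # The k units following the verifier in the ring do the work.
        workers = [self.units[(vidx + i) % n] for i in range(1, self.k + 1)]
        results = {w.name: w.run(job) for w in workers}
        expected = verifier.run(job)

        suspects = [name for name, r in results.items() if r != expected]
        if suspects and len(suspects) == len(results) and len(set(results.values())) == 1:
            # Every worker agrees with every other worker but not with the
            # verifier: the verifier is the odd one out.
            suspects = [verifier.name]

        self._next_verifier = (vidx + 1) % n   # rotate the verifier role
        return Verdict(job, verifier.name, results, not suspects, suspects)


def demo() -> List[Verdict]:
    """Four units, one of which (sim2) silently corrupts every 'add' result."""
    units = [Unit(f"sim{i}") for i in range(4)]
    units[2].tamper = lambda job, r: r ^ 1 if job[0] == "add" else r
    prison = RoundRobinPrison(units, workers_per_job=2)
    return [prison.submit(("add", 1, 2)) for _ in range(4)]


if __name__ == "__main__":
    for v in demo():
        print(v.verifier, v.results, "OK" if v.ok else f"MISMATCH suspects={v.suspects}")
```

The simulation shows what the rotation buys and what it does not: a unit that lies is caught whether it is working or verifying, but only because every job is also run by two other units, so the scheme's cost is the redundant execution, which is the overhead Thoth later alludes to.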

Clive Robinson June 25, 2017 3:46 PM

@ Rachel,

mostly harmful rocks

If hurled against a glass house… But any more so than “potentially portentous pebbles”?

name.withheld.for.obvious.reasons June 25, 2017 4:37 PM

Spoiler alert, using heuristic behavioral analysis and machine learning, Clive’s words are often just that, “A spoiler alert, been here–done that”, and represents a restatement of FACTS that were well understood prior to our entry into the 21st century.

@ Clive Robinson

So, unless you or those that design the systems you use have learnt from history, this trick or class of method will keep working against you and come back to haunt you (which I will come back to below)

Might I suggest that within the local group, using a locally compact “fact”, a relatively unseen particle has become increasingly prominent and may soon subsume many other basic particles. The electron, photon, neutron, pi-meson, and others seem to have decayed in parallel to the lower state and energy particle–the moron. Is there a Moron-Collider under development or any planned construction…

I understand this to be the first order component in your observation/assessment Clive–this has been hashed to SHA1 death here and elsewhere. As I don’t have to remind you, make good products, enjoy the benefits and results. My HPCV-1, using a total of six sets of batteries, has run flawless for the past 37 years. I am suggesting that the previous paragraph contains insightful information, at the very least an alternate hypothesis.

Looking at the design, layout, construction, fabrication, integration and quality control that WAS part of the product cycle (irrespective of “agile” methods or life-cycles) in the 70’s and 80’s seems unapproachable but in all but the most expensive systems still available (let alone new) regardless of the market sector.

Thoth June 26, 2017 12:49 AM

@all

The Western world could gladly stick to using weak crypto, backdoors, golden keys and such system while China, Russia and other parts of the world are striving to use strong security and developing higher security assurance technology.

If the 5Eyes, or more importantly the USA, do not want other non-Western powers and countries to overtake them, they have to stop the nonsense of escrow, backdoors and such attempts to hinder the growth and development of such techniques and their uses.

China and Russia are getting stronger in the field of technology and hacking, and if the Western societies want to resist such cyberattacks, they have to allow every citizen to be individually strong and secure, and also as a whole, instead of advocating weak crypto, backdoors and such, which will allow agents from China, Russia and such multiple options to strike at the information systems used by the West via attacking the weakest link.

Link: https://arstechnica.com/tech-policy/2017/06/australia-to-target-encrypted-messaging-apps-at-upcoming-security-meeting/

Thoth June 26, 2017 2:47 AM

@all

More drama of Linus Torvalds vs. GRSecurity by firing verbal salvo at GRSec team calling their work nonsense and the people as clowns.

About time that people should migrate in bulk away from Linux to OpenBSD and FreeBSD and start to enhance the user experience of OpenBSD and FreeBSD and making it more widely accepted.

As per usual, the hopes are on Redox OS and Genode for some sort of safer and little more secure computing but it is still light years away.

Clive Robinson June 26, 2017 3:02 AM

@ Thoth,

Another way is to just disable Javascript altogether.

People should really have asked the question years ago when Google’s search engine started doing word auto-complete in the text entry box.

It was the final nail in the coffin for Javascript as far as I was concerned, and as some readers may have gathered I’ve had it disabled for some time now.

The downside of course is I don’t get the malvertising be it good or bad 😉 Some content suppliers are getting a bit upset by this and blocking their content if you don’t take the malvertising they serve up.

Condie Nasty being one such that is now “out of Vogue” as far as I am concerned. But let’s be honest here, the content they provide is never worth the cost of the malvertising; few sites ever are. Further they still allow search engines in to index their sites, which means you can usually get at the content other ways, either directly or indirectly. If not, similar is available from other sites, such is the copy-n-paste online behaviour of what passes for journalism these days online.

To show how daft it is getting, a year or so ago there was a major tragedy a couple of miles down the road from where I was in London at the time. I first heard about it on the radio, then got most of the details via the Australian ABC news site before getting other details an hour or so later from a local free newspaper website. The rest of the UK MSM, especially the Murdoch empire, even though treating it as a major news story, failed on detail or if they had it put it behind a paywall.

Sometimes I get the feeling that those in charge of MSM, especially newspaper outlets, do not realise just how much they are painting themselves into a corner with paywalls and malvertising.

If they want to earn money from advertising then they need to get a grip on it, by stopping the use of click bait or the scum line online malvertisers and ditching the need for javascript to be on. Otherwise they will join the dodo like other soon to be extinct entities.

ab praeceptis June 26, 2017 3:06 AM

Thoth

When I read that I couldn’t but think “No, thorvalds, the clown were you when you back then stupidly and arrogantly thought you’d know better than Prof Tanenbaum, and the clown still is you again today”.

But then, thorvalds never cared a rats a** about safety and security. Probably we should call him linus kardashian from now on as he reliably confuses being famous and being intelligent.

Clive Robinson June 26, 2017 3:23 AM

@ Thoth,

Linus Torvalds vs. GRSecurity by firing verbal salvo at GRSec team calling their work nonsense and the people as clowns.

This is not the first time Linus has made a poor behaviour choice when it comes to security and Linux.

No doubt some here remember his behaviour over the random number generator in Intel Chips and his incorrect claim to security expertise… Oh and the later climb down.

The simple fact is it is no longer possible for an individual to be master of all the facets of modern OS’s, especially the arcane aspects of security. However the Linux kernel is his baby, thus we should realise his sense of proportion with respect to it is most likely going to be affected.

If he’s not careful he will paint himself into a corner. I guess rumours that the likes of Google are going to replace Linux don’t help either…

Anyway it’s a nice morning in London for once, it’s a shame I have to go in and get on with things to meet others expectations. I guess there are some advantages to being your own boss, but I was not that ambitious when I tried it when younger…

Clive Robinson June 26, 2017 9:47 AM

@ Thoth,

It would appear there are other reasons to disable Javascript, not just security wise but because of Google’s AMPantics.

https://www.alexkras.com/i-decided-to-disable-amp-on-my-site/

Already having Javascript off by default I did not realise just how bad Google AMP is, as I never see the links. However a little play around on another mobile device with javascript just now confirms it’s definitely bad news. At the very least it’s slow in comparison with going directly to the site you want to look at (BBC); worse, it’s part of Google’s Walled Garden Ethos and in the process enables further user activity tracking. But there are the security issues… Nuff said, Javascript stays off.

Thoth June 26, 2017 12:19 PM

@Clive Robinson

Re: Being one’s own boss

I guess in this age where the jobs available and the products are so boring, there is no choice except being ambitious and daring to break the norm of working for others and try to create something hoping it will be useful.

Thoth June 26, 2017 12:26 PM

@ab praeceptis

I am still very surprised at the open source and commercial world being very tolerant to Linux kernel’s “design to be insecure and unsafe” and Linus’s leadership.

There are attempts to break away from the usual Windows and Linux combo with Mac and BSD variants but in the end most people are still on Windows, Mac and Linux.

Understandably most people want the easy option of the 3 main flavours mentioned above for computing and are too lazy to break out of the usual stuff, and the price is quite obvious, which is an insecure and unsafe computing environment.

furloin June 26, 2017 5:18 PM

@all

Am I paranoid to block all images now? I worry someday alphabet will start auto editing images to exploit flaws in image processing libraries (if they do not already).

Also those media companies will hopefully realise that many people do not like being stolen from to read ((their)) news.

k15 June 26, 2017 6:01 PM

Once again: why is it that businesses you interact with online don’t grasp the security benefit of offering a communication channel for notifications only?

tyr June 26, 2017 10:09 PM

@Clive

The MSM reminds me of the Omar K poem about the moving finger moving on. Once a business has decided to move in a mistaken direction, turning the clock back to where you can make a good decision is almost impossible.

OT:
That DUP bunch is a marvel to see, I hope May gets her money’s worth for the Billion. I wouldn’t trust them to stand behind me in a crowd.

mostly harmful June 26, 2017 11:05 PM

@furloin

Am I paranoid to block all images now?

Consider it from a different angle: If all you seek is textual information, why download (distracting) images and embed them according to the whimsy of strangers (thereby arbitrarily displacing the text you sought in the first place)?

When you pick out some items for purchase at a store, have you “boycotted” everything else in the store?

You aren’t “blocking” anything. You are selecting what you want, and sensibly ignoring what you do not need.

Clive Robinson June 27, 2017 2:25 AM

@ tyr,

I wouldn’t trust them to stand behind me in a crowd.

Or anywhere in a crowd for that matter… Their leaders may not be “Disposable DNA” but in past times those with connections to their foot soldiers did behave that way.

Oh it’s a lot more than a billion by the way; have a look at the other stuff like the triple lock and winter fuel bill subsidy, that’s going to cause the chancellor to wince, and wince badly.

You possibly don’t know that ex PM David Cameron’s chancellor George “giddiot” Osborne has joined forces with a Russian known as “two beards” who owns the London Evening Standard newspaper. Giddiot has become “editor” of the newspaper and, to put it simply, has been quite overt in his criticism of Mrs May (and probably cost the Conservatives more than a few votes).

It will be interesting to see what he is going to let the journalists say today…

Oh Giddiot’s predecessor at the Standard was Sarah Sands, she had left to become editor at BBC Radio 4’s “Today Programme” and in the process took a significant pay cut.

Which begs the question of “Why?”… Well one immediate effect was an easily perceived change in “partiality” on what is –now was– BBC Radio 4’s premier news programme. It was clear even to die hard Conservatives that the impartiality rule had been broken not just a few times but almost entirely. To put it simply, Conservatives being interviewed were given an easy ride, allowed to put over their party piece and were not questioned on obvious incorrectness of their statements. Other parties were subjected to continual hectoring, being talked over and mindless repeated accusations, nit picking and worse. In fact way worse behaviour than caused the Conservatives to get “all up in arms about” a few years ago. So maybe “The lunatics have taken over the asylum” and “The rats have left the BBC” to quote two songs 😉

Thoth June 27, 2017 4:38 AM

@all

World warhawk govts got what they have wanted with the formation of some dubious Global Internet Forum to Counter Terrorism by the usual MNOs that are in bed with the warhawk govts.

Another win to censorship and world population control.

More thought has to be put into the field of distributed communication via some form of broadcast style to be able to gain more control over how we want to communicate and to significantly reduce the powers of the warhawk govts and MNOs.

Link: https://www.theregister.co.uk/2017/06/27/facebook_microsoft_twitter_and_youtube_assemble_global_internet_forum_to_counter_terrorism/

Thoth June 27, 2017 4:46 AM

@all

I have been advocating Box-in-a-Box style secure messaging where you use a hardware or software encryptor that is not natively integrated in a messaging app to secure your messages before transmitting over encrypted or plain chat messaging channels.

One example is an encrypted keyboard plugin to a chat app where the encrypted messages are separate from that of the chat app’s own security thus making the escrowing or meddling or coercing of the chat app developers not a feasible option.

https://www.theregister.co.uk/2017/06/27/telegram_warned_by_russian_regulator_roskomnadzor/

Clive Robinson June 27, 2017 6:18 AM

USCO indicates a rethink on DMCA is needed.

The US Copyright Office is raising a couple of flags about the abuse by commercial entities by the DMCA TPM clauses (1201).

That is they think the right to repair should not be made a way to get “lock-in” by companies.

However their thinking is about repair and orphaned / abandoned products NOT freedom to tinker / improve.

Thus the likes of Wireless Routers, mobile phones, IoT devices and possibly even OS’s will kind of be forced to “maintain and support or lose prevention rights” if such changes are made.

https://www.copyright.gov/policy/1201/section-1201-full-report.pdf

Clive Robinson June 27, 2017 6:38 AM

@ Thoth,

I have been advocating Box-in-a-Box style secure messaging

You and me both 😉

Though my preferred solution is an external system –device/method– to limit the potential for “end run” attacks against I/O drivers for keyboards and displays.

When I say device/method I’m not just talking about electrical or mechanical devices or “crypto-engines” but also those human driven devices that implement KeyGens for stream ciphers, like book ciphers, packs of cards, book and One Time Pad / Phrase systems.

The point being that our modern communications systems terminals are based almost exclusively on computers running overly complex and bloated OS’s, drivers, libraries and applications, none of which are bug free. Thus as the systems invariably lack true segregation and monitored/instrumented “choke points” between segregated components, the system can in no way be trusted.

It was amongst other things the lack of segregation and instrumentation that made me think up the Castle -v- Prison model.

Hopefully your implementation of such a system will prove popular, thus profitable, then you can buy Bruce or myself a drink 😉

I guess one of these days I should publish my test designs based around MicroChip devices, but as with all such things “I’m still tinkering”.

Thoth June 27, 2017 8:16 AM

@Clive Robinson

Yes indeed the both of us mentioned that technique of Box-in-a-Box. Sadly most people are stuck with the security the app gives them, and most apps don’t have fine grained interfaces for keyboard apps to intercept received ciphertext to decrypt, and plaintext to encrypt and be injected.

Regarding the Prison model, it has a theoretical overhead that might not be pleasant, although it is theory and untested. I will buy @Bruce Schneier a drink if he is present during the RSA Conference 2017 in Singapore, for which I have purchased an entry pass and will be going there.

Thoth June 27, 2017 8:38 AM

@Clive Robinson

Due to people’s laziness, it is best to start with a software encryptor keyboard although it is best to go for a hardware enabled variant with energy gapping whenever possible.

Most people are too lazy to copy some hex encoded or probably a base64 encoded ciphertext sent over to the receiver’s screen, walk to a standalone cipher module, and then encrypt the response and copy the ciphertext manually to the transmitting device for transmission.
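The Box-in-a-Box arrangement from Thoth’s two posts above (an encryptor outside the chat app, the chat channel relaying only base64 ciphertext), as an added example that is not Thoth’s, Clive’s or any product’s code. The shared key, the message text and the `demo` relay are constructed for the illustration. The cipher is a stand-in chosen so the block runs with the standard library alone: an HMAC-SHA256 keystream in counter mode with an HMAC-SHA256 tag (encrypt-then-MAC, tag checked before any decryption); a real encryptor should use a vetted AEAD such as ChaCha20-Poly1305 from a maintained library. The design point is unchanged either way: the messaging app, its transport security, any escrow of its keys and any coercion of its developers only ever touch an opaque token.

```python
"""Box-in-a-Box message encryptor (constructed illustration).

The encryptor sits outside the chat application.  It turns plaintext into
a base64 token and back; the chat app, keyboard plugin or human operator
only relays the token.  Cipher: HMAC-SHA256 CTR keystream + HMAC-SHA256 tag
(stdlib stand-in for a proper AEAD).
"""
import base64
import hashlib
import hmac
import os

NONCE_LEN = 16   # fresh random nonce per message
TAG_LEN = 32     # HMAC-SHA256 output


def _subkeys(master: bytes):
    """Derive independent encryption and MAC keys from the shared master key."""
    enc_key = hmac.new(master, b"box-in-a-box enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"box-in-a-box mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: str) -> str:
    """Plaintext -> base64(nonce || ciphertext || tag)."""
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(NONCE_LEN)   # never reuse a nonce under the same key
    pt = plaintext.encode("utf-8")
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # tag covers the nonce too
    return base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt(master: bytes, token: str) -> str:
    """base64 token -> plaintext; raises ValueError on any tampering or wrong key."""
    enc_key, mac_key = _subkeys(master)
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:   # binascii.Error is a ValueError subclass
        raise ValueError("malformed token")
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting
        raise ValueError("authentication failed: token altered or wrong key")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def flip_bit(token: str, byte_index: int) -> str:
    """Model a relay that alters one bit of the token (for the tamper check)."""
    blob = bytearray(base64.b64decode(token))
    blob[byte_index] ^= 0x01
    return base64.b64encode(bytes(blob)).decode("ascii")


def demo() -> str:
    """Alice's encryptor -> untrusted chat channel -> Bob's encryptor."""
    # Constructed demo key; a real key is agreed out of band, never via the app.
    shared = hashlib.sha256(b"constructed demo key").digest()
    token = encrypt(shared, "meet at 9")
    # The chat app can log, escrow or forward `token`; it sees no plaintext.
    relayed = token
    return decrypt(shared, relayed)


if __name__ == "__main__":
    print(demo())
```

Usage follows the manual workflow in the post: run `encrypt` on the standalone device, paste the token into whatever chat app is at hand, and run `decrypt` on the receiving side; an altered or wrong-key token is rejected before any plaintext is produced, so a tampering relay yields an error rather than garbage.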

JG4 June 27, 2017 9:25 AM

need some memory help – I seem to recall a long series of comments about Elsevier and other predatory publishing shops that have outsized profits. I couldn’t find it with a simple search. I would guess that it was last fall.

The premise was “charge ’em coming and going.” This is an attempt to protect the business model.

http://www.nature.com/news/us-court-grants-elsevier-millions-in-damages-from-sci-hub-1.22196

We might note that Aaron Swartz was a victim of the efforts to protect that same business model. I really like what the physicists have done with their on-line, open-source journals and real-time reviews.

I thought that I had in my notes, and may have posted, a stunning work by Aaron Swartz detailing how doctors could not accept the work on purpurea showing that they were killing their patients in droves, for lack of basic sanitation. Ironically, the social ostracism that resulted killed the doctor who saved thousands or millions of women from disease.

Rachel June 27, 2017 10:49 AM

Ab Praeceptis

“It is saddening to see (but explaining a lot) that even professionals(?) of the guild repeat that nonsense. Warriors of diverse sorts in diverse cultures, for instance, have thought for millennia about the very essence of their trade and the same can be said of other professions. To be a true master of one’s trade one must achieve that level of enlightenment.
It seems to me that (like in other fields, too) we have a lot of mechanics and technicians but very few masters …”

I like the reference and your finishing upon an ellipsis (if grammatically incorrect. Don’t worry – misusing the ellipsis is ubiquitous). The first thought I have however is the relative newness of, if not the overall field, then large and common areas of speciality within this field. Which, amongst other issues, creates all kinds of delusion and established cliques of mastery. Or worse – proclamations amongst ‘leaders’ of what is irrelevant. Linus comes to mind. Which cannot be said for professionals amongst blacksmithing of swords, boot making, therapeutic massage, or even locomotives.

“contrived example that, however is nice for the purpose) more us-americans end up in emergency rooms or even the morgue due to misusing a gun that was meant for self protection than actual attacks are successfully defended against.”

Not contrived at all. An excellent example which conveys the message in a helpful and relatable way. Physicians have real data on these incidents – wounded buttocks from poor carrying practices being extremely common.

“While I commend Nick P and others for providing reading lists I myself rarely and hesitatingly provide such hints” etc

Well said, and a response that could be said to relate to many disciplines. Some in which reaching for a book instead of a teacher will cause incalculable harm.
What comes with experience, is what not to read, and by a process of elimination, not a reading list but perhaps one single title wisdom has indicated to be reliable. Having said that, it was everything else other than books Nick and Clive said I found refreshing, their experience being directed to a newcomer focusing their perspective considerably.

The worst troll ever to haunt this arena actually commented in that thread, upon the need to read all available fiction on the subject of one’s pursuit as it opens avenues of enquiry not available in textbooks. That struck me as uncommonly insightful. Which just goes to show the need for an open mind.

Thoth also responded on that thread with a list of practical projects to tackle in order of difficulty, that was priceless.

we do not break the law June 27, 2017 1:07 PM

The Age of No Privacy: The Surveillance State Shifts Into High Gear
http://original.antiwar.com/jwhitehead/2017/06/26/age-no-privacy-surveillance-state-shifts-high-gear/

The government has become an expert in finding ways to sidestep what it considers “inconvenient laws” aimed at ensuring accountability and thereby bringing about government transparency and protecting citizen privacy.

Case in point: the National Security Agency (NSA) has been diverting “Internet traffic, normally safeguarded by constitutional protections, overseas in order to conduct unrestrained data collection on Americans.”
It’s extraordinary rendition all over again, only this time it’s surveillance instead of torture being outsourced.

By shifting its data storage, collection and surveillance activities outside of the country – a tactic referred to as “traffic shaping” – the government is able to bypass constitutional protections against unwarranted searches of Americans’ emails, documents, social networking data, and other cloud-stored data.
The government, however, doesn’t even need to move its programs overseas. It just has to push the data over the border in order to “[circumvent] constitutional and statutory safeguards seeking to protect the privacy of Americans.”

Credit for this particular brainchild goes to the Obama administration, which issued Executive Order 12333 authorizing the collection of Americans’ data from surveillance conducted on foreign soil.

Using this rationale, the government has justified hacking into and collecting an estimated 180 million user records from Google and Yahoo data centers every month because the data travels over international fiber-optic cables. The NSA program, dubbed MUSCULAR, is carried out in concert with British intelligence.
No wonder the NSA appeared so unfazed about the USA Freedom Act, which was supposed to put an end to the NSA’s controversial collection of metadata from Americans’ phone calls.

Clive Robinson June 27, 2017 4:22 PM

@ Thoth,

Due to people’s laziness,

It’s a perennial problem, that causes all sorts of tech to fail to be accepted by users. @Nick P and I had a longish conversation about it a number of years ago when looking at how to authenticate transactions not the comms channel[1] for banking apps. The simple fact is the length of hex or base64 chars a user would have to type in flawlessly was way, way too long. Nick also had a discussion with someone else –whose name escapes me– and they were talking about a USB based system (similar to one IBM talked about later).

My problem with that is it just extends the comms channel in a way an attacker could potentially attack it.

Around that time one of the bods at the Cambridge Labs put a post up on the lightbluetouchpaper.org blog about using a hand held device with a camera in it that would read a two dimensional –diamond shaped– array of coloured dots up on a screen so you could transfer a thousand bits or so. They also had a smart phone app. I kind of spoiled things by showing how easy it would be to put in a covert channel by varying the intensity of the dots slightly. Enough for the camera and app to pick up but not be visible to most humans.

Since then we now have easy QR codes etc. And it should be possible to do OCR on a smart phone equivalent.

The problem though is still putting the human between the comms end point and the security end point in the token. If you don’t then it will be open to a covert channel attack.

Ignoring that for a moment I’ve been playing around with an old smart phone and a WiFi connected tablet to an old server. If you arrange things right it can OCR what’s on the tablet screen sufficiently for the smartphone to recognise the letters and present the information up on its screen over the top of the camera image (think how the Nintendo trick with virtual Pokemon worked).

What I’ve tried doing is displaying a green on black image on the tablet and the smartphone overlay in transparent red. The idea being that any differences would show up easily to the human eye. The prob though is getting alignment…

It won’t solve the covert channel issue but it’s a start on getting things a bit more user friendly.

[1] For those reading along, banking apps just used to authenticate the user/comms channel, and then assume everything was OK. Obviously with Man In The Middle attacks this leaves the transactions open to any kind of abuse the attacker wants to perform.
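An added example, not from the comment above or from any banking product, of the point made in [1]: authenticate the transaction, not the channel. A hypothetical offline token and the bank server share a key; the code the user types is an HMAC over the destination account, the amount and a server challenge, truncated HOTP-style to eight digits so it stays short enough to key in. The key, account numbers and amounts are constructed for the demo. If a man in the middle rewrites the destination account on the wire, the server recomputes the code over what it actually received and the typed code no longer verifies.

```python
import hmac
import hashlib

DIGITS = 8  # eight decimal digits: 10^8 codes, adequate for an online check with a try limit


def transaction_code(key: bytes, account: str, amount_cents: int, challenge: str) -> str:
    """Code the offline token computes from what the user keys into it.

    The tag covers every field an attacker would want to change, plus the
    server's one-time challenge so a code cannot be replayed against a later
    transaction with the same details.
    """
    msg = f"{account}|{amount_cents}|{challenge}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    # HOTP-style truncation: 31 bits from the tag, reduced to DIGITS decimal digits.
    num = int.from_bytes(tag[:4], "big") & 0x7FFFFFFF
    return f"{num % 10**DIGITS:0{DIGITS}d}"


def server_verify(key: bytes, account: str, amount_cents: int, challenge: str, typed_code: str) -> bool:
    """Server recomputes the code over the transaction it actually received."""
    expected = transaction_code(key, account, amount_cents, challenge)
    return hmac.compare_digest(expected, typed_code)


def demo() -> dict:
    # Constructed shared secret and server challenge (not real values).
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
    challenge = "C7A3F2"
    account, amount = "GB00TEST12345678", 12_500  # what the user meant to send

    typed = transaction_code(key, account, amount, challenge)  # token side, keyed in by hand
    honest = server_verify(key, account, amount, challenge, typed)

    # A man in the middle rewrites the destination account on the wire. The
    # server hashes what it received, so the user's code no longer matches.
    tampered = server_verify(key, "GB00EVIL87654321", amount, challenge, typed)
    return {"code": typed, "honest": honest, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

This only fixes the binding problem (a channel-level login says nothing about the transaction that follows it). It does nothing about the covert-channel issue raised above, since it still relies on the human keying the details into the token by hand.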

tyr June 27, 2017 5:17 PM

@Rachel

The idea of reading all relevant fiction
might have worked in the Victorian era
but once you get 7 billion monkeys with
keyboards it isn’t even possible to do
so. Much better is to read the originators
works and pay attention to the network
effects. Then you will be a lot more
aware of relevant things. Mark Blyth said
Piketty wrote a good book but the Kindle
tracking said the purchasers only read
to page eight before gadflying off to
the next fad.

Proclamations are like experts. Experts
are people fifty miles from home. If you
find one considered an expert in his home
town he may be worth listening to. Doctors
aren’t the go to folk for gun safety all
they see are those who never learned any.
When I was a pup the big fad was quick
draw and there were many a dummy tale of
note about the results. That in turn made
them switch to wax loads with primer only
instead of full power. Then your mistakes
hurt without crippling you. There is no real
substitute for experience with tech of any
kind.

Thoth June 28, 2017 6:43 AM

@all

Another idea I envisioned that is realized by someone. An NFC ring equipped with fingerprint scanner. Fingerprint authentication can be used as a Who You Are while the signing key in the ring as a What You Have and a PIN code as a What You Know thus enabling three types of authentication methods.

Link: https://www.tokenize.com/#home-top

Clive Robinson June 28, 2017 6:55 AM

@ The Usual Suspects,

This may raise a wry smile.

It would appear that systemd has a remote code execution bug on Ubuntu

    An out-of-bounds write was discovered in systemd-resolved when handling specially crafted DNS responses. A remote attacker could potentially exploit this to cause a denial of service (daemon crash) or execute arbitrary code. (CVE-2017-9445)

https://www.ubuntu.com/usn/usn-3341-1/

I’m no fan of systemd and have a special place reserved for it in the netherhells.
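The advisory quoted above says only that the out-of-bounds write happens while handling “specially crafted DNS responses”; it gives no detail of the bug, and what follows does not reproduce it. It is an added example, not systemd code or anything from the comment, of the bounds checks a resolver’s name decoder has to make when walking a response: every length byte is checked against the end of the message, compression pointers may only point backwards (so a chain cannot loop), and the expanded name is capped at 255 octets. The sample message is constructed.

```python
from __future__ import annotations

MAX_NAME = 255  # RFC 1035 limit on the wire-format length of a name


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name that starts at `offset` in `msg`.

    Returns (name, end), where `end` is the offset just past the name as it
    appears in the message (a compression pointer occupies two bytes however
    long the name it points at is). Raises ValueError on anything that would
    read outside `msg` or never terminate.
    """
    labels: list[str] = []
    total = 0    # octets of the expanded name, for the 255 limit
    end = None   # where the caller should resume after this name
    while True:
        if offset >= len(msg):
            raise ValueError("length byte past end of message")
        length = msg[offset]
        if length == 0:                        # root label: done
            offset += 1
            break
        if length & 0xC0 == 0xC0:              # compression pointer (11xxxxxx)
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            if pointer >= offset:
                # A pointer must reference an earlier occurrence; a forward or
                # self pointer is malformed and is how a loop would be built.
                raise ValueError("compression pointer does not point backwards")
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length & 0xC0:                      # 01xxxxxx / 10xxxxxx are reserved
            raise ValueError("unsupported label type")
        if offset + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        total += length + 1
        if total > MAX_NAME:
            raise ValueError("name exceeds 255 octets")
        labels.append(msg[offset + 1: offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    if end is None:
        end = offset
    return ".".join(labels) + ".", end


# Constructed message: a 12-byte header, "www.example.com" at offset 12, then
# "ftp" followed by a pointer to "example.com" at offset 16.
SAMPLE = (
    b"\x00" * 12
    + b"\x03www\x07example\x03com\x00"
    + b"\x03ftp\xc0\x10"
)

if __name__ == "__main__":
    print(decode_name(SAMPLE, 12))   # ('www.example.com.', 29)
    print(decode_name(SAMPLE, 29))   # ('ftp.example.com.', 35)
```

Each of the four checks guards a different way a crafted response can push the decoder off the end of its buffer or into an endless loop; a decoder that trusts any one of the length bytes is the sort of thing such an advisory ends up describing.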

Thoth June 28, 2017 8:10 AM

@Clive Robinson

re: Remote Code Exec in systemd on Ubuntu

That will make @ab praeceptis extremely thrilled and overwhelmingly happy to see this news. It yet again proves that Linux is not built for security at all and that Linus, calling the GRSec guys out, doesn’t know what he is talking about.

Bob Paddock June 28, 2017 10:27 AM

@Clive Robinson to your drone link add:

I Could Kill You with a Consumer Drone

“As a former intelligence soldier who now sells drones for a living, I can tell you that this problem is bigger than almost anyone realizes.

Right now, I’m holding a drone that can fly thousands of feet in the air in less than 30 seconds, getting it to an altitude where no one could see it. My drone could be up in the air, ready to strike a target before you even had time to blink.

A range extender I’ve added to the antenna allows me to control it up to seven miles away. Or I can click a button to activate a tracking device, ordering my drone to follow a vehicle or person, filming every movement in 4K high-definition video. If it ever loses its radio link to the controller, it can automatically return to its launch location. Except — this drone is not meant to come back. It is not meant to take nice photos of my vacation. It is meant to strike. A small mechanism allows it to carry and drop a 2.5-pound payload … “

zulu begumokokoo June 28, 2017 11:05 AM

How To Track People By Their Cell Phones
https://www.youtube.com/watch?v=eZavx9oaKq4

With the aid of the internet and tracking sites (many of which even offer the service for free) it is actually possible to know how to track people by their cell phones even without the use of GPS or the global positioning system.

JG4 June 28, 2017 1:30 PM

@Bob Paddock

I’ve commented before on what I termed “projected intent.” The drones are scary enough, but that is the tip of the proverbial iceberg. Any machine with motors/actuators/mobility/ability to influence the environment can be repurposed for mayhem. The regulatory framework is light-years behind the criminal possibilities.

ab praeceptis June 28, 2017 2:31 PM

Clive Robinson, Thoth

I’m not even mildly surprised. I’m taking systemd to be a “build funny disasters!” toolkit and it matches linus’ makeshift OS quite well.

But it goes further than that. Example: devuan. At first glance a smart approach: “fork debian and create a debian without systemd”. The problem, though, is that there is a reason both for the systemd plague having been “designed” and for having been accepted into major linux distros.

That reason is a mix of “don’t waste time designing anything. Just hack away!”, plain stupidity, utterly mistaken democratic ideas, and large corps as well as intelligence agencies being deeply involved (plus, of course, the blown up ego and merciless cluelessness of a mediocre self-declared wunderkind).

Just another reason for me to amusedly giggle when reading smart advice like “Don’t use windows, use linux instead. linux is secure!”.
Not that I’m somehow a fan of windows – I’m most definitely not – but looking closer I see linux reliably get worse and more insecure while microsoft might actually one day come up with a relatively solid OS. They’ve spent truckloads of money on security research and they have solid experience in how not to do it.

Clive Robinson June 29, 2017 12:53 AM

@ Bruce, and the usual suspects,

This Guardian article on the scientific paper publishing business may be of interest,

https://www.theguardian.com/science/2017/jun/27/profitable-business-scientific-publishing-bad-for-science

What the article does not mention is another trick publishers are doing. They are finding bubbling up scientists and publishing their work in book form. The scientist is lucky to get even the basic payment per volume sold. The publishers however only print a few hundred at most, that are only ever sold to University libraries for eye watering prices. The last estimate I saw was that each of their sales and marketing droids was pulling in excess of 2 million USD each year.

To say “Scientific Publishing” is a racket is an understatement, and for all Elsevier’s complaints about Sci-Hub their profits keep rising faster than inflation year on year.

Thoth June 29, 2017 1:37 AM

@Clive Robinson

Now hackers can get really personal and physical if they gain access to IoT enabled sex toys. I really wonder when will there ever be a defined limit as to the circumstances they will stop integrating IoT. Toilet bowls, dish washers, fridge, rice cookers, light bulbs, doors are all IoT enabled and now even sex toys.

Wael June 29, 2017 3:19 AM

@Clive Robinson,

This begs all sorts of questions about the security of the interface to these toys…

Which is worse from a security/safety perspective: a digital virus or a biological one? Were these toys available in 2009 (not that you would intimately know)? Poor David Carradine didn’t know what hit him! And they called it auto-erotic asphyxiation. Somehow I’m questioning the meaning of the “auto” part. Seems it refers to auto firmware update 🙂

PS: would a USB condom help to practice safe hex? Ooooh… uuuuh… zzzzzzap.

Dirk Praet June 29, 2017 3:43 AM

@ ab praeceptis, @ Clive Robinson, @ Thoth, @ Wael

I’m not even mildly surprised. I’m taking systemd to be a “build funny disasters!” toolkit and it matches linus’ makeshift OS quite well.

Systemd started out as a good idea, but somehow along the way turned into a bit of an abomination. Any informed opinions about OpenRC, as found in TrueOS and a number of Linux distributions like Gentoo ?

Now hackers can get really personal and physical if they gain access to IoT enabled sex toys.

I just for the life of me can’t imagine why anyone with even half a brain would purchase IoT-enabled sex toys, unless for framing someone else.

Wael June 29, 2017 4:12 AM

@Dirk Praet,

I just for the life of me can’t imagine why anyone with even half a brain…

Their marketing people are worth their weight in gold.

Clive Robinson June 29, 2017 7:15 AM

@ r,

With regards the FBI, Kaspersky Labs and Democrat Senator Jeanne Shaheen’s anti-Kaspersky amendment to the Spending Bill, it’s really a load more of the same old same old on the face of it.

However if you think back in December last year, according to the Russian newspaper Kommersant, Ruslan Stoyanov, the head of Kaspersky Lab’s Computer Incidents Investigations Unit, was arrested on Treason charges, along with Sergei Mikhailov, a division head of the Russian intelligence service FSB.

And this year there has been a management shuffle, with FSB operatives allegedly moved in.

This has kind of set the stage for a 1950’s style “OMG there’s Reds under the lab” type moment. Thus now we get the “anti-American” response.

The fact is that I suspect that the real reason is a little closer to home. Kaspersky are not just independent business wise from the Russian Government, they are also independent of US Government IC entities as well, and appear to have shown no fear or favour when it comes to finding and neutralizing malware, much of it cyber-crime related, but IC entity related stuff as well.

Thus Kaspersky Labs are not liked by the US or Russia for their activities.

What does not help is the partisan behaviour of the FBI over the “Russia Inside” political mantra. The Russians are doing far less spying and political manipulation on the US than the US has done and is doing on Russia. It’s probably a point Putin will bring up with Trump if and when they next formally meet.

The thing is the US political establishment are following the Orwell playbook, and thus have decided the US needs an enemy to scare the US citizens with. The enemy needs to be such that there can be witch hunts to get rid of home political opponents and the like.

Let me put it another way, I would far sooner trust Kaspersky Labs AV etc than I would Microsoft’s… Not that I’m going to start using either of them for technical reasons.

Oh, I would also expect similar amendments in the future with European and Far Eastern products. This is basically economic warfare: US corps have lost and expect to lose further business to non-US competitors thanks to Ed Snowden and Wikileaks. US products are looked on by many outside the US as having been produced by wet lepers and thus shunned, with other countries’ products given more favour. One way to fight back is the old FUD game where things are not stated but implied, and politicos acting on it on cue.

It will be interesting to see what the rest of the world does. After all it was not long ago that the US blocked the use of two Chinese Telco companies’ products. Other Five-Eye nations carried on using the two companies’ products and one company set up a special facility in the UK to work with the UK Gov on issues and concerns they might have. I can see Kaspersky setting up similar arrangements in the near future.

JG4 June 29, 2017 7:35 AM

http://www.nakedcapitalism.com/2017/06/links-6292017.html

Big Brother IS Watching You Watch

Facebook’s Secret Censorship Rules Protect White Men from Hate Speech But Not Black Children ProPublica (Chuck L)

Berkeley Capitulates to Police Militarization and Spying Counterpunch. ChiGal: “And so it goes…”

NSA Appears To Be Seducing Sen. John Cornyn With Personal Tours And One-On-One Meetings Techdirt (Chuck L)

The Age of No Privacy: the Surveillance State Shifts into High Gear Counterpunch. ChiGal: “Maybe mostly known to NC readers but a good catalogue of all the ways we are tracked and makes the point that the surveillance state is a springboard for the police state – and law-abiding or not, everyone in a police state is a target by definition.”

Rachel June 29, 2017 8:07 AM

@ Clive

Let me put it another way, I would far sooner trust Kaspersky Labs AV etc than I would Microsofts

thanks Clive, as usual, for your outstanding contributions.
I get your point on the impartiality of Kaspersky – also considered by many to be technically superior in its category of software – but wasn’t there something in the Snowden files about Kaspersky being compromised by NSA? I vaguely recall their code was backdoored to not detect IC-bred malware. My memory also seems to indicate it was covertly backdoored, not with the will or knowledge of Kaspersky. I could be wrong on the latter.

On a related note, hinted at in the above post, I appreciate your comments about your choice in avoiding AV altogether, described previously.

Clive Robinson June 29, 2017 10:53 AM

@ Tommy,

speeding cameras in Australia switched off, fines cancelled, after Wannacry

In every storm cloud, there is a silver lining B-)

Who? June 29, 2017 11:11 AM

@ Clive Robinson

I forgot to mention that O’Reilly appear to be heading down a similar route to journal publishers,

That is sad. Last week I bought eight O’Reilly books at a local bookstore. I had these books on my list for years. I hope Safari will not replace printed books, ever.

ab praeceptis June 29, 2017 12:47 PM

Dirk Praet

I dislike all widely used init systems but systemd is clearly the worst of all. The reason I dislike them is that they are a hodgepodge and utterly misunderstood.

What are init systems (the name alone is misleading)? They are de facto the control layer of a system – which makes them highly desirable attack targets. Of course, that didn’t seem to be a significant concern in the ’70s and ’80s. Today, however, init systems are open bleeding wounds.

Unfortunately the safety aspects have been rarely considered and instead the old mechanisms have been extended in irresponsible and rather massive ways, usually driven by featuritis. Today we have even insane aberrations from the freedesktop people (like dbus) in it or tightly linked.
(Sidenote: an old and very well confirmed rule of mine is “Even an obscenely drunk and half unconscious system developer with seriously evil intentions will not be able to produce code of such abominable bad design and quality as that of gui developers’ everyday work. If he could, the gui people would print that code and hand it around as an example of unnecessary excellence”). In other words “Don’t listen to gui people and keep a solid distance from their “code”. As for “ux” people, shoot them on sight”.

You might have noted it already; I’d better refrain from answering your question and keep a modicum of politeness. Let it suffice when I state that you won’t find anything like unixish init systems in any reasonably safe OS.

Silent Bob June 29, 2017 2:31 PM

@ Clipper

Promiscuous use of USB in air-gapped settings can be defeated by use of non-writable DVD. Go low tech.

pots or not June 29, 2017 2:43 PM

@r
@Clive Robinson

A few years ago, or so, Java based malware on osX (around the time of Snow Leopard or Mountain Lion) was spreading rapidly in Silicon valley and elsewhere, iirc. Iirc, Apple let a contract to Kaspersky regarding this Java malware. I thought it was interesting, at the time and currently, that Apple went with a foreign firm. Perhaps Apple wanted a less biased or constrained analysis than domestic firms could give.

perhaps this is a relevant link
https://threatpost.com/apple-fixes-flaws-updates-java-6-os-x-090612/76978/

Dirk Praet June 29, 2017 5:30 PM

@ ab praeceptis

Sidenote: an old and very well confirmed rule of mine is “Even an obscenely drunk and half unconscious system developer with seriously evil intentions will not be able to produce code of such abominable bad design and quality as that of gui developers’ everyday work.

So when is this very secure Microsoft text-only, init-free operating system of yours going to materialize ? Perhaps we should also send a note to the Redox crew to dump Orbital 😎

gordo June 29, 2017 6:00 PM

Cyberwarfare and the shape of things to come?

Why NotPetya Kept Me Awake (& You Should Worry Too)
Posted on June 28, 2017 by hacks4pancakes

This is obviously not a new thought pattern – attackers have leveraged popular, commonly deployed software for exploitation for decades. Adobe Flash and Java were two of the more abused programs in recent history because they had extremely wide installation bases. However, that was within the context of commodity malware and crimeware which typically infect victims fairly indiscriminately. NotPetya delivery combined elements of a targeted watering hole attack we’ve traditionally seen used by nation states with traditional software exploitation to devastate a specific user base. Obviously, the potential of this avenue of attack can be explored further in the context of nearly any country or demographic.

https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/

ab praeceptis June 29, 2017 6:08 PM

Dirk Praet

I assume that was meant to be a joke.

I do not think that any microsoft OS is more secure than any unix (in fact, I avoid windows like the plague). What I do occasionally mention is the fact that Microsoft pumps a whole lot of money into security research and that they have shown quite some tangible efforts towards safety/security.

OutlawCountry: project of the CIA targets computers running the Linux operating system June 29, 2017 11:51 PM

OutlawCountry: project of the CIA targets computers running the Linux operating system

“Today, June 29th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even system administrator.

The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.”

https://www.wikileaks.org/vault7/#OutlawCountry

— Leaked Documents :

= OutlawCountry v1.0 User Manual
https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_User_Manual/
(PDF) https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_User_Manual/OutlawCountry_v1_0_User_Manual.pdf

= OutlawCountry v1.0 Test Plan
https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_Test_Plan/
(PDF) https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_Test_Plan/OutlawCountry_v1_0_Test_Plan.pdf
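An added example, not from WikiLeaks, the leaked manual or the post above, of a baseline check a sysadmin could run against what the excerpt describes. It rests on an assumption the excerpt does not state: that a table registered through the kernel’s normal xt table path is listed in /proc/net/ip_tables_names even when the userland tools have no rules to show for it. On that basis it diffs the registered tables against the stock set, and flags DNAT rules in the PREROUTING chain of any table whose dump you feed it. The table name, addresses and rule below are constructed placeholders.

```python
from __future__ import annotations
import os

# Stock IPv4 tables on a CentOS/RHEL 6.x kernel; anything else is worth a look.
BASELINE_TABLES = frozenset({"filter", "nat", "mangle", "raw", "security"})


def unexpected_tables(ip_tables_names: str, baseline=BASELINE_TABLES) -> list[str]:
    """Return registered table names that are not in the stock set.

    `ip_tables_names` is the text of /proc/net/ip_tables_names, one name per line.
    """
    names = {line.strip() for line in ip_tables_names.splitlines() if line.strip()}
    return sorted(names - set(baseline))


def dnat_prerouting_rules(iptables_save: str) -> list[tuple[str, str]]:
    """Return (table, rule) for every DNAT rule in a PREROUTING chain.

    `iptables_save` is the output of `iptables-save -t <table>`: a table starts
    with a '*name' line and each rule with '-A <chain>'.
    """
    table = None
    hits: list[tuple[str, str]] = []
    for raw in iptables_save.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A PREROUTING ") and " -j DNAT" in line:
            hits.append((table or "?", line))
    return hits


def registered_tables_on_this_host() -> str | None:
    """Read the live list when running on Linux; None elsewhere or if unreadable."""
    path = "/proc/net/ip_tables_names"
    if not os.path.exists(path):
        return None
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample input: four stock tables plus one placeholder name.
SAMPLE_NAMES = "nat\nmangle\nfilter\nraw\nx9covert\n"

# Constructed `iptables-save -t x9covert` dump with one covert DNAT rule
# (documentation address ranges, not real hosts).
SAMPLE_DUMP = """\
*x9covert
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 198.51.100.7:443
COMMIT
"""

if __name__ == "__main__":
    print("unexpected (sample):", unexpected_tables(SAMPLE_NAMES))
    live = registered_tables_on_this_host()
    if live is not None:
        print("unexpected (this host):", unexpected_tables(live))
    for table, rule in dnat_prerouting_rules(SAMPLE_DUMP):
        print(f"[{table}] {rule}")
```

If the first check turns up a name, `iptables-save -t <name>` gives the input for the second. The check is only as good as the registration assumption above, so pair it with an `lsmod` comparison against a known-good baseline rather than relying on it alone.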

Dirk Praet June 30, 2017 3:56 AM

@ ab praeceptis

I assume that was meant to be a joke.

Indeed, but you could add some mild sarcasm to the equation. You know by now that I’m less into ultimate security to fend off state actors, but rather into security risk mitigation against nosy family members, employers, script kiddies, cyber criminals and corporate spying for those who for whatever reason are stuck on COTS operating systems and cannot/will not take their defenses to the next level.

Thoth June 30, 2017 4:48 AM

@Dirk Praet

Just use a ChromeBook if you want to counter Low Strength Attackers (LSA) type adversaries. It has the dedicated support of Google, it is a hardened Linux with a pretty good GUI and most importantly it has a built-in TPM for Verified Boot and also access to Full Disk Encryption by default. Data encryption on ChromeBooks is bound to a TPM-generated RSA key for key wrapping of the FDE’s AES 128 bit key, for hardware based security.

Now you are much more secure via ChromeBook.

Links:
https://support.google.com/chromebook/answer/3438631?hl=en
https://www.chromium.org/developers/design-documents/tpm-usage

JG4 June 30, 2017 6:23 AM

I enjoyed the irony that the traffic cameras were offline from a virus attack.

http://www.nakedcapitalism.com/2017/06/links-63017.html

Syraqistan

How America armed terrorists in Syria American Conservative

Qatar Looks to Iran and Iraq LobeLog (resilc)

Why Is Afghanistan the ‘Graveyard of Empires’? Diplomat. Resilc: “Nor is Yemen kind, ask the Egyptians.”

Ex-Weapons Inspector: Trump’s Sarin Claims Built on ‘Lie’ American Conservative (Kevin M)

Imperial Collapse Watch

Sinkhole swallows car in St Louis BBC

Big Brother is Watching You Watch

AT&T GigaPower plans to charge extra per month again if you want privacy, no ads Privacy Online News (Chuck L)

Andrew Cuomo calls a state of emergency for the MTA, which is in a state of emergency because of Andrew Cuomo. New Republic. Featuring since Cuomo no doubt fantasizes that he is a Prez contender for 2020.

Clive Robinson June 30, 2017 7:02 AM

@ Gordo,

    NotPetya delivery combined elements of a targeted watering hole attack we’ve traditionally seen used by nation states with traditional software exploitation to devastate a specific user base.

There is a story doing the rounds that both WannaCry and NotPetya are from a US entity. Depending on which version you hear it’s either an IC or a Corp entity.

Part of the argument is the US has more or less been untouched by either, whilst Europe and eastwards have been hit quite hard. But in both cases the US has benefited, be it “political” or “corporate” mileage gained.

Which only goes to show how difficult attribution can get…

Dirk Praet June 30, 2017 9:54 AM

@ Thoth

Just use a ChromeBook if you want to counter Low Strength Attackers (LSA) type adversaries.

Yes and no. ChromeOS is a cloud-centric OS and as such primarily suitable for low-end users and organisations that have gone Google all the way, and which represents a class of risks of its own. As a general purpose OS for power and gizmo users, I wouldn’t recommend it.

Clive Robinson June 30, 2017 12:19 PM

@ The usual suspects,

The founder of Chinese trading site Alibaba has this to say about people’s futures,

http://www.cnbc.com/2017/06/21/jack-ma-this-is-what-to-study-if-you-want-a-good-job-in-the-future.html

However he’s missed the mark a bit.

Whilst the future will be about “information” data will only be a part of it.

There are three basic things you can do with data / information,

1, Communicate it.
2, Store it.
3, Process it.

He is only talking about the third function and ignoring the other two which is silly because the third is critically dependent on the other two.

I’ve been known to give a basic piece of career advice for over thirty years now,

    People will always want to talk, it’s inbuilt in our genetics, thus communications in all its forms will be with us as long as we exist.

That has not changed if anything it gets more relevant daily.

However something else is also of relevance since the mid 1990’s. I posed a question which was,

    What is the value of data in transit, how do you calculate it and how do you stop others gaining advantage by it.

Back then High Frequency Trading and Privacy were barely thought about, but both are very relevant today and likewise getting more so daily.

Thus three words arise Secure, Optimal and Fast, they apply to all three functions of data/information and easily have the ability to be worth rather more than Big Data Processing.

Rachel June 30, 2017 2:53 PM

I’d like to acknowledge Bruce for being somewhat unusually prolific with posts recently. Thanks for the quality content, Captain.

@ JG4

thanks for the entertaining and accurate
’17 cultural clashes this european had in America article’
there could have been more added to the list! The author is a somewhat well known multilinguist

Anonymoose June 30, 2017 9:45 PM

@ab
Not that I’m somehow a fan of windows – I’m most definitely not – but looking closer I see linux to reliable get worse and more insecure while microsoft might actually one day come up with a relatively solid OS.
Windows getting better and better? You mean like the new mandatory key escrow in Bitlocker, and key escrow of WiFi passwords? Linus is a POS but if he pulled something like making LUKS have a key escrow anyone could revert the offending change. It’s not that it’s harder for bad guys to do bad things to FOSS, it’s just that it’s legal to undo those bad things. Legal and easy.

They’ve spent truckloads of money for security research and they have solid experience in how to not to it.
Are you saying that COTS will always beat FOSS because money is the only way to motivate people to write good code? If that is your argument, then what do you say about FOSS projects that pay their developers? You know, bug bounties, donations, crowdfunding, paid support, and so on?

ab praeceptis June 30, 2017 10:56 PM

@An

Windows getting better and better?

You are obviously not discussing with me but with yourself and some frozen hard belief system.

Are you saying that COTS will always beat FOSS because…

Stop already putting things into my mouth that you actually picked from your own head!

I was saying – and quite clearly I’d think – that there are tangible, appropriate, and workable efforts visible from microsoft while I do not see anything significant on the linux side that could lead to a reasonably safe and secure OS. In fact, quite the contrary is the case re. linux which again and again has been seen utterly unwilling to even care about the safety and security.

It just so happens that microsoft is commercial while linux is (officially) not; that does not mean that I think that only companies can produce good software. To name just one example, OpenBSD, a believably open source endeavour does care about safety and does succeed to do remarkably good work.

Unlike many (f)oss fanatics I personally do not think that commercial vs open source is a major factor. I’m interested in good results and constructive steps in the right direction, no matter whether commercial or oss. Hence I look in both directions – and I see microsoft, no matter how I despise them, engage in a strong and credible manner and produce useful results. z3 is but one example.

Being at that, the (f)oss fanatics might want to think about why it is that much (if not most) (f)oss work at academic institutions in our field tends to end up either neglected and belly up or commercialised through spin-offs.

In other words: How come that a significant segment of (f)oss players choose to turn commercial as soon as they have something actually useable and useful? Maybe you should preach to them rather than to me.

Thoth July 1, 2017 1:18 AM

I see no value in technical debates for a long while.

It has already long devolved to some sort of emotional and not mental processing.

That is exactly why many FOSS projects turn into COTS: because they feel their efforts are better off allocated elsewhere, I guess.

Dirk Praet July 1, 2017 7:41 AM

@ Thoth

That is exactly why many FOSS projects turn into COTS: because they feel their efforts are better off allocated elsewhere, I guess.

Unless you somehow manage to get an active community buy-in, maintaining a somewhat decent FOSS project is almost never worth your while, especially from a financial vantage. We all have bills to pay. I’ve seen plenty of cool FOSS projects that eventually stalled or took the commercial road because their developers got fed up spending time and money without ever getting anything in return but disrespect and criticism by whining freeloaders engulfing their lives with never-ending support and feature requests.

ab praeceptis July 1, 2017 1:36 PM

Thoth, Dirk Praet

Another major problem is lies (and lots of them), ideology, and social ignorance.

Lies like “linux is a foss project”. Well, that very much depends on how you look at it. Many if not most of the more active developers are paid for doing linux. Plus there is lots and lots of large corp. involvement (which usually brings some quick and nice looking results but also loads of very ugly problems in the bowels).

Or look at all the ideological movements such as “more women!”, “diversity!”, etc (often with money in their back).

Another grave problem is that (f)oss is widely not understood or misunderstood. What is (f)oss? Is it stuff that corporations give away for whatever reasons? Is it Jake’s small stuff that he wrote to scratch his own itch? Is it what those 5 people do who have decided that it’s about time to do XYZ properly and well? Etc, etc.

Funny btw. that we have proof (example kickstarter) that gazillions of people are willing to pay for the development of stuff (incl. software) they find desirable. A quite considerable part of them btw. not caring at all about source being open.

So oss projects could have some financial support – that is, IF they care about marketing themselves and their project. Unfortunately, it seems that being a good developer and being interested in marketing are traits mother nature usually doesn’t hand out together; typically it’s one or the other (kindly note my attempt to put that excessively politely).

And then there is, of course, the 30 ton mega-gorilla in the room, namely a society immensely and utterly infested with ultra-capitalism and its pal, brainless consumerism.
That i.a. leads to people expecting (read: demanding) good manuals, good support, warranties, etc. No problem for large corps; in fact, they spend billions every year to keep that mega-gorilla alive and strong. For single developers or small groups, though, that gorilla is a major demotivator or even a killer.

The result? Among others, capable, knowledgeable, and experienced developers who could create safe and secure software, who do not, however, feel like dancing with that gorilla. And, of course, billion $ snake-oil vendors who keep the gorilla well fed.

Clive Robinson July 7, 2017 5:31 AM

@ ts,

Firstly why this –not current– squid page?

Secondly,

… stuff like wannacry has shown us that many systems are still connected internally. [thus visible from the Internet]

There are a number of sides to the argument. The first is management’s mindless drive for short term increases in productivity (arguably due to company law giving a duty to shareholders, not the actual corporate entity).

Productivity increases mostly translate in their minds to an idiotic chase for making “efficiency savings” that logic dictates are self limiting[1]. Not the more sensible and long term cost saving, but short term costly “innovation”. Because shareholders are fickle and want jam today not cake tomorrow, and to them business success is measured by the very short-sighted measure of quarterly returns…

But as I’ve pointed out on more than one occasion in the past, the general case is the more efficient a system is the less secure it is, or more simply “Security -v- Efficiency”.

The simplest way to view this is the higher the efficiency the greater the effective processing bandwidth, thus the side channel leakage bandwidth likewise goes up. It’s actually more complicated than that, but another way to look at it is if you take out security processes the system gets an increased processing bandwidth, thus appears more efficient but is consequently less secure. However whichever way you look at it, it is difficult to get more security without reducing efficiency in some way.

So the chase for “Higher Productivity” ends up being a race to the bottom on security more often than not.

So if a manager sees a production system isolated from management systems by a traditional air gap, and employees using paid time to act as a bridge to transfer data from one system to the other, in their eyes an obvious cost saving is to remove the human bridge and replace it with an electronic bridge. But more importantly, to put the control of this bridge on the management side, or a similar security faux pas. In most cases they will not brook argument: their way or the highway, lest their star gets tarnished in shareholder eyes.

Thus we have regulation, but as the likes of Enron showed, regulation is ineffective when those who regulate can be kept at a long arm’s length by paid for consultants who are also from the accountants…

Thus if Trump wants security in infrastructure he is going to have to “stump up” for better than effective oversight.

[1] It is well known that nothing can be 100% efficient, otherwise working perpetual motion machines would be common everywhere, instead of conspicuous by their absence. What is less well known but equally true is that every increase in efficiency comes at an increasing cost which follows a power law. As an example, taking a system from 50% to 75% would cost say X, from 75 to 87% would be 2X, and 87 to 93% 4X, and so on, whilst cost savings from the increase in efficiency would in effect be near linear at best. Thus at some point the two cross, and that is the point when costs will increase not decrease, so it would be pointless to continue, if cost saving is your objective.
