Friday Squid Blogging: Using Squid Ink to Detect Gum Disease

A new dental imagery method, using squid ink, light, and ultrasound.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on September 22, 2017 at 4:07 PM • 104 Comments

Comments

JF • September 15, 2017 6:20 PM

"The method begins by rinsing the mouth with a paste made of commercially available food-grade squid ink..."

I did not know there was such a thing. Maybe I need to get out more.

Spooky • September 23, 2017 12:18 AM

Another exploitable breach reported for Intel ME (RCE by Mark Ermolov and others):

Intel ME 11.x (Skylake) Arbitrary Code Execution

As more time passes, it is not hard to see why ME was universally panned here for years; if this exploit turns out to be easily repackaged for malware, millions of others are going to reach the same understanding, albeit through a far more traumatic and costly process. The price of ignorance these days is often paid in Bitcoins, lol. On the other hand, enduring yet another global ransomware event (and massive purge or patch of vulnerable systems) might be the best possible advertisement for a fundamental need to improve our entire approach to security, starting with the damn hardware. Here's mud in your eye, Intel...


Cheers,
Spooky

Ergo Sum • September 23, 2017 7:35 AM

@Anders..

Latest Finfisher

Quote from the referenced link:

We discovered these latest FinFisher variants in seven countries; unfortunately, we cannot name them so as not to put anyone in danger.

So, how do we know if one of the countries is not the US? For that matter, how do we know that FinFisher just has not been "discovered" in the US? And if the ISPs in the US already support FinFisher for LEOs, how do we know that a foreign state actor does not use this "feature" for their surveillance needs?

Maybe the CCleaner is innocent after all:

https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/

The FinFisher HTTP 307 redirect could easily be responsible for the malware-laced CCleaner update.

While this is bad, Spooky's posting about exploitable Intel ME 11.x is a lot worse.

None of the free/commercial security software can protect against this kind of exploit. So, what is the average Jane Doe supposed to do? For that matter, most "security experts" wouldn't know how to address these, it seems...

While the link below has nothing to do with the subject above, it seems appropriate:

https://www.youtube.com/watch?v=Z0GFRcFm-aY

It's The End Of The World as we know it...

GregW • September 23, 2017 7:57 AM

Re: Cuba sonic(?) phenomena

Random thought...

If the physically felt behavior was for some so spatially defined that the phenomena stopped when they got off their bed, couldn't the person move their head around the room(+nearby areas?) to map out the boundaries of the signal in such a way that the origin of the emitter was revealed?

Clive Robinson • September 23, 2017 9:01 AM

@ GregW,

... couldn't the person move their head around the room(+nearby areas?) to map out the boundaries of the signal...

Yes and no.

If the signal persists after they move then yes. But... if the signal is under the control of an observer --as would be the case with a covert weapon-- then no, because the observer would either redirect it or turn it off.

JG4 • September 23, 2017 10:49 AM

further facets of the understanding that surpasses all peace. a half bottle of Chateau St. Michelle 2014 Merlot will bring some temporary peace of mind, but the sun isn't past the yardarm. I'm going to stop writing "this makes the hair on the back of my neck stand up." please assume that most of the news does

empire is a machine with gears made of guns and words. guns really is too narrow, because some of the gears are jet fuel, cobalt-nickel superalloys, vanadium-aluminum-titanium, lithium-aluminum, napalm, dark matter from the hearts of dying stars, and carpet bombs. and now spinning rust, silicon, aluminum and silicon dioxide, with the attendant malware, spookware, freeware and openware. I try to avoid getting bogged down in semantics. guns reads very cleanly and dovetails to the real Chairman Mao's quote, "All political power comes out of the barrel of a gun," which is only half right. without the bioenergetics of carrots, there would be no one to point the guns and threaten to pull the triggers, at least until solar PV runs the servo-pointing mechanisms and the slappers. the advent of cooking was a critical step in human evolution, because it unlocked the calories from plants that are required to grow and operate the large tribal brain. not that animal calories won't give you some good mileage, as a TED talk showed. the advent of servomechanisms is one of the roots of machine intelligence.

cooking may be the pivotal moment in deep time that brain growth came into conflict with bipedalism, and murder as an evolutionary strategy became a business model. the reason that they pooped blood on the Long March is that they were chewing and swallowing raw brown rice, operating as they were under heavy schedule pressure from Chiang Kai-shek. that rivals the hard living by Jerry Garcia, Keith Richards and others in their time. I saw the claim recently that Chiang Kai-shek breached a dam in an attempt to defeat Mao. if the claim that 800,000 civilians died in the ensuing flood is correct, the US didn't even come close to the costliest day in human conflict. many of the top ten or twenty world war two battles ranked by casualties were between the USSR and Germany, well into the hundreds of thousands. the claim has been made that the overarching US geopolitical goal of the last century was to drive a wedge between German technology and Russian resources. you can bet your last piece of fiat paper and any that you can borrow on credit cards that they are trying to drive some wedges now.

one man's full spectrum dominance is another man's Orwellian nightmare. they'll do whatever it takes to hang onto it.

a peek behind the curtain reveals that stealing your data and identity is the surest path to perpetual profits. using the power of the state to create perpetual profits should at least be put out for bid, but without a Q clearance, you won't be reading the rfp. a good investment if you can buy some power.

https://www.nakedcapitalism.com/2014/06/maine-crosshairs-penobscot-east-west-corridor-globalization.html

the only hope of understanding the thousand pages per day of new regulations is machine intelligence. you'll be depressed once the full implications of the words are revealed. if you aren't depressed, they will change the words until you are. btw, the Shannon book is excellent. he cut his teeth on analog computing engines for solving differential equations with elaborate continuously variable metal transmissions, substantially the same technology as the Norden bombsight. world war ii is not discussed in the beginning of the book, but the use of analog computers for naval battles was a critical application of mechanical/analog computers. the battle of Jutland was fought with entirely manual aiming. Shannon's first major abstraction was recognition of the power of switches as digital logic at age 21. by 32, he had made the abstraction that founded the information age. a favorable combination of genetics, epigenetics, diet, exercise and culture leading to the rise of empires within empire. he was highly introspective, which is a trait found in some very good writers.

gears made of heavy nucleons forged in the hearts of dying stars, then reforged in a neutron furnace and run through a chemical gear system called purex, for plutonium-uranium-extraction. that's enough plutonium to kill everyone on the planet ten to a hundred times over and it is only the tip of the nuclear iceberg in a country with a long and storied history of magnitude 9 earthquakes. the spent nitrate liquor in the tanks leftover from a deal with the devil are so hot that radiolytic decomposition of the water makes them burp hydrogen. they don't mention it, but the burping may include oxygen in stoichiometric proportion, making it far more dangerous. the contents are leaking into the Columbia River. my cousin studied Russian literature and tells me that Chernobyl translates as wormwood. did I mention that my friend in the imperial forces was waiting for the school bus in Anchorage in 1964? the road looked like a blanket being shaken and he was knocked to the ground. Seattle has a long and unstoried history of magnitude 9 earthquakes. unfortunately, much of Seattle was built before anyone realized the implications of the orphan tsunami. just another day of plate tectonics on the old blue marble of molten rock and iron. the Native American folklore in the Northwest did capture the earthquake and tsunami history, but not many of them survived the genocide.

the only problem with Switzerland, other than the insular culture, is that it is on the same planet as this clusterf^@k. cue Planet B. the next best thing is the southern hemisphere, which takes us to Australia and New Zealand.

http://www.atimes.com/article/japans-plutonium-proliferation-energy/
...
On Thursday, a shipment of 700 kilograms of plutonium arrived in Japan after a journey by sea from the French port of Cherbourg.
...
It restarted in May 2010, but weeks later a 3.3 metric-ton fuel exchange device fell into the reactor, which shut it down again for good, though to add to the fiasco its computers were later hacked and data stolen.

this runs a bit cleaner than the other link. Thanks to whoever mentioned "End of the world as we know it." REM have done a lot of other good work

R.E.M. - It's The End Of The World
https://www.youtube.com/watch?v=Z0GFRcFm-aY

some profound words by Madison, "If men were angels..." can be read as a computer security primer. the operating system of a computing engine is a dynamic resource allocator. government also is a dynamic resource allocator, with gears made of wetware. war is the health of the state. the Constitution was meant to be a sort of BIOS that would frame the booting of a new government, with appropriate safeguards against going to war. it did an admirable job of managing conflicts of interest for a long time. if the powers of the hardware, firmware and software are correctly divided, no one piece can achieve full spectrum dominance, and the other branches can shut down and correct errant processes. the result is a robust and resilient system. of course, if all of the key government processes are conducted in the dark, it will be quite difficult to detect errant processes. Madison was shrewd enough to understand why division of power was a requirement in a system of wetware. luckily, they spent a lot of money brainwashing us in the cold war as to why the US system of democracy was so much better than the Soviet system. that makes it easier to tell when they are lying, but the boomers don't have a lot of time left to convey the message.

Microsoft's security error in the 1980's into the 1990's was assuming that Windows existed in a world with no threats, inside or outside.

governments use propaganda to brainwash the public into believing that justice is served, but the reality is a weak approximation, corrupted as it is by a quagmire of conflicts of interest. unfortunately, government and community are all that we have as political tools for navigating Grinspoon's gauntlet. government is going to need some improved feedback paths to get through the shitstorm that is unfolding as trust devolves. I recommend a seat in the rear of the plane, which is the most survivable section. the reason that they take your footprint is that the most identifiable body part is your foot in a flight boot. prior to the advent of DNA testing. now anything that you can pick up with a stick and a spoon will do.

If Men Were Angels
https://mises.org/library/if-men-were-angels
10/15/2010 Robert Higgs
[Excerpted from "If Men Were Angels," Journal of Libertarian Studies, 2007.]
...
The great security against a gradual concentration of the several powers in the same department, consists in giving to those who administer each department the necessary constitutional means and personal motives to resist encroachments of the others. The provision for defense must in this, as in all other cases, be made commensurate to the danger of attack. Ambition must be made to counteract ambition. The interest of the man must be connected with the constitutional rights of the place. It may be a reflection on human nature, that such devices should be necessary to control the abuses of government. But what is government itself, but the greatest of all reflections on human nature? If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government would be necessary. In framing a government which is to be administered by men over men, the great difficulty lies in this: you must first enable the government to control the governed; and in the next place oblige it to control itself. A dependence on the people is, no doubt, the primary control on the government; but experience has taught mankind the necessity of auxiliary precautions.

Nick P • September 23, 2017 10:53 AM

@ All

Thermal, Side Channel via Air Conditioner

I gave Clive credit elsewhere as always for predicting most of this stuff with his matter/energy, root-cause analysis. Also the need to energy gap. I added that the shielded rooms couldn't even have toilets due to the water and pipes propagating signals. They can't have wireless devices such as cellphones due to the radio waves causing secrets to leak. Now, the poor bastards occupying secure rooms have to go without their smartphones, toilets, *and air conditioning*. With constant noise in the background to mask their conversations. Which of you privacy lovers want a secure facility now? ;)

Wael • September 23, 2017 3:01 PM

@Tatütata,

Does it imply that one must carry some sort data carrier [...] at all times?

Ask and you shall receive! Yes, one will have to drag it along all the time. That's the block chain they© have in mind for you. Any questions?

Dystopia is now, repent • September 23, 2017 4:07 PM

"Does it imply that one must carry some sort data carrier [...] at all times?"

Injectable DNA-coded binaries that live for 48 hours in your bloodstream. "Ow, hey.."

"Thank you for using Paypal against your will, prisoner 852-6824" - Darth Thiel

/Trapdoor opens/

Bob Dylan's Wobbly Knee • September 23, 2017 4:47 PM

One of the downsides of autonomous trust is the way that it leads to a lack of self-autonomy in end users. Over at Global Guerrillas John Robb has some interesting data regarding Facebook.

http://globalguerrillas.typepad.com/globalguerrillas/

The data point that struck the most profound chord in me was that 70% of all internet users outside of China/Russia are on Facebook and that by 2025 FB will have access to 1/2 of all people on the entire planet.

What is the point of encryption if everyone is saying the exact same thing?


albert • September 23, 2017 5:35 PM

@Wael, @Tatu,

I always thought the British (now UK) auto ID system was kinda cool. In general, the vehicle number* is given at first sale, and stays with the vehicle for life (there are exceptions). This number appears on the vehicle as license plate numbers do in the US.

All that remains is to apply a similar system to human populations. There are, no doubt, villainous rapscallions hidden deep within the bowels of the Secret Government, working on just such a scheme.

. .. . .. --- ....

---------
*This is similar to the VIN in the US

Wael • September 23, 2017 7:31 PM

@albert, @Tatütata,

The article cites Estonia's block chain based ID system as a model, but I can't find meaningful technical details about it.

The WP article is well written! The link to the Estonian blockchain information is light on details. Long topic, but what's implied in some use cases is that ID holders have the ability to view, and sometimes approve, "queries" or "service transactions". So it implies users need access to electronic media (smart phones, email, browsers, etc.). Seems there is also an accompanying physical card to that system that users may need to carry around?

I always thought the British (now UK) auto ID system was kinda cool.

Wasn't aware of that! Vehicle identification numbers (VIN) are too long for license plate numbers! They must have police officers with superhuman memories.

65535 • September 24, 2017 12:30 AM

@ Spooky

“Another exploitable breach reported for Intel ME (RCE by Mark Ermolov and others)… if this exploit turns out to be easily repackaged for malware…”

Nasty stuff. I'll be checking my clients' CPU versions for Skylake. I am not sure what the fix is.

@ Anders and Ergo Sum

“…how do we know if one of the countries is not the US? For that matter, how do we know that the FinFisher just had not been "discovered" in the US?” -Ergo Sum

That is a very good question. If it is discovered that a major USA ISP, cough ATandT… SBC, is using it for various reasons, the fallout will be horrible.

On the CCleaner Trojan, that looks very targeted and well crafted. How do the C2 servers inject code into memory without a file?

@ Tatütata

The USA Social Security Number is a key component of financial, tax, and individual tracking. It has been a thorn in the side of all who have one. There is no easy solution for replacement.

It is entrenched so deep in government and the financial system that it would take dynamite to dislodge it. It is used as one of the main selectors in business records, phone records, tax records, loan records, medical records, old student ID records, credit card scams and tax scams.

Wikipedia:

“History

“Social Security numbers were first issued by the Social Security Administration in November 1935 as part of the New Deal Social Security program. Within three months, 25 million numbers were issued… November 24, 1936, 1,074 of the nation's 45,000 post offices were designated "typing centers" to type up Social Security cards that were then sent to Washington, D.C. On December 1, 1936, as part of the publicity campaign for the new program, Joseph L. Fay of the Social Security Administration selected a record from the top of the first stack of 1,000 records and announced that the first Social Security number in history was assigned to John David Sweeney, Jr… Before 1986, people often did not obtain a Social Security number until the age of about 14,[but not in all cases -ed] since the numbers were used for income tracking purposes, and those under that age seldom had substantial income. The Tax Reform Act of 1986 required parents to list Social Security numbers for each dependent over the age of 5 for whom the parent wanted to claim a tax deduction. Before this act, parents claiming tax deductions were simply trusted not to lie about the number of children they supported. During the first year of the Tax Reform Act, this anti-fraud change resulted in seven million fewer minor dependents being claimed. The disappearance of these dependents is believed to have involved either children who never existed or tax deductions improperly claimed by non-custodial parents…”

https://en.wikipedia.org/wiki/Social_Security_number#History

It's a nice tracking and ID scam. I don’t see the SSN or TIN disappearing anytime soon.


Lille Marching Authoritarians • September 24, 2017 3:50 AM

I am unsure if this has already been posted on this blog. If it has, sorry.

http://crackedlabs.org/en/corporate-surveillance

Corporate Surveillance in Everyday Life Report: How thousands of companies monitor, analyze, and influence the lives of billions. Who are the main players in today’s digital tracking? What can they infer from our purchases, phone calls, web searches, and Facebook likes? How do online platforms, tech companies, and data brokers collect, trade, and make use of personal data?

In short, a quite exhaustive list of various nosey bastards.

JG4 • September 24, 2017 5:36 AM

my long and tedious rant from yesterday may have gotten lost in the system. it reported "Comment Blocked". if the moderator is taking the weekend off, maybe it will appear later.

if it has fallen out of the system I can repost. I can't say that it broke any new ground, but it was well received in various quarters. it was a slightly more lucid rehash of the origins of the need for security, with comments on nuclear security wrapped around the recent news that 700 kilograms of plutonium were shipped from France to Japan, a country with a long and storied history of magnitude 9 earthquakes.

I'll keep it short today. The Shannon book is excellent. I am halfway through. I highly recommend it for anyone who reads this blog. standard Amazon disclaimer applies. I am going to stop saying, "this made the hair on the back of my neck stand up"; it is safe to assume that the majority of things that I read in the news or comment on make the hair on the back of my neck stand up. I saw in the book the sinews of war, which always have high stakes.

A Mind at Play: How Claude Shannon Invented the Information Age
Hardcover – July 18, 2017
by Jimmy Soni (Author), Rob Goodman (Author)
4.3 out of 5 stars | 41 customer reviews
https://www.amazon.com/Mind-Play-Shannon-Invented-Information/dp/1476766681

see also:

Feedback Control of Dynamic Systems (5th Edition) it's only $10
https://www.amazon.com/Feedback-Control-Dynamic-Systems-5th/dp/0131499300

Facebook's Frankenstein Moment • September 24, 2017 8:39 AM

The USA press is FINALLY covering Silicon Valley shenanigans. This past week has been a watershed delight for those tired of being hoodwinked!

“Days after Donald Trump pulled out his disorienting win, Zuckerberg told a tech conference that the contention that fake news had influenced the election was “a pretty crazy idea,” showing a “profound lack of empathy” toward Trump voters.

But all the while, the company was piling up the rubles and turning a blind eye as the Kremlin’s cyber hit men weaponized anti-Hillary bots on Facebook to sway the U.S. election. Russian agents also used Facebook and Twitter trolls, less successfully, to try to upend the French election.

Finally on Thursday, speaking on Facebook Live, Zuckerberg said he would give Congress more than 3,000 ads linked to Russia. As one Facebooker posted: “Why did it take EIGHT MONTHS to get here?””

https://www.nytimes.com/2017/09/23/opinion/sunday/facebook-zuckerberg-dowd.html

Embarrassingly, the Canadians remind Yanks that Facebook violated USA law:

“This week, Facebook’s chief executive officer and creator, Mark Zuckerberg, flipped from his stance a year ago that Facebook was not manipulated during the 2016 U.S. presidential election. Last November, he dubbed that notion as “a crazy idea”.

Foreigners are prohibited from making contributions or spending money to influence any election under U.S. federal laws. Clearly, Facebook must take responsibility for taking money from advertisers working for foreigners to place political ads on its site.

This latest flap is only the tip of an iceberg concerning ethical questions surrounding Facebook and legal ones as well.

The fact is that Facebook’s underlying business model itself is troublesome: offer free services, collect user’s private information, then monetize that information by selling it to advertisers or other entities.”

http://business.financialpost.com/diane-francis/why-theres-nothing-to-like-about-facebooks-ethically-challenged-troublesome-business-model

https://theweek.com/articles/726004/why-washington-turning-silicon-valley

Thank you press!

JG4 • September 24, 2017 9:53 AM

Thanks for all of the excellent links and discussion. A good movie:

Catch Me If You Can (2002)
http://www.imdb.com/title/tt0264464/

The anti-hero of the film had a real talent for recognizing and exploiting cognitive limitations of humans and their systems. He later turned away from the dark side.

https://www.nakedcapitalism.com/2017/09/cybersecurity-aint-only-game-town-scams-multiply.html
...
The Wall Street Journal yesterday ran a jaunty – albeit a bit hair-raising – interview with Frank Abagnale Jr. – the subject of the 2002 biopic Catch Me if You Can, ‘Catch Me if You Can’ Scam Artist Has a Warning for Today’s Consumers that says it ain’t so.

Once a top class scam artist – successfully posing as pilot, doctor, and lawyer – before getting caught, doing five years’ time, Abagnale has subsequently spent the last forty years as a security consultant, advising the FBI and others on ways to avoid and counteract scams, particularly those involving cybercrime, fraud, and identity theft.

I realize that the interview is paywalled, and for those who don’t have a WSJ subscription, it’s probably too late to buy a copy of yesterday’s paper.

So I’m going to share with you a few of Abagnale’s thoughts, and some more of my own.

It looks like we have another unsung hero of the nuclear age.

http://www.airforcemag.com/MagazineArchive/Pages/2017/October%202017/The-One-Way-Nuclear-Mission.aspx
...
Gary Barnhill, then a pilot and a lieutenant, related that these relaxed nuclear alert procedures were changed sometime in 1959, after he overheard a visiting general ask an alert pilot if he thought he could start the aircraft without a crew chief, taxi out, and take off on his own. After thinking about it, the pilot replied that he could, indeed—and conceivably start World War III on his own.
Shortly thereafter, a very detailed “two-person concept” was mandated. This procedure required the presence of armed guards equipped with dogs at the alert aircraft. They were to have eight-by-10 headshot photos of the alert duty pilot and the crew chief.

A nice metaphor for the forum here:

The History and Evolution of the Commons
http://commonstransition.org/history-evolution-commons/
On: Sep 19 | Categories: Articles, Michel Bauwens, P2P Foundation
...
In this context, the commons has been defined as a shared resource, which is co-owned and/or co-governed by its users and/or stakeholder communities, according to its rules and norms. It’s a combination of a ‘thing’, an activity, commoning as the maintenance and co-production of that resource, and a mode of governance. It is distinguished from private and public/state forms of managing resources.
But it’s also useful to see commoning as one of four ways of distributing the fruits of a resource, i.e. as a ‘mode of exchange’, which is different from the more obligatory state-based redistribution systems, from markets based on exchange, and from the gift economy with its socially-pressured reciprocity between specific entities. In this context, commoning is pooling/mutualizing a resource, whereby individuals exchange with the totality of an eco-system.
A number of relational grammars, especially that of Alan Page Fiske in Structures of Social Life, are very useful in that regard, as he distinguishes Authority Ranking (distribution according to rank), Equality Matching (the gift economy, as a social obligation to return a gift), Market Pricing and Communal Shareholding.

pi user • September 24, 2017 10:06 AM

@r, Clive, Wael, et al

Regarding ARM devices, would any of you chaps be willing to set me in the proper direction regarding its fundamental security hazards? I've read posts over time, and have seen many references to the inherent insecurity of ARM. Could it possibly be as bad as Intel? Really want an ODROID with FreeBSD on it, or... do I?

Thanks in advance.

Wael • September 24, 2017 10:29 AM

@pi user,

Regarding ARM devices, would any of you chaps be willing to set me in the proper direction regarding its fundamental security hazards?

Read the excellent link @r just posted here, then let's discuss what you're talking about. We'll take a balanced, methodical approach.

Shmuckerberg • September 24, 2017 11:48 AM

Anyone who thought Zuckerberg's theft of a social media website idea, that he has subsequently turned into a CIA-mined data pool for anyone anywhere to pay to access the inane peccadilloes of every single user's life, friends network, profession details, habits, likes, hates, political motivations and other metadata, was somehow ever interested in building a stable meritocratic online society... well, you're rather easily misled, aren't you?

It's comical to me that they'd be upset that he "adjusts" their news feeds, given that they're basically walking around naked in his slave gallery on a daily basis.

Putin has simply opened a door that was always unlockable with a relatively little bit of money. Who trusts Zuckerberg to keep it closed? He's a proven liar and eager thief.

Until there is an audited, privacy-conscious, well-led social media alternative to the massive sellout that is FB, those addicted to the sharing-with-profiteers paradigm will continue to be slaves to that system and there's little hope of extricating them from it. Zuckerberg laughs all the way to the bank and then on his way to give Congressional handjobs.

Foreign manipulators will simply move their money to the US mainland. Poof, no longer a "foreign" manipulator, just a "local" with "a viral opinion to share."

pi user • September 24, 2017 11:59 AM

@Wael
Noting that my post was first directed at r, and directly beneath r's last post, you might have assumed I had. Are you suggesting that r's link summarizes the fallibility of ARM entirely and sufficiently? Maybe I will look elsewhere.

Wael • September 24, 2017 12:51 PM

@pi user,

you might have assumed I had...

No assumptions. @r posted a link, worthy of its own thread, and you asked a question that the link covers to some extent, relevant to a subsystem construct within ARM, although the attack class may apply to other platforms and architectures. It's a flaw in power management that allows normal world resident software to affect secure world components to breach confidentiality, disturb availability, and bypass integrity checks.

Are you suggesting that r's link summarizes the fallibility of ARM entirely and sufficiently?

No. It's just a good paper that gives an overview of weaknesses because of some design flaws. If you watch the video presentation, you'll see that some manufacturers were present and asked questions about the attack mechanism, supposedly to mitigate it.

Maybe I will look elsewhere.

Your preference. But nothing I am aware of will describe the fallibility of anything "entirely and sufficiently".

Things that make you say rrrrrrrrr • September 24, 2017 12:51 PM

Multithreaded gotcha.

Single core rtos on a tamper resistant open source sim anyone?

Rachel • September 24, 2017 2:05 PM

Piuser , Wael

@ Thoth has repeatedly posted some extremely thorough critical analysis of ARM and inherent weaknesses. Absolutely essential reading if that's what you need. I fear he may have left these fair shores. I'm about to simply because of the new imposition in Top 100 - impossible to keep reading

Rachel • September 24, 2017 2:09 PM

Piuser

Search the 'Friday Squid' for 'Thoth ARM' for the last two years. You'll thank me. (You won't limit search to Friday Squid, but that's where the relevant essays by Thoth will mostly be.)

Wael • September 24, 2017 2:18 PM

@Rachel,

I'm about to simply because of the new imposition in Top 100- impossible to keep reading

I think it's a good mechanism that accommodates especially long posts that quite a few readers complained about. It's only a click away that'll take you to the proper thread, where you can follow the whole discussion without the limitation imposed on the "100 Latest Comments" section. I like it. Do you have other suggestions?

SpaceLifeForm • September 24, 2017 2:25 PM

That would be factoring semiprimes.
Don't be Bill Gates please.

In this attack, it is changing the N, N=P*Q into a different N, call it M for Modified, and it most certainly has smaller, easily findable prime factors.

Turtles all the way down from that point.
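The modulus corruption the comment above describes, as an added example that is not part of the original thread (toy textbook RSA with constructed 16-bit primes and an assumed message value, no padding, and all function names are mine): flip one bit of N to get M, factor M by trial division, derive a private exponent for M, and produce a signature that a verifier holding the corrupted modulus accepts while the genuine modulus rejects it.

```python
"""Fault on the RSA modulus: a single-bit change turns N = P*Q into an M
with small factors, so an attacker can factor M, derive a private exponent
that matches M, and produce a signature the faulted verifier accepts.
Textbook RSA at toy sizes; primes, message and names are all constructed
for this example."""
from math import gcd

P, Q = 65519, 65521            # assumption: two 16-bit primes (toy key)
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # genuine private exponent (Python 3.8+)
MSG = 0x1234567                # constructed "message hash", MSG < N


def factor(n):
    """Trial-division factorisation -> {prime: multiplicity}; fine at toy sizes."""
    out, f = {}, 2
    while f * f <= n:
        while n % f == 0:
            out[f] = out.get(f, 0) + 1
            n //= f
        f += 1 if f == 2 else 2
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out


def euler_phi(n):
    """phi(n) from the factorisation: prod (p-1) * p^(k-1)."""
    phi = 1
    for p, k in factor(n).items():
        phi *= (p - 1) * p ** (k - 1)
    return phi


def verify(sig, msg, modulus, e=E):
    """Textbook RSA verification (no padding): sig^e == msg (mod modulus)."""
    return pow(sig, e, modulus) == msg % modulus


def forge_under_corrupted_modulus(n, e, msg):
    """Try each single-bit corruption M of n.  When e is invertible mod
    phi(M) and msg is a unit mod M, sign msg with the private exponent
    that belongs to M.  Returns (bit_index, M, forged_signature)."""
    for bit in range(n.bit_length()):
        m_mod = n ^ (1 << bit)
        # msg must be a unit mod M so Euler's theorem makes msg^(e*d') == msg
        if m_mod <= msg or gcd(msg, m_mod) != 1:
            continue
        phi = euler_phi(m_mod)
        if gcd(e, phi) != 1:
            continue                        # e has no inverse mod phi(M)
        d_forged = pow(e, -1, phi)          # private exponent for M, not N
        return bit, m_mod, pow(msg, d_forged, m_mod)
    raise ValueError("no single-bit corruption of n was exploitable")


if __name__ == "__main__":
    genuine = pow(MSG, D, N)
    bit, M, forged = forge_under_corrupted_modulus(N, E, MSG)
    print(f"genuine sig verifies under N: {verify(genuine, MSG, N)}")
    print(f"bit {bit} flipped: M = {M}, factors {factor(M)}")
    print(f"forged sig verifies under M: {verify(forged, MSG, M)}, "
          f"under N: {verify(forged, MSG, N)}")
```

The verifier never learns that its copy of N was altered; the forged signature is a perfectly valid RSA signature for M. At real key sizes the trial division is replaced by whatever factoring a particular corrupted modulus permits, which is why a corruption that lands on a smooth M is the one an attacker wants.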

RachelSeptember 24, 2017 2:43 PM

Wael

My issues with the new feature are:
- It truncates most posts, thereby removing any pleasure from the flow of reading. And then requiring a physical interaction with the device.
- One is not taken to the comment. One is taken to the original blog entry at the TOP of the page. One must then locate the comment. Further, scrolling through a couple of hundred comments can take ages with a handheld screen. Oh. There was only one more irrelevant sentence. Okay, back to the Top 100 I go.
- I only observed a couple of complaints about lengthy posts. I was bewildered. AND last year there was a huge outcry when someone complained about Markus Ottela's long TFC post - heaps of folks chimed in to say 'build a bridge'. This is a technical blog. We have attention spans.
- Take any post from Ab Praeceptis, Clive, Nick P, Thoth - heaps of people - all detailed and relevant, and yet all to be truncated after 7 lines or something.
- I read the Top 100 offline, and enjoy the comments through the day, picking up more as able. Impossible now.

pi userSeptember 24, 2017 3:05 PM

@Rachel
TY for the sugs, I'll explore Thoth's comments. Any other suggested reading is welcome too. I guess it's the elephant in the digital living room: all modern hardware is borked and bungholed and nothing anybody can do about it.
Regarding Top 100 (no idea what this is yet), why not offer an option to view in both|multiple formats?

WaelSeptember 24, 2017 3:14 PM

@Rachel,

One is not taken to the comment. One is taken to the original blog entry at the TOP of the page

On my devices, the link takes me to the proper thread entry -- not to the top of the page.

Bruce SchneierSeptember 24, 2017 3:51 PM

@Rachel:

Thanks for this. I am trying various options out, trying to reduce the toxicity in the blog comments. I understand that there are plusses and minuses to everything I try.

Please delete this silly jokeSeptember 24, 2017 4:47 PM

"scrolling through a couple of hundred comments can take ages with a handheld screen"

But.. bravery! :D

Clive RobinsonSeptember 24, 2017 7:43 PM

@ Wael,

It's only a click away that'll take you to the proper thread, where you can follow the whole discussion without the limitation imposed on the "100 Latest Comments" section. I Like it. Do you have other suggestions?

It's only a click away if you have connectivity...

I'm guessing that US readers don't use Public Transport. In quite a few European cities it's not an option, you are either not allowed to drive into them or you are not allowed. When on PubTran it's kind of "dead time" and doing something productive with the two to five hours a day is important to a commuter's sanity.

Unfortunately in quite a few places the mobile network is not reliable, so it's not "only a click away". In London for instance you can easily spend an hour or more without access to a mobile operator's network in the "Underground". Likewise quite a few suburban rail networks as you approach the central zones, and don't get me started on buses or taxis...

With regards @Rachel's problem where you say,

On my devices, the link takes me to the proper thread entry

Mine does sometimes but not always, depending, it appears, on when the page was last accessed. If I then just nudge the display up a little it has so far taken me to the correct place.

Such are the joys of a non Apple OS...

@ Bruce,

Perhaps having a button at the top of the 100 latest marked "full" (using say the "post method" not javascript) that fetched the page the way it used to be might solve the problem for all concerned.

WaelSeptember 24, 2017 8:27 PM

@Clive Robinson,

It's only a click away if you have connectivity...

That's a valid observation, but like all problems, there are also solutions. Allow me to introduce you to some nice Firefox browser extensions:

  • Scrap Book Plus: With this extension, you can save web content to a depth between 0 and 3 or more (it follows the links to the specified level). Then you can operate on the content that's cached locally when you have no data connectivity. You also have several options as to what type of content to capture. Default will work fine if you specify a depth level of 1, which will cache the content under the "Read more →" link ;) The option you need is: Capture Page As (then specify a depth of 1 or more). Then push start. It's a good extension if you plan to be in an area without data connectivity for a long time. I can capture enough content from the typical URLs I visit to last a 12 hour flight. Try it sometime!
  • Wired-Marker: With this extension, you may highlight any text section with various colors for easy reference in the future. The highlighting metadata is saved locally to your device.

There are a few more extensions that I find very useful... but they're not related to this topic.

tongue_in_cheekSeptember 24, 2017 8:50 PM

@Wael, and others not pleased with the new newcomments

You're all over-thinking this. Just use forcomments and take note of some distinct search string to find where you left off before refreshing... :-P

WaelSeptember 24, 2017 8:58 PM

@tongue_in_cheek,

I'm pleased, dawg! I'm pleased :)
I don't need to search for anything! I type the URL directly and it takes me to the comment I need.

tyrSeptember 24, 2017 10:30 PM


@Clive

That's part of the one size fits all way humans do things. If you have fulltime connectivity and a massive and expensive comp it takes awhile to realize that not everyone in the world mirrors your setup. This tends to balkanize the userbase to the point there are folks who are no longer on the radar, having dropped from sight rather than deal with someone else's arcane worldview.

I remember sitting behind a Unix shell and having various websites trying to push me upgrades because they thought I was a windows user who obviously needed the new version of crapware 3.004 or I'd be deprived of their wonderful experience.

You'd think the massive failure of central planning that ruined the USSR would have made people notice that forcing all the eggs into one basket is a sure recipe for a disaster.

You see the same thing with the data aggregators' mad plan to expose everyone to some random flaw or script kiddy with an idle hour or two.

@Bruce

I'm sure you'll get it comfortable after a bit.
That may make it less of a pain to follow.

Nick PSeptember 24, 2017 11:12 PM

@ Rachel

There have been complaints on and off about long posts. Most were about those that had no substance that were here purposefully to drown out discussion. The others that didn't might or might not be affected by this rule. The moderation changes are in an experimental phase where Bruce and the Moderator are keeping a close eye on how changes affect discussions in practice.

Far as offline reading, you can also open up the stories on the front page in separate tabs before going offline. It's what I do. I then go through one at a time noting what's interesting or worth commenting on. Closing it after I do to save battery life. Airplane mode if not allowed to use the phone. Given how it's organized, Last 100 is mainly good for a quick glance at what's going on as a survey with clicks to the actual threads for real reading in chronological order with context. Combined with Find feature of browsers, it can also be used throughout the day or via a script to see if anyone is mentioning you by name on a topic.

And Thoth did leave to focus on developing smartcard tech he was describing. That segment of INFOSEC is mainly oligopolies trying to stop competition along with lots of technology thieves. He's doing a lot of interesting stuff that's probably best as a trade secret for now.

@ Wael

"And if anyone has the time, they can develop their own Schneier blog extension that adds all the features one desires."

Yes, we've brought this up in the past. Some things like moderation usually have to happen at the site level. Presentation is something anyone really concerned with it can roll on their own without a lot of expertise. Just time invested. It helps that Movable Type makes the front page, the articles, and comments similar with probably some template. Those are easiest to parse with basic Perl, SNOBOL, and so on.

RachelSeptember 25, 2017 12:25 AM

What a pleasure to wake and find all these supportive responses. Part of it is my problem; I am too poor to use anything but an e-book reader for internet presently.
Mr Schneier, thanks & you are welcome. I respect your right to not host a democracy and act as you see necessary.

Tyr
Nice comparison with the USSR. Regularly amazed by bloggers or sites who consider themselves 'Internationalists' but whose pages are so laden down with scripts and graphics the browser crashes. My constant refrain - can someone with no bandwidth in Timbuktu still receive your news?

Nick P
Thank you, appreciate the nice tips; yes, I used to do the multi-tabs thing offline. Fascinating comments about the smartcard industry. I wish Thoth the best. I always had decidedly mixed feelings about how generous he was with his protocols and innovations. It was as if it would be wasted on the Gits and just ripe for plunder instead. He was throwing gold around!

Wael
Cool extensions, voila, and indeed a DIY script-a-solution sounds like perfection to me. I am dying to know what other extensions you rely on! I do find browser add-ons scarily leaky more often than not, so I've learnt to keep them minimal.

Mr Schneier
The development at Facebook to prevent 'disruptive info' by hiring tens of thousands of censors to monitor and potentially delete offending posts, is worthy of an Op.Ed for one of your MSM employers?

WebberSeptember 25, 2017 3:33 AM

Maybe we should not forget that a lot of people come here for the comments and not only for links to Ars Technica articles.
A lot of comments convert to a lot of visitors, and a lot of visitors sometimes sell books.

LPA-11KSeptember 25, 2017 6:19 AM

@ Webber, @all

Yes, the comment section here is valuable as well as popular. It takes time for dominant voices to emerge on a web blog like this but they always do given time. In the case of a technical blog like this, the most valuable and admired commentators always have good chops technically along with career experience to add weight and wisdom to their words. Unfortunately for Bruce and longtime readers, Schneier on Security is getting more popular. Bruce thinking about new measures to keep the environment under control is a terminal sign of success.

Another well established website known for its comment section is ZeroHedge. In its original version, members had to solve a math captcha in order to leave a comment or vote. Membership took a long time to get and the ranks of posters at that time were mostly financial industry insiders, along with active traders and serious investors. In those days, about 7-8 years ago, moderation wasn't needed as the comment section was self-policing and constantly on the lookout for phonies, posers, or people talking their book. Most of the articles were pretty technical with plenty of "chart porn" and analysis. The average reader couldn't penetrate most of the material but the general public wasn't the audience, much like here.

ZeroHedge did some groundbreaking reporting on fraud at the big banks along with the spread of HST (High Speed Trading) networks, topics which are common knowledge now. As a result, they developed a cult-like following that eventually put them on the media radar. The death knell was Drudge Report linking to their articles which resulted in a huge influx of people who joined up and conducted themselves like they were on the YouTube or Yahoo comment sections.

It's gotten worse recently - members with 7-8 years are rarely heard from although certain topics bring them out of the woodwork to excoriate some of the more annoying pests. There's very little to recommend the ZH comment section these days. The expert and often witty commentary is gone. Hopefully that won't happen here due to Bruce's efforts but it's a tough problem to deal with and satisfying everyone probably isn't an option.

Secure PhoneSeptember 25, 2017 6:41 AM

Russia gave asylum to U.S. fugitive Edward Snowden, who revealed that the National Security Agency had access to Google’s data centers worldwide

“Most smartphone apps collect certain data on users and send it to outside servers,” said Natalya Kaspersky, head of InfoWatch. “When people use personal phones at work, their corporate emails, documents and job-related photos come under threat of being -- maliciously or accidentally -- leaked to third parties.”

The Taiga phone runs its own Android-based firmware that lets apps run on the device but stops them from collecting data. The phone also has a built-in agent that gives the administrator -- such as a corporate IT department -- control over what apps will work on the device and what content the user can access or share.

Why can’t someone do these type of phones in the west?
The demand could be huge. As others have stated the current security model needs a lobotomy.

https://www.bloomberg.com/news/articles/2017-09-25/natalya-kaspersky-s-snoop-proof-phone-helps-putin-thwart-spies

JG4September 25, 2017 6:59 AM


Further comments on the new Shannon book.

Alan Turing probably was the first to implement a hypervisor, using an audio channel. He had his nested loops each send a pulse to the speaker per iteration. He could tell by listening if the code were running correctly. In the early '90s, I used a similar technique where an interrupt service routine running around 10 KHz on a 50-MHz 486 toggled an I/O pin at entry and exit. That made it easy to pick up the duty cycle with a Tektronix 2205, and to make sure that the entry was tightly clocked. The ISR used the DOS 6.2 time-of-day function, with a different divisor to speed up the cycle rate. I can't recall what the native rate was, but I'd guess around 20 Hz. The new divisor would have been around 500 times smaller to get to 10 kHz. It would increment the time-of-day counter every 500th iteration. Later we ran the ported code on C3x and C67 DSP boards. TI's DSP hotline was an interesting crapshoot, because they made the engineers rotate. Some of the discussions with senior engineers were fascinating, others not so much.

Shannon's mechanical mouse, Theseus, implemented a form of system identification and an OODA loop, where the map of the maze was stored in a bank of 75 electromechanical relays. Shannon was a solid chess player and also built an electromechanical computer that could play an endgame with up to six pieces. Chess also is a maze problem, with many more dimensions. Shannon correctly foresaw that chess is an ideal case for testing AI. The book is worth the price of admission.

Some of the credit card companies offer one-time-use numbers, which is a great idea. Unfortunately, none of mine. It's not farfetched to propose one-time use derivatives of social security numbers, so as to be able to track the trackers and avoid (permanently) poisoning the credit well. Not so different from the digital security IDs (keyfob PRNGs) from RSA that Lockheed-Martin used to let the Chinese military waltz off with the crown jewels. It is amazing that the financial psychopaths haven't managed to permanently poison the housing well in the US (yet) in spite of having damaged the integrity of the 200+ year-old deed system.

The new comments tool is working OK for me, but a new discipline is needed to get the keywords into the first 5 to 10 lines. I right click and open in new tab anything that looks interesting.

Clive RobinsonSeptember 25, 2017 8:58 AM

@ Secure Phone,

Why can’t someone do these type of phones in the west?

Ignoring for the moment the "How secure is secure?" question, which requires extensive testing etc.

The simple fact is, as far as Service Providers who give you a phone as part of a contract, and manufacturers who usually sell only to Service Providers, are concerned, the phone is theirs, not yours. Read that again and realise you have no rights other than those they choose to give you, which is usually worse than zero.

That is, they see you as an additional income stream by which they can profit without you usually being directly aware of it.

The classic example of this was the CarrierIQ "tech support" software. It basically did an end run attack around the phone security and sent unencrypted copies of all you typed in or received across the Internet to Carrier IQ's servers.

Now I can not say if Carrier IQ had an arrangement with the NSA or not, but we know from the way the NSA tapped into Google's unencrypted back haul between their data centers that ANY PLAINTEXT the NSA can see they will slurp into one or more of their databases for an unknown period of time (they are supposed to delete plaintext after a period of time, but as they have been caught not doing what they are supposed to do on numerous occasions, it's probably safe to assume "indefinitely").

Thus it really does not matter how secure you think your phone is; it's wisest to assume it has no security at all. For two reasons: firstly the ignoring of public legislation as indicated above, secondly because legislators will give the SigInt agencies what they want when there is "an emergency", and I'm sure the NSA or other parts of the IntCom are not above creating an emergency when they need one. Even if not, they are certainly not going to allow any incident, emergency or otherwise, to go by without attempting to exploit it.

Thus, as I've indicated a few times before, you need to investigate ways to mitigate the end run attacks that are way, way too easy to do on any communications connected device. The obvious and best way is to extend the security end point beyond the communications end point by taking it "off device" to either another non-comms device or even paper and pencil encryption. That is, you can use a One Time Pad/Phrase system, which in theory does not give an attacker any real advantage as all messages/meanings are equally probable.
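The off-device one-time pad mentioned above, as an added example that is not part of the original comment (constructed messages and pad bytes; PadBook and the function names are mine): encryption and decryption are plain XOR with a pad that is consumed strictly once and wiped, and two_time_pad_leak shows the failure mode that turns a pad into a liability the moment it is reused.

```python
"""Off-device one-time pad: the XOR happens before the text reaches the
(assumed-compromised) phone, so the device only ever sees ciphertext.
Constructed example; real pads must come from a true random source and be
exchanged out of band."""
import os


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each byte with an equal-length, never-reused, uniformly random pad."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: never stretch or reuse a pad")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


otp_decrypt = otp_encrypt   # XOR is its own inverse


class PadBook:
    """Hands out pad material strictly once; consumed bytes are wiped so the
    same page can never be used for a second message."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self._pos = 0

    def remaining(self) -> int:
        return len(self._pad) - self._pos

    def take(self, n: int) -> bytes:
        if self._pos + n > len(self._pad):
            raise ValueError("pad exhausted: generate and exchange a new one")
        chunk = bytes(self._pad[self._pos:self._pos + n])
        for i in range(self._pos, self._pos + n):
            self._pad[i] = 0          # wipe consumed key material
        self._pos += n
        return chunk


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Reusing a pad leaks m1 XOR m2 to anyone holding both ciphertexts;
    with a guessed crib for one message the other drops straight out."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    book = PadBook(os.urandom(64))          # constructed pad for the demo
    m = b"meet at 19:00"
    k = book.take(len(m))
    c = otp_encrypt(m, k)
    print("decrypts:", otp_decrypt(c, k) == m, "pad left:", book.remaining())
    # misuse: same pad for two messages of equal length
    pad = os.urandom(14)
    leak = two_time_pad_leak(otp_encrypt(b"attack at dawn", pad),
                             otp_encrypt(b"hold position!", pad))
    print("m1 xor m2 recovered without the pad:", leak.hex())
```

The PadBook enforces the only two rules that matter: pad length at least message length, and each pad byte used exactly once. Everything else about the scheme is trivial, which is the point of using it on a device you do not trust.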

Clive RobinsonSeptember 25, 2017 9:09 AM

@ JG4,

I can't recall what the native rate was, but I'd guess around 20 Hz.

It was in effect a frequency a little over 18Hz[1]; given the name "ticks", it did not go evenly into a one second time, which could and did lead to time jitter issues for the unwary.

[1] Supposedly ~18.204Hz, but due to a number of issues it was neither accurate nor stable, as it was CPU temperature sensitive. Oh, and messing with the serial port Symbol Bit Rate (Baud) could cause your System "wall" Clock to be incorrect.

WaelSeptember 25, 2017 9:50 AM

@Clive Robinson, @Secure Phone,

The simple fact is, as far as Service Providers who give you a phone as part of a contract, and manufactures who usually sell only to Service Providers

"Usually" is a good disclaimer. First, some terminology and a brief primer:
When an OEM manufactures a phone, they go through a process called "Ranging". This means the OEM works with the Carrier (MNO; Mobile Network Operator) to make sure that the new phone conforms to the carrier's specifications. This process has several stages that include third party test houses, onsite testing, negotiation with the carrier on which features to prioritize and .... When the carrier accepts the phone, then the type of device is called a "Ranged" device. If the carrier does not like the device for whatever reason (within the limits of the original contract), then the OEM has several choices: drop the phone and work on a new one, fix the problems and ship a delayed product, try with a different carrier (sometimes the OEM tries to range the phone with several carriers within a short timeframe), or sell the phone to the end user directly through a dedicated store or online, like through Amazon, etc.... This is called a "Trade" phone. Trade phones are not subsidized by any carrier, and they are typically unlocked. The boot loader is also typically unlocked, or can be unlocked with instructions and tools published by the OEM. A ranged phone may cost you $0 - $100+ because it's subsidized by the carrier that ranged it. The same exact Trade phone may cost you upwards of $600. A Samsung Galaxy S7 Trade phone was sold for around $1000 late last year, whereas the subsidized ranged same phone sold for less than half the price.

I would imagine a Secure Phone would be the Trade phone type, not the Ranged type. And in this case, the end user "owns" more of the phone, although other factors you brought up may need to be manually "handled" by the end user.

Clive RobinsonSeptember 25, 2017 10:13 AM

@ Wael,

I would imagine a Secure Phone would be the Trade phone type

I would suspect it would,

1, Be "Trade ++" price wise.
2, More expensive to connect.
3, SP may block it.

The cash some SPs make from selling your data etc. would buy you a lowish end Smart Phone trade wise. Thus the SP is not going to give a revenue stream up unless it can be suitably compensated and paid extra for the "exception" to their usual business model. Further, they may block the phone working partly or fully for "Technical Reasons", which are a blanket immunity in most phone contracts.

The usual YMMV for the jurisdiction you are in of course applies.

RachelSeptember 25, 2017 10:20 AM


Waek, Cliv
I have had no need nor desire to use a Blackphone, but I always wondered what their real world reality was - how successful, who uses them, how reliable, cost benefit ratio in real terms, and etc. I vaguely recall they lost some credibility with mark 2 - at least on this forum LOL

RachelSeptember 25, 2017 10:25 AM

Masters Clive Robinson and Wael
Sincere apologies for misspelling your names. I lose enough posts on public wifi after hitting submit; it's always a race against time.
Blackphone really is a funny niche when viewed in context of the various converging forces, economic and societal and other.

Nick PSeptember 25, 2017 10:46 AM

@ Secure Phone

The West led in that with it starting as COMSEC in militaries, esp UK and US. Then, there were so-called "cryptophones" that were used in defense and private sector. Recently, a bunch of companies are making hardened smartphones with mainstream OS's to get that cheaper, have modern features, and faker security. Examples.

WaelSeptember 25, 2017 3:05 PM

@Clive Robinson,

You are correct on the three points with the exception of the SP blocking it. I haven't seen that happen, but my mileage does vary.

gordoSeptember 26, 2017 12:40 AM

Mr. Schneier reminds us here that a subliminal advertising technique outlawed in the 1970's "is child's play compared to the kind of personalized manipulation that companies do today."

In that light, not getting enough attention in the USA’s election-meddling imbroglio is meddling of a different order.

AI MATTERS, VOLUME 3, ISSUE 3 SUMMER 2017
The Ethics of Automated Behavioral Microtargeting
Dennis G Wilson (IRIT, University of Toulouse)

One day AM woke up and knew who he
was, and he linked himself, and he began
feeding all the killing data, until everyone
was dead, except for the five of us, and
AM brought us down here.
I was the only one still sane and whole.
Really! AM had not tampered with my
mind. Not at all.
I Have No Mouth and I Must Scream
Ellison (1967)

Developing political strategies based on citizen information such as demographics is neither novel nor ethically questionable. However, the use of AI has enabled profiling to a degree that violates citizen privacy. It is founded on a basis of data that some would argue belongs first to the citizens and only to political campaigns with explicit consent. Most importantly, though, when this form of analysis is used to deliver personalized political content, the diversity of opinions citizens are exposed to becomes artificially limited. (PDF, p. 3)

https://sigai.acm.org/static/aimatters/3-3/AIMatters-3-3-12-Wilson.pdf

Touching on this, as well:

Will Data Destroy Democracy?
15 Sep 2017 by Internet Summit Team.

Lawrence Lessig, Roy L. Furman Professor of Law and Leadership, Harvard Law School and Darren Bolding, CTO, Cambridge Analytica
Moderator: Matthew Prince, Co-Founder & CEO, Cloudflare

[very rough] Transcript:
https://blog.cloudflare.com/will-data-destroy-democracy/

Video [35 Minutes; 6:59:38 ff]:
https://youtu.be/nCWSvnYskYQ?t=25178

Clive RobinsonSeptember 26, 2017 1:24 AM

@ Wael,

I've seen a UK SP block a specific equipment type before, using the excuse of "technical reasons".

I'm not allowed to name the companies involved for the usual reasons, but the cause and effect are publicly documented as changes to the phone standards.

In essence the standards a phone had to meet got changed, and a new phone that had gained full approval to the new standards was placed on the market. The phone started to cause one --and only one-- SP problems. This was due to the SP having not updated (patched if you will) their network in a timely fashion. The SP's solution: block the phone from their network, rather than do the upgrade and give the customers a free change of phone.

This obviously caused the phone manufacturer reputational damage, because although "industry insiders" knew full well it was the SP to blame, for not updating the software in their equipment, customers were kept in the dark.

Something similar happened when the iPhone first came out, but that was more for marketing reasons, not technical. Similarly some SPs have in the past blocked phones from their network for supposedly "anti-fraud" reasons but in reality because the SP were running a walled garden. The same SP got into trouble with the UK Parliament, when evidence of their trickery and highly questionable business practices with regard to customers moving to other SPs was presented in evidence.

Due to the way mobile phone market economics have changed I know from industry insiders that the same questionable if not illegal activity has happened in other countries. Basically to punish "leaving" customers SPs have disrupted the number hand over and also damaged the customers credit rating.

On the non technical side the mobile phone market has been a quite nasty place, hence various EU rulings to curb their excesses. Something Brexit will no doubt cause again further causing pain to UK and European business and individual customers.

WaelSeptember 26, 2017 3:49 AM

@Clive Robinson,

This was due to the SP having not updated (patched if you will) their network in a timely fashion.

Almost always true because updating the network costs a lot of money. Almost all MNOs are several levels or revisions behind the specification.

By the way, acceptance of a new device is different for each carrier, but generally as follows: 1- conformance testing (according to 3GPP spec) this is either through GCF or PTCRB process 2- Regulatory testing, like FCC or 1725 for battery, etc. 3- Carrier Specific testing (specific testing designed by operators to test compatibility with their network.) If the device is to carry the MNO brand, it will need to pass all tests on step 3 along with step 1 and 2 as well, before it is accepted.

RachelSeptember 26, 2017 8:00 AM

Who?
Unlike some intrusions, no one is claiming responsibility, however, which may (or may not) indicate motive.
And there's the SEC also; hopefully Mr Schneier can cover it.

Clive RobinsonSeptember 26, 2017 8:46 AM

@ Wael,

A thought occurs: whilst I know what the alphabet soup of acronyms you use are, I'm guessing that although some could work out what MNOs are... the rest are but interesting bits in the soup you would not normally ask the cook about, just in case they told you it was sheep's eyes or worse.

We are getting to the point where this blog needs a glossary.

RachelSeptember 26, 2017 9:15 AM

Clive
Your comment about acronyms makes me laugh because you and Wael were both referring to SP, which at first I thought meant Secure Phone, however granting a brand new shiny context to the points you were making and rendering them void. I quickly realised you meant Service Provider ;-)

WaelSeptember 26, 2017 9:37 AM

@Clive Robinson, @Rachel,

We are getting to the point where this blog needs a glossary.

I hear ya! Started the list in alphabetical order right here!

PTCRB, GCF

RachelSeptember 26, 2017 9:59 AM

Wael
Dawg! I mean, er, bloke!
I'm sure a few of you have funny and not so funny stories about acronyms misappropriated causing critical failures. It was years before I learnt LOL did not mean 'Lots Of Love'.
I was the installer for a sophisticated technical art installation worth a fortune, travelling the globe and needing to be accommodated by the varying sizes and shapes of rooms in respective galleries, also requiring extensive international communication around measurements well in advance. The US contingent took everything we said and converted it into imperial - despite our clear instructions to the contrary - causing a small and expensive catastrophe and shutting down the exhibition in their country - it couldn't fit into the space. No reflection on that fine country of stars, just an indication of how things can go wrong. Was a similarly inclined story true about the Hubble Space Telescope mirror?

Who?September 26, 2017 10:21 AM

Running unsigned code in Intel Management Engine

Does anyone have additional information about this bug?

https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

I have read it "cannot be patched," but I can hardly believe it. Staff at Positive Technologies say this bug, that seems to affect Intel ME 11 and newer, was introduced in a change to an Intel ME subsystem. I have seen no links to patches or security advisories from the main hardware developers, but there should be a way to fix it even if it means breaking some "cool feature" on recent Management Engine releases. Right now there is not much information available about this new vulnerability.

Who?September 26, 2017 10:26 AM

@ Rachel

There have been too many intrusions in recent months where attackers have not claimed responsibility. It seems that saying "hey, I had been there!" is not the current trend. Perhaps they are even state actors. Perhaps someone is testing the security of high-profile corporations to assess the security of valuable targets. But I am just guessing.

Clive RobinsonSeptember 26, 2017 10:50 AM

@ Wael,

Started the list in alphabetical order right here!

I know you like to think of yourself "As a straight A student" but did you have to have 17 of them there ducks in a row 0:)

@ Rachel,

The acronym process can get very fraught at times...

You might see "International Organisation of Standards (ISO)" and think hang on a moment why are the S and O or the words swapped. Especially if you have heard it called --incorrectly but commonly-- the International Standards Organisation...

Well it has to do with an issue that became a standing joke before actually being a joke. Officially the French are very touchy about their language and French names being used. Thus they got a reputation for being a little quarrelsm about it. Somebody who got past the pain barrier on it was alledged to have observed "If you let the French name the organisation, they will agree to anything else". Which became a stock phrase of "Name it in French for a quiet life" or similar.

Thus many people think incorectly that ISO is an acronym of a French name and are realy supprised to be told that ISO's French name is "Organisation Internationale de normalisation" which would be OIM as an acronym.

The story is in reality oh so much more fun. ISO is based in Switzerland and is actually independent of any government (hence some of the cloak and dagger stuff). It has three official languages, given alphabetically are English, French and Russian (although it happens to be the same order for the usage, you are not supposed to mention it "concorde" and all that ;-)

Thus the founders had a problem in that any sensible name in all three languages would not give the same acronym... So surprise surprise ISO is not an acronym.

It supposedly happened thus: somebody had an idea, Greece is --allegedly-- the birth place of democracy which is the essence of concordance, thus they went to a fourth language, Greek...

In Greek the word for equality or being equal is in the roman alphabet --acceptable to the English, French and Russians because of the ITU-- "isos". Thus the name they adopted is abbreviated from it... So big smiles all around, political agreement and many hand shakes for being smart a55es. But of course the obvious English name could not now be used... Thus raised eyebrows and shakes of the head at the political madness for those in the know, or confusion otherwise in the rest of humanity that comes across ISO...

Just to add to the fun and bring it back in line with computer security. In the late 1960s and through the 1970s people were laying the ground work for what would later become the Internet. In the US the DOD took a pragmatic very short term view. Whilst in Europe ISO built on the British Telecom System X ideas for digital telephony. The overall idea being everything was grouped under the Open Systems Interconnect standards which gives us the palindrome of ISO OSI, and the "Seven layer model" that everyone gets taught, not the DOD ARPA four layer model...

Did most people wonder why? Probably not. The answer can be found amongst the cursed mutterings from professional engineers who know a thing or three about both scalability and security, which OSI had whilst BBN IP did not. Which is largely why we are in the mess we are in today. Put simply "pragmatism is a bad idea due to legacy effects" unless you ruthlessly plan in enforced obsolescence at the point of the proverbial gun.

But even the ISO OSI seven layer model was insufficient. When we talk about the "computing stack" these days you hear jokes about "layer 8 problems" meaning the users, or layer 9 being management, and so on upwards. Whilst that Physical layer has been so split up you would need a room full of CERN Scientists to explain them all.

CallMeLateForSupperSeptember 26, 2017 11:04 AM

@Clive

I was a bit disappointed that your discussion of acronyms and touchy French persons did not include "UTC". ;-)

Clive RobinsonSeptember 26, 2017 11:08 AM

@ Who?, Rachel,

It seems that saying "hey, I had been there!" is not the current trend.

This is actually quite an old trend I noticed years ago. Put simply the first crackers[1] did their thing for "ego food not profit" as back then there was no real way to make money by cracking. The first attempt widely documented in Clifford Stoll's book "The Cuckoo's Egg" ended up with a corpse in a burnt out car after supposedly selling information to the Russians.

Much to the annoyance of someone over at the Cambridge Computer Labs, I indicated that what we now call "bot herders" were failures because they had no idea how to effectively monetize their illicit assets. Eventually people woke up a little some years later with the "China APT" hitting the US political arena.

The thing is these big volume hacks we hear about like OPM and recently Equifax are actually "the failures not the successes" thus in reality are now a quite small part of what is really going on in the way of "knowledge theft".

[1] I use "cracker" here because it gives a quite clear difference not just in ethos but also time from the earlier hackers.

Clive RobinsonSeptember 26, 2017 11:17 AM

@ CallMe...,

... acronyms and touchy French persons did not include "UTC". ;-)

I'm old enough to remember 1972, and that dastardly French "Bureau in Pounds Metric" (BIPM) stealing good old Greenwich Mean Time. But at least we got to keep the meridian after the three failed US attempts to drag it to Washington ;-)

But for the sake of concordance let's just shed our tears discreetly :'(

TatütataSeptember 26, 2017 3:49 PM

Thanks for the chuckles... The meaning of my question about Estonia's system is pretty basic: the SSN system is to provide an ID to banks, employers, tax, and social security authorities to keep track of earnings and benefits.

How do you do this with a distributed system? Hopping madly and saying "blockchain, blockchain!" doesn't really answer it.

My perception is that the individual is responsible for keeping records, and that the blockchain is there to make sure that transactions are properly registered. Something harking back to the "Lohnsteuerkarte" I became acquainted with in Germany, which was eventually replaced by electronic reporting by the employer a few years ago.

I understand that if you lost that card, you were in trouble. Ditto for electronic record carriers?


CallMeLateForSupperSeptember 27, 2017 7:44 AM

@Clive
I heard "GMT" from Naval Observatory and Colorado broadcasts for at least fifteen years before it was changed to "UTC", so for decades I have stumbled: "GMT...err UTC". Things we learn and practice from a young age are very hard to shake. Take bigotry, for example. No! Verboten here! Never mind. ;-)

For the edification of any readers who do not know, "Greenwich Mean Time" ("Zulu" to US military) was changed to "Coordinated Universal Time" (for various technical reasons). As even a casual, English speaking observer should notice, the acronym for the latter would most likely be "CUT", not the official acronym "UTC". What gives? Well, "UTC" was a compromise between English speakers and French speakers who were hammering out the details, a compromise that made both happy because neither got what it wanted.

Full disclosure: from time to time I write "CUT" and immediately note that it looks wrong.

TatütataSeptember 27, 2017 12:06 PM

Your tale about the origin of "UTC" reminds me of the story someone told me about the reason of the Asynchronous Transfer Mode (ATM) 48 byte cell size.

European PTTs and American telcos respectively wanted 32 and 64 bytes, or 64 and 32, don't remember exactly who wanted what.

So they settled on a compromise...

TatütataSeptember 27, 2017 12:48 PM

Another sloppy compromise: TIFF file readers, which must read both Intel and Motorola ordered words.

At some point I stopped bothering, and my home-brewed shlockware ain't compliant anymore, as I have yet to see a file with anything else but the "II" prefix. I'm sure I'm not the only one.

Clive RobinsonSeptember 27, 2017 2:57 PM

@ Bruce and the usual suspects,

You might find this security story from the UK's Evening Standard Newspaper[1] of interest

https://www.standard.co.uk/business/collapsed-forensics-firm-s-boss-the-police-ruined-me-now-i-fear-for-terror-probes-a3645006.html

It appears that a UK Telecommunications Forensics company called FTS had industry leading software (FTS Hex) that because of its abilities was only sold to certain Intelligence Services, but most definitely any police forces (of which there were 40 or so).

One Int Service that had a licence was the UK MI5. For some reason only to be guessed at an Officer of MI6 handed over FTS's proprietary trade secrets to West Yorkshire Police[2]. The policeman, who has not said why, chose to publish the trade secrets on an open web site... The result is that FTS has had police forces all over the place take its trade secrets and develop their own poor imitations...

Which has in effect had three effects,

1, It's put FTS out of business
2, It's given criminals and various states information they would not otherwise have had, to many people's detriment.
3, Those who have used the data have not sought correct accreditation or done the required research, thus have caused cases to fail in court...

All most odd, but not exactly unexpected all things considered.

[1] DISCLAIMER : For those who don't know, the newspaper is owned by a Russian Oligarch nicknamed "Two Beards" and the Editor is the ex UK Chancellor George "gidiot"/"White lines" Osborne, sacked by the current UK PM. So many stories have real political vitriol, let alone slant, but this story appears to be somewhat free of that. Unless of course people remember the current UK PM used to be the Home Office Minister and her less than stellar performance on Police funding may be behind the selection of the story by the editor.

[2] West Yorkshire Police have been repeatedly in the news over their very many failings, some really and utterly appalling. Which can easily be looked up on the Internet.

anonySeptember 27, 2017 3:38 PM

mobile app and web face for fully encrypted comms, without having to add keys, done automatically.

"Every file you write in there is signed. There's no manual signing process, no taring or gzipping, no detached sigs. Instead, everything in this folder appears as plaintext files on everyone's computers. You can even open /keybase/public/yourname in your Finder or Explorer and drag things in."

https://keybase.io/docs/kbfs

"The Keybase filesystem (KBFS) is a distributed filesystem with end-to-end encryption and a global namespace. The KBFS code is open source.

“Distributed” means you can access it from any device.

“Filesystem” means that there is no sync model -- files stream in and out on demand. Among other things, that means that files on KBFS don’t permanently take up space on your devices. (KBFS does use the local disk for temporary and transient data; see the "Local disk usage policy" section below for more details.)

“End-to-end encryption” means that all data stored in KBFS have guaranteed integrity and authentication, and also confidentiality when desired, and that only the people intended to read or write a piece of data can do so. In particular, we (Keybase) cannot change, read, or even know the names of your private files.

“Global namespace” means that each file on KBFS has a single unique path, regardless of the device from which you access it."

Miss PiggySeptember 27, 2017 6:46 PM

@Gordo Will Data Destroy Democracy?
Thanks for the info and video link, but I think it's too late. Data/mind manipulation appear to me to have already destroyed Democracy.

Clive RobinsonSeptember 28, 2017 1:51 AM

@ Tatütata,

Your tale about the origin of "UTC" reminds me of the story someone told me about the reason of the Asynchronous Transfer Mode (ATM) 48 byte cell size.

I remember ATM proposals, and it was an infight left and right, as the result showed (I'm guessing it's at best niche usage these days).

The big problem was not the block size but that it had to allow both circuit switched and packet switched behaviour with the former not blocking...

When I first saw the proposed specs I said something along the lines of "You have to be joking" but not quite in those words...

The really daft thing though, which shows it was designed by committee, was the name... Try googling "ATM cards" to see why. Anyone with a working brain cell could see that one coming like a runaway rhino[1].

But although I'm sure there are one or two who like ATM, it had other problems, one of which was trying to get it to be compatible with established telecom protocols that were "End Of Lifing". It was like putting real handcuffs on an immersion escapologist... The likes of Boston Networks had already seen which way the wind was blowing and had put ethernet in their switches. Then British Telecom announced their IP2000 initiative and others followed suit. What was EOLing got ripped out by all but a few. ATM was way too little, way too late and had real, effectively insurmountable problems deep down in its core. Now of course it has a niche financial cost penalty...

[1] Oh RHINO is itself an acronym, that I believe started in education about absentee pupils. As it stands for "Really Here In Name Only".

Clive RobinsonSeptember 28, 2017 5:18 AM

For those with "big data" issues this might be of interest,

https://lemire.me/blog/2017/09/27/stream-vbyte-breaking-new-speed-records-for-integer-compression/

It is a way to speed up the VByte algorithm[1] at least as fast as Amazon's patented "varint-G8IU" variety (but without the Amazon encumbrance ;-)

Integer compression algorithms designed to keep data "in cache" with the minimum of branching using SIMD instructions, are of great interest to those who collect data on individuals, be they Gov IC or Big data Corp. They can also be used for a number of other things security wise so are worth getting to know.

[1] https://www.codeproject.com/Tips/1080308/An-Introduction-to-Integer-Compression

https://upscaledb.com/0009-32bit-integer-compression-algorithms.html

Who?September 28, 2017 7:01 AM

@ Clive Robinson

This is actually quite an old trend I noticed years ago. Put simply the first crackers[1] did their thing for "ego food not profit" as back then there was no real way to make money by cracking. The first attempt widely documented in Clifford Stoll's book "The Cuckoo's Egg" ended up with a corpse in a burnt out car after supposedly selling information to the Russians.

Sorry for the delay, I found your post today.

Indeed, I read that nice book in the nineties too. A great book, full of valuable information. Cliff Stoll did a great job documenting the attacks from the perspective of someone working at LBL, the right place to get a full coverage of the incidents at that time. You are right, at that time the Chaos Computer Club was one of the few teams that were able to make money by cracking computers. But it was just a window of opportunity, they were in the right place to steal the source code of the OpenVMS operating system and sell it to people on the other side of the iron curtain.

[1] I use "cracker" here because it gives a quite clear difference not just in ethos but also time from the earlier hackers.

Indeed, sorry. As time passes I am more accustomed to think on "hacker" (on the original TMRC meaning) as some arcane word that only few people understand. I missed the point that people on this forum are amongst the few that really know what it means.

Much to the annoyance of someone over at the Cambridge Computer Labs, I indicated that what we now call "bot herders" were failures because they had no idea how to effectively monetize their illicit assets. Eventually people woke up a little some years later with the "China APT" hitting the US political arena.
The thing is these big volume hacks we hear about like OPM and recently Equifax are actually "the failures not the successes" thus in reality are now a quite small part of what is really going on in the way of "knowledge theft".

Are you aware of how worrying, but credible, your words sound? If we only read about failures and operations that go wrong, how much information is being compromised without revealing evidence then?

Clive RobinsonSeptember 28, 2017 9:16 AM

@ Who?,

Are you aware of how worrying, but credible, your words sound? If we only read about failures and operations that go wrong, how much information is being compromised without revealing evidence then?

They should be worrying, not because of the crackers, but the complacency even the largest of organisations show towards such attacks. The only reason they don't get hit more often is that currently it's a very target rich environment and the crackers only have a limited number of resources by which they can make money from their cracks.

That is, it's not the technical resources or ability the crackers have, but safely making money from such activities... That's why a lot of people have their fingers crossed that truly untraceable crypto-currency never happens.

But there is a secondary limitation, the old basic economic rule of "supply and demand" critically affects the crackers' "risk reward" calculations. It's quite clear that there is a burgeoning market for personal data, you just have to look at the Big Data Corps to see that; the problem a cracker has is credibly laundering the data to get into the premium payment game. Otherwise they will make next to nothing, and the more "black data" there is in a blackmarket the lower the price the few people who will buy it will pay for it.

So,

1, Money laundering.
2, PII laundering.

It is really only these two constraints that stop the carnage being a lot lot worse.

Now I can not put figures on just how bad things are, but we have seen bot herders with 1-2 million computers in their zombie nets. We can thus safely assume that as this is around 1% of the permanently connected computers at the time that about 1/3 were in SOHO upwards organisations that had data worth stealing.

So yes it's probably only the tip of the iceberg we see, through gaps in freezing fog.

MarkHSeptember 28, 2017 5:17 PM

High-Energy Fire at Ukrainian Ammunition Depot

The explosion (or rather, series of explosions including one of great violence) took place in the western half of the country, about 250 km from the capital in Kyiv.

The inventory of the depot was about 200,000 tons of ammunition, which I suppose must have chemical potential energy of something like 100 kt TNT-equivalent. It's not known what proportion was consumed in the fire, but the damage to the surrounding area was very extensive.

More noteworthy than the fire itself, is that this is the third ammunition depot fire in Ukraine within the last 6 months or so. Ukrainian officials attribute all three of these incidents to drone attacks.

The first two were quite close to the Russian border, but the town of Vinnytsya (where the new disaster occurred) is hundreds of kilometers from any territory controlled by Russia. A Ukrainian official noted that so far, none of these fires have occurred in depots where the ammo is sheltered from attack from above (for example, in concrete bunkers).

By the principle of least hypothesis, I would be inclined in a single case to suspect accidental fire with a cover-story intended to avoid embarrassment. However, the clustering in time of three such fires after many years without such incidents renders deliberate action a much more likely explanation.

I am not aware of evidence that a drone was used in any of these cases, or, if drones were used, by whom.
____________________________________________

We can expect the Conspiracy Theorists to shout "False flag! False flag!"

MarkHSeptember 28, 2017 5:40 PM

Meta

A couple of previous comments refer to this as a "technical blog."

I don't see it that way. In his writings, Bruce seems to consider security comprehensively, including psychology, economics, law and government policy, with some sociology thrown in for good measure.

More than once, I have seen irritation expressed (often toward the host himself!) about failing to keep it strictly technical.

This sentiment might be approximated as "why don't you stick to bits and silicon?"
_____________________________________________

My father (who earned a degree in engineering) was fond of quoting words he heard in a speech, characterizing engineers as "intellectual moles."

To a man with a hammer, most problems look like a nail. To most technology specialists, security problems look like technical problems. In both cases, it's a distortion to the point of hallucination.

Real-world security problems all exist in the domain of human desires, fears, relationships and moral strengths/failings. We try to use technical measures to respond to these problems. And often, we find that our technical solutions accomplish only a minute fraction of what we had hoped ... or even make the problem worse than it was before.

I suggest that this is a security blog, not a technical blog.

Clive RobinsonSeptember 28, 2017 7:15 PM

@ The usual suspects,

Both @Nick P and myself warned ages ago about why "signed software" was by no means secure, and what that meant in the supply chain. But as normal we were a little --all right a lot-- ahead of the crackers, so most will have forgotten about supply chain malware.

Well events over the past quarter suggest that supply chain attacks are increasing for a number of reasons. Not least of which is, surprisingly to many, better security on PCs in the way of firewalls and AV software and even "patching".

But another indicator that supply chain attacks are problematical is that the attacks are being reported in Main Stream Media.

Well this in turn has woken up other more technical journalists and we are starting to see articles like,

https://www.wired.com/story/ccleaner-malware-supply-chain-software-security/

So folks need to regard supply chain attacks via software updates as a threat that is starting to bite.

The problem of course is the "Damned if you do, damned if you don't" issue. Currently it appears that such attacks have a two week to a month grace period before they are noticed, by which time you might be on the end of some Ransomware or worse.

It needs to be said there is no certain defence against supply chain attacks when you have a computer with access to or from a communications link that for obvious reasons can not be in any way trusted.

The best you can do is by separation/segregation with the important data sufficiently "gapped" to prevent external contact. Then play the "wait and see game" by doing the patching of a gapped machine two or more months late.

But at the end of the day communication is what computers are really all about. Thus with what people --incorrectly-- think from the repeated security advice they get given are "secure behaviours", actually turning around and causing them harm, the old advice is now kind of out of date. However there is no correct advice for the majority of users when it comes to supply chain poisoning.

Which is kind of problematic, not just for the majority of users but more so for those that have to support them...

Clive RobinsonSeptember 28, 2017 10:34 PM

@ Wael,

The problem is in OpSec.

That is a more than slightly broad statement ;-)

A lot of the issues trace back to non technical middle and above management. But as well the technical managers at the low end of the management structure. They may be qualified in certain areas of technology but security in its many forms rarely makes it out of the noise floor with them.

As I've said in the past it's not too difficult to slip the equivalent of a major key leaking side channel into crypto code. Primarily because those writing much of the code, reviewing it and testing it knew next to nothing about crypto. In essence they just selected algorithms off a wish list, found example code or library code and wrote a fancy UI around what was in reality a midden of code fragments.

Thus it was all too easy to sell a tale about "shift registers" and how the parity bit was "known plaintext" that leaked key info. Thus the parity bit had to be replaced with a secure random bit generator. Which was based on what was supposed to be a Blum Blum Shub RBG, but was in fact the equivalent of a public key signing the real key bits...

The trick to get the key into the generator was to use the old malloc / free / malloc trick. You put the key in a malloced buffer to perform an action. You then free the buffer. Then the next thing to do was malloc a new buffer of exactly the same size. Thus you got the same bytes back and thus the key... The malloc trick can be found in "Deep C Secrets" where the accidental use of the trick caused part of the password file to get put in the dead space at the end of a tar file...

The point is the "productive" tier one programmers get to write the code, the second or third tier --in management's eyes-- got to review the code almost as punishment duty. Thus the code review process was doomed from the get go.

Something I capitalized on to put the covert channel in to prove a point. As I already had a new job to go to there was little risk (I was leaving because the company was crap in so many other areas as well). My last task was self appointed, which was to tell management about the covert channel just as it ended going through "Final test before release"... To say management was disbelieving was an understatement... And yes I did pull the covert channel code with a single change of malloc to calloc and a small change to the RBG.

Anyway I'd made a point and left with a clear conscience ;-) it's most certainly not what I would do these days if I went back to code-cutter style programming. I'd just be head down 9-5 and out clean at the end of the contract gig. I've got to an age where "smile, take the money and leave them happy" is the least stressful way to go.
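The malloc / free / malloc residue described in the post above, and the malloc-to-calloc change, as an added C example that is neither Clive's code nor any project's: the 64-byte "key" is constructed, the longest-matching-run measure is my own, and how much of a freed chunk survives to the next same-size allocation depends on the allocator (glibc leaves most of a small chunk intact), so the unscrubbed result is printed rather than guaranteed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed 64-byte "key" for the demonstration; it contains no zero
 * byte, so a calloc()ed (all-zero) buffer can never match any position. */
#define KEY_LEN 64
static unsigned char demo_key[KEY_LEN];

static void init_demo_key(void)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        demo_key[i] = (unsigned char)(0x11 + 3 * i);   /* 0x11 .. 0xCE */
}

/* Volatile store loop so the compiler cannot drop the wipe as a dead
 * store just before free(); portable stand-in for explicit_bzero()/memset_s(). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Longest run of consecutive positions at which the freshly obtained buffer
 * still holds the key byte. Reads are volatile so the compiler treats the
 * uninitialised bytes as real data rather than folding the comparison. */
static size_t longest_key_run(const unsigned char *buf)
{
    const volatile unsigned char *vb = buf;
    size_t run = 0, best = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        run = (vb[i] == demo_key[i]) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

enum scrub { NO_SCRUB, SCRUB_BEFORE_FREE };
enum realloc_kind { VIA_MALLOC, VIA_CALLOC };

/* Put the key in a heap buffer, release it, reacquire a buffer of exactly
 * the same size, and measure how much of the key is still visible there. */
size_t key_residue(enum scrub s, enum realloc_kind k)
{
    init_demo_key();
    unsigned char *buf = malloc(KEY_LEN);
    if (!buf) return 0;
    memcpy(buf, demo_key, KEY_LEN);              /* "perform an action" with the key */
    if (s == SCRUB_BEFORE_FREE)
        secure_zero(buf, KEY_LEN);               /* the real fix: wipe before release */
    free(buf);

    /* calloc() zeroes only the buffer handed to *this* caller; the bytes
     * still sat in the freed chunk for any other same-size malloc() caller. */
    unsigned char *again = (k == VIA_CALLOC) ? calloc(1, KEY_LEN) : malloc(KEY_LEN);
    if (!again) return 0;
    size_t run = longest_key_run(again);
    free(again);
    return run;
}

/* Allocator bookkeeping written into a freed chunk can match a byte or two
 * of the key by coincidence; a run of 8 or more matching bytes cannot. */
int key_recoverable(enum scrub s, enum realloc_kind k)
{
    return key_residue(s, k) >= 8;
}

int main(void)
{
    printf("malloc, no scrub : %zu consecutive key bytes visible\n",
           key_residue(NO_SCRUB, VIA_MALLOC));
    printf("calloc, no scrub : %zu (new buffer zeroed, old chunk not)\n",
           key_residue(NO_SCRUB, VIA_CALLOC));
    printf("malloc, scrubbed : %zu (nothing left to hand back)\n",
           key_residue(SCRUB_BEFORE_FREE, VIA_MALLOC));
    return 0;
}
```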

WaelSeptember 28, 2017 11:40 PM

@Clive Robinson,

That is a more than slightly broad statement ;-)

Some would say it's eloquent and concise.

A lot of the issues trace back to non technical middle and above management.

Right on.

The point is the "productive" tier one programmers get to write the code, the second or third tier [...] change of malloc to calloc and a small change to the RBG.

I am not sure I have seen that constellation before. Second-tier programmers never review code written by first tier programmers! They may look at it to learn - not to correct. There is no way we can cover this in a single post. But the summary is: to be a competent developer in a given domain, one must have programming language mastery, technology domain expertise, solid understanding of the underlying architecture, concepts, Operating system relevant frameworks, OpSec, best programming practices, and a ton of other things that one learns from experience, training and failures of self and of others. To be continued...

I'd just be head down 9-5 and out clean at the end of the contract gig. I've got to an age where "smile, take the money and leave them happy"

Have you ever considered that others do that as well, hence the dismal state we're in? :)

My turn to say "Got yer" - go to sleep.

WaelSeptember 28, 2017 11:55 PM

I wish @Moderator would reveal to us the delimiter where our posts are truncated. This way we can end our post on a cliffhanger or use the new feature for other innovative or cutesy tricks. I counted characters but the output was inconsistent.

WaelSeptember 29, 2017 12:06 AM

Actually, I’m kind of lazy. Better make it someone else’s headache: a truncation mark in the preview screen would be super!

WaelSeptember 29, 2017 7:55 PM

@hint,

The results depend on the definition of “word”, no?

Yes, it’s what I suspected.

This seems to confirm my hunch:

Thanks for the link.

It's gonna be something like that. (Laziness...)

Rats, no way out! More stuff to read: when everything else fails, RTFM.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.