Schneier on Security

Clive Robinson • November 2, 2018 5:54 PM

@ Faustus,

Are people afraid to admit they’ve been had or has nobody actually been successfully hacked here?

Yes where I’ve had control I’ve been hacked, but only in the tar pit I’d set up, to test bits of instrumentation kit I was developing.

All of my personal machines are not connected to the Internet, and I have a number of self designed data diodes, sluices, pumps, protocol converters, and instrumentation via microcontrolers and *nix boxes to get untrusted data into a trusted state prior to then getting it into a DMZ network where it can be preped for “energy gap” crossing.

However in the past where I’ve not had control I’ve had problems with work computers… Where I took steps to harden those I used I sometimes got told it did not fit in “organisational policy”…

Policies that were set up for ease of admin and internal software developers who had “Must have holes punched through for the latest tech nonsense to look good on a C.V.”. In such places security came a very long way down the priority list about the same place as getting stickers that said “Numbnuts Inside”.

One of the things I ask for when acting in a consultant role is “The business case for each computer connected to the Internet” most places don’t have one, and even when pushed they usually can not make one that has any real business validity…

And that’s one of the primary reasons we have computer crime, because computers that are not sufficiently “locked down” are visable on the Internet like pigeon holes on a dove-cot.

Clive Robinson • November 3, 2018 6:18 PM

@ echo,

My security is Swiss cheese. I may be lucky I haven’t been hacked in a noticeable way.

For most individuals who want some level of privacy more than security I usually recommend a variation on the “two computer” approach. One you do all your private stuff on, that you don’t connect up to the Internet or even WiFi. The second being a striped down machine you use for the Internet. By stripped down I mean it lacks a hard drive or other easily mutable persistant memory in which malware etc can be put by a run of the mill cyber crook, and it runs of a “Boot CD OS” such as one of the linux distros aimed at older less powerfull hardware.

However, you are not only concerned about the average cyber criminal that’s just looking for low hanging fruit to make a quick buck out of. You are also concerned about being targeted in one way or another. As you note,

I’m personally more concerned with my narrative being hacked by officials when within a bureaucratic regime.

Which brings up the old CIA triad question what are your levels of concern with “Confidentiality” and “Integrity” of your data? I’m guessing that as a “sole user” your only interest in “Authentication” is letting you in but keeping everyone else out.

For some organisations in similar positions I’ve indicated that actually they are better off with their information on a more physical form than a computer hard drive especially if it’s not entirely under their control or not at all in the case of “cloud” storage.

Again I reiterate that humans can only do three things with information,

1, Communicate it,
2, Store it,
3, Process it.

Whilst the first two are amenable to privacy via quite high/strong levels of encryption because the data is not being changed. The processing of data however generally requires information to be unencrypted and this means it is vulnerable in various ways both for confidentiality (a read process) and integrity (a write process).

Again a minimum of a two machine approach is recommended but with extras such as both full disk encryption and application/file level encryption and the use of “write once” media like CDs/DVDs. Along with both volume and file checksums similar to those used to protect forensic file copy integrity.

Then there is “physical security” which involves the use of safes which are not just fire retardant but also tamper evident. The easiest being a fire proof safe with “audit counter” into which a laptop can be put and a similar “off site” safe for storing encrypted backups etc.

There then arises the question of what type of backup to store. That is copies of volumes, folders, and files, or the fotensically more usefull images of disks. And how far back in time you want to keep them.

All of which needs a certain degree of capital input as well as OpSec both of which many would find difficult.

Which brings us onto your observation of,

There is nothing more dangerous than a thin skinned petty minded inadequate with a pen. I believe Cyberwar and kenetic action are merely symptoms of this.

Whilst the inadequate are frequently venal, they generally only become dangerous when they have access to either more competent individuals or the fruits of the labours of more competent individuals. Which is one of the problems with the UK’s National Crime Agency (NCA) and it’s seven sub-directorates one of which is Inteligence.

The NCA was a “Mrs May” project that basically is “Policing done on the cheap”. It is the result of supposadly combining various independent organidations over several steps. Each time the workload goes up but the funds get halved… The result is at best under qualified over worked staff who are at best mismanaged and thus little or no oversight. In their first year a judge had cause to rebuke them over attempted over reach of their powers. In essence there are insufficcient checks and balances in the system poor or no auditing and over sight…

Which means it would not be that difficult for a venal but incompetent pen pusher to “work the system” and get others to do what they can not… This includes getting access to the product of state level SigInt entity technology…

Clive Robinson • November 4, 2018 7:46 PM

@ Faustus,

Do you really have a threat model that necessitates such heavy precautions?

Are they realy “heavy precautions”?

I tend to view some as being the only “practical” way to ensure a degree of privacy, but more on that later.

How do you work out what the threat model realy is these days?

I have developed systems that are of critical importance for projects that are over the $1billion mark on several occasions. Likewise I’ve been involved in other activities where the knowledge involved is worth up past the $100billion mark. And that’s just the Petro-Chem industry, where it’s rumoured certain nations use their SigInt and IC entities to gain a “competative advantage”.

Thus that would necessitate precautions against a “state level” or “level three” attacker.

I’ve also worked on the less reputable side of the fence as it were and I have developed all sorts of covert surveillance devices and their counter measures.

And I know from practical experience just how easy it is to deploy such devices. So what some might consider “state level” are almost “younger brother level” or a “level one” attacker.

So I’ve an idea of what lengths people will go to when they think it is warranted, and how easy technology has made it for them to do so.

But it’s not just Intellectual Property we need worry about there is also the human side. Technology has made stalking, doxing, trolling, and other similar crimes almost trivial. Which is why they are very much on the rise.

Thus I get remined of a saying that used to get drummed into you when wearing the green, and how it applies in a broader sense,

Don’t leave ammunition for the enemy!

Also the falseness of that old nursery saying of,

Whilst sticks and stones may break my bones, but words will never harm me.

If seen people totally destroyed by words and driven to self destruction.

Many people this has happened to in no way thought they were of any importance. Almost like being in a car smashup, you don’t think it’s going to happen to you then it does, only then do you question why. It’s just the flip side of “the luck of the draw” in a zero sum gaim every win is balanced by a loss of equal magnitude.

In the physical world life we are familiar with however, the magnitude of the loss is almost always greater than that of the win, it just tends to get spread over greater numbers.

But when it comes to the information world the rules are different because those who win do so by theft in one form or another. But there are so many ill prepared people that there are so many potential targets that the thieves can not keep up. Thus it appears the odds of being a loosing target are random…

But the reality is slightly different. Whilst you might get selected at random to be attacked whether you loose or not is far from random. Even a small amount of self defence quickly makes you a target not worth pursuing when the attacker can exploit many more who are not defending themselves in the same period of time.

We glibly talk about it as “low hanging fruit” effect and forget there are a couple of catches. The first is what might be an adiquate defence today may well not be tommorow or the day after. Secondly people are building “informational time machines” and it’s not just National SigInt and IC entities doing it. It’s also all those transnational corporates down to even “mom and pop enterprises” practicing “Collect it all” or just “collect what you can”. Even tenagers who can barely understand an SDK are pulling code snippits from all manner of Internet sites and building apps to go in those “Walled Gardens” the phone OS and smart device OS companies run, so they can steal any data you put on the device.

I’m of a mind that they only “collect what they can” because it’s so easy to do and there is a market for it even though it might only pay pennies. But it’s actually worse than that, people throw information on the Internet one way or another without a care or thought. That is they put information blindly into cloud storage and social media, thst they would not share with other people that live in the same street they do, or the same building they work in..

Quite a few years ago in fact back last century I realised the dangers of both cookies and javascript and similar internet technologies like Flash, Java, etc. I chose to stop using them, and got told by many I was being paranoid. Well more and more people are following in my footsteps these days even if they don’t go all the way and just install add blockers etc.

Thus I could argue I’m not paranoid just being between a decade and a quater century in front of most people. Whilst others might argue that I don’t need to be that far in advance, they are kind of forgetting those “information time machines” and how they can come back and haunt you. Thus I actually think that maybe I should be a little more forward looking or as some might think “a little more paranoid”.

The point is I have more than a third of a century of as our host @Bruce puts it “thinking hinky” proffessionaly. I am infact cursed with a mind that is not just eternally curious, but as far as systems are concerned down right malicious. Just about every where I see a system my first thoughts are “how can this break or fail” followed shortly there after be of how to “subvert it” so that in effect “I make it work for me, not for the people who designed it”. The problem is not only is it almost subconscious it’s just way too easy to succeed in most cases, and there’s no fun in that. Especially when you know there is no easy way to fix it due to the way modern technology has been designed.

Which brings me back to “practicle”, as you’ve noted the easy way to protect your information is,

If I really want something to be secret, I don’t put it on a computer, I don’t write it down, and I don’t tell anybody about it.

But it’s actually not that practical a solution, due to the failing of the average human mind. That apparently these days can not remember it’s own phone number, many can not remember a four digit PIN without writing it down or changing it to something obvious. As for trying to remember five words in a random order, most can not so will rearange them to make remembering easier, thus throwing security margins down the drain.

But though you and I might be better than quite a few, even the best of us can not remember a 128bit crypto key. Worse we have trouble remembering a poem or similar sufficiently accurately, that we might get the maybe thirty to fourty bits of realistic entropy in them after the predictability has been removed.

In the main modern “technical measures” are way beyond what most can do safely, and the required underlying OpSec just gets in the way. Thus practical security has to be better than “fool proof”, it has to be “ordinary user proof” to have a snowball in hells chance of working.