Schneier on Security

Clive Robinson • January 5, 2019 3:08 PM

@ Alyer Babtu,

for an extra fee, a blue button to get things back to the way they were.

The universe is neither as avaricious or as forgiving as Daffy Duck. So there will be no “blue button” or for that matter Matrixy “blue pill” option…

Clive Robinson • January 5, 2019 7:03 PM

@ Rach El,

It’s about the problem with the TSA

Hmm “problem singular”…

I guess that would be that “The TSA exist”, I suspect I’m not the only person who thinks,

Whatever the rational solution to aviation security is, the TSA is not it.

The TSA is a fine example of US tax dollars being used most inappropriately…

Clive Robinson • January 5, 2019 8:08 PM

@ ALL,

Speaking of Germany and mobile phones and other electronic data.

It appears that various politicians and personalities in Germany have had some of their communications leaked to the public over December and the New Year. However the German Federal department responsible (BSI) for notifying people appears to have been somewhat tardy, and those effected have been fonding out through the media…

It’s been noted that there are no “Far Right” people that have had their communications leaked. Thus various people are plaiming far right activists in Germany and Russia.

Unsuprisingly who is actually behind the disclosures is not currently known (publically). So such attribution is at best knee jerk posturing. Hopefully there will be some credible evidence presented in court, if the authorities can actually progress that far.

Clive Robinson • January 6, 2019 7:20 AM

Another Side Channel to Worry About.

If it were not for the serious security implications this would just be jolly good fun.

First a little history, in times long past half a century ago, in the days when main frames ran “batch jobs” and had clock speeds down in the kHz range, you would often find as a “debugging aid” an AM radio on or next to the “opperator console”. The reason is the CPU activity could be picked up on the AM radio as a series of clicks, buzzes and tones as a program run. Tones were made by loops, buzzes often by I/O and clicks by the CPU waiting on input. As an operator a long tone was indicative of a program getting stuck in a loop etc.

Well at some point somebody started to write fun little programs that played jingles and melodies as ammusment.

Spring forward to this century and Software Defined Radio (SDR) started to become practical without dedicated DSP chips. What realy got things going was the “RTL-Dongle” that was ment to receive FM Broafcast and UHF Television but the chip turned out it could receive just about everything from 10MHz to 1.5GHz all for around $10…

Whilst that was a receiver there is another side to SDR which is that of a transmitter. Slightly more expensive dongles can also produce 0dbm to +20dbm of transmitter signal, which with just a length of wire and the right VHF/UHF signal can be received at 100m to more than 10kM away from the dongle.

If you look back over this blog you will find that when I’ve talked about TEMPEST/EmSec and side channels that I’ve said is all you need is a serial data signal that you can modulate in some way such as timing jitter etc.

Which brings us onto this,

https://hackaday.com/2018/12/06/your-usb-serial-adapter-just-became-a-sdr/

What Ted Yapo has done is just that. He has taken an ordinary USB-Serial dongle and used the serial data signals to radiate out a lowish frequency carrier wave. That like the CPUs of half a century ago can be modulated to play music or in Ted’s case control a 27MHz Radio Control car.

Whilst something similar has been done with USB 3.0 to VGA adapters they are not very common as dongles, and many people won’t have seen them. However the USB-Serial dongles are so ubiquitous that there is a very serious market in counterfeit FT232RL chips[1].

From a securiry perspective, if you can control an RC model car upto 10m away then it is going to be fairly easy to send a low bandwidth data signal two or three times that range with more than sufficient bandwidth to leak KeyMat for AES or PubKey etc[2]

It’s just another usefull “air gap” crossing trick for attackers and yet another thing to remember and to check for when trying to set up a secure system. It’s why upto date security specialists should not just know quite a bit about SDR they should also carry suitable kit in their tool box to not just find such tricks but also put preventative measures in place[3].

For security professionals you need to be up on RF and complex modulation systems from software. The “steed has left Pandora’s horse box” on this and it’s no mule it’s a full on racing thoroughbred. We will see more and more such attacks work their way down from clued-up hackers down to the likes of the SigInt agencies and maybe the academics in the next year or so. After all why go to all the troubl to make and install “hardware implants” when you can “re-purpose what’s already there”… It’s way more stealthy and with a little care very difficult to find (look up LPI and DSSS systems all of which are simple software mods).

[1] Quite a few people will remember the howls of protest when FT quite deliberatly changed the FT Driver code sent out with Microsoft updates that stopped so much external hardware working… They were forced into a climb down much to their understandable disappointment.

[2] To see what is truely possible with SDR have a look at the Amateur Radio FT8 slow data mode that gives something like +30db over morse code which can give you over thirty times the reliable path length to operate over. Thus if you can get the FT232RL to transmit it you are looking at over half kilometer or around a third of a mile range…

[3] One thing I would recomend is all “security specialists” get their full Amateur Radio / HAM certification. Much of what you have to learn in the more advanced levels will teach you the things you need to know. Likewise following what some areas of Amateur Radio experimentation is all about will help you “think hinky” which will put you quite aways in front of those also ran security bods…

Clive Robinson • January 6, 2019 7:43 AM

@ Usual suspects,

I can not remember if we have covered this or not…

Bit Facebook has a patent for identifying images take by the same camera die to physical artifacts such as dust on the lense,

https://gizmodo.com/facebook-knows-how-to-track-you-using-the-dust-on-your-1821030620

Clive Robinson • January 6, 2019 8:59 AM

@ Usual suspects,

A number of us do not like all in one monolithic kernel OS’s like the majority of “Commodity Computing OS’s” such as BSD, Linux and Microsoft and Apple offerings.

One reason for this is security. Monolithic kernels have a massive surface, thus a significant complexity where in lies many attack vectors, where just one success gives the keys to the kingdom.

Well there are other options which os a surprise for many. One of which is HelenOS,

http://www.helenos.org/wiki/FAQ

Which has just anounced it’s 0.8 release. Yes it’s a University OS which is both good and bad. But does mean it’s more likely to be around for some years to come.

But another perceived issue with comercial computing OSs is “bloat”…

I’ve given up on MS after XP thus can not tell you of the top of my head just what is needed for the latest Win10, but it’s likely to be immense. Likewise Apple and to a certain extent Linux and BSD.

However both Linux and BSD can be striped down a lot such that both will run on quite small and very inexpensive microcontrolers.

One striped down Linux many will of heard of but not thought of as a usable “user system” is OpenWrt. It has a very small footprint and is a good place to start looking if you want to build your own IoT or Wireless microcontroler project as it supports about fifty platforms many of which you can pick up second hand including 486DX motherboards for penuts so have no worries about experimenting on,

https://openwrt.org/docs/techref/targets/start

The downside is OpenWrt is designed to run headless which means you need “terminal access” be it an actual terminal, telnet/ssh or web browser. So for the slightly more advanced. But if you can hack HTML etc then you can make “network servers” quite easily.

If you feel you need more than Web or CLI access then another project for Intel/AMD platforms from 486DX upwards, Raspberry Pi and ARM7 is TinyCore Linux,

http://www.tinycorelinux.net

When the Damn Small Linux (DSL) team imploded three of them set out alone and Tiny Core in it’s various forms is the result.

It runs out of RAM which makes it a whole lot faster, and also reduces wear on any Flash ROM storage you might be using. I know a couple of people swear by it for use on their Raspberry Pi’s and various Armature Radio programs because it runs quite a bit faster than other Linux Distros for the Pi.

Then if you’ve an old 486DX hanging around with sufficient RAM and a couple of DVD drives (possibly not) or one of the new 486 clones as the patents etc have expired then there is the old faithfull all singing all dancing “live-DVD” Knoppix,

http://knopper.net/knoppix/index-en.html

However like others I’ve noticed a few problems with the latest version which suggests the maintainer needs to be doing a little “spring cleaning” on their build system to fix links etc. Being a mainly CLI user that’s generally not an issue for me, however it probably will be for those newish to Linux.

I won’t go into the stripped down BSDs but in general they have been easier for Product Engineers of FMCE and other Commercial offerings, not just because they are “more traditional” but because the licencing issues are usually acceptable where as those for Linux tend to use are not…

Clive Robinson • January 6, 2019 1:14 PM

@ gordo,

I can’t say I’ve been out protesting or done anything more than share my opinion and look on in sadness.

All things concidered it might be best if you stayed that way. It would appear the US has some quite nasty legislation that any sitting President can use to “attack” all maner of humane behaviour in US citizens should the sitting President decide to call a “National Emergancy”. To see what some of them are you might want to read this article from the Atlantic,

https://www.theatlantic.com/magazine/archive/2019/01/presidential-emergency-powers/576418/

Remember although the author, Elizabeth Goitein is clearly trying to incite by the continued use of “Trump”, what has been written applies to any sitting president current or future…

Untill that is Congress gets it’s act together and forfills it’s legal obligations which it has singularly failed to do with respect to enacted emergancy powers in our life times.

It is something the author whilst indirectly mentioning noticeably skips around calling Congress out on, for what ever reason.

That is how the article comes across to a non American without any real skin in the game, so I’m not going to get into that aspect any further.

The main point how ever is to see what fairly nasty legislation Congress has provided a POTUS with over the years and how easy it would be for an ordinary US citizen to fall afoul of them.

Clive Robinson • January 6, 2019 2:25 PM

@ Bruce,

One to add to your folder on “security and games”.

https://github.com/jes/chess-steg

However unlike the usual stuff about catching cheaters, this is about steganography. That is encoding data in the moves of a chess game, by first converting the data to a single number then using the number to produce the moves in the chess game.

Clive Robinson • January 6, 2019 2:51 PM

@ gordo,

… is whether the legislative has sufficiently immunized itself from overthrow, “at the stroke of the pen,” by the executive.

Based on the little I know, the answer appears to be “no” because Congress leave themselves liable to the often capricious whims of SCOTUS, who inturn can be brought under the whim of thr executive in various ways.

Clive Robinson • January 7, 2019 3:52 AM

@ Alyer Babtu, 65535,

And let us not forget QNX !

It’s a funny beast from memory, being an RTOS with POSIX Real Time Extensions compatability. I’ve not had anything to do with it for years though.

What it got right was a very tiny microkernel that did as little as possible giving a low attack surface. All it realy did was setup initial process space, scheduling, timers, interupt handeling and the magic glue that held it all together Inter Process Communication (IPC) which it combined with part of the scheduler (basically all the stuff that got lumped under POSIX.1b real time).

What QNX had right was the IPC they kept it simple, low latency and importantly not causing issues with the scheduler.

Not getting IPC right is what makes most *nix clones “chocolate teapots” when it comes to even Soft RTOS work.

As I said it’s been quite some time since I looked at it seriously, well it was actually last century… I kept a watching brief on it untill QNX got sold off the first time. Usually such activities sound a “Death knell” for the subsumed companies technology inovation. Then when it got sold to RIM I realy lost interest as RIM had a certain reputation and well lived down to it as usual.

The big problem is “licensing” prior to the RIM take over QNX were starting to go down the Open Source route. RIM slamed that shut and started playing with licencing in ways that did not bode well.

So rightly or wrongly I’ve regarded QNX for the last decade as more closed source / walled garden than even Microsoft OSs. What the actual current state of play is I’ve no real idea.

In part because my attention has been shifted to L4 microkernel systems some of which are Open Source, others such as PikeOS are closed source but with “bullet proof Hard RTOS” credentials.

Clive Robinson • January 7, 2019 5:44 AM

@ Rach El,

Most Polive Forces fail to meet forensics fingerprint evidence standards

But it’s not just finger prints…

From the article,

This institution is kind of a “flag waver” for forensics… Thus for them to say that it’s realy indicating that basically forensics is a bad joke in the UK and most probably everywhere else.

But that should be nothing new for readers of this blog, I’ve only been mentioning it for oh the last decade or so 😉

But for those who need that academic opinion in case they think “I’m killing the golden goose” yet again,

However what she has not mentioned is that most forensic science is actually not science in the accepted sense. And no it’s not just the issue of the “opinion” of individual investigators, it’s way more fundamental than that.

People in forensics come up with some quite bizarre ideas, that realy “do not pass the smell test”. They get away with it for two reasons,

1, Nobody wishes to challenge a new revenue idea.

2, They argue from effect to cause thus can make it up as they go along.

It’s that second point that’s important and the classic example was the idea of “pour patterns” as proof positive accelerents were present at a fire thus it was arson etc.

Put simply burn patterns on floors and other surfaces looked to some investigators eyes to be just like patteners you get with liquid accelerants such as gas/petrol etc burning. But the standard and actually scientificaly reasoned tests for indicating hydrocarbons or other fuel sources failed…

Thus you had a pattern but no fuel traces. So rather than say “hang on a moment why no fuel traces?” the reasoning was the fuel must have fully vaporised or was something the tests did not pick up for some hand waving reason. Thus the entire forensic community simply said “pour patterns are proof” positive fuel tests are a nice bit of corroborative information, but not realy required (so why pay for the test at all…).

Well this went on for years till somebody actually tested the idea that a room could be engulfed in fire with only a point of ignition like a cigarette. Guess what they found, not only could a gigarette do it but as a concequence of the way the fire actually burned you got scorch / charcoaling that looks just like pour patterns…

Ops god alone knows how many false imprisonment or fourced plee deals…

That is what happens when you go from either effect or assumed effect backwards to a cause of your choice. It’s why it’s not science, never was nor ever will be.

And it’s not just pour patterns theres a whole load of now discredited forensic proofs that have been used to jail people… The more memberable ones “Cocaine traces in bank notes” meaning you arr a dealer or user, then it was found that something like eight out of ten bank notes in circulation had cocaine in them. Then the “bullet alloy” it was argued that a match on bullet alloy metals proved that a bullet came from a certain batch. Well even the industry knew that one was not true as did any scientist, molten metals still have different densities thus “settle” just as other liquids do. Depending on where you chose to cut and sample a bullet you will get a different ratio of metals. Thus the test was a compleat nonsense, but it carried on as a forensic test, because it was just another way to get a conviction at trial.

And that’s the real point about forensics, they are used by prosecutors to get convictions not by the defence to find people innocent. Because forensic findings do not get properly challenged you can get away with just about any kind of nonsense test as long as it sounds “sexy” and has “CSI appeal” with big flashy names and long words…

It’s also why supposadly independent labs cut corners and get away with it. Prosecuters want things to convict with, police have scarce budgets, labs want that budget, thus implicitly the effects of any over supplied market comes into effect. You get a race for the bottom as price has to go down whilst profit has to be made which means costs thus recources have to be pared to the bone and often beyond… As long as the police get the positive matches they want the will regard the money as,well spent, but not otherwise, such is the nature of the human condition. Therefor there will be an incentive to “spend where it gets results”, those with a financial interest in labs know this, and they will aim to please on way or another to get a slice of that Police Pie…

There is an effect called “millers thumb” from an old trick mill owners used to make more profit[1] the modern equivalent is “thumb on the scales” which when allied with cognitive bias is a very very dangerous thing for justice, but not for prosecuters or politicians who see the faux results as career enhancing.

[1] The miller used to give “measure for measure” not “weight for weight” when grinding peoples corn to flour. The measure was actually by volume using a “scoop” that supposedly held a pound of grain or pound of flour. The miller would demonstrate this if challenged and it would be found to be correct. However the design of the scope was such that you could hold it in a number of different ways, one of which was with your thumb actually in the scoop, so the customer got maybe half an ounce less per scoop or a loss of around 3% of the flour they should get. Obviously a miller with a fatter thumb would make more profit.