Schneier on Security

Clive Robinson • May 9, 2019 8:48 PM

I realy wonder sometimes if the bulk of people in government actually know anything about computer security…

Maybe Ed Snowden was the last?

But just to make it clear,

1) In this day and age ALL file access is fully audited, in rather more than just Government levels. Even those that are alledgedly unclassified[1].

2) In some places the file each person gets is subtley altered in any number of ways to effectively “serial number” it against the user ID.

3) There is no easy way to delete files off of thumb drives, they are designed in such a way that data only gets erased when there is no more “free space”. Even trying to “overwrite” a file does not work either, and the actuall capacity of the device internally is likely to be a percentage or ten bigger than what it tells you again by design.

So remember if you are going to use a thumbdrive,

A) Buy a new one from somewhere and pay cash not card.

B) Use BSD or Linux to do an erase of the device by wiping the directory then writing sufficient large data files that you fill the drive as best you can with random data, this could take several hours.. And with cheap Amazon and other outlet sourced famous name “knock offs” the drive could well break.

C) When you have copied files under a username not associated with you onto the drive and have got it out, copy the data to media that is relatively easy to destroy. Once you have read the data of the thumb drive destroy it[2] immediatly and dispose of the bits “far far away”[3].

D) Get a cheap throw away combined printer and scanner. Get hold of an older “boot disk” CD/DVD that can work with the printer/scanner, remove the hard drive from the computer and boot from the CD/DVD.

E) Sanatize the files by converting to text format then print them out from a programers editor, redact details with a modeling knife and scan back in as an image file. If you can move the printed out redacted copy whilst it is being scanned in so much the better. Humans can ignore quite bad distortion and read text that watermarking systems can not make sense of.

F) Having saved the files to an easily destroyed piece of media such as a CD/DVD destroy by burning and ash&water paste making the print outs and redacted pieces. You also need to dispose of the printer/scanner. The easiest way to do that is clean it up put it back in it’s shipping box add a note that says “Working, nolonger needed please take” and leave it outside a corner house in an urban street that does not have CCTV or particularly good street lighting.

G) Clean the media using soap water and mild solvents twice to remove finger prints DNA etc and deposit in a clean envelope from a fresh packet you have not touched, then put it inside a ziplock plastic bag. Hide it in the equivalent of a “dead letter drop” where it will not be found.

F) Wait several months at least. Then if nothing changes at work and you see no sign of “oddities” that might suggest surveillance, retrieve it.

G) Use an anonymous way to post it. I won’t go into this because there are too many differences from place to place.

The above is by no means the best way to do things, because what is best in one set of circumstances is not in others. It’s just a base way that will probably work in many cases if you are not already under surveillance. However there are other things that are almost certainly missing from the above list you will probably need to do, that are particular to the situation of your location etc.

The most important thing to remember is “Don’t Use Any Kind of Electronic Communications” no matter what journalists and others might think or say, they will most definitely get you caught. Even carrying a mobile phone around is as good as putting the noose around your neck. Oh and they have a “Catch 22” element, in that not carrying one suddenly is deeply suspicious as well. Get into the “gym-bag habbit” that is turn the phone off and put it in your bag or car glove compartment when you go to the gym. Be eratic about if and when you turn it back on again. Go to the gym on a Friday and leave the phone off in the bag untill “wash sunday” or similar. Develop slightly odd hobbies such as geo-caching or orienteering or just bike riding all without your phone or with it off.

Yes it looks difficult to do and easy to mess up, and it is. Whistle blowers and leakers to journalists realy are seen as “public enemy number one” currently and more resources will get used to find them than to find serial killers.

As the old saying has it “If you can’t do the time, don’t do the crime”

[1] Remember it is not beneath the NSA seniors to reclassify a document and make it classified even though it might have been unclasified when you looked at it. They’ve done it before just to nail someone for apparently no better reason than somebody thought his face nolonger fit…

[2] Destroying thumb drives beyond recovery is not easy, many use the same chips/technology as the more modern “Black Box Flight Recorders” that are supposed to survive a plummet from 50,000ft, burning at 1500degrees and submersion to a significant depth amongst other things. You will need various tools including a hammer and center punch and an intense source of heat. There are other ways but most have similar disadvantages to those such as fuming-nitric, Hydrofluoric or aqua-regia acids. They are not things you want around, not just because they are dangerous they are quite suspicious unless you have certain established hobbies such as glass or plate etching. Nitric acid is a known precursor for “anarchist cook book” type explosives and in it’s fuming form will cause many organic materials to catch fire and has been used as part of rocket fuel in the past. Some of the more serious “hobby” rocket engines use strips of old rubber tires and nitric acid, to produce what looks like explosive thrust.

[3] You realy don’t want even tiny fragments of a destroyed thumb drive anywhere near you, your home or other locations they are way way to suspicious. So not only do you want to do the destruction away from home, you also want to disperse the parts as far and wide as possible. Chucking them out as dust on a well used road or freeway would be good if it were not for the fact that if you were under surveillance you would almost certainly be photographed “chucking it out the window”. Certain drug dealers have solutions to this particular problem but I won’t go into them because many are mechanical contrivances that would be found on the sort of vehical search you would get if you were under suspicion.

Clive Robinson • May 10, 2019 10:04 AM

@ dumb pilot,

An airplane’s FDR/CVR is generally protected by its casing, not by the specific chips it uses.

There is no case on earth that could protect the chips in a flight data recorder from the deceleration G-force of a sawn dive from five miles up, that is all down to the chip, it’s bonding, encapsulation, lead-out and fixture to it’s mounting on the PCB or equivalent used.

That is fundementally it’s the chip it’s self that survives the G-force. A number of chips have been tested at more than 100G for use in all kinds of electronics including fuses in munitions fired from howitzer and larger[1] weapons. The chips used are mechanically and electronically no different than those used in man-carried infantry equipment and simplistically little different other than burn in testing than components used in industrial and some consumer equipment. The reason for this lack of difference is actually “inventory cost”. However I’ll let others work out the required acceleration in the M777 howitzer’s just over 5m barrel to get a 155mm M795 47Kg shell to travel more than 30Km.

As for salinity most chips are manufactured in a way where it’s only hydrogen or helium ingress you have to worry about but only with some device types,

http://file.scirp.org/Html/1-4200102_40952.htm

You’ld be surprised just where the problem has shown up, search the Internet for stories of failing Apple iPhones in hospitals with NMRI systems that have had the cryo-cooling dumped.

With plain salinity, if there is no power on the chip then all you realy have to worry about is dis-similar metal anodic corrosion. With modern packaging and construction you would be waiting a quite a long time for that to get through the package and in to the chip.

As for “extream heat” as any graduate physics student should be able to tell you it’s not the “heat” extream or otherwise you need to actually worry about, it’s the energy against time and the conduction path characteristics between points along it. There’s a reason why heatsinks are measured and rated the way they are and in very high power RF systems they use graded metals from chip to anodization on the air interface in the air ducting. Doing the calculations are more tedious than they are chalenging, and most times design engineers just “over-spec” by a factor of two or more. It’s only when designing systems where there is a lack of “working fluid” that things get interesting. For example have look at the background temprature above 100K(1e-4N/m^2) you’ld be surprised at just how much thermally unprotected electronic equipment runs up and beyond there with expected “no-service lifetimes easily exceading thirty years.

But it’s not just low density high temprature plasma that chips survive in, chips in mobile phones can and do survive the plasma you get from quite large quantities of various types of high explosive going “high order”.

Whilst the exact details are classified in the US (but not other jurisdictions) you will find that the old secure destruction techniques used by the likes of the military and IC communities of thermite and concentrated acid are known not to work at all well with electronics. Likewise shaped charges on or in the equipment deployed from a “destruction kit” are unreliable at best with chips. Thus actual chip packaging has been specially designed with shaped charges built in designed not to melt or burn the chip but to shatter it into pirces way way smaller than grains of sand… and guess what, they were found not to be sufficiently reliable not just to use in equipment but actually to destroy the chip. Thus the idea of “full encryption of data at rest” was extended such that anything outside the microcontroler chip such as RAM and Flash chips were included. Having such encryption on the microcontroler buses is not just a real bottle neck it’s power hungry which causes a multitude of other issues. Which is why more recent research has involved actually designing structures into the actual chip,

https://www.researchgate.net/publication/261455019_Study_of_ASIC_self-destruction_technology_based_on_MEMS_initiator

As I have said secure erasing of the chips in thumb drives is hard very hard it takes a lot of energy and time which ever way you do it. In comparison writable CD/DVD is quite a bit easier other than the “toxicological disadvantages”…

[1] The M795 and other 155mm shells can be fused with the two dimentional ‘Corse Correcting Fuse’ (CCF). This all electronic fuse uses GPS navigation to provide what is refered to as “near-precision accuracy”, which generaly means tighter grouping such that the a ‘circular error probable’ (CEP) –average radius– is reduced by around a factor of three to ten depending on the system used. The CCF can be employed on all types of U.S. 155mm projectiles in the U.S. Field Artillery inventory, not just the newer longer range HE/frag M795. There are however other much more accurate and longer range shells, have a look at the M982 Excalibur, they are looking for a CEP of 5m (16ft) and a range of 57Km. So as one member of the military was heard to remark “Designed to drop in your sitting room from half a state away”… in short you can run but never rest.

Clive Robinson • May 14, 2019 5:25 PM

@ TIARA GNOME,

If they can no longer do their duty, especially because they are suddenly violating the U.S. Constitution, for example, then they should sign that non-disclosure agreement and walk away.

Also if they do get caught, breaking the public law or rules there should be real penalties not a “tut tut scouts honour”. For instance those who get caught, should get the same penalties the USG is pushing onto what they see as whistle blowers upto and including those punishments various senior politicians have claome the likes of Snowden and Assange should receive.

That is there is a social contract, as with all contracts there should be equity. Further the politicians, and government entities work for the people not the other way around, and the judiciary has no right to chease pare or salami slice the rights of those domiciled in or withon the boarders of the USA. Further US legislation and it’s aplicability should be held within it’s boarders. The US legislators have no right to impose their view on the rest of the world, I should have thought they would have understood this because as far as I am aware every US school child is taught about “No Taxes without representation”. Further there should be no secret laws or judicial decisions, they are totally and uterly destructive to society. Further no Federal or State law enforcment or other agency employees, subcontractors or others working directly or indirectly for them should in any way expect immunity from their actions. That is they should not expect an automaric “get out of jail free card”.

But more subtly every time they bring action to caught against individuals they must prove their case or be subject to significant sanctions. At the very least they should not only pay all the defendents legal and other related costs, they must pay significant sums for damaging an individuals reputation, social standing and mental harm.

If this is not done then there is no incentive for officials not to use faux charges to destroy individuals or get perverse judicial decisions. Repeated offences should have a “three strikes and out” where the individual is then prevented from not just bringing, but be involved with any prosecution by federal or state entities, nor should they be alowed to stand for any political office.

But formost is that ‘striking deals’ by Plea Bargaining should be stopped entirely, it is inhumane as it is a significant and unjustified method of coercion by method of mental tourture, that we know has driven people to suicide. Therefore it has absolutly no place in any judicial system at any time.

Oh and any judge found to have had contact with comercial organization that run prisons should automatically be disbared and such organizations should likewise be barred permanently from running any prison or related system. Further the officers of the company should be prosecuted and given jail time for corruption and bribary, and they should not be able to buy their way out with fines because they will only be paid from inflating costs at the tax payers expense.

Unfortunatly none of the above will happen, as should be obvious to most in the US who care to read and think for even a few minutes must realise that with very little exception the folks on the hill are corrupt beyond any excuse. As the old saying has it “Birds of a feather fly together” and they look after their own and those enriching them in various ways.

As I mentioned a few days ago John Bolton, was responsible for getting no limits put on election funding. Thus he is almost single handedly responsible for opening the flood gates on political corruption.

Clive Robinson • May 14, 2019 7:57 PM

@ throwaway190514,

I heard that CD burners write their serial numbers in the CDs burnt.

It’s not an unreasonable suposition to work from for all data storage technology. Think about various programs from Microsoft etc writing headers with huge amounts of identifing data hidden away in file formats.

However CDs and DVDs are fairly easy to destroy with a glass with a 100ml of water in it and a microwave oven. Just put it on max power max time and hit the start button. Then get out the door before the fumes raise your cancer risk or have other “Toxicological Disadvantages”.

You can even have fun with some “liquidisers” and some flamable spirits. Which can fairly quickly turn CD/DVDs into “fire starters”. Even a kitchen electric toaster set to max will have unfortunate consequences on their subsequent readability.

Older floppy disks such as 5 1/4 and 8 inch that don’t have the annoying metal bits are even easier to destroy very quickly and with little or no remains.

Even hard drive platters that are often made of thin glass can be destroyed with a pocket lighter as you get the coating well above it’s Currie point, and almost as quickly can be crunched/splintered into tiny fragments.

Which brings us back around to Solid State Storage such as the chips on thumb drives and hard drive replacments. As you observe,

If you drill a hole through the chip, or use a rotary tool with a grinding stone to grind it into dust, it should be neigh impossible to recover any info in it.

Have you tried it? I have and although it can be done you have issues to do with getting a drill of sufficient size to do the job without it “snatching” and tearing the flesh from your fingers. Worse is some solid state memory devices contain “thermally conductive potting compound”. Put simply it gets it’s thermal conductivity due to using a loading material like powdered quartz. Quartz is known to eat even dimond and carbide tipped tools.

But also it’s a very slow potentialy dangerous and unreliable process, all of which makes it not appropriate for most people to use. It’s also not a method you can use in a hurry or at the flick of a remote switch unlike many of the above. Thus you are not going to be able to do “data destruction” whilst they beat down your door nor are you going to be able to use your escape route (you do have one don’t you?).

There’s a lot of thought you have to put into your OpSec if you don’t want to rot in jail on a fifty year –effectively life– tarrif. Drills and grinding bits just don’t fit in with the OpSec.

Oh and one last thing, PC’s with USB are almost guaranteed to have lots of Flash ROM in them, kind of ideal for surveillance-ware to be hidden in, that even most experts would miss. Older hardware that has only floppy drives and Parallel IDE –not serial– hard drives are no where near as likely to have hiding places for Surveillance-ware. It’s knowing little things like this that keeps you ahead of the hounds in “The Great Game” which whistleblowing has now become.

Clive Robinson • May 16, 2019 8:44 AM

@ onoff,

Seriously, just put the damn thing in a blender and dispose of the powder down a drain, into the air, into your lawn, etc.

Not “your” clothes, drill, vice, blender, drain, lawn or anywhere else related to you, as I originaly indicated you do have an issue with proper disposal disposal.

The dust from IC packaging is fairly unique chemical wise, and easily gets embeded in places where cleaning it away is at best difficult. The likes of the FBI will nodoubt at some point make claim as they did with bullet metal composition[1] and numerous other “trace” evidence that it can be used as positive proof. That is not just a “fingerprint” but one that is not just comparable in a vey limited “batch” but also “traceable” to a range of manufacturers etc, so is in effect a “serial number” so conclusive proof for tracability back even to purchase. So you don’t want it around you, your cloths, your property or work places or any other place where people know you have been. You also don’t want to have the tools no matter how cleaned up in your posession, because they are not “common household items” in the minds eye of the majority, so unlike a Microwave oven possession of tools can easily be portraied as suspicious, if not argued to proof positive.

The problem with the “dust” is trace analysis and contamination and how far many career oriented people will go to prove a case. Look up the “Jill Dando Killing” and the man[2] first convicted then cleared of the murder (and the judicial “old boy network” kicking in to deny compensation).

The man appears to have not only had several mental disorders, but a low IQ and could easily become not just confused but suffer significant physical pain when put in anxiety producing situations. As with many wrongfull convictions the police had picked him up as a suspect simply because he lived in the area and was known to them. They fairly quickly droped him from their enquires only to come back to him later as they got despetate to show results and the adverse publicity ment they had to have a “suspect” and as they say “any suspect would do”. They then went about not building a case based on the facts of the case but by building a case against the man and his differences to the mythical “normal man”. For instance there were claims he kept newspapers with pictures of female celebraties in suggestive clothing in them, which of course ment he was a pervert / stalker… Well what they did not mention was that he lived in what some would consider a slovenly state and had lots of newspapers stacked around a hording habit is common with many forms of mental illness such as depression that efects around a quater of the population. Also that not all the newspapers had “girlie pics” in them or that “girlie pic” pictures of female celebraties in minimal cloathing in free and cheap red top newspapers are very very much the norm rather than the exception as they increase circulation figures (look up Rupert Murdoch of News Internationals comments about “tits and bums”).

The only pieces of alledged “evidence” from the actual crime was a single microscopic speck of alleged gun shot residue and a questionable fiber of fairly common origin. As proof of anything, they only real proved the failings of the “bad science”[3] of forensics and likrwise that of “handeling of evidence” rules and real implamentations[4].

Which brings us around to your point of,

He didn’t have any CP. He had a destroyed USB stick. They called it destruction of evidence and convicted him of CP anyway based upon the destroyed USB stick.

This is the way “get the perp” or “show trial” prosecutions work, “Justice has to be seen to be done” not actually done, it’s little more than a formal lynch mob. Usually conviction is not by evidence but character assassination and turning minor behaviours into “sign of guilt” and argue it up to “proof of guilt” in a form of bear-baiting mass media entertainment. The UK had one with “wierd faux science” and worse that was “Operation Ezdell”[7].

The more news worthy the crime or the less ability the accused has to defend themselves the more likely it is to happen. Also the more resources will be devoted to “get the perp”. As a possibly extream example work out how much money the US Gov has used in it’s pursuit of Whistle blowers and journalists this century. It easily exceads billions of USD when you add in the “political manipulation” of entire countries.

Thus if there is even a microscopic item of IC packaging dust, it will be found, and worked up to “proof positive”, because “heroic officers fighting the odds” makes good copy, and great publicity not just for the officers careers, but the agency, and most importantly the politicians…

The reality is that all too frequently innocent people get rail-roaded into jail or plea deals and those responsible walk away even when their misconduct has been found to be criminal.

It’s why more and more people in the US are loosing faith in the US Justice process, and raising not just eye brows but questions about the number and types of people in prison and the safety of their convictions. Similarly the UK and other countries where politicians beat the “hard on crime” drum.

[1] The FBI forensics labs have a history of “bad science” and it knows this and just laughs it off. Thus in effect the FBI has no qualms about committing perjury, as more recent cases have shown. The example of “bad science” forensics that some will remember is the claims the FBI made about the composition of the alloys used in bullet manufacturing. When “good science” was used the FBI forensic lab claims evaporated as they had with their other exposed “bad science” (expect this to get orders of magnitude worse with Computers and Communications, especially AI).

As I’ve remarked before forensics is littered with examples of “bad science” for a number of reasons. Firstly bad science is almost always a lot less expensive than good science. Secondly science good or bad is mumbojumbo to most judges and juries thus can be talked up from compleate nonsense to absolute proof by prosecuters with the charisma and averacious mentality of Cargo Cult Leaders. Thirdly bad science techniques are almost always very far from robust, thus can easily be “fritzed” with just a little knowledge that first year undergraduates in the physical sciences would have, or the more curious high school students.

There are quite a few more reasons but most importantly forensic science works in the wrong direction, that is it moves from effect to cause… Which is very much the wrong direction, not just for science but deductive logic. Because it is not a “reducing” but “expanding” process and very quickly becomes an argument of “opinion” not “science”.

The clasic examples of such bad science forensics are the old gold standards of “pour patterns” and “fingerprint matching” as prima facia evidence argued as proof positive… When in fact they are anything but.

In order “not to kill the golden goose” those involved failed to carry out “disproving experiments” for generations. When they were carried out both “pour patterns” and “fingerprint matching” were found to be sevearly wanting at best and down right dishonest in the main. Both failed the simplest of proving tests that is the “Double blind test” so routienly used in other branches of science that you have to honestly ask why “forensic science” does not use it…

[2] https://en.m.wikipedia.org/wiki/Barry_George

[3] One of the examples of bad science in forensics is the implimentation of the “contact/exchange principle”. Dr. Edmond Locard’s Exchange Principle is concidered the primary if not foundation touch stone of forensics and although intuitively obvious it’s actually used as quite bad science and it’s implementation usually rests on several false assumptions. Basically it says that if objects come into contact they exchange trace evidence, which can be shown to be actually not true in all cases. Thus the first failing or false assumption on finding any trace evidence is the trace evidence is actually indicative of contact. It’s actually nothing of the sort, if you find blood on two objects, it does not in anyway mean that the two objects had contact at a given point in the space and time of the crime scene. This ambiguity holds even if the blood is the same as far as your forensic tests alow checking. Thus you actually have to rule out several things. The first is there was no other point in time and space the two objects could come into direct contact, secondly that the contact was not indirect at another point in time and space, third that the “trace” that is exchanged did not independently come into contact with the two objects, fourthly that your tests are sufficient to make the contact “trace” uniquely identifiable, not just in of it’s self but also in time and space, fifth your tests are robust in the presence of contamination. All these points are usually “glossed over” or quite deliberatly ignored and thus deliberately hidden from the “tribunal of truth” that the jury is, which is a form of lying thus perjury.

[4] Another couple of bad science issues with forensics is “system noise” and “result interpretation”… Importantly as any communications engineering first year undergraduate can tell you, measurment uncertainty increases as you aproach the noise floor. It applies to all tests no matter what they are. As a number readers on this site know when the quantity tested is sufficiently small it can be used as a method of “perfect secrecy” in Quantum Cryptography. Thus as the size of the “trace” decreases the contact principle drops rather rapidly from “maybe” to “impossible to know” more quickly than forensic practitioners would in the main care to admit. But this is where more bad science enters when it comes to interpreting the results, probabilities are involved and you have to ask what they are both in the sample being tested but importantly in the general population (remember the FBI argument about trace cocain in US paper currancy, that eventually was thoroughly debunked). But you also need to ask the same question along the entire “chain of evidence”. It turns out somewhat unsurprisingly that the risk of cross contamination goes up significantly with the length of the evidence chain and time in it prior to test. Likewise it gets way way worse with decreasing size of trace tested. In other words the principles of entropy apply not just in time but distance of handeling.

Often cross contamination or degredation is worst at the forensic lab where they “play at science” and cross contamination prevention techniques quickly become a sick joke[5]. Due to “competative tendering” the test labs minimise costs, thus one of the first things that gets thrown on the cost reduction bonfire is correct handeling techniques for evidence, especially microscopic trace evidence. But obviously the prosecution, police and test labs don’t want the “tribunal of truth” that the jury is, to know this. Because “justice has a cost” and politicians want two things, increased imprisonment with hard sentancing, to show they are “tough on crime” and “minimal spending” so they can save taxpayers money for more important things like “bribes” of various forms.

[5] Consider the standards used in even the best of forensic labs to the cross contamination proceadute of Level 4 labs used for chemical weapons development labs, and contagious disease labs. Where those working in the labs have a very realistic appraisal of cross contamination risk because getting it wrong could kill them or others rather quickly and very very unpleasently. But have a look at the last death related to lab environments in the UK with small-pox (Janet Parker [6]) and diethial mercury (Prof. Karen Elizabeth Wetterhahn PhD in 1997)

[6] https://www.birminghammail.co.uk/news/health/smallpox-death-locked-down-birmingham-11322667

[7] https://en.m.wikipedia.org/wiki/Rachel_Nickell_murder_case