Schneier on Security

Clive Robinson • May 23, 2019 2:59 AM

@ Bruce,

… all unclassified but under the Chatham House Rule.

Some years ago now I was increasingly seeing the “Chatham rule” comming up. So not only did I look it up, I spoke to the corporate lawyer. I won’t repeate their full reasoning but the upshot of what they said was “you would be significantly ill advised to go”.

Essentially the reasoning rested on legal “privilege” or more correctly the imbalance of it.

Since then I’ve looked into those who have asked for such meetings and it can be a bit of an eye opener. Whilst those meetings that are “amongst equals” you can usually see a clear need, it’s the others. All to frequently it is used by those who have “privilege”[1] already, where as you have little or none thus they are effectively further hand-cuffing you, as they can use it against you in more waus than there are hours in the day.

The gaging of those reporting on Government in various ways is becoming more and more insiduous every day. It should not matter if you are an activist, WasPo journo through to an ageing History proffessor writting a book that few will ever read, your credability rests on the verifiability of your sources. If your source asks for deniability then either drop them or find other ways to get verifiability before alowing what they tell you to taint your senses.

At the end of the day the credability of a reporter of record is defined not by what they have acurately reported in the past but what they have not accurately reported, the reason for any inaccuracy does not matter, it is still a rock on which reputation will flounder.

I know that modern MSM appears to nolonger play by those rules, but just because one clique behaves like a group of thugish drunks at a party, it does not excuse anyone else behaving that way. Thus it’s perhaps best to refrain sipping from that poisoned chalice.

[1] Who has privilege and who does not in any jurisdiction can be difficult to work out. But as has been reported about senior military and intelligence officers having the right for “national security” to lie or misleed judicial proceadings, it’s fairly safe to assume that as a result they have in effect have a level of “privilege” most do not.

Clive Robinson • May 23, 2019 3:18 AM

@ JonKnowsNothing,

Today’s You Can’t Believe It but It Might Be True

Knowing what went on in the UK after “tin pot jodsworths” got investigatory powers under the UK Regulation of Investigatory Powers Act (RIPA) I am more surprised that we have not heard of such behaviour befor.

The real question now of course is where does the trial go from here, in essence the defendent has had their “privilege rights” violated, thus can nolonger receive a fair trial. At one time judges were not averse to declairing mis-trials when such behaviour occured. However in this current “hang em high” environment when it comes to whistle blowers a certain mentality for “Show Trials” has set in, in which judges will play their part willingly or not, less they face “starvation”.

Clive Robinson • May 23, 2019 11:24 AM

@ All,

Whilst I can quite understand the feelings many have against the SigInt agencies, they do unfortunatly have two sometimes three or four mandated personalities, some from the outset others get aquired with time.

It often ends up that these multiple personalities are in conflict and rather than rendering the organisation a visable “basket case” as you might expect, the stress and fracture lines exhibit in other less seen ways. Thus you get internal “organisational capture” and “turf wars” that are fed by personality type issues exacerbated by the missuse of internal security procedures etc to cover up such rank abuses and “illegal orders”. Thus these places are not healthy to work in above a certain level, and many of the staff are there because they are keeping their heads down and “ticking over to pension”. Which makes them not only easy to abuse, they are also compliant with such abusers, to avoid getting hamnered down.

A lot of this came to light in the UK back in the 1980’s shortly after I had left “employment from the public purse” because I could see the way the wind was blowing. The then UK Prime Minister “Mad Maggie” Thatcher, was determined to destroy trade unions, and with GCHQ tried to introduce further draconian measures that would have made the abuse worse. This was we later found out actively encoraged by the US under the so called “special relationship”. A significant number (something like 150) of employees refused and were preasured in various ways, including loss of pension and the sacking of others selected because they had little chance of equitable re-employability (only one of whom made it back into ordinary employment).

It became a very bitter and longterm dispute as a result a lot of “dirty laundry” came into the light in various ways. Including insight as to managment style and behaviour in the NSA who believed that they should have full rights over UK civil servants to abuse and sack them but of course no responsability or liability towards them. Part of which was epitomized in Mad Maggies demands that GCHQ staff could never have legal standing of any kind. This got watered down to no standing under employment law or access to tribunals, no matter what the complaint. This shocked not just Mad Maggies own party, it caused all other parties to combine in universal condemnation.

Such behaviours are very indicative of the type of personalities and their types incharge of SigInt organisations at the time, and from what has leaked since little appears to have changed.

This needs to be remembered when talking about the bulk of those working in SigInt agencies, and one of the reasons why those with abilities and more normal personality types realise they would be better off outside of such organisations. Which is just one reason why the SigInt agencies lack the talent they need. Oh and politicians deciding the direct staff numbers need cut backs does not help. Further how can you expect those left to perform let alone consider “lawful order” ethics when they are continuously having to look over their shoulders just to get health care and living pensions…

Oh and don’t forget it’s open season on not just whistle blowers but those who bring these “embarrassments” into the light for public scrutiny…

Clive Robinson • May 23, 2019 6:58 PM

@ James T,

I would really like to know what Clive thinks about this

Depends what you mean by “this” some of my thoughts would require more “Not Suitable For Work” asterisks etc than I would care to type 😉

However of your specific questions,

The ability to do so much with so little. Computers getting more powerful with so many places to hide memory. Who can keep up?

Not even the NSA, GCHQ et al can keep up with every chip etc, and they very likely don’t bother. That is they would take a more select view on certain key components like faults in RNG’s in embeded systems. Which is what most routers basically are. They would then get into “the next node up” from target systems. Because routers especially at the consumer level are very rarely if ever either turned off, upgraded or checked in any way. Thus they make ideal places to “hide and observe” because often with SoHo systems all comms goes through them anyway even if it’s just from your local NAS box file server to your WP on your PC and back to your printer etc.

There are ways to mitigate this if you know what to do with actual “configurable switches” and the likes of Intrusion Detection software running via an “invisable data diode”[1] on the connection between the switch and your gateway router. If you have a search on this site for “Gardrn Path” you will find a description of a similar set of mitigations for your gateway router.

At the end of the day nobody can know all the “individual instances” of hiding locations or vulnerabilities. What you stand some chance of keeping up with is the “various classes” of locations and vulnerabilities. If you then mitigate “classes” not “instances” you stand a chance of keeping up in a full time job. But that’s not necessary if you mitigate at a higher level. For instance keep your sensitive work on a “gapped system” then use a carefully mandated “gap crossing method” where you first encrypt on the gapped machine then use some easily disposed of carrying medium (print to paper and OCR and checksum for errors on) to the comms PC. You can easily liquidize the paper into “fire brickets”. With a little care / OpSec your risk goes down considerably, but such methods don’t scale above “personal” use. With such systems you also need to practice a hightened level of “physical security” because if you become a “targeted” person of interest, “They will come-a-knocking” there are various conversations with @Nick P and others about how to deal with this. In principle they come twice, the first to “intel gather” armed with intel they develop various hardware implants etc and then come and implant them. The older or rarer the kit you use, the harder you make their task. Like a number of hardware engineers and quite a few makers I have lots of custom prototypes just littering the junk boxes and other places, any one of which might serve a security function… It is after all a little difficult to “implant” a hand wired open PCB contact (dead flesh) keyboard and a little thought makes that even harder for an attacker (open switches are kind of immune to various Hi-Pot tests whereas the best of electronics are either not immune or show up as part of those and other tests). They would then almost certainly try another approach such as one of many “end run” attacks like hiding sound or audio equipment to try and catch you in the process of entering/reading your private communications.

While understanding that a “Air Gapped” Computer means nothing anymore.

It does and does not, it’s the old traditional name, and some which are also in locked server rooms with power conditioning and sound proofing are actually fairly well “energy gapped” as well. Energy gapping is a more appropriate term because it is “energy” in all it’s forms and all it’s “transportation methods” that carry your private information out inadvertantly. The point being is that it’s the laws of physics that determin what can and can not be done by an attacker. Most of the fundemental laws are well within the grasp of anyone who did highschool science classes and passed. Some further things like “radiation transport” where very high frequency high energy particles or radiation work their way down to the ultimate form of polution (heat) undergraduates get to grips with mathmatically but the average person can understand enough just by reading about the process. However there are other “gotchers” which is the bi-directional behaviour of basic transducers. That is speakers are also microphones, motors are also generators and the likes of transformers and their more esoteric equivalents of baluns and circulators also reflect what happens at their loads back to their sources and back again as the laws of thermodynamics dictate. This also effects the hardware and software, people tend to forget “errors and exceptions” are in effect “inputs at the output” and crafted errors can work their way very far back into a system in various ways (they are a subset of “fault injection” and “system transparancy” attacks). Even supposed “Data Diodes” can be made to work backwards in various ways.

What could be done with Kernal level access or maybe would could not be done? Can anyone tell me that this is impossible?

Kernal level access is actually “old school” these days for various reasons. You first have to realise just how many layers there are in the computing stack. The kernel sits above the ISA level which is above the CPU which is above the MMU which is above DMA and other I/O layers and below this the memory with quite a few layers below that where attacks can “bubble up” from below gate and transistor level (think cross talk injected to cross between tracks on the metal layers in a Chip layout macro for say an ARM core or other licensed “macro”. But there are also the hidden CPUs and OS’s. Appatently thanks to Intel’s “Managment engine” there are more *nix OS’s running than Microsoft OS’s… According to who you talk to the ME can access features and places in the computing stack that the kernel running on any conventional core would never ever get to see let alone change (think microcode store in the CPU instruction decode logic etc). The fact that the US Gov alledgedly has some “secret sauce” to at the very least disable the Intel ME has caused one or two security stories and speculations. Lets put it this way if you wanted to add a “backdoor” for the IC rather than LE then the ME is in a very good position to do it with, and outside of using very high precision timing you would not be able to spot such a backdoor in operation using anything from above the ISA level in the computing stack. That is you would have to use some very expensive test equipment in specialised test arangments to “maybe” find the way data was being leaked if it was… Such a backdoor could use “Spread Spectrum” hardware techniques to add data leakage via “timing jitter” to parts of the CPU hardware such as the AES encryption. The data added could be encrypted by using a hidden “public key” in the ME, which could hide data such that only the person who had the private key could read it[2]. Therefor the likes of the AES key could be concatenated with a counter encrypted and pushed out instead of true random numbers, thus end up being used as nonce’s etc in crypto algorithms.

The thing about “timing jitter” is with care nearly all systems are transparent to it due to “Security-v-Efficiency”. Unless you realy know what you are doing, the more efficient you make a system not just the more potential timing channels you open, but the greater bandwidth you give them. Obviously all standard consumer computers be they PC’s or the microcontroler in your most basic electrical appliance are designed to be efficient, therefore they are transparent to data leakage. Thus your PC or TV could leak say key data via the powersupply which would travel around your house wiring to the “Smart Meter” the instrumentation in which could pick up the key leak data and then using it’s other protocols send that off anywhere including over the Internet. The thing about timing jitter is, that it is uneffected by encryption because it’s the timing of the packets of data not the data that gets encrypted that carries the information. Ironically those measures carried out to stop key or data leakage via software implementations of encryption that actually make the system even more transparent than it was before. So a “Damned if you do, Damned if you don’t” problem for a system designer to mull over (the cure as anyone who has been taught TEMPEST / EmSec design is “data re-clocking” which removes the jitter upto a point by effectively closing the channel bandwidth down but not totaly…).

So by now you are probably thinking “what hope for privacy” as I said above you need to mitigate by proper segregation and implementation of the communications across the effective “gapping”. Which in effect moves the problem to how you implement “energy gapping”. It’s one of the reasons Sensitive Compartmented Information Facility (SCIF) rooms/tents exist in Government agencies. Whilst their design is supposadly secret in the US other governments don’t regard it that way, therefore much of what is involved not just in the design but testing / certification proceadurs are fairly easy to sniff out. Just looking at the Wikipedia pages on Acoustic and Electromagnetic Anechoic chambers and EMC will give you enough of a headstart to understand what it is that SCIFs do, also “sound/vibration” proofing by making “mechanical gaps” on sailboat engine compartments will give you more insight. Put simply your aim is to turn all energy be it acoustic, mechanical or electromagnetic into very low bandwidth heat via suitably large absorbing masses.

So yes if your privacy is important to you and others you wish to have contact with there are steps you can take to protect it against fairly high level attackers who don’t have the resources to start bouncing $5 wrenches off your body parts in dim distant lands where canvas overalls and black hoods are the fashion items to be seen in.

As the latest news on Julian Assange shows some governments are prepared to spend the better part of a billion dollars to get somewhat petty revenge for being shown in their true light rather than that they try to project…

[1] An “invisable data diode” is not invisable to you, only from the external network. In essence they are a “Vampire tap”, “Star tap” or just a cable that has the TX pair from the monitoring equipment cut. The monitoring equipment is a *nix box which has a couple of network cards in promiscuous mode that records every packet that goes in either direction on the monitored network cable.

[2] See the work by Adam Young and Moti Yung on Kleptography which is a subset of their Cryptovirology research. Their book is realy quite well written and quite readable and understandable by even security novices.