Comments

Sherman Jay October 25, 2019 6:35 PM

@Mr. Peed Off,
Thanks for making us aware of these developments.

I read the first article and it seems to be very vague in regards to differentiating and protecting legitimate reasons to encrypt while accurately identifying and thwarting illigitimate reasons (spreading malware, circumventing just laws and for other criminal purposes). I know there are people of good and ethical intent that just want to use encryption or steganography or cryptography (or combinations of those) to protect their works/communications and I see nothing wrong with that. And, if it prevents the corporate and government snoopers from seeing everyone’s private property, too bad. I see the ‘need’ to catch all the ‘bad actors’, but I think using a huge clumsy net and snaring decent people’s private material (and keeping it just in case some corp or gov’t official might want to use it for their own purposes or gain) is unethical and unjustifiable.

I read the second article and it turns every device by g00gle, micro$oft and affle into a spyware platform. However, with all the spyware already in all the apps and O/S’s and browsers, it is very troubling, but, I guess objectively we might consider it’s (just) the government ‘piling on’.

The bottom line is that I see no truly effective yet non-invasive solutions being posed for these issues.

Ohm October 25, 2019 6:37 PM

Current Assange court hearings procedures reveal not just USA/UK criminal promiscous mode but also a clear violation of the right for someone to defend itself. Clearly Assange is being tortured in a so called democracy in the eyes of everyone. Being silent is being complicit and as such allow me to past this:

Craig Murray on Julian Assange case

lurker October 25, 2019 8:01 PM

@Ohm I guess the reason for all the security around Assange now is the point mainstream media have not picked up on: he is now charged with conspiracy to gain unauthorised access to a computer, and the conspiracy puts it right up there in US lawbooks with world-destroying crimes. Regardless of his various faults, he doesn’t deserve this treatment.

SpaceLifeForm October 25, 2019 8:01 PM

@Sherman Jay

“The bottom line is that I see no truly effective yet non-invasive solutions being posed for these issues.”

In the olden days, LE would actually do true investigative work.

They would actually get off their butts, talk to people, and actually collect information.

These days, most actual true investigative work happens on twitter and blogs. None being paid for the investigative work.

RG2 October 25, 2019 10:42 PM

One countries internal data is another’s external data.
While internal data is typically highly regulated, the sharing of mysterious, unverified, unchecked external data is ripe to deceive and abuse, especially in the political arena.
Its been used to dupe judges, law enforcement, generate open-loop fake news all the while wasting several years of everyones lives. Time no one can never get back.
Who’s tired of being played?

The European Union GDPR are designed to prevent exactly these types of abuse.
Authoritarian brute-force Russia and and China have operational country-wide network choke-points.
But what happens when privacy and national security defensives aren’t even on a countries radar? Pure continuous chaos

Misuse of Reverse Targeting
‘Reverse targeting refers to the targeting of a foreign individual with the intent of capturing external data on a U.S. citizen. During an Aug. 17, 2018 interview Brennan said the following:
“We call it incidental collection in terms of CIA’s foreign intelligence collection authorities. Any time we would incidentally collect information on a U.S. person, we would hand that over to the FBI because they have the legal authority to do it. We would not pursue that type of investigative, you know, sort of leads. We would give it to the FBI. So, we were picking things up that was of great relevance to the FBI, and we wanted to make sure that they were there—so they could piece it together with whatever they were collecting domestically here.”

However, under the laws governing U.S. surveillance, the identities of U.S. citizens are supposed to be protected. Provisions known as minimization procedures are intended to protect information “incidentally collected” on U.S. citizens in the course of foreign (external) surveillance.’

US Attorney General Barr and US Attorney John Durham are focused of the collection from unofficial foreign intelligence sources that doesn’t appear to have been incidental but rather targeted.
Now working with the Inspector General, they have enough facts to open a criminal investigation.
https://themarketswork.com/2019/10/24/focus-of-durham-probe-shifts-to-senior-obama-officials/

Without comprehensive privacy regulation, the typical (read desperate) politician can’t resist temptation of weaponizing sketchy/made-up external data to weaken or neutralize his opposition. Aided by bogus top-secret classification, the chances of getting caught are near zero especially if re-elected. Do the rewards outweigh the risks?

Besides good spycraft teaches how to create a steady stream of chaotic diversions to escape criminal prosecution and political suicide. Hmm…
Are spies spewing reams of bogus crap (within their own country!) to save themselves?

Lastly the anti-privacy leadership mindset are illustrated by Mr. Zuckerberg’s smirking testimony before Congress or the daily Roy Cohn professional misconduct defense[1].
https://en.wikipedia.org/wiki/Roy_Cohn

[1] while professional misconduct is not a crime it is basis for disbarment or employment termination

Sherman Jay October 25, 2019 10:44 PM

@ludite and @Mr. Peed Off,

@ludite is right. With the Ring cameras everywhere (even being given away by law enforcement because they can get the video with just a simple request to amazin who owns all the video captured), other business security cameras, cities with millions of law enforcement cameras, the sheople posting every detail of their lives on social media and the ‘possibility’ of backdoors in encryption, there is little need for real, physical investigation. And, it’s all so impersonal, there are ever fewer relationships between law enforcement and the populace, further alienating/disconnecting the two parties.

Another thing that I see as a true problem (possibly tangential to the digital security topic here) is the ‘militarization’ of law enforcement (both in equipment and mindset) throughout the u.s. Many segments of the populace see this as an existential threat and therefore respond too intensely (military police tactics illiciting violent responses). It’s getting scary, like living in an extreme police state or armed camp in many areas.

Clive Robinson October 26, 2019 1:35 AM

@ Mr Peed Off,

I can not imagine the second article going over well in the FOSS community.

The second article by Nicholas Weaver is in two parts. The first is a shock and awe tactic based around an abohrant to society behaviour but is actually not that relevant because you could just as easily replace it with “whistle blowing” documents.

Unfortunatly the first part has assumptions in it which tend to negate his argument.

For instance he says,

    the best policy is not to weaken communication security [ie encryption] but instead to mandate endpoint scanning of images as they appear on phones and computers.

I realy don’t think he understands about the relationship between the security end point and the communication end point.

It is not overly difficult to design a computer decryption and display device that has no transmit capability. Thus even if such a system did detect suspect images there is nothing it could do about it.

Importantly some may remember when Microsoft changed it’s file formats to make document files not display and self destruct as a security feature for some very large customers. Turns out that needed communications to work as well, so it ended up not working. This proposal sounds like a variation on that “anti-whistkeblower” idea.

But Nicholas Weaver also says, of hashing files specifically plaintext image files,

    The photo itself can’t be recovered from the hash, but the hash uniquely identifies the photograph.

No the hash does not uniquely identify the photograph and for Nicholas Weaver to say that is odd.

A hash is an integer number and only uniquely identifies an integer number smaller than the maximum number the hash can generate. Any file that equates to an integer number that is a bigger number than the hash maximum “folds back” into that integer number range. In effect the hash acts like a modulo function (mod N) followed by an approximation of a “One Way Function”.

But more importantly is the falacy of assuming that number the file equates to is some how an intrinsic function of the file, the photograph or the actual image, it’s not.

When a digital camera takes an image it then processes the image, and unless specifically told to output the massive raw image, it generally uses compression techniques to produce a much smaller output file. The format of such files is generaly soft so small changes can be made that do not effect the ability of the file to be uncompressed and displayed. Likewise somebody could uncompress the file make small changes to the resulting raw file and recompress it. Each time this is done the resulting file equates to a different number, therefor will the vast majority of the time not match the hash. However to a human the displayed images will be sufficiently the same that it makes no difference.

This idea of hashing is very little different to the ideas behind digital watermarking that was all the rage in the late 1990’s untill Ross J Anderson and others at the UK’s Cambridge Computer lab showed that very minimal 2D distortion rendered digital watermarking unusable. The real difference between hashing and digital watermarking for this argument is that digital watermarking was orders of magnitude more robust than hashing. So if digital watermarking was a failure, two decades ago what does this make hashing?

Even hashing not of the actual image as a number but a hash of some subset coding of the image is problematical. An early “porn filter” looked not at the image but for “flesh tones” in the colour table, and what percentage of those tones appeared in the compressed image block. Such a system has obvious failings which would lead to work arounds.

It turns out from the academic literature I’ve looked at that most “static” image classifiers of this sort have such issues. The usuall argument is that bad as they are you can as long as they are better than random you can chain them and thus multiply out their probabilities. Whilst there is a certain truth in this there is a caveat, it only applies if the clasifiers are truely independent of each other and function orthagonaly to each other. This tends not to be the case with many clasifiers, which might just provide a simple avoidence strategy.

Which raises a question mark about,

    The implementation details are kept secret [by Microsoft] to prevent someone from taking child exploitation images and tweaking them to evade detection.

This is “security by obscurity” at it’s best, and as we know from the digital watermarking and current malware if there is sufficient money in it then people will find out how to get around it.

But actually they realy don’t need to find out about how Microsoft’s system works or fails. Because raw image files can be encoded in place in a multitude of ways then still be compressible, the maths behind it has been known for a while. Likewise a compressed file can be encrypted but still have the correct format for such a file.

For instance a black and white image can be serialized and as data would be a file little diferent from any WAV file (think FAX machine). Apply a reversable filter transform then shove it through an audio compression system. Then include it within an audio file.

All of these tricks and many many more are available with public knowledge and a desire to make money and not care how. Which is a fair description of those who write malware etc, of which there are many.

The reason it has not happened as far as we are aware suggests that for whatever reason there is insufficient profit to do so, or too few doing it to come up on the radar.

But on to the second part of Nicholas Weaver’s article.

After a little discussion about political appointee Barr we find,

    … the ideal legislative solution would not try to weaken encryption. Instead, an effective proposal would go around encryption by mandating that everyone’s device examine every image—turning the current centralized mass surveillance system into a privacy-sensitive, distributed surveillance system.

As I’ve indicated above, it won’t work because the person who thought it up does not understand about the relationship between the security end point and the communications end point. Or is for ulterior reasons chosing to quite deliberatly ignore it or keep quiet about it. If the latter it would be interesting to find out why…

We eventually get to,

    This would offer several advantages over the existing system. Cryptographic protections would simply become a nonissue, as the scanning would take place when the image is displayed. It would also significantly reduce the number of companies that need to be involved, as only a few operating system vendors, rather than a plethora of image hosters and other service providers, need to deploy the resulting system.

As I’ve noted it will not be difficult to avoid by criminals who think ahead.

Thus we have to look at other uses the system might be put to, and catching “whistleblowers” would be one that current Anglophile nations, police states and tyrannies be they corporate or national would salivate at.

We get to the final paragraph and,

    Unlike complaints about “warrant proof” message encryption, however, this would at least work to meaningfully address the problem of known child exploitation images.

As I’ve said it won’t solve the problem Nicholas Weaver claims it will, initially some will be caught but fairly quickly they will evolve around it as most semi-inteligent criminals do. Even if it’s just carry on using current technology which does not have this idea in it.

Thus the people who will get caught by this system are people who are generally law abiding if not model citizens, that get sickened by the abuses they see by those in power, and thus try to stop it by “whistleblowing” or similar.

Thus I would rate this idea as being extreamly dangerous to the proper running of society as we currently know it.

Gunter Königsmann October 26, 2019 2:23 AM

As long as your government isn’t after you and none of the other governments has enough reason to harm you there is no reason to fear decryption of your data. Except in the likely case that one day criminals get hold of the master encryption key (or get gold of someone who has). Or that you run a business that is worth spying upon: American data is safe in America. German data in Germany, French data in France and (I guess) Russian in russia in case none of the other countries has an interest to spy there. Note that the 5 Eyes work together, though. Or that you fear that it is possible that elections change the government in a really wrong way. I am a German and I know that if the majority votes for the wrong party it might be only months before you are spied upon and perhaps a few more months before you believe this and find out what for.

Currently the biggest party in Germany plays with ideas to instate mechanisms against publishing lies that if the government is replaced by a Bad one (for example the one that currently publishes many lies) would be a mighty tool on the wrong hands.

Also if you make all online firms write backdoors they might be available for authoritative states, as well, where encryption protects the people from their government.

0402 October 26, 2019 2:29 AM

In Egypt (that currently is in fear of a revolution) the state circumvents WhatsApp encryption the following way: A police officer (that doesn’t wear an uniform) steps up and asks a cellphone user if he allows the officer to scroll through the messages. This happens frequently enough that any tourist knowing that this happens has a good chance to spot it. Don’t know, what happens if the cellphone owner refuses, tough. See also: https://www.xkcd.com/538/

Clive Robinson October 26, 2019 3:39 AM

@ Gunter Königsmann,

As long as your government isn’t after you and none of the other governments has enough reason to harm you there is no reason to fear decryption of your data.

Wrong. All you are reboiling is the long ago debunked “If you have nothing to hide you have nothing to fear mantra of crooked cops and politicians.

One of the biggest cyber-theft noises you hear from governments is that of “IP theft”, from national organisations “Identity Theft” and the clearing out of bank and similar accounts. Now we are hearing about a 37% rise in the instalation of “cyber-stalking tools”.

The proper use of encryption and related security measures can significantly reduce these issues.

So why on earth you would think any of these are not serious problems, I don’t know…

Clive Robinson October 26, 2019 3:56 AM

@ Ludite,

world’s smallest image sensor ends hope of ever being secure against Three Letter Agency intrusion

Have you read the specifications on the device?

It’s only 200×200 pixels with a 120degree viewing angle. Work out the size of each pixel just 1meter infront of the camera (hint 20 60/30 right angle triangles)

But there is another issue “sensitivity” such a small sensor will not get many photons per pixel unless the light is more than quite bright.

So the lack of resolution and sensitivity is not going to be of much use for general surveillance purposes.

That said sensors a quater the size of your little fingernail can work quite effectively through a 2mm diameter hole close in front of the sensor and give you 16 times the resolution at ordinary ambient lighting levels.

Ergo Sum October 26, 2019 8:17 AM

@Ismar…

Let’s start with some positive news regarding a mobile phOne OS privacy improvements

Mobile phone as in iPhone that is…

The very same “privacy improvements” had been available in previous versions of the iOS. Apple just did not emphasized these features in the past.

On my iPhone since at least iOS 11.x, there are three apps, that had access to location based on “While Using”:

  • Compass
  • Find My Phone
  • Maps

The WiFi only enabled for iOS update in my home network, when required, otherwise disabled. So is the BlueTooth. Siri is disabled across the board, Safari’s default search engine changed to DuckDuckGo, don’t use iCloud for email/storage and other settings intended for privacy protection. Having unlimited data plan certainly makes these settings more tolerable.

The fallacy of the privacy settings is the end users, who for the convenience, will select the “Always on”. This will not change, regardless how Apple try to convince people to pay attention for protecting privacy.

Apple could sound more sincere about privacy, if it does not make Google the default search engine for Safari and Siri. Google will not pay Apple high single or low two digits billions per year to be the default, without recovering the cost of investment and sizable profit.

Cynically, one could say that Apple outsourced data collection to Google and it would not be far from the truth. On the other hand, Apple still allows end users getting rid of Google on their devices, if so desired. There is that…

Gunter Königsmann October 26, 2019 11:05 AM

@Clive: Perhaps we should add more cases to my “you have nothing to fear, if”. How far I got until now is:

  • You don’t fear a government key to be stolen (Pro tip: If every gouvernment has an own government key at least one of these keys will be stolen.)
  • You don’t fear that if your government gets the right to read every single message every other government on this planet will get the right to read every single message, too. This will most probably include constellations in which the government is the Bad Guy.
  • You don’t fear that no-one in your government is corrupt enough to give away your vital information
  • You don’t fear that any other government will use their keys to spy on you (Pro tip: If you have nothing to hide from the government perhaps your working place will not want every other firm to be able to spy on them)
  • You don’t fear that your fellow citicens choose a bad government in the next elections.
  • You don’t fear that if cryptography gets more complicated by including hundreds of government keys that will lead to errors.

If any of the above might can go wrong you might want to opt for secure cryptography or opt against doing any digital business including using an ATM, a POS terminal, buying in an internet shop – and if anybody is against you they might still be able to impersonate you plausibilly authenticating using a broken crypto link.

Sherman Jay October 26, 2019 12:07 PM

@Gunter Königsmann,
“American data is safe in America”

Encryption might have helped protect all this “american data .. in America” —

hXXps://www.techdirt.com/articles/20191015/08012643194/whirlpool-left-appliance-data-user-emails-exposed-online.shtml

“This week it’s Whirlpool that’s under fire after a researcher discovered that the company had failed to secure a database containing 28 million records collected from the company’s “smart” appliances. The database contained user email addresses, model names and numbers, unique appliance identifiers, and data collected from routine analysis of the appliances’ condition, including how often the appliance is used, when its off or on, and whether it had any issues.”

We are all constantly under siege by the Internet of Things, trackers, cookies, spyware on all our phones, etc.

Even if “we have nothing criminal to hide” the complete loss of privacy reduces the quality of all our lives.

MikeA October 26, 2019 12:30 PM

@Clive:

An early “porn filter” looked not at the image but for “flesh tones” in the colour table, and what percentage of those tones appeared in the compressed image block.

I dimly recall a Register article about how an image of a pig farm was labeled pornographic because “too much pink”.

I do hope that the very possibility of having the security endpoint beyond the communications endpoint will not soon die.

@Ergo Sum: any strengthening of privacy on iOS (or MacOS) devices can, and in my experience often will, be “opted out” automagically by a later mandatory update.
Apple has many more person-hours available to compromise my privacy than I have to defend it. They can do it wholesale. As can Google or MSFT, of course, but my experience is with Apple.

Alyer Babtu October 26, 2019 1:33 PM

@many suspects

Re: chronic broken security

What they say, once is happenstance, twice is coincidence, three times is enemy action ? Confirmed by recalling don’t explain by conspiracy what can be accounted for by stupidity (by contraposition).

The consistent state indicates the cast of a mindset at work. The way this is is the way it’s wanted to be. Couple with economic and social practices and it is seen that the world is being nudged into totalitarian rule.

By all means try to do good in your domain, but solving the problem will require addressing things outside it for most.

Sancho_P October 26, 2019 3:35 PM

@Mr. Peed Off, Thanks for both lawfare links!

1) Rethinking Encryption, part I/II: Going dark, rinse, spin, repeat.
Nothing new, but another try.
OK, some points would be worth to follow, but … they don’t want, we don’t need.
For the rest:
”China’s wanton looting” is sanctimonious, ever heard of American history, up to today?
E.g. the cruel pressure at Cuba? For what exactly?

Oh, yes, in a couple of years the Chinese may be where the USA is today:
In everyone’s computer, network and communication.
But don’t blame the Chinese for that!

lurker October 26, 2019 3:42 PM

@MikeA

Apple has many more person-hours available to compromise my privacy than I have to defend it.

Indeed, and it was Safari’s major point upgrade obnoxious habit of resetting the option to “Automatically open downloaded files” that triggered me to give MacOS the heave-ho.

Sancho_P October 26, 2019 3:49 PM

2) Nicholas Weaver’s (really?) lawfare article is shockingly awkward.
Also it’s missing the very important distinction between the tangible and intangible world, a very common simplification, though.

First, I’d assume that today’s “image hashing” is still a viable way to automatically process a pile of image data, of course with errors on both sides. This is similar to fingerprinting of music files.
Granted, it reduces a bunch of boring workload in some central instances.
Flagged data must be manually inspected – Locally.
To work, it needs a database of known bad files – A serious disadvantage, and a can of worms on consumer devices.
Proprietary SW and security by obscurity hint to a weak solution + a very good business.
Similar to the AV industry: A scam.

So:
Do it on all insecure devices of John Doe? Dramatically increase the attack surface?
Upload a copy via Net from a consumer’s machine? Uh, really?
No friends to add fantasy and knowledge regarding abuse and exploits?

However, here is the main problem with the not so distant future:

Think of today’s capabilities to produce fake porn videos “with” celebrities.
So it is only a matter of time to have “just in time” productionof CP (or whatever) on consumer devices, without any need to store the data.
Probably one could configure what activities the SW should produce, based on preferences, using 3D imaging, touch sensitivity, …
Compare a database hash with such fantasy screen content?

There is always the same basic issue with the thought police: Thoughts are free!
If I think of murder, this is free! My brain, not yours!
Only when it comes down to the tangible world, outside of my brain, outside of my memory / device, when I tell or show someone, it may (!) establish a crime.
And if, there is (should be) LE and legislation to handle that.
Not in advance.

Re CP (see https://www.lawfareblog.com/child-exploitation-and-future-encryption )

Producers and distributors of CP are criminals, but consumers are mentally ill.
Assume the rising figures in the link are correct. Shouldn’t we, as a society, try to identify and fight the cause of the problem instead of counting the “vital stream of evidence”?

Clive Robinson October 26, 2019 5:13 PM

@ MikeA,

I dimly recall a Register article about how an image of a pig farm was labeled pornographic because “too much pink”.

Yes that was one, that kind of got famous, because certain media people had the opportunity for a bit of revenge with “red top” style headlines. But the one that made the algorithm look realy stupid but did not hit the general media was a rather glourious picture of a nebula… Yes I know nebulae might be considered “heavenly bodies” but lets be honest pictures of nebulae are not Rorschach “ink blots” so any supposed visualisation of the human form unadorned in part or whole realy is in peoples heads, not the reality of the picture…

I’ve been told that rather than static classifiers with their known problems, the latest idea is to throw AI at the problem… Heaven alone knows what sort of mess that will turn out to be after all I’m told most realy don’t know the difference between porn and erotic art… How we expect a computer to tell is I suspect going to be one of those unanswerable questions.

Mr. C October 27, 2019 7:14 AM

@ Clive & MikeA
I attended a party circa 2010 with a lot of Google engineers, including a guy who worked on filtering porn from the video search results. At the time, he told me it was “flesh tones and repetitive motion.”

Ergo Sum October 27, 2019 7:36 AM

@MikeA…

“any strengthening of privacy on iOS (or MacOS) devices can, and in my experience often will, be “opted out” automagically by a later mandatory update.”

None of the updates are mandatory. The end user can select “manual”, in which case, updates are not installed like “auto-update” does.

“Apple has many more person-hours available to compromise my privacy than I have to defend it. They can do it wholesale.”

Certainly, but it can be reversed for the time being, if people pay attention…

“As can Google or MSFT, of course, but my experience is with Apple.”

Lucky you…

Google and MSFT are worse from that perspective. Both of them have mandatory “telemetry” collections, that more or less can be controlled by the end users. Any update will reset the “telemetry” settings to defaults. By the time the end user reverse these settings after reboot, all telemetry data had been transferred to the mother-ship.

The telemetry generated income allows both of them to pay insane amount of money to Apple for the purpose to capture Apple device users data as well. While Apple can say:

What happens on your iPhone stays on your iPhone.

There should be a disclaimer in small print, something like:

Apple is not responsible for partners and third-party apps collection of your data, including your privacy data

CallMeLateForSupper October 27, 2019 9:54 AM

Is DNS-over-HTTPS (DoH) cat-scratch fever or rather the cat’s meow? If you read and trust was Mozilla says, DoH is the latter. If you read elsewhere, you might think otherwise. I don’t know, because the deepest probes of the subject incorporates a ton terminology that I’m not familiar with and not inclined to learn.

Interesting that “desktop version of Firefox has provided DoH support since Firefox 62” but was not actually operational in that version and still isn’t operational in version 70 today. (quoted text from https://nakedsecurity.sophos.com/2019/09/10/mozilla-increases-browser-privacy-with-encrypted-dns/)

Here’s what Mozilla says:
https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs

And here’s what Hackaday says:
https://hackaday.com/2019/10/21/dns-over-https-is-the-wrong-partial-solution/

CallMeLateForSupper October 27, 2019 10:40 AM

“Drivers’ Data Exposed in 7-Eleven Fuel App Breach”
https://www.infosecurity-magazine.com/news/drivers-data-exposed-in-7eleven/

“An app used by drivers to cut the cost of fuel has suffered a data breach that allowed USERS to view the personal information of OTHER customers.
[EMPHASIS mine]

“Names, email addresses, cell phone numbers, and dates of birth were exposed […]”

If I were interested in low prices on gas, 7-Eleven would not be a brand I’d consider.

CallMeLateForSupper October 27, 2019 10:57 AM

This looks like it would be fun to play with, though I can think of better things to do with US$ 60.

“‘Pwnagotchi’ Is the Open Source Handheld That Eats Wi-Fi Handshakes
The Tamagotchi-inspired device helps wandering hackers to crack Wi-Fi passwords while looking adorable.”

(I suspect that the writer meant to say, “[…] device looks adorable while helping wandering hackers crack Wi-Fi passwords.”)

https://www.vice.com/en_us/article/xwekw4/pwnagotchi-is-the-open-source-handheld-that-eats-wi-fi-handshakes

SpaceLifeForm October 27, 2019 2:25 PM

@Sherman Jay

I figured that I did not have to research it, but I did anyway.

99.9999% sure that the Whirlpool dump was found on AWS.

It’s not spelled out in the article, so I’ll just note that Whirlpool and Amazon are in bed together.

The writter has the receipts.

Lost count of AWS issues. Well into double digits last two years.

Sherman Jay October 27, 2019 5:59 PM

@SpaceLifeForm,

Thanks for your effort and info. I wouldn’t touch AWS or Amaz0n with a ten foot cattle prod. They started out very corrupt and have gotten much worse. I won’t go into their sordid history of which our art organization was a victim.

@all,
Regarding encryption, does anyone have info about using two dissimilar methods of encryption sequentially on a file makes it essentially un-crackable? I’ve tried that technique and some amateurs I asked haven’t been able to decrypt that file.

Sherman Jay October 27, 2019 7:01 PM

On the browser front, while far from perfect, waterfox browser (a mozilla product) is a step in the right (privacy/security) direction:

hxxps://www.ghacks.net/2019/10/25/waterfox-development-splits-into-classic-and-current-branches/

Waterfox continues to support (some) NPAPI plugins, comes without Telemetry, and bootstrapped add-ons. The classic channel, called Waterfox Classic, is the legacy branch of the web browser that will continue to support older standards. The developer of Waterfox has no plans to retire this branch according to a new blog post on the Waterfox blog.

I have yet to examine the Brave Browser, but it is supposed to be focused on privacy/security.

Alyer Babtu October 27, 2019 7:28 PM

@Sherman Jay

dissimilar methods of encryption sequentially

Doesn’t this amount in overall terms to one method, with sort of the moral equivalent of a longer key ? I.e., g(f(m)) = h(m) , where h is the composition of f folowed by g , and the “key” of h is similar in complexity to that of the total length of the keys of g and f ?

Full disclosure: not an expert 🙂

MarkH October 27, 2019 8:12 PM

@Alyer Babtu:

I’m also no expert! But I think I have a sensible answer.

Key length is only one facet of security for symmetric ciphers. Because it’s a really strong link in the chain, there’s practically no value to making it stronger.

For example, modern symmetric ciphers usually use keys of 128 bits or longer, whereas practical attacks (last time I read up on this stuff) are still limited to something like 2^70 steps. A million-fold increase in available computing power would still leave you at roughly 2^90, so a good cipher with 128-bit keys still has a very healthy margin of safety.

But ciphers can have weaknesses and suffer breaks, which reduce the cost of cryptanalysis — sometimes by an enormous margin. Using dissimilar ciphers in composition is an insurance policy: if a weakness is found in some but not all of the component ciphers, the plaintext remains unrecoverable.

Clive Robinson October 27, 2019 10:57 PM

@ Sherman Jay,

… does anyone have info about using two dissimilar methods of encryption sequentially on a file makes it essentially un-crackable?

The first thing to remember is that doing something that gives you a correct plain text is NOT proof of how an unknown cipher works or that you have found the key.

Whilst it might sound strange, it’s easy to see why when you consider the way the One Time Pad works. That is,

    Any and all plaintexts upto the length of the ciphertext are equally probable.

And that is also the proof of the OTP security ie “equally probable”. In essence it means they are all as equally improbable as well, that is there is no statistical proof that you can find to show you have either the correct key or plaintext.

The usuall argument given is that,

    The key is totaly random

Which is very dependent on your concepts of “random” and “bounded”. That is a random string could be all zeros, all ones or a simple repeating pattern of any length. Which if above a very short length would in the real world be very undesirable as it would show up either to the human eye or via simple statistical tests. Hence you have to in practice put a “bound” on the length of any given pattern based on it’s complexity (by some measure that could be quite complex).

In practice you counter intuitavely use a determanistic process to ensure your key stream is as close to nondetermanistic as it can be.

All codebook (block) ciphers are a mapping from the input set to the output set and form what is called “a simple substitution cipher”. Which no matter how complex the mapping or how large the alphabet is statistically a quite weak cipher which is why block ciphers should always be used in some type of mode.

To see why, imagine an old fashioned text based program where the user gets presented with a succession of menues to which they enter a single key selection be it numerical or alphabetical. The link between their display terminal and the computer is encrypted with AES128 in what is the simple code book substitution. Whilst what you see on the wire might be 128bits of ciphertext for each key press it still only represents a very limited alphabet of say ten keys, thus only ten 128bit patterns are seen on the wire. Thus working out which of the ten 128bit patterns represents which key is a relatively trivial task that can be done fairly quickly depending on how many times the user runs the program (that is the attack uses “messages in depth”).

That is the underlying plaintext statistics are clearly visable in the ciphertext even though the AES128 input to output mappings are highly complex.

Thus the way to make a cipher dificult to analyse is to reduce any statistics in the ciphertext as flat as possible so it is not possible to tell it from random by any statistical test, no matter how much ciphertext under any given key the cryptanalysist has to work with.

Towards this end one piece of advice given is to “compress plaintext befor encryption”. Because it has three benifits,

1, It makes the plaintext length unknown.
2, It reduces the size of the plain text.
3, It flattens the plaintext statistics significantly.

Unfortunately in practice trying multiple compressions on the plaintext becomes very quickly of little benifit due to the way most compression algorithms work. Further it has no effect on the complexity of the mapping of the encryption algorithm.

However if you do not compress the plaintext but encrypt it in an appropriate mode you will also flatten the statistics by a much greater extent with modern algorithms. Doing so twice will reduce the statistics slightly more but will also increase the complexity of the mapping function.

In the case of a block cipher using rounds it effectively doubles the number of rounds.

However if you use the same encryption algorithm the chances are you will not get quite the same benifit you would if you actually designed the algorithm with twice the number of rounds[1]. This is due in part to the fact you are using the key expansion the same way twice, that reduces the number of available permutations in the mapping. There is also the posability that you could actually reduce the complexity of the mapping (though if the base cipher has been designed correctly that should not be an issue).

If however you use two different algorithms with very different internal structures you are more likely to avoid some of the problems of using the same algorithm twice.

But at the end of the day you would still suffer from certain issues if you just chained the block ciphers on their own. It’s why you should use each block cipher in a mode then chain the resulting cipher-modes combinations.

But there is a limit to what you can achieve by chaining ciphers together in series. Think of what benifit you would get from chaining two OTPs?..

It’s why you should think about using differebt ciphers in parallel as well to form wider block sizes.

[1] If you want to know more on this have a look for why we have 3DES not 2DES.

Sherman Jay October 28, 2019 11:53 AM

@Alyer Babtu, @MarkH, @Clive Robinson,

I was thinking along the lines of this type of multiple dissimilar ‘obfuscations’:
encrypt with character substitution, then compress, then use blowfish with long key, etc. Or maybe: character substitution, then compress, then use steganography.

Full disclosure, I’m not an expert either as most of you already know. LOL

SpaceLifeForm October 28, 2019 7:34 PM

@Sherman Jay, @all

“Regarding encryption, does anyone have info about using two dissimilar methods of encryption sequentially on a file makes it essentially un-crackable? ”

The CIA can. And they can explain how it can fail.

See Vault7.

Mr. Peed Off October 29, 2019 11:29 AM

@ Sherman Jay
“Another thing that I see as a true problem (possibly tangential to the digital security topic here) is the ‘militarization’ of law enforcement (both in equipment and mindset) throughout the u.s. Many segments of the populace see this as an existential threat and therefore respond too intensely (military police tactics illiciting violent responses). It’s getting scary, like living in an extreme police state or armed camp in many areas.”

This article may be of interest:
http://www.tomdispatch.com/post/176620/tomgram%3A_william_astore%2C_the_militarization_of_everything/

@ all
Your thoughtful responses to my previous post are much appreciated. Thank you.

You Are There (50 Years Ex Post Facto) October 29, 2019 2:48 PM

ARPANET started 50 years ago today … late in the evening, as I recall.

It was hard to get an account ; as a student, I had to do a Personal Interview
with a Campus Computing Network Administrator. ( Various Biggus Dickus faculty
members had been kicked off already because they caused PROBLEMS for all System
Operators and Administrators concerned with managing this new Experiment. )

And you had to have a REAL GOOD REASON to be on it, and get time on it
( measuring in MUS : machine-unit-seconds plus other accessories like Line
Printer Output Paper, etc. ) to do Constructive Projects. My reason was The
Theory of Computation … could a Big Mainframe calculate algorithms and
special functions accurately in Double Precision using Floating Point and
with Assembly Language Compilers of the Day ?

I was a Good Boy and a responsible End-User … I was given a small amount of
time and my ToC Projects were Managed by CS and CCN people who were interesting
and interested …

A Good Time to Be Alive!

SpaceLifeForm October 29, 2019 3:53 PM

Random Fail

hxxps[:]//arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/

SpaceLifeForm October 29, 2019 4:21 PM

@Anders

It would be better if you would spend a minute or two, to actually provide a better, SAFER link.

Always, ALWAYS, try to get to the original source material.

Spend the time. Do the research.

Some research may take hours.

Some may take days.

Or weeks.

Or months.

Or years.

Or decades.

Or a Lifetime.

This is the cost of Security, Privacy, and Freedom.

People need to invest time in the research.

There are many that invest their time, but it would be better if more did.

hxxps[:]//id-ransomware.malwarehunterteam.com

SpaceLifeForm October 29, 2019 4:22 PM

@Anders

It would be better if you would spend a minute or two, to actually provide a better, SAFER link.

Always, ALWAYS, try to get to the original source material.

Spend the time. Do the research.

Some research may take hours.

Some may take days.

Or weeks.

Or months.

Or years.

Or decades.

Or a Lifetime.

This is the cost of Security, Privacy, and Freedom.

People need to invest time in the research.

There are many that invest their time, but it would be better if more did.

hxxps[:]//id-ransomware.malwarehunterteam.com

Anders October 29, 2019 4:36 PM

@SpaceLifeForm

You don’t need to click on it. You can select it, copy it
to command line window (this removes any possible formatting from it)
select it again and copy to browser.

I have limited time too and only one life 🙂

But read the story, it’s actually a sad one. Cancer, poverty, but
still a determined fighting against ransomware.

And we here are arguing about link formatting? What’s harder?

SpaceLifeForm October 29, 2019 5:02 PM

@You Are There

And 4 decades prior, to the day, the Great Depression started.

I’ll just note that 2 decades ago, that both the Federal Reserve AND the US Treasury shared the same exact web server.

Two domain names resolved to the same ip address.

And back then, there was zero web-hosting.

But, Federal Reserve is NOT a US Government Agency.

@Anders

That is your RESEARCH project.

Ask yourself, how would I know that?

And, if you do the research, you may actually figure out who I am.

Good luck.

SpaceLifeForm October 29, 2019 5:30 PM

@Anders

Yeah, I read your link.

Not complaining about the link itself, but what the site served up.

Yes, the Cancer, poverty, but
still a determined fighter against ransomware.

This person cares, in spite of the personal issues.

He did the RESEARCH !!!

Everyone needs to understand, that they are being MICROattacked, from various angles, in a SOFT manner.

Need more Researchers.

It really is about Security.

Anders October 29, 2019 6:30 PM

@Clive

Thanks. I think the important thing here is:

“The company leased servers — including servers in the United States — from Amazon and two other cloud services called Choopa and Quadranet, to help deploy its spyware, the lawsuit said.”

Anders October 29, 2019 6:36 PM

Check your registry keys against malicious persistence.

pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/

Clive Robinson October 30, 2019 1:16 AM

@ Anders,

The company leased servers — including servers in the United States

Yes, it does raise all sorts of questions when you move away from the purely technical, issue of, “What resources you need for a Malware deploying system?”

Not least of which is,

“How complicit Amazon and the two other cloud services providers Choopa and Quadranet?”

Back in the early days of Software as a Service (SaaS) befor the term “cloud” realy got going, being used for Malware distribution was one of the “security issue” reasons given for not getting into SaaS because of the “legal liability” reasons. People discussed what measures you would put in place for both a server and a client. I remember the major assumption pushed at the time that using a server to distribute malware would be done only by “intruders” who had gained illegal access to the servers not by “service providers”. Thus recommend solutions were all about intrusion detection, not the far harder task of verifying paying service providers were not pushing out malware quite deliberately.

As we know from both the big Mobile OS providers, stopping “Malware Apps” from being in their “walled gardens” is not at all easy, hence the number of times it has happend[1] and will I suspect continue to do so for quite some time to come.

But in this case just watching traffic flow patterns should have alerted the cloud providers there was something “hooky/hinky” about NSO as a customer. Which raises the question of

“Why were Amazon, Choopa,and Quadranet going along, for so long?”

Which is where it starts to get “all political” real fast…

[1] Part of the problem for Google, is that their OS browser is basically being turned into a “surveillance platform” to keep the “targeted advertising” revenue stream flowing into their coffers. Which means those downloading apps from their store do not have the tools readily available to them to detect such surveillance malware.

- October 30, 2019 1:42 AM

@ Moderator,

The above from “Cassandra D. Everhart” is unsolicited service advertising.

If memory serves correctly that phoney name has been used more than once but I think for different services. I’m thus guessing that the same people are behind the placing of the adverts.

Which begs the question as to if it’s some two cent per placed advert sweat shop in China, or if it’s a more criminal enterprise.

SpaceLifeForm October 30, 2019 3:35 PM

There is a reason to purchase hacking tools but never deploy. Note the location.

hxxps[:]//www.vice.com/en_us/article/59n4en/us-army-intelligence-bought-didnt-use-hacking-team-malware

Wesley Parish October 31, 2019 3:04 AM

@Sherman Jay

Regarding encryption, does anyone have info about using two dissimilar methods of encryption sequentially on a file makes it essentially un-crackable? I’ve tried that technique and some amateurs I asked haven’t been able to decrypt that file.

This question reminded me of the ADFGVX cipher, used by the Imperial German Army during the last stages of the Great War in 1918. It used two different forms of encryption, the Polybius Square and columnar transposition. The Imperial German Army considered it unbreakable.

Wikipedia covers it:
https://en.wikipedia.org/wiki/ADFGVX_cipher

It’s well worth a read.

Clive Robinson October 31, 2019 5:01 AM

@ Anders,

With regards the Indian nuclear power plant and the “North Korean” RAT, a question immediately arises of,

    Why would North Korea want to get in to any of India’s nuclear power plant computers?

If it was “China” then yes they have been having the odd ding dong over boarder disputes over several years.

But… what is not as well known as perhaps it should be, is that India and North Korea have growing trade and diplomatic relations much to the anoyance of certain other nations.

India maintains an embassy in Pyongyang, and North Korea has an embassy in New Delhi. India has had longstanding diplomatic ties with North Korea, which go back to and thus are a legacy from India’s non-aligned status during the Cold War. India untill very recently[1,3] was one of North Korea’s biggest trade partners and a major food aid provider. Even under intense pressure from the United States, India had consistantly refused to reduce its diplomatic relations with Pyongyang[2]. But with a recent political shift in India against Pakistan and Muslims in general by the newly emboldend Hindu political leadership India is now courting the US for advanced weaponry, supposadly to use against China…

However India has been a longterm opponent of North Korea’s development of nuclear capabilities. In part this is because North Korea like Iran and other countries on the old US Axis of evil list got their base technology via a company in Switzerland. The company was founded in part from stolen technology from Europe carried out by A Q Khan also known as “The father of the bomb” who developed a nuclear weapon capability for Packistan. In part because it is still unknown what resources North Korea provided to Pakistan. What is known is the North Korea traded short and medium range deliver systems technology to Iran as part of the longer term Iran – North Korea relations.

So unless Inda has some kind of specialised “must have” nuclear technology at that nuclear power plant, –which is probably unlikely– it would mean it is very probably not in North Korea’s interests to stir it up with India, lest all ties are cut.

But the India – North Korea relationship has another twist… Cyber-warfare. It’s been said for a few years now that more and more alledged North Korean cyber-warfarr attacks have originated in India. Some believe that Inda knows way more about this than thry so much so others think there is a quite firm relationship between India and North Korea on Cyber-Warfare…

All of which raises the question of,

    In who’s interest would a diplomatic and more importantly further trade falling out between India and North Korea be?

Just remember that the biggest opponent to the relationship that helped bring stability to North Korea is the US… But worse there has been a major falling out between North and South Korea over yet another round of US-South Korea war games. Oddly though as several will know at the begining of the month there were conciliatory noises from both the North Koreans and US sides over renewing the stalled US – North Korea talks…

Even though a certain fire-brand now ex-insider to the US administration has been mouthing off to any one who will listen about what a bad idea it is, and in effect pushing a hard-line if not start-a-war line…

Starting a war with North Korea or even making threats militarily is not realy a good idea, after all North Korea has two super powers at it’s north China and Russia both of which in effect back stop the Hermit Kingdom for various reasons. As people will know China has just been celebrating it’s 70th anniversary, what less will know is that China feels a deep debt of gratitude to North Korea over this. In essence Korea sent in not just supplies but many battle hardened soldiers to fight for the Chinese Communist army and thus changed the tide of battle. China has repratedly hounoured it’s debt to what is now North Korea and as a look at history will tell people China has no fear about backing North Korea militarily.

Russia currently has an odd relationship with both India and North Korea over China which further complicates issues, but if it comes to US hostile activities around North Korea and Russian territory then they are likely to come down on North Korea’s side. What complicates things is trade and currancy. Currrently China is the top trading partner fpr North Korea, but Russian trade is rapidly incrrasing in various odd ways[4]. Which can in part be explained by currancy issues within North Korea.

All in all it’s quite complicated to get your head around as it often is with the Hermit Kingdom. They know that their position is not to different to that of a gold fob watch at a pickpockets convention.

[1] https://in.reuters.com/article/tillerson-asia-india-northkorea-idINKBN1CU0XZ

[2] It’s no secret that some in the US State Dept blaim their failure to bring North Korea and it’s leadership down on India. Whilst certain “War Hawks” have been trying to provoke hostilities between the North and South of Korea, that have ended up in the Chinese taking economic actions against South Korea and a partial climb down of US intensions in the region.

[3] https://thediplomat.com/2017/07/indias-u-turn-on-north-korea-policy/

[4] https://thediplomat.com/2019/07/north-korea-turns-to-russia-for-cash/

tds October 31, 2019 4:21 PM

https://twitter.com/emptywheel/status/1189954950320807938

https://www.nbcnews.com/news/us-news/rudy-giuliani-needed-apple-genius-help-unlock-his-iphone-after-n1074241

“Rudy Giuliani [currently, AFAIK, still President Trump’s lawyer] needed Apple genius [bar] help to unlock his iPhone after being named Trump cybersecurity adviser [in 2017]

[…]

A forgotten password is among the most common missteps in the digital age.

But Giuliani’s handling of the situation calls into question his understanding of basic security measures and raises the prospect that, as someone in the president’s inner circle, his electronic devices are especially vulnerable to hackers, two former FBI cyber experts told NBC News.

“There’s no way he should be going to a commercial location to ask for that assistance,” said E.J. Hilbert, a former FBI agent for cybercrime and terrorism…”

Clive Robinson November 1, 2019 12:59 PM

@ All,

From time to time I say that all red team, pen testers, and security researchers should know and use Software Defined Radio (SDR) systems.

A very simple example of what you can do with an SDR to,do a replay attack on an electronic door bell,

https://m.youtube.com/watch?v=uIVBVd6yi_A

Works as well for garage door openers, and almost as easily for quite a number of electronic locks that use “Mobile Phones” as the key device…

You can also use them to create your own fake cell towers for just a few hundred Dollars,

https://m.youtube.com/watch?v=LV-CRJWC5_o

And all the fun that involves

The LimeSDR has a great deal of GSM software and firmware developed for it and you can do all sorts of “surveillancy things” with it.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.