Crypto AG Was Owned by the CIA

The Swiss cryptography firm Crypto AG sold equipment to governments and militaries around the world for decades after World War II. They were owned by the CIA:

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company's devices so they could easily break the codes that countries used to send encrypted messages.

This isn't really news. We have long known that Crypto AG was backdooring crypto equipment for the Americans. What is new is the formerly classified documents describing the details:

The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.

The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the United States and its allies exploited other nations' gullibility for years, taking their money and stealing their secrets.

The operation, known first by the code name "Thesaurus" and later "Rubicon," ranks among the most audacious in CIA history.

EDITED TO ADD: More news articles. And a 1995 story on this. It's not new news.

Posted on February 11, 2020 at 10:42 AM • 89 Comments

Comments

wiredog • February 11, 2020 11:16 AM

We knew they were backdooring; that they were owned by the CIA and BND is, I think, new. It gave the CIA and BND a nice little uncontrolled income stream, too.

me • February 11, 2020 11:24 AM

The same probably applies to YubiKeys, but I use them anyway; I like them.
A bugdoor has been found and fixed (probably by adding a new bugdoor).

I just don't trust closed source, and I don't trust whoever gives away replacements for free after a bug is found.
This just NEVER happens; quite the opposite: many companies brick your IoT devices remotely to force you to buy the new version.
They are the only ones who give away millions of replacements for free.
This can't be explained and is not a business model that can be maintained without government money as sponsor + backdoor.

Norio • February 11, 2020 12:26 PM

From the Washington Post article:

The papers largely avoid more unsettling questions, including what the United States knew — and what it did or didn’t do — about countries that used Crypto machines while engaged in assassination plots, ethnic cleansing campaigns and human rights abuses.

"Unsettling" is putting it very mildly, especially since we are unlikely to ever learn the answers to those questions due to the "ethics cleansing" campaign waged on the CIA reports.

a • February 11, 2020 1:56 PM

Does anyone know how exactly they backdoored the machines?
Is anything about the algorithms known?

If the WSJ story is correct, and an engineer found the flaw, it couldn't have been very sophisticated.

Mr. Peed Off • February 11, 2020 2:07 PM

Given the huge amount of surveillance by governments, corporations, and others I suspect a large amount of insider trading is taking place.

Bruce Schneier • February 11, 2020 2:26 PM

@a:

"Does anyone know how exactly they backdoored the machines? Is anything about the algorithms known?"

The article says: "If 'carefully designed by a clever crypto-mathematician,' he said, a circuit-based system could be made to appear that it was producing endless streams of randomly-generated characters, while in reality it would repeat itself at short enough intervals for NSA experts -- and their powerful computers -- to crack the pattern."

Those early machines ran in output-feedback mode (key autokey in NSA language), so they did something to reduce the period of the keystream. In more modern machines, the obvious best way to backdoor a crypto machine is to reduce the entropy of the keyspace in some non-obviously detectable way. I wrote about this in general here:

https://www.schneier.com/essays/archives/2013/10/how_to_design_and_de.html
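Added example (not part of the comment above, and not a Crypto AG algorithm): a toy output-feedback keystream generator built on a 16-bit LFSR, once with a primitive feedback polynomial and once with a reducible one chosen so the period collapses from 65535 to at most 24 while the register looks identical from the outside. It also shows the two audits a customer could run, a white-box cycle count when the design is available and a black-box repeat-lag search on output, and why a short period is fatal: shifting the ciphertext by the period cancels the keystream. Tap positions, the seed 0xACE1 and the test plaintexts are constructed values.

```python
"""Toy OFB-style keystream generator with a rigged period, plus audit checks.
Constructed for illustration only; not the design of any real machine."""
from typing import List, Optional, Tuple

NBITS = 16
# Feedback taps: bit positions XORed together to form the new top bit.
# (0, 2, 3, 5) realises the primitive polynomial x^16+x^14+x^13+x^11+1, so every
# nonzero seed sits on a single cycle of 2^16 - 1 = 65535 states.
HONEST_TAPS: Tuple[int, ...] = (0, 2, 3, 5)
# (0, 8) realises x^16+x^8+1 = (x^2+x+1)^8, which is reducible: the cycle length
# divides 24 even though the register is still 16 bits wide.
RIGGED_TAPS: Tuple[int, ...] = (0, 8)


def lfsr_step(state: int, taps: Tuple[int, ...]) -> int:
    """One clock of a Fibonacci LFSR: shift right, insert the tap XOR at the top."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return (state >> 1) | (fb << (NBITS - 1))


def keystream(seed: int, taps: Tuple[int, ...], length: int) -> List[int]:
    """Keystream bits: output feedback, the register clocks itself with no plaintext input."""
    if not 0 < seed < (1 << NBITS):
        raise ValueError("seed must be a nonzero 16-bit value")
    bits, s = [], seed
    for _ in range(length):
        bits.append(s & 1)
        s = lfsr_step(s, taps)
    return bits


def encrypt_bits(plain: List[int], seed: int, taps: Tuple[int, ...]) -> List[int]:
    """Stream cipher: XOR plaintext bits with the keystream."""
    return [p ^ k for p, k in zip(plain, keystream(seed, taps, len(plain)))]


def state_period(seed: int, taps: Tuple[int, ...], limit: int = 1 << 17) -> int:
    """White-box audit (design in hand): clock until the state returns to the seed."""
    s, n = lfsr_step(seed, taps), 1
    while s != seed:
        if n >= limit:
            raise RuntimeError("no cycle found within limit")
        s, n = lfsr_step(s, taps), n + 1
    return n


def smallest_repeat_lag(bits: List[int], max_lag: int) -> Optional[int]:
    """Black-box audit (output only, e.g. the device encrypting all-zero test text):
    smallest lag d with bits[i] == bits[i + d] for every i, or None if none found."""
    n = len(bits)
    for d in range(1, min(max_lag, n // 2) + 1):
        if bits[d:] == bits[: n - d]:
            return d
    return None


def shifted_ciphertext_xor(cipher: List[int], period: int) -> List[int]:
    """Why a short period is fatal: c[i] ^ c[i+p] == m[i] ^ m[i+p], so the keystream
    cancels and a relation between plaintext positions is exposed without any key."""
    return [cipher[i] ^ cipher[i + period] for i in range(len(cipher) - period)]


if __name__ == "__main__":
    seed = 0xACE1  # constructed seed
    print("honest period:", state_period(seed, HONEST_TAPS))
    print("rigged period:", state_period(seed, RIGGED_TAPS))
    print("lag visible in 400 rigged output bits:",
          smallest_repeat_lag(keystream(seed, RIGGED_TAPS, 400), 100))
```

The black-box check is the one worth remembering: it needs no knowledge of the circuit, only a few hundred bits of output under a fixed setting, and a period of 24 shows up immediately where a period of 65535 would not.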

Kai • February 11, 2020 2:48 PM

And this, my friends, is one of the main reasons I don't use a VPN service. You're crazy if you think that the CIA aren't running a good, low-cost, security-conscious VPN service. Why try to break VPN traffic when you can have people pay you to give you all their traffic in the clear?

Sure, there are certain use cases for VPNs that make sense, but the current fad of recommending that everyone and anyone use a VPN because it's more secure completely misses the mark.

With the widespread adoption of cheap and free SSL certificates, even browsing on public wifi isn't anywhere near as much of a threat to your personal information as it once was.

Curious • February 11, 2020 3:25 PM

Reading this made me think of how the British eventually found a flaw in Nazi Germany's navy Enigma machines. I think I've heard that the breakthrough came from finding out that the German navy Enigma machine never re-used a particular character (or something like that), and they managed to unravel how it all worked. Apparently the navy version of the Enigma was more difficult to crack than other versions. Something I think I remember from a YouTube video; hopefully I am not remembering this wrong, but feel free to correct me.

SpaceLifeForm • February 11, 2020 3:27 PM

Note the date: 1995-12-15

hxxps://www.baltimoresun.com/news/bs-xpm-1995-12-15-1995349003-story,amp.html

"The allegations are not new at all and just repeat tales which date back 25 or more years," Crypto AG said in a two-page statement. "A connection between the activities of Crypto AG and NSA is pure invention, obviously construed to discredit Crypto AG."

SpaceLifeForm • February 11, 2020 3:51 PM

1975-08-19 (and 20) meeting

CAG/IA/Motorola. 3,2,3

Any names ring bells?

Sture Nyberg
Oskar Sturzinger
Peter Frutiger

Herb Frank
Nora Mackabee

Jim Kirch
Keith Warble
Bob Pfeifer

Peter • February 11, 2020 6:22 PM

How does this impact ProtonMail? I.e., what 3rd party review label would assuage such worries?

Jester • February 11, 2020 7:06 PM

@Peter: how does this impact ProtonMail?
Spot on. Proton, financed by the Swiss government, funded by the EU and advised by the Man himself.

Threema's biggest customers are the Swiss government and the Swiss military (which controls the inland secret service).

Threema & Proton both are cancer. Closed source to us, open source to the government.

DBF • February 11, 2020 7:07 PM

@Kai,
Yes my friend, you are 100% correctamento on CIA running VPN services. They've had a good run though, gotta hand it to 'em. BUT, it's coming to an end as more and more people are finding out. Jeez, I knew I wasn't the only one who was 100% without a doubt aware of this scam. Long live this free speech blog where we can at least say things like this without consequences (I'll let ya know if I'm still alive next week).

DBF • February 11, 2020 8:11 PM

@Erwin,

"Schweizer Allzweck-Taschenmesser" = The Swiss All-Purpose Pocket-Knife.
I can't stop laughing. Does anyone else get the irony?

Tatütata • February 11, 2020 8:27 PM

The ZDF ran several short segments in Tuesday's news bulletins, which were completed in the evening by a longer ~13 minute piece in the public affairs program "Frontal 21". Low-density TV delivery means that the contents fall way short of the WaPo article, but the essential points are conveyed. The more Germany-specific comments showed, if this was at all necessary, the continued moral turpitude of successive federal governments, who were perfectly informed of the horror inflicted by many despots in their export markets. This affair also helps explain the feeling after the Snowden scandal that the German secret services appeared to be more in the service of US TLAs than of their own government, and that the latter were entirely OK with that...

One interesting item I haven't seen in the WaPo article was that the profits accrued from Crypto AG flowed directly into the BND budget, beyond the control of parliament. In other words: a slush fund. (Le Carré would write "Reptile Fund". This expression however wasn't his invention, but was created by Bismarck. But I digress.)

This piece seemed to me to have something of a stopgap character in view of the importance of the subject. I suppose that it was produced because of the immediate WaPo disclosure. In the concluding remarks by the moderator (not in the above clip), it was announced that a special documentary with the title "Geheimaktion Rubikon -- Der größte Coup des BND" will be broadcast in the evening prime-time on 18 March 2020. The title sounds more admiring than critical.

I find it slightly curious that it was the ZDF (Mainz) who got hold of this story. This beat is usually covered by the NDR (Hamburg) "Panorama", or WDR's (Cologne) "Monitor", who also have much higher journalistic (or pretenses).

The WaPo article fails to mention that German Swiss TV was also a partner in this.

Tuesday's SRF nightly news bulletin had a 5-minute item, and a 100-minute special is scheduled this Wednesday evening, which will undoubtedly have a much more national angle. The question is: who in Switzerland knew? Swiss authorities were supplied with the better models, and not the backdoored export versions.

BTW, I found nothing yet on this story on the sister French-language service. The Bourbine is no lender; that is the least of her faults.

Erwin • February 11, 2020 8:36 PM

Tatütata

"The question is: who in Switzerland knew? Swiss authorities were supplied with the better models, and not the backdoored export versions."

Let's forget what happened with Crypto AG in the past. The past is the past & I don't want to know.

Let's rather focus on the two snake-oil merchants Proton and Threema. There, we got the real danger!

Tatütata • February 11, 2020 8:57 PM

(missing quote in URL corrected)

The ZDF ran several short segments in Tuesday's news bulletins, which was completed in the evening by a longer ~13 minute piece in the public affairs program "Frontal 21".

Andrew • February 11, 2020 9:18 PM

Not a big surprise. It's more interesting who revealed this information days before the US claims that Huawei/China has backdoors in their gear.
Just another proof that nothing really can be hidden forever.

Norbert • February 12, 2020 2:44 AM

Strange, pCloud AG is also located in Switzerland, in Baar.

A few minutes from the former Crypto AG.

Clive Robinson • February 12, 2020 3:20 AM

@ All,

I wrote a longish answer to @Curious, who originally posted the WashPo link.

Please note that like @Curious I've had no access to the WashPo article, so what I wrote was from memory and one or two snippets from the Internet,

https://www.schneier.com/blog/archives/2020/01/friday_squid_bl_714.html#c6805660

I also wrote another comment to @Curious about it and to @Bruce which is relevant to some of the comments above about more current Swiss based "security" companies,

https://www.schneier.com/blog/archives/2020/02/friday_squid_bl_715.html#c6805692

MB • February 12, 2020 3:22 AM

It is said that the son of the company founder was against backdooring and would end it once he took over the company from his father. He died in a car accident in NY. Ref. https://www.infosperber.ch/FreiheitRecht/NSA-BND

Also of interest: the Libyans seem to have changed to crypto gear from the other Swiss crypto company at the time, Gretag. But "the NSA had that base covered as well" according to:

https://books.google.ch/books?id=BWGiBQAAQBAJ&pg=PA44&lpg=PA44&dq=Gretag+nsa&source=bl&ots=h2aIRBsf2G&sig=ACfU3U2zQAyleH-lvRYvjZoCOGEp8CsySA&hl=de&sa=X&ved=2ahUKEwiFlsqF1cvnAhXwyKYKHUsFB_kQ6AEwAHoECAYQAQ#v=onepage&q=Gretag%20nsa&f=false

Mushroom Cloud • February 12, 2020 4:59 AM

This isn't really news. We have long known that Crypto AG was backdooring crypto equipment for the Americans.

I agree.

https://www.businessinsider.com/cia-secretly-bought-encryption-company-crypto-ag-spy-countries-report-2020-2?amp

The company, Crypto AG, sold gadgets and software to spies, diplomats, military officials, and private companies for decades.

CIA agents secretly listened in on all communications ...

Who is buying this stuff anyway? And who are these middle managers to listen to such smooth-talking salesmen and consultants? It's been well and truly called out as snake oil, time and time again. So the U.S. and Israel are not the only countries doing this — that's Germany, isn't it? I must assume the Holocaust is adequately minimized after what 76 years, and bygones are bygones, but the heavily censored and Machiavellian "Protocols of Zion" do appear to have come fully into effect this time.

Clive Robinson • February 12, 2020 5:26 AM

@a,

Does anyone know how exactly they backdoored the machines?

Yes and no. What we do know is that some of the machines had to be both secure and insecure, so that they could interoperate without raising any "red flags" by not interworking with secure machines...

We know from the book "Spy Catcher" written by Peter Wright, published in the early 1980s, that one method was to supply an "algorithmically secure machine" but with an "acoustic side channel" that leaked key information in it. Basically MI5 had gained audio access via an "infinity device" to the "Crypto Cell" at the Egyptian Embassy in London. They could thus hear the mechanical cipher machine running. Whilst it did not give the "key", what it did do was give the "wheel" starting points, turn-over points, and which were rotated at any time. This reduced the "attack space" GCHQ had to deal with from "months to minutes".

As for affecting the "key stream": back in WWII the strategic, not tactical, German high-level cipher machine was the Lorenz teletype cipher machine. It used 12 cipher wheels with "movable lugs" on the wheel periphery, that caused a "key stream" to be built by XORing the lug positions. The wheel sizes were essentially "prime to each other", thus whilst they were only 30-60 steps each, their combined sequence was the multiple of their step sizes, which was immense. At Bletchley Park the traffic from these machines was codenamed "Fish" and the machine "Tunny". The work of two men broke the machine sight unseen due to a mistake made by a German operator. There are various pages up on the web that will give you as little or as much information on it as you would like.

But what you need to remember is that,

1, The failings of the Lorenz machine are shared by many other machine ciphers not just mechanical ones.

2, Virtually all machine ciphers pre AES have both strong and weak keys with a range in between.

The US Field Cipher based on the Boris Hagelin coin-counting mechanism suffered from the second issue; in fact it had rather more weak keys than strong. This was not a problem for the US military as they "issued key schedules centrally"; thus, knowing what were strong keys and what were weak keys, they only ever used the strong keys. The knowledge of weak and strong was, as far as we can tell, worked out by William F. Friedman, and it was deliberately implemented as such by him. That is, the big weakness of any field cipher machine is the enemy will capture it and may well end up using it or copy its design to make their own machines (see the history of Enigma type "rotor" machines to see that in action).

Thus the reasoning was: either the enemy is smart and will know about the strong keys and weak keys, in which case nothing won or lost. However if they do not, and assume all keys are the same, then your cryptanalysis team has just been given a great big bonus to make their lives easier. What was not known then and still not widely recognised was the British invention of Traffic Analysis in all its forms and the huge card file database they used with it. This enabled them to identify specific traffic circuits and individual operators without the use of cryptanalysis. Which gave not just vast amounts of "probable plaintext" but also "probable cillies" and other bad operator habits. All of which made breaking of even strong keys very very much easier. Thus traffic under weak keys becomes a lever to put in the cracks of strong keys...

What is also known is that Crypto AG supplied customers not just with the actual crypto machines but a whole lot of key generation support... This was in the form of manuals and machines, all of which pushed Crypto AG customers into producing either "weak key schedules" or "known key schedules", but the actual encryption machines worked identically to those who used "secure key schedules", thus were fully compatible, so no red flags raised.

The thing that we forget these days is that designing crypto kit is actually a hard process. Whilst it's easy to come up with complex algorithms, they are almost impossible to implement in a mechanical system that is reliable in use. Likewise for their pencil and paper analogs. Also they are eye-wateringly expensive to make. If you are ever lucky enough to get your hands on just a single Enigma rotor you will see it is superbly engineered from many many parts, each one of which requires a great deal of engineering; thus there are hundreds of hours of work in each Enigma machine even though the outer wooden box might look crude to modern eyes. Thus only fairly simple algorithms got implemented, based on minor variations to odometer or coin counting mechanisms.

Until DES came along nearly all "electronic" cipher machines were based on simple circuits like shift registers and SR latches. In most respects many were just simple copies of mechanical cipher algorithms. So the likes of a Lorenz wheel became a "ring counter with reset" and the lugs were replaced by a "plug board"; the algorithm remained the same, along with all its weaknesses... Even when put in software in 4 and 8 bit CPU systems or later microcontrollers, those old defective mechanical algorithms came along as "counters mod N" driving "lookup tables"... In part this happened due to "inventory costs": if you've invested a fortune in mechanical cipher systems you want your new shiny electronic systems to be compatible, likewise those that are CPU based. It's the same old "legacy issue" that almost always works more for your enemy than it does for your security.

But acoustic side channels are known to be not the only ones. Even theoretically secure One Time Pad/Tape systems are practically insecure when implemented in machine form. The UK high-level super-encipherment machine known as Rockex, used by the Diplomatic Wireless Service (DWS) and designed by Canadian engineer "Pat" Bailey, suffered from this, as I mentioned years ago on this blog. In essence the Pad/Tape "additive" was done in a circuit using Post Office Type 600 relays. Even though the open to close times could be adjusted there was always a slight time asymmetry that got out onto the telephone pair used to connect to the telex network. This time asymmetry could be used to determine the "additive", thus strip it off leaving the plaintext...

One solution to this is to use a "shift register" or secondary relay that "reclocked" the data signal so that the time asymmetry seen on the line was not that of the relay doing the encipherment, but the time asymmetry of the reclocking relay. In essence the contacts of the reclocking relay were "open" during the critical time period in which the encipherment relay changed state.

Which in theory should have made it secure... But open relay contacts, like open switch contacts, can be "jumped" because in reality they are small value capacitors. This is what the "infinity device" was all about. It enabled you to put a high frequency signal on the telephone pair that would see the encryption relay change state through the open contacts of the reclocking relay... So you needed to add extra circuitry to prevent the time based side channel from the encryption relay being seen on the line. Thus leaving out that extra circuitry made a very secure system nearly totally insecure to anyone with the appropriate device in line, yet it retained total data level compatibility with its secure counterparts, so again no "red flag" waved.

I hope that answers some of your question.
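Added example (not part of the comment above, and not the settings of any real machine): a Lorenz-style wheel-and-lug keystream and the kind of key-schedule audit a central issuing authority could run so that only strong settings are distributed. Each wheel is a ring of lugs that advances one step per character; the keystream bit is the XOR of the lugs under the read position. With pairwise coprime wheel sizes the period is their product, but a wheel whose lugs are all set (or all clear) contributes a constant and silently drops out of the XOR, so the period shrinks to the product of the remaining sizes. The wheel sizes 23, 29, 31 and the lug patterns are constructed values.

```python
"""Wheel-and-lug keystream with a key-schedule audit (constructed example)."""
from functools import reduce
from math import gcd
from typing import Dict, List, Sequence

Wheel = Sequence[int]  # lug pattern around the wheel: 1 = lug set, 0 = lug clear


def lcm(a: int, b: int) -> int:
    return a // gcd(a, b) * b


def wheel_keystream(wheels: Sequence[Wheel], length: int) -> List[int]:
    """Every wheel steps once per character; the keystream bit is the XOR of the
    lugs under the read position of each wheel."""
    bits = []
    for n in range(length):
        bit = 0
        for w in wheels:
            bit ^= w[n % len(w)]
        bits.append(bit)
    return bits


def nominal_period(wheels: Sequence[Wheel]) -> int:
    """What the data sheet promises: the lcm of the wheel sizes."""
    return reduce(lcm, (len(w) for w in wheels), 1)


def measured_period(wheels: Sequence[Wheel]) -> int:
    """True keystream period: the smallest divisor d of the nominal period at which
    the generated stream repeats (the true period always divides the nominal one)."""
    nominal = nominal_period(wheels)
    ks = wheel_keystream(wheels, 2 * nominal)
    for d in range(1, nominal + 1):
        if nominal % d == 0 and ks[d:d + nominal] == ks[:nominal]:
            return d
    return nominal


def audit_key(wheels: Sequence[Wheel]) -> Dict[str, object]:
    """Check an issuing authority could run before a setting is distributed.
    A setting is weak when its real period falls short of the nominal one;
    the report also names the wheels whose lugs are uniform and so drop out."""
    constant = [i for i, w in enumerate(wheels) if len(set(w)) == 1]
    nominal, actual = nominal_period(wheels), measured_period(wheels)
    return {"nominal": nominal, "measured": actual,
            "constant_wheels": constant, "weak": actual < nominal}


def constructed_wheel(size: int, salt: int) -> List[int]:
    """Deterministic, non-constant lug pattern standing in for an issued setting."""
    return [((i * i * 7 + salt * i + 3) % 5) & 1 for i in range(size)]


if __name__ == "__main__":
    strong = [constructed_wheel(23, 1), constructed_wheel(29, 2), constructed_wheel(31, 3)]
    weak = [constructed_wheel(23, 1), [1] * 29, constructed_wheel(31, 3)]  # middle wheel all lugs set
    print("strong setting:", audit_key(strong))
    print("weak setting:  ", audit_key(weak))
```

The audit is cheap because it only has to test divisors of the nominal period, which is why a central key-issuing office could afford to run it on every setting; a customer who instead took key material generated for them would never see that check.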

Clive Robinson • February 12, 2020 5:35 AM

@ BND,

Danisch has since become quite a prolific blogger, unfortunately only in German:

You now have the opportunity to see if "Google Translate" is backdoored...

Put his blog pages through Google Translate and compare the English result to what you have read in German. Any differences you find can serve as "warning flags".

Mushroom Cloud • February 12, 2020 5:54 AM

@ all, re: "justin cleveland"

Contact; info AT scamsrescue DOT com

There's a website "scamsrescue DOT com".

It opens the OpenKeychain app from Google Chrome.

https://www.openkeychain.org/

I assume to steal private keys. What does that "scamsrescue" firm do with the stolen identities?

That's the problem. We're little people. We ain't got no protection when the big boys track us down.

MarkH • February 12, 2020 8:08 AM

@a:

You might care to look at my comment made on another thread just before Bruce made this post. It has a few quotes from the Washington Post article, including:

The NSA didn’t install crude “back doors” or secretly program the devices to cough up their encryption keys.

My non-expert inference is that the machines implemented stream ciphers, which I believe was common practice in those days.

As Bruce wrote above, rigging the keystream to repeat with a relatively short period makes cryptanalysis much cheaper.

No need for tricky side-channel stuff, which often requires kinds of access that won't be feasible.

Spies have pulled off great feats of skullduggery with planting bugs, beaming microwaves, and the like ... but it's foolish to assume success in such ventures, especially when the equipment in question was at dozens of secured locations (at least).

Also, such James Bond attacks carry a load of risks, including the very serious one that if they're detected, the target may infer that the equipment is compromised, with the result that you lose everything.

Weakening the encryption in ways that are hard to detect isn't sexy -- but in the big picture, it's likely to yield the biggest intelligence harvest.

a • February 12, 2020 10:09 AM

Thanks for the explanation, Bruce, Clive Robinson, MarkH. Makes a lot of sense and explains why an engineer found the problems.
I found an interesting article about a Philips device that was backdoored as well:
https://cryptomuseum.com/crypto/philips/px1000/nsa.htm
The code is a very simple OFB stream cipher built from linear feedback shift registers.

The big question is: Why is this news now? Everyone has known this since the 90s. When the salesman was imprisoned in Iran, it was worldwide news. I still remember the reporting.

The state TV station ZDF is not known for doing journalism, all their leadership positions are filled with party hacks.

That makes me wonder, is the story just news to the ZDF, or is there a reason to publish this internationally now?

Do they want the people still using Crypto equipment to switch to another product? If my Embassy was still running these machines, what company would I switch to?

Let's not forget that this is an area where presumably a wax seal counts as the pinnacle of security.
If the Soviets were able to open the shipments with typewriters to the US Embassy in Moscow other countries will be just as vulnerable.

MarkH • February 12, 2020 10:36 AM

@a et al.

No, that Crypto AG was collaborating with U.S. intelligence is not news.

What IS news, is a wealth of detail which (as far as I'm aware) was never public before.

How many people knew that the Swiss firm had actually been acquired by the CIA, and that Western intelligence agencies were earning money from it?

Who knew the stages of evolution of the collaboration, and its timeline?

Was it public knowledge that Crypto made two versions of its products, weak for target countries and strong for allies?

For students of infosec, and of intelligence agency operations, there's quite a lot of fascinating news here.

Erwin • February 12, 2020 10:46 AM

The manual for the corresponding Crypto AG machine can be found on the internet. Google it yourself. Am not babysitting today.

@Norbert: "Strange, pcloud AG is also located in Switzerland, in Baar."

Forget about them. Some Bulgarians trying to do "something" with the "cloud". Just look it up on moneyhouse.ch.

(1) You all laughed at me when I said avoid encryption stuff from Switzerland and Germany. It is all backdoored! Seems, I was right. Just as I was right with TrueCrypt and will be right with VeraCrypt. There is only one serious encryption company in Europe. (The Man knows which one.)

(2) Gretag machines never were backdoored!

(3) It is not true that most encryption firms are located in Switzerland. In most cases, they just got a letterbox and everything else is "Made in Germany" or somewhere else. Again, Protonmail staff consists of more than 90 % foreigners (and is backed by a U.S. PE firm). But it really seems that this doesn't sink in. The Man (and his followers) just would not understand... (Even though as an "advisor" he should!)

(4) Kudelski is the only solid company that works with encryption. They have got a track record. The old name is Nagra Kudelski. Kudelski is top serious and in private ownership.

(5) The next ones to fall will be Protonmail and Threema. Again, for our German-speaking friends, check out Kuketz. The Threema shills already are in overdrive.

Threema, by and large, is a subsidiary of the Swiss secret service.
http://archive.is/M6ePX
Note: "VBS" is the new name of "EMD" or "Eidg. Militärdepartement", i.e. glorious / victorious Swiss Army.

The rule is: Avoid encryption software from companies located in the E.U. and in the 5-eyes. There is only one exception. And you know which company I am talking about.

Karma!

just me • February 12, 2020 1:02 PM

re: "Let's not forget that this is an area where presumably a wax seal counts as the pinnacle of security."

That time ended when MRI machines were invented, and it was probably ended when someone realized you could make a mold of the seal in gallium, and replace the entire letter with a new blob of wax imprinted with the cloned seal.

Paul • February 12, 2020 1:45 PM

Why is everyone being coy about the “only” company with secure crypto products from Europe? Are they based in Finland? Why can’t we say the name? Some of us aren’t in on the wink winks.

EvilKiru • February 12, 2020 2:17 PM

@Paul: I guess Erwin just didn't want to repeat the company name of Kudelski (item 4 in his morning post) for some reason.

Erwin • February 12, 2020 2:24 PM

EvilKiru: Sorry, but Kudelski is more into TV encryption cards and access systems for ski lifts. And Andre Kudelski is not a blue boxer! He's just the normal tech guy who wants the best for his employees and for the Company.

Clive Robinson • February 12, 2020 4:37 PM

@ just me,

... it was probably ended when someone realized you could make a mold of the seal in gallium, and replace the entire letter with a new blob of wax imprinted with the cloned seal.

It's been noted by others that the Black Chamber did not make a mold of the seal if they could avoid it.

They did such things as cut the seal off of any surface it was attached to and remove any string / threads / ribbons from the lifted seal.

They would remove any correspondence from the bag, noting order and orientation, and lift the seals on letters carefully, looking for any hairs etc. folded into the letter. Then hand copy the letter as near to being an "image copy" as they could, inspect it for pin holes or other hidden marks, then refold it, putting back any hairs etc., and using a hot, very thin piece of metal reattach the seal. Put all the letters back in the same order and orientation as they came out, along with any threads etc., close the bag and replace the string / threads / ribbons into the seal and reattach it to the bag.

All in just a few hours, then have it back on coaches etc. so it would arrive at its destination promptly.

Oh, as for making copies of the actual stamp used to make the seal: that can be done using a soft wax that could be rubbed gently into every mark in the seal pattern, which had been lightly dusted with a very fine powder. This soft wax would be lifted and used to make a hard mould, using a slow process of drying out very dilute potters' clay with egg white added to it, or later lacquers. When dry, any imperfections would be corrected and then this used to "cut a master" to avoid shrink-back of metals etc.

It's fascinating just how much information "soft wax" records when at the right temperature and pressed correctly. As I've mentioned before on this blog, it's what I used when very young to make moulds of people's fingertips to get their fingerprints, as part of making artificial skin with rubber solution glue that had the person's fingerprint on, which I'd then attach to "surgical gloves" of the time, around half a century ago.

Sometimes what looks like a "low tech" solution beats the best "high tech" solutions by quite a margin.

vas pup • February 12, 2020 4:39 PM

Question: Is Proton mail (Switzerland) encrypted content subject to direct access by ICs of US and Germany in the same way as well?

SpaceLifeForm • February 12, 2020 6:33 PM

@ Thelastperson

I only asked because I do not know all the names. Maybe some can connect dots.

Nora Mackabee was NSA.

Clive Robinson • February 13, 2020 4:43 AM

@ vas pup,

Is Proton mail (Switzerland) encrypted content subject to direct access by ICs of US and Germany in the same way as well?

My advice applies to all applications with encryption in them, regardless of who or how they came to be.

Firstly I would assume that unless you generate and fully control the encryption keys, your encrypted content is at risk from KeyMat loss/leak, if not from national SigInt agencies then from others.

Secondly I would assume that unless you fully control the hardware and OS the application runs on, your encrypted content is at risk via skimming and I/O shims, if not from national SigInt agencies then from others.

Thirdly, whilst we might be able to deal with "Known Knowns" and some "Unknown Knowns", the chances against "Unknown Unknowns" are probabilistic and really very low when you consider the number of new instances and classes of attack that become known each year.

So what to do?

Well, as you never really have full control over modern hardware or software, it's a safe bet you don't have control over any KeyMat. Thus you don't have security irrespective of how trustworthy or otherwise the source of the application.

However if you have physical control and you have communications control you can potentially mitigate the loss of hardware, OS and App software.

In brief you segregate encryption from communication by encapsulating the encryption method inside a protected zone and ensure that data in and data out across the zone is only carried out over guarded channels. Also that the guarded plaintext channel(s) and the guarded ciphertext channel(s) can never crosstalk with each other at any time.

Whilst dealing with "out of band" covert channels is conceptually simple (energy gapping), the fly in the ointment is "in-band covert channels" that can be added to data that goes across the guarded channels either as direct channels or as side channels.

Dealing with in-band covert channels "in the data" is what the guards on the energy gap crossing "guarded channels" are there for.

However the guards suffer from the "Unknown Knowns" and "Unknown Unknowns" issue every bit as much as the OS and App software does.

The only way to limit this is to use very simple data transmission protocols that are fully understandable and controllable by an individual. Which are then sent in a time controlled manner to reduce the bandwidth of any time based side channels as well as reduce transparency across the system from the plaintext side to the ciphertext side.

However even using plain 7-bit ASCII with only three "white space" control chars allowed (CR, LF, Tab) does not stop "semantic" and similar covert side channels being introduced.

There are also other issues such as what you think of as a "one-way channel" becoming "two-way" due to "errors and omissions" that can then walk backwards through the system such that a covert channel is formed from the ciphertext output to the plaintext input.

Just a few reasons why security is conceptually easy but practically very very hard and as history teaches us fraught with failure.

TatütataFebruary 13, 2020 5:33 AM

Here is the SRF (German Swiss TV) special I mentioned above, broadcast at 8 PM on 12 February 2020.

There is quite a bit to unpack in those 100 minutes. (And a fair bit of dialect to decrypt...)

The starting document(s?) appears to be a CIA in-house historical record/analysis of "operation Minerva", and the leak seems to have come through the BND to ZDF, who then got SRF involved. (The WaPo connection isn't mentioned, or I missed it.) The SRF journalists researched this subject for about six months, so the initial disclosure would have occurred sometime in mid-2019.

CuriousFebruary 13, 2020 6:15 AM

@Clive Robinson

I am curious. If you can please elaborate, what do you mean by "unknown unknowns"? You mention the word 'probabilistic', but I see problems with that line of thinking (basically fearmongering and presumably things that aren't open for meaningful speculation).

The logical merit of such a phrase really seems like a meaningless point to me. This also happens to be a pet annoyance of mine, this phrase, which I first heard from Donald Rumsfeld in a video. I wonder what meaning you put into that phrase. It is entirely possible I would think, that I have somehow "overlooked" something about a meaningful way to use such a phrase, but I wouldn't dare attribute that to being an 'unknown unknown', because if one ever so slightly knows what you don't know, it can't be an 'unknown unknown' as such.

If arguing based on ignorance after the fact, as in "I was initially ignorant of the facts that later were known" or "what was initially unknown to me was later known to be facts", it doesn't make any sense to think of paired unknowns like 'unknown unknown' *in advance* while also claiming to be ignorant of that which is essentially the merit of the argument with the paired unknowns, your ignorance being literally "unknown" to you.

The only way I can make sense of such a phrase is if one believes in knowledge being 'a priori', which I would argue is a lost cause in modern times (basically a fallacy), something of a superstition in believing that facts are there *in* the world, as if there was this duality of facts and any conceivable thing in the world, mixed into an unrecognizable mush of descriptions and projections, in disregard of how language and culture make up knowledge. Presumably similar to the fallacy in the body-mind duality problem. Presumably being forgetful also wouldn't qualify for a thing or something being an "unknown unknown".

One can safely say that the world changes, or is known to be changing in all kinds of ways, all the time; however a claim of ignorance in making the point that there actually is something you don't know, that you can't know, doesn't make any sense at all if excluding such obvious explanations like wishful thinking, fear and forgetfulness. I also suspect that nobody would even dare claim to be stupid, and so explaining there being an 'unknown unknown' that way (meaning that one later learned something that one didn't know before, but also that one couldn't have known because one was stupid or maybe claimed to have an organization that was dysfunctional and unable to process information in a meaningful way).

I suppose one could try to argue that maybe one day an alien lifeform from outer space will visit planet Earth and cause trouble, but if one is merely discussing the possibility of something happening, or being, one ought to understand that there is a big difference between something A possibly existing and something B possibly happening. Two different problems. And so linking up 'unknowns' that way doesn't really become a meaningful endeavor, or risks being disingenuous (would be a fallacy in politics, or fearmongering).

I think a single 'unknown' is the only meaningful way to describe a given (explained) problem and to point out some kind of ignorance or lack of knowledge, without suffering from fearmongering, or, perhaps in terms of computer security, fatalism. Fatalism being, basically, being unable to differentiate between wishful thinking and fear, or, from the point of a practitioner, just letting bad things keep happening, on and on, again and again (computer security), but maybe also in simply arguing that this is unavoidable, because of the argumentative stance baked into this notion of there even being an 'unknown unknown'. Basically, language-wise, the phrase 'unknown unknown' could become both the alluring form of forming an argument (fear), and also an excuse for actually believing in things that could be imagined to be happening later (religious fear). I can imagine one type of "religious fear" or perhaps "categorical fear" being similar to "the problem of transference" in psychoanalysis and maybe psychology (I don't know for sure about the latter). Actually believing in certain theories and certain ideas could be so influential in that it basically makes one dumb (or stupefied and maybe forgetful), because of how you are supposed to stop caring for a particular problem, just because you believe there is a risk of you being influenced by such problems and that such in turn would be considered to be categorically wrong.

Sorry for this long post everybody, though I made sure to make it easy to read at least and I think I have explained myself fairly well, so hopefully this was informative, or at least interesting.

I guess there is one somewhat funny thing to say. That insanity is doing the same thing over and over again, expecting different results. So I guess the proverbial insanity could be a close second to my idea of the possibility of the proverbial fatalism in people working and manufacturing and supervising/managing networking and computer security. :) Meaning, if one expects things to keep breaking because society/world changes with time, it would be sort of insane to also expect things to work. This last paragraph is the weakest in what I wrote here, I didn't think too much about it, but I thought this was funny in thinking of that quote about insanity (attributed to a saying by Albert Einstein).

Anders RipaFebruary 13, 2020 6:26 AM

There is a Swedish book about this that was printed in 2016.
It's called (translated):
Boris project: the biggest spy coup of the century - NSA and a Swedish genius tricked a whole world, by Sixten Svensson

https://www.akademibokhandeln.se/bok/borisprojektet-arhundradets-storsta-spionkupp-nsa-och-ett-svenskt-snille-lurade-en-hel-varld-av-sixten-svensson/9789198218084/

Note: I have not read it yet, but it was mentioned in Swedish Radio yesterday
https://sverigesradio.se/artikel/7406255

Petre Peter February 13, 2020 7:37 AM

This was also covered in Romania by ProTV, where it was revealed that the CIA had no comment on the issue.

Who?February 13, 2020 11:44 AM

@ vas pup

Question: Is ProtonMail (Switzerland) encrypted content subject to direct access by the ICs of the US and Germany in the same way as well?

ProtonMail security is weak. Let us suppose it works as intended, using two passwords (remember that it currently defaults to a single one) for accessing the inbox (remotely) and decrypting it (locally, password never transmitted or stored on ProtonMail servers) respectively.

Anyone who wants to read your email has to send a simple script that downloads the ciphertext from ProtonMail, asks you for the decryption password, decrypts the email blob on your computer (locally) and sends a copy of the decryption key iff decryption has been successful to a secure server of your favourite intelligence agency. Sending the decryption password to a remote server is the only difference when compared to the default script provided by ProtonMail to decrypt email on your computer.

Not much safer than traditional email. Now let us start talking about the, now default, single-password login.

PaulFebruary 13, 2020 2:25 PM

Where does this leave all the soft targets: airports, hospitals, transit, and utilities?
This would mean all their information is open.
This would mean all these systems are open to sabotage and manipulation.
Yes?

Clive RobinsonFebruary 13, 2020 3:44 PM

@ Curious,

I am curious. If you can please elaborate, what do you mean by "unknown unknowns"?

I look at it this way,

    Any ICTsec attack is an "instance" in a "class" of attack types.

Therefore you can have a new instance of a class of attack. That is, a variation of a Master Boot Record attack would be an "unknown" instance in a "known" class (for obvious reasons you can not have a "Known Unknown").

It's easy to see that we don't have sufficient existing knowledge to cover all instances or even classes of attack, simply because they've not been found and exploited yet.

Rowhammer, for instance, was effectively an "Unknown Unknown" even though it was entirely predictable from existing knowledge. It was not until someone put "two and two together" and came up with a Proof of Concept that it moved from "Unknown Unknown" to "Known Known". However, because of the existing knowledge and that this type of class of attack was proven, it was fairly trivial to predict that there would be variants that at the time were "Unknown Knowns", that is, an unknown variant which would become a new instance in the class of this type of memory attack.

The same applies to Meltdown: my knowledge of CPU architectures at quite low levels (microcode and the RTL it's dependent on) told me that there was going to be a lot more "Unknown Knowns", but also that there were certainly "Unknown Unknowns" to come, quite a lot of them in fact. Which is why I gave it the epithet of "The Xmas Gift that keeps giving". And lo and behold we've had quite a few "Unknown Knowns" and "Unknown Unknowns" become "Known Knowns", and I fully expect quite a few more over the next three years at least, because it's "a target rich environment" that academics have not played in before, thus there are many papers, PhDs, and names to be made.

You mention the word 'probabilistic', but I see problems with that line of thinking (basically fearmongering and presumably things that aren't open for meaningful speculation).

Er, no, things are not open to speculation and nor is FUD.

If you can do the maths you will understand why: just like the halting problem, a single Turing engine can not attest to its real state, only report what its instructions tell it to do. This is not open to argument, it's a matter of logic and mathematical proof, and people have produced both.

Now consider the following,

I have a Turing engine system which consists of the CPU (engine) and memory (tape); in addition to the standard Turing engine design is an extra input that when activated stops the engine and puts it in a held state, such that when the input signal is deactivated the engine continues exactly as though it had not stopped. I'll call this input line HALT. From this it should be clear that the standard Turing engine can have no perception of time. But also it should be clear that whilst the first engine is halted there is nothing to prevent a second engine modifying the tape.

The fact is that exactly the same effect can happen with a single CPU/engine; it's precisely what happens when a CPU processes an interrupt. The program in the process of running is halted, the CPU switches state, processes the interrupt, which will involve the changing of memory or IO, and then it switches back to the program that was running, or in a multi-tasking system it can switch to another program and run that. Known as "context switching", none of the programs have any knowledge of when they were running or not, or if the memory or IO they use has been changed, unless the interrupt/context handler sets a flag to indicate any change. In fact a part of a program or all of a program can be switched out of core memory to secondary memory as part of a paging or swap to free up memory for other uses. When the memory has been restored the program it belongs to has no idea that it has happened or that it has been started, stopped and started again. This is normal every-millisecond behaviour in many personal computers and a lot of embedded systems.

Right, having accepted that, let's take things a little further. It's possible for malware to hide in an existing program after it's been loaded in memory. For various reasons most OSs make absolutely no attempt to verify whether memory that should not be changed has been changed. After a moment's thought you will realise that this is a fundamental security failing.

So how to address it? Well, the simplest way is for a second CPU to HALT the first CPU and walk the instruction memory, either doing an image comparison or a checksum/hash, and compare results. If there has been a change that is still there then you have found malware.

However two points arise,

1. The malware can be transitory.
2. Halting the first CPU reduces its efficiency.

Thus for maximum throughput or efficiency you never check the memory but have zero security. For maximum security you never stop checking the memory but you have zero efficiency. Thus you have two endpoints of a line. Thus the rate of checking, whilst affecting efficiency, also inversely affects the security function.

But it's also --assumed-- to be "one or the other, not both". Thus if the security checking rate is set very low, it is possible for transitory malware to get into memory, carry out its function and then restore memory to its original state.

Thus there is a probability function based on the security checking rate and the transitory time required for the malware.

If your maths is up to it you will find that what you have is a "sampling function" against an unknown pulse or repetitive pulse. For a known transient time and a known sampling rate and duration you can calculate a probability curve. Having done this you can further modify the curve by allowing for repeated transients at a fixed rate. You will find that you end up with what engineers call a "sin X over X" distribution which shifts by the phase difference. That is, if the transient time is small, as you move it with respect to a plot of the checking time you will broaden out the plot by the width of the transition time. At the crossing points from processing to checking the probability is based on the width of the transition time and the width of the processing time. If the transition repeats it will have a potential harmonic or sub-harmonic relationship, at which point the probability of it being detected will be due to the phase difference only. If however the frequencies are not related then the probability is related to the starting phase and frequency difference, "phase walk". This produces a "sin x over x" curve that then gets shifted by the starting phase. Thus it's easier to think in terms of the "wagon wheel" effect seen in old movies with stage coaches with spoked wheels, where depending on the speed difference and shutter rate sometimes the wheel appears to turn forward, sometimes backward and occasionally not at all. This effect is used by car mechanics to align various timings in old "mechanical only" engines.

Hope that answers those questions.
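
The sampling argument in the comment above, as an added worked example (not code from the original post or its author): a checker halts the main CPU every check_period time units and inspects memory for check_duration; a transient modification is resident for `duration`, either once or repeating every repeat_period. The detection test, the closed-form probability for a one-shot transient with random phase, the Monte Carlo estimate and the "harmonic" case where the checker never lands on the transient are all assumptions of this model, constructed here to illustrate the comment, not measurements of any real system.

```python
import math
import random


def resident(window_start, window_end, start, duration, repeat_period=None):
    """True if the transient modification is in memory at some instant of
    [window_start, window_end].  repeat_period=None models a one-shot transient;
    otherwise the malware re-enters memory every repeat_period time units."""
    if repeat_period is None:
        return start <= window_end and start + duration > window_start
    if window_end < start:
        return False
    # Only residency intervals that could touch the window need examining.
    n_lo = max(0, math.floor((window_start - start - duration) / repeat_period))
    n_hi = math.floor((window_end - start) / repeat_period)
    for n in range(n_lo, n_hi + 1):
        s = start + n * repeat_period
        if s <= window_end and s + duration > window_start:
            return True
    return False


def first_detection(check_period, check_duration, start, duration,
                    repeat_period=None, horizon=1000):
    """The second CPU asserts HALT every check_period and hashes memory for
    check_duration.  Returns the time of the first check that sees the
    modification, or None if it is never caught before `horizon`."""
    k = 0
    while k * check_period <= horizon:
        t = k * check_period
        if resident(t, t + check_duration, start, duration, repeat_period):
            return t
        k += 1
    return None


def analytic_one_shot(check_period, check_duration, duration):
    """Probability of catching a single transient whose phase relative to the
    checker is uniformly random: a window of (duration + check_duration)
    out of every check_period is 'visible'."""
    return min(1.0, (duration + check_duration) / check_period)


def halted_fraction(check_period, check_duration):
    """Throughput cost: fraction of time the main CPU spends in HALT."""
    return check_duration / check_period


def simulate_one_shot(check_period, check_duration, duration, trials=20000, seed=1):
    """Monte Carlo check of analytic_one_shot with a constructed random phase per trial."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        start = rng.uniform(0.0, check_period)
        if first_detection(check_period, check_duration, start, duration,
                           horizon=2 * check_period + duration) is not None:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("one-shot T=10 c=0 d=2: analytic", analytic_one_shot(10, 0, 2),
          "simulated", simulate_one_shot(10, 0, 2))
    print("one-shot T=10 c=3 d=2: analytic", analytic_one_shot(10, 3, 2),
          "simulated", simulate_one_shot(10, 3, 2), "CPU halted", halted_fraction(10, 3))
    # Harmonic case: malware repeats at exactly the check period, phase 3, resident
    # for 2 units; the checker never lands on it (the wagon wheel stands still).
    print("periodic P=10 phase 3:", first_detection(10, 0, 3, 2, repeat_period=10))
    # Unrelated periods: the phase walks and a check eventually lands on it.
    print("periodic P=7  phase 3:", first_detection(10, 0, 3, 2, repeat_period=7))
```

The two endpoints of the line in the comment fall out directly: with check_duration approaching check_period the detection probability goes to 1 and halted_fraction to 1; with check_duration 0 and a short transient it is duration/check_period. The periodic case is the practitioner's caveat: a checker on a fixed schedule can be phase-locked by malware that knows the schedule, which is why real integrity monitors jitter their sampling.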

SpaceLifeFormFebruary 13, 2020 5:45 PM

@ Clive, Curious

Great explanation.

But, what happens to the Turing tape when there is a CPU *under* the two CPUs that allegedly can inspect RAM state?

There is zero security without separation of encryption and comms. Zero. Paper.

BarratFebruary 13, 2020 7:17 PM

Where do those "documents" origin from? Who validated / verified them? According to what criteria?

Questions, questions, questions.

And nobody HERE is asking them.

AlexTFebruary 14, 2020 4:43 AM

Regarding Crypto AG, this was indeed already public info for 25 years. But the details are indeed interesting and newsworthy.

I have done some work for ProtonMail at their very beginning. As far as I can tell the guys were genuine and their idea sound. Of course far from perfect but definitely better than, say, GSuite... Now that they have VC / PE funds with offices in the USA I am much more prudent, but I guess it is still a better solution than most.

As for Threema, I'd be curious about the specifics. What are the supposed (?) issues?

TRXFebruary 14, 2020 2:52 PM

> And this, my friends, is one of the main reasons I don't use a VPN service.

I use one that I'm fairly sure is compromised. But that's fine; it helps to keep the low-level data scrapers at bay. Which is all I ask of it.

Any data I have that's confidential stays on paper, not on a dubiously-secure machine wired to the internet.

SpaceLifeFormFebruary 14, 2020 4:03 PM

@ Clive

However, even using plain 7-bit ASCII with only three "white space" control chars allowed (CR, LF, Tab) does not stop "semantic" and similar covert side channels being introduced.

hxxps://en.m.wikipedia.org/wiki/Whitespace_(programming_language)

A consequence of this property is that a Whitespace program can easily be contained within the whitespace characters of a program written in [redacted]

parse [redacted] as html and javascript.
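
The in-band channel that Clive's guarded-channel comment and the Whitespace pointer above both describe, as an added example (not code from either commenter): a byte-level guard that admits only printable 7-bit ASCII plus CR, LF and Tab, a covert sender that still gets one bit per line through it using trailing tabs versus spaces, and the whitespace canonicalisation a guard needs to close that particular channel. The cover message and the payload bits are constructed for the demonstration; nothing here defeats the "semantic" channels the comment warns about.

```python
import re

# Guard rule from the comment: 7-bit ASCII, printable characters plus CR, LF and Tab.
ALLOWED = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Constructed cover message and payload for the demonstration (not from the page).
COVER_TEXT = "Meet at the usual place\nBring the documents\nReply by noon\nRegards"
SECRET_BITS = "1011"


def guard_allows(data: bytes) -> bool:
    """Byte-level guard: reject anything that is not printable 7-bit ASCII or CR/LF/Tab."""
    return all(b in ALLOWED for b in data)


def hide_bits(cover: str, bits: str) -> str:
    """Covert sender inside the protected zone: one bit per line, encoded as a
    trailing tab (1) or trailing space (0).  Every byte is still guard-legal."""
    lines = cover.split("\n")
    if len(bits) > len(lines):
        raise ValueError("cover text too short for the payload")
    out = []
    for i, line in enumerate(lines):
        if i < len(bits):
            line = line.rstrip(" \t") + ("\t" if bits[i] == "1" else " ")
        out.append(line)
    return "\n".join(out)


def recover_bits(text: str, n: int) -> str:
    """Covert receiver on the ciphertext side: read the trailing-blank channel back."""
    return "".join("1" if line.endswith("\t") else "0" for line in text.split("\n")[:n])


def canonicalise(text: str) -> str:
    """Guard mitigation: normalise whitespace so it carries no information.
    CR/CRLF become LF, runs of blanks collapse to one space, trailing blanks go.
    This kills the trailing-blank channel; it does nothing about channels that
    live in word choice, line count or message timing."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return "\n".join(re.sub(r"[ \t]+", " ", line).strip() for line in text.split("\n"))


def channel_survives_guard(cover: str, bits: str) -> bool:
    """Does the covert payload pass the byte-level guard and arrive intact?"""
    stego = hide_bits(cover, bits)
    return guard_allows(stego.encode("ascii")) and recover_bits(stego, len(bits)) == bits


def channel_survives_canonicaliser(cover: str, bits: str) -> bool:
    """Does the covert payload survive a guard that also canonicalises whitespace?"""
    stego = canonicalise(hide_bits(cover, bits))
    return recover_bits(stego, len(bits)) == bits


if __name__ == "__main__":
    print("byte filter only  :", channel_survives_guard(COVER_TEXT, SECRET_BITS))          # True
    print("with canonicaliser:", channel_survives_canonicaliser(COVER_TEXT, SECRET_BITS))  # False
```

The point of the pair of results is the one the comment makes: a character whitelist is necessary but not sufficient, because anything the guard lets through unchanged can be modulated. Canonicalising whitespace removes this channel; the sender's next move is word order, line count or send timing, which a format check cannot see.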


RachelFebruary 14, 2020 5:57 PM

Who?

( & vas pup & Alex T )


Who?, firstly I really appreciate all your contributions here, I've told you before. You are one of a select handful of names reliably informative, clear, and pleasurable to read. I was sorry to read of your decision to self-exclude based on what you interpreted as a closed, elitist culture here. I don't agree, quite the contrary. What you observed was merely a consequence of a group of posters who have been familiar over a period of up to 10 years, yet anyone is welcome to include themselves.

Anyway, your comments point to a larger aspect of this blog, which is perfect security being the enemy of the good, as the cliche goes.
We are all indebted to Clive, to Thoth, to Nick P, and many others here with their contributions that go above and beyond.

There are surely brilliant engineers and infosec experts reading silently and carefully, quietly applying the genius here to their project operating on the sharpest edge. And, as Clive has considered, even professionals in the field can't apply such competence as they soak up here and allegedly get themselves killed in their half-baked attempt to follow along.

And there is the rest of us, like me, who understand about 50% of what's written here and just want to keep climbing a few rungs higher on the privacy and security scale, and who don't have industrial secrets to manage.

Enter Protonmail. I take some exception to your comments.
Climbing the mountain toward perfection, as is so often discussed on this blog, excludes the rest of us who can never manage such, nor have need to. Threat modelling!
There is the nature of the adversary, and there is the nature of the data to be protected.

Your comments about Protonmail don't make a distinction between
NSA-level/state-level actors and everyone underneath.
They don't make a distinction between targeted access and mass surveillance. And they don't distinguish between top secret material and mundane comms.

If you are targeted individually, and it's by a state-level actor, then as Mr Schneier and most everyone else agrees, 'all bets are off'.
If you have top secret material, then why would you be using Protonmail to share it? Protonmail would agree: don't expect we are going to keep you safe from a state-level actor.

Protonmail are not pretending they offer anything perfect. They are not pretending to offer a genius security solution for secret material. They plainly point out all the things wrong with the email situation, in their FAQs and blog posts. They are simply trying to offer something a few steps up the ladder from gmail and the like.
To offer respect to the user, when gmail quite plainly says to its users 'we hate you'.
Protonmail also do things like inform all users of certain vulnerabilities, when it could only actively harm them and bring them no gain; keeping quiet would have been more helpful to them personally.

They allow their back end to be inspected. We can never know for certain if something is a honey pot. We can only gather evidence in one direction or another.
Everyone else is being very blatant; could you call gmail anything else but a honey pot of sorts?
Sure, PM need funding from somewhere, if they are not going to engage in parasitic business models like gmail and friends.

By the way, RE: your suggested attack. Respectfully, can you try this for us with an account of your own, to show it's possible?

Further, there are access logs available for the user, indicating the IP, time and date of access. Not perfect but it's something.

As for the two passwords/one password, I understand it's still two passwords; the default option is using a hash of one password to derive a second.


SpaceLifeFormFebruary 14, 2020 6:06 PM

@ Rachel

No one should leak TS/SCI stuff to start with.

But, if one did so, over VPN or TOR, they will likely be caught.

Clive RobinsonFebruary 15, 2020 9:28 AM

@ SpaceLifeForm,

But, what happens to the Turing tape when there is a CPU *under* the two CPUs that allegedly can inspect RAM state?

Adding a third CPU makes life more interesting. It depends on what it is doing...

Take Intel chips: the Memory Management Unit (MMU) and surrounding memory control systems are apparently "Turing complete", thus appearing as a "ghost CPU" that many would not expect[1]. The knowledge of this completeness has been around for about a decade now[2] and it has some really odd properties about it which many programmers will not be able to get their head around without suitable assistance.

But programming tricks aside, that mechanism very probably has way more hardware issues tucked just out of sight of a clever mind.

But IAx86/x64 in its more recent forms has one or possibly two more CPUs with what is called by some "Ring -3" access, one of which runs Minix[3].

In theory "Ring -3" gives you omnipotent "God status" over the CPU, which many would consider as bad as you could get... But no, as I've mentioned before, the real power depends on where you are in the computing stack... Ring -3 is actually quite high up the computing stack, and it is vulnerable to low-level omnipresent "Devil status" under all that those Turing engines depend on, those "tapes of instructions" we call "Memory". If you have access at memory level or below on the computing stack, there is little you can not do --except stop attacks at lower stack levels-- because, like bubbles in a glass of champagne, such tiny tiny attacks "bubble up", getting bigger and more powerful in an almost unstoppable way.

Which brings us around to the notion of "reach around/down" attacks. Most security protection in modern chips exists at the CPU or just below the MMU level in the CPU stack, and both are critically dependent on the contents of memory at a lower level in the stack. What if you could find an attack that would run above the CPU ISA level of the stack in a completely unprivileged process, that could "reach around/below" the levels in the computing stack where we carry out security functions? Well, RowHammer is a crude example of such an attack. It's a fourteen-pound lump hammer attack, not a precision gamma knife type tool, but it makes the point well enough.

When you think about it, there is no way to stop a "bubbling up" attack, because there is always a lower level in the stack you have no control over, and you can not put security in at those low levels, as a security function requires a certain level of complexity that components at those low levels do not have...

Thus the only solution is by mitigation at a level that can support it (which is actually lower than a level that can support security).

To see why, take the example of "tagging memory" with a crypto-protected value. All that is required to store the crypto tag is more memory. However, to generate the tag requires way more sophisticated logic that runs at a higher level. If someone uses RowHammer or a similar "blunt instrument" the probability that they will modify the memory and its tag correctly is dependent on the size of the memory block and tag, but with a 128-bit word and an equally sized tag it's vanishingly small.

The problem is that you will only know when an attack has been attempted when you read a memory block where the decrypted tag does not match. Compared to the memory read speed, the time required to decrypt the tag and verify it would be glacial[4]. So it would be a significant bottleneck on performance.

Is there a way to keep the speed up, at least within an order of magnitude of the read speed?

Well yes, there are ways, one of which is to use the advantages of parallel operation and compare results in a voting circuit. This has the advantage that it can be done at a point much further up the computing stack where memory read speed is in effect irrelevant. The trick is to know how to write code where it has larger "atomic functionality".

I've discussed this in the past, as @Thoth and one or two others know.

[1] I suspect the Intel IAx86 and later memory subsystems are another "gift that will keep giving", which @Thoth will appreciate the irony of. That is, it's currently --as far as we know-- an "Unknown Unknown" waiting to happen when researchers feel the need to make a name for themselves by prodding a new nest of snakes in Intel chip internals. Which "my hinky sense" tells me has the potential to make the likes of Meltdown and Spectre look almost benign. So mark the date in your diary and see how long before it becomes first one new instance in a new class of Intel CPU hardware vulnerabilities, thus a single example of a "Known Known" at the start of a cascade of "Unknown Knowns" becoming "Known Knowns" as researchers churn out paper after paper with accompanying PoC for the next five to eight years.

[2] Have a read of,

https://github.com/jbangert/trapcc/blob/master/README.md

Then put your mind in "thinking hinky mode"; there is an immense world of possibilities in a Turing complete engine that does not use "instructions" and won't run in the usual "lab environment" emulators... If you have post-Friday-night brain fog, have a look at,

https://news.ycombinator.com/item?id=5261598

Then think again with post-Saturday brain fog, heck better still think about it on the way to brain fog ;-)

[3] https://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/

[4] In theory a stream cipher would only need two rows of XOR gates and a "zero detector" to generate an exception. The first row XORs the tag and the keystream, the second XORs the resulting plaintext and the memory block and puts it into the zero detector, which unfortunately is not a "bit wide logical" but a "word wide arithmetic" function which needs "carry". But whilst that is slow compared to a memory read, there is as well the very slow issue of generating the key stream...
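
The tagged-memory read path from the comment and its footnote [4], as an added example (not code from the commenter): a 128-bit word stored beside a 128-bit tag, with the tag either the footnote's "word XOR keystream" construction (checked by two XOR rows and a zero detector) or a keyed hash over address and word. The keystream is stood in for by an HMAC keyed on the address, and the key, word and address are constructed values; both are assumptions of this example. A single RowHammer-style bit flip is modelled by flip_bit, and the same word is also "read" from a different address to show the address binding.

```python
import hashlib
import hmac

WORD_BYTES = 16                        # 128-bit memory block and 128-bit tag, as in the comment
DEMO_KEY = bytes(32)                   # constructed key for the demonstration only
DEMO_WORD = bytes(range(WORD_BYTES))   # constructed 128-bit memory word


def keystream(key: bytes, addr: int) -> bytes:
    """Stand-in for the stream cipher in footnote [4], keyed on (key, address).
    An assumption of this example, not a design from the page."""
    return hmac.new(key, addr.to_bytes(8, "big"), hashlib.sha256).digest()[:WORD_BYTES]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_tag(key: bytes, addr: int, word: bytes) -> bytes:
    """Footnote [4] tag: word XOR keystream."""
    return xor_bytes(word, keystream(key, addr))


def xor_verify(key: bytes, addr: int, word: bytes, tag: bytes) -> bool:
    """Two XOR rows then a zero detector: (tag ^ keystream) ^ word must be all zero."""
    return not any(xor_bytes(xor_bytes(tag, keystream(key, addr)), word))


def mac_tag(key: bytes, addr: int, word: bytes) -> bytes:
    """Keyed-hash tag over (address, word); unlike the XOR tag it is not linear in the word."""
    return hmac.new(key, addr.to_bytes(8, "big") + word, hashlib.sha256).digest()[:WORD_BYTES]


def mac_verify(key: bytes, addr: int, word: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, addr, word), tag)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Model a single RowHammer-style bit flip in a stored value."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def fault_detected(tag_fn, verify_fn, word_bits=(), tag_bits=(), key=DEMO_KEY,
                   word=DEMO_WORD, write_addr=0x1000, read_addr=0x1000) -> bool:
    """Write word+tag at write_addr, flip the given bits in the word and/or the
    tag (as a blunt hammer would), then run the read-path check at read_addr.
    Returns True when the read path would raise the mismatch exception."""
    tag = tag_fn(key, write_addr, word)
    for b in word_bits:
        word = flip_bit(word, b)
    for b in tag_bits:
        tag = flip_bit(tag, b)
    return not verify_fn(key, read_addr, word, tag)


if __name__ == "__main__":
    for name, tf, vf in (("xor", xor_tag, xor_verify), ("mac", mac_tag, mac_verify)):
        print(name, "clean read          :", fault_detected(tf, vf))
        print(name, "flip bit 5 in word  :", fault_detected(tf, vf, word_bits=(5,)))
        print(name, "flip bit 5 in both  :", fault_detected(tf, vf, word_bits=(5,), tag_bits=(5,)))
        print(name, "same word at 0x2000 :", fault_detected(tf, vf, read_addr=0x2000))
```

The "flip bit 5 in both" row is the caveat worth carrying away: the XOR construction is linear, so a flip at the same bit position in word and tag cancels out and passes the zero detector, whereas the keyed hash catches it. That is the difference between "the attacker must modify both values correctly" meaning a 2^-128 guess and meaning a repeat of the same hammer at the neighbouring row; the comment's probability argument holds for the keyed tag, not for the plain keystream XOR.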

vas pupFebruary 15, 2020 2:23 PM

@Clive, @Who? @AlexT,@Rachel - Thank you all on input related to Protonmail.

@AlexT: I trust your point that at the beginning it was genuine with good intentions, but as with Google, you may see a very fast transformation from "Don't be evil" to pure evil, in particular when your hands could be easily twisted by such powerful and resourceful structures as the CIA and BND, with about zero real oversight of their activity even within the executive branch.
My point was related to storage of the data: where are the servers located, and which laws govern security and legitimate access to the data by foreign ICs and/or LEAs?

@Rachel: there is a substantial difference between access to the data by ICs and by LEAs: the former primarily use it for intelligence, and so long as there is a firewall between them and LEAs, I am not concerned. IC folks, even when very rude in their actions, could extract data but not, as LEAs do, use it as the basis for a case in court where you can get many years in prison for a non-violent crime.

@all: same concern regarding Swiss banking privacy. I guess any law-abiding citizen with legitimate income who has duly paid all required taxes needs such accounts, not because of government in the broad sense, but because lawyers can get your assets in very often frivolous civil cases and make you bankrupt at the end of your life, chasing not justice but rather your pocket. In the exact similar case, if you have zero assets they (lawyers) just let you go. That is how justice, or rather injustice, works.

SpaceLifeFormFebruary 15, 2020 3:15 PM

@ Clive Robinson

I love you dude.

You knew my question was rhetorical, but you took the time to expound.

You are truly a gift.

Thank you for taking the time to expound.

We need more (and younger) people to understand the issues.


CuriousFebruary 15, 2020 4:11 PM

@Clive Robinson
I am a little embarrassed at how long my text is, but there are some nuances that imo require spelling it out properly, or risk having shortcuts that would make statements confusing.

You appear to be a knowledgable individual, however I just think is a disservice to humanity to iterate Donald Rumsfelds saying about unknown unknowns, and so to clarify, it was you that brought along the saying about 'known knows', 'unknowns knowns' and 'unknown unknowns'. You may all laugh at this, but I think this is fairly serious stuff. I asked what you meant by this saying and so I thought I'd parse your way of thinking about this, ref. to you saying "I look at it this way".

"Any ICTsec attack is an "instance" in a "class" of attack types."
(Added comment written last: imo this is an indication of self referential language, aka a tautology as if concluding that "an attack is an attack". Also, the idea of a real world 'event' ends up being either self referential (world understood as theory by doing, more on that later) and also having more than one meaning because of that (fantasy as reality), if referred to something theoretical, or imaginary real (as if "apriori", but not after the fact, or not posteriori), for any case, as 'an instance'. As if describing things in the world is purely theoretical, even though an after-the-fact 'event' is very real with other forms of describing it. A danger here imo, in having this exclusive way of describing things, in thinking that the very things projected in a theory, are real, such that doubts or questions about their existence becomes something of an impossibility because they are not only speculatively assumed, but they presumably become something like an existential, like an tangible emotion or required thinking, a very powerful influencing moment in thinking, because of how such actualizes your understanding of the world, even when confronted with say objections. In philosophy, iirc, "late" Hegel is known for using words for entertaining the idea of a most frail but yet necessary component to thinking, which sort of revolves around the idea of an 'absolute'. "Ab-solute", is by me an idea best understood in the form of an image of a puddle, a singular puddle of water or whatever, things like water becoming a singuar total form, a single puddle. Also similar to something complete, not nearly complete, nor mostly complete, but fully complete, or just, complete. 
Presumably, because human consciousness is seemingly a singuar thing, the moments in which we experience it might as well be thought of as being something absolute, even though, it is perceived as changing all the time and one being unable to pinpoint exactly what, when or why consciousness is, and then the past, present and future could be imagined as blending together into a stream of conciousness. A premise would be that the human unconcious is distant, if anything at all in particular, and basically would have to be something unkowable. How I make sense of it anyway, I don't think I am off about that even though I've never read any original text in German. Presumably "early" Hegel was maybe a populistic bullshitter, iirc associated with romantic nationalism.)

Hm, now back to the things I wrote initially. I am having fun here writing this, but I also think this kind of "discussion" is important, because as rhetoric, such a saying ought to be considered deceptive or perhaps irrational depending on the circumstance (like fearmongering in politics). The saying attributed on Wikipedia to Rumsfeld apparently attests a form of knowledge, or rather it purports such to be knowledge, but the logic of the possibility of not knowing something that is unknown would then have to be considered a fallacy and that is my concern here. What people might be thinking in general, is of no concern of mine. I am not going to tell what people are to think or not. Any argument that amounts to "knowing an idea", is hardly useful knowledge as such (but any application could be useful I guess, as generally is with ideas), or anything could be such knowledge. Worse ofc, is the obvious paradoxical fact of claiming to know that there are unknowns that also are unknowns. My earlier objection is ofc that this claim as such is pointless and thus void of meaning in any literal sense.

To split hairs here, having understood ICT to probably be meaning 'information and communications technology', I think the very idea that there is an 'instance' in a 'class' of attack types, is similar to what I described earlier regarding the difference between description of things, and projection of things. A related problem in philosophy would be "the problem of representation", which revolves about, well not a difficulty of knowing things as such but the impossibility of 'certain knowledge', mainly because of the arbitrary relationship of language and the world. A language/world duality if you will, or culture (one's thinking by language)/nature (whatever you are observing), something mutually exclusive unless ofc the language used becomes sort of self referential having described the world, or, projecting ideas onto the world.

And so, I am tempted to simply conclude that language wise, an 'instance' in this context would presumably come to mean a recognizable event in the world, however, the claim of the existence of such an instance, although theoretical, would be a projection and thus being oxymoronic in nature because of how one relies on first objectifying something as real. Paul Fry, iirc a Yale professor, from a series of youtube videos on 'introduction to theory of literature', pointed out how in the old days, that which was understood by 'theory' was understood as something done in doing (iirc), and so theory this way was not like today's I guess common idea of 'theory' in being limited to a world of the imaginary or speculative. And so one can here easily imagine how one could become locked up in a logic of a particular threat model by rhetoric, and somehow ending up projecting one's fears onto things one doesn't know, or the unknown even. What is worse I'd argue, and perhaps the most critical part of failing, would be failing to distinguish between things described in one's threat model, and whatever is merely speculated to exist so as to attribute theoretical flaws onto real things but in an imaginary way. The issue with a problem about the imaginary would be partly about the attribution part onto real things (like people in general for example) or other types of things in the world you already have thought of as being a class of things. Like, a group of people perhaps, or to use a tech like angle, a group of hardware/software related to certain attacks. And the other part of that would be a perhaps hard to notice difference between fiction and fantasy.

I would think that generally speaking, a 'known unknown' can easily be thought of as lacking a singular type of specific knowledge.

What would "That is a variation of a Master Boot Record attack would be an "unknown" instance in a "known" class" be then? An 'unknown known'? That would sound really backwards in terms of logical thinking if thinking of it as 'unknown known' (and confusing me because it was you that brought up the saying known from Rumsfeld's speech previously). :)

"Rowhammer for instance was effectively an "Unknown Unknown" even though it was entirely predictable from existing knowledge."

I think this statement just above is an example of where fiction collides with fantasy, though I ofc mean in terms of knowledge. As a conceptual metaphor or idea even I totally get this, but as knowledge, it is imo a faux pas to argue this as being an unknown unknown in this apriori way. You also can't claim incompetence, as you probably aren't responsible for this type of situation, nor could you account for the incompetence of others, and you probably didn't know about it and you didn't forget about it so as to try to qualify for there being an 'unknown unknown' that way in having forgotten or overlooked something obvious. I think this in turn pretty much raises a question of, why this rowhammer issue wasn't a known problem. I guess, they did not bother with any real work on threat models in terms of how hardware can be manipulated.

What I wrote about speculative thinking earlier, is basically a point about it not being knowledge per se, or basically most thinking would be knowledge, something which imo isn't meaningful when generalizing 'knowledge' that way. Btw, the "fearmongering" part was meant to be separate from the meaningful speculation part, I forgot to add the Oxford comma there before the "and". :) Admittedly, I think one can easily think of 'knowledge' as a blur between personal statements and objective facts, however, I would argue that the conjectural nature of any argument, makes 'knowledge' into this special thing that is supposed to be true, and not fiction nor fantasy, nor rhetoric being prone to bias or selective reasoning. I suppose what you wrote would qualify for being some kind of personal philosophy perhaps, I will have to sleep on that one.

I will have to read the turing related topic some other day I am afraid.

Btw, I just thought of this as I (try to) proofread my text: An easily understood example of fantasy vs reality, could for example be something heard on a news/tv-show, where someone conjectures a particular opinion with a given conclusion, and the listener wouldn't readily know if the conclusions are more like fantasy or more like a piece of reality.

Clive RobinsonFebruary 17, 2020 3:35 AM

@ Curious,

I just think it is a disservice to humanity to iterate Donald Rumsfeld's saying about unknown unknowns, and so to clarify, it was you that brought along the saying about 'known knowns', 'unknown knowns' and 'unknown unknowns'.

What Donald Rumsfeld may or may not have said that the press may have reported is really not that important in the scheme of things, and it's very unlikely that it was original to him anyway, it probably precedes Aristotle and Plato.

ICTsec attacks appear against time and by what or how they work to get into a computer system.

The reason for the "instances" in a "class" of attack is rather more than just for classification purposes, and it is not circular reasoning. It has practical purposes with regards to the deployment of resources and system design.

To see why consider a defender of an ICT system. Defending against individual "instances" of attack is mainly a task of Sisyphus[1] and is thus a waste of many resources. However defending against a class of attack covers many instances[2] of attack with just one set of actions. Thus not only is it more time efficient it saves other resources. As such it should also affect system design practices making them more effective, which is a self reinforcing process seen in nearly all engineering design methodologies.

Thus you classify an attack as an instance in a class of attack in a standard shorthand technique of "instance class". Which gives rise to the realisation that you can have many instances in a class but also that a class can be hierarchical. That is you have a major class that contains sub classes that in turn can have their own sub classes and so on down. In effect describing the attack method of the instance --but not the payload-- in detail (just as taxonomies of living things do).

But doing this also enables you to use the taxonomy as a predictive tool as well. You might not have an instance of an attack in the taxonomy but you can predict how it will affect any given system if and when somebody does make an instance of that class sub grouping.

But knowledge by the scientific process is an accumulative one. That is we knew less yesterday than we do today and we will know more tomorrow than we do today. To be able to do this we have to have a process,

1, Gather, information.
2, Evaluate, the information.
3, Make predictions based on the information.
4, Test, the predictions within the body of information.

Step 1 gather information is a continuous process, which is why step 4 of test is important to note because it implicitly implies "future" knowledge as well as "past". Thus the four stages of Gather, Evaluate, Predict, and Test, form an endless process that transforms gathered data into knowledge thus useful information with time.

Thus time is a part of knowledge, that is, information moves from "Unknown" to "Known" via one or more predictive hypotheses.

So when you have a taxonomy of "Instance Class" of attack you have "Unknown Unknown"; when a new attack happens it must have both the instance and a class so becomes a "Known Known". However in the predictive stage you have an "Unknown Known". That is from the class-subclass tree you can see where instances of attacks that have not yet been developed can be.

Whilst applying a taxonomy this way might be new to software developers it is not new to the sciences, in particular chemistry (periodic table) and biology (Linnaean taxonomy[3]) and most other sciences.

[1] A "Task of Sisyphus" is one that is like the eternal futile punishment bestowed on King Sisyphus by the Ancient Greek Gods. He was punished in Tartarus (Hell) by being forced to push a large boulder up an incline and just as it neared the top have it slip from his grasp and roll down again. King Sisyphus was told that should he ever push the boulder to the top, his "task" would be complete, but the Gods had fixed it so that he could never quite get on top of the task.

[2] A real world example that we generally got to find out about very early in life is often called "The Fire Drill". It is a series of instructions designed to get people out of a building as safely as possible via "hardened/safe routes". As a drill it works in cases of power failure, release of chemicals, earthquake, bomb threat and many more hazards besides fire. Having to learn a drill for each hazard would be not just a waste of time it would cause confusion and thus would itself be dangerous. However for just a "Fire Drill" the building has to be designed with just a single drill for multiple hazards. This is so recognized as worthwhile such measures are built into "Building Codes". Something software designers could learn significantly from.

[3] Linnaean taxonomy was developed by Carl Linnaeus in 1735. However the general method of taxonomy long predates him going back to at least the works of Aristotle and Plato. In fact probably further because Greek Gods are a taxonomy in their own right as are hierarchies of command from a King downwards, units of measure and even the writing of numbers. Taxonomies appear to be an innate part of human cognition thus the understanding process that turns gathered data into useful information.
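The "instance class" taxonomy described in the comment above, as an added worked example (not code from the original thread or from any commenter): a small hierarchical tree of attack classes in which a mitigation attached to a class covers every instance below it, and in which leaf classes with no recorded instance are exactly the "Unknown Knowns" the tree predicts. The class names are taken from attack types mentioned in this thread (hard-disk firmware, peripheral firmware, Master Boot Record); the mitigation strings and the instance labels are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class AttackClass:
    """One node of the taxonomy: a class (or sub-class) of attack method.

    `mitigation` is the single set of defensive actions that covers every
    instance in this class and its sub-classes (the "fire drill" idea):
    sub-classes that leave it None inherit the nearest ancestor's mitigation.
    """
    name: str
    mitigation: Optional[str] = None
    subclasses: Dict[str, "AttackClass"] = field(default_factory=dict)
    instances: List[str] = field(default_factory=list)

    def sub(self, name: str, mitigation: Optional[str] = None) -> "AttackClass":
        """Return the named sub-class, creating it if it does not exist yet."""
        return self.subclasses.setdefault(name, AttackClass(name, mitigation))


def build_taxonomy() -> AttackClass:
    """Constructed example tree; mitigation wording is illustrative, not prescriptive."""
    root = AttackClass("Persistence below the operating system",
                       "verified boot chain")
    firmware = root.sub("Firmware implant",
                        "cryptographically signed firmware updates")
    firmware.sub("Hard-disk firmware")      # inherits the class mitigation
    firmware.sub("Peripheral firmware")     # inherits the class mitigation
    boot = root.sub("Boot-sector modification",
                    "boot-sector integrity check")
    boot.sub("Master Boot Record")          # inherits the class mitigation
    return root


def record_instance(root: AttackClass, path: Sequence[str], label: str) -> AttackClass:
    """Attach a concrete instance to the class reached by `path`.

    A path that is not in the tree means the taxonomy itself must be extended
    first: an "Unknown Unknown" becoming a "Known Known" adds both an instance
    and its class, as the comment describes.
    """
    node = root
    for name in path:
        if name not in node.subclasses:
            raise KeyError(f"no class {name!r} under {node.name!r}: extend the taxonomy")
        node = node.subclasses[name]
    node.instances.append(label)
    return node


def covering_mitigation(root: AttackClass, path: Sequence[str]) -> Optional[str]:
    """Most specific mitigation on the way down to the class named by `path`.

    Because an ancestor's mitigation covers all descendants, one set of actions
    handles every instance in the sub-tree without a per-instance defence.
    """
    node, chosen = root, root.mitigation
    for name in path:
        node = node.subclasses[name]
        if node.mitigation is not None:
            chosen = node.mitigation
    return chosen


def predicted_gaps(root: AttackClass, prefix: Tuple[str, ...] = ()) -> List[Tuple[str, ...]]:
    """Leaf classes with no recorded instance: the "Unknown Knowns".

    The tree tells us where an instance can appear before anyone has built one,
    so these are the places a defender can prepare for in advance.
    """
    gaps: List[Tuple[str, ...]] = []
    for name, sub in root.subclasses.items():
        path = prefix + (name,)
        if not sub.subclasses and not sub.instances:
            gaps.append(path)
        gaps.extend(predicted_gaps(sub, path))
    return gaps


if __name__ == "__main__":
    tree = build_taxonomy()
    # Constructed instance labels, not real malware names.
    record_instance(tree, ["Firmware implant", "Hard-disk firmware"], "constructed-instance-1")
    record_instance(tree, ["Boot-sector modification", "Master Boot Record"], "constructed-instance-2")
    for gap in predicted_gaps(tree):
        print("predicted, no instance yet:", " > ".join(gap),
              "| covered by:", covering_mitigation(tree, gap))
```

Run as a script it lists the one leaf class that has no instance recorded yet (peripheral firmware) together with the class-level mitigation that already covers it, which is the practical point of the taxonomy: the defence exists before the instance does.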

AlexTFebruary 17, 2020 9:22 AM

@vas pup: As far as I know all servers are still in Switzerland. Which, as we have seen in the Crypto AG story, can't refuse much to the US in any case. When I interacted with the Proton people (again, very early in their setup) I raised the point that if they were really successful in their venture it would be almost certain that some (if not multiple!) agencies would put moles in their dev teams. They seemed to think it far-fetched and was dismayed that they did not have any code review / security mechanism in place. I have no idea where they are now but last time I asked I did not get an answer...

As for Swiss banking privacy, it has been a thing of the past for many years now.

@Clive Robinson: as always most excellent contributions !

vas pupFebruary 17, 2020 1:39 PM

Swiss Crypto AG spying scandal shakes reputation for neutrality:

https://www.bbc.com/news/world-europe-51487856

"There are only a handful of countries on the planet that have chosen neutrality; Austria is one, Sweden another. But no country has made a status symbol out of neutrality like the Swiss.

Now that the Crypto AG scandal has emerged in all its tawdry detail, there's not a newspaper or broadcaster in the country that is not questioning Switzerland's neutrality.

"It's shattered," is a common phrase.

A federal judge is already on the case and politicians across the spectrum are calling for a parliamentary commission of inquiry.

Swiss neutrality is revered as if it were in the country's DNA, part of a unique national identity, and not the pragmatic policy of a small country that hired mercenaries to the rest of Europe until its leaders decided not fighting at all might be safer.

Nazi Germany found a safe place for its looted art and gold in Swiss banks. It sent trains full of weapons across Switzerland to support Italian dictator Benito Mussolini.

At the same time, Switzerland's head of the armed forces, General Henri Guisan, was having secret chats with the French about fighting together should both countries be invaded. There's a street named after Guisan in every Swiss town.

Meanwhile the US intelligence-gathering body, the Office of Strategic Services, sent Allen Dulles to Europe.

Dulles set up his office in the Swiss capital, Bern, and stayed there for the rest of war, spying on the Germans. He later became head of the CIA."

Clive RobinsonFebruary 17, 2020 4:04 PM

@ vas pup,

The problem with neutrality is you have to have the power to enforce it.

If you don't you will have to compromise, because that is the nature of "power politics": you are either "useful" or "to be crushed under heel".

Thus the question of "how to be useful" to every psychopath who has desires of conquest?

Well Sweden had the same trouble and in part they sold balls for bearings to both sides whilst also spying for the side they most hoped would leave them alone.

You can go down the list.

The thing you will note is that neutral states are generally small, have a uniform population, and are considered by many of their neighbours as "wealthy".

The wealth is there because of two primary reasons,

1, They trade without discrimination.
2, They don't waste resources on war.

The simple fact is war is really all about "ego not profit"; it's always because some idiot "slaps it on the table" to prove they have the biggest / hardest / best / etc. Unfortunately there is no profit in war for the combatants and any victory eventually becomes pyrrhic. You might gain an Empire and its resources, but the cost of defending it? Or as the Spanish discovered vast amounts of gold and silver just make prices go up, and the gold disappears faster. Worse those who have gold become lazy, their children fail to learn and when the gold runs out, they find they have nothing and know not what to do, and past glories do not put food on the table or crops in the soil.

Trading however is a useful skill; it makes you useful, therefore important, with those in power in other places, who have either the gold to pay you or other things you can usefully trade with others.

History teaches us that even when at war Germany and France traded iron and coal not directly but trade they did.

The secret to trading is knowledge, so much so that knowledge has become a commodity or even coin in its own right. The thing about knowledge as a resource is you can trade it more than once or twice; with skill you can trade it almost limitlessly...

But you can also use it in manufacturing to add value. A ton of coal, limestone and iron ore if used correctly will give you the much more valuable steel. Take steel, add more coal for power to transform it correctly into a tool or product, then its value is even higher. That "correctly" is the knowledge that adds the value; as long as your knowledge is better than others' then you can not just profit by it but reinvest it in education to keep your knowledge ahead of others.

Thus if you want peace you have to trade and manufacture, but importantly you have to educate your population.

Some countries have realised that spending more on education than on bombs and bullets is a sensible policy. Sadly not everyone sees it that way as their egos will not let them. It's a thought voting citizens should ponder: equitable peace and prosperity by education producing goods and trade, or endless oppression by destroying others via tyranny, bloodshed and the breeding of illiterate cannon fodder by the masses until all resources are gone and collapse happens?

vas pupFebruary 17, 2020 4:54 PM

@Clive:

Thank you for your recent input.
You stated: "Thus if you want peace you have to trade and manufacture." I agree.

I guess the reverse is right as well: "If you do not want peace, but rather tension escalation between nations, then you must put tariffs, barriers, sanctions, etc. to degrade trade."

SpaceLifeFormFebruary 17, 2020 5:38 PM

@ vas pup

FYI, I would avoid BBC, FOX, NYT, and WAPO.

Find alternative links.

Just saying.

Yes, I'm old (maybe even educated!), and always use Oxford comma.

SpaceLifeFormFebruary 17, 2020 5:57 PM

@ AlexT

"As far I know all servers are still in Switzerland."

It does not matter where the servers are physically located.

When the long-haul backbone routers are backdoored.

Did you spot your MITM today?

No? No surprise.

Clive RobinsonFebruary 17, 2020 7:14 PM

@ vas pup,

I guess the reverse is right as well...

Yes, but remember what George Orwell put in his politics "Room 101" book 1984. He had a list of criteria,

1, You should have an enemy in a far off place (he picked Asia).
2, Where the people are visibly different.
3, So your civilians have someone easy to hate other than their,
4, Controlling tyrannical government.
5, That spies on their every moment.
6, That feeds them propaganda.
7, Via the means of television radio and all electronic communications.

For some strange reason he got the failing empire building government wrong... But hey 7/8 is way more than a good pass mark in predicting the future an average --for the time-- lifetime away...

Clive RobinsonFebruary 17, 2020 8:16 PM

@ SpaceLifeForm,

Yes, I'm old (maybe even educated!)

Do you mean "head you cratered" from banging it on the school desk ;-)

Back when I went through the process we had three levels,

1, Infants.
2, Junior.
3, Senior later Secondary.

I did not have any problems in Infants, but Junior oh dear, the Headmaster hated my mother as she used to be his boss and blocked his promotion for good reason. The deputy head was an old spinster of the "never spare the rod" variety. Thus you can imagine what problems I had. Which was why my parents made the sensible decision to put me in a secondary school "out of borough". Where after a bumpy start and catching up I did OK, and rare for the time and not being from a "Bash yer grammar" School I went into higher education and later Uni to do post grad as a slightly wiser individual.

AlexTFebruary 18, 2020 2:22 PM

@SpaceLifeForm

Do you imply that SSL is broken and that MITM is actually possible on encrypted channels?
If so all bets are off...

Drive-By IdealogueFebruary 18, 2020 6:04 PM

"It describes how the United States and its allies exploited other nations' gullibility for years, taking their money and stealing their secrets."

Now if only they'd declassify and publish 1% of 1% of the evidence of the United States and its allies exploiting the gullibility of their own nations for years, taking their money and stealing their secrets.

Because I'm pretty sure that would still be many many reams of documents.

SpaceLifeFormFebruary 18, 2020 6:31 PM

@ AlexT

YEP. SSL, TLS. Same difference.

@ Clive

You made me laugh so hard, tears.

SpaceLifeFormFebruary 18, 2020 6:48 PM

@ Drive-By Idealogue

Check out Panama Papers and Paradise Papers.

Buy your vowels. Zero cost.

RachelFebruary 18, 2020 7:02 PM

AlexT

'When I interreacted with the Proton people (again, very early in their setup) I raised the point that if they were really successful in their venture it would be almost certain that some (if not multiple !) agencies would put moles in their dev teams. They seemed to think it far fetched and was dismayed that they did not have any code review / security mechanism in place. I have no idea where they are now but last time I asked I did not get an answer...'

Good insight. Also one which any comparable organisation would be subject to.

There is always the chance the core group were indeed aware of such a possibility and feigned innocence to your enquiry as good opsec requires. 'What's a mole?'

Further, given that moles are a broad class of vulnerability regardless of the field, generic means (Clive's 'fire escape') can be employed such as compartmentalisation.

It's a good question worth sending Protonmail.
Hmm. A new revelation. The CEO of Protonmail shares a surname with a current running nominee for the Democratic party. Veeerrrry fishy.
Coincidence? You might think that. I couldn't possibly comment.

SpaceLifeFormFebruary 18, 2020 10:26 PM

@ Rachel

Instead of the mole(s) angle, isn't it just easier for it to be an op from the start?

Clive RobinsonFebruary 19, 2020 9:30 AM

@ ALL,

I know this is a bit late but anyone else remember,

The NSA Pown your HD

Apparently they've been doing it for most if not all of this century...

https://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/

It's one of those things that @Nick P and myself used to warn people about fairly regularly.

It was also part of our debate over how old hardware would have to be not to have "Hidden Flash" in IO that could be exploited. @Nick P favoured "mid noughties" and I favoured "mid nineties" as the cut off points.

This issue is getting really bad as hardware that will accept any update no matter how untrustworthy and addled it might be has come up yet again this week,

https://eclypsium.com/2020/2/18/unsigned-peripheral-firmware/

SpaceLifeFormFebruary 19, 2020 3:45 PM

@ Clive

"Kaspersky's analysis says the NSA made a breakthrough by infecting hard disk firmware with malware known only as nls_933w.dll capable of persisting across machine wipes to re-infect targeted systems."

This is why I have said, if you get a new PC, and intend to use Linux, never ever boot to Windows in the first place.

NOT ONCE!

"Its main purpose, Kaspersky's researchers said, was to map air-gap networks using a unique USB-based command and control mechanism which could pass data back and forth from air-gapped networks."

You can not trust USB controllers nor USB devices. Where is that hidden NAND again?

Paper. Ok, I'll accept Floppy. But, not over USB.

cozMarch 7, 2020 12:33 PM

And yet, everyone is balking at the USG demand that we not buy 5G networking equipment from Huawei, a firm closely tied to the Chinese government that has previously sold compromised equipment.

Why the double standard? Knowing that all governments always have and always will engage in espionage to the limit of their abilities, why do we consistently pretend to be surprised, disappointed or outraged when we discover it? And why do we only condemn it with vigor when it's our own side that gets caught out?

John SmithApril 17, 2020 9:18 AM

So governments and companies actually paid enormous amounts of money for security equipment that allowed 3rd parties to listen all the time.

Another nice detail was the Dutch company TextLite (Philips) which was making an at-the-time unhackable Pocket Telex device. They were bought for a hell of a lot of money just to prevent them from selling any more and were from then on producing only weakly encrypted machines.
