Schneier on Security

Clive Robinson • February 5, 2021 7:10 PM

@ Security Theatre,

Simple question: how long do you expect us to still wear masks on public transport?

Maybe fore ever…

Look at it from the medical point of view.

The most vulnerable currently (though it appears to be changing) are those well into retirment.

These are also the adults who are least likely to be fit to drive but capable of using public transport.

The virus will only stop being a problem when it is extinct in any given environment.

To continue it’s existance it requires “vulnerable hosts”

Hosts cease to be available to the virus when,

1, They are dead.
2, They have had the infection.
3, They have been immunised.
4, They are unavailable.

The first reduces the population and increases the natural herd immunity as a result (if half the population die then it effectively doubles the numbers in the other catagories).

For a while at least those that have had the infection and survived have a sensitised immune system. To the virus they are effectively dead, untill either their immunity desensitises or the virus mutates a significant ammount.

Likewise those that have been immunised are similar to those that have been infected and survived. Only their immune system has probably not been sensitised as much, and also it’s been sensitised to the innoculum not the virus so is probably more specific so the virus has to mutate less.

The last group are those that are kept away from a virus infected person whilst they are infectious. If a person is clearly sick before they become infectious it’s relatively easy to issolate the sick from the well. However with SARS2 you are considerably infectious before you are visably sick which makes issolating the sick from the well very difficult, therefore issolating the vulnerable tends to make more sense. However issolating groups or what has been called “social bubbles” limits the spread to only those in the bubble, if somebody in the bubble becomes infected. In effect this is what “lockdown” in it’s various levels trys to achive by significantly curtaling, community spread of not stopping it.

However we have to also consider other groups,

1, New borns.
2, Animals.

On average 2% of the population is born each year, we do not yet know if mothers confer immunity to their babies and if so for how long they remain immune. On top of this is the potential for the genetically more susceptible to die out before they become parents, which would have the very very slow effect of breeding the human race into a less susceptible form. However in the process we do not know what else is lost… Take for instance sickle cell disease, this gives the young increased tollerance of maleria but it also kills people young who will now not meet maleria.

But we are not the only creatures on this planet, and SARS2 came from animals by zoonotic transfer, and as we now know it can transfer back into wild animals and back to humans again (human-mustelidaes-human). Thus it’s entirely possible there will be “disease reservoirs” in wide ranging wild animals, where it may cause different symptoms which are less or non fatal to them and may not significantly sensitise their immune systems such they get the infection repeatedly over short periods of time. Thus comming into contact directly or indirectly with humans causing SARS2 to flare up again. We can see this with four other corona viruses which cause the common cold and appear to be fixtures in society occuring every winter season where between a quater and one third of the population gets it, most frequently transmited through children or work colleagues.

If SARS2 mutates as it appears to be doing to more easily infect children and those of working age and it forms disease reservoirs then two things will happen,

1, As with flu and the common cold we will get a “COVID Season” every year.
2, The death rate will most likely be ten or twenty times that of seasonal flu.

That is not sustainable, thus we would need some measure of “lockdown” every year.

In the Far East in South China Seas countries, mask wearing is not just socially acceptable it’s a norm at certain times and not wearing a mask considered degenerate behaviour.

A similar attitude in the West would have rather more benifits than limiting the spread of SARS2… There is anecdotal evidence that this years seasonal flu is actually more infectious this year as a virus. However because of the COVID lockdown it’s not spreading the way flu would normally do, likewise the common cold.

So COVID could still be with us in 80years anyway, and wearing masks prevents quite a few seasonal pathogens that have their own costs in hospitalization and premature death. So still wearing masks in social contact areas such as public transport, shops and social events may be a good idea any way… After all people do wear eye glasses in part to increase their life expectancy by reducing the number of accidents they have and few if any realy question wearing of glasses, in fact they have been known to become fashion items worn by those who have no physiological need of them.

So if we make effective masks fashion items, then the wearing of them might become just like wearing other items of apparel. Thus just another social norm much as women keeping their ears covered in times past.

I suspect that a change in norms could happen in as little as three years and certainly well under fourty…

Clive Robinson • February 5, 2021 8:45 PM

@ Anonymous,

Is it “interception” if the malware stores the message on the device before forwarding it to the police?

It depends on how you view “the source” of the information.

If what is being reported is both true and factual, I think the three judges have made the wrong decision and the argument they made is a false one.

In essence they are saying because the source was in plaintext and not encrypted it can not have been in transmission as the phones only transmitted cipher text…

Well if that is what they have claimed thrn it is a very obvious failure of reasoning or a deliberate and willful deceit by the judges to excuse a forgon conclusion of convenience to the crown prosecuters. Either way if true “They have consipired to bring the law into disrepute” thus would be considered no better than crooks.

As many will know I talk about the communications end point and the security end point and how they relate to information channels fairly often and how you have to get them in the correct order for security to be possible.

Now to communicate you do not need to do so securely, that is self evident to anyone who has spoken to more than one person at the same time, or spoken to a single person in an environment where what is being spoken can be heard directly or indirectly by one or more third parties.

Thus as reported the judges distinction between encrypted and not encrypted has nothing what so ever to do with the communications end point but every thing to do with the security end point, which has nothing what so ever to do with ehat is or is not an intercept.

To see this, lets examine the case of someone who is a little more knowledgable about establishing security by the use of mobile phone aplications. Because they know that neither the application or the phone OS can be in any way secure, as the “User Interface”(UI) is in plaintext and is reachable via the drivers or OS from the “over the air interface”(OTA). In short an “End Run” attack around the security endpoint.

So the more knowledgable person decides to use a pencil and paper cipher that is secure, such as a “One Time Pad”(OTP).

Thus they think up their message and using the OTP they write it down in ciphertext not plaintext. Thus the message is stored on the piece of paper not as plaintext but ciphertext, thus judges argument fails at this point because of their distinction between plaintext and cipher text. The plaintext only existed in the persons mind[1] and was never stored anywhere but there.

But even if they wrote the plaintext onto the pad then wrote the cipher text in underneath, the judges argument would still fail, because the person would type in the ciphertext not the plaintext. Thus under the judges incorrect logic the message must have been in communications on the phone at all times because it was ciphertext.

We have a saying in the UK of “You can have your cake but you can not eat it”, well the judges can have their argument but they can not have it be true, the laws of mathmatics, physics, logic, and reason do not alow it.

Because the intercept capability was constant on all phones, it did not nor could it magically change the source of information or how the information was used just because the message content was inteligable or not.

To claim otherwise is to cross over from reason, logic and sanity to hocus pocus, illogic and insanity.

So the reporting as given gives rise to this question, “do these judges realy want people to think they truly and unreservadly believe in fairy makebelieve that even six year olds would be skeptical about?”

[1] For those that think that such a feet is not possible, I can assure you it is as I used to do it, not with a OTP but an addative stream hand cipher that used a pack of cards as the generator. But we know of people doing similar all the time, take on the fly translators who listen to a speaker and translate what they are saying as they say it and say it in a new language to another person. Some people send messages in morse code and similar. I know of people that used to write to each other using “Tolkien’s Runes” it was effectively a simple substitution cipher with one or two modifiers. I used to do it just to join in but also to cipher it as well by a simple running addition with 0..9, it was a “Party trick” that used to both amuse and amaze much like magic tricks I occasionaly still do such as having a “magic coin” I flip that always come out the way you call it, more fun than a live/dead Schrödinger’s cat demonstration and more instructive 😉

Clive Robinson • February 7, 2021 3:50 AM

@ AL, Anonymous, SpaceLifeForm, ALL,

This “contemporaneous” issue is the test under U.S. law. It could be viewed as not contemporaneous because the storage occurred a moment before transmission. It looks like in an E2E situation, the activity immediately preceding the transmission needs to be looked into. I wonder what Signal does.

I’ve been mulling this over, to see which way it’s going. As lawyers are “salami slicers” by nature training and profit, they still have great faith in the disproved theory that “The finer the cut the more transparent the slice becomes”… It is after all how they make more money and the Upton Sinclair rule applies in spades with them.

The reality is though “The finer the cut the less integrity there is” untill you end up with a pointless usually disgusting mess in which they then chose to wallow profitably.

But back to the problem which is,

“storage before transmission”

It has always been a requirment of communications even if it is just composing a sentence in your brain before saying it…

More importantly if you want to communicate less directly and send a letter, you have to first write it down on paper, this much is obvious to most people. Thus in the warped contemporaneous argument the entire message has been stored long before transmission. My view point is the mear thought to communicate is actually the start of communication, thus the composition in the mind is where the communications starts as from then untill it is read into the intended recipients mind is all part of the communications process.

Likewise but less obvious to users are emails and SMS’s etc they are all buffered untill transmission across a segment of the transmission path is actually initiated.

The reason for the buffering is one of simple engineering it is because it is both more efficient and more reliable, thus giving a higher value of “availability”. And in most cases “availability” is what the customer wants in a communication system, followed by reliability of delivery. Actually speed of delivery is generally not an issue as long as it is reasonable by some human measure. Thus buffering is the technical solution way to go to get availability and reliability.

Unfortunately buffering is always going to be seen incorrectly by some as “store and forward”. Thus the question is,

“How thinly will they slice?”

Arguably under their point of virw putting your finger on a key on a keyboard is “storing” not “sending” as it occupies a moment of time before the release of the key.

But using their false salami slicing argument, lets look at encryption.

Mostly we use a varient of block ciphers of 128bits width or more. The base ASCII charecter set is 7bit thus each encryption can hold 18 characters and 2 additional bits. By their argument all 18 characters are “stored before sending”…

Is it any different for “stream ciphers”? not realy if you keep slicing the argument down they will argue that holding a character or even a single bit in a computer register prior to the XOR or ADD function that mixes in the key stream is “stored before sending”.

Thus by their salami slicing argument any use of a computer is “storing before forwarding”.

The further consequence of that is as all data networks are segmented and have switching nodes that very temporarily hold the data, that also must be “stored before forwarding”.

But you can salami slice a little further. Back in the late 1940’s and through into the 1960’s various ultrasonic “delay lines” were used to store data. That is the data bits were transmitted into a Shanon Communications Channel where some time later they were received and amplified. Thus the communications media is also storage if you salami slice far enough…

Thus by their store before forward definition all communications channels are actually storage, thus always available to be collected…

Thus we reach the point of,

“argumentum ad absurdum”

And demonstrate that their view point entirely negates the notion of “communication” protected or otherwise, as it is all “store” even when forwarding by their definition.

Clive Robinson • February 7, 2021 5:45 AM

@ Ismar,

With regards the Nautilus artical on the semantics of viral evolution to escape immune systems.

Bringing up the subject of specifity in the mRNA used by both Pfizer and Moderna with one of the systems developers brought fourth the following,

“Bryson said, “I think our model underscores the importance of using the full length of the spike as an immunogen, as opposed to prioritizing particular regions of the protein over others.” He said it is fortunate that a lot of the vaccine designs are focused on the full-length spike protein, which their model suggests is a good move.”

Or in other words the mRNA immunizations are too specific thus fragile in the face of viral mutation, that increases proportionatly to the number of hosts past and present. As we know this rises exponentially if alowed to we have a problem.

The only solution to which we have currently is quarantine from individuals through social pods/bubbles of familes etc through to workers and small locals or geographic regions.

Thus anyone arguing for lifting of quarantine / lockdown is arguing for exponential rates of mutation thus the rendering ineffective of vaccines and prolonging of death and longterm injury to people.

Something that politicians should take on board now more than ever… We were saying it this time last year and western politicians ignored it, some even made foolish claims against it. Now here we are a year later with millions of people having been infected and the virus almost beyond control.

If we do not lockdown hard then the virus will mutaye faster than we can come up with new vaccines, which brings up a question nobody realy want’s answered practically,

“One the assumption mutations have to be finite, how many mutations are there to go through?”

But the mutations might not realy be “finite” in any meaningful human usage of the word…

Clive Robinson • February 7, 2021 8:28 AM

@ Winter,

They can be mixed and adapted to include conserved regions and new variants.

That appears to be the idea behind the Russian “Sputnik V” vaccine, in the peer reviewed Lancet artical.

As I understand it the first AD26 virus is aimed at COVID with the full spike protien sequence. Then to stop the body becoming sensitized to the adenovirus the second shot is AD5 with variations (not sure how that works but apparantly it does).

Based,on the currently small phase III results from Moscow it’s the most effective vaccine so far.

However there are several other phase III tests going on in other parts of the world so we need to wait on those results as well to get a clearer picture.

We do know that the Russian Research group, AZ and Oxford Rrsearch groups are getting together so hopefully any arras lacking in the individual vaccines will be made upfor in the combination.

However the major downside on the Russian vaccine is again the “Chill chain” where -20C is needed which is a little beyond most easily available freezers… Though there is a desicated version that needs less of a chill factor.

But one thing should be noted, like it or not Vladimir Putin made a choice, wait for phase III results or putting it in peoples arms based on Phase II results to try and slow the pandemic spread. He went against normal medical practice and opened up general vaccination as Phase III started.

He may just have saved quite a few lives by so doing.

I guess we are going to have to wait and see how things go. But I’ll be honest, if I was in a similar position, and knowing just how dire things had got in Russia, I might well have made the same choice.

With regards,

I just read that the UK government thinks a yearly vaccination round against COVID19 will be needed, just like the flu campaign.

Yes it looks like an inevitability as we’ve let things go to far.

But remember the flu vaccine only works maybe two years in three. Which is quite bad even though the CFR is low for flu. At a couple of decades greater the CFR for COVID mutations could be worse than we are currently seeing. Because people will assume incorrectly they can live what they consider “normal lives” thus not take sensible measures.

Thus I think mask wearing and social issolation with limited social pods/bubbles will become the norm and “going home for xmas/new year” or thanks giving in the northern hemisphere will become a custom best dropped with maybe a new holiday toward the end of August to do the get togetherness stuff.

Clive Robinson • February 9, 2021 5:59 AM

@ JonKnowsNothing, SpaceLifeForm, ALL,

MSM report of an UnAuthorized Access to a water treatment plant in Florida where the intruder altered the chemical treatment mix to a toxic level.

Hmm in effect,

“The town installed a RAT that was persuaded to work for someone else.”

So a “backdoor” they indtalled for “Nobody B Us”(NOBUS) was used by others…

Ignoring for a moment the stupidity of installing a RAT, then making it available via a publically accessible network, this has been recognised as a “No No” for quite some time. Something the realy old hands on this blog were talking about oh so long ago, long before stuxnet and in many cases long before most people had heard of “Supervisory Control And Data Acquisition”(SCARDA) systems, or in fact very much at all about “Industrial Control Systems”(ICS) at any level.

What is not clear though is,

1, Did they gain access to the client and then into the server.

2, Did they gain access to the server directly.

Assuming the former, then in effect the “user” was authorised to the server and there was little or nothing a basic “Intrusion Detection System”(IDS) if installed could do.

If the latter, in theory if installed and operated correctly an IDS would have picked up an intrusion attempt, even if the attacker had copies of the required credentials. In practice few who install such systems add such capabilities as IP address detection white lists, or if they do make them too broad for various non technical reasons.

Further the use of a secure rolling time credential token or other non time static credential would have twarted such an attack. But again for various non technical reasons this is not done as often as it should be.

But it is possible the Commercial RAT was found via the Shodan Search tool[1] or even ages old what we now call “script kiddy” IP address port service enumeration[2] that though even more than fourty years later are still just as effective as they ever were to a not fully clued up service administrator. So means in turn we can not say “sophisticated attacker”.

The fact that the Comercial RAT has apparently been installed for “technical support” reasons tells a story all of it’s own (anyone else renember the CarrierIQ debacle?).

Something Microsoft and other big Silicon Valley Corps do not talk about –but I have since before Dr Watson days– is all kinds of “ET Phone Home” telemetry is a beacon to your system even if the data is encrypted right up and beyond the WAZoo[3]. All a mildly competent attacker in a larger organisation has to do is get close to “the mothership” and just sit there passively watching the packets fly by[4]. Equipment for which the likes of Boeing and IBM to name but two of a large cast are known to make, in some cases as just a spin off of standard products.

So I suspect that the Commercial RAT supplier has already gone into “circle the wagons mode” and we will just have to wait and see.

However now “Home Working” has become a predominant way of doing “Business Continuity” in the past year and is likely to remain a fixture for some time to come. Such RAT and Conferancing tools are going to become number one on certain peoples attack lists. Especially as the majority were never previously “Prime Time” thus have not received abything remotely close to the stress testing they needed –need I say Zoom or TeamWorks?– thus are likely riddled with bugs that will now be keenly hunted as the new basis for even the lowest hanging fruit malware…

As I sometimes note, the Chinese historically have a very different outlook on life and just one part of that gives rise to the curse,

May you live in interesting times.

Well COVID sure has given rise to a paradigm shift in “information working” but humans are “Creatures of a herd” in general and “remote working” is not something they like as it creates fear which is only occasionally paranoia, as mostly sufficient people are out to get above others in the hierarchy by stealth or assassination.

It’s said that in any sizable organisation there is one Hawk for every four Doves, the actuall ratio is not that important, all people need to realise is that as Hawks grow, Doves in effect cease to be the prey of Hawks, and the Hawks start to attack other Hawks. This is simply because the hierarchy rewards the extreams of Hawk behaviour, thus becomes an evolutionary factor. Even if it is one that the likes of many out evolved apex preditors proves long term leads to extinction of the spieces or sufficient environmental change to cause the evolutionary factors to change. Which COVID certainly has in the short term, the long term as well if some predictions are correct.

Any way back to more base needs, time to start cooking lunch, “leak and potato” soup or pie some how feals strangely apt 😉

[1] The Shodan search tool has both simplicity and great complexity when it comes to enumerating sites more or less passively,

https://thedarksource.com/shodan-cheat-sheet/

https://monitor.shodan.io/

Look on Shodan as the “little brother” of the sorts of “target enumeration” engines the likes of certain Level III attackers such as National SigInt agencies have that hover up data from the behind the “next hop” routers site administrators can not see beyond.

Shodan’s capabilities are neither new or original, and the use of “netcat”(nc)

https://chousensha.github.io/blog/2014/05/31/network-tools-netcat/

Or other unix tools such as “telnet”, “ping” or traceroute,

https://network-tools.com/trace/

That have been standard on not just *nix boxes but other Commercial OS’s since the late 1970’s (for instance Microsoft nicked the BSD tools befor Win 3). Which early “hackers not crackers” put together in shell scripts and the like, and if you have “Command Line Interface”(CLI) and “scripting” ability will still tell you rather more than most would wish you to know even today, sich is the nature of communications ay a lower level.

[2] It’s the sort of thing I used to do when Telnet was a good tool to get plaintext across TCP header info on just about any sensible system from a PDP-11 upwards (Microsoft had not started networking back then and DOS was still at best a flaky poormans CP/M clone, with NT still just a dream of a better Unix than Unix hiding behind Dave Cutler’s embarrassing T-Shirts).

[3] The entomology is 20th Century but “uncertain” some claim it’s short for “Western Australia Zoo” others more anatomical, either way think about “creeks and lack of paddles” as a similar colourful expression of near meaning.

[4] The fact such packets travel with visable meta-data for source and destination means that your PC has become “known”. With traffic analysis giving near real time information, much else becomes known. As for encryption… well what use is that? Not much realy, especially if some one has been kind enough to give the passive observer the master secret / key that opens the backdoor. Which is a valid assumption with Corps doing business in the UK, US and other places in the world such as Pakistan, Saudi Arabia, Israel and many more (as BlackBerry amongst others proved “Business trumps user security every time, be it via “health&safety”, “tech support”, “Product Development”, or other invented excuse.

Clive Robinson • February 10, 2021 11:25 AM

@ Winter,

I suspected not by the length and it’s not your style, plus have a look at the “errors” 😉

Yup as @- has suggested,

https://www.schneier.com/blog/archives/2021/02/friday-squid-blogging-live-giant-squid-found-in-japan.html/#comment-368974

Maybe the moderator should look at the IP addresses, it’s something the “blog wreaker bot” should not be able to predict unless you go to a site they control or they have other not legal sources of information, which I suspect they don’t have based on their current failing bot.

But have you noticed the behaviour of the operator is that of a “petulant six year old” with bad learned social behaviours. It’s not just the “Oh my botty” level of language used to try to shock it’s the use of language. It’s simmilar to that of “an outsider trying to get in” the useage is forced not natural, and clearly a failing of the bot design and the selected input.

So there the bot operator stands like a naughty toddler/junior schooler throwing a hissy fit that fails on it’s aim and has now thrown themselves on the floor because they do the old “repeated test madness”.

Clive Robinson • February 10, 2021 10:54 PM

@ JonKnowsNothing, MarkH, SpaceLifeForm, Winter, ALL,

In the UK the Office of National Statistics(ONS) has for some time been runing it’s own indipendent random trial tests etc on SARS2.

They’ve just released some worrying figures covering from 1st Oct to 30th Jan that I’m going to have to dig into further, but the headlines are,

1, Clear indications vaccinations are working and bringing hospital cases down.

2, B.1.1.7 was increasing significant.

3, Testing of those who were significantly infectious (high viral load) many more than expected are asymptomatic, England 53%, N.I. 62%, Scotland 53%, Wales 45%.

Whilst the first is good news the second not unexpected the third is very much unexpected Up untill this the assumption was 20-30% of people were asymptomatic BUT that was across the entire time they were infected.

These new ONS figures are from people tested as being not just infected, but when they are shedding significant levels of virus, thus are highly infectious. Thus across the UK for the past four months, on average half those capable of spreading SARS2 have had no idea they had been infected.

What is not clear is if this is in general with all strains, or if the newer more infectious strains have higher rates of asymptomatic infectors / spreaders.

Either way suggests that now more than ever, social distancing, masks, ventilation and localised area quarantines are essentially the only way out of this pandemic untill sufficient of the worlds population has become disease free to bring the rate of mutations down well below how fast we can get effective jabs in peoples arms.

There also still appears to be a very unscientific argument about immunisation. The assumption by many is they have their jabs and they won’t get sick.

We know from many years of flu jabs that whilst the jab you’ve had may not stop you getting the seasonal flu, those who have had jabs tend to suffer less acutely. So whilst they might get a few unpleasant days at home, they will probably not become hospitalized with their lives at much increased risk.

Thus the question about “vaccine avoiding strains” is not “Will you be immune?”, but “If you are infected how badly in comparison to not being vaccinated?” and more importantly “Are the number of infections in those vaccinated less than those not vaccinated”

As an individual, yes being ill at home sucks, but a whole lot less than in hospital or in the meat waggon round the back. As a society, yes having some people ill at home sucks, but a whole lot less than lots of people crashing hospitals or stacked up like cord wood at the crematorium.

As has been noted a lot here we need a sensible “lock it down and exterminate policy” not an illogical “Spread it all about and look the other way policy” that Herd Immunity Policy realy is.

We need R0 to drop below 1 every where. But so many are currently infected the mutation rate is well ahead of vaccine development… Thus we need R0 to be substantially below 1, so vaccine development can not just catch up but get ahead of the virus, and that means the prevelance has to come down significantly quickly and stay down, and vaccination is not going to get prevelance[1] in the world down for atleast three probably more like five years, in which time a lot of mutation will happen.

[1] Prevelance is the number of people currently infected, and with the new strains that can double around every eight days. The rate of mutation is fairly strongly related to prevelance, thus will on balance track it, but probability means “three busses can turn up at the same time” as has happened with the N501Y mutations. Two of which also had the E484K mutation, that is being associated with “immunisation escape” and possobly “immunity escape” thus some people are getting reinfected in quite a bit less than a year.

https://medium.com/microbial-instincts/the-most-worrying-coronavirus-e484k-mutant-has-arrived-35361ec55923