Schneier on Security

Clive Robinson • May 21, 2021 4:06 PM

@ Zaphod,

I trust you are well. No recent mention of medical incidents in this forum, which I take as good news.

Kind of you to ask, I’m bumping along as I’m still required to be “guarding” so I’m not meeting people who can pass on nasties, but nor am I getting the excercise I crave, that can cause physiological issues to arise…

As for “Pansophical” being my middle name, no not realy. I’ve actually mentioned all of this in the past but…

I have a kind of sixth sense for things that are not right or as our host @Bruce has called it “thinking hinky” when you couple that to an interest in the history of how we moved from artisans through to science and engineering thus our industrial times you get to recognise patterns of “idiocy/stupidity” when looked at from the old maxims of “Those who fail to learn from history condem themselves to relive it” and “Learn by others mistakes, so you make less of your own”.

For some reason I do not understand and nobody I’ve asked has come up with a satisfactory answer to[1] is why ICT does not teach it’s history to those comming into the field of endevor. Worse stuff less than a decade old and well within living memory gets “forgoton”.

But when you dig down a little, very few attacks on ICT systems are actually new, many are centuries old. All that has happened is that people have taken old ways of doing crime and simply reused them but in the comparatively new environment of the ICT industry. Old cons are like fine wines, they generaly care not the age of the glass they are delivered in… Thus a knowledge of lockpicking I taught myself quite a while before I was ten led me into learning about other crimes and I saw the patterns of how they worked and failed before I became a teenager. It ment that at school I and a likeminded friend were doing things that whilst not crimes were not within the rules, but so inventively they usually just look bemused. Thus in my first job in a store, within days I’d worked out how their entire security system worked and how to avoid it inventively and also how to make it look like others… Such mind games are fun, but even when you can get away with them are not realy worth doing. As my father told me “If you are smart enough to carry out the perfect crime, you are smart enough to earn a lot more money honestly”. Also there is almost always going to be someone smarter or more knowledgable than you, or just probability will work against you some how what others chose to call “bad luck” does happen.

If you look at nearly everything I predict it has either happened before, or is a logical extrapolation from what has happened before. Coupled with yes a wide knowledge in technology[2] it’s all rather mundane when explained. But it’s neither nystical or magical anyone can get do it with both the right experience and the right education, which strangely does not appear to be available in “course form” so “self study” is how you aquire it currently…

Just remember it takes 10,000 to 20,000 hours to get a genuinely new skill to a reasonable level. However pick two skills that broadly complement and your time is better served.

Which is why I emphasise that if you realy want to learn any technical skill you must master,

1, The fundementals.
2, The relevant testing experience.

Something most employers do not want their staff learning on their dime, so Universities tend to avoid teaching them…

As I point out to people, if everything goes to plan you’ve not learnt anything from it, even though you might have honed your existing skills a little. When things go wrong you have an opportunity to find out why and thus be prepared in future.

[1] The front runner on “plausable” is that it will get in the way of profits in what is the ultimate race for the bottom market places that ICT represents.

[2] In some ways I got lucky and changed career directions multiple times from my hobbies that became demanded as skills[3]. I got into consumer computing when it was possible to know in breadth just about all that was going on, and I had depth in places I could link together and thus be a usefull asset. Part of that was a memory that could read three or four paperbacks, two or three technical books / manuals and upwards of three or four hundred data sheets etc every week, but importantly remember the important details to not just the document or the page but the paragraph and in quite a number of things individual key sentences. Which made me a very valuable resource to others who would just ask and be told what they needed to know.

[3] I do not advise people turning their hobbies into jobs, even though it can be highly profitable. For two reasons, firstly it takes away a hobby you need and turns it into a job, thus for your own saniry you need a new hobby. Secondly hobbies are ment to be enjoyed, jobs not so much, thus you can end up hating what once was a very enjoyable hobby.

Clive Robinson • May 22, 2021 5:14 AM

@ Anders,

Ok, give me at least one “value transfer” that is comparable
with cryptocurrency and that takes over the cryptocurrency position when effectively all cryptocurrency is killed and buried?

History shows there are a great many value transfer systems that have advantages and disadvantages. Most cryptocurrencies have been designed by technical geeks to replace just one specific type of value transfer system “fiat money”. However as has been demonstrated most of those techno-geeks do not realy understand,

1, Humans.
2, Security.

Thus they built their systems with particular features one of which was to try and prevent forgery. Thus the “public ledger” which does not realy give either unforgability or for that matter anonymity of value transfer. So those who want either or both are discovering that those who do understand humans or security better than the techno-geeks, are realising that cryptocurrencies in their current forms are not realy of use to criminals. Esspecially those criminals who do actually think into the future, thus take great care about not leaving traces of their activities in an indelible form to come back and haunt them five, ten, twenty years down the road.

If you talk to those familiar with serious organised crime in Europe they tell you quite seriously of the invisable economic member of the EU, that would be the state with the highest GDP, and largest financial reserves and the biggest economy by far if it was officially recognised. That is the hidden economy of crime also sometimes called the “black economy”. The politicians, legislators, law enforcment agencies and many more know all about it, and they want that money for their own equally as questionable reasons.

So there are very many quite successful “financial vehicles” in place that actually offer more benifits than cryptocurrencies do to serious organised crime.

You need to look up what is called “Arabic Banking” which is not “Islamic Banking” though the two can be coincident.

Put simply before we had the relatively modern banking system we have today there was a finaning system for traders that was in effect a trust system. When you think about it trading is a two way process and without a value storage and transfer system basic commodity trading cannot exist. Based originally on the likes of gem stones and precious metals it was quickly found that a more fluid system was needed.

Thus “trust systems” developed amongst traders and money lenders and as little as word of mouth could be used to pass value on. Later as the need for these services grew they moved on to tokens of trust that had no direct value, such as “letters of introduction” that were in effect the first Identity Documents.

The old “word of mouth” systems still exist in many forms, especially where either strong tradition, crime, or other patronage system is involved. These systems keep no tracable records and whilst value moves around freely fiat money and the like does not, which makes tracing such networks and stopping them very very difficult.

Thus for crime to prosper and travel widely all it needs is a “trust system” that runs in parallel but mostly unseen to what most would consider the international banking system[1].

So if both you and I had reserves of liquid capitol we could set ourselves up as two ends of a “trust system”. People could pay in to you in a way you would accept, and via a covert communications channel you let me know who to alow to take out money from me and vice versa.

The fact we do not “keep books” and if we are careful to keep transactions balanced at both ends we in effect just take 10% or whatever off the top for doing little or nothing.

That is we in effect create local economic churn by keeping local monies in and out balanced but in the process stimulate local economic activity of which we take a petcentage. The fact we can also move value from one local economy to another even though widely seperated generally does not upset the local churn because it is not a one way but two way system. So what goes out at your end actually comes back in again with a time delay, likewise the same happens at my end and provided we keep the transfers balanced over time examining the local economies will not give you an indication that international value transfer has taken place other than it increases local churn at both ends of our trust path which could be due to any number of a great number of economic factors.

Such a trust path can be more formalized and yes very low visability covert communications systems such as couriers can be used. The couriers need not know what the messages are that they carry or that they are actually carrying a message.

That is the messages can be obfuscated in some manner and the courier can be entirely unknowing that they even are a courier (see some of the tricks used by those moving quantities of drugs around via mules that have been conned into it via trust).

The content of messages can be effectively hidden by many forms of cryptography which is a genie that is well and truely out of the bottle and can not now be put back. The presence of a message can be hidden in many ways just one of which is steganography, and I’ve previously described methods by which a near anonymous transfer of command and control messages can be achived via the likes of Googles cache etc.

Thus all the parts are out there if people just want to bolt them together and use them. That is the number of potential value transfer systems that can be built whilst not infinite are to large to reasonably enumerate.

But also remember that the number of parts out there are so broad in variety and numerous in nature you can neither regulate against them nor stop them in practice.

It’s why I keep pointing out,

“Technology is agnostic to use.”

And it is,

“Humans that decide what is good or bad, under any given point of view, at any given time.”

Which means,

“It’s the directing minds that decide the use of technology.”

Thus it is those your point of view currently says are bad, that you need to stop, not the technology they use.

Anyone who thinks stopping a technology will stop some evil they perceive does not understand either,

1, Humans.
2, Security.

Politicians and many techno-geeks realy do not understand either, it’s why the XKCD “five dollar wrench” cartoon and similar amuse. Also why we laugh at Australian and other politicians that make stupid claims about the laws of the State being superior to the laws of mathmatics, physics or nature, history shows them to be fools each and every time.

To wrap it all up there is a very old very true saying about humans,

“Where there is a will there is a way”

And trust me even if cryptocurrencies did not exist ransomware would be happening anyway, because it was happening in the ICT sector before cryptocurrencies were in use.

So ransomware in one form or another will remain in use even if cryptocurrencies go. Because ransoming is just to good a “business model” for those of little or no morals to not use as an effective means of control for status, power or wealth. Which is why “Ransoming” as an activity has been around for thousands of years one way or another and will be around one way or another as long as humans as we know them remain in existance.

[1] Smarter criminals have learnt the hard way over the years that “patronage systems” can be a double edge sword. Currently much of the ransomware business is avoiding upseting the old CCCP block of countries and Russia in particular. This suggests that they have in effect a “political protection system” in place with Russia. The problem with such political protection was demonstrated with the fall of East Germany and similar where “terrorists” that had been active in the 1960’s and 1970’s had gone into retirement. Their protection system was gone, and they were very very vulnerable, thus had to flee to other places such as the Middle East where they had to come out of retirement to “be usefull” to new masters who would protect them. If you want to put a spoke in the ransomware wheel of progress, then removing the protective patronage would be more effective in the short term than trying to stop “mathmatics”.

Clive Robinson • May 22, 2021 7:39 AM

@ Winter, BOZO, ALL,

What made me laugh from the “Regulation Asia” article you point to is,

“what the market needs is stability and a level playing field where real identities can be linked to illicit activities to stop market manipulators in their tracks.”

It’s a joke at best. There is no such thing as a “real identity” and even when people are daft enough to think they have come up with such a mythical device you come up against two problems,

1, Identity reuse.
2, Persons legal or natural.

The reuse can be by “identity theft” or “identity sale” etc the latter of which is easily done with “persons legal” such as companies and other trading entities.

I won’t go into details yet again but just make a point about what the real intent of FAFT 16 is, which is “asset forfiture by eminent domain”.

Or more biblically “Ceaser is a greedy b’stard” and wants more than his due… Basicallt due to the fact that the tax base is shrinking because of legislation greedy politicians put in place in the first place for a nice well stuffed brown envelope or it’s equivalent, they need to get ever increasing tax dollars to feed the same issuers of well stuffed envelopes that have an insatiable appitiete to aquire levey free assets to turn every one else into “rent payers”.

Thus you will increasingly see easily imposed large fines and asset seizure legislation for “new crimes” that are not even infringments currently. That is they will move from a tax based government to a fine based government, where the number of offenders will be defined by the taxation shortfall.

Clive Robinson • May 22, 2021 4:08 PM

@ JonKnowsNothing, Winter,

… most of Europe, anywhere near Ideal Societies, for the primary reason, they haven’t been around long enough to survive their opposition.

Whilst some parts of Western Europe were sort of democratic pre-WWII the 1930’s in Germany looks horific in many peoples eyes. However what they do not realise is it was not just National Socialist Germany that behaved in what we now consider an entirely barbaric form fo Government.

Looking through historic documents you will find that the “ruling classes” in most of North West Europe and certainly quite a bit of the USA actively supported those “socialist” policies and were very pro eugrnics etc…

It was not untill ordinary American Soldiers started sending home pictures from the concentration camps towards the end of the War in Eirope, and the popular press picked up on it that the ordinary people realised just what a real horror lay behind the mundane words artfully portraid as a “social good”.

So for half of Europe the experiment in representational democracy got started in the late 1940’s simply because all the countries were bankrupt and starving and freezing to the extent that governments and the elites were sufficiently cowed into it. In the US representational democracy turned sour in the 1960’s and had become the entrenched “bought by the elites” system by the 70’s. Some historians actually say that Neil Armstrong’s foot hitting the moon, was not just the end of the space race, but the last time America actually felt good about it’s self. The other half of Europe had to wait untill the 1980’s and the closing of the cold war before their experiment in democracy started. There’s is pehaps the shortest with many going bad very quickly with suppressed racial and religious tensions breaking out with extream far right politics causing no end of violence and blood shed.

Unfortunately such right wing extreamisum is clearly funded in part by some of the same people who fund the more extream parts of the right wing Republican movment in the US GOP (the Mercer Family for one). You only have,to look at what is happening in the UK politically to see what plans some people have. I fully expect that France will be the next target for US funded “destabilization”…

So yes I think that we are seeing the end, not just of democracy but the faux democracy of representational politics as well. In a way back at the end of WWII the author George Orwell having worked in the BBC and seen what was going on more or less called it right in his two books “Animal farm” for the politics of brutalistic communism in Eastern Europe and further, with “1984” for the brutalistic sham democracy of the West dominated by US power politics.

It’s why I hope that there will be a silver lining in the darkness that is COVID, and that like other historical pandemics the social upheaval that follows will favour the bottom 80% of the populations and the ruling classes will get pushed back before they become to entrenched.

Clive Robinson • May 26, 2021 5:07 PM

@ lurker, Winter,

The way the topic was presented left open the possibility that those unproductives were among our ancestors, which goes a long way to explaining why they are still with us.

That was just part of the joke, the first bit is the description of “three Ark ships, A, B and C” and it was the second that got launched first, so they could make a nice place for the others to arive at. It was only later when the second ark was about to crash that Ford Prefect shouts out “You are all B’Ark-ing mad” that the joke become obvious.

As for being our ancestors, hmm hair dressers, marketing assistants and “dead telephone sanatisers” would be a heady cocktail of dodgy geans. Not sure about lawyers and acountants, they are only marginaly better than Human Resource managers and a tads below second hand care salespersons and real estate pushers…

The trouble is we all want our ancestors to be someone infamous take Captain Morgan, with burning cannon fuses/matches in the hair, or some other villain with good notoriety and larger than life personality.

I’m sure some think of Bodacia in her chariot with knives for wheel hubs, or Good Queen Bess, or some such.

Someone in my family traced back the family tree, one or two famous faces to historians, but whilst there is royalty, there are no good villains. The nearest I get is AF Chapman, virtually unknown in England, but of great importance in Sweden. He was master of the Royal Docks on the banks of the Thames. But because he shall we say cuckolded the wrong man, he had to scraper abroad. Where he did the King of Sweden a favour and revealed secrets of “man-o-war” construction etc… So technically a traitor.

Mind you, it’s not to say that I’ve not tried to correct this lack of villains in the family tree… Turns out back in the mists of time, I realy upset one “Mad Maggie Thatcher” when she was the UK Prime Minister and trying to flog off the GPO / British Telecom. Apparently she was not ammused by some of my activities and wanted my head… Well I’ve still got it so I must have done something right.

Not sure it counts, but it’s the best I’ve done sofar, but I’m sure there is time to do better 😉

Pass me the bar of soap and the cheese grater =:(