Schneier on Security

Clive Robinson • May 11, 2021 2:07 AM

@ Bruce, Etienne, Fed.up, ALL,

This is bad; our supply chains are so tightly coupled that this kind of thing can have disproportionate effects.

It is the logical consequence of not regulating a market.

Basically due to short-termist thinking the US and other Nations that have favoured neo-con thinking over the past third to half century or in some cases longer, have alowed those supposadly in charge to compleatly “hollow out the infrastructure” with near zero maintainence and a compleate disregard for security and safety.

@ Etienne, Fed.up, ALL,

The “ban the technology” solution will not in any way fix the problem, history has taught us that over and over again with more conventional crime. All that will happen is that those involved will just evolve a different stratagem for communications, carrying out their activities and the transfer of finance etc etc.

Oh and as always legislators will be stupid and come out with legislation so broad in scope that they can make you guilty without you having actually done anything (see UK RIPA as an example with similar in Australia, as well as US legislation).

As I keep saying,

1, Technology is agnostic to use.
2, The good or bad of technology use is an entirely human “Point Of View”(POW).
3, The use of technology is entirely dictated by a “Directing Mind”.

Failing to understand any one of these three points has led almost invariably to bad or impossible legislation or regulation, that does not stop the intended problem in any way, the Directing mind simply out evolves it.

But what such bad legislation or regulation does create is hundreds if not thousands of other problems with the result that all such legislation and regulation does more harm to society than the original problem did, by a very long way.

If you want to actually stop these problems then controlling technology is going to fail, no ifs, no buts, no maybees, it fails every time. Historically like all religions and political systems before it the Roman Catholic Church tried it over and over and each time it failed. Likewise arms control and even Weapons of Mass Destruction it all fails, as will any attempt to stop the use of secure communications, or other technology.

The solution is not controling technology but the “Directing Minds”, that is those who actually made the problem in the first place, and legislate / regulate against them. But as they are the ones that make political donations and employ lobbyists to buy the direction of legislation, thus stop their dangerous behaviours from environmental polution, dangerous work place practices, and upwards being made illegal, you are first going to have to stop those backhanders and other inducements.

But “Being tough on technology” will work even less well than “Being tough on crime” which has “failed, failed again, and continues to fail, and will always fail”. Just like most other stupid knee jerk political mantra it’s designed to fail “profitably” for “the chosen few”. It almost always works because people who do not think the problem through fall for every time, thus those responsible walk away with even more “prevention” tax dollars in another endless “War on XXX”. As for those that created the problem in the first place, they will probably get “bailed-out” by tax dollars as well, either directly via regulation to clean up the mess they have created or when disaster strikes they are alowed to get away with it…

Clive Robinson • May 11, 2021 5:06 AM

@ Winter,

Any cryptocurrency value which did not come from a KYC money account is blacklisted and cannot be exchanged for fiat currency anymore.

Not true, unfortunately, it’s premised on the notion that all banks will behave to a set of rules put in place by an entity they have no legal or regulatory relationship with. Especially when the banks know that the entity concerned will not play by it’s own rules.

You have to remember the biggest crooks in “money laundering” are “Sovereign Treasuries” and their nominated banks.

Thus the US will set up via the Federal Reserve a bitcoin “black list” as they see fit. But the US Government will move bitcoin from that blacklist for various reasons (effectively asset seizure legislation and the like). Other countries will do the same thus you will end up with “flavours of bitcoin”, just as we have “national fiat currencies”.

So when you consider China mines by far the majority of bitcoin and they also manufacture for or supply raw materials to so many other nations… that their whitlist will probably become the international standard if Bitcoin gets taken seriously.

But also consider what the US thinks it could do with such “blacklist power”. In theory it could see all the Bitcoins held by a national or corporate or provate entity and at the stroke of a keyboard make all their Bitcoins worthless… Do you realy think other Nations would ceed such power to the US? Lets just say it’s unlikely they would more likely make the holding or use of Bitcoin illegal, not just in their jurisdiction but take a leaf out of the US legislators loony two tunes mentality and make it clear their legislation applies “without jurisdictional limits” and back it up with the threat of “Guard Labour” force, at which point Bitcoin investors might start suffering from the crippling effects of “long gun fever”.

Various Governments have tried to put in place “Know Your Customer”(KYC) for many many decades, but ever since the breaking of the Bretton-Woods Gold pricing by bonds it became clear that such control not only can not work, it’s actually undesirable from the neo-con economic perspective.

Back when Tony Blair was PM in the UK, he tried pushing KYC onto banks, and banks threw it straight back again by saying they wanted around 430GBP per new account from the UK Government to meet the proposed UK legislative requirment. So the legislation got watered down.

It did not take identity fraudsters very long to realise how easy it was to get around the rules. In essence all they did was divert mail and reregister one or two basic utilities to their pseudonym having first got an identity document in that pseudonym.

For those a little further up the criminal tree stealing existing but quiesent bank accounts via insiders at call centers “outsourced in other countries” was the way to go.

Another technique is to buy up a limited company or similar and use their banking facilities to leverage other banking facilities.

Whilst seting up a limited company from scratch is not that difficult to do, you can purchase them “off the shelf” some used to come with basic “banking facilities”.

But the current prefered way to do things for many is the “Limited Liability Partnership”(LLP).

There are way to many rules, and thus there are edge and corner cases if not loop holes you can fairly easily exploit if you know what you are doing.

Look up Estonian “e-Passport” rules if you want a real eye opener. I was considering going down that route to have freedom of movment in Europe after Brexit, but decided in the end there was another way to achieve the same thing if I ever needed it.

[1] Identity documents are funny things, supposadly they are all tracable back to a “birth certificate” which is not exactly difficult to get hold of a copy. For obvious reasons birth certificates have no real recognisable bio-metric attached after all rumour has it we all look like “Winston Churchill” when we are born. It’s one of the reasons why Stella Rimington who was head of MI5 upset quite a few politicians and the lobbyists that thought they were going to make billions out of a National ID system, when she said no ID document could ever prove “who you actually are” only “The name it says you are”. Israel for instance, is known to encorage those who emmigrate there, not to revoke their previous national ID, but to “donate” their other nation ID documents to the Israeli Government… But if you know what you are doing and you plan ahead it’s actually not difficult to get a passport in a different name, one way is to get married and change your name, get new accounts in the married name and at some point get divorced having carried on using your old accounts throughout. But there is a fun side to ID documents, what are they? Well just about any “Government Agency” issued document will do. A friend who became bankrupt through no fault of their own when they became “discharged” used the UK Court issued paperwork which has no biometric information to open a new bank account. Apparently the young lady in the bank was surprised and went and saw the manager who OK’d it then and there, she just photocopied it and put it in the file… An interesting point is if you get arrested for some criminal act, if you have no ID and the police can not show you are not who you claim to be, then that is the name you get convicted under. Thus getting a new ID as a “Person legal or natural” is not as hard as it’s made out to be, then getting all the trappings of being a “person” such as driving licence, bank accounts, national security/tax ID, job then follow on. So KYC is a myth and for various reasons always will be in the foreseeable future, to exploit it you just have to know how the rules work, then work them to your advantage.

Clive Robinson • May 11, 2021 5:14 AM

@ Winter, Ismar,

The point being that the US political and legal systems are unable to enforce minimum infrastructure and utility services.

Don’t stop there, go on as to why other countries do not have these same issues…

If they can fix the problem why can the US not fix the problem.

It’s a question every US citizen should be asking their representatives. Just to see what lies prevarications and other tripe if any come back from those they vote for, and are supposed to be accountable to the voters.

Clive Robinson • May 12, 2021 2:56 AM

@ lurker,

When was this?

Not long after the neo-con liberators wrecked the place and turned it into a killing ground, where trying to go to the bank would get you high velocity lead poisoning from one side or the other.

Clive Robinson • May 12, 2021 5:55 AM

@ Etienne, Givon

A little lite reading for you,

https://www.theregister.com/2021/05/12/blessed_are_the_cryptographers/

Remember that without privacy that crypto gives us, the society you grew up and live in will be no more, and it will be worse than any Police State or Tyranical Dictatorship you have ever heard of. Just ask someone in their 50’s or older that lived in what was East Germany on the other side of the Berlin Wall, likewise people that lived in other East Eurapean Nations under the old CCCP regimes.

Clive Robinson • May 13, 2021 12:05 AM

@ SpaceLifeForm,

It’s magic. Colonial Pipeline is now back in operation.

Probably because the story leaking out has some truth behind it…

That is, the story has it that it was not the pipeline or it’s control systems that were attacked. Just some of the “head office admin/accounting” systems… So there was actually no reason[1] to turn the pipeline off from an engoneering, plant, or process perspective.

So the implication is it was managment / accounting at some level that “flipped the off switch” in an abundance of caution or avarice depending on how you want to attribute things[1].

Thus if true from an engineering, plant or process perspective managment could flip the switch back on again any time they wanted to…

But is that realy true? Well… Only up to a point, the laws of thermodynamics and physics actually have rather a lot to say on the matter.

Consider the “bulk thermal mass”, “insulative loss” and the stratification and phase change of the “product” in the pipe line…

Most of those who have read this blog should know that solid wax appears to be a very effective insulator compared to liquid wax. Actually it’s not as such, it’s actually the energy differential for the phase change is very large. It’s why it’s used in “thermal storage batteries” which is what the “pipeline” has in effect become. That is whilst the temprature of the pipeline would hardly have changed, very large amounts of thermal energy would have been released into the environment and the product would start to become increasingly viscous as it goes through phase change.

At some point it would be too viscous to flow sufficiently, that is the pumps would not be able to move the product and thus getting energy back into the pipeline to in effect reduce the viscosity would no longer be possible, and that’s when it is nolonger a pipeline but heavily polluted scrap metal.

I would not want to be the chief engineer who had to walk into the board of directors “crisis meetings” and say,

“Gentlemen, if we do not turn the pumps back on we will soon not be able to do so, and you will not have a pipeline business any more.”

So they would be at a point where “giving the product away for free” would be the most sensible option to keeping the company in buisness.

Likewise the up stream producers would have been on their case for similar reasons. Because shutting plant down to stop it waxing up is a very delicate and expensive process as is starting it all up again especially as the “mechanical effects” due to metals contracting and expanding as they cool down and heat up again is likely to “pop a few seals” at the very least.

Likewise think about storage tanks, most product does not realy change density much as the thermal energy leaves it, unlike water it does not “float up” as it goes through a phase change from liquid to solid at best it starts to form flakes, these need to be “stired back in” but there is a limit to what can be done if too much thermal energy gets out.

So “colour me unsurprised” it’s come back on “like magic”…

It’s a classic example of “entropy in action” and what goes wrong if you make supply chains “too efficient” by making your storage margins too small.

Nature “knows” by the process of evolution in a ransomised enviroment where you have lean times and fat times that you have to alow for them both otherwise you become extinct…

That is you need “spare capacity in the system” to deal with transients in system flow. You know that “internal fat around your organs” doctors tell you about that can be so dangerous to your health but you can not see in the mirror? Well that’s part of your bodies multilayer “spare capacity” system. To prepare you for the “lean time of winter” it “stores the fat of autumn”. The problem, is it is so good at storing, and in our modern society we don’t have the lean times, so it just keeps storing every spare calorie untill it crushes the life’s breath out of you quite literally unles you burn it off in some way… It’s why “fasting is good” but “starvation is bad” because when that fat is gone, your muscles and intetnal organs are in next layers down on the list of “energy stores” your body will use…

So nature “knows” there is an optimum for a reserve in each storage system and it works out to a little over 1/3rd of total capacity[2] ~36.788% of the system over ‘a given period of time’ (it’s actually “e to the minus one”[3]). Move either way from that point and you reduce the ressilience of the system in a “random environment” that has a flat, normal or other balanced distribution of fat and lean periods over ‘a given period of time’.

So your “storage capacity” is actually based on “time” and “through put” thus reducing through put can buy you more time upto a point[4] then you need to switch to alternative modes of operation.

Which is where “union breaking” and “COVID” come into play…

The alternative is to use vehicals to move the “product” but these are expensive as drivers have to live and be healthy. Neo-con mantra says 100% utilisation of resources is what should be achieved. Any fool should know that’s not possible, but hey MBA’s and others appear to think otherwise. In engineering you have annual, decade and hundred year design considerations for “worst scale events”, hence you hear about “hundred year storms”. It’s actually a probabalistic measure based on historical records and you use it as a bench mark for how much resilience to design into a system. As this represents a significant “inefficiency” you can see why “moneymen” hate resilience or anything connected to it. Thus even though the first fall back position for product delivery might be road vehicles the pipeline operators do not want to pay for them so they have “externalised the cost” which means all the way down that line every one is doing the same thing and that means there is absolutly no resilience in the system because all the suitable road vehicles have been reduced in number to just cover a quite short term demand. Thus the fallback might look good on paper, but the reality is “it’s not there” thus it’s not a fall back position but a “dead end” even in normal times. But these are not normal times we have a “hundred year storm” of the medical kind with the COVID pandemic, and something like 25% of the “only just enough for normal demand” drivers are unevailable…

Thus a cynic might conclude that the pipeline managment shut the pipline down quite deliberatly to trigger a “Federal Emergancy Plan” which is what they had effectively externalised their costs onto…

[1] “Twenty twenty hindsight” is a wonderfull thing when you want to attribute blaim, it’s one of the reasons the legal proffession has so much money sloshing around in it.

[2] This is about what you would expect if you thought about an ongoing or continuous process for a moment. If you work out your normal system throughput over a given “period of time” you then provide storage capacity of twice that and keep it half full, so 1/3rd throughput, 1/3rd in store for lean times and 1/3rd spare capacity for fat times. The real question though is “what period of time” to use and that’s a much more interesting set of questions and equations but ~2 times the average lean/fat times usually works as a starting point for any system that can switch from one operational or storage mode to another operational or storage mode for similar basic reasoning.

[3] Why does Euler’s Number “e” pop up in most of these equations well it’s because in the real world things tend to work as “fixed rates of growth” or “in percentages”, like “compound interest”. That is growth is given as say 2% over a time period if you draw this growth out for several time periods you get “exponential growth” which is the same curve you get on your graph from drawing an appropriately scaled “e to the x”,

https://www.mathsisfun.com/numbers/e-eulers-number.html

[4] Which is why you fairly quickly become lethargic or “hit the wall” when you run out of glycogen stores in your liver when you burn energy faster than your body can get fat out of your cells. It’s your bodies way of telling you to “give it time”.

Clive Robinson • May 13, 2021 2:48 AM

@ SpaceLifeForm,

Take a second look at,

“agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent “

Because,

I see no comma…

Thus it actually says both,

1, Multi-Factor Authentication(MFA).
2, Multi-Factor Encryption(MFE).

Are to be used, that will be fun, as most vendors will get MFE more badly mucked up than they have with MFA requirments on auditors check lists (remember the “But two passwords are MFA” or even better “But a secret username and password are MFA”).

Clive Robinson • May 14, 2021 1:10 AM

@ SpaceLifeForm,

Which a lot of bridges in the US are of that design.

Funny, we’ve shipped you one of our old second hand bridges over a little over fifty years ago as an example of longer lived designs from back nearly two hundred years ago. I hear it is still reliably doing it’s function as a bridge, despite what the song might lead you to believe.

Oh I think it is still the largest “antique” ever shipped to the US 😉

https://www.history.com/news/how-london-bridge-ended-up-in-arizona

And yes I did walk across it many many years ago when it was “sinking” not “falling” down following some sheep that were being driven across one of those quirky traditions to “maintain a right” of “freemen” it’s still done annually (this year 26th Sept). Back in time Freemen of the City were additionallt given three other privileges:

1, They could carry a sword in public.
2, If they were to be hung, they were allowed a silken noose.
3, If found “rascally drunk or incapable” on the streets, they would be sent home in a cab, rather than chucked into a crowded cell with common drunks for the night.

Due to other peculiarities of such things some Freemen of the City of London have the title bestowed on them via the Guilds of the City of London, for various reasons, oh and other “oiks” by inheritance of trade etc 😉

https://www.cityoflondon.gov.uk/about-us/law-historic-governance/freedom-of-the-city

Scarily Bill Gates is a Freeman of the City of London…

Clive Robinson • May 14, 2021 2:34 AM

@ SpaceLifeForm, ALL,

From the article a Brenntag Spokesperson said,

“As soon as we learned of this incident, we disconnected affected systems from the network to contain the threat.”

Talk about “shutting the stable door after…”.

As I’ve mentioned before almost my first question when called upon for advice is,

“What is the business case for this computer to be connected to a public neywork?”

I’ve yet to hear a truly valid reason that is not compleatly compromised in some way. But mostly the replies are based on “arm waving and MBA mantras”.

Let me put it this way, if I asked a Bank,

“What is the business case,for having this vault stuffed with valuables having a propped open back door to the street 24×7?”

What sort of answer do you think I’d get?

The reality is very very few uset computers need a conbection to the Internet, and next to no repository servers should be connected.

Companies should think about switching from a “permiso” to “non permiso” policy just as they mostly do with physical security…