Schneier on Security

Clive Robinson • June 6, 2022 12:47 PM

@ John, ALL,

Just tried to reply to you but it “got held in moderation”…

So split it into bits time…

Part 1,

Is the ‘state’ entitled to have secrets?

It thinks so, and that is often it’s downfall to a carefull observer.

From the start of the article,

“[A]mid the bland northern Virginia suburbs, are generic-looking office parks that hide secret government installations in plain sight. Employees in civilian dress get out of their cars, clutching their Starbucks, and disappear into the buildings. To the casual observer, they resemble anonymous corporate drones.”

This always amuses me because “plain sight” is a form of “Security by Obscurity” and it realy does not work.

Clive Robinson • June 6, 2022 1:01 PM

@ John, ALL,

Part 2,

I won’t go into to many specifics but you can get a feel for Gov / Mil / LEO and other agencies because they are over cautious and the workers are generally not.

You can group things you can observe as a “passer by” into,

1, Buildings
2, Building Attachments
3, Security
4, Security Personnel
5, Workers behaviours
6, Workers attributes
7, Workers vehicles
8, Workers published info.

Often the buildings have a certain style that “does not fit” or just looks wrong. Such as few or no ground floor windows in an “office building” and what windows there are are screened in certain ways.

But the buildings have attachments that look odd that try to hide antennas, high power feed in, hidden air con and other utilities that don’t fit just walking down the pavement and seeing odd manhole covers can give hinky clues.

Clive Robinson • June 6, 2022 1:12 PM

@ John, ALL,

Part 4,

But a careful eye on when people turn up and leave work is a fairly good sign. Most Gov workers are “clock watching” their way to a cushy-pension” on lowish pay, their time keeping and the way they dress the bags they carry the shoes they wear are big tells in that. But also what they drive is an indication of income, marital status and age, which are often quite different to corporate employees.

Even hair cuts, facial hair, and similar are give aways to Mil and similar “flaged personnel” even the way they walk and carry themselves.

Then there are the “fitness” and similar trackers that have Internet access… Talk abou hanging a rope around your neck….

Hiding in plain sight is difficult enough for individuals who’s lives are on the line 24×365, an agency where most of the staff are time serving or maintaining their physical status stand out, realy does not have a hope in hell of hiding.

But also consider vehicle licence plates, they are fairly easy to check without going through “government databases” likewise who owns the houses those vehicle drivers live in and thus all sorts of information.

As for “social media”… “Take me out and shoot me”…

Clive Robinson • June 6, 2022 9:21 PM

@ JonKnowsNothing, lurker,

EW has an entire slew of posts about Dec37 folks and Superseding Indictments.

Apparently there is another “truck load” on the way…

But I must admit, I’ve lost interest in much of the goings on.

It’s become clear that much of the current prosecution behaviour is highly politically biased, whipped up into some self rightious froth by certain “MSM for authoritarian follower air-heads”…

There is only so much of that nonsense a body can tolerate…

The reality is prosecutorial over reach is an understatment, and they are grasping not at straw, but nothing-burgers of “lying to FBI”. I guess to try to stop the FBI of wasting taxpayers money by way of malfeasance.

But what are you supposed to say when three years of investigating, three weeks in court presenting become “quickly aquited” and jury members point out publically there were better things that could have been done with the time… Yet the likes of Fox make wild unsubstantiated and clearly untruthful claims… You have to ask when this abusive politically inspired nonsense is going to stop…

What’s the betting the “pee tape” will be taking a turn on the stand before year end?

Clive Robinson • June 7, 2022 3:49 AM

@ JonKnowsNothing,

Good Guys left, not many but some; and that someone who goes to the FBI and reports something “hinky” is happening (which it was but that’s another sticky jam jar) and alerting the LEAs to check it out was a Good Guy. Only to find this dude Durham was accusing Sussmann of lying about it.

Do you know why MW is nolonger living in the US?

A hint might be she to went to the FBI to report something “hinky”.

Hopefully the Government of where she is, has a different approach than the US/UK do…

After all the highest serving judge in Scotland made a ruling, using an invented crime, against a UK online journalist in poor health, to have him jailed for being inconvenient to the Scottish First Minister, US and UK Governments and to prevent him giving evidence at a serious trial in another EU countrh. The ruling set a legal president about who is and is not a Journalist… And from what I can see MW is in the latter group of individuals.

Hopefully MW will keep her eye open for “stray buses and burly individuals”.

Clive Robinson • June 7, 2022 5:49 PM

@ SpaceLifeForm, -, ResearcherZero, Winter,

Re : Italian Organised Anom?

That is curious.

Whilst Italy does indeed have quite significant organised crime and drug crime often seperatly, they are not realy a “way point” on Internet or other Communications routing.

So in theory a “clued up eye watching” could have spotted it as an abnormality and red-flaged it.

But as I have a habit of noting when it comes to “end point security” you want it off of the “communications end point” device due to various “end-run attacks”, that you can neither monitor nor mitigate when they use the same consumer or commercial grade Smart devices.

I guess the daft thing is that we knew this for centuries before and through WWII and to the last decade of the last century.

In this century all we appear to be doing with regards Privacy and Security both of which are key foundation stones of society is “slip backwards” in ways that would have shocked not just my Great Grand Parents, but my Grand Parents, Parents and myself (so around a century and a half). Even my offspring and friends who appear on the surface to be blasé to it, when you chat with them actually appear shocked and certainly more “politically aware” than I was at their age, with the “Hell in a handbag” statments of the 1980’s with regards “Maggie “bag/milk snatcher” Thatcher style comments being re-made about “the blond blow job slug” and compatriots…

Clive Robinson • June 9, 2022 11:51 AM

@ Andy,

Re : But a couple of things are puzzling

It’s clear you will never make it as a US Gov prosecutor…

Because you are,

“Alowing facts to get in the way of the all important narative”

How can,

“Justice be seen to be done”

When you “nit-pick” and “thread-pull” at the grandiose oratoral splendor of the theater of the court?

You are obviously some “Commie 5th Columnist, hiding under decent folks beds” 😉

Clive Robinson • June 12, 2022 8:07 PM

@ SpaceLifeForm, JonKnowsNothing, lurker, ALL,

With regards “Empty Wheel”(EW) and,

“Among the things Schulte worked on at CIA was a tool to jump an air gap and compressing and exfiltrating data.”

The funny thing is that “jumping an air gap” was something I did years and years ago when looking into how I would go about “rigging an election” by using “fire and forget” malware to infect the voting machines “Maintainence Technicians” laptop. I described it in outline on this blog some considerable time before stuxnet or friends were ever logged or seen by AV analysts eyes. As far as I can tell from the time lines available, that was before Schulte worked on anything at the CIA.

Likewise I also worked out how to do “headless botnet control” and gave an outline on this blog. But… because of the complaints some “ostriches” made, I did not say how even in outline I’d also solved the exfiltration problem, just that I had.

So as time has progressed significantky kets just say “headless botnet control” has a great deal in common with the “exfiltration problem”, in that the same underlying principle works for both (which should be a sufficient hint for smarter people to “join the dots”).

As for the EW quote, people need to realise there is something not correct in it, and it gets people killed. Sadly I see people making this mistake over and over.

What they call “Compressing data” is actually not what you are doing if you actually know what you are doing with “exfiltrating data”.

The goal of “compression” is to just minimise the data size to be sent. This is generally done by removing redundancy at one or two of very many levels, it does not of necessity remove identifing statistics.

Some used to call a similar pre-encryption process “flatening the statistics” where the goal was removing statistics so increasing the unicity distance, thus making cryptanalysis quite a lot harder. It was just a coincidental bonus it reduced traffic length.

But the reality is that statistics is the killer, in that with compression you end up with “random” looking data that “stands out” from other data like “A lit candle in the dark”.

So the actual aim is not to “flaten the statistics” but shape or “tailor the statistics” to match the other traffic.

How far back the “tailor the statistics” idea goes back I don’t know, historical research hits the problem of a lack of available records. I do though have sufficient hints to say it was known prior to WWII by various individuals and organisations in the UK.

That is whilst there were machine ciphers, the bulk of “agent traffic” was encrypted by “hand ciphers” like double transposition based on memorised poems as the shared “root of trust” secret, known as “Poem Codes”(PC) or the “One Time Pad”(OTP).

The problem was PCs, although the agent carried no physical evidence, they were hoplessly insecure, as they had recognisable statistics in the ciphertext. Whilst OTPs were secure as they had no statistics in the ciphertext, they required the physical pads which were daming evidence if found.

Importantly any competent cryptanalysist could spot the difference in ciphertext statistics immediately. So on a tactical basis they simply did not bother with the OTP ciphertext and concentrated instead on the PC ciphertext. Which was undesirable, as getting a cryptanalysist to waste time on OTP took effort away from breaking the vulnerable CP traffic. Also as at the time OTP traffic signified a more important target the “radio service” would prioritize it for “Find, Fix, Finish”(FFF)…

Thus the trick was to make the OTP ciphertext look like it was CP ciphertext by altering it’s statistics. There are several ways to do this, but in deference to any “ostriches” that might be reading and might start flapping I won’t go into details.

However if others doubt the differing statistics in ciphertext can have FFF issues, they might remember Mat Balze mentioning the “missing nines” in some traffic from a Russian Numbers Station in Cuba that alowed correlation to the behaviours of certain people thus enabeling them to be identified as spys.

So getting back to “exfiltrating data” whilst “compression” is useful, “tailoring” statistics so it hides in the other traffic is way more important to avoiding the exfiltration being detected.

Hopefully this will come out more in the Schulte case if the powers that be unwisely proceed…

As I said “tailoring statistics” is something they might not want widely known… If people wonder “Why?” they need to look back in history around four decades ago. Back in the 1980’s and when Gordon Welchman published his book about the goings on at Bletchly Park. What caused the agency folk to get their panties in a wad, was not as many thought at the time that he was detailing the Enigma bomb and how it effected other nations still using similar cipher equipment, but actually that the knowledge of the way more powerfull “traffic analysis” would become known. Technically “tailoring the statistics” is an “anti-traffic analysis” technology as it has when you consider it carefully, quite wide implications, especially with “secure nets” that have “store and forward nodes”.

Clive Robinson • June 13, 2022 7:55 PM

@ SpaceLifeForm,

Re : This is totally implementable.

Fun little side story…

Few programers have ever thought about the implications of the speed of light and “Time-Cones”.

I had the misfortune to recently hear “a software expert” drone on about “fully specified inputs” as a requirment.

They were not happy when I pointed out that there are some things for which you can not fully specify inputs. As I pointed out in the airospace industry you actually have to deal with the effects of Einstein’s Special Relativity, as do mobile phone system operators.

The blank look I got from them “spoke volumes” about their actual expertise.

I suspect somebody else in the audiance picked up on it or already had their own suspicions. Because they asked a question that showed the expert might understand sequential events but did not understand parallel events with independent clocks and how that stopped certain anti-deadlock protocols working.

In fact it sometimes floors me when software developers have no grasp on the real issues to do with the three basic times of,

1, Process time.
2, System time.
3, Wall time.

There was a horible bug in Python 3 libraries on MS OS platforms that did not show up on the two main *nix OS’s. It came to my attention because of my son “doing homework”.

I won’t go into details but I dug through the code and provided him with a work-around for the bug.

The problem I had was I did not actually find a “Specification” for the library code, so technically it was not a “bug” but a “surprise”[1]. One of my pet peves is under specified specifications.

The usuall argument is it’s a “Draft specification as a work in progress” the implication being that the programers will decide as they write code… Although very common this is a terrible idea, because it results in early design choices irrevocably setting the future course, and the notion RAD or similar will sort things out is equally as terrible.

A friend who is an experienced builder pointed out that in any wall each brick is a foundation stone for the bricks above, and should be treated as such and should therefore be laid with due consideration to that within the structure of the architects plans.

In short, before you start writing code the specification has to detail all the features and how they are positioned with respect to each other so you can slot in the appropriate layers of code. If specified correctly, then any changes will be only “local” not “structural” and mostly “cosmetic”.

[1] What differentiates a bug and a surprise when software does not behave as expected? Well it goes back last century to a comment attributed to Brian Kernighan of,

“A program that has not been ‘specified’ can not be incorrect, only ‘surprising’.”

The thing is specifications in the hands of the inexperienced follow not the “waterfall” method but the “spiral” method I prefere to call the “tailspin of doom”.

To see why Wikipedia puts it fairly succinctly,

“In aircraft that are capable of recovering from a spin, the spin has four phases. Some aircraft are difficult or impossible to recover from a spin, especially a flat spin. At low altitude, spin recovery may also be impossible before impacting terrain, making low and slow aircraft especially vulnerable to spin-related accidents.”

https://en.m.wikipedia.org/wiki/Spin_(aerodynamics)

Like aircraft there are specifications where getting into a tailspin is at best difficult, others where it is possible but you can recover, then there are those from which recovery is not going to happen in any realistic senario. They go in the order of from “least surprising” to “most surprising” and the smell of burnt tail feathers.

Clive Robinson • June 17, 2022 11:39 PM

@ SpaceLifeForm, JonKnowsNothing, lurker

re: DEVLAN was not air-gapped

As I noted a few days back,

It’s not the “system” that needed to be “gapped” but the information.

That is when the system was “backed up” where did the backup “tapes” go and thus who could have access.

The fact the files have a cutoff date of XX/YY/ZZZZ does not mean that was the date they were accessed. It just is the date of the “backup-tape” snapshot from days, weeks or months previously.

So if someone is trying to frame the defendent, they just have to find a backup from the time he was there, even though it might be weeks later when they pull it.

The only thing we know for certain is that the data was accessed at some point in time past the newest provably valid time stamp.

But just how provable are those timestamps? Probably not as much as we would like to think, in fact I suspect they are not going to be independently verifiable for this court case…

In which case, do they realy count as evidence?

Probably not.

Clive Robinson • June 18, 2022 7:10 AM

@ SpaceLifeForm, ALL,

You might have trouble finding information on MS and the “quarks and tunneling” as it’s not in their current knowledge base…

You will thus have to know the original MS KBID and look it up in “betaarchive” to save you the effort,

https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/172190

Note that it was last modified in 2007 a decade and a half ago, but… Some of the MS-OS’s (XP) listed marched on long after that and still do in many many “Government funded” institutions / agencies around the world today…