Schneier on Security

Clive Robinson • October 20, 2022 8:25 AM

@ ALL,

To be honest I stopped reading wheb I got to,

“Signal knows nothing about who you are. It doesn’t have your profile information and it has introduced group encryption protections.”

Whilst that is potentially true it’s disingenuous and designed as a “lie of ommission”

Signal has all it’s users phone numbers, these are like the new social security numbers.

Whilst Signal may not know all your details, it has the “Primary Key” by which they are all uniquely identified…

So they have the “keys to your kingdom” as “third party business records” and all the readers here should know what that means…

So there was no point reading on.

Clive Robinson • October 20, 2022 2:01 PM

@ Bruce, ALL,

If anyone is in any doubt about what I say about “secure apps” being “insecure in systems and use”, how about reading the US National Security Agency on this matter,

https://www.nsa.gov/Portals/70/documents/resources/everyone/digital-media-center/publications/research-papers/the-inevitability-of-failure-paper.pdf

Titled,

“The Inevitability of Failure”

It points out in the conclusion that,

“current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems.”

By “Mainstream Operating Systems” they mean all those OS’s consumers get from from Silicon Valley “Mega Corps” and all those Open Source projects that end up in our desktip, laptop computers, pads and Smart Devices, all those “Internet of Things” devices and all “White Goods” and “Vehicals” you can buy as an Jo(e) Citizen.

Yup that’s all of them that you will ever have some incorrect sense of “ownership of” by “purchase” you actually own none of them, they own you, and they all either spy on you by default like MicroSoft or they can be trivially abused to do so…

But this is not “news”, what feels like a lifetime ago, but was around four decades, in his excellent “Turing Award Lecture” one of the creator of UNIX, “Ken Thompson” succinctly pointed out the warning,

“You can’t trust code that you did not totally create yourself.”

But time has shown that even if you “totally create yourself” code is not enough… You have to inclued the entire “computing stack” from device physics down at the quantum level, all the way up to international treaties. This is not possible for a single individual.

Does this mean we are going to be forever “insecure” well “yes” if the Silicon Valley Mega-Corps and just about every government in existance has it’s way. All these consumer sysyems are designed from the ground up to be insecure by two basic methods,

1, They do not alow you control.
2, They do not segregate parts.

If you want “control” then you have to exert your right to do so by putting “segregation” in as “mittigation”. Which unfortunately means,

1, Knowing how to segregate
2, Ability to “energy gap”
3, Practice good OpSec
4, Know how to safely use crypto

The big problem is whilst a few people can do all of this most can not.

Read the paper,

“Why Johny Can’t encrypt”

As an intro as to the problems,

https://www.ischool.berkeley.edu/news/2015/why-johnny-cant-encrypt-doug-tygars-landmark-paper-stands-test-time

Clive Robinson • October 20, 2022 7:02 PM

@ Q, ALL,

Re : Phone numbers.

“Also, a phone number is not a person.”

Really, I’ve already pointed out that that sort of statment is “a lie of omission”. If you look back up the page you will find,

“Signal has all it’s users phone numbers, these are like the new social security numbers.

Whilst Signal may not know all your details, it has the “Primary Key” by which they are all uniquely identified…”

Perhaps you should sit down and have a think about “reality” not “perception” as used by people trying to in effect lie.

The sort of game the NSA uses in front of congressional commities where they “redefine words” to hide what they have done and are plant to not just continue doing but do a lot more of…

Which brings us around to,

“Many here appear to confuse security with privacy.”

I suspect you are the one confused. It can be easily shown that all information security and a lot of physical security is only possible by the privacy of a “root of trust”. If it is nolonger private then neither form of security holds. Thus one is logically a subset of the other.

Clive Robinson • October 21, 2022 7:53 AM

@ Denton Scratch

Re : “In the Quatermasters Stores”

Or a “how not to of food security 😉

You say,

“my thumbs are too broad, my eyes are too dim, and my hands are too shaky.”

Back oh so many moons when I was not much more than a wee lad, there was a song sung around camp fires. Even the Shadows did an up tempo instrumental of it I gues six decades ago,

https://m.youtube.com/watch?v=sbOEgigo5SY

It’s usually copyrighted as “traditional” and goes back before WWII at least.

The chorus I learned was,

My eyes are dim I can not see,
I’ve left my specs in the WC.
I’ve left my specs in the WCeee.

With verses repeated twice starting with a line like,

There were mice, mice

Followed by a rhyming downside line such as,

Mixed in with the rice

Followed by

In the stores, in the stores,

The starting line repeated followed by a second rhyming downside, then the verse round closing line of,

In the Quatermasters stores.

It was popular enough to be known in the US as well,

https://m.youtube.com/watch?v=x09fzAuNfYU

Funny what menories just a few words bring back.

Clive Robinson • October 22, 2022 12:48 PM

@ iAPX, ALL,

First a quick appology you might have heard the UK has had a few probs in the last few days… With Putin trying to ahoot down an Intelligence plane in international air space well away from either Russia or the Ukrain. Secondly apparently our latest Prime Minister has had a fit of the vapours and was last seen running for the hills (look up “Chiltern Hundreds”). So life has become a little topsy turvey… But back to it.

Re : Communicating safely on Internet.

“There are no simple way to communicate safely through Internet, this is a fact.”

No it’s not “a fact” it’s an assumption.

It’s based on the notion the Internet is in essence a “Point to Point”(P2P) only network… When in fact it was originally designed not to be… The reason for the change goes back to Gulf War I/II and the fact Sadam Husain had used the more interesting facets of the original DoD design –based on the work of Gordon Welchman after he left Bletchly– to make a very fault tollerent Command and Control network (Something the FiveEyes decided could nolonger be allowed).

The World Wide Web”(W3) runs on TCP, which requires the P2P behaviour. There is an alternative UDP that is basicaly a fire and forget protocol that is rarely used. Both TCP and UDP sit ontop of IP which is another non channel datagram based protocol.

The thing about b IP is that it assumes oneway multiply routed datagram packets of data and all it does is make an attempt –not even best effort– to get them from the sender at point A to the recipient at point B. The reason is two fold,

1, It gives independence from the physical layer.
2, It assumes the physical layer is at best “unreliable.

So IP in effect “layers a virtual network” over the physical layer what ever it might be.

As I’ve mentioned before with Shannon Communications Channels you can layer them as much as you wish.

So you can layer your own new more secure and security minded protocol on top.

Thus all you have to do is understand the failings of the current supposadly secure neyworks like Tor / Mix-net that are anything but secure –by design– and design the failings out.

Have a look at the notion of a “Fleet Broadcast” system that has been around since the earliest days of Radio and you will start to see the possabilities.

Needless to say the work of Gordon Welchman is still “classified” but the military networks are often built on the principles laid down by him.

Clive Robinson • October 22, 2022 6:45 PM

@ Winter,

Re :

“There is no non-trivial software without bugs. Current hardware is software compiled to silicon. Hence, there is no hardware without bugs.”

Whilst I do not disagree with the first sentance, in fact there is a mathmatical proof that rather more than suggests it’s true, you get into shakey ground with the second. You assume that a bug in software MUST somehow effect the output, which is at best an assumption. In fact there is software that impliments “state machines” used to control physical devices and every state is not just within the state machine, it’s fully tested as such (it’s one of the things I do with “flight hardware” and it’s a certificational requirment).

Which makes your QED style third sentence improbable.

The problem is that your assumption is that “something flawed” must in turn “make things with flaws”. It’s just not true as any “instrument maker”[1] can tell you.

Further if you think about it nearly all human progress outside of original inventions is about “refinement”. That is you take something existing and use it to make a less flawed version of it’s self in a “turtles all the way down” process with each successive turtle being better than the one before.

An example of this is the use of a pantograph based engraving or cutting system.

[1] Part of my training was as an instrument maker, and one thing you learn is how to make successively better instruments from amongst other things iron ore and tree trunks of oaks.

Clive Robinson • October 24, 2022 11:23 PM

@ SpaceLifeForm, ALL,

“… you also need to consider that when you sent a message to CNN, you did not really know who you were really talking to, and you never had any way of knowing if their OpSec was good.”

The same if you remember was true of sebding documents to the “Intercept” where a journalist then forwarded them on to the entity the whistleblower was blowing the whistle on, so ended up getting caught, and another did similar with an FOI request,

https://www.mintpressnews.com/bad-track-record-gets-worse-new-whistleblower-outed-intercept/239822/

HOWEVER down stream OpSec such as “second party beyrayal” should not be conflated / confused with “Communications Security”(ComSec) even though it can impact significantly on ComSec.

As I’ve mentioned before most ComSec uses encryption that due to unicity distance being very short makes “deniability in the face of second party betrayal” effectively imposible. Which is why I’ve talked about using the “One Time Pad” to get the “required deniability”.

One of the underlying problems with “Second Party Betrayal” is something our host @Bruce has talked about in the past. Which is the “preasure to get work done” to meet deadlines etc. All to often the preasure is in conflict with “self-defence” let alone other party OpSec. Which is what the various “Intelligence Community”(IC) and “Law Enforcment Agency”(LEA) agencies rely on it to persecute whistleblowers.

In my view the likes of all the news / media outlets are way way to “goal oriented” to practice even minimal OpSec to protect their sources these days. Thus all to frequently they score “own goals” and the whistleblowers if they are lucky get to do jail time and have ruined lives.

As for those that are unlucky… well the dozens of CIA sources in China and Iran that got executed demonstrate the problems with “preasure to succeed” giving rise to poor OpSec and what “Power Politics” / “Might is right” will do with a bullet when poor OpSec happens.

@ Nadia el Mansour,

It provides more privacy than SMS. everyone knows smart phones are unsafe.

Do they? Realy?

If so then why do they use them for 2FA and run apps that can never be secure in use?

So you are saying that “little sister diary” level security is fine for everyone… So the MSM amoungst others follow your reasoning and Whistleblower’s end up if they are lucky with ruined lives or unlucky terminated lives.

If you don’t understand this, and you clearly don’t, then perhaps you should not appear to be a “shill” / “fanboi” / “apologist” for those working at Signal taking good money for very poor product and hype, if not out right fraud.

Clive Robinson • October 28, 2022 9:47 PM

@ SpaceLifeForm, Rick, ALL,

“But, even if it is a coding system, your communication path will be leaked via Metadata and Traffic Analysis.”

You beat me to responding 😉

But I’ve chosen not to mention SS7, Ttaffic Analysis, latency and many other issues like message-2-action correlation this time around. Primarily because it’s mostly way to much information for people to get their heads around in less than a few months (one day I might write a “user friendly” book to distribute freely, so people can take it one nibble at a time).

Yes you can “layer” a code / cipher encryption system over the existing insecure systems thus take the “plaintext”, “security end point” past the reach of the Mobile / Smart Device “communications end point” reach. It’s not even dificult to do in theory, or on paper, I’ve described several times how to do it in the past.

The problem is,

“It’s not convenient”

So any second party you do not have considerable control over will tell you to “hit the road” as “It’s their way or noway”.

Even if they do agree, it will be under what they consider duress to do it “your way”… So they will do their best to subvert it any which way they can, by at the very least “poor or nonexistent OpSec” or similar like storing the plain text in either Amazon or Microsoft or other major Silicon Valley Corp “clouds” where the plaintext of the messages will be legaly unprotected “Third Party Business Records”at best. That require no warrant or effective oversight by the Goverments or their agencies, or even “Arms Length Agency Managed Organisations”(ALAMOs) that claim “Commercial Confidentiality” against the likes of “Freedom of Information Requests” and similar, so you can not establish “legal standing” to get anything by any legal recourse…

Then they can do dumb things with “Key Material”(KeyMat) such as just leave it hanging around, or re-use it, or a myriad of other Cryptographic and OpSec mistakes.

As we now know, such “mistakes” of “convenience” were made by the CIA a few years back (and they are probably still doing similar today due to “organisational culture” of “results” thus “convenience”). We know that a minimum of 30 “assets” in both China and Iran were compromised. Some being dragged in front of their colleagues and just slaughtered/butchered as a warning to others… We may never know just how many were compromised in total but it may be up in the hundreds of “human assets” including spys/Agents killed, turned, or watched, and CIA Officers. The latter of which will now they are known will carry on being a compromise risk for as long as they hold a security clearence.

I could go on but it’s getting late over this side of the puddle, also a long list / discussion of mistakes will mostly be unhelpful and tedious to read through without a lot of additional background, try explaining SS7 and all it’s woes succinctly for example (Wikipedia does not get it right).

Clive Robinson • October 29, 2022 2:20 PM

@ Rick, ALL,

Re : Their push via SMS

“If you don’t mind my asking how do you get around the need for text messages?”

They can only “push SMS” at you if,

1, You have a Mobile/Smart device.
2, You let them know you have one and it’s number.

Generally the only way to “rob them” of their lousy behaviour is not to give them or anyone else a Mobile/Smart device number. In which case for many but not all there is little point in having a mobile phone.

The less general way is to dig into the Phone/SIM configuration and stop the SMS service provision (you can actually get “data only SIMs” that lack Voice/SMS, and Apple is taking it’s phones down the “data only path” via their cloud/network).

As you might guess I’ve had a lot of face to face meetings with those who supply goods or services where they say “we need your mobile number” where things go “pear shaped” when me response is truthfully “I suffer from tinitus and don’t own or rent a mobile phone, nor do I have Email or social media”. Then they usually come up with some nonsense about me getting a cheap mobile and service, to which my reply is “Are you going to pay for it?” pause whilst their brains try to grasp the concept… Then I say “As I have better things to do with my money than waste it on something I’m not going to use!”. Then the crappy excuses come out, to which I reply “The postal service works” pause again then say “It’s the only legal communications requirment”, pause again and say “You do, do things legally don’t you?” pause then if they still have not caught up, “Ahh not corresponding legally, interesting”.

The point is legaly it is your choice not theirs in how you communicate. Because there are many “hard of hearing, and those with poor vision” and other disabilities and in some places it’s unlawfull to discriminate against them. In part it’s why English law abd many legal systems based on it have not gone beyond the requirment for a “postal delivery address” for legal cotspondence (communications). Which does not have any requirment to be your residential, work, etc address. It can be a “postal box”, “Accomadation address”, legal / accountants representatives address etc. With the only requirment being any mail will be “serviced” within 7-14 days depending on the jurisdiction.

The only option this Second Party goofs/service provider has in the matter is to chose not to form a contract for goods or services with you, thus no reason to correspond. However in many juresdictions refusing to provide goods or services to a disabled person is legislated against, just as it is on gender, race, religion, etc.

I just wish more people would take what appears to be “the less conveniant route” because at the end of the day,

“Their convenience will be made your inconvenience quite deliberately by them on the ‘blaim the victim principle’ etc.”

Oh, and if you do have some disability or chronic disease/illness/syndrom that effects your everyday life, get a few “credit card” sized cards with a glossy surface stating that you have such an issue and asking for the persons consideration. It puts them in an awkward spot immediately. Oh and often they will hand it back with their fingerprints on… Which makes deniability somewhat awkward for them. But it does make it easy for you to collect their primary evidentiary biometrics (dominant hand index and thumb prints)…

Clive Robinson • November 2, 2022 2:54 AM

@ SpaceLifeForm, EvilKiru, ALL,

Re : Communications, agencies, and execution.

Whilst,

“… you just reduced the field to look at. I can eliminate Android from the search.”

It can be interesting to think about how different agencies might think about things.

Take a law enforcement agency as one agency. They have to have “evidence” that is supposedly of a standard suitable to obtain a conviction in court. Thus “correlating actions” between a first and second party does not realy meet the need, as it can be argued down as coincidence. Thus the burden of evidence falls on the agency to not just “Prove Communications” happened beyond doubt they have to show the method and proof of method of communications as when and what was communicated (actual message lurking on a server backup tape etc).

Take an Intelligence Agency as a second example, it is not so hampered by such niceties they only have to have the “correlation of action” found between the first and second parties. Thus their burden of proof is much less and defined by who the IC agency is working for.

In the past I’ve mentioned a couple of facts from WWII still relevant today that demonstrates not just the capabilities but also they were used long long after, and in a modified form on the modern Internet.

Firstly it is known that during WWII the German “Radio Service” could track down a signal from a “spy set” within minutes and their limitation was “physical movment” rather than technology. That is in modern parlance of “Find, Fix, and Finish” they could do the first two but not always have sufficient time for the third. So SOE agents and similar practicing good OpSec could escape them.

What is less well known even though the evidence was out there, is that the Germans were not tracking the agents “transmitter signal” but the leakage from the “receiver oscillator”. Which was on for much much longer than the transmitter signal ever was.

It also ment that anyone operating just a radio receiver was still very much locatable. Something that was used by both the “GPO Detector Vans” and MI5 post WWII in England, to find unlicensed operation of a receiver. A read of “Peter Wright’s “Spy Catcher” details how he and his assistant Tony Sale –later of saving Bletchly Park fame– tracked down both Russian Embassy staff tracking MI5 surveilence staff[1] but also spies in the UK working for “Foreign Nations” in one case by loading the tracking equipment in a light aircraft and flying it up and down large parts of England (a home made version of what later would be done with the likes of Boeing that gave rise to Rivet-Joint and similar SigInt and ElInt aircraft).

It surprises many modern engineers including proffessional radio engineers just how much power old Valve/Tube radios used in their receiver local oscillator and just how much of it leaked back via the mixer circuit into the antenna and got radiated out. Even more surprising to some of them is just how far such signals will go[2]. To give you an idea modern amateur/ham radio operators chase after “A million miles per watt” in the High Frequency (HF) bands when doing extream “Reduced Power”(QRP) operating, getting world wide contacts on just a few milliwatts of power (less than WWII era radio local oscilators put into the antenna).

Knowing this tells us why the BBC broadcasts of “Now a few messages for our friends…” ment for SOE and similar agrnts during WWII was done after the BBC Medium Wave broadcast news. Because even though the German Radio Service could track down a receiver from upto five to six miles away, it was only possible if it was the only receiver tuned to that frequency. The reach of various BBC transmitters including the “aspidistra” down in Crowborough Kent covered all of “occupied europe” including Berlin and beyond. So using “White Propaganda” they knew that thousand if not hundreds of thousands of radios all over occupied europe would be tuned in for those news broadcasts thus creating an impossible task for the German Radio Service. We know that Herman Goreing was well aware of the “aspidistra issue” problem, but chose not to do anything about it as it would compromise the German leadership “grey propaganda”.

What people do not realise is exactly the same game is being played out on the Internet today, in an almost identical way. The loss of those CIA agents in China and Iran is just one small but deadly part of a larger game being “Oh so Secretly fought, in plainsight”.

Something a lot of this sites readers appear “unaware of” which could at some point have the same negative effects it had on those CIA agents killed and in some cases butchered publically to send a message to those they worked with.

The old saying of,

“Evil is, as evil does”

Still very much applies today in our modern world. It’s one of the reasons I worked out how to use the Google Search Engines that nobody dares jam/block/stop as a way to pass messages covertly. Which in turn gave rise to me describing how to use the process to have “bot nets” be not just “headless” but effectively untracably managed to nearly all Government Agencies with the exception of perhaps the one or two “Collect it all” SigInt agencies that could nearly but not quite “see all” due to the “All roads lead to Rome” or more correctly via Alice Springs in Australia, and Bude in Cornwall England, ending eventually in that ecological disaster in Utah USA where they allegedly “Collect it all”.

[1] The MI5 surveillance staff used early “radio cars” on fixed frequencies that became known to the Russian Embassy Staff. If the Russian’s were “upto something” in London on a given day, they made the mistake of tuning a receiver into the MI5 frequency used. As MI5 knew what equipment the Russian’s used, they could pick up the local oscillator radiation from it and know if it was listening in to MI5 surveillance teams. This then enabled MI5 to run “counter counter surveillance” in various ways.

[2] There are lots of stories and legends about the “GPO Detector vans” that could be seen around “Englands Green and Leafy Suburban lands” from the 1950’s through 1970’s. The way they worked is apparently in some cases still classified under the Official Secrets Act (OSA) so in theory can not be told even though it’s been published. So instead the story from mote than half a century ago of a still in junior school boy, who liked the Thunderbirds TV Puppet show made by the Andersons and broadcast on Saturday mornings, when his parents insisted he “tidy his room”… A battle of wills that played out over many a weekend thanks to a naughty elder sister. Well said school boy had a small portable –large pocket sized– VHF transistor radio in his room, and if he kept the volume down and used a “crystal ear piece” he could appear to be “tidying” when infact he was listening to it. Because he had found a harmonic not of a neighbours TV’s local oscillator –which was unmodulated– but of the Intetmediate Frequency (IF) that had the shows audio on it. Which caused a signal in the lower part of “Band II” VHF radio. It turns out that the TV concerned was across the quite wide road and about six doors down so with front gardens and TV’s being in “back rooms” getting on for 300ft away… So yes easily in range of a van driving slowly down the street, especially with better designed antennas. Three things stopped this being possible today, firstly we nolonger use valve/tube TV receivers, secondly Band I TV stopped being transmitted in the UK back before the 1980’s and by that time “interference” was so bad that the EU pushed out the “Electromagnetic Compatability”(EMC) directive to stop such egregious receiver emissions happening.