Schneier on Security

Clive Robinson • April 12, 2023 9:33 PM

@ submarine propeller, ALL,

Re : How old to be safe?

“But again, the Intel/HP 100% remote control hardware backdoor is much more serious.”

Many years ago on this blog, this was discussed by @Nick P, myself and others.

My view was any computer hardware after 1995 was “suspect”[1] @Nick P, thought 2005. It’s been shown that attacks were carried out on 2002 hardware, and the follow up to the Ed Snowden Trove release in 2013[2] gives more insight for those “Who want to know” rather than the majority who “cherish their ignorance” so effectively “sleep walk” into “the guilded cage” trap being built around them by one hardware “implant” after another right up the head of the “supply chain”.

It’s why I talk of “Energy gapping” not the very out of date notion of “air gapping”. Air gapping is a very out of date notion as I indicated when I’d worked out how to cross the gap to “Pown Voting Machines” some years prior to Stuxnet which proved the point air gaps had been bypassed. But again the majority even in ICTsec “cherish their ignorance”.

As I’ve said before, one of the defining characteristics of ICTsec is the refusal to “learn from the past” even if it’s less than a decade ago…

So do not be surprised if your warning “falls on deaf ears” because most of the industry has stuck it’s fingers in it’s collective ears and is saying “Nagh, Nagh, Nagh” as loudly as possible.

As for “finding” IME and similar activity… You need to think about the fundemental laws of nature, specifically,

1, Work uses energy.
2, Work is inefficient.
3, The inefficiency via radiation trasport becomes heat.

You need to be able to look carefully at step 3, where “side channels abound”.

The nature of all active electronics is that it has atleast two signitures you can fairly easily detect,

1, An Elecromagnetic”(EM) / RF.
2, A heat / Infrared.

The former can be detected with “E and H field probes” –you can either buy or hand make– a low noise broad band amplifier and Spectrum Analyser, say $5000 of “traditional” equipment[3]. Or not including a laptop/PC for less than $50 an SDR and hand made probes and amps. Or if pushed go and buy a Nano-VNA that has a Spectrum analyser mode and make your own probes and amps, that will all fit in your pocket and cost less than $200.

It’s best to do “Delta mode testing” in essence you build a screened “cage” to put the “Device Under Test”(DUT) in with carefully screened power via a “Line Isloating Network”(LISN). And capture “test waveforms” to disk in as much resolution as you can get. Mechanically attach the probes” and then run one set of tests without power and the other set with power attached but the DUT not “booted”.

Average the test traces to remove or minimise random “noise” then compare the “unpowered” and “powered” traces. The difference or “Delta” enables you to “build the EM signiture” which can then help you trace activite the IME or equivalent is doing around the board. The Signiture if you have the skill base to analyze it –and maybe only one in a million has it currently– you can work out what is going on.

The second way to “find work in progress” is another “Delta” technique using a FLIR thermal imager and controled temprature changing. In essence what you are trying to find on the nain-board is potentially nanowatt hot-spot temprature differences. As you need “commercial / scientific” grade environmental systems or even “cryo-stats” to get down to those power levels I will say it’s beyond most individuals skills and budgets. But I’ve used it in the past to find listening devices in the 10 milliwatt range hidden in walls and the like, as it can be faster than doing a “manual sweep” with crystal detectors and similar, and a lot safer than doing a 1kW microwave source[4] sweep or “open X-Ray scan” sweep… (both of which could “cook your inards” if you stand in the wrong place, even if there is a wall inbetween[4]).

[1] My reasoning was based on the introduction of “Flash ROM” as standard on IO cards and on the main-board. Also my knowledge of a glaring security hole that started on the Apple ][ in the 1970’s that got “ported” into the fundemental design of every IBM PC and Compatible on the planet[2].

[2] If you go back to BadBIOS and Lenovo’s “you can not remove it with a full wipe” malware on it’s consumer laptops you will find a glaring security vulnerability. Put simply it’s to do with ROMs on IO cards. An OS can not support every device that is out there, and it certainly can not support hardware that is developed after the OS is released, without a mechanism to do so. One of the reasons a computer boots up in “three stages” is to provide this mechanism. Put simply the after initial “sanity boot” of the main-board peripherals in POST, the computer drops into the stage 1 process of OS booting via the “Basic Input Output System”(BIOS) loader process. This checks every IO Card for “driver code” which if found gets loaded into “protected core memory space” and provides “hooks” into it. This enables new “semi-maluable memory devices” to function so that the “Boot loader code” on the first track of the memory device can be loaded into core memory and executed to leverload in the OS via “boot-strapping”. One such “trick around” was for “Diskless Thin Clients” that no “hard drive” only a “Network Card” which had the drivers to redirect Hard Drive requests over the network (see “Intel PXE Boot” or earlier NetROM from the 1990’s). Well back when “ROM’s” realy were “Read Only” this was a “supply chain” vulnerability not a “general vulnerability” however the move to “Flash ROM” for BIOS ROM on the main-board flipped it directly into the “general vulnerability” catagory. For most people checking the contents of all the “on-board” or other hidden “Flash ROM” is near impossible, even for security specialists in the employ of the likes of the NSA and GCHQ it’s a very difficult process… Something a “pissing contest” between then Editor of The Guardian news paper and the UK Cabinate Office over the Ed Snowden trove in 2013 brought very clearly into the light but nearly every body just “walked on by” in a haze of “don’t want to know” which was kind of silly, but is why the likes of Intel’s IME and worse audio chips supporting AC97 –now built in the Southbridge– etc.

[3] The earliest such equipment was known as a “Crystal Detector” and was esentialy a “crystal set” receiver of a very low forward turn on voltage semiconductor diode and a “Parallel Tuned Circuit” that was mechanically tuned. Where the mechanical tuning provided a voltage out to drive an Oscilloscope X plates (time base) and the DC out of the diode provided the Y voltage (amplitude). Slightly later versions used the “hetrodyne” principle to get better linearity and low frequency range. I’ve built “crystal set” detectors that work up above the 100GHz range, but the diodes are neither cheap or even easy to see with a microscope, andcthe “wave guides” need to be precision drilled with drills down in the 2mm and a lot less diameter… “it ain’t the sort of work for a shaky hand” which is why building a jig using micrometers to move the drill and spin the work piece in a precision mount rather than the drill is the way to go (think in the same way as you would using a “center lathe” or “preciscion mill” to drill)…

[4] Mad as it might sound you can buy equipment to do this commercially and without many questions. It’s used to “kill bugs” of the biological kind without using realy dangerous and mostly ineffective chemicals like “cyanide”. Both Wood and Ceramics like bricks are fairly transparent to microwaves if they are dry and oil free. Lava / pupa and insects and even smaller “pathogens” like plant spores and some bacteria because they contain both water or lipids rapidly heat up to tempratures beyond the point they remain “biologically viable”[5]. As the “deactivating” by “boiling” / “frying” only happens when the power is on unlike other “pest control” for fleas cockroaches and smaller there is no poisons of any kind introduced into the environment, and it gets to places quickly and easily without having to “drill and inject” and the like, which are destructive to the buildings fabric. It will kill rodents upto and including rats and larger, however trying to do so is illegal in most western nations, not just because it is very inhumane, but because the corpses then attract other pests and pathogens that can be worse (look up black mould and what happens if you get it in your respiritory system, it can “eat you alive” requiring very very invasive and life changing surgery like having half your face removed).

Clive Robinson • April 13, 2023 7:35 AM

@ MarkH, JonKnowsNothing, ALL,

Re : Flu pandemic side effects.

“Fortunately, no human cases have yet appeared; the animals most directly affected are fowl (especially waterfowl).”

Unfortunately that can be seen as a very anthropocentric view, and when it has been by authoritarian leaders it often leads to disasters not just for the ecology but man kind as well.

Consider the “animals most directly affected” are neither the top nor bottom of the food chains they are in.

They are not just a source of needed protien for other creatures including humans, they also predate on other creatures that attack food crop pests. As well as serving a usefull purpuse in plant life cycles.

Back in the bad old days of Chinese central control, in 1958 some idiot (Mao Zedong) decided that “Sparrows” were the cause of crop losses. So a master plan was thought up to kill as many birds as possible. As nobody with any sense dared call the idiocy into question, the plan went ahead.

The result was even bigger crop failures for several years especially in 1960 and reasonable estimates say that 50million or over Chinese starved to death or were killed as a result. It is known that there were cases –as with Russian famines– of murder and cannibalism. There after as it took a long time for the wild bird populations to even start to reestablish, even with importing a quater of a million sparrows from Russia, the Chinese people suffered and suffered badly, as is the history of such “authoritarian central planning”.

You could call it the worlds biggest experiment in “not understanding” how the natural balance works.

But also it’s a warning of what could easily happen as an lethal avian flu pandemic spreads…

Clive Robinson • April 13, 2023 5:38 PM

@ Dong Gee, Bob Paddock,

Re : Swatting and lockdown drills.

“How could we defend against these attacks?”

Do you really want to know the answer to that?

And yes that is a serious question.

To answer the question you first have to trace back to the root of the problem.

From the WSJ article,

“Principal Andrew Lavier was in his office at Alamosa High in Colorado… …when a police officer with his gun drawn banged on the door and ran into the school shouting about an emergency call reporting a gunman inside a classroom… …Mr. Lavier rushed to the school’s intercom. ‘School, we are in lockdown mode. This is a lockdown.’… Prompting teachers to lock their doors, cut their lights and huddle with students on the floor, away from windows and doors as they had traibed for in drills.”

So ask your self why US schools feel it,

“Necessary to have ‘mass shooting drills’?”

Also ask your self the “Why, why not?” of,

“How many other Western Democratic Nations have such drills?”

Because that will give you insight as to,

“Why “swattings are not just possible, in the US, but why authorities respond with guns drawn presenting leathal effectively millitary ‘Shoot to Kill’ response”

And why the problem is getting exponentially worse in the US with on average more than one event per day in the 2020-21 school year[1].

It boils down to two simple facts,

1, There is a significant societal problem.
2, There is a ready supply of lethal force multipliers that are easily portable and usable even by children.

In the UK we’ve had terrorist activity by indoctrinated adults attempting to commit “mass murder” but this has largely involved failed bombings with burning gas cylinders in vehicles, wildly swinging of machetes and driving vehicles into crowds. With few if any events related to schools (but have been to some religious instititions).

The numbers hurt or killed in the UK related to schools compared to the US has therefore been comparitively tiny. So no matter what others may argue the easy availability of “force multipliers” is a very significant factor esspecially when the people committing school shootings are often not adults.

At the inquest on all such “mass murder attempts” it becomes clear that be they children or adults, all showed very clear “not normal” behaviours seen by many around them but ignored or going unaddressed.

Thus the question of “inate or taught” arises. Either way it is a societal issue of,

1, A society not looking after those with clear mental health issues.
2, A society bred to prey on those who are not some idealised norm, thus creating many mental health issues.
3, Politicians and other societal leaders delibereately fostering such “prey on the weak”, “Might is right” anti-morals/ethics, that give rise to the “Prey on the weak” behaviours being seen by to many as “good”.

So there is something “fundementally sick about certain types of society” in the UK, and US especially. And it is at the root of it, down to certain types of societal leaders via their rhetoric and other teachings “leading their flocks / followers / devotees into anti society actions”, and providing the easy access to the tools to do so.

As seen in the UK removing the tools will not stop the harms, just limit the scope of injured and killed.

Likewise in the US not addressing the health care issues that by their absence alow a “forest fire” effect to occur, with the horrific consequences.

The problem that actually needs to be fixed is the corrupt leaders and that is a very difficult problem to solve. Esspecially in the US where those who most benifit by the corrupt system control the legislation and regulation making process. A process that might otherwise acceptably reduce it, thus allows the corruption to continue unchecked or abated.

I’ve said all of this before, but in various small bits and pieces so as not to create issues here. But you’ve both effectively asked, so like it or not that is the answer that can be reasoned from various facts available.

If you don’t agree, be polite, and find reasonable facts to back your argument, that way we all get better informed by differing view points and available facts.

[1] Just how bad is the problem well how about getting over 4 per school week without injury or death, so only “locally newsworthy”…

From,

‘https://usafacts.org/articles/the-latest-government-data-on-school-shootings/

Updated just a few days ago on Mon, April 3, 2023,

“In the 2020-21 school year, there were 57 school shootings with and without injuries or deaths at high schools. Fifty-nine elementary schools had shootings with and without injuries or deaths, as did 21 middle or junior high schools, and eight other types of schools.”

That is in the 36 week school year (57+59+21+8)/36 = 145/36 = 4.03

That involved shots fired but did not involve “injuries or deaths”.

As we know there were other incidents where harms beyond psychological happened,

“When it comes to 2020–21, however, there were 93 school shootings with casualties, including 43 school shootings with deaths and 50 school shootings with injuries only.”

So (145 + 93)/36 = 238/36 = 6.61..

If you look at the first graph given, which shows incidents with “injuries or deaths”, you will see fa low in 2009. From then till now with a little smoothing it is an almost perfect exponential rise. Much as you would expect to see with an infectious pathogen in a naïve host group / population.

So a pertinent question would be,

“What was the societal change(s) in 2008-2009 that gave rise to the change in the trend from downward to exponentially upward?”

Clive Robinson • April 14, 2023 1:37 AM

@ Dong Gee, Bob Paddock,

“You miss the key point that I mentioned earlier, as did the articles: these attacks are from overseas. This isn’t a problem with American society.”

No, you are suffering from “blinkered vision”.

It matters not where the “information warfare” attack comes from the chances are if the person(s) know what they are doing then where they are actually located will remain an “open question”[1]. Just as with malware it’s success depends on the vunerability of the “target” which is unquestionably “US society”.

“I asked a security question on a security website under the assumption that we’d be discussing security, not ideology.”

I’m actuall quite supprised to see you are still muddling things up.

Security is these days increasingly a “sociological” issue not technical. That is it is “human failings” that get attacks across the defensive perimiter rather more than technical ones. Most often talked about is phishing attacks but there are numerous others where “social engineering” can be brought to bare to establish a “toe-hold”.

You appear to be under the unfortunate thinking there is,

“A technical solution for everything ”

Which is realy unfortunate, as I’ve indicated in the past,

“You can not fix societal issues with technical solutions”.

Because “Good v. Bad” “Good v. Evil” etc are very definately down to the moores of society that colours the observers perspective. Technology is very much agnostic to this.

As I’ve pointed out above any technology, tool, or “weapons are as a minimum ‘dual use’”. That is they can be used offensively or defensively. The observer decides if either of those is “good or bad” depending on their point of view and innate or engendered cognative bias.

You either need to change your original question,

“How could we defend against these attacks?”

Or your expectation of what you are going to get as a valid answer.

For instance an invalid reply would be,

“Block all foreign numbers from calling emergancy services”

Is not going to work, if the calls are actually not “foreign” when they are actually “local” and just displaying a fake number, that can be changed at will by the attacker.

Because you need to understand the POTS is in no way “secure” and never has been. That is even though it is “circuit switched” the two ID’s are just generated and forwarded and can not be reliably verified especially when part of the circuit is VoIP.

A soft meme for this site is,

“Atribution is hard, very hard.”

This is especially true for systems like the POTS that were never designed for any kind of authentication or security. So you can not “defend” against abuse of such a system.

[1] Though the time based estimation techniques Cliffod Stoll outlined in his book might help.

Clive Robinson • April 15, 2023 6:35 AM

@ SpaceLifeForm, ALL,

Speaking of turtles, the military, tragedy, and problems from on high and also flying hawks of enmity.

They have reminded me of “Aeschylus”, his life and death had it all,

https://en.m.wikipedia.org/wiki/Aeschylus