Schneier on Security

Clive Robinson • August 26, 2023 5:18 AM

@ SpaceLifeForm, Bruce, ALL,

Re : Code Signing fail was long expected.

“Something about Supply Chain, Microsoft, and Signing Keys.

Maybe you should not use Windows.”

Two issues there, one general, one specific,

1, Use of Code Signing.
2, Use of Microsoft Windows.

The logical fix for both currently can only be,

Don’t have ANY external connections

But,

It’s not just Microsoft

It’s all the consumer and general commercial OS and similar software suppliers have the same “Code Signing” and “Root of Trust” issues.

Whilst the real solution is “fix the ICT Industry” and it’s poor quality issues caused by amongst other things the “Get it out the door fast” managment issues… It’s not going to happen soon, if ever, without significant external pressure, that won’t come from the customer side[1].

From the end of Dan Goodin’s article on ARS Technica we see,

“Microsoft’s string of failures in locking down its certification program, and its reticence when disclosing them, are undermining the entire concept of security, much to the delight of these adversaries.”

Is half right but also very importantly half wrong.

Yes we are talking about Microsoft’s certificate and code signing as well as their additional reporting systems failures here, but both Google and Apple have had similar problems with code signing in their walled gardens etc.

But as @NickP and myself warned on this blog years ago, “Code Signing” was a bad idea from the start. For these and many other reasons we listed. Since then I’ve repeatedly said we need to find a better solution to fix some or all the problems we identified, but actually the industry has done nothing except make the problem worse since then.

Tangentially NIST is trying to solve a small part of the problem with Post Quantum crypto algorithms, but that won’t solve the issue of all the code signed under QC-vulnerable algorithms. They are going to be a problem for upto half a century maybe more in infrastructure, manufacturing industry, and health electronics as I’ve previously indicated.

So the question arises as to,

“How do we solve the issues of code signing and root of trust?”

Well we actually know from the past they are actually not needed. Back then we only had “Physical Security” now we only use “Information Security”.

And… we’ve just seen suggestions we go back to the old ways, with a “replace the hardware” notice from a major security product vendor,

https://www.bleepingcomputer.com/news/security/barracuda-says-hacked-esg-appliances-must-be-replaced-immediately/

So with regards code signing and root of trust issues do we go back to what we know is “physically” workable, or do we push forward and replace them with other information based security systems that we almost certainly know will be vulnerable in many ways?

[1] The big players in the software side of the ICT Industry, know that their customers have to take what they are given by them. Because they have no alternative, worse Goverments are dictating the mandatory use of computers via tax and education domains as well as anywhere eles “human contact happens”. So the ICT Industry lobbies hard to stop any kind of legislation or regulation like “Lemon Laws”. So what we saw happen in the US Auto Industry that made “Death by Car” almost mandatory untill legislation and regulation changed it, will happen to the software industry. With mandatory “Death of Privacy by Software” already effectively beyond hope of recovery in our or our childrens life times.

Clive Robinson • August 30, 2023 10:43 AM

@ Winter,

Re : Russia going high order or fizzling out.

“Personally, I consider banking on a “controllable” disintegration of Russia a huge and dangerous gamble.”

It’s a daft gamble either way.

Firstly Russia is doomed in it’s current form, I think most would agree with that.

Secondly Russia realistically three fates ahead of it,

1, Trade it’s way to a modern diverse western economy.
2, Fail into Cannibalism again.
3, Fail into death by kinetic destruction.

Of the third way there is two options,

3.1 Outward then inward.
3.2 Just inward.

With both tending to option 2…

I know it appears grim but realistically based on Russian History Option 2 tends to be the result, till it all starts again with trying to build an Empire by force[1].

Which in the past has always been because surrounding states that have built themselves up to wealth by trade are not sufficient to withstand the Russian thugish jackboot because they were diverse and disparat and Russia just homicidal.

Now howrver it is a more interesting sotuation, we have an oligarchy of thugs and criminals that actually are just looking to “off each other”. Putin sits on top of this mess and has dreams of “Empire” which as he had a weak hand and over played it is now a bust.

NATO or something equivalent as a full on European military federation will grow and for the next century or two Russia will go into decline and infighting, unless it goes to not just the “trade it out” but “democratic” process.

I’m sure others will put other options on the table, but there is something in the Rus personality that keeps taking them back…

[1] History shows abject poverty where even the elite fail, is followed by a freeing up of the peasant / serf majority growing and trading their way out of poverty. Then the traditional Elite rise up and effectively enslaves the Rus yet again. In part this appears to be due to some faux mythology of “Glorious Past” that is an inherent failing. Each time “revolution” happens it just ends up in a new thuggish elite with nothing but criminal intent. This is not unique to Russia we see it play out all over the place, usually the words “War lord”, “Tyrant”, “Despot” are used to describe the same basic process. Which history shows always fails untill some form of democracy and trading is established that gets the civilian population above the point that individual thugs can succeed. The problem arises when the thugs form an oligarchy, which is Russia’s current state.

Clive Robinson • August 30, 2023 11:38 PM

@ JonKnowsNothing, lurker, Winter,

“I am pretty certain that Orthodox Christianity is not a British invention.”

That’s not the way I read @Winter’s,

“That demarcation line was a Christian/British invention”

I read it as being “both” Holy Roman Empire Christian “political” behaviour at the begining of the second millennium AS WELL AS much later “political and business” behaviour which came about due to trade differences.

British “formal” christianity is known as “Church of England”(CoE) and was created by King Henry VIII in the 1530’s as he had decided he was fed up with Popish rule over him. The CoE is very different to what some call East / Greek Orthodox Christianity / Catholisism that went up the East side of Europe after the “Schism of 1054”. Where you ended up with the west Latin Catholics in Rome and Greek East Orthodox now in Istanbul. The Latin and Greek forms of Catholicism are effectively more alien to each other than CoE is to Latin catholicism that came from the See of the Holy Roman Empire, and what is simply called “Catholicism” in Britain. The Schism of 1054 has caused so many historic problems, especially with the variois Orthodox sects strongly associating with the likes of “Strong Men” fascism, and similar tyranical political forces including the nastier parts of Russian power politics of today. It is also extreamly misogynistic and sees women effectively as not even slaves, but property like farmyard “live stock”.

Clive Robinson • August 31, 2023 7:01 AM

@ ResearchZero, ALL,

Re : Isotopes on the trotter.

You asked,

“What sort of world would remain amid the radioactive fallout?”

Well one part of the answer is,

https://www.theregister.com/2023/08/31/radioactive_wild_boars_germany/

As they say “You couldn’t make it up!” but “You make your bed…”.

“Now, the team is warning against the detrimental long lasting effects of nuclear weapons and nuclear reactor disasters on food safety. Countries like the US, Soviet Union, and UK conducted thousands of nuclear weapons tests during the Cold War from the 1940s to 1990s.”

And the researchers note,

“Although Chernobyl has been widely believed to be the prime source of [cesium-137] in wild boars, we find that ‘old’ [cesium-137] from weapons fallout significantly contributes to the total level in those specimens that exceeded the regulatory limit”

But the same applies to birds and even insects, and their resulting food products including honey.

All it requires is a concentrator store “down the food chain”. With these hogs it’s an underground fungus that grows on tree roots they dig up and eat. But of you consider the tubers of plants and fat on animals and similar you find concentrator stores to some extent.

Clive Robinson • August 31, 2023 7:36 AM

@ Bruce, ALL,

Robodog gets a heads up gun idea

Another “AI gets leathal agency” story titled,

“Let’s give these quadruped robot dogs next-gen XM7 rifles, says US Army”

https://www.theregister.com/2023/08/30/quadruped_dogs_gun_xm7/

Whilst it’s being talked about as a “concept” I suspect the ideas are rather more advanced than that. As is the “RoboCop” version mentioned further down the article that is apparently getting “field trialed” in three US police forces.

Clive Robinson • August 31, 2023 8:15 AM

@ JonKnowsNothing, Winter,

Some “background reading” for you,

https://medicalxpress.com/news/2023-08-newly-emerging-pirola-ba286-sars-cov-.html

From what has been found it looks like Pirola will fairly quickly become dominant, but it’s still to soon to assess the level of virulence…

With it now being “Schools back” virus season and few precautions if any in place this could be a time to follow “oriental social thinking” and go back to masks, wipes and sanitizer as social requirments.

Clive Robinson • September 1, 2023 7:33 AM

@ lurker,

“Lack of hinky thinking, sir. If I was sufficiently close to the action to know how malformed input can DOS the system, it would be the untraceable crime, no?”

Our host @Bruce, has noted the scarcity of the ability to “think hinky” and the significant effect this has on security in general.

All systems that “act on their input”[1] can be DOSed in one way or another, the real question is,

“What is the cost to the attacker?”

Both during the DOS and afterwards, as afronted people can be quite unforgiving, if not vengeful, and venomously spiteful.

As for “untracable” that depends on “ephemeral”.

The French Criminologist Dr Edmond Locard, named the ‘Sherlock Holmes of Lyon’ by some had a basic notion that “every contact leaves a trace”.

Whilst it is logically true it leaves out two important points,

1, Signal to noise ratio.
2, Entropy.

Combined they ensure that every trace is effectively ephemeral to the human senses, and will become less and less noticable with time thus will “sink into the noise”.

Thus consider the “record it all” or “audit process” if an effective one is in place at all steps then your actions get recorded.

But the important question that has to be answered for it to be a crime, is “intent”, and ansering that mostly falls to the “allegedly impartial” future observer…

Which is why “show trials” and “kangaroo courts” are an ever present feature of our modern society and getting more prevelant as communications and it’s attendent surveillance increases…

[1] Systems fundementally are of three types, Sources, filters, Sinks built into chains or nets. Many are filters that is they take input, process it in some way, then output it. Fundementally the filter can be effectively passive or active with respect to the input. That is it does the same thing every time irrespective of the input, or it can examine the input and act on it. Blocks that are passive and properly designed can not be DOSed…

Clive Robinson • September 1, 2023 12:16 PM

@ Winter, JonKnowsNothing,

Re : Russian life expectancy.

“but life expectancy has been lower in “Russia” than even in their European vassal states. Inside the Warsaw pact, the USSR had lower life expectancies than their European “allies”. life expectancy in “Russia” has been consistently lower”

I’ve a Russian friend who has escaped the life that most Russians appear to live.

We know about the misogyny and extream violence that is rife. But also as my friend’s father observes,

“Chop of the purposeless heads and what do you see, blood so thin it can not freeze from alcohol, tarpit lungs from endless smoking, and garbage can guts from eating trash with cream so sour it could poison by just it’s smell.”

He tells stories about “the old days” when he lived in Moscow, when the people were so inebriated their work was little different to sabotage. So the communist party had to act, and the price of alcohol was pushed up so high it was a weeks wages. What did the “good citizens do?” the old went back to the old ways and distilled their own. The young clubed together and bought a half bottle and cotton wool.

The result was the old drank nearly pure alcohol and if careless when lighting a cigarette there would be a small pop as the vapour in their lungs exploded and they would fall dead to the floor. The young would soak the cotton wool in vodka and push it up their a55 where it would go into the blood fast…

I dread to think of the pain in either case…

But as he noted they always would talk of better times, from back when Russia had bread in every shop and Borscht was as grandmother once made when young, with good shin beef and fat beetroots, and big potatoes and was fit for any man, and similar tales that realy never were.

He then laughs sardonicaly and says he must be feeling home sick as he needs a drink…

He’s soon to be eighty which is about the average life expectancy living in North West London. As for Moscow from where he was born, not the under 60 it was just thirty years ago shortly after he left with his family. But even now it’s only a little over 65, and as his eldest daughter –a Dr of medicine– keeps reminding me, we can all eat better and get out for some healthy excercise, and look forward more to the better times we make.

Clive Robinson • September 1, 2023 7:54 PM

@ Bruce, All,

Barracuda ESG debacle continues

Despite Barracuda themselves telling customers to dump their “Email Security Gateways”(ESG) units, it appears that since May 2022 Chinese cyber-spies have via a critical bug in the ESG’s not just burrowed but entrenched themselves in the organisational networks behind the ESGs. Of those in the US affected about 1/3rd of systems so far identified were local and state level government entities.

Aside from Barracuda offering replacments, the FBI and Mandiant, have indicated that the attackers are very probably Chinese and have taken what appears to be extrodinary measures to remain within the systems affected,

https://www.theregister.com/2023/08/30/mandiant_barracuda_esg_bug/

So the publically known state level attacks have been taken up yet another notch.

It is thus overdue for people to ask why such organisations have such broad and exploitable connectivity.

Few employees need Internet access, and those that do, generally do not require an externally connected browsing device to be connected to an internal work device.

Those such as cut-n-paste from StackOverflow and the like coders who claim their efficiency will be effected, don’t consider the risks their behaviours bring with it. Likewise their managers and so on up the chain.

We are increasingly seeing attacks via the supply chain and as with this Barracuda ESG attack there is in reality “no fix” for various reasons you can find warnings about on this site going back more than a decade.

Thus even if you clean and sanitize your work proceadures, you remain vulnerable to the risky behaviours of your suppliers as long as attackers can get access.

Thus logically if you can not fix the supplier issue, and it appears you can not, the only other option is to fix the access option with the metaphorical use of a fire-axe to create a fire-break.

Which in reality is to segregate internal and external systems via an “Energy-Gap” and only where necessary put in place “gap crossing” technology.

Just remember that even the majority of “Data-Diodes” and similar devices are not strictly one way. Because they way they do “error correction” provides a reverse channel that can be exploited[1]. Whilst all feedback systems will enable the creation of “covert side channels” they can not be avoided if high reliability is a requirment. The best you can do is use various ways to “reduce the bandwidth” of the side channels to one or two bits in any given time period[3].

[1] There are two basic ways of removing this error correction back channel neither of which is liked by systems designers who put data reliability above security. The first is to have no error correction thus no back channel required you use hashes or similar authentication systems such that either files are valid or they are not. The second way is called “Forward Error Correction”(FEC) put simply you add authentication codes to small parts of your file, and send the files multiple times. You then stich a correct file together from the multiple parts. The way you use FEC is well established in deep space communications due to the time it would take for a back channel retransmission to take, also in media like CD’s, DVD’s, backup tapes, and similar. Effectively where the basic storage media is considered insufficiently reliable or an error correcting feedback loop impractical to impliment or more recently insufficiently secure[2]. Look up “Reed-Solomon Coding”(RS-Codes) or “Bose–Chaudhuri–Hocquenghem”(BCH) codes.

[2] As a practical matter, FEC codes have been considered for “Post Quantum Computing”(PQC) proof key exchange and signiture systems. It can be expected that some work done for PQC will actually flow back into FEC systems. So expect improvments to happen in various ways.

[3] The most obvious side channels are time or energy based. The normal way to introduce a time based side channel is by introducing timing errors, such as “transmission jitter”. The faster the recieving system responds the wider the bandwidth potential for the side channel. One way to stopit-down is to “clock the input” such that the only option an attacker has is to not send data in a clock period to send a single bit of information. There are other options such as “random rejection” where the reciever of the error code randomly drops incoming error correction data rather than pass it on, thus the side channel timing is disrupted. Whilst no method will be 100% side channel blocking, with care the channel bandwidth can be significantly reduced.

Clive Robinson • September 6, 2023 1:12 PM

@ Bruce, ALL,

A story to keep your eyes on,

Raspberry Pi’s used to rob ATMs

https://www.tomshardware.com/news/raspberry-pi-used-to-rob-atm

The story is about three men seen rajng $5700 from a single ATM in Texas.

It’s claimed they used a Raspberry Pi to get past security and access the cash stacks.

No technical details are yet available, so it will be interesting to see them when they surface (if ever they do, as there might be a significant incentive for them to be kept secret).