Schneier on Security

Clive Robinson • February 10, 2024 2:26 AM

@ for the lulz, ALL,

Re : failure to protect root of trust.

“The crux of it is sniffing out the key to the device as it is passed from TPM to CPU. The key is helpfully not encrypted.”

This is possible so often it is realy embarrassing to talk about because it appears,

“Nobody in the ICT industry learns from history!..”

This sort of thing was happening with passwords over first serial lines in the 1950/60’s and later 1980/90’s over LAN’s and WAN’s and especially the Internet.

But IoT and embedded systems like network appliances has brought it back again with hard coded passwords and the like.

I could go on at considerable length as I have done in the past.

But I know people are going to turn a blind eye, make excuses and do nothing from the lessons…

Because “cost and convenience” always “trump security” even if you draconianly sack people who do it, they won’t stop. In fact they counter argue “your paranoid”…

I’ve just had this nonsense from a friend who should know better, because I refuse to load shit loads of apps that I know to be not just insecure but actively spying on my phone, i’m in the wrong because it inconveniences him and others who want to send puerile cartoons and the like…

Pointing out why the EncroChat and similar phones caused thousands of defendants and why secure message apps are now pulling in politicians and others by the boat load into judicial issues/proceadings is apparently “being paranoid” and gets the “You’ve got nothing to worry about” nonsense. Even pointing out why their mother got her pension stolen because of the apps installed, apparently just more of my paranoia…

Clive Robinson • February 10, 2024 8:05 AM

@ JonKnowsNothing,

Re : Societal Identity flags.

“Can you imagine some AI image identification system deciding that”

Life is full of “gender flags”.

For instance think of how you fasten your clothes. With left over right or right over left. We are “told” by some this comes from the fact of “right handed dressers”. That is servants who did up buckles, buttons and bows for others facing the person with their dominant hand on the person being dressed non dominenent side. Personally I’m doubtful, for a whole variety of reasons, but we still have this prefrence after so long the real reason is probably long forgorton.

Then there are indicators of “handedness” in the way you part your hair and the way you sit if on your own or in company. Think of the high leg broad cross where you raise the ankle of one leg onto the knee of the support leg. Then use the raised knee as a work surface or something to bang your dominant fist on.

It actually goes further with the angle you sit towards your non dominant side leg. If you are sitting and need it as a work surface you tend to place it in front of you with your dominant side out.

Now consider the lean in position where both feet are flat on the floor and your thighs parallel to it. You place your non dominant are wrist side up and your dominant hand palm side down, the non dominant side leg straight or slightly outwards such that most of the non dominant fore arm rests along it for strength and support. The dominant leg outwards so that the middle of the dominant hand forearm uses just behind the knee as a pivit point.

Strangely this pattern has a habbit of going through to the way people want to fold their sunglasses or specs…

Even the foot you lead off with when climbing stairs apparently has several biases built in.

Some of these biases become “built in” such as in bone and muscle structure the work hand generally being more developed and stronger, and the coresponding shoulder lifted higher. Unless you are a crafts man where the non dominant arm tends to have more muscle but the dominant shoulder is still lifted. Thus you can tell in times past what type of work is done. As well as observing the hands where the dominant hand is less scared or caloused.

Certain proffessions use these “tells” as a form of secret identifier that is if you are trying to hide your handedness.

But it also even in living memory terms has quite a bit of real evil attached.

My father had a ruined left hand courtisy of his teachers and their superstitions. His teachers used to quite litterly smash down on his left hand with an ebony rod every time he tried to use his left hand… Why well because,

1, Being left handed is “sinister” from the French for left but having a whole different meaning in English.

2, The left hand was the dirty hand you used for cleaning your backside etc.

Hence we have “cack handed” for left handed people.

Like always “I’m annoying” 😉 in this respect, people who see me using tools to work with often think I’m right handed or ambidextrous. The actual reason is some tools are designed handed and some are not. My father taught me to use many “handed tools” when I was very young such as hand drills and it was only later that files and chisels and similar less handed tools came into it when I was around six or seven.

Fun fact, do you know why door hinges are on the side they are? Well it goes back to the use of stabbing weapons such as daggers and swords. When you are inside your dominant hand is on the opening side and your shoving shoulder behind the door thus giving you a small but often important advantage.

But beware, of “forensics” and handedness by the way people do their shoe laces up. I can and do do it both ways to ease the wear on not just the laces but the holes they go through.

So how do you think this “lack of handness with laces etc because I think” going to work out with an AI?

Maybe it will conclude as they have in Yorkshire,

“There’s now’t as queer as folks”.

Clive Robinson • February 10, 2024 9:52 PM

@ ALL,

It is that time again when the luna calender[1] calls the passing of one year into the next and the beginning of the over two week Spring Festival so,

Welcome to the “Year of the Dragon”.

Dragon’s are the only mythical beast on the 12year Zodiac and they are considered to be very powerful creatures that are,

“Believed to have control of the seas and water”

Which might account for the mess the US West Coast is having with “sky rivers” from the pacific currently[2] as well as increasing tropical storms we are having from the Atlantic in Europe as well.

The Year of the Dragon is also considered an epoch of change, children born in the year are considered to gain power and strength and become great leaders and the like (this of course would have nothing to do with flattering the Emperor 😉

Anyway I wish all a better year than last, and hope it brings peace not further unrest and conflict.

[1] The lunar new year supposadly starts with the second new moon. However it varies across a time period based on where you are in the world. Technically on Greenwich East London on the Greenwich Meridian it happened yesterday a little before 11PM (22:59GMT). The Spring Festival continues untill the end of the first lunar quater and thus is about 15 or so days in duration and in Asia is a time of being with family etc. Thus a time where houses are packed full and also a time when a great many people travel at the same time. Which means packing them together in trains and planes and so it becomes a time for advantageous airborne pathogens to find new hosts…

[2] Sky or “Atmospheric rivers” are meteorological phenomenon where warm tropical air moves in a narrow stream towards the poles. Being saturated with water vapour when the air meets a cause to release the trapped humidity it falls as heavy to torential rain or snow. Sometimes they are benificial, sometimes not. It’s not unknown for two years rainfall to fall in a month, with land quickly saturating and the excessive run off causing significant soil erosion if not held in place by sufficient close rooted vegative cover,

https://www.usgs.gov/news/featured-story/rivers-sky-6-facts-you-should-know-about-atmospheric-rivers

Clive Robinson • February 11, 2024 8:34 AM

@ ALL,

Potential GPS and magnetometer anomalies

It appears that the Sun is having a bit of a strop and throwing more than just the toys out the pram currently and more likely in the next few days.

From a security aspect GPS abd radio systems will be effected thus keep an eye on SysTime etc as it’s going to have issues depending on your setup.

Likewise navigation systems and specially any microcontroller system with physical agency using GPS and magnetometers for location, velocity and direction, and in UAV’s worst of all ASL hight is going to be flaky.

So if you drive a car by GPS you might want to consider the old fashioned way of getting from A to B. And if you are yomping or goating into areas where mist, fog or other weather can reduce visibility you might want to keep your maps in hand and plot your course and check compass direction readings via solar position via clock (ie basic astronavigation).

Which brings in intercontinental flights at high altitudes especially near or across the poles. Radiation levels will be way higher than normal so if you are at risk or a frequent flyer changing your plans might be a consideration.

Also flights will have the same problems with GPS as will UAV’s and in addition HF radio is going to get crapped upon. Potentially with black outs at the poles and high background noise at most latitudes.

But there is an upside… For those at higher latitudes getting those extra doses of high energy particles heading your way, you should get sone good “Northern Lights” to see and photograph starting late on the 12th and going through to the 14th. So romantic but wrap up warm.

https://m.youtube.com/watch?v=pWfnozrR79c

Now for the longterm bad news, coronal ejections consist of a lot of matter moving at significant fractions of the speed of light some of it is very high energy and hits us over a short period of time thus really quite high in power.

Such high levels have to go somewhere which is either to be stored in chemical bonds or back into space, otherwise by the logic of radiation transport it ends up as the worst form of pollution “heat”.

This means the Earth’s ordinary weather systems are going to get a fairly large kick in the pants so some of the recent weather anomalies will continue and even get worse with potentially some new activities popping up.

So keep your eyes and ears open and stay alert and above all err on the side of caution and stay safe.

Hopefully this will go quietly and almost unnoticed by most, but there is the potential for some less than fun CME type events including loss of electrical and communications infrastructure on which most other infrastructure including supply chains are now overly reliant on.

Clive Robinson • February 11, 2024 9:28 PM

@ Research Zero, Winter,

Re : Man lays Egg and wees the bed?

“At least he finally admitted he is absolutely terrified of Russia.”

And much else besides.

The pathology of the personality suggests many things that are neither desirable in a leader or in an adult human.

As for scared of you have to ask why he would be in effect “terrified of Russia” and the answer is not for what the state is or it’s ability to create war etc…

No it’s in his past, it’s something he’s done that is either craven, criminal or both. And he’s been recorded doing it in some way.

Something that he could not bluster through, that would destroy not just his political and business life but even his personal life.

In part it accounts for his pathological desire to find the same in others, and where it can not be found create it. Because at heart he believes that all people in his position have similar personal failings and that they can be controlled by such as he can be.

But what would a man apparently without shame, actually be that shameful of?

And at the end of the day that was what the Steel Dossier was all about. Trying to find a pressure point to apply leverage, and that obviously scared the man and I guess that it still hangs over him in his head. Which suggests that he believes there may be evidence of such shame that could or has been found.

So is he in the panty poisonors pocket? or just believes he is? And given his basic pathology what would scare him the most?

Just something for people to speculate on.

But the fact is we know one thing from it, he will in all probability fold like a wet cardboard box if push comes with even a breath of chill wind from the East.

Is that desirable in someone who believes he’s going to be leader of the free world? Especially in times of considerably rising tension on the world stage?

I suspect some will speculate what I think as to a short answer to that question. Even though what they think, may say more about them and their outlook on life, than it does about me.

Clive Robinson • February 12, 2024 7:33 AM

@ Winter, ResearcherZero, Robin, Winy,

Re : compromising material

“The one thing that ever touched a nerve of The Donald was the small hands joke.”

What is it about Republican Presidents the century and little hands… GWB had that “walk like a cowboy” thing…

In the UK we have a couple of expressions that are shorthand for an observation about phallic compensation by physical status symbol. With the observation being “Big car little ….” And you have,

“Big car syndrome”

As the euphemism for the physical short coming compensation.

So “smaller than a sub compact?” Less than a Smartie EV, perhaps less than an electric unicycle?

It would be embarrassing but I suspect not enough on it’s own. Thus maybe he has some other compensation going such as cross dressing or strapping / caging / binding. Then there is that “golden rain” stuff, maybe he was actually the recipient…

Personally I care not what kinks and swerves that might be involved providing people are not being hurt. Heck we know from history many leaders had them and whilst some were truly appalling others like an ancient Greek having a stable for “Pony Play” were just quirky hobbies in comparison. But then I don’t have any time for “Strong man posing” or “Macho posturing” or any other of that form of compensatory stupidity like having excessive numbers of children. But in certain cultures you find the dumb,

“A man is a man and stands alone at the head of his house”

It’s what some incorrectly call Caveman Culture, it’s actually just an excuse for self entitled effectively unlawful, antisocial, often criminal behaviour.

As the sinister side of,

“Individual Rights v Social Responsibility”

But it’s noticeable that Religion often features strongly for the “deities command” excuses for such unacceptable behaviour. Which brings us back to the “King Game” and the nonsense behind “The Estates of man” that some oh so desperately want to drag us back to. One sign of which is the glorification of the past, and the pretence it gave certainty and predictability to people which an honest appraisal of history indicates was either false or worse than slavery. A major warning sign of such people is their affected status and signs of supposed superiority. Often it’s clothing, that you can or can not wear due to your inherited cast status but there are many other signs that lower casts should grovel on their knees in the dirt before them.

The fact such people hold back mankind and its development and condemn all including themselves to a short brutish life full of pain and little else and will desperately fight to keep it that way, tells you most of what you need to know.

Worse though is that the cast system is a “closed stud breeding” system based around “Strong blood” and “not diluting the blood” notions. Well it gives rise to significant inbreeding and all sorts of genetic problems including whole varieties of madness, as the European Royal Houses and Aristocracy show. And in the case of the Spanish Hapsburgs that truly awful facial deformation and increasing lunacy infertility, and sterility thus cessation of the entire family line…

Do ordinary people want to feel subservient to such aberrations especially give that they are self inflicted by idiocy?

Clive Robinson • February 14, 2024 4:56 AM

@ fib, Winter,

Re : The leaves of autumn fall.

“I sometimes think a few months without electricity could reset the course of mankind.”

Depending on the time of year, which hemisphere and how high the latitude as little as 15days could kill between 1/3rd and 8/10ths of the population in the America’s where building codes are at best shoddy. By thirty days irespective of season or lattitude estimates are 80-95% dead or dying with less than three percent making it to or beyond ninety days…

Have a think on that, because what we spend our days thinking about in ICTsec is in effect at best the foam on an expensive coffee. Real security has it’s foundations way down, read on and be surprised 😉

Let’s start with an obvious one,

Ask people in California and Texas what a little “power outage” can do for you today…

In Cal you had PG&E deliberately turning power off for many hours at a time if it looked like the wind was going to blow at more than a restless breeze.

Why? Because PG&E’s managerial incompetence and desire to get bonuses for very short term shareholder advantage effectively caused the company to be bankrupted by legal action for civil damages near a 100billion all told. The action was from just some of those harmed by the damages from shoddy or non existant maintainence on shoddy or down right dangerous transmission cables causing fires… For the second time around…

https://www.cbc.ca/news/business/california-wildfire-pacific-gas-electric-bankruptcy-1.5620160

In short rather than “make good” after the first time PG&E managment significantly raised prices and did not do any of the work. Hundreds have died needlessly directly and indirectly and quality of life and duration significantly reduced for so many the word “countless” has real meaning.

More recently was the Texas energy outage where those managerialy responsible did next to nothing other than get on aircraft and fly to other places like “South of the boarder” out of jurisdiction just like bandits and criminals used to do.

In both cases the effect of managerial criminal greed, neglect and incompetence was the loss of electricity.

Less than a century ago, electricity was still a novelty. In way to many homes in the America’s it was used only for lighting and a little entertainment by the radio (both so inefficient they could warm a room). Thus it’s loss back then was not critical.

Now everything including your wrist watch runs on electricity and the loss of electricity effects everything. Mechanical clocks, control systems, thermostats, and much else swept away by microcontrollers. Leaving control systems that can not be over turned by hand, and in “the name of efficiency” made so complex it would be effectively impossible to try.

So your gas boiler won’t work without electricity likewise if you have one your gas cooker in many cases either. Back when I was very young our fridge had a “pilot light” because to the incredulity if not total disbelief of many these days it ran not off electricity but totally off of gas… Yes you can still get gas powered fridges for caravaning but it’s becoming almost impossible to find them and the multi power types all require electricity even when running on gas.

Supprisingly to many the main use for energy in homes is “moving heat” what few relise is that they have been conned. Much electricity is generated by gas these days if you start at the natural gas well head and measure things in terms of available energy (Kilowatt hours) you will be shocked by two things,

1, The transmission loss difference.
2, The consumer cost difference.

The loss of energy in a properly designed and implemented gas delivery network is a fraction of that of a typical electricity supply network in the America’s. The generation of electricity from gas is not exctly efficient even in well designed power stations, and heat is said to be the ultimate form of polution.

The result when you consider it from the generation of heat, in your home is that electricity is oh around six times more expensive… Worse the environmental impact of electrical energy distribution compared to gas even when done properly is way worse…

Yet now virtually everything runs on electricity… It stops and you freeze up in many ways, even in the heat of summer.

Because all other infrastructure runs on/by electricity, either directly or for communications, and I realy do mean all. The entire food production and delivery process. The entire water supply and sewerage take away. The control of vehicles on roads by traffic lights and delivery driver routes. Every where you look you will find that it all needs electricity and more recently computer communications.

Fun fact, all computer communications runs on electricity, the energy supply for which is 100% dependent on computer communications. If one stops the other stops, once both stop you can not bring it back again.

That is you get a “latch up failure” that in turn becomes a “cascade failure”. The only way out of this failure mode is the physical presence of “a man in a van” going from place to place manually overriding the switches, where it’s possible (often these days it’s not). But to do that first he or she needs to exist… Basically they don’t any longer the energy companies have replaced them with electrically powered computers 100% dependent on electrically powered communications. But even if he or she did exist, they are almost 100% dependent on electrically powered communications of data over electrically powered communications networks. But to know where to go and when and in what order to bring things up in to stop other issues such as startup surge trips, they would need information only kept or communicated by electricity…

By the time they even started sorting that out… He or she would be incapacitated or dead due to lack of water, food, health care and the rampant disease spread in the population in cities and urban areas. And that’s all before nut-bars with guns or other weapons try and stop them for various reasons from plain desperation through to religious nut-f4ck3ry…

You will hear about the rule of threes. Three minutes to die for lack of air, three days to die for lack of water, thirty days to die from lack of sanitation and about the same to die from starvation. If of course you don’t get wounded, murdered, or worse first by other desperate or deranged people.

But that’s all alright because a population so dumb it can not survive without electrcity or electronic communications are absolutly ideal for the self entitled to extort benifit from in ordinary times…

A lesson those in Texas who nearly froze to death or got bankrupted by energy costs going up by 8000% whilst those responsible went and lived it up “south of the boarder” will not forget over night.

But the Cal and Texas issues were in reality just “minor regional” issues… Think about the Colonial Pipeline issues, they were wider spread and effected about 1/3-1/2 the US population. More by luck than anything else it did not cascade as it could so easily have done.

But then think back a little what about the “meat packers” during C19 lockdown? Arguably the whole of the first world Americas were effected.

You notice how more and more such failures are via neo-con mantra pushed by self entitled people waving MBA’s etc becoming more and more fragile?

So far the America’s have been lucky, their breaks due to fragility whilst increasing in frequency have happened sufficiently seperately that things have so far had time to be sorted out before the next one happens.

But those “in between times” are getting shorter as the fragility due to stupidity worsens. So at some point in the not too distant future two or more breaks will happen sufficiently closely that they will overlap with a probability they become self reinforcing, thus potentially start a cascade, latch-up or both… What then? What use an MBA certificate or stock opptions? Or money in a bank where the computers don’t work?

Back in the 1930’s still just in living memory many people lived in an entirely different way. They usually had a year of food and water on hand that did not need electricity or communications and globe spanning supply chains just a “pantry and root store” and if a little wealthier a “feed store” for the four legged criters. They even had reliable sewerage and waste disposal “on the property” with a very high recycling rate. As for energy… Well the old saying “Wood warms you twice or thrice” is quite true think of it as “grow, chop and burn” phases. People get horrified when you talk of wood as fuel, because they think of mature woodland. That’s not how our ancesstors did it, look up “copicing” and “living fences” to see one way. But people also insulated their homes with “live stock feed” you would be surprised at the “R value” of a bale of straw.

My dad had a short run of “living fence” made of dwarf fruit trees effectively cross trellised. So fencing, and screening for privacy, fruit for preserving and materials for making baskets and hurdles or sticks for burning in a small stove to boil a kettle on for tea or fry up an egg or two for a sarnie.

The thing is a pint of boiling water if put in a hot water bottle will keep you warm in bed even if ice does form on the inside of the windows. Something that happened quite a bit when I was young due to power outages in the 1970’s two sometimes three nights a week.

They also knew that you did not need to wash the way we do today… Few realise that the amount we wash and the way we wash is bad not just for our mental health and bodies, but our clothes, and the environment, in terms of the staggering amounts of energy and polution and destruction of natural resources that are irreplaceable.

Making “Apple Vinegar” is something very small children can do, and did in times past and some still do,

https://www.theguardian.com/lifeandstyle/2020/nov/07/how-to-make-apple-cider-vinegar

One thing you can do is use it instead of detergent based chemical shampoo… Ever wonder why poetry and stories had the “love intrest of the swain” having hair that smelt of rosey apple blossom? Well it’s because she would wash her hair maybe once a week in apple vinegar.

OK maybe some people try to “over sell it” via the “No-poo” movment (serioisly no I did not make that up[1]) but articles like,

https://www.healthyandnaturalworld.com/wash-hair-with-apple-cider-vinegar/

Are what we used to do. And yes washing other parts of you with dilute vinegar has similar cleaning and microbial effects on pathogens.

Soap has always been a hard commodity to make. Basically you boil animal fats in a caustic solution and skim it off the top. Animal fats are hard to come by high energy foods essential for most forms of cooking, so not something you would want to waste. Making caustics is not exactly something you want to be doing either, the safest is generlly by using the ashes from burning certain woods (hence the term “potash”).

So clothes did not get washed much. It’s actually unnecessary. If you keep the essential parts of you clean and wear loose fitting wool underware that you “hang to air” you can rotate clothes around for six to nine months then make your soap in the fall at pig-kill time and let it cure and harden over the winter. Then have your “spring-clean” and hang cloaths up in the sun to “bleach”. Oh and bed atire with bedsocks and nightcaps were as much for cleanliness as they were for keeping warm. In London is the “V&A Museum” in south Kensington, that was once a swamp, thus available land for Prince Albert to put up his palaces to knowledge and learning. They have a very interesting library of information about what we might consider “low energy” or “environmentaly friendly” living. It sounds frugal but people lived well within sustainability and quite healthily (it was coal needed to power industry that together made people unhealthy and killed millions before their time well into the 1950’s and beyond).

To see the “cleaning power” of simple/sustainable, just using white vinegar on a lint free cloth will bring back the sparkle to much of your home where airborne muck such as oils from cooking and smell of food have deposied oils and VOC’s around the place gluing down dust and muck and taking the shine off. Now think how much better apple vinegar smells. It’s also an effective food preserver and it’s needed for making many preserves, especially those low in acidity thus energy intensive “freezing” is unnecessary. Oh and an apple tree is bee friendly something we need desperately if we want to survive as a species.

Security is a funny thing, we tend to worry about the wrong things, thus doing it wrong. If you do not have a solid foundation to build on everything else is for naught in the long run.

[1] If you search on hair washing and no poo method you will find the likes of,

‘https://therighthairstyles.com/no-poo-method/

Clive Robinson • February 14, 2024 7:46 PM

@ JonKnowsKnothing, fib, winter, ALL,

Re : He who pays the piper does not call the tune.

“It all eventually falls on the people with the fewest resources, least access to alternatives, and no access to power, literally or figuratively.”

As is so often the case,

“Those with the least, pay the most, as they can not afford to defend themselves.”

The way to be rich is to be totally self entitled, and never to spend anything or pay for anything. Further not to own anything so you have nothing that can be taken away.

The way to do the former is to get someone else to pay for you “as is your entitlement”.

The way to do the latter is to live behind a company and legal cut out.

I used to know someone who had a very small company they worked for and earned just enough to cross the “National Insurance” threshold that back then was something like sixty pounds a week. They fiddled the expenses system by working unsociable hours and having a company pool car held at the company office which was a room over a garage, just a few moments walk from where they actually lived.

In reality when I met him originally he kind of worked from home developing software for a well known mobile phone company through another small company that rented a space on a broom cupboard door in a then European Tax Haven as a side line to trading shares etc out of another tax haven in a warm place with nice beaches.

I never got to know all the details but at some point he upped sticks and moved home to Thailand and France / Germany / Holland where he owned but rented various places near a place called Maastricht where he spent about half the year. He’d fly back from a French or German or Dutch international airport to the UK or later come back on the Euro Tunnel. Always staying a few days short of the taxation times, except for Thailand where his girlfriend was from.

I’ve no idea how much tax he did or did not pay but his business interests earned quite a bit and he later moved into commercial property speculation which back then was definitely a rich mans game.

I once joked it was a waste of a good maths PhD to which he replied with a variation on an old adage of,

“The wages of sin are low, but so are the taxes, and the hours are real good.”

The last I heard he had settled down more or less permanently in Thailand after marrying his girlfriend in Europe and settled in to raising a family but ensuring the children were “British Born” and educated, thus technically able to hold dual passports.