Schneier on Security

Clive Robinson • August 18, 2025 9:15 AM

@ Eriadilos, ALL,

With regards the “soft-sabotage” attack on the Norwegian Dam.

The question of “Who did it?” is less important than “How they did it?”

You always end up with a “causal chain” with from a defenders perspective starts at the ingress point and ends at the point of agency.

However having designed “Safety Critical Systems” for complex high value environments I know you should investigate further to find the most effective of solutions. And this almost always has broader implications often beyond current policy. Put simply,

Any change to a system has internal, local, and external consequences.

And you have to “consider or constrain” them all.

Part of that is the realisation that,

All attacks are “instances” in “classes” of attacks.

Thus you have to keep that in mind during both the consideration and constrain phases.

In a general sense you have few choices,

1, Do nothing / ignore attack.
2, Clean up / Rebuild the systems.
3, Use law enforcement against attackers.
4, Mitigate the “Instance” of attack
5, Mitigate the “Class” of attack

All to often the reality is somebody on “financial basis” goes only as far as step 2… or even step 3 if they do not think it will have adverse effects.

Which like it or not means the door is still open to other attacks in the future.

Unless the ingress was a result of a third party product failure, and the clean up involves “use all the latest patches” where the third party has made changes to their product in their patches that break the causal chain.

However if it is fixed with a patch from a third party supplier the chances are it only “fixed an instance” of attack which leaves the “class of attack” open to a future instance that simply “bridges over” the “patch fix”.

This means you have to go beyond “mitigating the instance”.

Also if you constrain yourself to just “fixing in the causal chain” you are limiting your options to “internal” not the wider “local or external” consequences

So you must also consider mitigating before the ingress point and beyond the agency point.

The two things you might have heard are,

“If an attacker can not reach the system they can not attack it”

This is known as “mitigation by segregation / compartmentalisation” and it’s the principle behind “air gaps” and “energy gaps”. Whilst it has a lot of advantages it usually increases cost, and more importantly it only works against external attackers not internal to the system. Which is why we are hearing more and more about “supply chain attacks”, because third party parts in your system are internal to the system effectively under the control of an external attacker.

The other thing you hear is,

“Design for fail safe operation and shutdown”

Put simply if you can break the chain at or beyond the point of agency you can limit or stop harm or damage. You hear about “intrinsic safety” where you consider all the potential failure modes of a system. You then design such that the system does not cause harm with a “single point of failure” or two or more parts.

So we can say by what is reported that two things were lacking in their system,

1, External communications were open / accessable.
2, There was no effective fail safe measures / systems in place.

The first could be easily mitigated by not using the internet or other “open / external” communications. Thus that is an “ingress mitigation” that solves not just an instance of attack but entire classes of attack.

The second could be mitigated by putting an independent fail safe mechanism on the output of the control system. Thus that is an “egress mitigation” that solves not just an instance of attack causing harm but “all attack and failure classes” in the system.

My advice would be to go for both as the first will stop attackers communicating with the system, and the second limiting or stopping harm under all system failure modes.

But when considering what is and is not open / external communications you need to remember that if an attacker can bring an antenna in range or can hop over the fence and “vampire tap” a comms cable they automatical become an “insider threat”.

I mention from time to time that engineers for various reasons design comms to be “ASCII plaintext”. This is a “legacy issue” that arose back before the 1980’s when encryption was either unavailable or inordinately expensive and unreliable and worse made diagnostics of systems in the field way to difficult. Whilst many of those problems still exist “good encryption on “links” within the system and to the system should be considered as sensible / essential these days.

Clive Robinson • August 19, 2025 7:41 AM

@ ResearcherZero,

You might find this on “group think” and the “madness of crowds” –or commons– of interest,

https://m.youtube.com/watch?v=zPs1NYZR2eU

The hypothesis of which is the group / crowd is now “global” in essence due to the reach of not just modern communications but also those who control the outlet of information to the communications channels in various ways.

It also makes the point that “a hypothesis should be testable”. That is tests are thought up and then if considered valid can aid in proving or disproving the hypothesis.

I’m not sure how you could ethically test to prove the hypothesis, but I can not of my head think of a test that would disprove the hypothesis.

My “gut feeling” based on what I’ve observed and researched is that “group think on a vastly increasing scale” is happening. And also what goes out on the many communications channels certainly falls within the definitions of Black, Grey, and White propaganda,

https://en.m.wikipedia.org/wiki/White_propaganda

See the “See also” section for links to other definitions not given in the main body of the page.

Clive Robinson • August 20, 2025 9:18 AM

@ ResearcherZero, ALL,

You note,

“And politicians.”

I’ve mentioned this in the past but it is a point few consider (and was mentioned in the YouTube link I posted a couple of days back.

Anthropologically humans have evolved to be “jacks of all trades but masters of none” with regards physical attributes. Our true skills are our ability to be adaptable and communicate and thus bypass a lot of what goes into learning to reason things out. Whilst the result appears to be a “hive mind” it’s not it’s a form of parallel tasking. That is as a technique — be it skill or knowledge– is acquired it can be fairly quickly and efficiently communicated / passed on to others. And then the technique gets multiple people doing the same thing slightly differently (ie a stochastic process). So the technique gets refined very much faster, but .. also the learning of a technique gives rise to new similar techniques[1] often of greater utility or to new tasks / applications[2] hence the rider on “an idea comes of age”, “then takes off”.

All of these activites are only possible in “social grouping” the simplest examples being “guard labour” in a four man team on sleeps one cooks does admin and one or two are watching for attackers or opposing forces etc. The Four rotate duties on a rotating basis so that the primary task of “observation” is continuously in progress. The system that was developed into “watches” in the likes of sailing vessels where you might spend months at sea continuously sailing.

Not being able to do this is why “lone wolves always perish” and thus evolution caused humans with little physical advantage in their environment to form tribes and eventually industry and cities of immense size.

The problem with larger social groups are,

1, Responsibility.
2, Dispute resolution.

Without going into details you always end up with some kind of hierarchy. With power moving to those at the top. Which all to often attracts the sort of people who should be the very last people you should give responsibility thus power to. The more obvious corruption and nepotism is actually the least of the issues with hierarchical social structures.

The thing is the people most capable of being effective leaders are often those who do not want power, status or privilege

That meeting in Alaska this past Friday shows this by who they did nor invite. You had a power mad wannabe Emperor calling the shots to a vacuous status grabber there… Achieving practically nothing other than stopping appropriate punishment being applied to the wannabe Emperor. Who achieved that delay by the simple process of “soft soaping” the vacuous and very corrupt status grabber…

Whilst the third person who should have been there was deliberately excluded by the other two… Why? Because he would have shown the other two up in the basest of relief for the corruption they are both rancid with.

I could say more but I suspect you already know what it is likely to be.

[1] The original technique came about due to a basic evolutionary process which is commented on as “an idea coming of age/time”. We’ve see this over the past couple of centuries with what we now call Science Papers and Patent applications. Thus the technique becomes the “Primary” or “first instance” of what becomes a “Class” of “Secondary” techniques in “priority” yet will often have more utility or value than the primary.

This ability to find new instances in a known class is actually a process of “directed random modifications, and test”. Which is something the “Current AI LLM and ML systems” can actually do if given the primary technique and appropriate tests, But currently LLM and ML systems lack the agency to carry it forward in the physical as opposed to informational environment.

[2] You might have heard the expression “Renaissance Man” of which Leonardo Da Vinci is often quoted as an example. If you actually look at how they worked we would call them “multidisciplinary” these days and they rapidly acquired techniques in one knowledge domain and extracted the principles and then applied them to another knowledge domain. Current AI LLM and ML systems are fairly good at a limited form of pattern matching. The problem is they don’t have agency to gain knowledge of the environment they are in. Thus they can not currently do the form of more general pattern matching that Renaissance Man did to carry across known reasoning from one knowledge domain to another.

Clive Robinson • August 20, 2025 2:05 PM

@ Jan Egner, lurker

You say,

“You seem to be referring to Springer Verlag”

In part it’s my fault and in part the article I’d linked to.

I guess the assumption was that Axel Springer SE activities were “common knowledge”.

Back over two decades ago, I used to work with a US/UK citation database company and knew all about Springer Verlag as a scientific journal publisher. But… I was also well aware of Axel Springer SE that happens to be the largest producer of “non science” journals in Europe.

As a result I’m also well aware of Axel Springer SE’s fairly well publicised failings… So as they are not that relevant “other than rapacious legal behaviour” I chose to not mention it.

But it looks like that was a mistake on my part.

So briefly Axel Springer SE is fairly well known for having a very much “right wing” bias and for regurgitation of US mantra. Along with the vast amounts of money it has made in Israel unlawfully exploiting the occupied zones and the lies it spouts to perpetuate certain nonsense myths the Israeli government push out as black and grey propaganda.

I’ve also heard the story it was and still is “Another German Company that the CIA covertly Own / Financially Influence” (like the now defunct Crypto AG, and a certain large German Electronics company that was rather intimately involved with the development of parts of stuxnet. And is believed to be responsible for “weak/backdoored crypto” in European Approved (ETSI) Communications systems chips.)

Yes I know it sounds a lot like a conspiracy theory hence my reason for not previously mentioning it. But take a look at,

https://en.m.wikipedia.org/wiki/Axel_Springer_SE

But actually worse, a lot worse, is said of Axel Springer SE in other reputable publications including sexual abuse scandals and suggestions of slave/child labour use and worker abuse.

To a lot of Europeans Axel Springer SE is as low life if not more so than “The Ausie mut” “Rupert The Bare faced liar Murdoch” and his selection of organs one of which recently had to pay the equivalent of about $1billon for defamation over 2016 nonsense spouted in support of election stealing myths.

Because of the shear volume of dirt shifting around about Axel Springer SE, I’m not going to ask you how you know. Instead I’ll just wish you well 😉

Clive Robinson • August 22, 2025 4:45 PM

@ JG5,

When you say,

“The “Clipper chip” faced widespread opposition after its launch, and the project was terminated in less than three years.”

You don’t say why it was terminated…

And that in of it’s self is a bit of an eye opener.

The way the chip worked involved a “Law Enforcement Access Field”(LEAF) that was a checksum that inhibited the device use if the LEAF value was incorrect.

A researcher Matt Blaze discovered that the LEAF mechanism had a significant failing in it that the NSA must have been aware of as it was at the “standard level” and was a “broken protocol” by either ignorance or design.

The result was it was moderately easy to have a False LEAF value that would allow the device to be used, but not allow the backdoor function to be used.

“Oh dear how embarrassing, lets sweep it under the rug, by pulling the plug.”

But consider this as a deliberate mistake, it alowed the NSA and select entities to use “clipper” securely but not everyone else.

So you had security asymetry… The NSA had a backdoor into slmost everyone’s communications including “over sight and investigation” agencies that had control over the NSA one way or another.

The NSA and other select entities could not be eavesdropped on so had in effect a NOBUS in reverse.

Which brings us to your other point,

“U.S. Congressman Bill Foster led the introduction of a bill requiring the U.S. Department of Commerce to mandate that American chip companies add “backdoors” to chips subject to export controls.”

It’s pointless at best “fig-leaf legislation” as I mentioned the other day over the Nvidia H2O chips.

So whilst,

“[Congressman] Bill Foster holds a Ph.D. in physics and has worked in chip design, so he spoke with certainty that the relevant technology is very mature and entirely feasible.”

He forgot to mention it’s easily pointless as a deterrent…

There is a variation of a saying that goes back to the 1950’s atleast and pointed out that one effective method of security was in effect,

“Deny Front Panel Access” or external access to communications”.

And was the extension of “physical security” into “information security” by “Mitigation by segregation” that gave rise to the notion of “air gaps”. And later with BadBIOS all the rage “energy gaps” when it was demonstrated “academically” one weekend –over 3 decades after engineers had put such comms systems into marketed products…– that sound traveled down University hall ways carrying data modulated on it, and of course just by coincidence some days after it had been discussed in detail on this blog by engineers who had built such products…

A more modern version of the saying is,

“If they can not see/reach it they can not attack it”.

So the “Bill Foster Plan” is effectively pointless “political window dressing” as can be seen for those with even a small amount of knowledge.

Which begs the questions of,

“What is the Bill up to? And who is it/he doing it for?”

My guess is the real reason is,

“To steal ‘research work’ from other countries to boost the home industries.”

It’s something that both France and Israel do all the time and I’ve caught them doing it to me and others I’ve worked with quite a few times.

The first time was back in the 1980’s with the French and phoney diplomats and is what sparked my drive to understand, design, and implement security systems to stop such theft / abuse. And lets say “I still have a passing interest” in the subject and pass useful tit bits on to the public (but I’ve no longer the desire to kick such diplomats into and along the gutter “so they have something to remember” 😉