Recent Comments


Note: new comments may take a few minutes to appear on this page.

March 28, 2017 12:40 PM

Clive Robinson on Kalyna Block Cipher:

@ Anura,

I'm curious why they chose to use s-boxes when they are slow and potentially introduce side channel attacks.

Timing side channel attacks were the big problem with the AES competition.

The NSA effectively set the rules for the AES competition and NIST just rubber stamped various parts because they appeared reasonable.

Three things were problematical. Firstly the NSA would have known in considerable depth the problems with side channels, especially time based side channels. However they did not in any way take measures to prevent the risk (which is maybe why they still only regard it as secure for "data at rest").

In fact the NSA appear to have gone to some lengths to make sure time based problems would occure. As I've mentioned a few times in the past there is an issue with computer based security. It's "Efficiency-v-Security" in the general case --ie unless you take special measures-- the more efficient you make a process the more transparent it is to data leaks via time based side channels. Likewise the faster you make an algorithm run the more likely it is to have time based side channels.

One aspect of the competition was that entry submitters had to provide various implementations that would be freely available to all. Further these implementations had to be both efficient and fast. Obviously the two combined was a recipie for disaster. And it would appear that the NSA's hand was behind both of those choices, without any warning being given about side channels (even though atleast one researcher mentioned it).

The not unexpected result was that the code for the various finalists was downloaded by many and put directly into code libraries.

The result was and still is practical implementations of AES hemorrhaging secret information via time based side channels either to other processes on the same computer or onto the network interface and so off out into the world...

If you look back far enough on this blog I gave clear warnings that AES should only be used "off-line" with a second computer being used to communicate the ciphertext. But it was not realy listened to then, or apparently now as there are still embedded products being developed to run "on-line" that have bad AES code libraries...

I can imagine just how pleased this little bit of "finessing" must have made various people within the NSA... High fives all around.

Thus all new crypto algorithms need to be examined to see if they can be practically built to avoide side channels.

March 28, 2017 12:32 PM

book_review on Decoded, by Mai Jia:

@Wael
"Say, you're not the author. Are you?"

As a dead relative used to say: 'flattery gets you everywhere.'

No I am not the author.

For those of you who haven't read any of this book, from page 283 of 'Decoded':
"Er--um-- I don't know why I am explaining things in so much detail. Let me make an analogy. Let us say BLACK is like a house concealed far, far away, high up in the vast sky. There are countless doors to this house, all of them identical down to the smallest detail and all of them locked. What is more, only one of these doors can actually be opened. You can waste an eternity amid all of these doors, none of which you will ever be able to open and all of which look just the same as the real door."

As a book reviewer I did a duckduckgo search for 'Mai Jia'. Some hits include:

https://www.nytimes.com/2014/05/04/books/review/decoded-by-mai-jia.html?_r=0
https://www.amazon.com/Decoded-Novel-Mai-Jia/dp/1250062357
http://www.telegraph.co.uk/culture/books/10667139/Decoded-by-Mai-Jia-review.html
https://newrepublic.com/article/117138/mai-jia-chinas-dan-brown-subtle-subversive
https://www.theguardian.com/books/2014/apr/05/decoded-by-mai-jia-review
or
http://www.economist.com/news/books-and-arts/21599325-chinese-novel-everyone-should-read-get-characters

I wonder, what parts of this novel may borrow from history?

March 28, 2017 12:27 PM

dvv on Kalyna Block Cipher:

@Megan Prenty, the joke is on you as you won't ever see those enlightened times. Besides, the Russians have their own crypto standard, too.

March 28, 2017 12:18 PM

Dirk Praet on Friday Squid Blogging: Squid from Utensils:

@ Ah the intrigue

Re. "Trump administration sought to block Sally Yates from testifying to Congress on Russia"

To a European like myself, all of this reeks of banana republic diversion tactics and cover-up attempts. For US citizens, it's partisan politics, so we better not discuss the issue any further unless our host first touches on it himself.

March 28, 2017 12:06 PM

Michael on The TSA's Selective Laptop Ban:

In the meantime, safety regulations were previously moving towards mandating that all the large lithium batteries have to be in the cabin for easier overheating detection before spontaneous combustion…

Given that the number of explosives attacks outside the immediate war zones over last five years seems lower than the number of phones that decided to burn in public without any external reasons, the probability of dying horribly on the affected flights has probably gone up. Still low, of course.

March 28, 2017 11:30 AM

Clive Robinson on Friday Squid Blogging: Squid from Utensils:

@ Nick P,

To take things to extreme one can build a CPU or most anything else out of an (E)EPROM, a 74(HC)574 8-bit latch and a 555 as a clock sources.

I actually used a very high speed "Byte-Wide" RAM chip with a PIC microcontroler to load it up on reset to make a "universal mixer modem" for both use in a receiver as the 10.7Mhz IF-Demodulator and a transmitter as a modulator with either a 10Mhz or 100Mhz output.

It was a reasonably quick way to test new modulation modes in the 1990's before other parts caught up from thr likes of Analog Devices.

You could look on it as a transition point into what we would now call Software Defined Radio.

It still surprises me that most people do not know you can use a D-Type latch as a mixer. Which you can feed into a counter and thus a D-A converter to get a realy pure sinewave out of....

March 28, 2017 11:23 AM

Megan Prenty on Kalyna Block Cipher:

Jokes on you, when hackers suddenly crack AES, RSA, and TwoFish, the whole world would be in a global crisis except Ukraine, that will be safe with their Kalyna standard.

March 28, 2017 10:42 AM

My Info on Kalyna Block Cipher:

@Winter

Sounds reasonable, until you realize that the "roll your own" solutions have a tendency to fail catastrophically.

See, this is where the "not having anything to hide" part comes in. The cypherpunks weren't drug dealers, smugglers, or child pornographers. They didn't have anything like that to hide, and in fact they'd rat that sort of criminal out every chance they got.

No, no one wants to risk felony or other serious criminal charges on "roll your own" solutions. What I value here is the lost academic freedom to "roll my own" solutions.

Unfortunately the catastrophic failure modes we're talking about here are not from one's crypto being broken in the sense that plaintext or keys are being discovered but from the barrel of Dan Bernstein's pistol and from some medieval university mace brought out of the back closet of the frat house for the "occasion."

March 28, 2017 10:30 AM

Clive Robinson on The TSA's Selective Laptop Ban:

@ D-503,

Re: manufacturers. Sandisk says their SD cards are "X-ray proof". But I haven't seen anything about tolerances, so my question still stands.

The simple answer is that "X-ray proof" is laws of physics wise, not true. We know how to make X-ray lasers and they can do one 5hit load of damage not just to electronics but just about everything.

What they manufactures realy mean is that under a given assumption, and then within a reasonable probability your data will not get altered. If you are a thin tail or fringe condition on the probability graph then "tough luck", they might just give you a refund if you push hard enough.

The assumption is the level of X-rays used by the machines they are aware of. Providing it's subject to that level or less for a short enough time then a "new" device will retain the data within a probability curve. However this does not say how much it "stresses" the memory component.

It's a bit like firing water at a sheet of metal if it's "low, slow and infrequent" then you will not see any damage, but even low&slow given sufficient time will rust away the sheet metal damaging it. Likewise fast and fine will under sufficient preasure cut through a sheet of metal just like a laser or plasma cutter.

From what I've been told in the past the X-ray scanners are run at low output to give longer usage life on the "tube" and detector. However the power supply is sufficient to drive it at very much higher output or for a continuous time, incase a high density object is placed between the scaner source and detector...

March 28, 2017 10:27 AM

Winter on Kalyna Block Cipher:

@My Info
"Suppose I did develop my own unique cipher that was theoretically weaker than the prevailing standard. It would still take some manual effort to crack it on the part of NSA, which has for the most part seemingly given up all interest and ability in true cryptanalysis, in favor of exerting political control to weaken the hardware and software of the endpoint computers and devices which have access to the plaintext."

Sounds reasonable, until you realize that the "roll your own" solutions have a tendency to fail catastrophically. The tried-and-tested solutions tend to fail "gracefully" (not always). Supposed cracks usually require lots of effort and computing power and warnings are going out a long time before the fact (see, e.g., md5 and sha1, single DES might be a counter example).

And the NSA is not the only agent trying to crack crypto.

March 28, 2017 10:23 AM

Ah the intrigue on Friday Squid Blogging: Squid from Utensils:

"Trump administration sought to block Sally Yates from testifying to Congress on Russia"

https://www.washingtonpost.com/world/national-security/trump-administration-sought-to-block-sally-yates-from-testifying-to-congress-on-russia/2017/03/28/82b73e18-13b4-11e7-9e4f-09aa75d3ec57_story.html?utm_term=.66677aa97505

So the White House tried to block Yates' testimony to the House Intelligence Committee by invoking executive priviledge. She indicated her intention to testify regardless, since priviledge was waived due to the White House's public comments on matter of Flynn in January. That same day Fri the 24th Nunes abruptly canceled the the scheduled House Intelligence public hearing where Brennan and Yates were expected to contradict White House statements. Comey canceled his appearance at the closed door hearing since Nunes will run to the WHite House with details of the FBI investigation, and now Nunes won't proceed with the public hearing untill the closed door hearing with Comey and Rodgers is rescheduled. Speaker Paul Ryan has every confidence in Nunes ability and won't replace him probably to stay on the good side of Trump in order to keep his own job.

March 28, 2017 10:09 AM

My Info on Kalyna Block Cipher:

@Thoth

ChaCha20 is from D.J. Bernstein. That is exclusively a one-man show. I have yet to see independent analysis of any of his ciphers from anyone outside his college fraternity.

March 28, 2017 9:55 AM

Clive Robinson on Friday Squid Blogging: Squid from Utensils:

@ AlanS, Bruce and the usuall suspects,

Ed Felton on issues UK and US law enforcement agencies would have to address if they actually wanted "to have a grown-up conversation about encryption mandates".

The problem I have with these conversations is they almost always start from the wrong point.

The first thing everbody should recognise is that "Properly encrypted data from one algorithm should not be distinguished from another algorithm". That is if I give you a laege block of cipher text you should not be able just from the cipher text to tell what algorithm was used.

More importantly you should not be able to tell from the resulting ciphertext, if what went into a crypto algorithm was,

1, Plaintext,
2, Random data,
3, Ciphertext.

This is something nearly everybody ignores when talking about "getting at the plaintext" for lawful --or otherwise-- intercept.

This is as important as understanding the difference between codes and ciphers.

If I backdoor an encryption system so that it's input can be recovered, does it actually achieve anything?

The answer is both yes and no and is dependent on who designed the compleate communications system not just the encryption at one small part of the overall system.

If a system designer is aware that an algorithm they might use could have a backdoor in it they have two basic choices,

1, Take a risk and use it as is.
2, Mitigate the backdoor and risk.

Anyone with half a brain knows what the most likely answer will be, and that is if possible "mitigation".

Which means the first over-riding question in a "grown-up conversation about encryption mandates" is,

    How do we prevent mitigation?

If the answer is "You can not" then the whole purpose of a "a grown-up conversation about encryption mandates" fails at that point.

Not just because there is no guarantee about getting at the real plaintext / meaning of an encrypted message but the side effects.

It should be clear to most readers here that certainly the UK government will not brook any argument against mandatory access. Worse as past legislation shows they will not flinch from breaching human rights to get at their objective. By alowing for those who innocently or otherwise can not or will not give them what they want to suffer unjust punishment of extrodinary order.

What we are seeing with "WhatsAPP" and Amber Rudd / Theresa May is the beginings of a Mexican Stand Off, as went further with FBI/DoJ-v-Apple. In essence it's going to become a "Pi55ing Contest" which will hemorrhage hundreds of millions trying to achive what is not possible.

To avoid this legislators will "get cute" and put in place draconian penalties against those encryption product producers who can not produce "Plaintext on demand" as with current legislation there will in effect be no real defense against such charges. Even though as I pointed out you have no way of knowing if you are seeing Plaintext/Random Data/ciphertrxt.

Whilst judges may have discretion, they are not seen on mass as being very capable when it comes to technology. Which means that you would be unwise trying to explain the finer points of complex technical systems to them as a defence. Especially if you are going up against "the establishment", who can use dirty tricks to privately brief the judge against you. By for instance claiming "National Security" and "Classified methods and sources" that you are not cleared to see (we have seen this before with terrorist trials etc).

Now ask yourself as a designer of such equipment what will you do,

1, Close down your business.
2, Try to lawyer up.
3, Use a technicaly simple backdoor.

I suspect the actual answer would initialy be option 3.

The problem with option 3 is that like most simple things in life others will find out about them fairly quickly... Which means the world and his dog will find out, which means others will get access one way or another...

Option 2 of lawyering up is generally a very bad idea in that it will cost more than many small countries GDP to fight, and you will not get the money or years of time back. Further even if you win you will lose as there are many many ways the UK or US governments can put a company out of business.

Option 1 is what will eventualy happen one way or another. Which will turn the UK and US into places which people will avoid by prefrence even as "airside stopovers". Likewise people will not use UK or US products by prefrence and that will have very significant "National Security" issues. Because talent is generally not stupid and will move where possible to where they are not under threat. When that is not possible they will switch into other careeers etc. The UK certainly will lose big time over such stupidity. Which Rudd / May do not appear to grasp, but they are both Brexit friendly so I guess it's just one more failing they have on a lengthing list.

Thus the real economic issue over backdoors is not what crime it will stop (next to none). But what the producers of crypto kit will do and the knock on effect of a government directly threatening technical "talent". Back in the 1970's unwise tax policy was seen by "talent" as a threat / attack on them and they voted with their feet and we had what became known as the "Brain Drain" I can envisage such draconian legislation as May / Rudd will be responsable for will have a similar effect.

Further it can be shown that having backdoors in encryption will actually make the various Intelligence Entities and Law Enforcment entities less effective. Worse any attempt to resolve this will end up with very simple and weak backdoors, that will end up helping certain types of criminal...

So very much negatives all round, which makes you wonder why May / Rudd are so desperate to do something so utterly stupid?

March 28, 2017 9:43 AM

My Info on Kalyna Block Cipher:

@Scissors

One of the prerequisites for submissions to the standard:
"A proposed solution must not have any trapdoor and should not be suspected to have one."

Is it standard practice to include this? There seems to be a lot of room for interpretation and manipulation.

My concern is that this would have left more than enough wriggle room for Vladimir Putin to veto any proposed standard.

March 28, 2017 9:39 AM

Thoth on Kalyna Block Cipher:

ChaCha20 ciphers are all over Github and Interwebs even with it's own RFC standard (RFC-7539).

I even ported ChaCha20 to 16-bit JavaCard quite many months back and released the source on my Github page :) .

There's NaCL and BouncyCastle that supports ChaCha20 and even OpenSSL supports ChaCha20 which they could have just adopted right away. ChaCha20 which is designed to resist certain classes of side-channel attacks is probably more suitable for modern security applications considering that during the time of AES competition, the likes of side-channel attacks are less known and thus may not have been actively incorporated into those ciphers back then.

March 28, 2017 9:37 AM

My Info on Kalyna Block Cipher:

@keiner, Who?

... I believe EVERYBODY (outside US) is more comfortable nowadays with non-US security solutions.

I would say most people in the U.S. are more comfortable with non-U.S. security solutions too.

Our situation in the U.S. is not so different from that in Ukraine or other Russian satellite nations. We have the Democratic white nationalists and the Republican Putinists. They pretend to oppose each other, and we find out that all the meanwhile they've been scratching each other's back at city hall.

Blacks, Jews, LGBT, and other minorities are just thrown under the bus in this two-party system. Adjudicated as mental defectives and thrown into mental hospitals which if things go as planned are then set afire by government henchmen.

@herman

"non-US security solutions" - like Rijndael/AES which is from Belgium? Anyhoo, I'm glad that some people are working on different ciphers. The old Soviets have always been good at it.

Sure. Right now, like everyone else in the U.S., I am suffering from acute putinitis of the brain, and I need R&R.

March 28, 2017 9:31 AM

herman on Kalyna Block Cipher:

"non-US security solutions" - like Rijndael/AES which is from Belgium? Anyhoo, I'm glad that some people are working on different ciphers. The old Soviets have always been good at it.

March 28, 2017 9:26 AM

Anura on Kalyna Block Cipher:

Given the progress made with ARX ciphers, I'm curious why they chose to use s-boxes when they are slow and potentially introduce side channel attacks. Seems like a minor security improvement over AES at the expense of performance (and I doubt Kalyna will be able to make much use of AES-NI), when ciphers like ChaCha20 are fast in software and potentially more secure.

March 28, 2017 9:24 AM

Who? on Kalyna Block Cipher:

@ keiner

I would say most people in the U.S. are more comfortable with non-U.S. security solutions too.

March 28, 2017 8:58 AM

keiner on Kalyna Block Cipher:

... I believe EVERYBODY (outside US) is more comfortable nowadays with non-US security solutions.

March 28, 2017 8:54 AM

My Info on Kalyna Block Cipher:

I am so happy to see this blog return to the subject which first attracted my interest.

The entire process about the selection of AES left me rather disheartened, especially with the apparent conclusion that AES is "the" block cipher, "good enough" for all practical purposes, even government secret and top secret use, and we need study no other.

Excessive warnings and admonitions were issued about cryptography's being a black art: "Don't roll your own cipher; don't even think about it. You're an idiot if you try it."

Suppose I did develop my own unique cipher that was theoretically weaker than the prevailing standard. It would still take some manual effort to crack it on the part of NSA, which has for the most part seemingly given up all interest and ability in true cryptanalysis, in favor of exerting political control to weaken the hardware and software of the endpoint computers and devices which have access to the plaintext.

The "cypherpunks" whose online culture was obliterated by the MAFIAA years ago did not so much have anything to hide, but would tend to experiment with some computer cipher or other in a what-if scenario. Or put something unusual or bizarre out there, and try to find out if anyone could crack it.

I don't like Chicago wheat futures or banana monocultures. Why should I like cipher monocultures or buy into Rijndael/AES as the be-all and end-all of computer ciphers? I am especially interested in the runners-up to some of these contests. SERPENT, for example.

https://www.cl.cam.ac.uk/~rja14/serpent.html

Almost certainly even stronger than Rijndael which was selected as AES, it was apparently rejected because it required excessive computation.

=============

I am very curious about the development of a Ukrainian standard. Do the Ukrainians believe that Vladimir Putin is able to break AES? Or, in the worst of all possible worlds, has the Ukrainian process been actively subverted by Putin's agents?

March 28, 2017 8:50 AM

vas pup on Friday Squid Blogging: Squid from Utensils:

Tag: Future of CBI:
Elon Musk creates Neuralink brain electrode firm:
http://www.bbc.com/news/technology-39416231

The company will develop so-called “neural lace” technology which would implant tiny electrodes into the brain.
The technique could be used to improve memory or give humans added artificial intelligence. According to the Journal , leading academics in the field have been signed up to work at the company which is being funded privately by Mr. Musk.

My guess that has potential for IC, military, security as well - kind of universal soldier.

March 28, 2017 8:36 AM

Freezing on Commenting Policy for This Blog:

I will never be able to thank you enough for your initiative. This place is the best forum on the Internet; a glimmer of light in a shadowy world. This precious resource must go on, Bruce.
Thanks for all the fish.

Greetings from Brazil. Peace and Love ya`ll.

March 28, 2017 8:18 AM

Roman on Kalyna Block Cipher:

Ideas on Kalyna design rationale (including preference for S-box based construction over ARX transformation) are published in Ukrainian here: http://jrnl.nau.edu.ua/index.php/ZI/article/download/8789/10813 ; as for now there is no English translation, unfortunately. Independent cryptanalysis results are also available on eprint.iacr.org

Authors can be reached via e-mails from the Kalyna paper ( https://eprint.iacr.org/2015/650.pdf ); some of them also have profiles in social networks. They're real people )

March 28, 2017 8:12 AM

vas pup on Friday Squid Blogging: Squid from Utensils:

Tag: future of surveillance:
Controlling turtle motion with human thought:
https://www.sciencedaily.com/releases/2017/03/170323085038.htm
The research demonstrates that the animal guiding scheme via BCI can be used in a variety of environments with turtles moving indoors and outdoors on many different surfaces, like gravel and grass, and tackling a range of obstacles, such as shallow water and trees. This technology could be developed to integrate positioning systems and improved augmented and virtual reality techniques, enabling various applications, including devices for military reconnaissance and surveillance.

March 28, 2017 8:02 AM

Scissors on Kalyna Block Cipher:

One of the prerequisites for submissions to the standard:
"A proposed solution must not have any trapdoor and should not be suspected to have one."
Is it standard practice to include this? There seems to be a lot of room for interpretation and manipulation.

March 28, 2017 8:02 AM

Trebla on Kalyna Block Cipher:

Instead of developing yet another algorithm they should stick to well tested ciphers that have survived many years of scrutiny.

March 28, 2017 7:56 AM

MarkH on Commenting Policy for This Blog:

@ab praeceptis:

180 degrees off concerning Putin and democracy. This isn't the place to delve into it, but I wanted to register objection.

March 28, 2017 7:50 AM

Bob Paddock on Friday Squid Blogging: Squid from Utensils:

@Nick P

Have you looked at the obscure XMOS parts? They have found their niche in High End Audio. Nothing limits them to that.

"xCORE Multicore Microcontrollers deliver scalable, parallel multitasking compute; high performance digital signal processing and the ability to customize interfaces and peripherals to create a solution that exactly matches the designers requirements."

The peripherals are 'soft' so backdoors can be looked for.

While the architecture is different they are a decedent of the Inmos Transputer.

To take things to extreme one can build a CPU or most anything else out of an (E)EPROM, a 74(HC)574 8-bit latch and a 555 as a clock sources.

Take the data output from the (E)EPROM as the input to the 574, the 574 output feeds back to A0->A7. The higher address lines are inputs to the State Machine.
Parallel EEPROMs/latches etc to get more bits or more outputs.

The 555 clocks the latch so that the system is not oscillating uncontrollably.

March 28, 2017 7:35 AM

Vesselin Bontchev on Kalyna Block Cipher:

@Wm in many Slavic languages, the ending "ov"/"ev" means belongingship (for male; "ova"/"eva" for female). It's similar to how "Johnson" basically means "the son of John". My family name ("Bontchev") basically means "Bontcho's", with "Bontcho" being the first name of some distant male ancestor of mine. So, these Ukrainian family names are perfectly normal.

March 28, 2017 7:35 AM

Bob Paddock on Friday Squid Blogging: Squid from Utensils:


@Clive Robinson

"... you have to be carefull with magnetic materials due to the way they work. Essentially they have domains that if alligned provide higher permeability than if not aligned. ..."

Other than the high costs what is your view on Amorphous Metals such as Metglas[TM] as extreme shielding material?

The most succinct explanation of exactly what is meant by Amorphous Metals comes from NASA's Microgravity research program office in the paper:

--- Containerless Production of Bulk Metallic Glasses (74-49) -

"When a metal or alloy solidifies, it usually divides into many small crystals. The atoms in each of these crystals are arranged in a periodic fashion known as a crystal lattice. Certain metal alloys, however, can be cooled so fast that the atoms do not have time to arrange themselves in a regular fashion but are instead arranged in a more or less random fashion like the atoms in ordinary glass. Such disordered materials are termed amorphous and have very different properties from the same material in a crystalline state. Present techniques for fast cooling of metals on Earth require that the metal be in very thin ribbon form so that heat can be extracted quickly."

Amorphous metallic alloys (metallic glasses) have, in the past, been prepared by (1) splat cooling, (2) roller quenching, and (3) quenching in water. Methods 1 and 2 induce quenching rates on the order of 10^4 to 10^6 ¡C/sec, while method 3 usually results in a quench rate of 10^2 to 10^3 ¡C/sec. It was, therefore, proposed that the elimination of container walls, which can act as nucleation sites for crystalline growth, could allow production of metallic glasses with slower cooling rates (less than 10^2 ¡C/sec). In a reduced gravity environment where such containerless processing is possible, "..the metal can be cooled below its usual melting point so that when freezing does finally take place, the liquid will be so viscous that the atoms in the liquid cannot rearrange themselves into a crystal." The ultimate result of this process would be an amorphous metal produced in a bulk form." ---


With today's obsession with smaller, faster, lower power, sometimes we need every little bit of help we can get. One area of power supply design and shielding that has not made it to the main stream is the use of Amorphous Metals.

"This material offers the potential of reducing the core losses of motors and transformers by more than 70%" - Applications of Low Loss Amorphous Metals in Motors and Transformers by L.A. Johnson, E.P. Cornell, D.J. Baiely, S.M. Hegyi; 81 TD 641-0. A paper recommended and approved by the IEEE Transformers Committee of the IEEE Power Engineering Society for presentation at the IEEE PES 1981 Transmission and Distribution Conference and Exposition.

"Fundamental 60 Hz core loss for the amorphous iron stator was approximately 1W. The corresponding silicon iron core loss was 5W, and common iron core loss 10W. This clearly demonstrated that the low reported core loss of amorphous metal can be achieved in a motor." - Test Results on A Low Loss Amorphous Iron Induction Motor by G.M.Rosenberry, P.G.Frischmann, R.E. Tompkins; Manuscript of August 14, 1981.


Also related to security is something that gets little attention is the power supplies running all the boards being discussed.

Saturable Reactors / Mag Amps are power supplies to use in extrema environments like high radiation, which also use Metglas[TM] cores, when failure is not an option.

Saturable reactors utilize the large change between unsaturated and saturated permeabilities of their cores to delay current for a preset period of time. Similarly, once saturated in the forward direction, they act as a diode temporarily blocking current in the reverse direction. A Mag Amp is a good example of how to use a Saturable Reactor.

Also by using a saturable reactor in series with either a semiconductor or thyratron switch, the circuit designer can reduce losses in the switch and extend its life. The saturable reactor is designed to hold-off current until the switch becomes fully conductive

This delay reduces the overlap between current and voltage in the switch, thereby reducing power absorber in the switch. Higher di/dt's to the load are safely achieved by waiting for full conductivity in semiconductor switches. This prevents spot heating of the Gate [1], again for designs when failure is not an option. The diode-like characteristic of a saturated reactor provides time for switch recovery.

Hitachi Metals America and Allied Signal under the Metglas[TM] name are the primary suppliers of these components.

"Most powertools are designed to do a simple function well."

No one buys a 1/2" drill because they need a drill. What they really need is a 1/2" hole.


[1] Spot Heating failures:

A common problem I see in message boards is that someone's circuit failed and went up in smoke. People in the more esoteric realm's blame this on things like "Subtle Energy" overload and other such minutia. Here is the far more realistic explanation:

The very old "GE SCR Manual" goes into all of the Gorey details of what is happening inside the part, when the "Magick smoke comes out", as it is unlikely you have the Manual at hand, in a nut shell:

What lets the Magick Smoke out of IGBTS, FETS and SCRs in most cases is turn them on to slowly, causing 'Spot Heating' of the die.

Think of a FET as hundreds of thousands, possibly millions, of very small resistors all in parallel, where each one can be turned on and off individually. The 'resistors' closest to the gate turn on first, and as the gate potential spreads across the die the rest turn on. The ones farthest from the gate turn on last.

With a slow gate turn on, a few of the small resistors nearest the gate are trying to carry all of the load, which they can't do, so they burn up, but the device does not fail quite yet. The next time the device is turned on, which may be only milliseconds away depending on your switching frequency, or days away depending on the application, some more of the resistors further in burn up. When the point is reached that there is simply not enough of the 'resistors' left to carry the load is when the Magick Smoke escapes, and the part dies a catastrophic death.

This is why the parts generally run "for a while" before failing. If it fails as soon as you fire it up the first time, you either had a catastrophic short in the load, possibly shorted caps that take a bit of time to 'wake up' before they hold a charge, generally fixed with 'Soft Start', or the gate drive REALLY SUCKED big time.

There needs to a be a few *amps* of current pumped in the gate of the larger parts, for short periods of time, to get the gate potential to spread across the entire die as fast as possible.

You also want to get the thing turned off as fast as possible.

If you are not familiar with the concept of Magick Smoke, this is where all electronic parts run on Magick Smoke, because once the smoke comes out of the part, it no longer runs...

March 28, 2017 7:12 AM

Wm on Kalyna Block Cipher:

I am wondering how reliable the author names are. Seven names end as:
kov, rov, sov, gov, yov, nov, and lov. To be a bit different, there is one sev, also two Gorbenko. Could this be fake block cipher news?

March 28, 2017 7:11 AM

Howard on Kalyna Block Cipher:

I like Twofish, Serpent and ChaCha20. I still see Blowfish and 3DES popping up every now and again.

As it happens Apple removed 3DES as a default cipher in watchOS 3.1.3* but in iOS 10.3** they added it to their SCEP client (DES was deprecated); it's still extremely popular in the credit card world though.

* https://support.apple.com/en-us/HT207487
** https://support.apple.com/en-gb/HT207617

I'm also fond of cascades which might have been a solution if the Ukrainian government was looking for added security by developing their own, more modern (but not widely-studied) cipher.

A 512-bit key size and support for 64-bit CPUs is promising but I dislike complicated key schedules because there's scope for error. I'll study the document in due course.

I've got nothing against modern ciphers and we need to keep developing them because Rijndael (AES) may eventually no longer serve us well. For that reason I'm an advocate of post-quantum cryptography although developing effective ciphers is difficult without a crystal ball.

March 28, 2017 6:53 AM

Thoth on Kalyna Block Cipher:

They should have just stuck to existing and well studied ciphers like Twofish, Serpent and ChaCha20 instead of trying to re-invent the wheel like many countries with their "National Algorithm" and in the end, everyone still stuck to AES and DES ciphers despite having "National Algorithm".

March 28, 2017 6:27 AM

Clive Robinson on The TSA's Selective Laptop Ban:

I suspect quite a few people have missed one aspect of this.

Yes nearly 40,000 people will be killed on US roads this year but the general public view is "So what?" because of one or two common misconceptions such as "It ain't going to be me because I'm an XXXX driver" or "It was their own fault due to their YYYY driving skills".

The thing about aircraft is the same as "ICBM" or "Long Gun" fear, you feel you are vulnerable where ever you are. That is you will have the aircraft "crash and burn on you", not that you will be a passanger on such a flight. Since 9/11 an aircraft has gone from being a great way to get from A to B into a mad man's tool to bring death and destruction upon us all, in the minds of politicos and MSM journalists.

Rational and logical thought is not very persuasive when people are subject to "Oh My God, Think of the children" in quite visceral ways.

As for using it as a way to "favour US airlines" this is not the first time this has come up. Have a look back to a threat a decade ago and what quite partisan behaviour the TSA etc showed. Back then it was British Airways and Air France that got the brunt of the behaviour, whilst the US airlines were uneffected.

March 28, 2017 6:26 AM

Lisa Atkins on WikiLeaks Releases CIA Hacking Tools:

Hello everyone, need hacking services? Be warned, most of these so called hackers here are impostors, I know how real hackers work, they never advertise themselves in such a credulous manner and they are always discrete. I have been ripped off so many times so from experience I know pretty much how they work. Eventually my zeal to solve my issue paid off when a friend of mine introduced me to his hacker friend, his professionalism is top class. He hacks from destroying data and evidence against you, changing school and university grades, hacking into your cheating spouse phone. Getting the job done is as simple as sending an email randyblair@contractor.net or text +1 813 379 2141 Tell him I referred you. He will be more than happy to help you

March 28, 2017 6:02 AM

Clive Robinson on Friday Squid Blogging: Squid from Utensils:

@ reader,

Who keeps track of nefarious purposes for which loud outdoor power tools can be used? Or are there none?

Most powertools are designed to do a simple function well. But can be used for more complex or unexpected tasks.

When you say "nefarious" that covers a lot of ground...

For instance a "thermic lance" can be used by those wishing to get into strong rooms without using the keys. Further the XKCD $5 wrench interrogation tool, shows a "creative repurposing" of a tool outside of it's design specs. As does a soldering iron for "Thermo-rectal" interogation, or as was said in the film RED as a "Potty trainer".

You will need to be a little more specific on what area of "nefarious" you are thinking of...

March 28, 2017 5:49 AM

Clive Robinson on Friday Squid Blogging: Squid from Utensils:

@ r, JG4,

... steel screening beats bronze hands down for their measurements ...

From the screaning point of view there are two major considerations.

Firstly the "effective" surface conductivity, to stop the "E field". Which due to something called "skin effect" means that at what would normally be considered RF frequencies the material thickness is not likely to be relevant. But at low frequencies such as you have with mains hum and older Switch Mode Power Supplies it is (approximately two and a half inches at fifty Herts).

Secondly is "effective" magnetic volume which limits the "H Field". Magnetics is a much more complicated subject and metal sheets are in many cases considerably less effective than ferrite materials. In general you need to consider the materials relative permeability and magnetic susceptibility to judge if it is to make an effective shielding material. However there are a couple of things to note, firstly the nonlinear behaviours of magnetics including frequency responses and saturation etc and secondly the relationship of "bulk" or "volume" effects. Magnetic materials don't "block" magnetic fields what they do is provide a path of lower resistance to the magnetic flux thus diverting it.

Further you have to be carefull with magnetic materials due to the way they work. Essentially they have domains that if alligned provide higher permeability than if not aligned. For instance iron has permiability down in the low thousands, however add nickle, cobolt, chromium or other metals and it goes up dramatically. One such is mu-metal where the permiability can be up to a hundred thousand, but... if you bend, stretch, form or "work" mu-metal in any way it's permiability can drop to around 2% of what it was. To get the permiability back you need to aneal it after working in a hydrogen atosphere to "aline the grains". Most other metal magnetics need to be similarly aligned after being worked on... Something I suspect Mythbusters would almost certainly have not taken into consideration, likewise the permiability of the steel they used, some stainless steels have much higher permiability and susceptability than others, and I'm guessing they will not have used an "Evens Balance" to measure their materials.

I've not seen the Mythbusters in question, but I suspect that with the price difference between steel and bronze there was probably a material thickness issue with bronze in that would have been closer to foil than plate. Thus it's volumetric component would have been quite small. Second the magnetic properties of bronze are quite low compared to iron and it's alloys with certain other metals.

Further I have seen other Mythbusters where Jamie showed a compleat lack of knowledge about electrical effects above that of house wiring, and nothing of AC theory or RF safety. Likewise his compleat lack of knowledge about how to make RF and EMC joints and casings. The clasic being his behaviour with microwave ovens, where he is very lucky he did not get visable injuries.

Which suggests to me that what they were measuring shielding wise was low frequency EM, of the sort you get from powersupplies and audio electronics, not the RF frequencies you get from radio equipment and computers which have harmonics well up into the microwave bands.

I could say a lot more on the matter for instance 1/(x^2) fall off for surface related effects and 1/(x^3) for volumetric effects. Which also effect the design of shielding systems as well as Faraday Cages / SCIFs and also why some TEMPEST rules are what they are.

March 28, 2017 5:44 AM

Desmond Brennan on The TSA's Selective Laptop Ban:

(1) a lot less quantity of explosive is needed in the cabin...as it can be skillfully applied closed to the fuselage, and the charge could be directional. The random placing in the hold would mean a lot more bang needed

(2) they may well have specific threat actors in mind ...and the issue may be down to adequacy of screening (that includes more than just technical) at certain airports

Overall tho ...there's not enough clarity around airline security...and rigorous thinking ...is likely absent/uneven

March 28, 2017 5:23 AM

Charlie on The TSA's Selective Laptop Ban:

Actually we are heading for a nice catch-22

At least on Lufthansa and therefor most of the Star-Alliance no Lithium-Ion batteries are allowed in checked baggage.
In fact I was asked each time at check-in if I had anything with a LIB battery in my checked baggage, which meant all laptops had to be as carry-on.

I guess we will be returning to the old days of removable batteries. The laptop itself has to go in the hold, but the battery must be carry-on.

Sony, Lenovo, Apple, you guys listening here, new market opening up, removable batteries are going to become the rage again ;-)

Funny old world ain't it.

March 28, 2017 1:21 AM

Ben on Commenting Policy for This Blog:

Good post sir.

It raises an interesting point on the distinction between information security and information technology security.

How do you defend against abuse and or trolling?

March 28, 2017 12:57 AM

Figureitout on Friday Squid Blogging: Squid from Utensils:

Thoth
--Argh, did you read that link? That's close but it "flickers" when charging so that's already out, that's exactly what happened to my packet sniffing pi twice, it's very damaging when it doesn't shut down properly. Then it also would just die if you leave your pi running on it.

But yeah, maybe something like a car battery would work, but it's just clunky.

Clive Robinson
--Well it's what I have most experience w/ right now, it's generally pretty quick, less components to deal w/, and at least serves as a PoC. My analog EE skills are basic. I haven't worked w/ those kinds of components a lot (buffers, logic gate IC's, etc.) but want to of course. Where's the galvanic isolation of the LCD w/ just a buffer or latch though?

I'd be treating that MCU talking to LCD as a bit untrustworthy, if I'm assuming an LCD module is infected (very rare, I think...probably way way over paranoid). I just want it to forward commands and data to LCD it receives from "master" and the control channel is isolated, so if there's errors at least it doesn't spill backwards. I'd maybe add an external crystal and clock it to maybe remove a time-based side-channel.

Adding all that functionality may increase attack surface based off what you've mentioned in past (writing serial data to memory in an MCU thru an LED, I want to see it before I believe it). Plus if you tried to squeeze every last bit of functionality out of today's chips you'd be constantly working.

March 28, 2017 12:05 AM

Nick P on Commenting Policy for This Blog:

@ Wael

Funny. It's about right. It's also why being a political moderate is social or political suicide if you don't conceal it. Not getting on bandwagons can have negative effects. Yet, if taking action, you'll anger various people no matter what you do. (shrugs) Gotta do something or nothing. Doing nothing is for quitters. Something it is.

March 27, 2017 11:29 PM

Anon on The TSA's Selective Laptop Ban:

@Michael Crumpton:

Yes, they could, which makes the argument for putting them in the hold a completely asinine idea, as the bomb is still on the flight (that is what they were afraid of, right?!).

There is another, non-security related reason for this "not ban".

March 27, 2017 10:47 PM

Nick P on Friday Squid Blogging: Squid from Utensils:

@ ab praeceptis

" One could as well create a new company around a secure software stack for e.g. mikrotik boards, buy them with volume discounts, and sell them as "XYZ secure router""

I was focused on using their substantial capital instead of my ramen-level of funds. ;) That is possible, though. They make money per unit. They'd want to maximize it. The secure outfit will *not* be high volume. They will have to make enough profit to cover their expenses. Mikrotik will want to make their profit on devices that probably already cost decent money given their market segment. The price ends up being so much higher than original that it will be hard to justify it to customers in any serious volume. If just reselling their hardware, an OEM discount or license would be necessary just to survive.

I did consider having Shenzhen clone their hardware with non-Chinese components, though. Then you just have to buy a few units for your partners overseas. Then they rip you off turning it into their own business. Darn. Back to negotiating with people such as Mikrotik. ;) Seriously, though, there's probably EE's in various places with cheap labor that would happily tear one down to help clone the hardware. Thanks to The Embedded Muse by Jack Gansle, I have archived some places that do PCB's dirt cheap. Still need the software stack, though. Easiest start is cut down or enhanced OpenBSD as the GENUA did. Or hell, maybe just talk to them instead since we speak the same language. But I doubt they'll come down on price. Nope, nope. Not a successful, defense contractor.

March 27, 2017 10:33 PM

Kingman on Commenting Policy for This Blog:

Unfortunately, over many years (more than 10 years), I have noticed that this blog is dominated by a handful of individuals who - by posting incredibly long und difficult to understand "essays" - are de facto behaving like trolls. The same handful of individuals also regularly request the moderator to take down posts they do not like, an attitude you do not find on other blogs.

Also, I have noted that this blog gets more and more political. Trump bashing on the one side, calling the Trump fans names on the other side.

As far as I am concerned, I call it a day on this blog. Let the few ones have their monologues. There are far more interesting blogs, such as "Wilders Security Forums", that offer a good alternative.

March 27, 2017 8:58 PM

ab praeceptis on Commenting Policy for This Blog:

@not all but quite some

And again there is a lot about trump, nunez, and whatnot. So maybe a, granted, somewhat rude wake up call can support our host somewhat better than his quite friendly request:

Have a closer look at the abc conjecture and kindly note that the points neither need to be in Z ("integers") nor need they be limited to 1 dimension.

Quite some mathematicians have looked at and worked on the abc conjecture and variants thereof during the last 30 years. One example that is - or should be - of high interest to us is the work of erdös,ulam looking at points in R² (the rational plane). Luckily it's still an open question. I say luckily because it's of high relevance to ECC and might soon leave us with not much more than RSA, which is considered to be of a (somewhat) lower complexity.

So: Are you sure, really sure, that we should keep our focus on the daily farting in washington? I dare to suggest that we listen to our hosts request and focus on our field because, frankly, ECC - and crypto and good security in general - is by far more important, at least to us, isn't it?

Thanks for finally returning to what we should really focus on (or so I hope).

March 27, 2017 8:48 PM

Michael Crumpton on The TSA's Selective Laptop Ban:

The thing I don't understand is if the laptop is checked as luggage, couldn't it easily run a timer to detonate in the middle of the flight, or have a barometer to detonate at a certain altitude? even iphones have timers and barometers built in.

March 27, 2017 8:05 PM

ShavedMyWhiskers on The TSA's Selective Laptop Ban:

This seems to be targeting the airline economics or specific individuals.

There is no parallel mandate to use hardened luggage containers in the aircraft.

Baring extended delays only one or two devices could be opened and digitally investigated. Modern device are effectively tamper evident in their assembly and could be made more so by a competent individual or corporate IT guy.

There is no evidence of enhanced chemical detection facilities to apply to the departure or arrival stations.

A single device or small collection could be diverted and looked at in some detail in a second aircraft equipped with a lab.

Cloning a laptop with one or two TB of digital stuff takes time. Full disk encryption requires the full disk be cloned.

Devices and luggage do vanish for weeks and require a physical address for delivery.

March 27, 2017 8:03 PM

Ah the intrigue on Friday Squid Blogging: Squid from Utensils:

"Donald Trump's team 'wiping their electronic devices' in case they have to give evidence -- Allegations come just weeks after government lawyers ordered president’s aides to preserve materials that could be connected to Russian interference in 2016 election."

For what good it'll do since the metadata and collect it all...

https://www.independent.co.uk/news/world/americas/donald-trump-staff-wiping-electronic-devices-subpoena-fbi-investigation-russia-a7651276.html

"Senate Committee to Question Jared Kushner Over Meetings With Russians" (but not under oath)

https://www.nytimes.com/2017/03/27/us/politics/senate-jared-kushner-russia.html

(NYT in process of updating the story with new developments)

Ambassador Kislyak arranged meeting between Kushner and "Sergey N. Gorkov, the chief of Vnesheconombank, which the United States placed on its sanctions list after President Vladimir V. Putin of Russia annexed Crimea and began meddling in Ukraine...Mr. Gorkov is a graduate of the academy of Federal Security Service of Russia, a training ground for Russian intelligence and security forces." The White House has characterized these meetings as courtesy calls and a part of his ormal assigned duties as a part of the transition team. However now according to the NYT, the Russian Bank has described these as business meetings between it and the Kushner Companies. Speculating either for the bank to gain favor from the Trump Admin or for Kushner to enrich himself.

Of course we also have Manafort, Carter Page, and Roger Stone volunteering to be interviewed by the Congressional committees (but who knows when and probably like Kushner not under oath)

March 27, 2017 7:58 PM

Adam C on Commenting Policy for This Blog:

Really appreciate the platform here. The subject articles cover a nice range and I have always appreciated the high signal/noise in the comments. The Internet at its best.

March 27, 2017 7:23 PM

Mark on The TSA's Selective Laptop Ban:

My suggestion to everyone is simply not to go to the USA. I have never been, never wanted to go, nor will I go when the country is a police state. Questioned for social media accounts at the border? Not allowed to take certain devices? Blatant racial profiling? The FBI with 50% of adult's photos on record? That's a police state.

These post-9/11 security measures are utterly pointless and ridiculous. We all know that, and I enjoy arguing with the security people every time I go through an airport.

The best way that we, non-USA citizens, can protest is simply to withdraw our money from American companies. I'm personally boycotting all American companies.

@Bruce: This is the sort of comment that I hope you will continue to allow.

March 27, 2017 6:35 PM

Dirk Praet on The TSA's Selective Laptop Ban:

@ My Info

We're just not getting anywhere with health care in America or Western Europe until we fix the Vladimir Putin problem.

Could I interest you in the position of House Speaker? The current one is a bit under fire and there is no doubt in my mind that this beyond genius proposal could draw massive bipartisan support.

March 27, 2017 6:28 PM

Tõnis on The TSA's Selective Laptop Ban:

Do people still believe that any of this airport nonsense is about security? I'm disappointed that my countrymen have stood still for any of this "homeland" farce. Even the word "homeland" is ridiculous: completely un-American. I'm an American, but I'm also Estonian, and I speak the language fluently. "Homeland" is one of those words that sounds normal in Estonian, probably in most European languages, and maybe in Russian. It's totally not normal in American English. In Estonian, "fatherland" is also normal. As I understand it, for Russians it's the "motherland." So, which one is America, a fatherland or a motherland? The enemies of liberty who came up with this homeland security bs are laughing at the American people.

March 27, 2017 6:25 PM

Ted on Friday Squid Blogging: Squid from Utensils:

Just a quick comment on the United Airlines leggings controversy that was touched on in other threads.

If you read the fine print you will note that these girls were traveling on employee passes. My brother in law was an exec at a major US carrier and he always had to "dress up" for flights. I have many memories of my nephews protesting having to wear pants (as opposed to the omnipresent cargo shorts) and a button down shirt for flights. It's very strange to me that most of the press has buried this pertinent fact at the bottom of their coverage.

This incident did bring to mind a truly troubling incident I observed while traveling with my wife from a mid sized US city's airport. A girl whom I estimate was about 14 years old was at the TSA checkpoint and was being subjected to additional screening. She was wearing yoga pants and a tank top (the relevance will be clear shortly). She also had an insulin pump. Smaller than a pager and with a tube going into her body. The TSA inspectors stared at it as if it were the "demon core" from Los Alamos. They patted down every surface of her body despite the fact she was wearing skin tight clothes that she could not have concealed a handkerchief in let alone a nefarious device. They patted down her scalp though she had perfectly straight, flat shoulder length hair. After twenty minutes of this her father who had been very patient started to become vocal about the excess and the TSA finally dismissed her.

There are abuses going on in air travel but they are not employee dress codes.

March 27, 2017 6:07 PM

D-503 on The TSA's Selective Laptop Ban:

@Dirk Praet
SSDs, USB flash drives, and SD cards aren't magnetic media. They store info by rearranging static electrons (the same goes for most modern volatile RAM, too). No one suggested they're sensitive to magnetism.
That's why I was asking about ionizing radiation, not magnetic fields. It's irrelevant whether X-rays are magnetic or not*.
A DDR3 chip that's on does get messed up by the X rays used for carry-on in the US. I've done the experiment** ;-)
Stronger doses of X-rays are used for checked bags worldwide. Also for carry-on too in the sorts of places where terrorism is a bigger concern.
Re: manufacturers. Sandisk says their SD cards are "X-ray proof". But I haven't seen anything about tolerances, so my question still stands.

* A hair-splitter would point out that X rays are magnetic. X rays are just a shorter wavelength of electromagnetic waves, part of the same spectrum as radio waves, infrared, visible light, ultraviolet, and gamma rays. The reason that X-rays in normal doses don't affect magnetic media is that the spatial scale of X rays is much too small.
I remember reading somewhere that old-fashioned low-density magnetic memory is still used in some applications in outer space where ionizing radiation is a concern. Can anyone confirm or deny?

**An unrelated note: Never travel to the US with your electronic devices powered up. It's almost like handing over your passwords on a silver platter.

March 27, 2017 6:03 PM

Dave on The TSA's Selective Laptop Ban:

That fact that the UK immediately followed suit isn't that unusual, the US government said jump and the UK government responded "how high?". What's surprising is that Australia hasn't also immediately jumped as well, in the past they've been even more toadying to the US than the UK (there was the joke that while Blair was Bush's lapdog, Howard was Bush's doormat). So as with the reason for the US ban, it's just as easily explained by politics as security.

March 27, 2017 5:59 PM

My Info on The TSA's Selective Laptop Ban:

@DJ Justice

There is no question that there ARE groups of people around the world who want to explode bombs on airplanes for various causes. It's not unreasonable to assume that's true.

Once we build a psychological or criminological profile, they shift so they don't fit the "profile" anymore — and the minorities whom they hate are shoved into that "profile."

And meanwhile we give up the civil rights of 200,000,000 Americans, falsely, over 4,000 lives that were lost by terrorism on 9/11/2001.

The thousands, tens of thousands, even hundreds of thousands or into the millions of girls, boys, women, and even men who are trafficked by criminal cartels on the airlines just don't matter or even come into the calculation.

The lives destroyed, opportunities wasted, wonderful things that could have been but never were, because of false allegations of mental illness, and false association between said mental illness and terrorism — those just don't matter anymore. That one human being can be adjudicated as a mental defective in a court of law in the United States by another human being on a mere concern, allegation, or whim without examination or defense — that just doesn't matter anymore.

Yes, I said, "a mental defective." Not just mental defective. A mental defective, with an indefinite article in front of the already insulting term. In a court of law. With lifelong consequences. Without examination or defense.

They just don't get it. Even at the highest courts of the land, they just don't want to fix this particular abomination of the law. They like it the way it is. Just like Vladimir Putin who uses allegations of mental illness to punish his political opponents, and has his associate thieves in law set fire to the mental hospitals.

March 27, 2017 5:55 PM

r on Friday Squid Blogging: Squid from Utensils:

@Ah the intrigue,

Actually, that sort've makes sense if it was Numes that was the incidentally collected individual.

I'd go tell the president 'my bad' too if that were the case.

March 27, 2017 5:44 PM

Grateful anonymous coward on Commenting Policy for This Blog:

Bruce, thank you for being the human-in-charge of determining civility on YOUR blog.

Too often this is seen as infeasible or costly, unnecessary or tyrannical, etc.
Most are simply too lazy to attempt it, as such edits garner no praise until screamed for.

If more organizations found the interest/time/integrity to police their site/users with human eyes and reasonable interpretations of civility, we'd be a better society in all.

I do my best to maintain personal civility and integrity when interacting with your site for the simple reason that it is worthy of my best civic effort. It's a great blog.
You talk about powerful deep-reaching topics and you pull no punches.

If people can't talk about them without debasing themselves, they belong on lesser sites.
Carry on sir with my respects.

March 27, 2017 5:34 PM

DJ Justice of the integrity council on The TSA's Selective Laptop Ban:

"In the end, national security measures based on secret information require us to trust the government..."

"... that is becoming less and less reliable, transparent and overseen while openly destroying its built-in protections for underclasses, minorities, and little people..."

There is no question that there ARE groups of people around the world who want to explode bombs on airplanes for various causes. It's not unreasonable to assume that's true.

It's not unreasonable to assume some of these bombs can be made sophisticated-enough to visually mimic actual legit devices, like tablets and laptops. It's additional difficulty and expertise, but we're talking about nation-state budgets. It's feasible.

The question is : If you're interested in preventing that, what GOOD is a half-assed 'ban' on some countries but not others, enforced with varying degrees of pseudo-efficacy?

If you're going to enforce a hardship or cost on some threat vectors but not others, expect the bad actors to move to others. Where do you stop? Exactly. You do not.

At some point this stops being "security" at all, becoming nihilism or paranoia writ law.

Airplanes themselves are vectors. Everything is a security concern.
The justification is either efficient and logical, OR IT IS RIDICULOUS.

March 27, 2017 5:04 PM

My Info on The TSA's Selective Laptop Ban:

@Dirk Praet

Unless it was somehow related to the laptop ban, I believe it belongs in the Squid threat. I don't mean to be rude, but most regulars by now know you're transgender, and there really is little point seizing every opportunity to bring that up. @Clive has serious health problems, there's probably a decent percentage of other LGBTQ commenters here too, and they're not posturing about it either.

Wow! Just wow!

As far as the laptop ban, by "evil maid attack," I mean that this is an excuse to separate the laptops from their owners temporarily, e.g., in checked luggage, so that spyware may be physically installed on them.

Being transgender is simply yet another example of a situation makes one a target for sexually motivated cyberstalking and voyeurism on one's computer — security being especially relevant to this situation. I don't consider this to be posturing, and I particularly don't ask for any support in this respect on this forum except for that of the general computer security considerations which are of interest to the entire community that posts here.

I realize that @Clive has posted somewhat in the past about health issues — I have no reason to speculate whether or not that has anything to do with others on the forum who may or may not be "LGBTQ" as you say, or even whether that is even a medical issue per se or more of a food/drug/law-enforcement issue.

In the past few weeks I have suffered from a nasty spider bite as well as shellfish poisoning from a dish that was not even supposed to contain shellfish. Otherwise a human body is pretty much like that of an animal: if it breathes, eats, drinks, shits, and pisses regularly, and it has a normal range of motion, it's healthy, and in this day and age, if it ain't broke, don't fix it. I'm sorry but dogs get better health care than humans under Obamacare or Trumpcare or whatever they want to call it nowadays.

Reminds me of Alexander Litvinenko, who was poisoned to death with radioactive polonium on Vladimir Putin's orders. We're just not getting anywhere with health care in America or Western Europe until we fix the Vladimir Putin problem.

I still think the concern of bombs on laptops undetectable by the standard x-ray is mostly just theater and probably a diversion to gain physical access to the laptops to install spyware on them.

March 27, 2017 4:15 PM

albert on The TSA's Selective Laptop Ban:

Security Theater notwithstanding, how long would it take for a TLA to put a payload in a laptop, and what is the time between getting possession and loading it on the plane?

. .. . .. --- ....

March 27, 2017 4:05 PM

Jan-Willem on Commenting Policy for This Blog:

@Mark,

The point isn't that someone remarks on political comments from Bruce (on which you of course can disagree) or on the politics of the US,with which you can disagree as well. The point is that some people are bullying and are offending in their wordings.

I do agree with most of Bruce's opinions and sometimes disagree. Sometimes I react, other times I let it go. But as long as you come with clear statements, without bullying and without (on purpose) offending Bruce or people who comment, I think no one will remove your comments.

March 27, 2017 3:56 PM

Dirk Praet on The TSA's Selective Laptop Ban:

@ D-503

OT question: What's the effect of airport X-rays on SSDs, USB flash drives, and SD cards?

Unless otherwise stated by manufacturer: none. X-rays are NOT magnetic and should not damage or destroy electrical equipment or data that is sensitive to magnetism.

March 27, 2017 3:50 PM

A on The TSA's Selective Laptop Ban:

Likely the US did not import specific X-ray machines and image-matching software (for automatic matching of objects) to these countries, fearing that this technology would leak and will be easier to circumvent. Now this comes at a price of another fear -- of actual attack. Classic security through obscurity dilemma.

It shouldn't be difficult to do a precise match/search of an X-ray image against a database of 99.9% of all laptops in circulation (and deal with the remaining 0.1% non-standard/repaired laptops on a case-per-case basis). Such technology should be foolproof. Certainly will catch raspberry pi mentioned above. If it is foolproof, why worry about circumvention?

March 27, 2017 3:40 PM

Ah the intrigue on Friday Squid Blogging: Squid from Utensils:

@ A Hero Seeking Truth

Since he was a campaign and transition team member, perhaps Devin Nunes is himself a US Person incidentally collected, possibly unmasked, or one of the subjects of the FBI investigation into Trump-Russia ties. Perhaps he shared sensitive or classified info with other members of Trump's team that was then shared with foreign persons or simply inapropriately shared. Further the language that he used to explain the location where he received classified intelligence last week is cautious. He said he went to the White House to view the info to be in "proximity" to a secure location, thus apparently not actually inside a SCIF [Sensitive Compartmented Information Facility] which would be required. Got to love this nonsense!

March 27, 2017 3:40 PM

Jonathan Wilson on The TSA's Selective Laptop Ban:

Article on the Guardian suggests that the ban is because of evidence of a plot to put explosives into an iPad.
https://www.theguardian.com/world/2017/mar/26/plot-explosives-ipad-us-uk-laptop-ban

This does raise some questions:
1.Is this new information (from a "security source") accurate or is it something designed to direct attention away from the real reasons for the ban
2.Why has the USA implemented a different set of rules (covering the UAE and Qatar and exempting US carriers) than the UK?
3.Could the USA be using this genuine threat as an excuse to apply these measures to the big 3 middle eastern carriers (Emirates, Etihad and Qatar) as protectionism (what exactly are US carriers doing differently that other carriers out of these airports aren't doing that makes US carriers not need the extra securi6ty measures?)

March 27, 2017 3:33 PM

Anon on The TSA's Selective Laptop Ban:

In the last few days, there have been "security experts" saying that an explosive device in the hold somehow increases the probability of saving the aircraft, but that just isn't true. Lockerbie demonstrated that most catastrophically, with wreckage spread over most of Scotland.

Any explosive device on an aircraft is bad. It's just yet another feature of this restriction that makes no sense.

March 27, 2017 3:29 PM

Jason on The TSA's Selective Laptop Ban:

@compsciphd "How does checking the laptop mitigate this risk? Bag still goes boom and takes down plane."

I think his point was that checking the laptop doesn't mitigate the risk at all. Unless the check is the swab for trace explosive elements is the test, which as Bruce notes in his comment above, is routine by the TSA.

March 27, 2017 3:12 PM

Clive Robinson on Friday Squid Blogging: Squid from Utensils:

@ Figureitout,

Basically you have a data diode off your MCU to this module, and there's a little more assurance the LCD is just receiving commands

Err why add another MCU?

That little board contains a PIC MCU. You could solve the 4/8 bit databus issue to the MCU on the LCD controler in a lot simpler way, and potentially improve your system response as well not slow it down and add unneeded code.

Simply add a buffer or latch in the parallel data path to the LCD. In most cases it can be a 74C or 74LS part without any problems. If you use a very highspeed MCU in the main part of the design, the addition of a 7474 dual latch turns it into "Letterbox buffer" where you can step the data rate right down so you can use a longish length of ribbon cable etc without "Cattle trucking" your main MCU data bus every time you want to do a bit of "User Intetface I/O".

If you are going to add an extra MCU atleast make it work for you. That is get it to not just drive the LCD but also some LEDs, read in all the user controls such as buttons and potentiometers etc. Even provide a number of proper serial port interfaces which can be current loop or voltage based also I2C bus etc. It's what I tend to do in all but the smallest of designs because it becomes a "reusable part" you can just pull in knowing it will work for you. Further it gets rid of a lot of "bit banging" and "debounce" code you would have to redo and test each time you produced a new design.

March 27, 2017 2:59 PM

A Hero Seeking Truth on Friday Squid Blogging: Squid from Utensils:

House Intelligence Committee chairman Devin Nunes, it should be said, has a history of cultivating independent sources inside the intelligence community. He made contact, for example, with the U.S. intelligence contractors who ended up saving most of the Americans stuck in the Benghazi outpost when it was attacked on Sept. 11, 2012. More recently, Nunes has reached out to his network of whistleblowers to learn about pressure inside the military's Central Command on analysts to write positive reports on the U.S. campaign against the Islamic State.

In this case, Nunes had been hearing for more than a month about intelligence reports...
https://www.bloomberg.com/view/articles/2017-03-27/devin-nunes-explains-his-white-house-visit

March 27, 2017 2:36 PM

Ah the intrigue on Friday Squid Blogging: Squid from Utensils:

Devin Nunes Met Intelligence Source on White House Grounds

https://www.nytimes.com/2017/03/27/us/politics/devin-nunes-house-intelligence-committee-white-house-wiretap.html

Then he held a press conference. Then He raced back to the White House to tell President Trump. Then he held another press conference at the White House. Then he apologized to the Commitee for not telling them first. Then he cancels public hearings Clapper and Brennan and Sally Yates...O Brother

March 27, 2017 2:17 PM

compsciphd on The TSA's Selective Laptop Ban:

"Get the 15" laptop, throw all the electronics away, leave just screen and keyboard.
Put Raspberry Pi and three AA batteries inside. Voila - you are able to show TSA staff that this is really laptop, which executes some code, and have a lot of space inside to put in explosives. Moreover, you have powerful processor and lots of program-controled pins to implement timer initiator."


How does checking the laptop mitigate this risk? Bag still goes boom and takes down plane.

March 27, 2017 2:02 PM

J. XCheck on Commenting Policy for This Blog:

Absolutely. The decline in civility, along with Social Media echo chambers and corrupt governments are all real concerns. I admire the honesty, openness and the highest professional and ethical standards Bruce embodies.

March 27, 2017 1:35 PM

Jeff on Commenting Policy for This Blog:

First, Bruce, i have been reading your blog since you began and it would push me even closer to retirement if we were to lose your civility, insight, depth and breadth of exploration of the security ramifications of as much of our current civilization as you have the time to explore.
Second, i would, respectfully, like to disagree with LMK about ending comments. I agree with several of the other guests here that disagreement or expansion or tangential comments only expand my ability to grok the whole. Long live The Savant, Bruce!

March 27, 2017 1:27 PM

Kevin H on The TSA's Selective Laptop Ban:

The only key difference is to separate the traveller with their electronics. Once one's electronics are in a checked bag, copying the contents of a hard drive or inserting some NSA/CIA created malware would be possible without alerting the traveller that an interception had taken place.

March 27, 2017 1:24 PM

smudge2112 on Commenting Policy for This Blog:

I've been reading for many years and never posted before but always knew that I could if I felt the need or desire. Thank you for keeping the comments going and thanks for doing what you do. I've learned as much from the comments as the articles in many cases and both have been invaluable to me.

March 27, 2017 1:10 PM

Ross Snider on The TSA's Selective Laptop Ban:

This recommends an interesting (counterintelligence) threat scenario: an adversary comes up with a threat (with no intent to actually carrying it out) but make sure that intelligence can sniff it. They can then watch with satisfaction as a large number of costly countermeasures are made, people are pained, travel is disrupted, and politics is affected. The technical hurdle to overcome/protect against is what grows to the level that it is deemed "credible". I presume intelligence today looks to see if there appear to be real moves to implement a plan (buying tickets, laptops, etc)?

March 27, 2017 1:06 PM

D-503 on The TSA's Selective Laptop Ban:

OT question: What's the effect of airport X-rays on SSDs, USB flash drives, and SD cards?
Any information storage that's based on parking and counting electrons can be comprimised by ionising radiation. Airport security X-rays are strong enough to fog high ISO silver halide film* and flip bits in DDR3 RAM.

*Back in the stone ages, before digital photography, I remember putting rolls of film in baggies to be inspected separately. Back in those days, airport security routinely looked through your camera's viewfinder and through any removable lenses.
Even further back in the stone ages (1970s), way back when, when terrorism was actually a significant threat, airport security objected to spiral-bound notebooks (because the wire could be used as a garotte?)

March 27, 2017 12:58 PM

Sok Puppette on The TSA's Selective Laptop Ban:

Forcing a would-be bomber to put larger laptops in the plane's hold is a reasonable defense against this threat, because it increases the complexity of the plot.

No. No it's not. It doesn't increase the complexity enough to be worth its cost.

It isn't hard to build a working bomb. But it's harder than hooking up a timer, which you can buy readymade anywhere. And if you look at the complexity of building not just any bomb, but a bomb that can go into a laptop and not make that laptop look totally pathological on X-ray, then that's really a lot harder than adding a timer. Not to mention that you have to defeat the chemosensors and spectrometry and I don't know what all that are floating around at airport security (for both checked and unchecked luggage). And don't even get me started on the complexity of setting up a conspiracy to evade inspection entirely.

So, if you're really so obsessed with attacking planes that no other target will do, not even the airport security lines themselves, then asking you to check your "laptop" doesn't raise the bar for you very much. Hell, if you can't come up with a timer, and you really think carry-on is a big advantage for you, then put your bomb in a book or something. There are a million ways to go. Not that many people are so obsessed with both planes and laptops that they're going to discard all those options.

The reason we're not seeing very many plane bombings of any kind, successful or otherwise, is simply that a terrorist's expected ROI on any plane bombing is already pretty poor, and smart terrorists, the kind who have any real chance of carrying off anything at all, will see that and go do something else. That and the fact that such people are extremely, monstrously rare to begin with.

Why go to all that trouble when you can keep people freaked out by shooting up a nightclub every few months?

March 27, 2017 12:49 PM

Dmitry on The TSA's Selective Laptop Ban:

The EFF has already said most of my thoughts on the matter in a more eloquent manner.

@Pete

I don't quite agree with the idea that security on planes should be essentially dropped, but I agree that many current measures are just counter-productive security theater.

Your numbers are quite clear though. Road security is magnitudes more important and nothing significant is being done. I agree.

@Dominik

So I'm not the only one that thinks that's a stupid and irresponsible behavior. Good.

March 27, 2017 12:28 PM

Dirk Praet on The TSA's Selective Laptop Ban:

@ D-503

The Washington Post and the US edition of The Guardian have reported a similar accusation, this is a protectionist measure to help US-based airlines

With what we know for now, it's the only explanation that makes sense. Why the UK decided to follow suite and the rest of Europe didn't is probably more a political than a security related question.

@ My Info

Re. Here’s why United Airlines banned girls with leggings from a flight

Unless it was somehow related to the laptop ban, I believe it belongs in the Squid threat. I don't mean to be rude, but most regulars by now know you're transgender, and there really is little point seizing every opportunity to bring that up. @Clive has serious health problems, there's probably a decent percentage of other LGBTQ commenters here too, and they're not posturing about it either.

March 27, 2017 12:13 PM

r on Friday Squid Blogging: Squid from Utensils:

@jg4

Mythbusters did a feradyne episode, steel screening beats bronze hands down for their measurements. I'm not sure whether aluminum was tested? I don't think I've ever seen it irl.

March 27, 2017 11:59 AM

JG4 on Friday Squid Blogging: Squid from Utensils:


appreciate very much the discussion of inexpensive, secure platforms. I may have some useful thoughts on the energy gapping. you won't beat the price of plywood or aluminum window screen, which also can be backed with foil. my favorite foil is 0.005" thick. the screen helps insure contact between sheets.

the answer to the threat model question that I posed (yesterday?) is Spookwerks West. they'll sell any information that they harvest to anyone, anywhere in the world, for any purpose, without regret. and you won't even know it happened

http://www.nakedcapitalism.com/2017/03/links-32717.html
...
Big Brother IS Watching You Watch

New WikiLeaks dump: The CIA built Thunderbolt exploit, implants to target Macs Ars Technica

https://arstechnica.com/security/2017/03/new-wikileaks-dump-the-cia-built-thunderbolt-exploit-implants-to-target-macs/

Blissful bathrooms: smart showers, magic mirrors and fun loos keep you connected at all times SCMP. Creepy– even absent a mention of a camera-containing microwave.

http://www.scmp.com/native/lifestyle/topics/premier-living/article/2081166/blissful-bathrooms-smart-showers-magic

see also:

"Much Worse Than Watergate", Former CIA Officer Admits Trump 'Wiretapping' Likely True
http://www.zerohedge.com/news/2017-03-26/much-worse-then-watergate-former-cia-officer-admits-trump-wiretapping-likely-true

long popcorn futures, short US equities


March 27, 2017 11:57 AM

Caspar Harmer on The TSA's Selective Laptop Ban:

What we should do is require that all largish electronic devices be put in a kind of trailer sticking out the back or towed behind the plane. People who want to work on their laptops could use a kind of cloning service for their data and use a Airline supplied laptop. Voila!

March 27, 2017 11:53 AM

My Info on The TSA's Selective Laptop Ban:

Re: my previous comment

Here’s why United Airlines banned girls with leggings from a flight

http://www.nydailynews.com/news/national/united-banned-girls-leggings-flight-article-1.3010391

But the policy at United, which has mostly male leadership, is notable for one thing: Many of its clothing rules apply mainly to women.

I should know. Under this policy the transgender are considered terrorists and prohibited from flying at all.

But the real reason for this incident is that Minneapolis is quite a "destination" for underage girls. ... meaning that said underage girls are being trafficked there, lest there be any doubt.

March 27, 2017 11:44 AM

D-503 on The TSA's Selective Laptop Ban:

I feel silly now. Bruce has already posted a link to the Washington Post story!
@Winter
Thanks for the link! People have already pointed out that any attack that can be done from a laptop can also be done from a smartphone. If someone is technically competent enough to hack a flight control system from a laptop computer, then it isn't that much of a step to do the same attack from a smaller form factor computer, AKA "phone". Someone correct me if I'm wrong, but I thought "smartphone" = "smaller electronics that [snip] hide a complete computer".

Israeli security takes a "no-nonsense" approach: they simply shoot your laptop to make sure it isn't dangerous.
Recently, Canadian airport security blew up an unfortunate passenger's laptop. The passenger looked working-class, so airport security assumed she couldn't be the owner of the laptop. Afterwards, local charities pooled together to buy her a new computer.
I don't know how airport security would react to a laptop whose contents have been customised (eg, hard drive replaced with SSD, etc.). Such customisations are becoming more common, but not common enough that airport security would necessarily know what they're looking at in an X-ray.

March 27, 2017 11:42 AM

James on The TSA's Selective Laptop Ban:

Terrorists have probably worked out how to both have a laptop that at first sight turns on like a normal machine, and doubles as a bomb. Off to the top of my head this could be done with a Socket-On-Chip machine with the GPIO wired up normally to correspond to the laptop "on" button.

The ban applies to airlines in predominately Muslim countries probably because that's where (since the 1970s) these types of attacks have come from pretty consistently. Nobody worries about Nuns or Methodists downing planes.

That said I agree there is nothing stopping a terrorist bringing a bomb into Europe via his checked baggage and flying from there. What is also a mystery is the UK and U.S. bans do not fully overlap either from originating countries, nor airlines. Four countries included in the U.S. list - the UAE, Qatar, Kuwait and Morocco -- are absent from the U.K. restrictions, while the UK has additional airlines covered - Jet2, British Airways, Monarch, Thomas Cook, and Tunis Air to name a few.

March 27, 2017 11:32 AM

ab praeceptis on Friday Squid Blogging: Squid from Utensils:

Nick P

I can't comment on that as I know next to no nothing about mikrotik as a company, let alone about their management.

For the rest I agree with you but I'm doubting that they will do what you - quite reasonably - suggested.
It's weird; one would think that any company coming up with a network box that could reasonably and credibly (or even provably) be called secure would earn loads of money - yet no company seems to do that.

My (probably utterly wrong and misguided) explanation is that one needs to have quite a lot of knowledge of a technical/mathematical nature to understand the problem and to judge whether some approach is promising or not. Management, however, pretty everywhere seems to tick very differently and to moreover prefer marketing over reality. In other words, management tends to think in terms of insurance prices being lower (or not), bureaucratic standards (like pci), and most of all, security to them is what one can sell as security.

But luckily mikrotik (or any other existing board/boxes company) isn't needed. One could as well create a new company around a secure software stack for e.g. mikrotik boards, buy them with volume discounts, and sell them as "XYZ secure router" (xyz being the new company).

And we *do* have quite some building blocks and tools available. I certainly don't need to give you examples; you probably know more kernels, OSs, libraries, etc. than anyone here.

So, all in all, I think that would be an achievable - and very worthwhile - goal and mikrotik boards might be a reasonable, easily available and relatively cheap hw. base.

March 27, 2017 11:24 AM

Astromac on The TSA's Selective Laptop Ban:

@andy, @Jered: Please do not perpetuate the myth that US carriers don't fly to those airports. It is simply not true. Multiple US carriers do fly to several of those airports.

I also think the most likely explanation to the ban is economic retaliation against the Gulf carriers and Turkish airlines, which have greatly expanded their offers to the US. However, the fact that the UK also went along with the ban and given that they included UK carriers as well, lends some doubt to that idea. Could it be that Bannon et al. are so dumb that they fed the UK disinformation to enforce their nationalistic brand of economics?

A terrorist with half a brain will naturally fly to another destination before going to the US/UK. Presumably the US also tried to push Europe to this silly ban, but perhaps they are not so eager to follow the "leader" as the UK.

@Victor Wagner : you have a good point. However, taking out the internals of a laptop, replacing with a working small computer, connecting every little thing, filling up voids with a bomb is not a straightforward task. Especially because laptops are x-rayed, and such a homemade concoction of electronics would probably stand out. Much easier to just throw a bomb in checked luggage and time it well.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.