Recent Comments


Note: new comments may take a few minutes to appear on this page.

May 28, 2017 5:09 AM

Slime Mold with Mustard on Friday Squid Blogging: Squid and Chips:

@ Clive Robinson

(continued from previous squid thread)

Re: SS Richard Montgomery
https://www.schneier.com/blog/archives/2017/05/friday_squid_bl_578.html#c6753253

Good Sir;

I undertook to look into this shipload of ordinance sunk in the Thames Estuary and was surprised to find yourself (especially) much in error. Less in that you misstated the quantity of explosive, but in that of its potential effects on the heart of London(Canary Warf et al) for even a half megaton blast. You have certainly forgotten much more about physics than I ever knew. Yet you gave some sort of credence to such a blast damaging "Canary Warf" (whether the district, the building or the tube station you did not specify) some 40 kilometers distant. I have little used the inverse square law in the last few decades. We have something similar at my firm that we call "diminishing returns".

I did look at the "London Clay" for liquification possibilities. The easily available material does not list depths of strata, thus I remain ignorant of the mass, yet the law of inverse square still applies.

I considered hydrostatic shock and waves, until I saw Gravesend (retirement village?). Fluid shock waves don't do corners.

Most especially, if you can bring yourself to use JavaScript, the third illustration at this site
https://www.quora.com/How-lethal-are-Pakistans-nuclear-weapons-How-much-area-would-be-immediately-destroyed-in-a-single-attack

From a 500 kt ground burst:
Moderate damage to commercial buildings at 5.76 kilometers, and light damage to 9.3 kilometers

Of course, the SS Richard Montgomery contains something closer to 1400 long tons of bombs. The bureaucrats mislead: Roughly 40% of a bomb's weight is explosives. 560 tonnes of stuff. The phosphorous being quite the hazard if:

Londoners bought into a bit of the hype about the nearby Grain Island LNG plant. The Army taught me about something similar. All a can say is that, although the danger is not zero, in the unlikely event the SS Richard Montgomery fully exploded, the risk to people near the gas plant is overwhemlingly from the ship, not the plant.

Sheerness, port and village, would suffer quite a lot. I really ought to exploit the Fear Uncertainty and Doubt for financial gain (real estate), but every time I cross a border, I need more (business) lawyers. Slime Mold recoils in horror at their uncleanliness.

All that having been said:

FIRST CLASS MOVIE PLOT!!!

May 28, 2017 4:52 AM

Ratio on Friday Squid Blogging: Squid and Chips:

Tainted Leaks: Disinformation and Phishing With a Russian Nexus:

Key Points

  • Documents stolen from a prominent journalist and critic of the Russian government were manipulated and then released as a “leak” to discredit domestic and foreign critics of the government. We call this technique “tainted leaks.”
  • The operation against the journalist led us to the discovery of a larger phishing operation, with over 200 unique targets spanning 39 countries (including members of 28 governments). The list includes a former Russian Prime Minister, members of cabinets from Europe and Eurasia, ambassadors, high ranking military officers, CEOs of energy companies, and members of civil society.
  • After government targets, the second largest set (21%) are members of civil society including academics, activists, journalists, and representatives of non-governmental organizations.
  • We have no conclusive evidence that links these operations to a particular Russian government agency; however, there is clear overlap between our evidence and that presented by numerous industry and government reports concerning Russian-affiliated threat actors.

May 28, 2017 3:47 AM

Clive Robinson on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

@ ab praeceptis, Nick P,

It's no secret that I don't like some of the implications of pointers.

Specifically pointers to data objects and who in essence actually owns the data object at any point in time. Whilst not too much of an issue in a process with a single sequential thread of execution, issues quickly arise with two or more threads. The brut force method being to lock an object to who it was last passed to (Rust's way of doing things) irrespective of if it was for reading or modifing the daya object. Under the same brut force mentality you have to lock the entire data object not individual data items within it.

In nearly all cases the use of clean functions that pass by message/value resolve the issues painlessly. And as a side effect tend to make generic garbage collection unnecessary as adjusting the stack frame on function termination resolves that. But the problem with this is three fold the size and duplication of the data object passed and likewise the return value(s) from the function, that might be used to update the data object, in effect pushes you back to single sequential thread operation and locked records.

Whilst a human can by having intimate knowledge of the function of the code can work around this, in general compilers can not because they lack knowledge to do anything other than brut force locking. Attempts to describe the function of the code via lables such as const / static etc still do not get around the problem.

In fact as a generalised case Process Callculi are defined to use message passing channels not by sharing variables, for good reason.

Whilst I won't say passing pointers is an abomination, the abuse many code-cutters subject them to is very definitely an abomination.

May 27, 2017 10:48 PM

ab praeceptis on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

Nick P

Y. Moy is a bright and capable man but again: he is not Ada or adacorp. He is not even Spark. That is not meant in any way against Y. Moy but rather to put your story into a frame. What you call "quite a bit of corroboration" still is far away from "Ada/Spark will use Rusts pointers". Also Y. Moy didn't admit anything; he merely mentioned something that is, btw, *not* high up on adacorps ToDo list. Putting an intern at something usually translates to something like "is probably worth a closer look and some experimenting".

You also consistently fail to see the importance of language. This is not some game where one collects safety items and strives to have the best ones. Ada simply has BY FAR less need for safe pointers than C family languages.

One point that immediately struck me was the clear hint at something that tells a lot about the Ada people and reminds of the difference between professionals doing something vs. some amateurs playing around: Math at Inria and a strong desire to have it properly formally verified, both the design and the resulting code.

"In Ada, they can't without garbage collection" - uhm, garbage collection is optional and many Ada compilers don't have it (and I certainly don't miss it). More importantly, though, that demonstrates once more that you might want to pick up on my multiple strong hints about language specificity. That whole garbage collection mindset comes from a certain background, often C and family, but is of far lesser importance for other languages. So, for Rust GC might be seriously attractive but many Ada compilers do not even plan to work on it; it's simply an unimportant gadget.

"The concepts of maximizing potential and ROI means you want to create as many great things as possible with as little effort as possible." - Uhum. And what is "great things"? Unless "great things" means crap (like most code we have that was driven by profit greed and incompetence), if it means at least halfway decent quality we are back at formal methods and languages like Ada oder Eiffel, etc.

And I'm back at my "report" where I - with good reason - mentioned that TDC (total development cost) with Ada is *not* higher than with C and family. This is even way more true if we include maintenance.

So what are you arguing here? That we should throw millions of more hours and billions of more $ at the C family in the hope that one day in the year 2700 it might be able to deliver "great things" of halfway decent quality with not too much effort - say, like what we can do today even with Object Pascal (not even to mention Ada)?

"Forcing long, hard work in separation logic like Microsoft tried to do in Hyper-V is terrible compared to how quickly Redox team threw together a whole OS with same safety guarantees on heaps just using Rust's borrow-checker. Same benefits with fraction of knowledge or work = better solution."

Theory and improper, too. For a start the "long, hard work in separation logic" of microsoft lead to *provably safe* code. I've yet to see that for redox. Moreover you are comparing apples and horses, namely early research work of microsoft vs. much later work (btw quite probably profitting from microsofts earlier work). Furthermore Rust's borrow-checker solves 1 (in words: one) problem only, albeit a major one while microsofts work solves whole problem classes and offers formal verification.

And again: I did concrete work, I solved concrete problems in C, Frama-C, verifast (sep logic) and in sparked Ada. I have concrete experience with concrete work. And the result is that working in Ada is about as fast as in C and much, much more efficient and faster than ACSL annotated C plus Frama-C checking (which btw. is a pita even just to set up) or sep-logic annotated and checked.

That is a tremendously important result because it means that we can build "many great things ... with as little effort as possible." or, more concretely with about the same effort - but with hugely higher quality!

"Rust's temporal safety" - ... is mostly a misnaming. Yes, temporal aspects may play a role under certain circumstances but the thing you are talking about is mostly memory safety. As for temporal safety there is much more needed than merely pointer safety. And btw. Ada offers a lot in that regard since a long time (I'd love to talk about Eiffel, too, but a) my experience with Eiffel is quite limited and b) multitasking of any kind is quite new there).

As we are on a security blog, let me mention an example that is of importance in crypto protocol verification, namely the temporal pi calculus implication, i.e. a statement like "event A implies that there was event B before" which btw can also be transformed for what you meant, i.e. memory safety with multiple tasks -> "event 'grab token' or 'change bit' implies that there was an event 'release token' before".

All in all, yes, Rust probably is better suited than C to create less buggy software but as soon as we talk real safety we can't but talk formal verification, too.

Closing, I have a maybe interesting tip for you: as you like to dig into papers and concepts, you might enjoy a deeper look into the Pony language; you'll even find something similar to Rust's approach plus an amazing evolution towards quite well done and blazingly fast actors.

May 27, 2017 9:41 PM

Nick P on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

@ ab praeceptis

"For a start Yannick Moy != Ada(core). Y. Moy, who has a strong background in C/C++, with emphasis on safety and checking, is a senior engineer at adacore and mainly involved with Spark from what I know."

Yannick understands Ada enough to work on its flagship implementations at the main company contributing to it. That he admits the hole I describe is there is quite a bit of corroboration.

"Also kindly note that Ada's unchecked_deallocation is *not* something dangerous or evil (as it may sound); it's merely about deallocating a pointed to object expressly as wished by the programmer."

You could say the same thing about C or C++. The programmer wants to do that operation safely for good reasons involving dynamic, memory management. In Rust, they can. In Ada, they can't without garbage collection. Ada in FOSS also doesn't have a garbage collector as good as Go's per Yannick. Hence, Ada needs to have one or both of these to be safe in situations the competition is which Ada can't handle.

"On the other hand, people being people and existing software being what it is (e.g. OS or lib Interfaces) pointers are sometimes used, be it out of utter necessity or due to idiocy."

Rust is utterly dominating such extensions in terms of a safe, high-performance language doing them. Ada uses the same platforms without the same benefits. Your counter is actually corroborating Yannick and I's position that a borrow-checker in Ada would be a good thing.

"To me that simply translates to "I don't care. Let them play, I have work to do". Verification is no burden, it's a gift from heaven."

Intellectually stimulating but not in general. The concepts of maximizing potential and ROI means you want to create as many great things as possible with as little effort as possible. Forcing long, hard work in separation logic like Microsoft tried to do in Hyper-V is terrible compared to how quickly Redox team threw together a whole OS with same safety guarantees on heaps just using Rust's borrow-checker. Same benefits with fraction of knowledge or work = better solution.

Rust's temporal safety hit a sweet spot between cost and benefits I rarely see. So, I'd prefer the other safe, system languages to have the same capability. Otherwise, a concurrent, low-latency GC that can be customized to the job at hand more like Go to save programmers effort. However, if Rust people can handle borrow-checkers, the straight-jacket-loving developers using Ada should be able to do it just as well. Maybe better combined with other features of language.

May 27, 2017 7:43 PM

bullfrog on Friday Squid Blogging: Squid and Chips:

@ Clive Robinson:

Is it possible to detect anything from the old "dumb" wrist watches which many stores continue to sell today? Do they spill any details which could be used to monitor/track people?

Is it possible to "poison" a SATA Controller and utilize the LED light for nefarious purposes? I recently disabled a noisy one in BIOS because it wouldn't shut up.

May 27, 2017 7:41 PM

Pandora on Friday Squid Blogging: Squid and Chips:

@ Clive Robinson:

Is it possible to detect anything from the old "dumb" wrist watches which many stores continue to sell today? Do they spill any details which could be used to monitor/track people?

Is it possible to "poison" a SATA Controller and utilize the LED light for nefarious purposes? I recently disabled a noisy one in BIOS because it wouldn't shut up.

May 27, 2017 7:24 PM

ab praeceptis on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

Nick P

For a start Yannick Moy != Ada(core). Y. Moy, who has a strong background in C/C++, with emphasis on safety and checking, is a senior engineer at adacore and mainly involved with Spark from what I know.

What he says about that intern is focussed on a certain quite specific problem where Rust like pointer may or may not be helpful.
Also kindly note that Ada's unchecked_deallocation is *not* something dangerous or evil (as it may sound); it's merely about deallocating a pointed to object expressly as wished by the programmer.

But the problem goes far deeper. We (safety oriented Ada people) have a "hierarchy" from desirable down to undesirable and pointers ('access types' in Ada lingo) are considered undesirable; sometimes necessary (e.g. at the OS interface) but undesirable. Another example is pointer arithmetic; it's available in Ada, too ("hidden away", of course) but you'll hardly get an Ada developer to use pointer arithmetic without seriously urgent need or a liberal dose of beating him.

On the other hand, people being people and existing software being what it is (e.g. OS or lib Interfaces) pointers are sometimes used, be it out of utter necessity or due to idiocy. It's *that* dark and sad corner Y. Moy is talking about and not about Ada somehow throwing away all its beauty only to follow the Rust creed.

Moreover keep in mind that Moy is mostly about checking, Spark, proving, etc. So, his statement is *not* "Rust does it better. We'll switch" but rather something to the effect of "Rust pointers are attractive for *checking* and bookkeeping. We should look at that".

There are - like everywhere - of course different factions within the Ada community, one of which is the lenient one with e.g. Moy (maybe to a degree also driven by business interests); I myself belong to the other faction, the one that says "Let them die. More often than not pointers are evil and if used at all, that should be left to only the experienced wise masters. If a grasshopper uses them and dies that's just natural selection and a solved problem".

Which brings us to the next point. Sorry if I'm blunt (my english isn't good enough to put it elegantly) but I don't trust or care a rats rear about Rust. Simple reason: To me "open source community" translates pretty directly to "bunch of idiots". Of course, there are usually some bright or even brilliant individuals involved, too, but "democracy", "equality", bla bla etc, quite commonly and reliably is but a recipee for disaster.

"It also eliminates need for separation logic like VCC uses for temporal safety since it does same thing *without any verification effort*."

To me that simply translates to "I don't care. Let them play, I have work to do". Verification is no burden, it's a gift from heaven.
And btw, even if Rust really had solved the pointer problems (which I doubt until I see rigorous proof) so what? There is still plenty enough crap in their C heritage rucksack. And let's not forget the ugly fact that mozilla not only gave us Rust but they also gave us the browser cancer which is their main product as well as the javascript plague. I won't touch anything from mozilla with a pole.

May 27, 2017 7:03 PM

Captain Jack Sparrow on Friday Squid Blogging: Squid and Chips:

Lubuntu 17.04 & Current Debian LiveCD's Missing Critical Utilities

The Lubuntu 17.04 Desktop/Live CD(ISO) is missing:

Package: net-tools[1]

It's pathetic when you use a LiveCD today and discover
you don't have something as simple as netstat and other
important tools available.

It's also quite pathetic to discover the recent Debian LiveCDs
are missing UFW[2].

[1] "This package includes the important tools for controlling
the network subsystem of the Linux kernel. This includes
arp, ifconfig, netstat, rarp, nameif and route."

[2] "The Uncomplicated FireWall is a front-end for iptables, to make managing a Netfilter firewall easier. It provides a command line interface with syntax similar to OpenBSD's Packet Filter. It is particularly well-suited as a host-based firewall."

May 27, 2017 4:27 PM

neill on Ransomware and the Internet of Things:

@Andy

it's CPU intense, but filters&pattern recognition can be much more effective when you have more samples (from my whole neighborhood)

i'll happily pay my ISP $5/mo more if that keeps me safe, and i don't have to spend time updating my firewall.

May 27, 2017 3:02 PM

Figureitout on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

Clive Robinson
--Well how do you know he didn't think it up himself, especially if it's "missing some spots"? Need to prove that first eh? It won't get a lot of uptake if it's locked behind a paywall. I didn't realize every post online is copyrighted.

Oh I tried to buy bruce a drink but he dipped out to his hotel room then plane after a talk. So sorry I guess a digital beer will do (and I'm not doing your toslink data diode either 😂😂)

May 27, 2017 2:24 PM

Ministry of Truth on Friday Squid Blogging: Squid and Chips:

Revision 2 of my essay with minor corrections

Jesus hated privacy and anonymity[1]. Only somebody who hates Jesus or hates Christians, someone like a Muslim(terrorist) would advocate for privacy.
The declaration of independence wasn't drafted anonymously or anything like that[2]. No. Only somebody who hates America would want anonymous communications.

Firewalls, antiviruses, GPG/PGP[3], LiveJournal(warning! clicking this link classifies you as a Muslim extremist)[4], Tor[5], TAILS[6] and anything else that makes it harder for people to damage your computer or to steal your personal information is an offensive weapon, a cyber munition that causes mass destruction.

On the other hand, things such as network exploitation techniques[7], viruses[8], spyware[9], Denial of Service tools, sabotage of NIST security standards[10] (standards which must be secure to protect the secret service from being murdered[11]), preventing 0-day vulnerabilities from being fixed[12], and so on, factor into "defense". These defensive strategies do not put civilians at risk[13].

These things are for your protection[14]. It makes perfect sense for Anonymous to wear Guy Fawkes masks while DDoSing any dissidents/anyone else who is against Big Brother[15].

The government is above being hacked[16], so you should trust them with your mind body and soul. Failure to accept their mark will result in exclusion from all types of commerce[17], so accept it for your own good. Make sure to protect your children from peeping toms[18] and stalkers[19] by making them accept it too[20].

The only real government is the US government. The US government does not test their chemical weapons on its own students[21], does not use incendiary weapons against civilians in other countries[22] to "liberate" them[23], and does not use nuclear weapons of mass destruction against massive civilian cities to coerce other governments into surrender[24] (that's what Iraq did[25], not America!) Such acts are the two most common definitions of terrorism[26].

The US Government is doing everything it can to prevent Russian czars from having an easy to use, single point of attack (killswitch) that just takes one person to press it to instantly bring the entire US economy and all networked medical services to its knees[27].

The best way to catch terrorists and extremists is to look for groups that use fear to prevent discussing of opposing idealogies[28] instead of simply making a logical argument against their opponents' idealogies.
Another way to spot terrorist is that they try to inspire feeling of fear and hopelessness severe enough for people to stop even TRYING to be safe[29].
Terrorists can also be identified by their tendency[30] to incite[31] others to violence[32], also known as inciting others to violence[33].

Also, it has recently been found that safety features in computers and cars can benefit terrorists, so all anti-viruses[34] and airbags must have an easy, fast, sure way to be remotely disabled without alerting the occupants.
Good night and God bless America.

Works Cited

[1] https://www.gotquestions.org/do-not-tell.html
[2] https://constitutioncenter.org/blog/why-did-jefferson-draft-the-declaration-of-independence/
[3] www.loundy.com/Roadside_T-Shirt.html
[4] www.linuxjournal.com/content/nsa-linux-journal-extremist-forum-and-its-readers-get-flagged-extra-surveillance
[5] https://www.techdirt.com/articles/20140703/02494927769/nsas-xkeyscore-source-code-leaked-shows-tor-users-classified-as-extremists.shtml
[6] https://twitter.com/josephfcox/status/859357743051927552
[7] https://zeltser.com/what-are-exploit-kits/
[8] http://www.computerworld.com/article/2516109/security0/why-did-stuxnet-worm-spread-.html
[9] surveillance.rsf.org/en/amesys/
[10] https://projectbullrun.org/dual-ec/
[11] https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
[12] https://www.rt.com/usa/170264-eff-nsa-lawsuit-0day/
[13] http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar
[14] https://duckduckgo.com/html?q=This%20is%20for%20your%20protection.%20A%20yellow-coded%20curfew%20is%20now%20in%20effect.
[15] http://countercurrentnews.com/2015/02/white-house-responds-to-anonymous-opisis-cyber-attacks-against-terror-group/
[16] https://en.wikipedia.org/wiki/The_Shadow_Brokers
[17] https://nakedsecurity.sophos.com/2016/02/29/tor-users-being-actively-blocked-on-some-websites/
[18] http://kettyle.com/gchq-webcam-snoop/
[19] http://www.telegraph.co.uk/technology/internet-security/10665599/GCHQ-secretly-captured-images-of-innocent-webcam-users.html
[20] https://www.wired.com/2013/08/student-rfid-chip-flap/
[21] https://en.wikipedia.org/wiki/Project_MKUltra
[22] https://muslimvillage.com/2013/08/29/43177/obamas-holy-tomahawk-war-on-syria/
[23] http://www.pravdareport.com/world/asia/16-05-2017/137750-trump_tomahawks-0/
[24] https://en.wikipedia.org/wiki/Atomic_bombings_of_Hiroshima_and_Nagasaki
[25] http://tvnewslies.org/html/iraq_nukes.html
[26] http://www.dictionary.com/browse/terrorism https://www.merriam-webster.com/dictionary/terrorism
[27] http://original.antiwar.com/justin/2010/06/20/kill-the-kill-switch
[28] http://www.huffingtonpost.com/2013/11/13/nsa-writers_n_4267716.html
[29] https://blog.barkly.com/malware-infections-are-inevitable-attitude-creates-security-risk
[30] https://www.sott.net/article/261088-COINTELPRO-Provacateurs-and-Disinfo-Agents-The-US-Governments-war-on-the-American-People
[31] www.youtube.com/watch?v=TtAMWeqOSnY
[32] https://theintercept.com/2014/02/24/jtrig-manipulation/
[33] http://codes.ohio.gov/orc/2917.01
[34] https://www.schneier.com/blog/archives/2007/07/detecting_polic.html

This essay is hereby released as Public Domain.

May 27, 2017 2:16 PM

Rachel on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

Clive

Imagine if you can a man of sufficient hight and stature that a previous commenter described him as "looking like a Klingon", but without the wringles, and after reading your comment a slightly red complexion around the ears :$


funnily enough I pre empted both components of your reply because you have previously described 1. your appearance and 2. your physiologial reaction, when reading of compliments on this blog

some millenia ago, Iskander was taking a stroll and encountered a naked Klingon wearing a barrel, sitting on the pavement. Iskander stopped and said, I will give you anything you want. The klingon looked up and responded ' Move out of my sunlight'
Iskander the ruler of the world sighed and exclaimed 'If I was not Iskander I would wish to be Clive Robinson'

May 27, 2017 1:48 PM

Joe Sixpack on Friday Squid Blogging: Squid and Chips:

'Google and Facebook lobbyists try to stop new online privacy protections'

...also includes "Amazon, Dropbox, eBay, Microsoft, Netflix, PayPal, Reddit, Spotify, Twitter..."

https://arstechnica.com/tech-policy/2017/05/google-and-facebook-lobbyists-try-to-stop-new-online-privacy-protections/

Basically, the anti-privacy lobby wants to make sure a rule requiring user consent and a tangible "opt-in" to data sharing gets killed dead, dead dead.

Meanwhile, Google and Facebook are jostling to become the new world order in charge of internet censorship with their magical algorithms, only slightly assisted by a few well heeled CEOs.

Well, I guess that's alright. They certainly have the money to make it happen, not to mention real world control of the www.

But, I wonder what would happen if the people who use the internet were given a vote or some internet rights....OK, that's not going to happen. I get it.

May 27, 2017 1:41 PM

Stefanie on Security and Human Behavior (SHB 2017):

Hello Bruce,

thank you for sharing the liveblogging.

Personally, I think too like others here, that it is essential to educate people much more and get them aware of security measurements to be taken while there are in the Internet.

I see it quite often on my blog that there is not an existing awareness of security at all. Loads of people think it is save cos they got some software running in the background but leaving their passwords empty or choosing one which is easily to guess. In my opinion there should be something like a basic course at school teaching the very basics of links and using them for the good and the bad.

Well, I hope more people get aware of security and broaden their minds soon.

Best,
Stefanie

May 27, 2017 12:03 PM

Clive Robinson on Friday Squid Blogging: Squid and Chips:

@ Tatütata,

Looks like someone actually managed to implement the hallowed Infinite Improbability Drive.

Or a "Perpetual Motion Machine" at the payout slot ;-)

When you read it you realise that those thinking up the system had a bit of a quandry about OpSec.

Casino's have an allergy to electronics on punters as they regard it as being for what they see as defrauding them by "cheating the system" (though how they can say that with the tricks they pull on punters has always supprised me).

Thus whilst casinos originaly tried to ban mobile phones, they eventually had to relent because the "Whales" and similar suffered from "separation anxiety" and this was bad for casino business.

Thus being able to get a smart phone in has made this sort of thing possible, it caused problems, in that they had the choice covert or overt usage. Overt usage requires nothing other than a phone and a suitably innocuous app. Covert use however requires modified clothing etc that will alow the phone to film but not be easily seen. The downside of covert usage is if you are pulled and searched then the modified clothing raises suspicion that can not be talked away.

So the operators went for what they considered to be the safer method. Presumably because they did not think the casinos would realise a more wide spread operation and start going through large quantities of surveillance footage looking for comminalities in behaviour.

By the way I guess it's not much of a secret as I've mentioned it befor and further since a certain Israeli University published how to use a mobile phone to pick up "Compromising Eminations" from a laptop to use a time based side channel to extract key info, but all those gaming machines have compromising eminations, even those shiny new ones with their "crypto protection" methods...

Back in the 1980's long prior to EMC regulations I discovered something interesting, not only does electronic equipment suffer from Compromising Emissions (TEMPEST radiation) it also suffered from a "susceptability" issue (technically an EmSec not TEMPEST issue). More correctly a "cross modulation" problem, which later was one of the reasons the likes of mobile phones were baned from secure areas.

Basically whay you do is "illuminate" the Device Under Test (DUT) with an EM carrier which by the process of cross modulation directly or by reciprocal or harmonic mixing gets modulated by --confidential/secret-- compromising information. Then by using an appropriate receiver you pick up the carrier or it's harmonics that are now modulated with compromising information, and demodulate it and decode it to recover the internal state information.

Further what you often get is much more sensitive compromising information from deep within the DUT, not the TEMPEST emissions that the designers might have tried to protect at the periphery of the DUT such as it's I/O lines.

But better still by adjusting the frequency, direction of propagation and amplitude of the EM carrier you could be selective about what information you could get out of the DUT. Though more correctly an EmSec susceptibility attack, it is sometimes called a "TEMPEST Hijack" attack or "TEMPEST in a Teapot" attack by various sources on the Internet, if people want to find further info on it.

But it gets better still... what I also found back in the 80's was that there was a reverse trick. That not only was the DUT susceptible to cross modulation, but by modulating the EM carrier you could change the computer behaviour by actively injecting a fault into it.

I demonstrated these problems back then on an "Electronic wallet" --for Europe-- prototype and on a "Pocket gambling device" --for far eastern casinos-- much to the anoyance of the designers (who went ibto NIH / "golden goose" denial mode). Luckily the wallet was way to early for public acceptance so died from a lack of market interest after a couple of trials. Whilst the pocket gambling device did go ahead it was clunky and did not give the payout rush, so was not popular with the target audience, thus died as well.

But I went further and discovered other interesting things. Whilst the basic active fault attack could be made ineffective by using a metal case, such cases have problems. Basically unless you weld up or solder all gaps in the metal case an EM carrier of much higher frequency can still get in. Thus edges around access pannels and ventilation slots not only let in an EM carrier they can be very susceptible due to certain effects (look up "slot antennas" and "waveguide filters").

Thus you can get EM energy into the case, but it is generaly of too high a frequency to be of as much use as the lower frequencies. A few years back a couple of researchers as the UK Computer labs rediscovered this and squirted 10GHz at an IBM 32bit TRNG and pulled the entropy down from over 2^32 to less than 2^7 which makes guessing / brut force attacks realy trivial... But they also missed a trick or three.

If you CW modulate the EM carrier you can still get basic fault injection attacks to work. But you can also use a more complex waveform to be rather more devistating. You can AM modulate a 10GHz signal with a sinewave upto about 1/GHz and this will get "envelope demodulated" by the protection diodes built into silicon chips to protect it from transients on the inputs and outputs. If an IC input is connected to a Printed Circuit Board (PCB) trace the demodulated sinewave now more like a full rail square wave will be on this trace which will then act like an antenna and radiate the signal and it's rich complement of harmonics inside the case. Thus you can tune the frequency of the sinewave to make it more readily picked up by other PCB traces or equipment wiring. Further if you then modulate the sinewave with your fault injection signal you've got it inside the case "doing the nasty" big time to the DUT electronics...

Analog circuitry is particularly sensitive to fault injection attacks especially TRNG circuits and the likes of low frequency or base band / direct convertion receivers / demodulators currently gaining popularity with Software Defined Radio (SDR). Oh and also things like touch screen and capacitive key input devices, which have the bad habit of being filtered / decoupled at the distant end of the trace or wire, not the IC pin end...

All that said what I can further assure people is that some managment types never learn and many gambling machines have both emission and susceptibility issues by the shovel full, that have yet to be exploited in anger.

Thus the question arises as to how long it will be before the likes of the Russians mentioned in the article download a copy of the "pita receiver" paper from the Israeli University and firstly start using it to "pickup" the compromising emissions time based side channels to pull out the PRNG state or transitions?

After all it would not be hard to design the antenna to look like a very fashionable bracelet to make it covert. By adding a non obvious connector this could hookup to what would look like a mobile phone ear bud etc...

If there are any Casino Security Personnel reading or likewise gambling machine designers, you might want to start thinking about how you are going to stop such attacks. But remember the Smart Card Industry spent a lot more than just millions trying to stop the EmSec issues they had to get their security ratings...

Happy holiday weekend to those who get an extra day to "do your thing" B-)

May 27, 2017 11:27 AM

B Johnson on Midazolam as a Non-Lethal Weapon:

Nice. Landed here looking for info on people being involuntarily drugged between police and paramedics, and ideas of what why and who and how. Spent my entire morning stuck in a debate between the two main voices here. Engrossing as a good novel. Accomplished nothing. Learned little. Mechanics forums are comparable.

May 27, 2017 11:13 AM

Nick P on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

@ Thoth

"It is known that Amazon's CloudHSM uses Safenet Luna HSMs and the security level is set to FIPS 140-2 Level 2. What it means is the keys stored in the HSM CAN BE RETRIEVED."

In the past, Level 4 devices were separate products that cost a fortune. I could see them not using Level 4 if trying to offer low-cost HSM's to a wide audience. I mean, it should be an option for mission-critical, business assets for those who would pay. They might not, though. Since there's justification against Level 4, my first question is whether their current hardware supports Level 3 with no extra costs? If extra costs, maybe a business decision from the penny-pinchers at Amazon. If not, then it may corroborate the idea that they're malicious.

Operating at Level 2 w/ key extraction possible is pretty damning. The report said "tamper-evident, seal broken." Does that mean the key is available but knowledge of extraction is tamper-resistant along lines of Level 3? Or can they get rid of the broken seal status? Also, does the interface easily allow a cloud vendor to let customers (a) ensure their stuff stays on specific set of HSM's and (b) get a signed confirmation that seal is intact before doing a sensitive operation? Then, they could just periodically check with a smaller window of risk.

May 27, 2017 11:03 AM

Nick P on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

@ ab praeceptis

"I respect the good intention of the Rust people but as far as I'm concerned it's a lousy compromise. New code should use better languages in the first place and for the huge body of existing C/C++ code we'll need post factum analysers.

I had good reasons to stress in my "report" that Ada a) does not run significantly slower (and usually just as fast as C code) and b) doesn't make us less productive; in fact, if there is a difference at all than it's one to the good side."

You seem to be missing a big reason for my post which has nothing to with C. There's no way in Ada to do temporal safety in the general case. The AdaCore rep acknowledged that. Many others wrote about the need to use unchecked deallocation in lots of places. The Rust solution started with linear types work in *functional languages* decades ago that the Cyclone team made work with a C-like language. Rust adopted affine types and improved on it. That Rust competes with or has occasional similarities to C is irrelevant. The relevant thing is the affine types on references, aka the borrow-checker, make the major, temporal errors impossible and allow safe concurrency with no extra constraints. One can also use multiple, concurrency models just like the best HPC languages allowed given different problems suit different models. All are safe at code level, though, via borrow checker. This allows Rust developers to use those pointer or thread heavy approaches that result in ultra-fast machine code *with no safety concerns or runtime checks*. Ada and SPARK can't do that just like AdaCore rep admitted.

So, I suggested *those features* be including *into Ada/SPARK*. Then, we get all the benefits of Ada/SPARK plus the strongest of Rust that Ada/SPARK currently lack. It also eliminates need for separation logic like VCC uses for temporal safety since it does same thing *without any verification effort*. They just heuristically learn ways to structuring programs to reduce battles with borrow-checker. SPARK would suddenly do dynamic memory and flexible concurrency so long as we're not talking real-time apps. Ada 2012 code would also require less runtime checks and tests given Rust's model makes it immune to these problems without runtime checks. So, there's clear improvement to be gained if Ada/SPARK adds a borrow-checker for references. Meanwhile, Rust is in the lead if the program is dynamic and/or multi-threaded.

May 27, 2017 10:04 AM

Clive Robinson on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

@ Rachel,

Imagine if you can a man of sufficient hight and stature that a previous commenter described him as "looking like a Klingon", but without the wringles, and after reading your comment a slightly red complexion around the ears :$

May 27, 2017 8:04 AM

Tatütata on Friday Squid Blogging: Squid and Chips:

Re: slot machine hacking

Looks like someone actually managed to implement the hallowed Infinite Improbability Drive.

Maybe this is why Portland Mud's casinos managed to lose money? (Or he couldn't organise a p***-up in a brewery). Now the Rooskies are making it up to him by appointing him as launderer in chief.

I have an intense feeling of déjà-vu. I thought the dateline on that Wired link is in the future, but then I realised that the date was written in the wretched MMDDYYYY format preferred in the US, and the item is in fact from February.

May 27, 2017 6:52 AM

Andy on Ransomware and the Internet of Things:

@de La Boetic
Every industry has a uptake of time

@neil
The amount of traffic plus CPU cycles will cripple a ISP

@Fred
Upnp, chose your market

@Dan H
Good point

May 27, 2017 6:18 AM

Clive Robinson on Friday Squid Blogging: Squid and Chips:

@ AlanS,

One smile deserves another,

https://twitter.com/adamstoon1

@ Bruce,

Brit & Chips

Hmm, I wonder if he knows that "Brits" are either "tough and chewy" or "slack and flabby" depending on where you catch them. Though at this time of year you will find washed up examples on beaches turning from pasty white to lobster red. I guess the old nursery rhym of "Fe Fi Foe Fum, I smell the blood of an Englishman..." did not warn Mr Frappier that some do have teeth ;-)

May 27, 2017 5:23 AM

Jim Dines on Countering "Trusting Trust":

There is at least one major flaw in this that nobody else seems to see. You need two compilers that can both compile the same source code successfully. That is NEVER going to happen for anything as non-trivial as a compiler. One often can't even get code to compile successfully with different versions of gcc! (for example) Thinking you will get Microsoft's and GNU's compilers to be able to do it simultaneously is a major cognitive distortion! :-)

This is the problem with computer security today in my not so humble opinion. There is a boatload of this kind of Trust us, this is possible because it happens in my mind kind of security. If Wheeler or anyone else can provide some exploit code in the form of a Ken Thompson Reflections on Trust style compiler and actual anti-exploit tools and procedures that prove it empirically when followed then it is all just meaningless mental masturbation.

May 27, 2017 5:14 AM

Rachel on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

Clive

Any way all that said as I have said a number of times I do not mind people using my ideas, but there is to requirments, firstly acknowledgment,


Clive, I acknowledge you. Because you are my hero! I mean that with utmost sincerity. I admire you on a variety of levels. I won't go into the number of reasons why but I am sure anyone else here could create such a list just as easily

How many lives have you saved and will you continue to save, we wonder?

May 27, 2017 5:01 AM

Clive Robinson on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

@ Figureitout,

Not sure the beef besides if you just want a shout out (and it's still technically possible he doesn't read here and thought up this himself unless you're eavesdropping on his connections)

The "beef" if you will is academics, they get very prickly about atribution of ideas or parts of ideas, hence the often long long list of refrences at the backs of papers. Also those who sites who sites, all are part of the "publish or die" rules. However quite a few academics treat what they see as non academics differently and will not acknowledge other peoples ideas unless they "are part of the club". Not only is it hypocritical behaviour it also makes their crime even more insulting. But worse it "buys in" to one of the worst straight jackets on knowledge since the Catholic Church the racket of the academic journals.

Even on a "public site" what I write good, bad or indiferent is automatically a "work" that has as a minimum the legal protection of copyright etc. The fact it appears on a public site which is freely available also means it is "published". The copyright can not be taken away, only the rights pertaining to it assigned to others. The fact it also carries both my name and a date of creation / publication further strengthens those protections and rights, and makes it in effect "prior art" from that time onwards. Which you probably know means it has legal impications when it comes to both patents and usage. Importantly like it or not the Schneier on Security site is due to both it's usage and history the equivalent of a "journal" even though not pre peer reviewed.

Any way all that said as I have said a number of times I do not mind people using my ideas, but there is to requirments, firstly acknowledgment, secondly that if they buy me a drink, prefereably through our generous host, thus they buy Bruce two drinks, and at some point Bruce can buy me one (if we ever meet up ;)

May 27, 2017 3:27 AM

Ratio on Friday Squid Blogging: Squid and Chips:

Terrorist attack on Coptic Christians in Egypt:

Egypt has carried out airstrikes in Libya after at least 26 people, including children, were killed and 25 wounded in a gun attack on a bus carrying Coptic Christians south of Cairo, the latest in a series of terrorist incidents targeting the religious minority.

Local media reported witnesses saying that between eight and 10 gunmen, dressed in military uniform, carried out the attack. Egypt’s interior ministry said the attackers, travelling in four-wheel-drives, “fired indiscriminately” at a car, bus and a truck in the al-Idwah district outside Minya, about 135 miles (220km) south of Cairo.

[...]

Children aged two and four were among the victims, according to a list of victims released by the governorate of Minya.

May 27, 2017 1:20 AM

Rhys on Forbes Names Beyond Fear as One of the "13 Books Technology Executives Should Have On Their Shelves":

@Deimos

Were being well read an attribute for ascending the power structure of a business, how many sitting executives would you site as a share of US corporate leadership? How many would "ascribe" their ascendance based on the readings in, say, security? Or intelligence gathering?

Still- our headlines are filled with disgust of the Silverback culture that prevails in corporate leadership and cultures.

If leadership is doing the right things, not doing things right- that's where a schism begins.

What executive or board has changed its position on uninsured liability as a result of the last 5 years worth of security events? (If reading doesn't change anything- than what is the point? Which accounting rules on contingent liabilities are reflective of valuations or now identified in audits? Is Anthem's Chair/CEO/still there? Are corporations still asking for government intervention/protection from internet vulnerabilities? Do we now have business models reliant wholly on freebooted information? Using tools that they howl about when subsequently applied to them? )

There aren't bookshelves big enough to hold the number from a decade, or decades worth, of reading. Some read the publications in the language it was actually written in first.

Parading around a reading list is something closer to the value sets in "Dress for Success". Or like the 'ego wall' with diplomas and accolades. (Lessons once given to all Si Ramo's novitiates as unacceptable.)

Your reference to the use of hyperbole in the title being a material clue, hopefully, there are skills also to distinguish science from scientism.

May 26, 2017 10:03 PM

Figureitout on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

Clive Robinson // Thoth RE: c v p
--Not sure the beef besides if you just want a shout out (and it's still technically possible he doesn't read here and thought up this himself unless you're eavesdropping on his connections), you're aware you're posting on a public site, and I'm not sure the legal procedures to protect your ideas when you post them online (keyword ideas, not implementations, never saw implementations no matter how much I begged).

I have to keep my mouth shut about a lot of things I wish I could say and discuss, but I've signed agreements and would give competitors a leg up if they happened to be reading. Personally I find it really exciting that different brains with different approaches and different ways of seeing the world will take some work and apply new ways of thinking to it.

So long as you version control, if they muck up an idea so bad, just revert to older versions. :p

May 26, 2017 9:22 PM

Systate on Friday Squid Blogging: Squid and Chips:

Ben A
You want security you have to pay. Alot. Kali linux is cool and all but the only thing i barely understand is fuzzing.

This is a disclamier to Clive Robinson, Nick P and et all
That article contains strange words such as Secure Enclave and Trust Zone.


But from that article it is safe to assume that most android phones arent even encrypted. So you have to pay them for security. Why make a device that takes a performance hit when envryption is enabled in the first place? That encryption 1102.

From a business standpoint, it makes perfect sense.

May 26, 2017 8:37 PM

ab praeceptis on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

Nick P

Actually I'm a little sad about C. Dross/Y. Moy doing what they are doing because while certainly meaning well they actually risk to add confusion. Let me explain:

That whole verification field is confusing enough and many do not fully understand it. As it also happens to be one of the few major tools in the rotten software world, it is of importance that it be well understood.

I'd feel a need to elaborate on two important points in that regard. And I'll begin with and use as a guiding light Dijkstras often forgotten but immensely important statement that code is the implementation of algorithm. This immediately leads us to my first point: What is code verification about? Answer: It is obviously about code, i.e. about the *implementation* of algorithms - *not* about algorithm verif.

What Dross/Moy demonstrate is understandable from a human point of view. Of course, having developed a powerful new tool, one wants to show its capabilities and to play with it. Quite probably another factor played a role, too, namely a very troublesome attitude mainly from across the ocean (something like "No need to properly think. Just do it. Shoot!").

And yes, Spark has grown to considerable power; one *can* do lots of amazing things with it, as (not only) Dross/Moy demonstrate.
However: That is *not* what code verification is about! It is *not* about algorithm verification!

As I said, the field is complex and we should certainly not mislead those who are just beginners in it. Similarly I can understand that it just seems practical to throw "all that verif stuff" together, particularly when a tool like Spark seems to be able to handle it.

No. We must discern and not cut corners. The question to be answered using Spark is a specific one. It is about the *implementation* - and nothing else. "Is my algorithm sound?" is a question to be looked at with other tools. Is my red-black tree design sound is not a question to be answered using Spark. Spark is about looking at the question "Is my *implementation* correct?"

2nd and related issue: code verification is *obviously* language dependant. Which also relates to your point of Spark looking at and maybe borrowing from Rust. Frankly, I think that that is largely nonsensical (albeit interesting and fun). Why? Simple: Rust has strong roots in the C family and, in fact, one very C-typical construct, namely pointers and the many related problems, has been a major, if not the reason for Rust in the first place. Most of those problems, however, simply do not exist in Ada.

Digging a little deeper one finds that the core problem is not even pointers but their utterly unaccounted willy nilly availability and arbitrary usability along with an utter lack of means to properly deal with them even if one wanted to; C (and family) simply don't offer any means. *That* is the problem, not even pointers per se. I know what I'm talking about; what I just said is the very reason why I looked at Frama-C (which I liked but which isn't powerful enough) and at separation logic tools.

Let us look at an algorithmically trivial problem, namely at a "hex printer", i.e. at code to "print" an unsigned, say 32 bit integer into a hex string. In C that would be something like a

void hexprint(char*buf, uint32_t num);
procedure where buf is the buffer to print into and num is the number to be printed.
Where does 'buf' come from? Is it on the heap, on the stack? Does it exist at all? What's its size?
In Ada the same thing would be
procedure hex_print(buf : String; num Unsigned_32);
and we need not care where buf is allocated plus the compiler *knows* that; also the size of buf is known. So, sparking it might be as simple as "with Pre => buf'Last >= buf'First + 8", done.

Which leads me to next point: When I said that we must properly understand what we are examining/verifying I left away one decisive point: context - and that's what I'm actually testing above.
Code verification means two things, namely a) implementation (e.g. the procedure itself) and b) context (which includes the interface).

Remember the uni days when they drilled us to provide context, when they drilled us to e.g. specify domain and co-domain for a function? Same thing. hex_print, being code, i.e. meant to be run on real world hardware, is not supposed to work no matter what; it is supposed to provide a well specified service with a well specified context; that may be something simple a 'buf' existing and being at least of size 8 (or 9 in C) or it may be much more complex factors such a temporal or other conditions (like e.g. 'buf' being read or written to from/by another thread).

I agree that Rust has found an interesting and promising approach. However, Rust is only interesting under the premise that one wants to stay withing the C universe - which, frankly, doesn't sound like a smart proposition considering all the problems we have.

But there is good news, too. Gladly only (so my experienced guess) a quite small part of the rich C related problems universe is to do with complex problems. The vast majority are 1 off errors, loop errors, many kinds of buffer errors, etc.

I respect the good intention of the Rust people but as far as I'm concerned it's a lousy compromise. New code should use better languages in the first place and for the huge body of existing C/C++ code we'll need post factum analysers.

I had good reasons to stress in my "report" that Ada a) does not run significantly slower (and usually just as fast as C code) and b) doesn't make us less productive; in fact, if there is a difference at all than it's one to the good side.

That said, I personally chose Ada for many reasons but my intention is not to preach Ada. Eiffel, for example, might be an alternative for many, too. And even C can be acceptable, provided that microsoft doesn't somehow limit vcc to windows and dark-world licensing.

My advice for those who are interested in formal methods and proper software design would be to have a look at tla+ and at B. *Those* are meant to be used to verify ones design (as opposed to code).


May 26, 2017 7:41 PM

Jarrod Frates on Forbes Names Beyond Fear as One of the "13 Books Technology Executives Should Have On Their Shelves":

@Deimos

I'm not sure why HGTTG is problematic. While it's a compendium of snark, sarcasm, and cynicism, it also takes a very different view of some very normal things, including how different people place different values on exactly the same event. I still read every book periodically--I've probably read the original more than a hundred times, including all the times I've picked up my copy of just that book and flipped to a random page. If all you can see is a funny book (or a funny, five-book [and one short-story]) trilogy, you're very much missing Adams's many points.

@Rhys

So executives don't read books. (Or do they? My experience differs from yours.) What does your rejection of the list based on who the article says should be reading it say about your valuation of the individual components? There are a few that I question based on the titles (hyperbole in titles is often a warning sign for me), but I'm willing to at least have a look at the segments that Amazon presents.

May 26, 2017 6:50 PM

Jonathan Wilson on Hacking the Galaxy S8's Iris Biometric:

Yet another reason not to use bio-metrics but to stick with a good old password or code instead (one that your adversaries can't easily guess and that is backed up by strong encryption on the device itself)

May 26, 2017 6:29 PM

Ben A. on Friday Squid Blogging: Squid and Chips:

Totally agree Systate. Android security is a joke compounded by Google's poor update policies (not forcing OEMs to push out the update). Grab a copy of Kali Linux to see the multitude of working Android exploits.

Here's an article that discusses the sorry state of Android encryption:

Android Encryption Demystified

https://blog.elcomsoft.com/2017/05/android-encryption-demystified/

Unrelated: Google Chrome extension to bypass paywalls

https://chrome.google.com/webstore/detail/xray/dgkdfehohjdbmnldpcegekjakcdjlnkg

May 26, 2017 6:29 PM

Rhys on Forbes Names Beyond Fear as One of the "13 Books Technology Executives Should Have On Their Shelves":

I am with LeeHamm.

Have you seen an executive committee that doesn't have a "free blood testosterone minimum"?

You know they have their own maxim between each other- "You do realize that I don't have to outrun the bear, I only have to out run you."

Books are dust collectors for them. Publishing cycle is too long regardless against the speed of adaptation today.

Journals, conventions (not Gartner's), focus groups...though these are in contexts that are foreign/anathema to a Viking or conquistador life style.

Execs hire smart people to read those for them. Then to provide a cartoon balloon they can use for public speaking or to stand as insulation when a fire exit corridor is needed.

May 26, 2017 6:21 PM

Systate on Friday Squid Blogging: Squid and Chips:

Ben A
Do you know what i find extremely funny? I scrolled to the bottom and found this gem

"Current — All the attacks discussed by this work are still practical, even with latest version of Android (Android 7.1.2, with security patches of May 5th installed).

So
August 22
September 22
October 22
November 22
December 22
January 22
Febuary 22
March 22
April 22
May 22
....
....
....
???????

lol
I guess the security fix is get their next top line product and ship it into the sun.

May 26, 2017 5:29 PM

Daniel on Friday Squid Blogging: Squid and Chips:

https://philosophicaldisquisitions.blogspot.com/2017/05/the-right-to-attention-in-age-of.html

That is the link to the quote about attention in the above post. It is a good read and to a large extant I agree with it. The one place I disagree is the pretense that attentional warfare is something new and that technology bears the central blame. Nonsense. Technology may have made attentional warfare more "in your face" but it has been going on as long as humankind has been going on.

May 26, 2017 5:11 PM

gordo on Did North Korea Write WannaCry?:

@ Clive Robinson,

How to go about verifying not just parts or the whole, but also the context it aims to set.

Research.

May 26, 2017 4:27 PM

JG4 on Friday Squid Blogging: Squid and Chips:


wishes everyone who observes Memorial Day a sobering reflection on the human condition

another nice data visualization, including times when the US was a better place to go than to leave

https://blueshift.io/

I have to be careful here, because the only four countries that I know are better are unaffordable to the average wage serf. if they call my bluff and throw me out, I'll end up in a worse place

https://www.newscientist.com/article/2132748-monkey-mafia-steal-your-stuff-then-sell-it-back-for-a-cracker/

https://www.theverge.com/2017/5/26/15701776/chipotle-restaurants-hacked-credit-card-malware

http://www.nakedcapitalism.com/2017/05/200pm-water-cooler-5262017.html
...
Big Brother is Watching You Watch
‘[Matthew Crawford] was prompted to write [The World Beyond Your Head] by a profound sense of unease over how the ‘attentional commons’ was being hijacked by advertising and digital media. One day, he was paying for groceries using a credit card. He swiped the card on the machine and waited for a prompt to enter his details to appear on the screen. He was surprised to find that he was shown advertisements while he waited for the prompt. Somebody had decided that this moment — the moment between swiping your card and inputting your details — was a moment when they had a captive audience and that they could capitalise on it. Crawford noticed that these intrusions into our attentional commons were everywhere. We live, after all, in an attentional economy, where grabbing and holding someone’s attention is highly prized’ [Philosophical Disquisitions].
...

http://www.zerohedge.com/news/2017-05-26/google-about-start-tracking-your-offline-behavior-too

http://www.zerohedge.com/news/2017-05-26/fisa-court-warned-fbis-apparent-disregard-rules-illegally-shared-spy-data-private-co

https://techcrunch.com/2017/05/25/creative-destruction-lab-quantum-machine-learning/

http://circa.com/politics/declassified-memos-show-fbi-illegally-shared-spy-data-on-americans-with-private-parties
...[another perjurer]
In his final congressional testimony before he was fired by President Trump this month, then-FBI Director James Comey unequivocally told lawmakers his agency used sensitive espionage data gathered about Americans without a warrant only when it was “lawfully collected, carefully overseen and checked.”
Once-top secret U.S. intelligence community memos reviewed by Circa tell a different story, citing instances of “disregard” for rules, inadequate training and “deficient” oversight and even one case of deliberately sharing spy data with a forbidden party.

May 26, 2017 4:16 PM

Ben A. on Friday Squid Blogging: Squid and Chips:


Cloak & Dagger

"Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity."

http://cloak-and-dagger.org/


Laptop Ban Reaction to X-Ray Equipment Stolen by ISIS

https://professional-troublemaker.com/2017/05/22/exclusive-laptop-ban-reaction-to-x-ray-equipment-stolen-by-isis/


How to build your own VPN if you’re (rightfully) wary of commercial options

Not a good option from an anonymity point of view.

https://arstechnica.com/gadgets/2017/05/how-to-build-your-own-vpn-if-youre-rightfully-wary-of-commercial-options/


Windows 10 Enterprise ignores various privacy settings

https://twitter.com/m8urnett/status/866353982217699328
https://news.ycombinator.com/item?id=14389441


In a throwback to the ’90s, NTFS bug lets anyone hang or crash Windows 7, 8.1

https://arstechnica.com/information-technology/2017/05/in-a-throwback-to-the-90s-ntfs-bug-lets-anyone-hang-or-crash-windows-7-8-1/


Crysis ransomware master keys posted to Pastebin

https://nakedsecurity.sophos.com/2017/05/26/crysis-ransomware-master-keys-posted-to-pastebin/


Samba exploit – not quite WannaCry for Linux, but patch anyway!

https://nakedsecurity.sophos.com/2017/05/26/samba-exploit-not-quite-wannacry-for-linux-but-patch-anyway/

http://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html


Trump’s Dumps: ‘Making Dumps Great Again’

https://krebsonsecurity.com/2017/05/trumps-dumps-making-dumps-great-again/


Why are hidden files with a leading tilde treated as super-hidden?

"If there is a hidden file whose name begins with a tilde, then Explorer treats it as if the system and hidden attributes are both set, causing the file to be treated as super-hidden."

https://blogs.msdn.microsoft.com/oldnewthing/20170526-00/?p=96235

May 26, 2017 4:13 PM

Ministry of Truth on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

Jesus hated privacy and anonymity[1]. Only somebody who hates Jesus or hates Christians, someone like a Muslim(terrorist) would advocate for privacy.
The declaration of independence wasn't drafted anonymously or anything like that[2]. No. Only somebody who hates America would want anonymous communications.

Firewalls, antiviruses, GPG/PGP[3], [redacted part here because it contained weaponized knowledge] [4], Tor[5], TAILS[6] and anything else that makes it harder for people to damage your computer or to steal your personal information is an offensive weapon, a cyber munition that causes mass destruction.

On the other hand, things such as network exploitation techniques[7], viruses[8], spyware[9], Denial of Service tools, sabotage of NIST security standards[10] (standards which must be secure to protect the secret service from being murdered[11]), preventing 0-day vulnerabilities from being fixed[12], and so on, factor into "defense". These defensive strategies do not put civilians at risk[13].

These things are for your protection[14]. It makes perfect sense for Anonymous to wear Guy Fawkes masks while DDoSing any dissidents/anyone else who is against Big Brother[15].

The government is above being hacked[16], so you should trust them with your mind body and soul. Failure to accept their mark will result in exclusion from all types of commerce[17], so accept it for your own good. Make sure to protect your children from peeping toms[18] and stalkers[19] by making them accept it too[20].

The only real government is the US government. The US government does not test their chemical weapons on its own students[21], does not use incendiary weapons against civilians in other countries[22] to "liberate" them[23], and does not use nuclear weapons of mass destruction against massive civilian cities to coerce other governments into surrender[24] (that's what Iraq did[25], not America!) Such acts are the two most common definitions of terrorism[26].

The US Government is doing everything it can to prevent Russian czars from having an easy to use, single point of attack (killswitch) that just takes one person to press it to instantly bring the entire US economy and all networked medical services to its knees[27].

The best way to catch terrorists and extremists is to look for groups that use fear to prevent discussing of opposing idealogies[28] instead of simply making a logical argument against their opponents' idealogies.
Another way to spot terrorist is that they try to inspire feeling of fear and hopelessness severe enough for people to stop even TRYING to be safe[29].
Terrorists can also be identified by their tendency[30] to incite[31] others to violence[32], also known as inciting others to violence[33].

Also, it has recently been found that safety features in computers and cars can benefit terrorists, so all anti-viruses[34] and airbags must have an easy, fast, sure way to be remotely disabled without alerting the occupants.

Good night and God bless America.

sources
[1] https://www.gotquestions.org/do-not-tell.html
[2] https://constitutioncenter.org/blog/why-did-jefferson-draft-the-declaration-of-independence/
[3] www.loundy.com/Roadside_T-Shirt.html
[4] www.linuxjournal.com/content/nsa-linux-journal-extremist-forum-and-its-readers-get-flagged-extra-surveillance
[5] https://www.techdirt.com/articles/20140703/02494927769/nsas-xkeyscore-source-code-leaked-shows-tor-users-classified-as-extremists.shtml
[6] https://twitter.com/josephfcox/status/859357743051927552
[7] https://zeltser.com/what-are-exploit-kits/
[8] http://www.computerworld.com/article/2516109/security0/why-did-stuxnet-worm-spread-.html
[9] surveillance.rsf.org/en/amesys/
[10] https://projectbullrun.org/dual-ec/
[11] https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
[12] https://www.rt.com/usa/170264-eff-nsa-lawsuit-0day/
[13] http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar
[14] https://duckduckgo.com/html?q=This%20is%20for%20your%20protection.%20A%20yellow-coded%20curfew%20is%20now%20in%20effect.
[15] http://countercurrentnews.com/2015/02/white-house-responds-to-anonymous-opisis-cyber-attacks-against-terror-group/
[16] https://en.wikipedia.org/wiki/The_Shadow_Brokers
[17] https://nakedsecurity.sophos.com/2016/02/29/tor-users-being-actively-blocked-on-some-websites/
[18] http://kettyle.com/gchq-webcam-snoop/
[19] http://www.telegraph.co.uk/technology/internet-security/10665599/GCHQ-secretly-captured-images-of-innocent-webcam-users.html
[20] https://www.wired.com/2013/08/student-rfid-chip-flap/
[21] https://en.wikipedia.org/wiki/Project_MKUltra
[22] https://muslimvillage.com/2013/08/29/43177/obamas-holy-tomahawk-war-on-syria/
[23] http://www.pravdareport.com/world/asia/16-05-2017/137750-trump_tomahawks-0/
[24] https://en.wikipedia.org/wiki/Atomic_bombings_of_Hiroshima_and_Nagasaki
[25] http://tvnewslies.org/html/iraq_nukes.html
[26] http://www.dictionary.com/browse/terrorism https://www.merriam-webster.com/dictionary/terrorism
[27] http://original.antiwar.com/justin/2010/06/20/kill-the-kill-switch
[28] http://www.huffingtonpost.com/2013/11/13/nsa-writers_n_4267716.html
[29] https://blog.barkly.com/malware-infections-are-inevitable-attitude-creates-security-risk
[30] https://www.sott.net/article/261088-COINTELPRO-Provacateurs-and-Disinfo-Agents-The-US-Governments-war-on-the-American-People
[31] www.youtube.com/watch?v=TtAMWeqOSnY
[32] https://theintercept.com/2014/02/24/jtrig-manipulation/
[33] http://codes.ohio.gov/orc/2917.01
[34] anti-viruses">https://www.schneier.com/blog/archives/2007/07/detecting_polic.html">anti-viruses


This essay is hereby released as Public Domain.

May 26, 2017 3:15 PM

Kindness on Security and Human Behavior (SHB 2017):

A plea for all to be slow to anger and not rush to judgment about being certain and confident we understand the other person's comments.

Stephen Covey had one of his habits of highly effective People as; "Seek first to understand before seeking to be understood."

Please don't assume other people know the assumptions and the specific path of reasoning that led to your comments and conclusions.

Conclusions with missing assumptions, premises and rationale to give essential context can come off as insensitive to others.

"Think win win" for me would be think how I could be more accommodating, seek clarification first, before making bold accusations.

"Correct me if I'm wrong, this is my understanding of what you just said; ......."

May 26, 2017 2:08 PM

Smedley Darlington on Ransomware and the Internet of Things:

@Jim

"There's absolutely no need for connected cars. The perceived need for connected cars has been artificially created by people with a vested interest in being able to take control of your car."

Agreed. The absolute "need" (not to mention, inevitability) is entirely contrived by said vested interests and is clearly not in the publics best interest. With few exceptions, IoT amounts to little more than a dangerous lie wrapped around a marketing gimmick. And for all but the most casual observers, as Clive Robinson points out in this thread, is quite obviously being perpetrated on the public by those in the data exfiltration for profit game where users data provides the profit. 'nuff said.

Such is life in the Second Gilded Age. We're all awash in a sea of corporate puke.


@Clive Robinson

"But if a certain major credit rating organization is correct Google has run out of steam thus profit in the selling of "user meta data". If they are correct it may well mean that the bubble is bursting on the big data scam (for that is surely what it is)."

I could have sworn I heard angels singing while reading that. :)


@Duty to warn

Thought you might enjoy this classic...

The Gentleperson's Guide To Forum Spies
https://cryptome.org/2012/07/gent-forum-spies.htm

May 26, 2017 1:53 PM

Martin on Hacking the Galaxy S8's Iris Biometric:

Perhaps each serious project should hire hackers to test the product in addition the usual rubber stamp product testers.

May 26, 2017 1:46 PM

Terry on Hacking the Galaxy S8's Iris Biometric:

@ As Bruce has noted more than once being able to build things and being able to break things are not the same skill set.

Except that the adage you're referring to can be equally interpreted to mean that no one build anything that works.

And then this crap get's repeated a billion times until everyone is brain dead. Like "you must drink 20 glasses of water a day"

May 26, 2017 1:41 PM

Robert Wood on Hacking the Galaxy S8's Iris Biometric:

Well, that being said it's probably not a good idea for any dissidents or any subversive minds to carry an s8, especially when traveling.


May 26, 2017 1:27 PM

Bob Dylan's Masterful Foot on Hacking the Galaxy S8's Iris Biometric:

It is easy if one is creative like that but to be perfectly honest that solution would not occur to me in a thousand years. Those rascals (shakes tiny fist)...

As Bruce has noted more than once being able to build things and being able to break things are not the same skill set.

May 26, 2017 12:49 PM

Sean Carter on Perceived Risk vs. Actual Risk:

I think Schneier missing something big here. Your insurance company will give you insurance from flooding from a burst pipe, but not from a nearby river. Why? Because flooding from a nearby river happens to everyone at the same time. The insurance company can tolerate 1% of their customers filing a claim every year, but it can't tolerate 30% of its customers filing a claim on the same day.
Far from being overestimated, the risk of rare but catastrophic events is very much underestimated. Take nuclear war for example: you probably know lots of people who were injured in car crashes, but you don't know anybody who was injured in a nuclear war. Does that mean that nuclear war is less likely to affect you? Maybe, but then again, maybe not. If you think that the chance of a nuclear war is .5% in any given year, then you are 8 times as likely to die in a blaze of radation than in a car crash. It doesn't matter that you don't know anybody who was in a nuclear war- that's an artifact of the fact that a nuclear war affects everybody, or nobody.
But it's hard to say, isn't it? You can't even make a wild guess to the probability of something that has a sample size of zero. Is that a reason to assume the probability is zero? Right before the financial crash of '08, you couldn't have found one person who lost their shirts in real estate. 6 months later, and *everyone* lost their shirts. But it's hard to see the risk of something when so far, nobody has been affected by it. Some of the other things Shneier mentioned - terrorism, earthquakes- are the same way. They happen to everyone at the same time, and therefore we fantastically underestimate our risk.

May 26, 2017 12:43 PM

Clive Robinson on Security and Human Behavior (SHB 2017):

@ Alice Hutchings,

It's nice of you to drop in here during what must be a hectic time at the moment.

The issues of gender imbalance in technology are as old as technology it's self but sadly appear to have defied all attempts to redress it much so far.

I've been actively involved in a number of initiatives from the late 1970's through to recent times in both the electronics and software industries, to improve the prospects for women. The one thing I can say is that women most certainly do not lack the academic or more practical skill sets, in fact they are often superior in the pre and graduate stages.

You are probably aware of Freeman Dyson's "Bird or Frog" view of the way people think are categorized. For some reason when it comes to working in the software industry frog thinkers tend to be over represented when people talk of "Star programmers", however when it comes to management above the team leader level bird thinkers start to predominate. Which is one reason given as to why few star programmers ever move up.

There is however a problematical social expectation that women should be "multitasking" though as you probably know many of the studies into multi / mono tasking/thinking do not show a general advantage to either mode.

Thus there is a societal in built pre disposition that the software industry needs monotasking deeply focused frog thinkers, not multitasking broadly focused bird thinkers, therefore the software industry is often perceived as,"No job for a women".

This is actually far from true. Frog thinking tends not to scale for a couple of reasons, firstly whilst it has depth it lacks breadth and secondly it tends to preclude the ability of effective communication which is vital for projects beyond a small scale. When you look at extrodinaraly large projects in the software industry many tend to fail expensively. The reason usually given is "lack of communication / cooperation" between the disparate parts of the project. That is the projects are not effectively Project Managed.

The easy conclusion is "frogs do not become princes" no matter how hard you promote them, where as "birds take to the sky and fly high". But it does not resolve the actual issues.

As is now being found at non Nation State level ICT projects, monolithic code constructs do not scale beyond a certain point even with multiple load balanced instances. Thus the drive towards microservices via Docker and Kubernetes. But in startups and smaller organisations the switch from monolithic to microservices is usually a disaster. There are two problem areas the technical and the human. Usually it's the technical that gets blamed when in fact it's the human side that fails, usually because of non multitasking and the lack of communication that arises.

I'm known for my preference for Hard Science post grads not CompSci for various reasons. Partly it's because hard science post grads tend to be scientists/engineer oriented not artisan/copyist, but importantly they generally know, not just how to communicate, but also integrate disparate parts as a norm not an exception. Further and importantly from a number of peoples points of view women tend to be better represented in hard science.

But further when you look at people in CompSci at the starting positions in the software industry if they are frog thinkers they fit in, if bird they tend not. Thus you have the problem that there is a high attrition rate at the normal entry rung on the career ladder. But it gets worse, as frog thinkers go up the ladder they bring other frog thinkers in behind them not bird thinkers. Which because men predominate in the frog thinking at the entry rung tends to mean that frog thinking women pull in frog thinking men behind them due to the paucity of frog thinking women... Which means that the paucity of bird thinkers above the team leader management, who also have entry level experience is very very low anyway and vanishingly small when it comes to women.

Thus in my long but somewhat limited experience you need a different way for bird thinkers to get the entry level experience but enter in above the team leader management level. Then find a way to get bird thinkers not to leave at the entry level rung as they can then see a clear career progression opportunity.

The problem is that currently the software industry is set up around the idea of monolithic systems, even when compartmented the view is single instance orientated, not distributed component orientated. It both favours frog thinkers and worse locks the industry into an evolutionary cul de sac where the dead end is the laws of physics for a single processing instance.

As can be seen with CPU's that are now multi-core the next evolutionary stage is parallel processing, which can only move forward via distributed systems. Whilst the design of single instances favours frog thinkers, multiple instances require a different thought process that favours bird thinkers who can multitask and communicate effectively. Thus as we move forward in the ICT industry, science / engineering not artisanal / copying will be the way forward which should favour bird thinkers more and more. Which as the frog thinkers in general will not be able to step up easily will actually create favourable opportunities not just to bird thinkers but women who tend to be better at the skill sets required at a younger age. If there is a sufficient skill shortage gender discrimination should diminish if not disappear due to supply and demand, and as older more staid / stale view points retire or fail to rise. But I must say that with over a third of a century industry experience so far the rate of change appears to have been less than the growth rate of the industry...

There is also the issues of the two world wars to consider. Both showed that outside of certain strenuous manual tasks women were just as capable as men and in some skills rather more so. However after each war women either left or were forced out of the work place, for what were mainly sociological reasons. It was not until the late 60's through to the 80's that "working wives" became more acceptable. Further in the US in the mid 90's for a decade or so, in some ethnic groups women on average had higher pay rates than men, but caution is needed as the same ethnic group showed a much much wider educational achievement between the women and men, with the men entering low skill or working class employment, whilst the women tended to enter middle class better paid administrative and lower / middle management roles.

However there is now another way by which gender neutrality may occur, which is distance working. It's not just the "nobody knows who you are, just what you do" aspect, it's the ability to more easily encompass a much wider range of life styles. Importantly it actively favours those with good communications skills amongst many often disparate entities which favours the bird thinkers over the frog thinkers. However when we look at major FOSS projects we still see a male predominance. However we also see a higher predominance of monolithic projects which still favour frog thinkers, so this may well change as the need for parallel / distributed systems rises.

Finally, whilst there is sexism in the software industry, it's also in many other work domains as well. It further tends to be more prominent in more polarised environments. In effect as a clique forms societal norms change, normally toward a common denominator and in short order a clique develops a "them and us" world view. Once developed separating the members of a clique does not immediately normalise the societal norms and if members meet again they will for some time revert to some extent back to the them and us viewpoint. Which makes undesirable traits linger.

May 26, 2017 12:05 PM

Arclight on Security and Human Behavior (SHB 2017):

The hackerspace community is an interesting place to see this sort of thing. The people who come to our space are definitely interdisciplinary, and there is a general interest in privacy, InfoSec and physical security. One of our members got a PhD in sociology while attending, and we have a lot of cool projects come through.

I don't know if our space is an outlier, but we have a pretty vibrant human/machine meet-point.

May 26, 2017 11:21 AM

Thoth on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

@all

It is quite obvious that Amazon's CloudHSM service provides ability to extract keys from HSMs with HSM administrator authority to hand over to anyone and even for themselves. EnigmaBridge took quite a while to realize that Amazon (in bed with U.S. ICs), will not think twice to reveal the user enrolled "HSM protected" key.

It is known that Amazon's CloudHSM uses Safenet Luna HSMs and the security level is set to FIPS 140-2 Level 2. What it means is the keys stored in the HSM CAN BE RETRIEVED. A Level 3 and above prevents retrieval and even then, Amazon is free to lie about the security level and can spoof as FIPS 140-2 Level 3 or 4 (prevent retrieval of keys) and even then Amazon could also lie about whether HSMs are actually deployed as there is very little that they can't do to spoof the HSMs' existence.

Also, the idea of a public cloud-based HSM service is a very bad idea as it means that you are surrendering critical cryptographic material to someone whom you don't really know well and even then it is bad idea to handover any security critical materials to anyone trusted or not.

Also, Enigma Bridge claims their setup for their CloudHSM is FIPS 140-2 Level 4 and it's secure. Yet another obvious snake oil again.

The best security measures are for the customer to purchase or build their own HSMs and deploy it themselves in their own environment and not anywhere else in the context of HSM deployment.

Enigma Bridge and other Cloud HSM solutions will be added to incoming Hoilydays list.

Link: https://dan.enigmabridge.com/does-amazon-want-to-control-all-encryption-keys/

May 26, 2017 10:59 AM

Sean on Security and Human Behavior (SHB 2017):

Fun to read, as I am personally a social psychologist, interested by cybersecurity, its technical and, of course, psychological aspects. If I'm following this blog, besides Bruce's very valuable articles, it's also to read all different comments.

Of course, as so, I am not skilled, or not enough, in technical aspects to figure everything out, but yes, I couldn't disagree with the absolute complementarity of both domains in the security field comprehension. The combination is absolutely fascinating.

That is to say, this article fits perfectly my point of view!

May 26, 2017 10:02 AM

Call Girl on Security and Human Behavior (SHB 2017):

Computer security needs to be logically sound and impartial to human feelings.

The psychological analysis of motives for breaking into others' computer systems belongs to the realm of law enforcement and is relevant after the fact of the break-in.

I am sad to see that this blog has strayed so far from the bits and bytes of actual computer security.

May 26, 2017 8:58 AM

vas pup on Security and Human Behavior (SHB 2017):

Some additional recent input on psychology and risk taking:http://www.pbs.org/newshour/bb/risk-means-reward-angry-ceos-dominate/

May 26, 2017 8:25 AM

Nick P on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

@ ab praeceptis

Nice experience report. :) I got another person, doubec, trying to learn SPARK. That user posted this report of their semi-automated style of proof on red-black trees. Meanwhile, I went to find out what Ada had on temporal safety vs Rust as I previously heard you eventually resort to unchecked deallocation if there's a lot of memory moving around. Plus, the Ravenscar restrictions are quite long compared to Rust's borrow checker which is 3 rules and 2 "traits" for concurrency. They really need to steal the safety system of Rust. Pushing them on Reddit and comp.lang.ada got interesting results:

Rust's temporal safety for Ada/SPARK

The bad news is the responses largely sucked. The difference between how they handle a question like this and how the Rust people handle it explains a lot about why only one has momentum. One thing I say everyone should steal from Rust that's non-technical is how they do community building to create momentum. In the Ada threads I encountered, quite a few didn't seem to get the basic question or focused excessively on concurrency part. So, there aren't many people following the main forum daily that can handle advanced questions about the language. Contrast to Mozilla having a whole team of people scouring Google Groups, Hacker News, Reddit, and so on answering questions. Then, I'm getting procedural stuff that doesn't quite explain itself to a lay audience. The Rust team puts tons of effort into writeups on about any aspect you can think of. Independent parties do as well given the momentum they create naturally leads to that. If you're curious, I eventually provoked a Rust team member enough that he dropped an ad-hoc guide to doing it. :)

Now, the bad parts aside, the good news that might appeal to you most is a knowledgeable person from AdaCore did show up. Yannick seems to show up on a lot of these threads. He told me the following:

"In fact, we currently have at AdaCore an intern working with us on the inclusion of Rust-like pointers in SPARK. He has reached a first milestone which was the description of suitable rules to include safe pointers in SPARK, which have convinced the SPARK Language Design Group at AdaCore and Altran UK (the small group working on the evolutions of the SPARK language).

He's now working with us and researchers from Inria team Toccata to give a mathematical semantics to the notions that we're using for these safe pointers: move (on assignment mostly), borrow (on parameter passing for mutable objects) and observe (on parameter passing for immutable objects). We have also started looking at the concrete implementation of these rules in GNATprove (the SPARK analysis tool).

In this work, we don't target everything that the Rust borrow checker does:

- we leave accessibility checking (the lifetime checking in Rust) to the compiler, using existing Ada rules, plus some restrictions in SPARK to avoid the need for dynamic accessibility checks

- we leave nullity checking to proof (a Verification Condition will be generated for dereference of possibly null pointers), with the help here of Ada non-null types that reduce the need for such proofs. Given that pointers are always initialized to null in Ada, there is no need to separately deal with initialization.

- we ignore the problem of memory leaks (which could be tackled later as an extension of the current scheme)

So the main issue that we really address with this work is the issue of non-aliasing. Or rather the issue of problematic interferences, when two names, one of which can be updated, are referring to the same memory location. We're focusing on this issue, because it is the one preventing inclusion of pointers in SPARK, as for formal analysis we rely on the ability to perform modular analysis, where we make assumptions on the absence of problematic interferences.

But since our solution to non-aliasing is based on this Rust-like notion of ownership of pointers, the same solution will also forbid use-after-free or double-free.

This work is ongoing, we will certainly let the community know about our progress after the summer."

Also confirmed that they'll try to extend it further in the language if this experiment succeeds. You can already see they're not investing enough, though, given they have one intern while Mozilla dropped an entire team on the problem. At least it will improve.

May 26, 2017 8:18 AM

Rachel on Ransomware and the Internet of Things:

@ Dan H

thanks for the history lesson, very helpful. Clive can explain it all much better than me, but I guess that explains why the US was funding both sides of the war, And why the US poachhed all the nazi scientists and tech as quickly as possible in exchange for immunity. Oh and IBM was involved in other activities with their punch cards that still affect every person today, but thats another story. And thats just the absolute tip of the iceberg
Appreciate the lucidity, in exchange you may appreciate this

https://www.youtube.com/watch?v=bjeq3NYUw2M

May 26, 2017 8:16 AM

Skeptical on Extending the Airplane Laptop Ban:


Without knowing more about the precise nature of the threat and the purpose of the restrictions, one does not have sufficient evidence to call this security theatre.

First, the tactical efficacy of the weapon may require it to be used in the passenger cabin of the aircraft - anyone with imagination can think of several possible ways in which this might be true.

Second, the nature of the weapon may be such that the knowledge and skill requisite to creating it are not widespread, that any such weapons currently extant are likely within given areas, with declining orders of probability beyond those areas, and that operations are underway to extinguish the source(s) of the weapon design and proper use, and to identify and destroy instances of such weapons.

Such operations may require some time before they can confidently be assessed as successful. In the meantime, discouraging those who possess it by preventing them from carrying it into the environment where it can be effectively used seems wise. Furthermore, the travel restrictions may simply discourage those with limited resources and time from investing further in this line, and to focus on other things instead.

Third, if some are correct that such measures contain obvious holes that could prove to encourage the use of the weapon, then one must consider the possibility that this could be theatre in a different sense than that intended - a non-pejorative sense.

May 26, 2017 8:11 AM

Bruce Schneier on Security and Human Behavior (SHB 2017):

"sorry to rain on your parade here, but please throw the psychs right outta there!"

Don't be ridiculous. The whole point of starting this workshop was to have psychologists and computer-security researchers talk to and work with each other. It's been a fascinating conversation and has resulted in some excellent research, and we're all pleased that it continues.

May 26, 2017 7:55 AM

The Less Changes The More Secure on Ransomware and the Internet of Things:

Almost all of the software updates are really just changes. Take Windows which goes round-n-round back to similar designs it had years ago.
The churning is really for data-mining to monetize the product (people).

True technology changes are MUCH slower. For example Intel has stalled-out and STILL not provided 4K display support.

This is why I use the Linux kernel/operating system. They focus is on making technology improvements to support new hardware and security features.
In contrast the Windows updates rarely benefit customers.
If MS quit making so many worthless changes, Windows security would improve dramatically.
This week we learn MS does not respect the privacy settings even in the Enterprise Edition. Or Google not respecting student privacy. The cycles continue to worsen as the hand-fed addicts continue to propel stock prices.

The two most popular technologies are proprietary phones and Windows. Both keep their customers captive and vulnerable.
One frequently should issue security updates but instead pushes the customer into purchase new hardware.
The others thrashing creates new vulnerabilities to force customers to submit to even more intrusive data-mining. Customers cannot pick just the security patches or even know what they contain.

Now our whole economy is dependent upon these wickedly flawed corporate shareholder-value cycles. The terrorists are NOT being stopped either. Instead the secret data-mining is used for the next promotion or as a political weapon.

My guiding principle is the less code changes, the more secure it can be made.

My guiding strategy is to obscure my computer hardware, operation system and location by feeding random user agent strings from a locked-down browser. Its very effective hiding behind a VPN DD-WRT double firewall router.

May 26, 2017 7:54 AM

Robin on Ransomware and the Internet of Things:

@DanH:

"The best security for IoT is to realize the refrigerator and garage door opener don't have a need to be connected." That I can agree with, at least as a first approximation.

Unfortunately the rest of your post pretty much makes @Clive's point:

"Many people in the US consider their nation to be "The Good Guys" whilst atleast as many if not a lot more outside the US consider the US to be "The Bad Guys"."

The USA eventually came in on the side of the allies in both World Wars, but arguably it was the USSR which drained the resources of the German Army in WW2 which turned the tide, which you do not mention at all.

But heck, this is ancient history.

As for people migrating to the US that is no sort of an argument; people will swear allegiance to a mafia boss if that seems a sensible course of action.

May 26, 2017 7:01 AM

Dan H on Ransomware and the Internet of Things:

@Clive

You and the rest of Europe don't speak German today because the US - twice - had to fight to keep you free. While the US was fighting in Europe in WWII, there was also a war in the Pacific that was primarily fought only by the US with some help from Canada, the UK, Australia. But the contribution of those countries wasn't near the help Europe received twice from the US.

Also, if the US is the "bad guy," then why is the United States the top country for receiving migrants? When do you hear someone saying they want to migrate to Mexico, China, Guinea, Peru, Syria, Guatemala, Panama, Cambodia, etc.? According to the UN, France, the UK, among others, promoted policies to lower immigration into their countries.

Where did Albert Einstein, who was born in Germany, migrate? To the bad guy, the United States.

The best security for IoT is to realize the refrigerator and garage door opener don't have a need to be connected.

May 26, 2017 6:51 AM

Jeunese Payne on Security and Human Behavior (SHB 2017):

I genuinely have no idea what "game" you are accusing me of or what "certain questions" women might ask to get a particular position. I also at no point advocated women getting a job just because they are a woman. I pointed out the evidence for the existence of "gender problems" and its cultural underpinnings, and objected to the term "psychobabble" mentioned earlier in the comments.

May 26, 2017 6:42 AM

ab praeceptis on Security and Human Behavior (SHB 2017):

Jeunese

Playing that game with me is futile. I assume that there are indeed differences between the average man and the average woman - but that does not at all mean that there are no women who are as fit as men in "male" fields.

You see, I was in fact quite engaged myself regarding *really* disadvantaged women. I did quite a lot to help them and, more importantly, to make sex a non criterion re. tech jobs. And I do not at all regret what I did then. Knowing that I helped some qualified women to be properly treated, respected (and earning!), and having a fair chance to climb up still satisfies me.

What makes me very quickly say "f*ck off!" today is that whole gender thing, all that activism, womens quota and the like. Seeing uni decans who got their position for only one reason, namely that they are women (and otherwise *obviously* incompetent stupid political XXXXXXX) makes me aggressive because it means that we simply replaced one sex for another but still have sex as a major criterion.

I still wouldn't care if I had a man and woman apply for a tech job. I'd simply look at their competence, knowledge, and abilities. I would, however, instantly say bye to any woman trying any gender games (asking certain questions, etc).

May 26, 2017 6:26 AM

JG4 on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:


@Ministry of Truth - Thanks! You might try reposting paragraphs of the weaponized satire as a way of probing what is over the limits.

@Clive - Thanks for the nice exposition of engineering history. There is a useful treatment of that and more in Petroski's book, To Engineer is Human.

www.nakedcapitalism.com/2017/05/links-52617.html
...
Imperial Collapse Watch

The U.S. Intelligence Ship Is Too Leaky To Sail Bloomberg (resilc)

Big Brother is Watching You Watch

Florida GOP consultant admits he worked with Guccifer 2.0, analyzing hacked data ars technica (martha r)

About Face: DMV Lets Cops Search Database of Driver’s License Photos Seven Days (Chuck L)

Cartoon: The Internet of Ransomware Things Geekculture. EM: “The broom was my personal favorite.”

May 26, 2017 6:07 AM

Jeunese on Security and Human Behavior (SHB 2017):

Very common arguments are being made here -- that women are self-selecting, the emphasis being on internal differences. However, there is no reason why this should be so. Before high school, girls usually outperform boys in all subjects, including maths and science (Halpern et al., 2007), and tend to engage less in these subjects over time, not because they are incapable, but because they believe that they have to hold themselves to an even higher standard in male-dominated subjects (Hill et al., 2010). They are thus subject to 'stereotype threat', which you can easily find evidence of. (Perhaps you would prefer me to call this "psychobabble"?)

It has a cultural underpinning. For example, the magnitude of sex differences in maths performance negatively correlates with gender inequality in a given country. It's not that women *can't* deliver technically. There are more similarities than differences in the cognitive abilities of men and women (Hyde, 2005). There is a self-fulfilling prophecy at work here.

What is dismissed within quotation marks as "gender problems" is actually a real thing, evidenced in your impulsive "f*** off" reaction to it even being suggested.

And when women do make it to the highly regarded (and not coincidentally male-dominated) technical fields instead of the female-dominated "psychobabble" fields of study, they can expect to be paid less, funded less, make sacrifices for family, and accept sexism as a norm (disclaimer: *disproportionately to their male colleagues*).

May 26, 2017 5:59 AM

ab praeceptis on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

Clive Robinson

Haha! Your description of the Victorian boiler makers, and wheelwrights pretty well match major parts of the software industry, too, it seems. "bodge it and cludge which boiled down to work it till it breaks then bolt on a cludge and work it again" puts it quite well, doesn't it.

"as you probably know crypto algorithms have issues when used as PRNGs." - oh yes, and how well I know that. On the other hand, what are we to do (other than using trngs which for some reason are rarely available on mainboards ...)? Them mersenne twisters, xor shifters and linear shifters have good random properties and speed (in good cases) but are utterly simply predictable. The cs-prngs are very hard to predict (well, that's their whole raison d'ètre) but bloody slow and/or plagues by poor random properties.

Funny that you mention state space, which is both an ugly maladie and rarely noticed. Surprising, it seems to me, looking at cache sizes and multithreading systems. In other words: Unless your state doesn't fit in one cache line chances are that you have an attack surface on your algorithms a**. Unless you desire a bad day I suggest to not look at widely used crypto ... (states spaces of kilobytes are quite common (as is memcmp and other bad sins)).

"ARC4" - Oh there are many who made that choice and it seemed not that bad then; nothing to be ashamed of. OpenBSD used it, too. Today we know better. Btw, the prng I've implemented has a state space that fits easily in a cache line and with some effort it fits even in the register set (which, of course, is very strongly desirable).

"prefering hard science graduates over CompSci graduatee" - Hmmm, my personal approach is to go with seasoned CS people but to have some mathematicians on the team, too. In bad cases I end up being the "joint" myself but I've had cases where a CS colleague (with strong math inclination) and a math colleague with solid CS experience/inclination did very well.
The reason for my approach is that we usually absolutely need a good link between the two and also the typically used tools must be "digestible" and produce digestible output, because in the end it ends up in the code. Which btw is another reason why I really love sparked Ada; it brings together the math and the code very comfortably (well, it's on a good way at least). But I get your point.

May 26, 2017 5:31 AM

Clive Robinson on Did North Korea Write WannaCry?:

@ gordo,

As ICIT rightfully points out, such attribution speculation takes the focus off of issues that can, should and need to be addressed.

Yes, there is always more behind things than are generaly visable. The problem is though if somebody claims to have seen behind the curtain and makes certain claims how do you go about verifying them.

For instance this got sent to my wokspace a short while ago,

http://www.voltairenet.org/article196455.html

How to go about verifying not just parts or the whole, but also the context it aims to set.

May 26, 2017 5:29 AM

ab praeceptis on Security and Human Behavior (SHB 2017):

Alice Hutchings

I assume that is partly to do with the women themselves, particularly those endlessly unnerving others with gender problems.

Speaking for myself I can say that I don't care a rats a** about male or female; I'm interested exclusively in competence and brains and there were situations in my professional life where I made this understood quite bluntly to male colleagues.
That said, as soon as anyone starts blabbering about "gender problems" I'm completely in aggressive "f*ck off!" mode within a split second.

I guess that's the result of too much and too long abused patience and good will from my side and too many women blabbering too much about gender problems and delivering too little on the technical side.

You might consider this a "male dominated system" but from what I saw the most promising way for women is the same as that for men: Deliver good work. Simple as that.

"Gendering Cybercrime"? A joke I assume.

May 26, 2017 5:12 AM

Clive Robinson on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

@ ab praeceptis,

I'm gaining more and more confidence that we might escape into a safer future. But I also see that there is mountains of work before us. Nevertheless, medium gray is still much better than pitch black.

Oh there's a little colour in their to if you look carefully you get the occasional jem.

One big problem that is not much talked about is "haste" in software development. Creation in art, science or engineering is actually a thoughtful endeavor and as has been discussed here briefly in the past elegance is a metric of fitness, that we have yet to quantify in a non abstract way. Throwing things together in overly short time scales gives rise to inelegance. I frequently mention the Victorian boiler makers, and wheelwrights. The wheelwrghts artisanl method of small incremental improvment gave rise to a pattern that if followed would provide a serviceable wheel for carts and carriages. The boiler maker however had no history to give them patterns, they only had "bodge it and cludge" which boiled down to work it till it breaks then bolt on a cludge and work it again, looping around untill it stops breaking. The results were as you would expect not just inelegant but down right ugly. There was also a side effect of deaths by boiler explosions. This got to the point wher the British Parliament had to act. The result was the gentlemen of science and the artisan blacksmiths had to meet and the result was engineering (look up the history of "The ring of iron").

If we now look at programing we can see scientists and we can see smiths and wrights, and a degree of artisanal behaviour. But as of yet no real engineering, so software development is mainly in the "bodge it and cludge" endless iterative loop. To make things worse, few can see the shape of software, even those who crank it out, thus the deformed morass of cludges essentialy remains hidden in the dark and festering like a rotting corpse. Few actually shine a light on it and clean up the stygian mess, instead they slap on yet more cludges as though necrotic code could be hidden by a wart and thus ignored.

Few dare mention the driver behind this state of affairs which is the cries of "faster faster from the bridge, as the bottom gets torn from the ship, and the crew frantically bail". There are many to blaim but the likes of Microsoft stand prominent in many peoples minds for the pushing of vapourware that needs endless patching. That in turn infected an entire industry and the techical debt becomes a tsunami of world girdling proportions. Thus we need to slow down and get the artisans to meet the scientists and become engineers. The problem is how to get out of the ship, and stop frantically bailing to keep your nose above water, because from the bridge of every other ship you hear "faster faster", as the world becomes a "Red Queen's race to the bottom". Even Bill Gates discovered that things had gone to far even for a Hercules and the stygian mess will remain in the Augean Stables that is the software industry.

With regards PRNG's it's not just the speed issue it's also the minimal memory requirment as well. It has often struck me as odd, that we know that "entropy" is based on redundancy yet we demand a state behind all PRNGs with minimal redundancy. Back in the 1990's I had reason to be designing PRNG's and as you probably know crypto algorithms have issues when used as PRNGs. Thus you end up with either ridiculously large block ciphers or chains of algorithms where one acts as a CS-CNT to feed the data in of a block cipher and another CS-CNT drives the key in and runs at speed that is a very small fraction of the data CS-CNT.

As I've mentioned here before I ended up using a modified version of ARC4 where the Sarray was 1024 elements long but the output was still only a byte in size. Further I modified the update algorithm such that the Iptr got jumped every so often by the adition of ten bits from a BBS generator. I did also modify the output algorithm such that it ran in the key fill mode, with the input from a Mitchell-Moore generator. The performance like the speed was good but... There were moans about the usage of memory which was 1026bytes for ARC similar for BBS and a hundred or so for the Mitchell-Moore generator, all to produce an apparently endless stream of bytes...

There are a number of ways you can look at your use of Ada, but in effect the process was taking time to think or of using a formal method both of which are a step towards the engineering approach, but the road is long, and the journey but a few steps started.

It's also why I'm known for prefering hard science graduates over CompSci graduates. Because not only do they have a solid science/engineering background, they have actually had to use software in anger for real engineering tasks. Thus they are more in Bacon's mold not that of Descartes which CompSci grads appear to favour.

May 26, 2017 5:01 AM

Alice Hutchings on Security and Human Behavior (SHB 2017):

The chapter I co-wrote with Chua 'Gendering Cybercrime' explains how women face barriers when it comes to being taken seriously in such a male-dominated field. Patriot COMSEC demonstrates succintly that these barriers are not just faced within deviant communities, but also within the security industry more generally.

May 26, 2017 3:51 AM

Pedro Fortuna on Ransomware and the Internet of Things:

@Clive
Yes, I do realize telling who are the "good guys" is extremely tricky, to say the least. Even the gov engages in mass surveillance activities, using undisclosed vulnerabilities as cyber weapons, and thus becoming the "bad guys" in the eyes of many people.

Another model could be, as part of the code escrow service, companies would have to specify either a security company or a panel of security practitioners they trust, external to the company, that would have access to the code in the case of bankruptcy, and that would become responsible for the security of that code. They would be liable if it is determined that no efforts were done to audit the security of the code after the bankruptcy. Obviously, they would need to get paid for assuming that responsibility.

May 26, 2017 2:19 AM

Patriot COMSEC on Security and Human Behavior (SHB 2017):

It sounds fascinating.

The first link in the piece above is interesting because it identifies the speakers and shows some of their work. Perhaps I had bad luck, but I picked out and read three articles: Lydia Wilson's comments on ISIS are off the mark because they are typical of a shallow Western-centered view; Elizabeth Stobert's piece on Expert Password Management is not very interesting, and it could be summarized in one sentence, with a yawn; and worst of all is Yi Ting Chua's piece about "Gendering Cybercrime"--I am sorry to say it, but if you want a laugh, read the first paragraph. It is so bad that it is good.

I hope the discussions at the conference are not as vacuous as the three pieces I just read.

May 26, 2017 12:58 AM

oliver on Security and Human Behavior (SHB 2017):

Hi Bruce,
sorry to rain on your parade here, but please throw the psychs right outta there!
They have nothing usefull tzo contribute at all.
Just mindless psycho-babble.

May 25, 2017 9:20 PM

gordo on Did North Korea Write WannaCry?:

@ Clive Robinson,

"Measure twice, cut once" is not a bad practice. The usual suspects, however, yourself included, do call out confirmation bias at speed.

It seems to me that at one time threat-actor profiling might have been more reliable as there were fewer players on the field. Code-cutting and other TTP's are now interchangeable and proliferating.

It seems to me, as well, that non-attribution attribution, i.e., evidence-free or evidence-lite assertion, if not outright fake news, conjecture at best, is also spreading.

As ICIT rightfully points out, such attribution speculation takes the focus off of issues that can, should and need to be addressed.

Last, a timely quote from Ross Anderson:

There have been newspaper editors who played the man not the ball. Is this going to become the new normal and, if so, what happens to democracy?

https://www.edge.org/conversation/ross_anderson-the-threat

---

The above interview is blogged on Schneier on Security at: https://www.schneier.com/blog/archives/2017/05/interview_with_24.html

May 25, 2017 9:15 PM

ab praeceptis on Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland:

Nick P, Clive Robinson, Thoth et al.

Today, after lots and lots of research and of work I dare to say that it's not all dark.

The 3 main reasons for my, albeit still modest, hope are the following:

- thanks to Snowden, Assange, Wikileaks and many others we have a changed situation. Sure, there are also factors working against us, the worst one being the smartphone swamp, and Joe and Jane are either blissfully or ignorant or helpless anyway. But generally the situation changed to the better, particularly because have begun to grow up (as I call it). There are more and more people who don't handle IT as the new wild west but who are beginning to understand how important safety and security are.

- More and more available and better hardware, particularly processors. While I like Risc-V it's not even about that specific processor but about having alternatives to x86 and arm and about better chip design and verification.
Unfortunately, the very chips we are supposed to trust most, namely "trusted stuff" like sim and hsm processors are badly tainted, even poisoned, by java but not all hope is lost; maybe sometimes soon companies like nxp or infineon wake up and offer alternative methods of (direct) access rather than having to go through a java crap layer.

- Lots of progress one the software side. Granted, most of it is not yet in a generally and widely usable state but we are on a good way.

Being at that let me report about some of my own experiences.

The task I chose (well the most current one besides my everyday professional work) was a high quality prng (I already hinted at that). The reason is simple: If I had to pick the one "lego" brick that makes or breaks encryption schemes I'd invariably end up looking at prngs. And I understand perfectly well why nsa chose to taint rc4 ...

One of the classical problems is that you can either have a fast prng or a good one, i.e. one that is very hard to predict. There is plenty more or less crappy but quite fast ones (e.g. the xorshift family) and there are quite some cs-prngs of high quality but those tend to be snail-slow (and btw. often do *not* have good random properties). Gladly though that's less bad than it seems because one could - and does - use csprngs to seed (and sometimes also to occasionally reseed) crappy but fast prngs. If there wasn't the problem that pretty all of the fast ones are so utterly crappy (predictable, biased, bad distribution, etc) that they are *very easily* predictable ("crackable").

The algorithm itself showed itself to be impeccable and even elegant (no, it's not mine) but the reference implementation (in C/C++, "of course") has diverse problems; some of them quite grave, most probably not so significant.

This is reporting about my work to implement it in sparked Ada. I myself spotted just 1 (grave) error in the ref. implementation, the rest was spotted by Ada, which I intentionally provoked by "stupidly" translating the C[++] ref. code as verbatim as possible. The kind of errors and problems I found was what I would consider typical for C[++]. Plus the whole thing was brutally lacking in elegance (don't underestimate that! Elegance is a quite reliable indicator of design quality).

So I started all new, based only on the algorithm and completely ignoring the ref. implementation. Result (after just a few days work, most of it thinking): Much more elegant (quite well matching the elegance of the algorithm) and almost no "red" (Gnats error marking).

But it gets better. The Ada compiler also grumbled at me when I had a variable that could be a constant and things like that. Excellent!

When I was all but done and running my test cases (in particular also testing for reference comformity) it soon blew up with a constraint error. It was code generated by Spark to runtime check a precondition. I mention this and find it interesting because it points at a very interesting spot, namely that the designer in me had formulated a precondition that was perfectly right but the programmer in me still had some bad old habits...
Side remark: Currently Spark brings quite many buts and ifs along and the kind of (very low level) code I was working on did not allow for static verification of some parts, so I had to have runtime checks created at least for the development version.

Another result that might be particularly interesting to many: My Ada code runs about as fast a C[++] code but I have to be fair and mention that that not the full truth. To achieve that result I needed quite some experience with Ada (e.g. trying to avoid implicit 2nd stack allocations) and with diverse tricks of the trade (e.g. when and what to inline). But then, the good result could be achieved and was achieved. That's an important message. Using Ada does *not* make your code slow.

All in all I feel confident enough to not just laugh at them if, say a nation state, asked me whether a trustworthy basic OS incl. the major libraries typically neeeded could be created with reasonably low resources and in a reasonable amount of time.

I'm gaining more and more confidence that we might escape into a safer future. But I also see that there is mountains of work before us. Nevertheless, medium gray is still much better than pitch black.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.