Why Is Quantum Computing So Hard?
Blog post (and two papers) by Ross Anderson and Robert Brady. News article.
Note that I do not have the physics to evaluate these claims.
Page 487
New York Times Hacked by China
The New York Times hack was big news last week, and I spent a lot of time doing press interviews about it. But while it is an important story—hacking a newspaper for confidential sources is fundamentally different from hacking a random network for financial gain—it’s not much different than GhostNet in 2009, Google’s Chinese hacking stories from 2010 and 2011, or others.
Why all the press, then? Turns out that if you hack a major newspaper, one of the side effects is a 2,400-word newspaper story about the event.
It’s a good story, and I recommend that people read it. The newspaper learned of the attack early on, and had a reporter embedded in the team as they spent months watching the hackers and clearing them out. So there’s a lot more detail than you usually get. But otherwise, this seems like just another of the many cyberattacks from China. (It seems that the Wall Street Journal was also hacked, but they didn’t write about it. This tells me that, with high probability, other high-profile news organizations around the world were hacked as well.)
My favorite bit of the New York Times story is when they ding Symantec for not catching the attacks:
Over the course of three months, attackers installed 45 pieces of custom malware. The Times —which uses antivirus products made by Symantec —found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
Symantec, of course, had to respond:
Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.
It’s nice to have them on record as saying that.
EDITED TO ADD (2/6): This blog post on Symantec’s response is really good.
Anti-Drone Clothing
Clothing designed to thwart drones.
Proactive Defense Papers
I just printed this out: “Proactive Defense for Evolving Cyber Threats,” a Sandia Report by Richard Colbaugh and Kristin Glass. It’s a collection of academic papers, and it looks interesting.
Security Seals
I don’t see a lot written about security seals, despite how common they are. This article is a very basic overview of the technologies.
Using Imagery to Avoid Censorship
“It’s really hard for the government to censor things when they don’t understand the made-up words or meaning behind the imagery,” said Kevin Lee, COO of China Youthology, in conversation at the DLD conference in Munich on Monday. “The people there aren’t even relying on text anymore It’s audio, visual, photos. All the young people are creating their own languages.”
Friday Squid Blogging: Squid Anchor
Webpage says that it’s “the most effective lightweight, portable anchor around.”
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Pentagon Staffs Up U.S. Cyber Command
The Washington Post has the story:
The move, requested by the head of the Defense Department’s Cyber Command, is part of an effort to turn an organization that has focused largely on defensive measures into the equivalent of an Internet-era fighting force. The command, made up of about 900 personnel, will expand to include 4,900 troops and civilians.
[…]
The plan calls for the creation of three types of forces under the Cyber Command: “national mission forces” to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; “combat mission forces” to help commanders abroad plan and execute attacks or other offensive operations; and “cyber protection forces” to fortify the Defense Department’s networks.
This is a big deal: more stoking of cyber fears, another step toward the militarization of cyberspace, and another ratchet in the cyberwar arms race. Glenn Greenwald has a good essay on this.
Jared Diamond on Common Risks
Jared Diamond has an op-ed in the New York Times where he talks about how we overestimate rare risks and underestimate common ones. Nothing new here—I and others have written about this sort of thing extensively—but he says that this is a bias found more in developed countries than in primitive cultures.
I first became aware of the New Guineans’ attitude toward risk on a trip into a forest when I proposed pitching our tents under a tall and beautiful tree. To my surprise, my New Guinea friends absolutely refused. They explained that the tree was dead and might fall on us.
Yes, I had to agree, it was indeed dead. But I objected that it was so solid that it would be standing for many years. The New Guineans were unswayed, opting instead to sleep in the open without a tent.
I thought that their fears were greatly exaggerated, verging on paranoia. In the following years, though, I came to realize that every night that I camped in a New Guinea forest, I heard a tree falling. And when I did a frequency/risk calculation, I understood their point of view.
Consider: If you’re a New Guinean living in the forest, and if you adopt the bad habit of sleeping under dead trees whose odds of falling on you that particular night are only 1 in 1,000, you’ll be dead within a few years. In fact, my wife was nearly killed by a falling tree last year, and I’ve survived numerous nearly fatal situations in New Guinea.
Diamond has a point. While it’s universally true that humans exaggerate rare and spectacular risks and downplay mundane and common risks, we in developed countries do it more. The reason, I think, is how fears propagate. If someone in New Guinea gets eaten by a tiger—do they even have tigers in New Guinea?—then those who know the victim or hear about it learn to fear tiger attacks. If it happens in the U.S., it’s the lead story on every news program, and the entire country fears tigers. Technology magnifies rare risks. Think of plane crashes versus car crashes. Think of school shooters versus home accidents. Think of 9/11 versus everything else.
On the other side of the coin, we in the developed world have largely made the pedestrian risks invisible. Diamond makes the point that, for an older man, falling is a huge risk, and showering is especially dangerous. How many people do you know who have fallen in the shower and seriously hurt themselves? I can’t think of anyone. We tend to compartmentalize our old, our poor, our different—and their accidents don’t make the news. Unless it’s someone we know personally, we don’t hear about it.
EDITED TO ADD (2/21): George Burns fatally fell in the shower at age 98.
The Eavesdropping System in Your Computer
Dan Farmer has an interesting paper (long version here; short version here) discussing the Baseboard Management Controller on your computer’s motherboard:
The BMC is an embedded computer found on most server motherboards made in the last 10 or 15 years. Often running Linux, the BMC’s CPU, memory, storage, and network run independently. It runs Intel’s IPMI out-of-band systems management protocol alongside network services (web, telnet, VNC, SMTP, etc.) to help manage, debug, monitor, reboot, and roll out servers, virtual systems, and supercomputers. Vendors frequently add features and rebrand OEM’d BMCs: Dell has iDRAC, Hewlett Packard iLO, IBM calls theirs IMM2, etc. It is popular because it helps raise efficiency and lower costs associated with availability, personnel, scaling, power, cooling, and more.
To do its magic, the BMC has near complete control over the server’s hardware: the IPMI specification says that it can have “full access to system memory and I/O space.” Designed to operate when the bits hit the fan, it continues to run even if the server is powered down. Activity on the BMC is essentially invisible unless you have a good hardware hacker on your side or have cracked root on the embedded operating system.
What’s the problem?
Servers are usually managed in large groups, which may have thousands or even hundreds of thousands of computers. Each group typically has one or two reusable and closely guarded passwords; if you know the password, you control all the servers in the group. Passwords can remain unchanged for a long time—often years—not only because it is very difficult to manage or modify, but also due to the near impossibility of auditing or verifying change. And due to the spec, the password is stored in clear text on the BMC.
IPMI network traffic is usually restricted to a VLAN or management network, but if an attacker has management access to a server she’ll be able to communicate to its BMC and possibly unprotected private networks. If the BMC itself is compromised, it is possible to recover the IPMI password as well. In that bleak event all bets and gloves are off.
BMC vulnerabilities are difficult to manage since they are so low level and vendor pervasive. At times, problems originate in the OEM firmware, not the server vendor, adding uncertainty as to what is actually at risk. You can’t apply fixes yourself since BMCs will only run signed and proprietary flash images. I found an undocumented way of gaining root shell access on a major vendor’s BMC and another giving out-of-the box root shell via SSH. Who knows what’s on other BMCs, and who is putting what where? I’ll note that most BMCs are designed or manufactured in China.
Basically, it’s a perfect spying platform. You can’t control it. You can’t patch it. It can completely control your computer’s hardware and software. And its purpose is remote monitoring.
At the very least, we need to be able to look into these devices and see what’s running on them.
I’m amazed we haven’t seen any talk about this before now.
EDITED TO ADD (1/31): Correction—these chips are on server motherboards, not on PCs or other consumer devices.
Sidebar photo of Bruce Schneier by Joe MacInnis.