Schneier on Security

Clive Robinson • April 16, 2019 9:40 AM

@ David Rudling,

<

blockquote>Did someone at the NSA or similar really earn their bonus that time?

With “finese” obviously.

I’ve seen it happen so many times, it’s not only not any longer a surprise, but I actively go looking for it in the notes of meetings in standards committees etc.

As I’ve remarked befor look out for the “Health and safety” argument, it’s just like the “Think of the children argument” based at best on extream or fanciful imaginings of dire consequences that are “Statistical improbabilities” at best, or as our host has named them in the past “Security Theater”. However the real point is the argument is designed to be “unarguable against” because if you challenge it they then trot out how evil you are because you want children to be injured, maimed, disfigured, abused, killed, etc, etc…

The best thing to do is make notes such that at future times you can just discredit them just as vociferously, and make very public their history as “agents of evil intent by a rouge nation state”. It does not stop their little games but it does slow them down.

The thing is you can never win against such people because they live off of your tax dollars, they suffer absolutly no economic or other harm by trying it on repeatedly untill they get what they want. All you can do is “name and shame” and slow them down. But if you get to successful at lifting the corner of the carpet where they hide like roaches, expect them to come out fighting.

Keep your eye on White House national security adviser John Bolton, he is a thoroughly nasty example of their ilk. Who he is actually working for is difficult to tell, but it does not appear to be the current administration in anything but name. Every time I hear him speak, the thought occurs “What genocide is he plotting now”, shortly followed by “And who is going to benift by it”…

Clive Robinson • April 16, 2019 11:17 AM

@ MX,

How should we launch a secure wifi then?

Well as you’ve not been able to do it so far, what makes you think you might be able to now?

The point is secure communications has three asspects you need to consider,

1, Message Content security.
2, Mesage Metadata security.
3, Underlying hardware/OS security.

The first can be done with the right forms of “end to end” encryption, only if the endpoints are secure.

The inherent way that WiFi protocols works means that unless you build some inyeresting network topology over the top of the WiFi and ethernet protocols the metadata can not be made secure, thus traffic analysis can be fairly easily acomplished by even a single person as an adversary.

As for hardware, OS and Application security, it’s effectively non existant. So without some specialized precautions you end points will not be secure. So it does not realy matter how hard you try to make the WiFi asspect of things secure, you will fail to “end run attacks” via IO drivers below the OS kernel and the apps the OS supports that makes the plain text a user sees available to the adversary…

Yup nobody said it was easy, abd the idiom of the “weakest link” still holds sway and in this case it’s the underlying end point securiry negating all the communications security.

Clive Robinson • April 16, 2019 11:41 AM

@ Bob,

At the point that “an adversary is able to observe memory access patterns on a victim’s device,” that device and everything on it, including wi-fi credentials, is already pwned.

Cache usually alow timings of activities in memoryvto become visable to the network simply by sending the target device data.

You don’t have to actually see either the contents of the memory or the addresses at which it’s stored for cache based attacks to leak data.

Look on it as an attack against meta-operations not data/addresses or meta-data/addresses.

You can use such attacks to synchronize timing for other active fault injection attacks. It’s a subject that does not get much talked about, but is a very real threat. In essence if you know the code being executed it has a timing signiture against which it can not only be identified, but it’s future actions identified. If you then cause an error or exception at an appropriate time you can in effect break the atomic nature of blocks of code which can open other vulnerabilities that can be exploited.

Such injection attacks can work against “formaly verified” code because it can cause a change of state that top level checking does not catch. Thus it’s an attack method that “bubbles up” the computing stack.

Clive Robinson • April 16, 2019 6:45 PM

@ David Rudling,

Did someone at the NSA or similar really earn their bonus that time?

Some definitely think so and have named a name who works for the NSA, and point blankly demands the persons removal from post. With an involved “J’Accuse” attached. Whilst not quite upto that published by Emile Zola, it does make the case refrencing back to other NSA employee behaviour and misdeeds with respect the CS-DRBG they back doored…

It’s taken me a little longer to find than I thought it would…

https://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html

You and others might find it interesting reading…

I would have found it sooner but Google has just screwed the pooch re EU and the GDPR data protection regulations in a totally bat shit crazy way. So I’ve tried using another search engine with which I’m not familliar, and I suspect my mutterings although muted somewhat were not as temperate as they could be :$ However having purged Google, I will put in the effort to get the best from the new search engine…

But… It turns out @Ross Snider posted a link back to an earlier thread on this blog and the link I was looking for was on that very page…

Clive Robinson • April 17, 2019 10:47 PM

@ fish,

The reason for dropping Google is their now absolute insistance that you be “data raped” by them.

Prior to this you used to be able to use Google with Javascript and cookies turned off.

Yes unless you went through a VPN they could still track you but it was not as invasive.

But also working with broadband mobile Google sending several packets for each key you press, takes a very big chunk of a dataplan for absolutly no good reason. Also it alows them to do biometric identification by both your typing cadence and any spelling error patterns you might correct…

As Microsoft are just as bad if not worse these days, their offering is also compleatly dissed.

Which leaves DuckDuck… Yes it’s not very good but Google and other Silicon Vally and Seattle based organisations have made it absolutly clear that data rape is their primary objrctive, and that they fully intend to kill off the purpose of the EU GDPR, I’m voting with my feet and they can go take a flying one at each other.

Hopefully a more EU legislation search engine will arise, and thus break the US cartel.

Clive Robinson • April 19, 2019 6:35 PM

@ fish,

I use Tor to reduce the tracking done by Google (yes, they block it sometimes, which is a shame).

Google are not the only ones to block Tor… Certain broadband mobile suppliers also prevent not just Tor but other VPN services…

Even though I am known for a dislike of Tor[1] I would use it or even a –very limited– number of VPN services, to do a subset of things I do.

With regards,

Why not use StartPage? It uses a syndicated feed to Google so the search quality is pretty good (much better than DDG), but doesn’t track you.

I guess it’s something I’m going to look into along with a number of other options. I guess Google caught me “flat footed like the proverbial duck” by the way they changed things. I though based on earlier issues it was just going to be another very visually annoying possibly illegal HCI upgrade.

[1] My issues with Tor are much like they are with Secute Messaging Apps, they all have end point issues that can not realistically be solved with modern system architectures and OS’s (though there are ways if you know what you are doing). Tor also due to wanting to support “interactive” or “real time” communications tries to have very low latency which makes it an easier target for “traffic analysis”. So yes they do increase security, but no you should not think of them as “being secure” because “secure” is a relative term and all told they only give small to moderate increases in security. Unfortunatly journalists and others such as political activists mistakenly believe from the “web secure myth” that both Tor and Secure Messaging are going to keep them safe, they are not. As Chinese spys working for the CIA found to their terminal detriment security on the web is extreamly difficult to achive even for supposed experts… I’ve spent years working with the various meanings of “secure” and communications and I would not trust myself with what I could design for the Internet as it currently is. Because so far I’ve always found ways to break one or more of the “security” meanings. Oh and the laws of physics don’t help, whilst information is neither energy or mass as far as we are currently aware all communications requires energy of some form. Even kinetic energy due to it’s interaction with the environment it’s in ends up “radiating” some coherent part on it’s way to becoming the ultimate form of polution which is heat. Any coherent signal that radiates can be received by anyone with appropriate technology[2] which can be a lot further in range than you might expect.

[2] Back shortly after WWII in the UK scientists discovered radiation reflected not just from man made objects, such as aircraft but “heavenly bodies,as well. It was discovered whilst looking for Russian military signals bouncing off of metal skined aircraft. Not only did they get signals bouncing from aircraft in the “Berlin Air Corridors” they also found military signals bouncing of aircraft over the Russian heartland, and the moon. Both are something Amateur Radio practicioners carry on with today. With formally deep pockets were required for “Earth Moon Earth” (EME) working, new transmittion modes designed by a Nobel Prize winner have brought it into most Hams pocket book range. Whilst some with realy big antennas have worked “Earth Venus Earth”(EVE)

Clive Robinson • April 23, 2019 5:39 AM

@ fish,

The real issues are people misusing it or assuming it protects against attacks which it does not.

That is the nub of the problem, but what is it’s cause?

From my view it is a lack of information as usefull knowledge. In effect it creates a vacuum in which myths appear, echo and become accepted facts. Even though they are no such thing.

Ignoring Tor for a moment, there was a short while ago a lot of trumpeting about secure messaging apps, especialy those developed around the work of Moxie MarlinSpike. Yes he had put in a lot of work in certain areas, and that may have made those areas of a greater level of security, many apprare to think so and made public comment to that effect.

I made myself unpopular by pointing out that the applications were not secure…

Why did I say that? Because it was true. If those singing the prases of the areas Moxie had worked on, and taken a step back and viewed the whole system as I had done then they perhaps would have been more cautious in their praise.

When I look at the security of a system I look at it from “human to human” rather than just one or two of the very many links in the whole chain.

The apps like all apps had the issue that they ran on insecure platforms. It was known from several years before that malware writers had successfully attacked banking apps by putting I/O shims in between the app and the screen and keyboard, this enabled the attackers from other parts of the communications system, to in real time control what the application user saw on their screens, and change what they typed going into the application that got sent to the bank. The user thought they were paying the electricity bill, but the bank got told to transfer a large part of the account balance off to the attackers account.

Not only was this a known attack, it was one I had predicted from the 1990’s and mentioned in several places over the years.

It works because there is a gap between the security end point inside the application and the communications end point with the human that an attacker can access on the device. In short the attacker could “end run” around the application through the OS to get at the application plaintext interface.

Although a true, factual and known attack method, people dod not want to know this, so like the King of old they attacked the messenger…

It’s actually fairly easy to fix this issue, but inconvenient. To fix it you simply move the security end point beyond the communications end point an attacker can reach/influence/see. In past times when talking about the issue with banking applications I said you had to do two things, firstly authenticate transactions not communications, and secondly I made it clear you had to move the security end point off of the device in such a way that an attacker could not reach beyond the device, by putting the human in the communications path.

The problem is the second step is not convenient, thus people don’t want to do it. Thus you could say they realy don’t want to be secure.

But they are actually not given the choice, because a developer assumes the user won’t put up with the inconvenience. Thus the user is not given the choice, they are just given an insecure system with some areas that are potentialy strong. Worse yet the application is sold on the strong points and the user never gets told the system is actually known to be insecure or why… So they don’t get the chance to make the choice to employ methods that will make it secure…

It’s this condescending behaviour by developers and those extolling individual features that annoys me, because the users get not just important truths hidden from them, they are also robbed of the choice to be secure or not.

In short they get sold a known to be insecure system well because they are users…

This whole attitude is the prevailing one in the software side of security, and as far as I can see the same is now true for the hardware side of things as well…

Thus if you want security then the reality is you are out on your own, which is OK if,

1, You have the information to know you are in that state.
2, You have the knowledge of how to mitigate that state.

But how many people do you know who have both the information and the knowledge?

Clive Robinson • April 26, 2019 4:08 PM

@ Dennis,

… is a solid telling there are ways around the proposed e2e messaging protocol/scheme(s)

I would say it’s very likely.

Also note that those shouting the loudest for backdoors / Frontdoors / golden keys / etc are not the “professionals” like the IC and SigInt agencies, but those who were once called “the bumbling flat foots” of Law Enforcment.

In part this is because Law Enforcment is somewhat amateurish in it’s abilities in this area, and they are also in effect lazy wanting to just sit there and have everything presented on a plate rather than learn to do what’s required to get their desired results. Also unlike the IC and SigInt agencies they have to play more “within the law”. Hence the continuing battle of the FBI and DoJ to get “legal precedent” via dodgy trials and “rights stripping” that never should have been brought before a court.

Clive Robinson • April 30, 2019 5:45 PM

@ fish,

What they do have, though, is lawyers and legal experts who try their damnedest to convince the public and the courts that backdoors are necessary.

As an outsider looking into the US I’m never sure with the DoJ and FBI which end of the dog is the head and which end the tail.

The DoJ appears staffed with a number of legal types who make your everyday sociopath look normal. The case against Apple was clearly cooked up between the FBI and the DoJ and was ment to be a coup d grass on Silicon Valley by setting case law. It went badly wrong Apple fought back and the FBI very clearly lied to a magistrate, which is never a wise thing to do, the magistrate certainly appeared to be wise to what was going on and started to real things in. The DoJ knowing that they were going to loose and rather than have a court set things the wrong way, they pulled the rip cord and the FBI did their little Pirouette on cue and both of the “cleared out of Dodge in a hurry”.

I feel sorry for the more normal people that work at the DoJ with such people.

But still the thought lingered, who came up wirh that little stunt someone at the FBI or someone at the DoJ… It’s clear from other more recent cases that the FBI feel quite happy purjuring themselves in court, yet nothing appears to be done about it.

Thus the question of why both agencies feel it’s OK to knowingly lie in court. What gives them the sense of invincibility and why it continues.

What ever the reasoning, my name once came up over a DMCA takedown, I only found out about it by accident via a Google search. To this day I still don’t know what the takedown was or why I was connected with it. But one thing it has set in stone for me, even with the statute of limitations and even if I do get well enough to fly again, I will not be visiting the US or US friendly countries like Canada or Australia, as it would appear based on other FBI activities that the risk is potentially to high…

Perhaps it sounds overly cautious / paranoid to some, but I have a somewhat chequered past. Even though it’s been suggested I’m a little paranoid in the past over not having social media, having javascript and cookies turned off, not having my personal machines connected to the Internet or no Personal Email. So far my choices based on what I can see as possible attack vectors appears to have been correct, if a little early.

I have a guiding rule on this sort of thing which is “If the laws of physics alow it someone will eventually do it” with the rider that “Base technology costs approximately halve every nine months” when you consider capacity / performance / bandwidth / power.