Schneier on Security

Clive Robinson • October 28, 2021 10:02 AM

@ ALL,

From the article,

“used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain“

It’s not just the “IT” supply chain, where this is going to happen it’s all supply chains.

This is not a matter of opinion, but “the down hill sloop” of atleast twenty years of managment stupidity based on “The Chicago School” of economics promalgated by neo-cons and others. It is best expressed by the mantra taught to economic and MBA students, that “to be competitive, you have to optomise…” which gets wrapped into “Never leave money on the table/floor”.

Nature has over more millennia than can be counted, developed a survival stratagy for living entities. Some call it the 2/3rds or 66% of capacity stratagy. What it means is that if you optomize beyond that point your entity is over the resiliance peak and on the fast downhill slope to otherwise avoidable disaster. Worse once over that peak a few more % and you reach a “tipping point” where the entity can not pull back by it’s self.

Thus the entity becaomes under the control of capricious others and a hostile environment.

This is good for those neo-cons who then use it as leverage in hostile take overs and the inevitable destruction which ends up with the loss to society of inovation, choice, jobs and much much more besides. Such thinking “hollows out society” and in turn it becomes brittle and subject to the capricious whims of neo-cons and worse.

I and others have been pointing out the dangers for years, one of which is society as we know it will cease to be, and the result will be a new feudal system in which you will have a closed aristocracy that own, and the ordinary citizen will be reduced via rent seeking behaviours into a serfdom worse than slavery.

I’m sorry if others don’t want to think it through, but not taking responsability is a major failing in modern times.

Criminals steal where they can, if you do not take responsability to take reasonable deterents you will at some point get robbed it’s just a matter of probability in a “target rich environment”. At that point you will discover that nobody is there to help you, not the police, not the government or any others you pay taxes towards.

Ask yourself what the two most precious things are that you own?

You will find on the top of the list,

1, Your life,
2, Your freedom,

For several centuries people who make up society have fought for those, are you going to let others steal them away from you?

Well it’s your responsability to take reasonable steps so they do not.

Long supply chains that have been paired to the bone, are brittle beyond most peoples understanding. The sheer numbers of brittle supply chains in all parts of the economy thus society in general is stagering. We look back on the “Toilet roll crisis” and many delude themselves and find it ammusing or blaim horders or prepers or to be blunt, those who think faster and act rather than wallow in complacency which most of society actually does these days. Well toilet rolls, fuel and other “que for it” items are just the equivalent of those tiny tiny bubbles that appear at the side of a cooking pot at the heat is turned up and things come to a boil, if not boil over causing significant harm.

Look at what the wealthy and neo-cons have been doing, they have seen the consequence of what brittle supply chains mean. They have taken some of that and put it towards surviving what they can see will come from their actions. Thus you have the Corporate Billionaires building survival shelters stocked with atleast five years of food and potable water, fuel and similar, ask yourself why they feel the need to take the responsability of taking for themselves and their loved ones what they view as “reasonable action” to mitigate an uncertain future that they see as being close enough to warrent attention now.

Remember this behaviour is far from new history shows it happening over and over. Which is why some religions require their followers to put by not just a year of supplies for their family, but their neighbours as well.

You go back a couple of thousand years or more, where sensible heads of state put by four years of grain and similar, knowing that fat times are followed by lean and starving people are not just desperate but easily become the worst that humanity can be.

Clive Robinson • October 28, 2021 12:09 PM

@ Jeff,

We know, for example, that OpenBSD was warned of a backdoor inserted into their code (which they deny)

Err no, it’s more interesting than that.

Briefly,

1) A person in private communications to one of the core BSD developers aluded to the fact that a backdoor had been put in the network code by another person.

2) The core developer almost immediately made it public.

3) Lots of experienced eyes looked but nothing at the code or implemented protocol level was found that could be claimed was a backdoor.

Some time after that it became abundantly clear the NSA did put backdoors in “code”, “protocols”, “Standards” and by “managment(RSA)” and “interception(CISCO kit)” and possibly by suborning(Jupiter Networks). So any which way they can, which was absolutly no surprise to me as I’d long predicted they targeted,

1, Implementations,
2, Protocols,
3, Standards,

And I had presented reasoning they had actually “backdoored” the NIST AES contest.

Eventually Niels Ferguson –who our host @Brucehas worked with–, whilst working at Microsoft, got deeply suspicious about certain things. He started to go public with his suspicions and later showed the likely hood that the NSA had backdoored the NIST standard via a Digital RNG was probable. This backdoored DRBG was “mandated for US Government US” in generating amoungst other things “Roots of Trust”(RoT). Further somehow still not publically known backdoored the DRBG appeared in Jupiter Networks equipment that generated network encryption keys…

Whilst nobody has been able to point a finger at the BSD code, nor can anyone currently say it is not backdoored by some trick not yet identified… Which is a bit of a quandary, should you trust when you can not verify?, me I just mitigate where I can.

However when it comes to pointing fingers at backdooring codes, protocols in products, etc there are lots and lots of fingers pointing Microsoft’s way especially recently… Some would say that MSFT don’t want to be the “how not to” poster child, especially with Win 11 flapping badly in the wings.

So who gets to decide who is right and who is wrong in a finger pointing game?

Well some say the majority vote (and MSFT has that by the bucket full). Me I’m of the “Court Standard Evidence” for blaim, “meer whispers of impropriety” for mitigation[1] view.

So yes I have two standards and they are more than a few “country miles” appart. Because as I know from experience,

“Atribution is hard very hard, but false flag Ops and rumours are easy”.

[1] My over caution on what might be rumours, comes about from personally backdooring crypto code. It’s quite some years ago as I’ve previously mentioned and actually was way to easy to do. No the backdoor did not go out in shipped product, but it did get right through the “code review and test phases” and was at the point it was packaged to be “code signed”. My reason for doing so was to demonstrate the fundemental failing of the QA process and in specific the “code review” process. The organisation concerned had a managment ethos that the best programers produced product, those that did the code reviews were frequently not even past programers… Unfortunatly this “the best create the worst review” ethos is all to common in the consumer and much commercial software production organisations. Clearly it fails, and fails badly, however on ISO9000 and similar paperwork it looks good…

The moral,

“Trust ye not, what ye nor others can expressly verify, so cast not stones but mitigate accordingly”.