Schneier on Security

Clive Robinson • October 28, 2019 5:02 PM

@ Ismar,

as for some other readers on this blog – why always focus on the negative- not much can be achieved that way ?

Oh contraire… A great deal can be achived that way, our host @Bruce tends to call it “thinking hinky” in the more distant past it was “nice hack”.

Ever hear the expression,

Either you have full security or you have no security.

The one thing history has taught us about ICTsec, over and over is that an “optomistic view point” is one that gives rise to “head in the sand thinking” which is not good for you privacy let alone security.

What you should do is,

Assume the worst thus work towards the best.

Which means taking responsability thus ownership of your privacy and attendent security.

The only reason people are currently getting away with ignoring security is that it is a “target rich environment” thus your individual fate is in effect based on probability more than anything else.

People buy “fire and theft insurance” because they generally accept that on probability they will have a fire once every twenty years or so and get broken into once every five to ten years. Thus they accept the insurance cost over time knowing that when the dice come up for them, they will atleast be not entirely wiped out.

Thus with ICTsec insurance being a very imature market, most do not have the opportunity to reliably “externalise risk” through insurance. Thus a sensible person takes the risk on internally and implements an appropriate risk reduction / mitigation stratagem. Something you can not do if you have an overly optimistic view about ICTsec.

ICTsec is by the way a game where due to large Corps and Governments, being paranoid is almost being optimistic. Because they are very intent on “data raping all” be it for profit or for power or both. You could argue against this view point but you would as far as history is concerned be on the loosing end of the argument…

As they say,

Pays your money, takes your choice

Though ICTsec has a rider of,

But there is no real choice,
they are all as bad as each other.

Clive Robinson • October 28, 2019 8:25 PM

@ Gerard van Vooren,

So I would say that from the point of view of the FBI nothing changes, at all.

The FBI’s attitude has been effectively as it is back in the 1980’s.

FBI Director Louis J. Freeh, flew to Europe and to FiveEye Nations to promote the idea of total surveillance. He knew the US Public would in no way accept his ideas. So he came up with the idea of ratcheting up legislations via other WASP and First World nations so that US Politicians could be bamboozled into doing the FBI’s bidding.

Back then most of the nations FBI Director Louis Freeh visited effectively showed him the door like you would with any uninvited sales pitch at your home with a “thanks but no thanks, please do not call again”. The exception was the UK, due to UK Prime Minister Tony Blair and his rampant toadying to anything US, he and David Blunket came up with the first version of the Regulation of Investigatory Powers Act (RIPA) in a green paper. It caused very great concern in the UK as it alowed people who should never have access to peoples, homes and private affairs to run rampant into their bank details, medical details and even put surveillance equipment in their bedrooms. It also opened an easy way for people to be blackmailed with serious imprisonment just on the nod of a lowly police inspector. The proffessional and increasing public outcry caused various superficial changes. As legislation goes most judges treat it like a poisoned challice for good reason.

As you are probably aware in more recent times the Australian Government have been toadying upto these same ideas FBI Director Freeh had been pushing, based in part on what the UK had done. It now appears that other nations are going to ratchet things up further.

All of which is highly undesirable for first world societies.

As I occasionaly mention, there is no penalty for those pushing these ideas if they don’t succeed, they just wait or reword legislation and represent it, knowing that no matter how outrageous what they ask for is they will bit by bit get it. This “no penalty” bias needs to be removed, thus if told “no” by society and their representatives, those presenting the idea should be dismissed for bringing their employer into disrepute (which is already in their work contracts). That way those that follow might rather rapidly reasses their posirion whilst still in office, rather than after they have left it.

Clive Robinson • October 29, 2019 4:25 PM

@ Who?,

ICTsec failures do not imply an obvious money lost.

Not acording to the FBI. They have claimed that millions have been lost due to clean up and restoration.

Some argue that the figures they come up with, make no sense, and I can understand why. However with investors any such sums is as far as they are concerned “money on the table” which is rightfully theirs be it real or imaginary.

It’s one of the reasons those who offer cyber-insurance are very likely to take a bath. Worse with the “double take” argument from 9/11 there is nothing to stop investors taking out insurance as well as the conpany officers and both parties having to be paid the full agreement.

Such is the way of the world some companies take out life insurance on employees, such that the company benifits from an employees death. This has apparently distorted the life insurance market, which raises the price to individuals seeking to protect their loved ones should they unfortunately die. So you could understand why othets claim such companies are “robbing widows and orphans”.

In both cases there is a limited pot of money which means it gets reduced by such investor type actions.

Clive Robinson • October 30, 2019 3:02 AM

@ SpaceLifeForm,

Paper? Cage? Double Cage?

Up untill recently,

Paper, paper never data.

For crossing an “energy gap” was sound advice.

However, a cautious person these days, might just start to wonder if the likes of Microsoft or printer/scanner manufacturers have started to some how “watermark” documents as,a “Canary Trap”[1].

For some time it’s been known that both printers and scanners –especially the “combos”– and photo copiers had some anti-forging software in them. It was also assumed that it was in PC software but nobody reported finding it. I as did a number of others assumed that this absence was because at the time way too many people would be “in the know” for it and the all important algorithms to be kept secret.

But the world has moved on in a decade or so and Windows 10 and Microsoft Office are many many megabytes in size larger, plus most computers have a DRM chip of some form “built in” on the motherboard these days along with “Managment Engines” in the CPU chip sets. Thus there are way to many places for such canary trap software to be hidden away.

With various Western Governments seeking the blood of whistle blowers, if not already in place, I suspect it won’t be long before canary trap software gets put everywhere in some form or another.

In the past this would not have been a problem with proper document destruction policies in place. Because if only used for energy gap crossing the paper documents would not get into circulation. The only issue would be the crossing from the security end point computer back to the communications end point computer and then outwards into the Internet. Which could be managed in various ways.

However most printers and scanners have WiFi or similar built in these days because it comes virtually for free with the SoC devices used on them. Further “inventory cost” control on FMCE production is a “one size fits all” basis, it’s the final software load and a fee cosmetics that makes the difference between the high end all singing and dancing “Premium” model and the lowest price “economy” model. You can still see the evoloution of this on older graphics cards where they did not fit components. Now with it all on the CPU microcontroller that potential cost control measure has gone.

Thus we now have to worry not just about undesigned “emissions” that are relatively low field strength, but designed in communications at much much greater field strengths.

Which is something we can discuss in another post later. But my advice for a while now is to mitigate the issue via an entirely different route.

[1] A “Canary Trap” gets it’s name from the use of such small birds as a warning systems like guard dogs might growl etc. It’s been suggested that the NSA developed various canary traps for printed documents upto a third of a century ago when most “personal printers” were either “dot matrix” or like certain typewriters used a changable “print wheel” or “golf ball”. It’s been suggested that in reality the idea and name actually came from a well known author’s books. It’s also been suggested that all photo copiers and laser printers “embed” make, model and serial number into the images they print out. What ever the origin, we do know that with the advent of high quality colour printers the “Eurion Constellation marks” were seen from the mid 1990’s in bank notes. And it has been assumed that they were developed to stop people printing their own money. However there are other more subtle image artifacts at work, as Steve Murdoch of the UK’s Cambridge Computer labs found back in 2003/4,

https://murdoch.is/projects/currency/

Clive Robinson • October 30, 2019 7:39 PM

@ Who?,

However people tends to ignore the consequences until it is too late to remedy them.

History shows this to be normal for anything new, and that it can take three to five human –not ICT– generations[1] for things to change. That is a time period of between 90 to 175 years in the First world –where ICT is most prominent– currently and it is increasing fairly rapidly as manual waged labour becomes increasingly scarce[2] and education to around twenty five is required to enter the “information economy” at a sensible salary range.

Needless to say ICT at the personal level did not get going untill the late 1970’s early 80’s and the “information economy” is realy a creature of this century which is not yet two decades old.

So which ever way you look at it in human terms “ICT is still to young” and few who started,in ICT upon graduating have made it to retirment yet. So ignorance of consequences has not realy had a chance to be “educated out” yet.

My point is …
that people do not see a risk (i.e. money lost) until an incident happens. People do not understand that what happens in what they call “the virtual world” is really happening in the real world and has real consequences.

There is a secondary “availability effect” in this which has two drivers,

1, Reliability / cost.
2, Target rich environment.

Whilst computers are becoming less reliable due to “commoditization” their cost in real terms is dropping faster. Thus you can get smart devices that might just make it past 18 months life expectency where desktops were once making it to 60 months or more, the price has dropped from 1500USD to less than 300USD. Combined this has caused people to treat smart pads and somilar effectively as “consumables”, thus they have low expectations of device life. Further the Internet is still a target rich environment which means the probability of your device being attacked is bassed more on how low it hangs in the security tree. Just turning on the OS firewall will make many attackers go and look for easier targets to attack.

So many users have seen their devices fail with a hardware fault in a year and a half, whilst turning on the default OS firewall and AV software means they probably don’t see malware getting on their computer at all in that year and ahalf. So their expectation of an insurance payout is actualk negligible.

[1] In third world nations a generation is as little as thirteen years, however in first world nations it’s now considered to be thirty to thirty five years. This is based on length of time from birth to become a parent.

[2] There is a socio-economic link between where you sit in the “class structure” and when you have children. In general those in the lower or labouring working class that have no professional status have children younger in their late teens and twenties and have more children than those who have significant professional status and are at the upper or white collar middle classes, who might have only one or two children in their late thirties or early fourties. This has given rise to some political think tanks saying in effect those at the bottom are out breeding those at the top and give broad hints that this is anti-Darwinian… It’s not hard to work out what their actuall bias in thinking is, and long ago it stopped being amusing.