Schneier on Security

Clive Robinson • May 25, 2019 8:59 AM

@ lurker,

But Huawei could/should still be excluded because of their shoddy version control, and poor update procedures, leaving holes that anybody, anywhere, could find in their own good time and exploit…

Those were the reasons given in a report by a UK Agency. Which is odd as that privious reports have been different. But now suddenly as the current US Administration is on it’s high horse trying to do a “5G our way or no way” routine suddenly the company is pronounced terrible by a little known UK agency… Coincidence?

Well maybe, maybe not. Remember the UK agency that produced the report is very strongly attached to a UK IC Agency better known as GCHQ.

Also remember that under “the special relationship” that the UK GCHQ IC agency gets payed by the US NSA IC agency to spy for them.

That is not just to spy on the UK and it’s citizens, but most European Nations and their Citizens, oh and on many other nations and their citizens as well. Why? Well because the UK for various reasons is where a lot of the worlds sub-sea communications cables come to shore. It is these cables that many commercial companies use in preference to geo-stationary satellites due to the shorter path times. Remember it is “commercial” “economic activity” companies that favour these shorter path lengths, so the spying is mostly on “commercial economic activity”… That’s hardly the sort of think the US claims it performs espionage on so you have to wonder why they pay others to do it for them…

Thus when the current US Administration started up their “this company must be evil” nonsense people realy should have asked the question of,

How was the company being judged?

That is was it against the rest of the industry? Or some esoteric or mythical ideal that somebody thought up for some altogether different and potentially corrupt reason?

The answer as anyone who works in the industry knows, is it was not against the rest of industry…

So the company was being judged against some mythical ideal that even in a perfect universe would not have be possible. So at best the report was a “Strawman argument” used for some altogether different reason. Or to put it another way some one in the “B-Team” tipped the playing field against the company, so far it was designed to “crush and bury” the company…

Lets put it this way if Huawei were judged against the realities of the very cut throat industry they would be up with the other “Leaders in Excellence”. As for Cisco, well I guess their CERT record might be a place to start, after all Cisco and their other brand name companies are the ones we keep hearing about for things like hard coded usernames and passwords etc. You would have to ask what Cisco’s “version control” and “update proceadures” are like to be fair… But all those CERT advisories, oh and also evidence of their equipment being tampered with by State Spying Entities, perhaps most could make an educated guess, that they are not as good as Huawei…

Or is it all just a “smoke screen” because Cisco are secretly funded by the US state so that all nations and their citizens who buy Cisco can be spyed upon?

It probably would cause some moral out rage in certain places if I ever consider asking the same of all US telecommunications companies as the US government asks of Chinese companies. But as they say “tough”, that’s exactly what I am asking people to do.

Why? Because if people want to play on a fair playing field and have a chance at privacy in their communications then the same questions and the same scrutiny must be asked and verified publically for all market entrants irrespective of what nation they originate from.

The fact that certain nation states are clearly not doing this and then get ruffled feathers when you mention it says where the real problem is and also gives a good indication of the honesty or not of their statments.

Which leads by a different path to almost the same conclusion you arrived at of,

Ah, it’s not about trust, it’s about control.

Let’s look at what “trust” realy means if your objective is privacy of your communications as a nation state. It does not mean holding a popularity contest and going for the people you think are least likely to betray your “blind faith” that’s the “teen school girl approach” at best, and we know how unreliable that can be. So “Trust” has to be achieved in more reliable ways.

There is the old truism about the CIA motto of “In God We Trust” because what it realy means is “every other bu99er we check”. That is they always try to establish trust rather than use blind faith.

That is the approach you have to take, if you want privacy in your communications, you assume that ALL entrants and their products will be malicious and act accordingly.

There was a lot of faux out rage noise when the UK Gov came out and said they were considering Huawei for use in 5G. Put more prosaicaly the US Administration orchistrated, no doubt by B-Team interests, to “throw the toys out the pram” and “have a major hissy fit” about the UK Gov decision.

Actually it was not just a faux “animated fit of peak” for the sake of publicity/spin. In essence there was genuine B-Team conniption at the fact that the “Special Relationship” was not the “Choker Chain dog lead” they thought it was, and as a result of their failing it came to be by implication a quite public slap in the face for the current US Administration[1].

In reality the UK GCHQ position is “We assume ALL ‘equipment’ from all companies from all nations can and will be used to spy on us, therefore we take general mitigation activities based on that assumption”. It is a position they have taken for many years and it’s not ever been a secret.

However take care to note it is about the ‘equipment’ not the companies or where they come from. That is GCHQ very well know that they, the NSA and many other national and private SigInt agencies around the world hack/implant any equipment they can “as a mater of policy”.

Most readers on this blog should know this from the “Greek Olympics” tragidy where the cavalier activities of a CIA operative led eventually to the suspicious death of an employee working for a Greek Cellular Network supplier and an international arrest warrent issued for the CIA operative. Likewise the tapping of the German Chancellor’s mobile phone etc etc.

Instead of joining in with the current US Administration nonsense people shold stop to ask why this common sense long held attitude by GCHQ has so afronted the US representatives? Because it says rather more about the current US Administration views and activities than it does about the UK, GCHQ, or the company in question.

The “technical” or “security” point people should take on board is,

No commercial equipment is immune to the effects of State Level espionage.

It’s a clear, simple, factual statment and it has no prejudice or ulterior motives or agendas behind it.

Thus from my perspective the GCHQ advice to the UK Gov of basically “We assume it’s all got implants no matter where it comes from” is assuming a level playing field. As is the follow through action of we “mitigate all”.

Which given the nature of modern commercial equipment markets, the “mitigate all” is the only sensible technical response to ensure National Security in all ways, not just with regards the privacy of communications.

There is however the thorny issue of a “political” point to consider.

Take the US Company which this thread is about “Cisco”. Who let’s face it are the ones who have had the embarrassment of pictures taken of US IC entities adding implants to their equipment appear in the press. Likewise the frequent vulnarabilities reported about their equipment, that alow not only State Level SigInt agencies, but near all other Cyber-ne’er-do-wells to abuse Cisco’s products at the expense of their products users world wide.

Cisco is one of a number of major manufacturers of telecommunications equipment in the world, thus they are like any other major manufacturers “a target of choice”. Put simply the ROI says every dollar you spend on perverting a big corp’s product the greater is the number of customers they have that then become your victims…

So as a general rule for Cyber-ne’er-do-wells is “it pays to attack big”. You may remember we saw that in play in the early days of PC malware when “Microsoft was the target of choice” and supposed security experts were telling people to “Buy Mac’s” to be secure…

Which importantly also means that big telco manufacturers are targets not just for the IC of the country their head office is in but all countries SigInt agencies etc. In the case of Cisco their home country is the US which has a policy of spying on the world and his dog, hence the photos were not exactly unexpected.

So,

1, We know that Cisco equipment arives at customers world wide with implants in or later it gets owned from software vulnerabilities.

2, We also happen to know that the US IC puts implants in Cisco equipment and also gains illegal entry and control of Cisco’s products.

Therefore,

3, Is US company Cisco to blaim for those US implants and US exploits?

Most would say no, but ask yourself what they would say if I changed “US” to “China” and “Cisco” to “Huawei”?

Well the current US Administration is indicating that if Huawei equipment is ever found to have implants you should blaim Huawei not the country or agencies who implanted or exploited…

So why should I or anybody else treat Cisco any differently?

Therefore under US Gov rules I should claim that Cisco is not just aware of what the US IC is doing to their equipment but that they are actively responsible or even colluding with them, therefor nobody should buy Cisco equipment anywhere in the world.

Do people in the US think that is a fair viewpoint?

At the end of the day the real point is, the current US Administration is effectively saying,

One rule for the US Gov and US corps and a different rule for everyone else.

Thus exhibiting just another form of US Exceptionalism.

So the current US Administration not only do not want a level playing field in their country, they also want to insist that every other country play on the same playing field that so favours the US…

What do non US people think of that?

Well it’s clear that the UK Government think the current US Administration view point is wrong, even though the US SigInt agency the NSA gives the UK SigInt agency GCHQ money and equipment to spy for them. It’s also clear that the UK Government reasoning is based on the common sense reasoning of it’s SigInt agency GCHQ, which has not realy changed in as long as many people can remember. It’s also reasoning based on fact abd not prejudice or hidden agendas etc.

Oh and to cap it off it appears the B-Team in the current US Administrarion are prepared to actually go to real kinetic war over it… No matter what the cost in body bags.

For those in the US ask yourself, do you realy want your loved ones and friends in body bags because the B-Team want a war any war to put their name in the history books?

[1] Actually when you consider how the information came out it might well have been designed “to yank the current US Administration’s chain” to remind them that “They do not set UK National Communications Policy”. However it came about because of a “leak” that arose from a UK NSC meeting, where GCHQ presented their view on how the UK should proceed with 5G under all asspects of “National Security”. The basics of that presentation were not secret or even confidential, and most people in the telecommunications industry know it as it’s based on “common sense” reasoning for atleast the last half century or so. Unfortunatly the MSM involved rather than say what the message was realy about decided that a “UK Minister being disloyal to PM over BREXIT differences” would make more sales etc.

Clive Robinson • May 26, 2019 7:03 AM

@ Jon,

my point was that unless you deliberately include instructions at the outset that permit moving of data from data to program … the data cannot write its own instructions – thus there is no data that can ever be executed.

There was an assumption some years ago that Harvard architectures were not just “more secure” but “secure” and many bought into the idea and to a certain extent still do.

However back in the late “naughties” strange things were happening and in 2007 a paper with the title “The Geometry of Innocent Flesh on the Bone” appeared which in academia kicked of Return Oriented Programing (ROP) that was talked about a lot for the next half decade, but because many assumed it was a “solved problem” you tend not to hear about it much.

But it’s not gone away[1] and the more subtle varients are still ripe for explotation even when the instructions can not be changed because they are in old fashioned ROM that has to be taken off board and reprogramed in some cases with a soldering iron (Rope and diode memory or reconecting the pins used for writing).

The point is that outside of some specialised software like state machine and DSP style programs, programs in general, especially those where the instructions were emmited from a compiler need RAM for their stacks and data on which branching decisions are made.

Thus if the program it’s self or the library code it is built on contains “useful code” then malicious activities are possible.

As you have realised and noted above that “useful code” may not be obvious. One of the weaknesses of the extended x86 instruction sets is that an instruction that takes say five bytes of ROM is also a potential four byte, three byte two byte or single byte instruction. And yes people have exploited this before (usually only as a single or sometimes two byte initial instruction).

However there is a new variation on ROP around which we will probably hear more about in the near future and it’s something I’m playing with currently.

As you have no doubt heard Intel had a little Xmas prezzie for everyone a couple of Xmas’s back. And it’s turned as I said at the time to be the “Xmass present that keeps on giving”, and probably will do for the next half decade or so. The problem is the “go faster stripes” around the CPU’s ALU and instruction decode units are actually more complex hardware wise than the core CPU functions.

Such complexity needs to be made highly efficient and as I have warned for well over a decade on this blog and prior to that in other places there is the problem of “Efficiency-v-Security” the more efficient you make things, then generally the more side channels you open up unless you realy know what you are doing[2].

Most though have assumed that “Efficiency-v-Security” means only “simple time based side channels” even though I warned there were other types. One of which is “system transparancy” from input to output was demonstrated by Matt Blaze and some of his students, and I’ve talked about the reverse direction getting back through data diodes, firewalls and other security measures using “error and exception” excercising tricks. But the majority have still not realised that what hit Intel AMD and ARM in the way of Meltdown and Spector were just a couple more on the “Efficiency-v-Security” list. Oh and that there are quite a lot of further ones that will appear to researchers when they think just a little bit further. Some I can promise you will be real doosies and will be down to hardware that’s become so entwined and critical to the system that they can be neither removed or mitigated without significant penalties. This problem Cisco is having is just one further…

To see why consider High Hardware complexity CPU systems such as the 64bit varients of the old x86. They are so complicated they have what are the basis of “Virtual Turing Engines” in them. For instance the more modern x86 varient memory control hardware has been demonstrated as being a virtual Turing compleate engine that can and has been made to function as such. It’s therefore possible to make a Turing Engine in such complexity, and it needs only the Data RAM to act as it’s tape.

This sort of thing is the future of malware…

[1] https://securityintelligence.com/return-oriented-programming-rop-contemporary-exploits/

[2] You can probably take it as read that nobody and I do mean nobody knows what they are doing in this respect. The reason is the “Known, Knowns” through “Unknown, Unknowns” proplem, that is what we know is quite a bit less than we will know at some future point. In general few designing high end CPU hardware are even aware of the “Known, Known” issues which is why Meltdown and the Spector varients exist. As for those that do, well the solutions to those problems as we know can have quite serious performance degredations. Anyone bringing it up in the “marketing advantage” or subsiquent “implementation” / “engineering” meetings is not only likely to not get invited back, they might find all their personal effects in a cardboard box in the security office supprisingly quickly.

Clive Robinson • May 26, 2019 12:05 PM

@ Alex T,

Again, am I missing something or is this an absolute massive issue?

It depends on your view point to a certain extent, and right some people have their fingers in their ears whilst chanting “not listening” over and over or are chosing to look elsewhere. Whilst many others don’t yet see where this is going. Some of course will do as they did with Meltdown and the Spector varients, shrug their shoulders and hope things will sort themselves out…

So,

1. This is a hardware design issue, most likely not “fixable”

Well firstly remember “All things man made man can fix or replace”, the question realy becomes one of resources and how best to utilise them. Have a think back to what happened with the Pentium maths bug as an example, I’m fairly certain that is going to be in the back of many of Cisco’s managers minds, or an equivalent like the Pinto Gas Tank.

From what’s been said by others it’s a fault that can not be fixed by software, and that does not surprise me in the slightest. Thing about modern PC BIOS chips, they are Electrically Erasable, and in many cases there is no hardware write protect, so you can change it without a lot of difficulty because you don’t have to open the case etc.

So there is a high probability this Cisco system is similar, which implies the only real fix is a replacment of the board or entire unit.

However also from what’s said you need certain software privileges which brings us to your second point

2. It can be exploited remotely

Only if you can get system privileges remotely.

Which means that although the actual hardware fault may not be fixable, keeping the required privileges away from remote attackers may be possible untill the hardware fault has been fixed.

I suspect that Cisco will issue some kind of software upgrade very soon if for no other reason than to buy themselves more time…

What we need now is more indepth information on the hardware to judge by.