Schneier on Security

Clive Robinson • May 17, 2021 7:14 PM

@ Winter, ALL,

But this has always meant that the state had to contribute funds, one way or another, to these infrastructures. How they did it varies, but all these examples were build out and maintained by tax money, state monopolies, or other collective funding.

Availability costs, if you put a tarp over a tree branch it will shelter you for a little while until, it fails, the tree fails or the wind gets up. But give it a month or so, and you need to start anew. A tarp is what 15 bucks for 50 square feet of shelter (or less). But replaced four times a year so about $1.2/SqFt/year. And trees, well they just tend to be around, till they crash / burn down one way or another and occasionally explode when lightning does it’s thing.

But put in a bit more work by chopping down the tree, seasoning the wood, turning it into lumber and shingles and you can make a roof good for a few years maybe a half decade or so with dried softwoods[1]. A lot longer if they are treated or naturaly preserved such as with oak lumber and ceader shingles maybe the rest of your life or even your grand childrens (50-100years or longer). You also get to cover what 1000 square foot provided you maintain it. But at, what cost, well alowing for pitch and effectively a double layer you need 2500 SqFt of shingles at about $10/SqFt that give you 50years for 1000SqFt so 10/50 gives $0.2/SqFt/year probably with less labour all told and many other financial benifits of better reliability and insulative properties. Tarps might be cheap as a quick fix but nobody would seriously consider them as anything other than emergancy or very temporary shelter.

But corporate short term policy is “go with tarps, the first time and every time” after all it’s not them that are sheltering. And the share holders they want annual or more quick returns, not having to wait a decade to see good returns…

But… all of course assuming you don’t get hit by a hundred year storm or worse that turns not just the shingles into weapons grade frizbies but the lumber frame into matchwood and splinters. They do happen and what was a “Hundred year storm” a century ago, now appears to be once a decade or less these days…

One of the things the free market does is remove resiliance to anything outside of “normal” operating as they drive for the mythical “110% performance”. Thus availablity, except out of very very small excursions from “normal” does not exist in the corporate world. So unless they are ordered to do so, and subjected to real oversight and significant punishment, fails to carry out investment accept at the lowest cost or maintainence other than “to look nice”. The result as the US finds out more and more regularly, is critical infrastructure outages so often they are now considered “normal”…

But what does this realt mean? Well for one thing it’s also grossly in efficient from the point of view of society, it’s also environmentally unacceptable bryond the point of disaster. Why? Because “outages are the norm” people by their own generators, and store large quantities of fuel usually very poorly which is not just inefficient the fuel loss and spoilage ends up causing harm to the environment and other catastrophes (spoiled fuel poured in drains might be “out of sight” for some but very definately leathal for many others. All of which reduces life expectance (most hydrocarbons beyond the simple ones are detrimental to organic processes, even alcohol is a poison and they appear to aid in the trigering of cancers, diabetes, liver failure, heart failure and all sorts of neurodegenerative disorders, possibly even dementia that effects increasing number over the age of 35). Likewise when combusted fuels produce other “tars” and complex hydrocarbons, the brown colour on pie crusts, bread, toast, cakes and the outside of roast meats etc, might taste nice, but they all contain carcnogenic compounds just as tabaco and wood smoke does.

But early death by poisoning, is not the only concern fuels are not just easily flamable, they are often volatile and in some cases can make fairly impressive explosions (look up FAE and the likes of grain silo explosions manhole covers being flung many feet etc[2]).

Thus the likes of Pacific Electricity and Gas by their corporate “free market” policy are inflicting early mortality and property loss onto their customers. Thus the customers get higher longterm medical and insurance costs that are wildly disproportional to PEG’s extreamly short term savings.

However “critical” is another way of saying “to big to fail”, which means that much of the corporate profits are predicated on either the “hot potato game” or being “bailed out” by “The insurer of last resort” which is normaly said to be “The Government” but is more correctly the citizens through taxation and wildly inflated costs in other areas.

If people actually do the math, the corporate policy is by far the most inefficient and least reliable way of running a supply process.

But you do not get taught that on a US MBA course, because that is not what the Chicargo School economists want you to know. Because if you do, those big fat grant funds they get from corporate backed “Think Tanks” for telling corporate types “greed is good” but wrapped in psudo scientific / mathmatical mumbo jumbo, might just stop.

So remember when it comes to “understsnding and salary” back in the 1930’s Upton Sinclair’s observation is even more valid today, than it was nearly a century ago, when there was a lot less impediment to that sort of behaviour other than the public view point, backed still by tar, feathers, rails, and “rough music”… Maybe it’s time to get out the tin plates, pitch forks and barrels of tar again…

[1] With softwood if you know what you are doing you can “distill out” turpentine and other “aromatics” that if painted on dryed wood act as preservatives and keep the shingles and wooden frame servicable for several decades. However those hydrocarbons are bad not just for the bugs but just about every living thing, so it’s now illegal to use them in a lot of parts of the world.

[2] What ever you do do not do this, it’s not even something “trained experts” should do. But fresh flour if you dry it out when mixed in the right quantities with air, and subject to a small spark from static electricity from synthetic cloathing, can make for very powerfull explosions that will crush people to death in confined areas. So for that matter does very fine sugar (icing) oh and “non dairy creamers” you can look up some of the fun Myth Busters had demonstrating this, from long distances behind safety screens in the wide open…

Clive Robinson • May 20, 2021 5:50 PM

@ SpaceLifeForm, ALL,

I submit that you cannot unless you control the secret. There can not be any outside party.

Sometimes not even then, remember there are two ends of the link…

Look at it as a “One Time Passphrase”(OTP) system or “Transaction Authorisation Number”(TAN)[1] like any stream crypto system the strength is in the Keying Material (KeyMat). That is the KeyMat or in this case indovidial TAN’s have to be not only “only used once” they have to also “remain secret”.

However being truely random there needs to be one copy of the TAN list with the user and a copy held at the resource.

If the resource becomes compromised in some way then all the users TAN lists become vulnerable…

It’s the same problem as having “plain text password files”, which has been known atleast into seven decades…

Whilst the TAN lists could be stored encrypted, unless done the right way then all you do is “shift the problem” from copying a plain texy file to copying an encrypted file and then finding the encryption key on the resource.

It’s one of the things Secure Hardware Modules (SHMs) and Secire Enclaves were supposed to solve… Only they do not because we keep finding vulnerabilities with them.

One correct way to do it is to in effect store the encryption key with the user.

I won’t go into the implementation details but you can design the system such that the two TAN lists are infact entirely different and stealing one will give you no information without the other.

[1] https://en.wikipedia.org/wiki/Transaction_authentication_number

Clive Robinson • May 20, 2021 11:12 PM

@ SpaceLifeForm,

If you can not connect any dots, then shame on you.

I connected the dots a decade back, you can read my comments of the time up on this blog somewhere.

I worked out from the get go that RSA had done something extreamly stupid with their seed-storage.

Back then I assumed it was for sales support staff to help customers with finger trouble out quickly and what the RSA S&M people would consider efficiently. And I would have trotted out my mantra of “Efficiency-v-Security” along with the fact that what we called air-gaps were not sufficient (hence my reason for talking about energy-gaps).

Go back and read the article again, somebody is still not telling the truth there even a decade later… See if you can spot it.

Clive Robinson • May 23, 2021 7:19 PM

@ MarkH,

Darwin had issues, he did not publish for decades out of fear, of what we would describe as “religious fanatics” these days. He only published because another person published similar ideas to his own. But even then Darwin “watered down” what he wrote. In effect he “delayed scientific progress” out of fear for his own well being. If that was “Right or Wrong”, is easy to say when you are not the one in fear of what may happen to you and have legislation in existance that in part protexts you from the “crazies” and worse.

Evolution effects are seen in three areas,

1, The general environment.
2, The collective species.
3, An individual with respect to the species or environment.

The third is true because of genetic diversity within any given species. We have seen this with COVID where people are effected differently by any particular SARS-CoV-2 mutation.

Whilst the argument for “nature v nurture” continues apace for intelligence, I prefere to say it is an inate charecteristic not just of humans, or other primates, but entirely seperate and at best very differently related species. Most would be hard pressed to name a common ancestor between octopi and humans, but few who have studied octopi this century would argue that they do not possess intelligence. They certainly exhibit it’s traits via behaviours and the use of tools etc. Other non primate species again exhibit not just tool use but the abiliry to communicate it to others in their species (corvids).

But the real question is not intelligence, tool use, or the ability to communicate it, but the process of modifing the environment they are in by the process of organised learning (education).

It is fairly clear that mankinds progress has easily gone beyond basic manual tool use. We’ve developed various forms of “force multipliers” and “force modifiers” sich as the “throwing stick” that extends the reach of the arm considerably thus couples more energy into a spear. Likewise the bow which takes slow input energy into storage, and releases it very much more quickly, thus far extending the range and accuracy of an arrow. Simmilar applies to the sling shot or bolas, the latter importantly alowing game to be taken alive into captivity, thus start the domestication process that gives rise to animal husbandry.

We can see in the historical records that progression of technology in effect traveled with humans from one grouping to another. The specifics of the education progress are unknown but the progression of usage is fairly clear.

Arguably it is the education process that puts us ahead of other primates and creatures almost as much as the opposable thumb. It can only have come about as a result of evolution and in the process lifted mankind at a much greater rate than other species and importantly other members of the human race in different environments. There is very clear evidence that the environment shapes humans differently. Such as the box like cross section of thigh bones in indigenous Andean dwellers. The mutation favours mechanical lift over a more extensive angular range thus making walking up steep slopes and step cut paths easier. The native aborigines in Australia have way better eyesight and the ability to lower their body temprature during sleep thus making a considerable saving on energy.

But mankind has managed to modify it’s own genome in very short periods of time. If you look at the tolerance to alcohol, in Europe very few are alcohol intolerant we have “bred it out” due to drinking either wine or beer. The fermentation process tends to kill bacteria that effect humans detrimentally, thus drinking wine and beer, and eating pickled food gave significant health benifits to those who could tollerate alcohol. Those that could not either died from disease or accidents much earlier in life. However in the Far East especially Japan, they did not need to drink alcohol thus the petcentage of intolarant people was not far of half the population just after WWII. This change in the European genetics has occured in around 4000 years.

Pinning evolution down is in fact extrodinarily difficult… for instance mankind has increased polution significantly in the past century and a half. An argument was made that the polution had virtually killed of a species of moth. However further investigation showed that the species had mutated in this time, such that the colouring had altered significantly to blend in with the polution. So a very reacent man made effect to the environment in what was considered evolutionary term time scales, has changed a species almost entirely in less time… Which means we have to be carefull with what were once considered “extinct species” they may have undergone a rapid evolutionary change due to environmental change rather than becoming extinct.

Thus “survival of the fittest” is in fact an extrodinarily bad description for evolution, that actuallt favours adaptability and non specialisation.

Clive Robinson • May 24, 2021 4:48 AM

@ MarkH,

Here we are, incipient sacrifices to our own success.

Ouch!

Thus it would appear the seeds of our own destruction were the seeds of our own genesis…

But is the diagnostic true?

We know that many species of humans exist. However quite a number did not go into extream resource usage.

There is a story you can look up about the discovery of the Kalahari Bushmen. They lived in an environment of plenty, sufficient that a scant 20mins of foraging provided the required daily sustinance. The bushmen then spent the rest of the day making at worst a very minimal impact on the environment. Their population was small and importantly they kept it stable, so in effect they were in balance with their environment.

They were discovered by a group of funded European descent explorers. When they returned their discovery was so shocking to the funding organisation they kept it secret for over fifty years.

In essence they were vitaly scared that it would destroy “The Protestant Work Ethic” that was socialy enforced on Europeans. If you deconstruct the work ethic and remove the religious mumbo-jumbo you end up with,

“You as members of the second and third estates, will work all day to receive the minimum you need to survive, any excess will be collected by the first estate without question or disobedience”

It is when you think about it, a psychopaths view of how the world should work for them. With the “first estate” now being the “entitled elite” which drives neo-con thinking. A thinking that not only is wrong has with COVID highlighted much of it which is false and distinctly prejudicial, via the likes of “Guard Labour”.

Quite some years back whilst developing a thesis about religion and it’s effects, I traced this sort of avarice or greed backwards, and it appears to have originated out of Europe and spread like a virulant disease. Interestingly it did not appear in Africa which at the time was claimed to be the cradel of mankind[1].

Thus it raises the question that the diagnostic might well be true, but originated in a specific place and then “spread outwards” over the last few millennia…

[1] The notion of Africa as the cradel of mankind is something that is disputable logically because when you looked at the supporting arguments they suffered from the “Hanging net issue”. In short the issue is seen easily by having a net laid out flat on the floor, you randomly lift a knot and every other part of the net appears to flow out from it pleasingly to the eye as it appears to have symmetry thus “be fit” at a subconscious level. The problem is “any knot will do” thus the subjective fitness is entirely false. Similarly I joke about another “subconcious subjective fitness” with the surface of a sphere. I say correctly that if you stood on the surface of a sphere all other people you see are standing beneath you. Which to many people actually makes them feel good… Because what they hear is “All other people… are… beneath you”. Anyone who can think sees through it as just an amusment, but some genuinely think it is some form of adulation… Which is scary.

Clive Robinson • June 9, 2021 10:58 PM

@ AlexS,

My current car can be shipped with a drivetrain that gets 85MPG. The US government refused to allow it to be brought in. So I’m stuck with the same car but only get 35MPG

The reason there is an 85MPG drivetrain[1] is due to regulation to meet CO2 emmission requirments…

The auto industry was dying due to a downward tail spin spiral of “free market” stupidity and senior managment incompetence hiding behind rather sad marketing campaigns. Regulation for first safety, forced managment to bring in real engineering not the same old ineficcient pig iron box chasis designs with a new layer of chrome and similar “lipstick”.

Then other safety requirments got put on the auto industry driving further engineering and heralded CAM and CAD. It forced managment to also adopt different working practices.

Back in the 1980’s there started to be fuel and emmissions requirments that brought in further engineering advances and new technologies.

But most of this was not happening in the US where the solution managment chose to regulation was lobbying and Sports Utility Vehicles that avoided some of the regulations.

So you still have old pig iron and lipstick.

The problem with “legislation and regulation” is not the fact they exist, they are just another item in mankinds tool box, it’s how the politics behind them work.

You can give things fancy names like “regulatory capture” but at the end of the day, lunitics should not run the asylum, and foxes should not guard hen houses. It you want industry improvments you have to have regulation to not just have a level playing field, but one that’s not sinking into a swamp. For regulation to be effective it needs thorough independent oversight. Who should pay for that oversight, idealy the indistry concerned, but we’ve found that is to prone to coruption by the industry in various ways so as society generally benifits then arguably society should pay, either by a direct sales tax or by other tax. Direct sales tax is preferable because by carefull application it can hasten market change faster than other forms of regulation.

None of this is rocket science, but what boarders on the mystic is why the citizenry put up with the lobbyists, self regulation and the race to the bottom that edangers not just their lives but the lives of their as yet unborn descendants. Oh and also costs them significantly in money, jobs, health, mental wellbeing and decreasing life expectancy to name but a few.

[1] Assuming it is a real “85mpg” drive train, and,not one that “drives to the test”.

Clive Robinson • June 15, 2021 8:55 AM

@ JohnK, David,

I suspect those that believe Critical Infrastructure belongs in the hands of the government will point to last winter’s “Texas freeze”, and the incredible failure of private companies to plan for and respond to a catastrophic event.

It actually matters not a jot who owns the Infrastructure, critical or not.

It realy should not need to be said, but people arr clearly resorting to throwing political mantras and myths around rather than actually applying “critical reasoning”…

As you start to think about what is actually required to be done not the stuff and nonsense of rehtoric, you realise that certain thinking is just wrong.

Unfortunatly the wrong thinking aligns with a very short termist view point that is most easily expressed as “Grabbit and run”, by supppsed “investors” who actually behave like Viking raiders and similar of centuries gone by.

The main difference is that the Vikings could be “bought off” by Danegeld[1], but modern investors think nothing of either the company or the other shareholders that might take the more sensible view that longterm investment not fly by night investment results in better growth thus better long term returns.

Unfortunately some managment of infrastructure companies view their duty is to apease the short term investers, thus they in effect “sell the family silver” just to have them vist for a while.

Only it’s not the family silver they are selling but the companies future. Sensible and needed investment in the maintainence of assets is forsaken in retirn for impossible returns to short term investers.

Not that managment actually care their income is predicated on such behaviour. They think that they can like the investors “get in and get out” and in between profit greatly at the company and it’s,customers and other shareholders expense.

There can only be two real results from this,

1, The infrastructure becomes to fragile to even maintain.

2, The “grab it and run” mentality can only lead to market instabiliry then colapse.

But do the short term investors or senior managers care? No, their sociopathic behaviour and narcissistic traits make them believe they are “Masters of All” thus they will get out just in time to rinse wash abd repeate somewhere else…

But what if it does go wrong? Mostly short yerm investors are not playing with their money but other peoples, so they have no real skin in the game. Secondly if it does go wrong they just “walk away” and “start again” as they suffer no real penalties. Because they also know they are “to big to fail” thus will get bailed out by “The insurer of last result” which is the Government who tax the citizens who not just loose but have to pay atleast twice over for the priveledge of being robbed.

Thus it is not surprising that some think getting rid of the short term investors and just put the Govetnment in in charge which is what is going to happen anyway just reduces the cost and the pain to the customers come taxpayers who are the citizens.

But if that happens those short term investers do not have a game to play with other peoples money on which they take not just a percrntage of any profit but also take fees on any losses they create.

Thus they have to stop the Government any which way they can, which basically devolves down to bribary and coruprtion via lobbyists, sinecure jobs, nest feathering, corporate sponsorship and most importantly in the US political donations for “campaign funds” without which no US politician could get into nor remain in power.

When you see this you start to realise what needs to be done as a minimum, and what should be done in the longer term to protect the citizens from the 400 or so individuals vastly profiting from them.

So “Think and be free” or “Follow to the slaughter” the choice is that of the citizens if they are alowed it, which currently they are not in that stage managed nonsense that is US Politics…

[1] https://en.wikipedia.org/wiki/Danegeld