Schneier on Security

Clive Robinson • July 5, 2019 6:23 PM

From the Vice article,

“Not only do we have to think about classic prison escape and riot efforts like digging holes, jumping fences and starting fires, modernity requires that we also protect our prisons and the public against data system breaches and malware,” DOC spokesperson Jennifer Black said in an emailed statement. “It is a balancing act we are actively trying to achieve.”

What a load of “horses apples” Department of Correction spokesperson Jennifer Black spouts.

There are only two reasons programing and other CS type knowledge would be even remotely dangerous,

1, Because the DOC alows external connection.

2, Because the DOC has connected their internal administrative systems to the same wiring as the prisoners computers.

If either case exists the Department of Corrections is being extreamly negligent.

But with respect to Applied Cryptography, what is it actually going to teach them?

Appart from one or two algorithms that you could memorize (think card shuffling algorithms as stream generators) unless they are already reasonable programmers then they are not going to be able to cut the code anyway.

But you also have to ask what sort of programing environment ie language and tools the DoC would alow the prisoners to have access to. Fun as many modern beginers programing languages are, at the end of the day they do way to much hand holding behind the scenes. Worse crypto code is fairly low level code more suited to Algol 68 derivatives than much more modern languages like Python, where beginner books don’t dig down enough.

Ask any begining programmer in Python3 to write a simple substitution cipher to encrypt a file and see what they end up doing, if they actually manage to get it to work correctly. It’s actually a lot easier for a beginer to write it in GW-Basic or even C.

Then of course there is the stuff that comes with Win10 like “Powershell” (or what ever Microsoft are now calling it after the little resuffle they’ve just had).

Clive Robinson • July 6, 2019 4:40 AM

@ ervin,

those two reasons don’t consider prisoner-on-prisoner attacks. They’re an important part of a prison’s physical threat model, and arguably should be part of the digital threat model.

It depends on how you view the scope of my two points. Which ranges from zero computers for any prisoner, through a single unconnected computer for any prisoner through compiters on local area networks to wide area networks and the Internet.

If prisoners are kept continuously in their cells as is becoming more the case these days the “physical threat” of an issolated computer is not very different from a televison, radio or games console. Whilst you get right wing journalists saying things like “was given a cosy cell with a television” to try to raise faux moral outrage, the simple fact is in the UK at least studies have shown that alowing such things reduces incidents of violence not just against other prisoners but guards and the fascilities as well.

I’ve seen studies from some European Nations that indicates that the closer a prisoner is kept to normal societal norms the less likely for violance during incarceration and likewise after as well as lower rates of re-offending[1][2]. Further that “streaming offenders” is highly beneficial. That is for instance first time offenders should never be mixed with repeate offenders and those who have committed certain types of violance should not be mixed with others.

The reason for this is much of the real violence in prisons is not physical but psychological in nature, and is one of the primary motivators behind prison suicides. Whilst this has been know for years most penal systems have actively fostered it under the old idiotic “character forming” or “never did me any harm” notions that alowed such things to run rife in all sorts of institutions including schools, hospitals and workplaces, and is likewise one of the major contributors to “social issolation” and in some cases “going postal”.

As people are starting to wake upto “digital connectivity” is actually very bad news for many many people as it tends to polarize emmotional weaknesses in some it causes addictive behaviours, in others disconnection from the physical social world and in others it unfortunately alows them to bully others in new ways.

Thus the Department of Corrections should be looking a lot less at how to give “Internet connectivity” where some criminals will find many advantages due to the “digital connectivity” and be actually promoting or encoraging “self study” which does not in the main require connectivity.

Thus I’m of the view point that the DoC has behind their PR-nonsense a money motive in mind. Or more correctly how to further profit from inmates. You only have to see the ludicrous things that have been done in the way of making “inmate phone calls” a very lucrative profit center to realize that this is certainly in many minds. And one thing you can be sure of, is that just as Facebook and other Silicon Valley entities use psychologists to “hook users” and keep profiting from them, that those minds looking to profit from inmates are working hard at ways to ensure high re-offending rates etc such that they can not just continue to profit but grow their profits and care not an iota how much damage they are actually doing to society in the process.

[1] This is for prisoners who would be considered sufficiently equivalent to the population that they can at some point be seen to be safe to re-enter society, not all can be.

[2] The upshot of most studies is that of all the ways we could deal with offenders, incarceration probably has the worst possible out come for society. Which unfortunatly is not what politicians or certain commercial interests that vastly proffit off of our current disfunctional penal system want.

Clive Robinson • July 8, 2019 6:32 PM

@ Givon Zirkind, Chris,

<

blockquote>And, let us not forget, that some of these prisoners are probably in for computer crimes.

<

blockquote>

Lets be honest here, anyone who has committed a guenuine[1] computer crime, has realy no need of such a book, they will already know about “encryption” to a point few non criminal programers etc do.

I actually carry around in my head the knowledge to implement various encryption algorithms, and so I suspect do quite a few readers of this blog.

For instance using a hash function in a Fiestel round gives you the active part of quite a large block cipher. The hash function can be generalised into anyone of a number of “one way functions” the knowledge of how to use a “Random Sbox” to do this can be learnt and memorized in less than an afternoon.

Stream ciphers are again fairly easy to implement after all, all they are is a mixing function for which “XOR”, “ADD” and even “MUL” in selected 2^N or Prime ranges will work quite happily. The other part is a key stream generator, which is a specialised form of “maximal length generator” though “Card Shuffling Algorithms” work fairly well as long as the both use non-linear feed back. Even simple Fibonacci generators again with nonlinear processes added will do.

Statistics flattening algorithms are again easy to memorise and can be used in interesting ways. For instance a cipher that has an output that is indistinguishable from random can be “expanded” to look like it has the statistics of the likes of simple ciphers such as “transposition” followed by simple substitution.

The list goes on and on almost “ad infinitum”.

I’m far from special in this ability to remember the “how” if not the actual “in depth specifics”. Some may remember back to a time when ARC4 was still thought to be secure, the actual “C code” required to implement the Sarry shuffle/update oneway function was just two lines of code.

[1] Most “computer crimes” when you analyze them and compare/contrast with physical world crimes are not actually crimes, at most they would be considered torts. The stupidity of the legislators in making the legislation so broad in scope is that with little effort any computer user could be convicted under their legislation which is in effect bringing not just the legislators but the judiciary into disrepute. For instance I turn off both cookies and javascript for just about all web browsing. With US legislation if “the terms of service” say you have to have them on to receive advertising etc, than to use the site without them is the equivalent of a minor unknowing “trespass”… In the physical world that would equate to being accused of a tort for say not wearing an orange jursy when walking down a particular street, it would probably be thrown out if you tried to bring such a case. However as it’s a computer then suddenly it is a very serious crime with unbelivable tariffs for which no real evidence has to be given to obtain a conviction. Luckily most site administrators and designers are utter morons on this because their terms of service only show up if you have both javascript and cookies enabled… So I don’t get to see them displayed, although some but not many sites will only display a blank page, others just let you browse away to your hearts content all you realy loose is some features like “non functioning hamburgers” which are often not necessary because scrolling to the bottom of the page often gives hypertext links to old fashioned pages of URLs that function as the hamburger drop down menu would…