Schneier on Security

Clive Robinson • April 3, 2020 11:25 AM

@ ThatGuy,

however, when are we going to acknowledge that almost no one has a grasp on securing their systems and networks?

Let me think, well over a decade ago for me and quite a few of the regulars back then, most of whom have drifted away from this blog for one reason or another.

My thinking started more or less as yours does now,

This is a critical problem that will only be getting worse. It’s out of control. I don’t have a solution in mind, aside from a complete redesign from the ground up on protocols, chips, operating systems with security as the primary mechanism. We may have to get the government involved to require certain standards to be met via some sort of security framework. Simply put, the status quo is not an acceptable way forward.

The first thing you have to realise is a “top down” approach to security does not work for a whole heap of reasons. It’s why despite of over three decades of “formal methods” being used the resulting systems are always vulnerable to “bottom up attacks”. Put simply if I control the memory layer in the computing stack, every preventative scheme you put in place above the memory layer ends up being dependent on the memory in some way, thus it’s under my control. In effect the attack “bubbles up” through the computing stack like bubbles in a champagne flute. The tinyiest of totaly imperceptible flaws gives rise to a bubble of ever increasing attack surface that bursts through at the user level.

But the same applies from even further down the computing stack. That is if I know how to play games with the low level device physics down at the quantum level I too can have a “bubbling up attack” that grows at every level giving me control on each successive layer up the computing layer. What realy scares the likes of the Dept of Defence, is that it does not stop at the user interface level, like all propaganda it can rise up through those in the chain of command and cause all sorts of problems (see “The Man who never was”[1]).

There is no way to stop a bubbling up attack in a conventional computer architecture stack. Because the computer tells you what it has been told to tell you, and you have no way to see this from the user level in the stack.

Thus you only have two ways to go.

1, Mittigation by segregation.
2, Addopting a different architecture.

The simplest solution is the first, if there is no connection by which an attacker can communicate with your system then they cannot attack it.

For a very basic physics perspective, ‘for communications to happen “work must be done”‘. The more formal definition of work is “Energy over time” and time can be measured as the reciprocal of bandwidth. Thus TEMPEST and EmSec fundementaly work on limiting “energy and bandwidth”.

That is the less you have of either or both “energy” or “bandwidth” in the Shannon Channel then the less work you can do through that Shannon Channel. I’ve discussed both EmSeg segregation and bandwidth and “Energy Gapping” at length on this blog over the years, and the things you need to deny to the adversary. These are the freedoms of “time” as jitter, phase, bandwidth and “energy” in all it’s forms be it transported by radiation, conduction, convection, or piggy backed on some physical medium. Also the less realised use of energy converters more normally called “transducers”, especially those with nonlinear behaviour.

However “Energy Gapping” has a problem not only does it keep the bad guys and their bad information out, it also keeps the good guys and their good information out. I guess it kind of goes without saying that no matter how fast, efficient, or powerfull a computer is, it’s just spinning it’s cycles if it has no information to process. Thus you need some kind of “gap crossing” mechanisum that acts as a “choke point” to let only good information in and squeeze out bad information.

The problem is that information is like “feed stock” in a factory, it’s generally agnostic to the use the factory is going to put it too. Just like the “tools” in the factory that work upon the information. Thus you have to be able to tell if,

1A, Information is good or bad.
1B, It’s use is good or bad.

In both cases “good or bad” is a human concept within any given context, which are “human views of the world”. That is computers have no notion of “good, bad, and context” all they have are “rules, data sources and data sinks”. It’s the job of humans to map the human “good, bad, and context” into the computers rules. And it is this we realy realy suck at for various reasons. One of the biggest is “commercial imperative” which gives rise to amongst other things “technical debt”. Basically because of it over 99.9% of code realy is, not only “not fit for the intended purpose” it’s also “not secure by any reasonable measure”. For instance back last century Microsoft DOS was “user mode only” they went through several itterations of Windows and even with an OS that had both “user and kernel modes” (NT) they kept Windows through out in “user mode”… It was only in this century they started to move bits of Win32 into kernel mode. By then so much technical debt had built up, that for “backwards compatability” reasons large sections of Win32 still run in “user mode”. As it’s not that difficult to abuse the Shannon channel passing mechanisms between user and kernel modes to get privilege escalation it’s unsuprisingly a significant security issue… Microsoft have know about this for decades and have not done anything about it untill being “embarrassed” into doing so…

So trying to tell good from bad across any Shannon channel is probabilistic as is trying to determine context. So security by energy gapping whilst it is a good mitigation, the transportation of information in or out which requires a Shannon Channel in each case is at best “hit or miss”.

The Shannon channel problems exists with all architectures of all sizes, including the basic “perimiter security model” which is the fundimental of just about all commercial security offerings at some point.

Which means you have to look at option two of an altered architectur.

I did this and came up with some interesting measures, however it was not pipular with some who wanted to stick with the beoken computing model we currently use, which as I’ve pointed out above can not be secure…

Sometimes I wonder if people realy want security, and then I read a report that says what the market size of the computer security market is, I think yet again ‘there is two much “future money” in securiry solutions’ that many will see improving security as “breaking their rice bowl”.

And that’s the rub, “commercial imperative” has created so many flaws it should not have, it’s actually created a lucrative “faux market” that expands in different ways every day. It’s become like the hydra of myth, you cut off one head only for another two to appear in it’s place…

[1] The book tells the story of the WWII disinformation operation called “Mincemeat” which amoungst other things stopped the Germans effectively deploying troops and armour in Sothern Europe. Similar operations to create a fake “Patton’s Army” in Kent via the “Twenty Committee” (from Roman numerals XX which is also a “double cross”) did the same for D-Day and for several days thereafter enabling a beachhead to be established and the Invasion of Europe to start in the West of Europe and bring about the end of WWII.

Clive Robinson • April 3, 2020 4:43 PM

@ Phaete,

It is however a phrase that lost its meaning because it is said at 90% of all breaches (the ones with spin PR).

Sadly much as I would like otherwise that is the way of the world. It is in part due to the US legal system we get these “formulaic statments”. Basicallybthey have been “pre approved by legal” that tells you something even more horrific,

Most companies know they are going to be cyber-breached real soon and that PPI in the million up will be taken. So rather than reduce the risk they get legal and PR to prepare statments…

That is what the world has become, no one taking responsability and every one reaching for a lawyer.

A friend not to long ago set up a small manufacturing business in the US… There are as many lawyers on the payroll as there are other office staff… Admittedly one is also an accountant as well and specialises in what you might call “running cost minimization”. Another is an IntProp specialist that is a later in life second string to their bow as being an engineer.

But even so that’s a heck of a lot of legal muscle for a company that just makes agricultural and land scaping machines…

Clive Robinson • April 4, 2020 4:50 AM

@ ,

I suppose I am just expressing frustration at what I see coming down the road in the immediate future.

As I was some thirty years ago.

My advantage if you like is that I’ve been thinking about it longer than most others. Not because my crystal ball is any bigger and shinier, but because I was in at the start of it security wise. Being an engineer I was an “old school hacker” of the original MIT Model Railway Club type back in the late 1970’s. I designed computers at all levels thus I got to see a lot.

But even years before that as a pre-schooler I was insanely curious about the world and the way mechanics worked, thus as the most complicated mechanical things I was aloud near was locks. So I learnt to pick them out of curiosity. As a teen I’d moved onto elrctronics and Pirate Radio, which got me into computers before “home computing” came about. So I was kind of “Born into the harness” as it were.

I’m still intensely curious as to why things fail, and how to improve them and what goes into the failure. The “human” problems I’ve seen since being a teen have nearly all been “security” in one way or another, so I guess I’ve developed what our host @Bruce calls “thinking hinky”, you never know their might be a gene for it 😉

Sadly what was easy for me because the world was not realy technically complicated in the 1950’s through 80’s and thus you could self learn, and walk into a good job has changed. Technology wise we have become insanely technically complicated, for realy no practical reason. Thus there are few paths into the “gnarly forrest” other than via software, and that has become way way more complex, convoluted and complicated than it ever needed to be.

That is software has developed serious quasi-religious behaviours with a lot of complexity for show and mysticism, just to keep the unknowing out. In essence it’s become almost a branch of well known cult behaviours, where large amounts of money are sort by cult worthies for what is basically worthless knowledge, that will change as fast as a writhing snake to keep the money flowing and the worthies in the top of the hierarchy (think pyramid selling).

One sure sign things are going bad is when a practitioner in the art, can not make the tools they need before they starve. I know very few people these days who have actually built their own tool chain from physically making a computer and programing it first by diodes and switches all the way up to a functional interpreter / compiler, it’s what you did in the 1970’s and early 80’s and even though it was a right royal pain to do so it was how home computing started and you learnt a lot of foundation material along the way that you don’t even get taught these days. It also gave you insight into how security works or does not work at the lowest levels

My advice as always is “be eternally curious and live to learn”. Because at the end of the day it’s knowledge above physical skill or prowess that makes you a master of an art. Even in sport, this is true, it’s our ability to see, recognise and learn from our observations that keeps us ahead of the competition, and always will do. Irrespective of the tools made by others we may have or may not have to hand. Tools function, animals react, but only humans realy predict past the next meal or two.