Securing Open-Source Software

Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such:

Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It bears the qualities of a public good and is as indispensable as national highways. Given open source’s value as a public asset, an institutional structure must be built that sustains and secures it.

This is not a novel idea. Open-source code has been called the “roads and bridges” of the current digital infrastructure that warrants the same “focus and funding.” Eric Brewer of Google explicitly called open-source software “critical infrastructure” in a recent keynote at the Open Source Summit in Austin, Texas. Several nations have adopted regulations that recognize open-source projects as significant public assets and central to their most important systems and services. Germany wants to treat open-source software as a public good and launched a sovereign tech fund to support open-source projects “just as much as bridges and roads,” and not just when a bridge collapses. The European Union adopted a formal open-source strategy that encourages it to “explore opportunities for dedicated support services for open source solutions [it] considers critical.”

Designing an institutional framework that would secure open source requires addressing adverse incentives, ensuring efficient resource allocation, and imposing minimum standards. But not all open-source projects are made equal. The first step is to identify which projects warrant this heightened level of scrutiny—projects that are critical to society. CISA defines critical infrastructure as industry sectors “so vital to the United States that [its] incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Efforts should target the open-source projects that share those features.

Posted on July 27, 2022 at 7:03 AM • 31 Comments

Comments

Mike D. July 27, 2022 8:04 AM

I’m still having to sit through briefings that say “minimize use of open source and other software from untrusted sources” for my government job. It gets on my nerves, especially when the threat model they’re most scared of now is “insider threat.” The developer being someone you know isn’t a root of trust.

Clive Robinson July 27, 2022 8:36 AM

@ Mike D, ALL,

Re : Camels Noses.

“It gets on my nerves, especially when the threat model they’re most scared of now is “insider threat.””

Government is a game by committee, where the aim is not to score an own goal. So all players agree to keep the ball away from all goals as far as possible. Now you would think that would be the middle of the pitch… Well no, because some want someone else to score an own goal. So as you’ve no doubt heard said on more than one occasion,

“They keep moving the bl@@dy goal posts”.

Obviously the more players on the pitch, the more goal posts, thus the greater the opportunity to score an own goal. So various players form secret alliances to stop the ball coming close to each other’s goals… So the ball in play moves very erratically, travels great distance and achieves next to nothing…

Clive Robinson July 27, 2022 9:45 AM

@ ALL

That first paragraph does not bode well,

“Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards.”

Whilst the first part of that statement is as true as it is for commercial “proprietary” or closed source code, the second part is at best an incorrect assumption.

When you acquire closed source code, which proprietary code mainly is, you have nothing to verify the standards to which it was developed or the safeguards that it may have.

The bureaucratic way of doing this is “Too big to fail” thinking, whereby they “assume” certain major players will be able to back their play. Well the evidence has always been they are not and use lawyers as strategic or all out weapons even against governments.

So what viewpoint are we getting,

“It bears the qualities of a public good and is as indispensable as national highways.”

Anyone driven on “national highways” recently? They could easily be named after my third favourite ice cream,

“Rocky Road”.

In the US especially infrastructure is often “Private Corps” supplying what is supposed to be a “Public Good” and in return they get a “licence” which in effect makes them part of a cartel or outright monopoly. Poor oversight means that they abuse that position in the name of “shareholder benefit”.

Thus the US finds itself with very short lived poorly maintained infrastructure compared to many other first world and quite a few second world nations as well. Getting 50 years out of US infrastructure is a surprise, getting less than 50 years in Europe would be a shock[1]…

Part of that abuse is to kill off competition not just in their own specific market sector but anything related as well. One way has been by “patents” another by “raised drawbridge legislation” and the old favourite of “load them down with regulation”…

Which brings us to,

“Given open source’s value as a public asset, an institutional structure must be built that sustains and secures it.”

Any “institutional structure” will be hierarchical, with power, control and thus corruption at the top.

But as importantly if funded from the public purse in a democracy, then the “institution’s” main preoccupation will be “to grow”, not protection of a “public asset” –which Open Source actually is not– or those that produce it.

The result will be “membership fees” or other “paid for” accreditation used as a weapon against individuals and small organisations…

So true “Open Source” will be “killed off” or end up “owned” by vested interests and “friends of politicians”…

[1] In the UK and other European Nations infrastructure built by the Romans two millennia ago is still in use in some places. In the UK there is one heck of a lot of Victorian infrastructure in sub surface works going back a century and a half. Mostly it still works as designed, the problems we are now having with it is really societal changes of four to twenty times the capacity needed, and changes in the way we live. One such is “fat-bergs”,

https://en.m.wikipedia.org/wiki/Fatberg

Something many are also doing to their bodies in the form of arterial atheroma…

Winter July 27, 2022 10:05 AM

Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards.

I think this is wrong.

First, the whole digital economy runs completely on FLOSS.

Second, the security standards of proprietary code are “mixed” down to “disastrous”. Many, very many, companies publish/sell out proprietary code but have no bug report procedure. Many are also actively hostile towards everyone who dares to report on bugs or security vulnerabilities.

More complete argumentation in Open Source Security Podcast:

You have to use Open Source
https://opensourcesecuritypodcast.libsyn.com/episode-316-you-have-to-use-open-source

Open Source Supply Chains
https://opensourcesecuritypodcast.libsyn.com/episode-125-open-source-supply-chains-npm-and-you

TimH July 27, 2022 10:13 AM

Came here to endorse what Clive and Winter put… “as proprietary code, but it lacks the same standards and safeguards.”

Tmobile has allowed customer sensitive data to be breached for the 5th time with their software, proprietary or not. They even lied about it by concealment, explicitly breaking the law, but no custodial consequences.

Until there are real penalties for web-facing code to be secure, there’s no incentive for any ‘standards and safeguards’ to be followed.

John tillotson July 27, 2022 10:19 AM

@ Clive

“Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards.”

You’re absolutely right to be concerned with this statement.

Let’s call out to “proprietary software vendors” the following question: What “standards and safeguards” do you follow? And no, “using your customers as alpha testers” doesn’t count.

Frank B. July 27, 2022 11:57 AM

The U.S. is wringing its hands in worry over corporations who aren’t following up with available security patches from open source communities and projects after decades and decades of freeloading?

This is while corporations like Facebook, Google, Twitter and Reddit, who benefit immensely from open source projects, allow their users to spread medical mis-information and hatemongering propaganda across the globe eroding the democracy the U.S. and world supposedly hold dear face zero regulation or consequences?

We’re officially at peak stupid.

Clive Robinson July 27, 2022 12:30 PM

@ Frank B.,

“We’re officially at peak stupid.”

Sadly not even close yet.

The “fiddler” is just tuning up, you wait until he plays the first reel… There will be way more than just feet flying…

@ ALL,

Having read the whole piece, one thing really annoys me about the author. Despite legal training she claims not just that Open Source is a “public good” but effectively that it’s not owned and therefore up for grabs…

As @Winter notes,

“the whole digital economy runs completely on FLOSS.”

And it brings in billions of dollars of revenue almost every day, yet pays back nothing to either the creators of the Open Source, or the Citizens the Corps also freeload off by not paying taxes… Worse if the Government does “pay developers” you can be assured those Corporates will get most of it in one way or another. Because that is the name of the game as we’ve seen with the “Walled Gardens” etc.

Arclight July 27, 2022 1:58 PM

I’m still puzzled by the fact that basically nobody ever offers to just pay the author of a critical open source project real money to fix vulnerabilities. I constantly hear about these teams pushing back on fixing something critical because they have day jobs and bills to pay, followed by discussions of how much $$$ it will cost to migrate thousands of servers to an alternative. Does nobody ever just send them a check to get it done?

Ted July 27, 2022 2:10 PM

The Lawfare podcast has a really good episode on the inaugural report of the CSRB, the Cyber Safety Review Board.

Their first report, as the original essay mentions, is on Log4j – the ubiquitous piece of open source software that contained a critical vulnerability discovered in late 2021. This vuln had a CVSS score of 10.0, the highest score possible.

The CSRB is proximately based on the NTSB, the National Transportation Safety Board that investigates civil transportation accidents.

Adkins and Alperovitch report that the CSRB actually had a lot of cooperation in their discovery process, both internationally and across a wide range of groups. The report contains 19 actionable recommendations, including recommendations for building a better software ecosystem.

Although this board is still in its infancy and only had 90 some days to produce this report, I think their work is valuable and will be impactful.

https://www.lawfareblog.com/lawfare-podcast-adkins-and-alperovitch-talk-about-cyber-safety-review-board-and-log4j

lurker July 27, 2022 4:25 PM

Random points:

an April 2022 expert security report found that 60 percent of the nearly 3 billion devices affected by the Log4Shell vulnerability remain unpatched, -Lawfare

https://www.explainxkcd.com/wiki/index.php/2347:_Dependency

Fingerpoint: whose fault are these?

Fix: wringing hands? No.
Institutionalising OSS as Lawfare suggests sounds like a one size fits all box. Paying OSS devs (from public funds?) introduces more problems than it might solve.

Some have said AI should audit code, but we know where AI comes from. It’s an interesting problem…

Clive Robinson July 27, 2022 5:28 PM

@ Arclight,

“Does nobody ever just send them a check to get it done?”

If only it were legally that easy…

Over the years since WWII and the past three or four decades most Western Governments have made it extraordinarily difficult for companies to pay individuals. Supposedly to stop fraud and tax evasion by both sides.

So this in effect requires the Open Source developer to set themselves up as a business or company. Which requires no end of paperwork (think about one day a week if you do it yourself).

But they may not be able to be, due to what is called “tax avoidance” via the likes of “off payroll earning”. Where the tax authority assumes you are acting in what they see as an unlawful manner.

Look up the history of the UK IR35 rules[1] to see just how bad it is.

The sick joke of it is large companies are now via the “gig economy” forcing minimum wage earners into “off payroll status” and people like “care assistants” who get paid less than minimum wages because of travel time and not getting anything like the correct amount of travel expenses have been faced with revenue investigations where they could lose everything they own and be made bankrupt so not be able to actually work for several years…

So no, “just sending a check” could cause the developer to lose everything they own and be forced into destitution.

[1] UK Inland Revenue press release 35 back in 1999 was in part as a result of “Y2K contractors driving Ferraris at the tax payers’ expense” nonsense in the Daily Mail and similar “useful idiot” press. Put simply a press campaign had been run against IT Contractors because allegedly they were all charging £2000/hour for a minimum of a day to change eight lines of Cobol or similar, and had flashy cars on expenses parked in their driveways causing resentment and envy in other British Workers…

The real issue was however the unfair disparity between companies and their employees in their duties to HM Treasury via the Inland Revenue. Which gave rise to what is called “Off Payroll Earning” which was seen politically as a major loss to the UK Treasury (it was not, and never really was). Back then small companies could easily pay less than 20% of gross income in tax, in fact it was not that difficult to end up being owed money by the Inland Revenue via quite reasonable accounting practices. However for an employee on “the payroll” back then if I remember correctly UK National Insurance was 20% of an Employee’s annual pay as well as 30% of the same figure for tax up to £27,000 then 40% and so on, so a minimum of 60% of a professional level wage. Along with no ability to have reasonable expenses that small companies and even partnerships got. So IT Consultants were quite sensibly setting themselves up as “small companies” to get equitable treatment with their competitors such as consultants from the “Big Four” accountancy firms, Cap Gemini, Accenture etc, who had been taking the UK government for thousands of millions in ICT contracts and the like (the real drain on HM Treasury, but as they all gave kick-backs to Party Political funds, expenditures as well as lucrative speaking fees etc to individual politicians they were obviously “friends”).

https://www.itcontracting.com/history-of-ir35/

SpaceLifeForm July 27, 2022 5:44 PM

Car Analogy Time

User = car
FLOSS = Freeway
Proprietary = Tollway
Secure working system = Destination

You have two allegedly fast routes. The on-ramps to either appear smooth. The Tollway promises no Toll to enter. The Tollway has lots of convenient on-ramps.

The on-ramp to the Freeway is not convenient, so one may think the Tollway will save time, so you think about the cost-time tradeoff.

But, while both routes may have potholes, there are more accidents on the Tollway impeding movement, and the Tollway has exit ramps closed due to construction. It becomes difficult to exit the Tollway.

There is always a Toll Booth before each exit.

The Tollway is built on poorly graded grounds, whereby flooding can become an issue. You may end up stuck for a long time.

After you enter the Tollway, the Clouds start building.

The FLOSS side roads may be best. You can find alternate routes, and if needed you can turn around.

May not be as fast, but slow and steady may actually get you to your destination sooner than you think. And safer.

You are driving a station wagon full of 9-track tapes.

Clive Robinson July 27, 2022 7:23 PM

@ Bruce, ALL,

Re : Coincidence or causality

Yesterday, I posted[1] to the thread on “Apple Lockdown Mode” and picked up on,

“Most message attachment types other than images are blocked.”

And said,

“Anyone else remember when “images” were a major attack vector?

For various reasons some image formats need a “Turing Complete Engine” that interprets the image file…”

Well one such case was the use of the near universally used image file manipulation package “ImageMagick” half a decade ago,

https://arstechnica.com/information-technology/2016/05/easily-exploited-bug-exposes-huge-number-of-sites-to-code-execution-attacks/

You will find at the bottom of that article,

“The threat at least in part stems from ImageMagick supporting more than 200 different formats, including nroff (man pages) and postscript.”

Both “nroff” and “postscript” files need a “Turing Complete Engine”(TCE) to process them, as do PDFs and quite a few other image formats. As you usually have little or no control over these embedded TCEs they are an ever present security threat in Closed Source “proprietary” code, and a very real pain in Open Source even to “Code Security Experts” because of,

1, Unbounded “state”.
2, Unconstrained control path / chain loopback.
3, Uncontrolled / Unchecked / Unverified file input causing control path change.

All three being security “no no’s” but almost always found with TCE usage.

TCEs are a very powerful way to do a great deal with very little, in that you can write a quite powerful interpreter in as little as a hundred lines of C code (ie turn a simple calculator into a Forth like interpreter). Or just import one like the “Tool Control Language”(TCL) of “WiSh Tk/TCL” fame. Or if you are mean and embittered –and who’s not these days– the equivalent of the DDS BASIC interpreter from the “International Obfuscated C Code Contest”(IOCCC) back in 1990. This link,

http://computer-programming-forum.com/47-c-language/4304b233749863b8.htm

Provides both the original “obfuscated” DDS BASIC and an unscrambled and readable –by as near ordinary mortals as programmers get– version.

Which should let anyone reading who is, shall we say, a management type, who has heard of the supposed wonders of “code review” but never actually experienced the futility of them[2], get a feeling for the problems.

My advice as always in this respect is,

“Security is a Quality Process”

Every bit as much as Quality Assurance, in fact way more so. So if you do not treat it as such from the highest organisational levels downwards, then you are going to fail and fail horribly. Usually as you build up a “Tsunami of Technical Debt” you can never ever get out from underneath, and to use the surfing term you will suffer a “wipeout”.

[1] My post of yesterday,

https://www.schneier.com/blog/archives/2022/07/apples-lockdown-mode-2.html/#comment-408190

[2] I’ve posted about the futility of “code reviews” in commercial organisations before several times on this blog. But this is the short version,

1, Marketing thus Management want the best or Star Programmers to code new features.
2, For the sake of “check list” testing QA paperwork, Management need to have “Code Reviews”.
3, Management want the cost and time and other resource impact of “Code Reviews” to be minimized.
4, Star Programmers can be both inventive and “Prima-Donnas”.
5, Star Programmers often resent or hate “Code Reviews”.
6, Programmers assigned to “Code Reviews” are usually not Star programmers and often have an entirely different mind set.
7, Code reviewers and Star Programmers unfortunately often have poor relationships bordering on antagonistic.

All of which can result in some Star programmers being “too inventive” for their own good, and deliberately writing code that is either too difficult to understand clearly or hides things “to get one over” on Management or Code Reviewers.

If you think you might have such an issue in your organisation, it often shows up in “bug track” systems where bugs get closed but not fixed with no, or very terse comment.

Clive Robinson July 27, 2022 9:57 PM

@ Arclight, ALL,

Re : “send them a check”

I’m sorry it looks like I’m picking on you I’m not.

But you could say it is your own fault 😉

By raising a very serious point, that has vexed many for quite some time, with neither easy nor obvious solution. With vested interests and Governments not wanting it solved for many reasons, some of which are far from obvious and from a personal privacy point of view of ordinary citizens quite scary.

Behind it is the deliberately pushed notion that people who are driven to “make a better world for others” are some how “communists” or “mentally abnormal” or as once described by a saliva ejaculating MicroSoft No2 as “a cancer”.

Their hard work and basic altruism to make what others glibly describe as a “public good” has due to that pushed notion some quite serious down sides, even for those who have some degree of fame in the broader community.

For instance in the US you have Eric S. Raymond writing,

https://www.linuxjournal.com/content/loadsharers-funding-load-bearing-internet-person

It shows another facet of the problem, Open Source developers who do infrastructure or core work are often virtually unknown and for various reasons sometimes not even employed and thus effectively living a “non existence”. Thus in the US do not get Health Care, Pension, or even a real bricks and mortar roof over their head. Or even at the end of the day any certainty of even getting food on the table if they even have one…

In short some live a third world existence in a first world economy.

As such these people would not be able to “cash a cheque” because they do not meet the minimum requirement for a US Bank account.

Yet what they do with meager often non existent support or resources often supports the online world for hundreds of millions of people daily. With those who most abuse them profiting greatly.

But what happens when one has had enough of such abuse and says enough, and quite lawfully withdraws their “Intellectual Property”(IP) from an abuser’s grasp?

They get vilified and treated like criminals for asserting their legal and moral rights… As the left-pad writer found when he withdrew his IP from the now known to be highly dubious NPM registry run by Isaac Schlueter as a personal fiefdom, not what he pretends it to be, which is a “public infrastructure utility”.

No doubt the Node.js community will eventually wake up to the fact that Isaac Schlueter “has form”[1] and as such is not a fit and proper person to run such a registry. Thus consign NPM to the scrapheap along with the not immediately obvious plans of his venture capital backers to seize control of all the Node.js developers’ IP as well as turn Node.js into their private and thus profitable “walled garden” where they can control and dictate Node.js’s future…

[1] https://medium.com/@3rdeden/an-attack-on-publisher-freedom-271013ff33c5#.he9ds7zch

anon July 27, 2022 10:32 PM

@clive

That first paragraph does not bode well,

“Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards.”

Whilst the first part of that statement is as true as it is for commercial “proprietary” or closed source code, the second part is at best an incorrect assumption.

When you acquire closed source code which proprietary code mainly is, you have nothing to verify the standards to which it was developed or the safeguards that it may have.

This is untrue. If I pick Microsoft Windows software as an example, I’ve seen the box of microfiche that was the Microsoft Windows source code while employed at a company that was only a customer of Microsoft (not a partner or dev shop). That wasn’t the only box of OS source code in our data center. We had source code for several versions of AT&T Unix and other OSes.

If anyone in the IT department, and we had about 100 staff, needed to know how Windows or Unix or another OS behaved, they could look it up and examine the code themselves.

I don’t know how much that box of code cost the company, but it had NDAs attached and while it was probably quite expensive it was likely only worth about 5 minutes of production downtime.

JonKnowsNothing July 28, 2022 1:26 AM

@Clive, @Arclight

re: To set themselves up as a business or company

In the USA, each state has its own business rules and there are Federal Government business rules too. Additionally, local counties and cities may have business rules too.

Years past in the rear view mirror, setting up a “computer business” wasn’t too difficult provided you earned enough business income to cover the extra costs.

Generically: You can be “self employed” or a “corporation”.

It’s now rare for companies to hire a direct self-employed person, even in the gig economy where workers are classified as such. There are legal reasons being fought out within the definition of “gig workers” vs “temp workers” vs “contract workers” vs “employees full time, part time, seasonal, on call”.

The other side is to build a small corporation, although if you are so inclined to become the next tech behemoth you can plan for The Big Corp. The Federal Tax code allows some small corporate businesses to use tax definitions as if they were just “self employed”. This is a simplification and it’s more complicated than that. It does impact the types of tax reports you have to file and the legal status of the corporation (see Delaware, Nevada, as Tax Avoidance States).

Example: In California a minimum of $800/year is due. Other states might be $400-$500.

There are City Business License fees from $25-$1,000 or more. And restrictions such as not storing inventory in your garage. Not having more than n deliveries or n package pickups per day.

County restrictions may not allow any business in a zone. Ag-Exclusive zones can have Ag Business but not Hi-Tech anything (no store, no tech mfg, no workshop).

There may be restrictions on the number of vehicles: unlimited tractors but no parking for more than 2 cars + 1 handicap spot.

It ain’t easy to run a one person shop and still compete with the staffing agencies. You may get protection and acceptance from a legal engagement contract but lots of potential clients won’t give you the time of day.

You can pay out thousands of dollars to earn a basic living. You have no security or appearance of security in work. You have to fund your own healthcare and pension. You have to pay lots of taxes and file monthly, quarterly, semi-annual and annual reports to various Local State and Federal Agencies. And any further education or keeping up with the technology courses, comes out of your pocket and costs more in lost work time.

Lots of people still do it.

The average attempts last (iirc badly) 2yrs, 5yrs, 10yrs, 15yrs. Most die before the 5yr mark and often have pledged their homes to get the SBA loan to fund the company so they rejoin the ranks of renters when things crash out. They have also maxed out their credit cards playing the musical chairs credit card game and the which checkbook has a positive balance today quiz.

Mike S July 28, 2022 3:54 AM

“to support open-source projects ‘just as much as bridges and roads,’”

Given the state of US infrastructure, this doesn’t exactly bode well.

Who? July 28, 2022 5:35 AM

Hopefully FOSS lacks the same standards and safeguards as proprietary code. See, for example, https://nvd.nist.gov/vuln/detail/CVE-2017-5689. How does a management technology forced into billions of computers allow remotely taking control of them by sending an empty authentication string for more than a decade?

Security is a process, not a seal.

Clive Robinson July 28, 2022 5:52 AM

@ JonKnowsNothing, Arclight, ALL,

Re : “send them a check” and “business setup”

With regards,

“… often have pledged their homes to get the SBA loan to fund the company so they rejoin the ranks of renters …”

There are also,

1, The court records
2, The bankruptcy
3, The “forever” debt collectors

To haunt them beyond death.

There used to be a sick one-liner in the UK,

“Too poor to die…”

Where the unsaid finish was,

“… can’t afford to be buried.”

But there is another side of course: being bankrupt means not only do you have no money, that’s been taken away from you, but also and importantly any assets you had have become the property of others at “fire sale” prices or less.

Many years ago I went out on my own, after I had saved up what I had called,

“Two years drop dead money”.

That is I had enough money to survive for two years paying all my bills etc before I started.

I set things up in a way such that I protected myself and my assets should things go wrong… So no falling into “loans or leases” or other financial snares and certainly no “business banking”. Part of the making safe had to be changed when later I had to become a part time employee of a company where I did just enough company hours to cover the new Government requirements and so on.

But I decided enough was enough, even though I was “making bank and then some”. The Government changes were forcing me to go places I did not want to go. Not least of which, but effectively “the final nail”, was the rapidly increasing “bovine scat” paperwork being inflicted, which took up more and more time. When it got to more than half a weekend every week and then some I realised I had to get others involved to “share the load”. But found that they would add significantly more paperwork, in exchange for only taking some of the paperwork away, and I would have to pay them as well… Then news came of changes to “employee pensions” and it took only a few minutes to work out the enforced liabilities there…

So I shut up shop and “divested” the bits of the business off, ensuring I had paperwork to show the transfers of ownership had not only happened but were legal thus no come back on me, and I walked away into being a full time employee again.

I do however know of people trying to go it alone… One young couple, one of whom is the daughter of a very long time friend, live in a van.

With “solar on the roof”, an electric bike and trailer for shopping etc, a smokeless “wood burner stove”, gym membership to get clean in, a “Wifi Yagi” antenna on the roof, heavy duty blackout curtains all around and IR cctv and motion sensors covering all sides for security. During the day one has a full time employed job, the other is building up a business and working out of “coffee shops”, Pubs/Bars, and Fast Food places, even public libraries, university student facilities and even hospital emergency waiting rooms. Something that has since Covid lockdown become a lot more acceptable, and easier.

Why do they do this? Simple: to save enough money to build up sufficient money to make a sizable deposit –pay down– to get their own property… They would rather save a few thousand a month than “waste it on rent, council tax, utilities”. Plus as one wryly notes,

“If our relationship can survive this nomad existence…”

One thing that did surprise me is that they can get their van to the top floor in multi-story car parks where the use of a couple of traffic cones and yellow tape allows them to lay out extra solar panels out of sight of CCTV etc[1]. Oh and visits to certain cemeteries allow discreet connection to a mains water supply and drains so they can flush out foul tanks and fill clean tanks and even do some laundry[2].

Whilst living that way is not common in the UK yet, I gather it is becoming increasingly so in the US.

[1] One thing they have got that made me smile, as it took me back to my days of “technical van squatting” on “contractor jobs”, was that you can get signs made up that use magnets to stick to not just the sides but the top of the vehicle (the ones at the sides usefully covering windows but letting some light in). Also bright orange and yellow waterproof work over clothes and several “over vests” with logos etc. As the lassie notes “We do have some strange things under the bed, but it’s cosy”…

[2] Laundry takes a lot of water… 4UK/5US gallons –15-20 liters– will do about a week’s socks and underwear for one or two people, the same again for tee/golf shirts and nightwear, and the same again for casual trousers. So even with using one load’s “first&second rinse” as the next load’s “pre&wash” you are still looking at 40-80 liters of water per person per week. One way to do this is from clean river / stream water which you then filter, which can also help with reusing water for toilet flushing etc. You can easily filter with the multiple bag filter technique: starting with a loose weave you filter out crud in successive steps, each taking out finer and finer particles, getting down to “millbank bag” style makes it almost clean enough to drink safely… However a two step active charcoal and then hollow fiber, reverse osmotic, or ceramic filter makes it as safely drinkable as tap water. I’m told that pump and filter systems used by exotic fish keepers can turn dark urine into safe drinking water, likewise dish/laundry/washup water… I’ve never tried it and for some strange reason don’t ever envisage me doing so… 😉

Winter July 28, 2022 9:45 AM

@JonKnowsNothing

There is always a certain amount of drudge in any job but “golden handcuffs” apply when there is some perk of the job for which you cannot leave (continuing healthcare)

Company health care are the cuffs. But then they vote out universal healthcare because they do not want to be free^h^h^h^h^h^h^h^h “Keep your government hands off my Medicare”.

‘https://www.scmp.com/comment/insight-opinion/article/2094674/why-america-so-opposed-universal-health-care

Henrik Holst August 24, 2022 11:57 AM

@anon: “This is untrue. If I pick Microsoft Windows software as an example, I’ve seen the box of microfische that was the Microsoft Windows source code while employed at a company that was only a customer of Microsoft (not a partner or dev shop).”

— What you had access to there was the Microsoft Shared Source Program which was the source of some parts of some versions of Windows. It was mostly drivers and not enough to even build a single version of the Windows Kernel.

Petre Peter June 23, 2023 2:46 PM

You expressly acknowledge that if failure or damage to Apple hardware results from modification of the Open Source Components of the Apple Software, such failure or damage is excluded from the terms of the Apple hardware warranty.

Leon Theremin June 26, 2023 1:36 AM

There will be no computing freedom until the silicon trojans embedded in all US designed CPUs are removed. Open Source software won’t matter for security and safety if it is running on insecure hardware.

If you want freedom, you will have to ensure that no unseen radiation is enabling remote control of your devices.

Ask me anything about BadBIOS and hardware trojans.

Winter June 26, 2023 2:14 AM

@Leon

There will be no computing freedom until the silicon trojans embedded in all US designed CPUs are removed.

Which will leave us with the trojans embedded by/in other countries. Why limit this to the US?

Btw, the trojans are embedded in the compilers that generate the layout. This is likely a Trusting Trust attack on the hardware.

‘https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html

‘https://www.schneier.com/blog/archives/2006/01/countering_trus.html

Clive Robinson June 26, 2023 6:21 AM

@ Winter, Leon Theremin, ALL,

Re : Trust Chain.

“Which will leave us with the trojans embedded by/in other countries. Why limit this to the US?”

Remember that it’s not countries or the companies/corporates that work in them but individuals who betray the trust chain.

It’s why Ken Thompson was able to come up with his speech on the “Trusting Trust Attack” and how it was implemented.

But the attack was just one of thousands that could have been implemented at any and all levels of the computing stack. From the lowest level physics of a “bubbling up attack” to the highest legislative level of international treaties.

Years ago on this blog I pointed out that the order of technical attacks I would follow if I was the likes of one of the Five Eyes SigInt agencies was,

1, Systems
2, Protocols
3, Standards

I also noted that I would attack sources of entropy by which the “Roots of Trust” were selected.

In time all these were shown to be targeted by the NSA, GCHQ etc, and we assume by every other SigInt Agency that has or will obtain access to people who work with the trust chain.

I also pointed out in conversations with @Nick P how defective “code signing” was –and by the way still is– and how it could be attacked, again by people acting allegedly for a Chinese / Iranian / North Korean / Russian / etc agency.

On initially hearing about security researcher Dragos Ruiu’s problem back shortly after the Ed Snowden Revelations it took me about thirty seconds to work out how I would go about it. As a hardware engineer I knew all about the hole in the design of IBM PCs that they had copied from the Apple ][ design that I’d “used and abused” since the 1970’s and had tried to implement audio networking with. I was not the only one; you can see the conversation between @RobertT and myself on this blog detailing it in some depth and identifying AC97 as the most likely hardware candidate. I also described an experiment I carried out over “the weekend” to prove it worked. You will see quite a few people saying it was not possible… Then two students published their experiment in a corridor paper, and suddenly the whole world and his dog were BadBIOS experts… Did any of those who said it was not possible apologise? Of course not, some however did become those instant experts getting in on the “Twilight Barking gigs”.

Also from innovative work I’d carried out in the 1980’s was “Active EmSec” attacks where the use of EM carriers, both CW and modulated, are used to cause data to be not just taken out from systems, but the flow of programs in systems changed. I pointed out this attack method worked quite well against the likes of Smart Cards, Electronic Wallets, and Pocket Gambling devices back in the 1990’s when the world started getting upset over Smart Cards and power supply related attacks.

The point is not that I’m one of those our host @Bruce pointed out “Think Hinky” but that “Thinking Hinky” is possible because of people and their behaviours, and that as things stand you can not stop them betraying the trust chain. @RobertT upset one or two here when he pointed out you could hide things in the design of a chip that could not be seen by examining the chip. @Nick P went to some lengths talking it over as did @figureitout. What @Nick P also noted was the US DoD did some open calls for ways to combat such chip tampering, and then just as it started getting interesting it all went quiet, as did those who had been involved… @Nick P concluded that it was likely that the DoD had hit “pay dirt” in some way and in effect classified it all…

Anyway I applied my hinky thinking to the problem in a more general way and finally realised that with the way the computer industry worked, due to all the assumptions it was built on, there was no way you could stop humans betraying its trust chain…

Yes, that’s right, I’m saying that with the way the fundamentals of computers work they can not be trusted. On doing a little research it turns out this was actually known in the early 1930’s before Turing wrote his now famous paper. A very original “thinking hinky” person had written a couple of what to most are incomprehensible papers that shook the assumptions at the foundations of mathematics. His name: Kurt Gödel, and if you have the right sort of mind you can see why the fundamentals of computing systems as we currently design and use them can not be trusted.

So I sat on it and thought about the nature of “shifting sands” problems, from the saying about,

“You can not build a castle on shifting sands”

And realised that since Tudor King Henry VIII, and the founding of the first Navy, we had done way better than build castles on treacherous sand, we had built mobile fortresses on water. It made me realise that you don’t have to trust the foundations you build on, only mitigate the effects of them acting against you.

It was then I remembered an old riddle about two doors and their guards: to walk through one door was death, the other life and freedom. You were allowed to ask just one question of either of the guards, knowing that one only told the truth and the other only lied, but you had no idea which was which.

The answer is to ask one guard which door the other guard would indicate was the door of life, knowing that whichever guard you asked you would be given the death door, so you should walk through the other.

It’s the basis of binary sequential logic, and a variation of it to non binary systems gave rise to the voting protocols used in high reliability, intrinsically safe, and fail safe systems. Importantly it’s sufficiently fundamental that it can be applied to all computer security and those pesky human problems of betraying trust chains.

Importantly I realised that humans had come up with ways to get useful work out of untrusted people whilst also preventing them attacking the trust chain. We call them prisons, and the original work was picking tarred hemp rope in their cells to make the fibers used for caulking the seams of wooden ships to make them watertight.

Further, the work of Jeremy Bentham on prisons, and how to make them efficient, as the “Panopticon”.

Throw in a little more thinking and the idea behind “Castles v Prisons”, or as @Wael ended up calling it C-v-P then just CvP, came into being and from there “Probabilistic Security”.

In effect you split any computing function down into very small “picking hemp” tasks and put each one in a very resource limited prison cell monitored by a guard that is only a fully quantified “state machine” and not a “Turing Machine”, thus side-stepping the issue that Kurt Gödel had pointed out.

But each task is done multiple times in parallel by different cells independent of each other and you use voting protocols to look for any sign of betrayal.

Whilst it’s not impossible to attack such a system, you can make the probability that it will be detected arbitrarily high, and thus catch it before real damage can be done.

I’ve described the ideas in some depth towards the ends of many threads of this blog. As @Toth pointed out one day, some academics in the UK (call out to George Danezis at UCL[1]) have taken the ideas without acknowledgment and started building a business around them using ironically “smart cards”…

[1] George Danezis has a taste for “taking ideas” and in effect claiming them and then turning them into “start-ups” to get rich. Not an original idea but people do spot it going on and tell the originators of the ideas… It’s just further proof that “trusting trust systems” will always be not just abused but with good probability be detected…
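The cell-and-guard voting scheme described in the comment above, as an added example that is not code from this thread or from any project it names. The squaring task, the backdoored cell and its trigger value are constructed for illustration; the guard is a fixed comparison step, not a general interpreter, and the probability function models an attacker who controls a fixed number of cells in a larger pool.

```python
# Added example, not code from the original thread or any project it names.
# Toy version of the "prison cell + guard" scheme: the same small task runs in
# several independent cells, and a simple guard compares the answers and flags
# any disagreement as a possible betrayal of the trust chain.
from collections import Counter
from math import comb


def honest_cell(x):
    """Constructed stand-in for one 'picking hemp' task: square the input."""
    return x * x


def make_backdoored_cell(trigger):
    """Constructed misbehaving cell: correct except on one trigger value."""
    def cell(x):
        return x * x + 1 if x == trigger else x * x
    return cell


def guard(cells, task_input):
    """Run the task in every cell and vote.

    Returns (majority_answer, betrayal_flag, indices_of_dissenting_cells).
    Any disagreement at all is flagged, not just a lost majority, so a single
    bad cell among honest ones is caught on the input where it misbehaves.
    """
    answers = [cell(task_input) for cell in cells]
    majority, _ = Counter(answers).most_common(1)[0]
    dissenters = [i for i, a in enumerate(answers) if a != majority]
    return majority, bool(dissenters), dissenters


def undetected_probability(pool_size, subverted, per_task):
    """Chance a betrayal slips past the guard on one task.

    per_task cells are drawn at random from a pool of pool_size cells, of
    which `subverted` are controlled by one attacker. The attacker goes
    unnoticed only if every drawn cell is subverted (they then agree on the
    wrong answer); adding cells per task drives this towards zero.
    """
    if per_task > subverted:
        return 0.0
    return comb(subverted, per_task) / comb(pool_size, per_task)


if __name__ == "__main__":
    cells = [honest_cell, honest_cell, honest_cell, make_backdoored_cell(7)]
    print(guard(cells, 3))   # (9, False, [])
    print(guard(cells, 7))   # (49, True, [3])
    for n in (1, 2, 3, 4):   # 3 subverted cells in a pool of 10
        print(n, undetected_probability(10, 3, n))
```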

Winter June 26, 2023 6:55 AM

@Clive

Did any of those who said it was not possible apologise? Of course not,

On the internet, who ever does apologize for being wrong? [1]

[1] My position is, that if you never can be wrong, you will never be right.
A broken clock is not right twice a day. A broken clock will never tell you the right time, because you will never know the right time from it.

Clive Robinson June 26, 2023 8:33 AM

@ Winter,

“On the internet, who ever does apologize for being wrong?”

Some do, you can find evidence to that in this blogs pages.
