Schneier on Security

Clive Robinson • November 16, 2022 7:59 PM

@ Tatütata, ALL,

“Why single out this corporation for shame?”

Well as I indicated above as @Bruce has pointed out,

“What does the code do? Spy on people”

Which alone is a valid point to pull them up on security and illicitly / unlawfully breaching users privacy, but it gets worse, as I further pointed out from the Reuters article,

“Thousands of smartphone applications in Apple (AAPL.O) and Google’s (GOOGL.O) online stores contain computer code developed by [the] technology company”

So it’s also a “serious” Privacy threat to god alone knows how many mobile and smart device users that have downloaded the deliberately backdoored applications. That most users have been led to believe are,

Supposedly user safe applications tested by both Google and Apple to be “safe enough” to be put in their “walled Gardens” market spaces.

So both Google and Apple need,

“calling out yet again for their significant failings in the name of profit and control over users to the users detriment”.

Such is the scale of this, a case could be argued that infact both Google and Apple are complicit in this spying and theft of users details thus breaching the users privacy. Further is the fact you could ask what Apple and Google are getting in “kick-back” to carry it in their walled gardens, directly from the company or other companies that profit by it being used against users.

You could then ask the all important question,

How many of Apple and Googles customers who are having their privacy breached are covered by the EU GDPR with it’s 4% of turnover penalties?

So yes it’s actually quite a big story when you dig down a little. This is not just Tax avoidance, or civil liability evasion, but a deliberate attempt at criminal intent and conspiracy.

And as I pointed out above,

“Thus a look at the source article from Reuters shows it to have been fairly recent…”

That is just the past couple of days so it is “Security News” from a world recognized source.

But to be fair to @Bruce, he’s actually not made much in the way of allegations against the company, the “singeling out” ones all come from the Reuters article.

The only addition @Bruce has made is a generalized security concern,

‘I have called supply chain security “an insurmountably hard problem,” and this is just another example of that.’

We are seeing way more of of this which is worrying but it is just one all be it currently very newsworthy example.

Clive Robinson • November 16, 2022 9:03 PM

@ ALL,

Part 2,

The Technical point of view.

I personally do not think from the technical point of view that this “supply chain” issue is actually an “insurmountably hard problem”.

It is a matter of recorded fact that the US Government “Rainbow Books” from back last century outline a series of procedures to effectively prevent it. Yes you could argue that they are not 100% but then no security ever is due to the “unknown unknowns” issues. But the technical issue is not the real issue where as the movment of money is.

The cost of the most secure A1 procedures in the rainbow books was stagering, which is why so very few systems were ever produced and why next to none were ever purchased.

Security costs along the entire goods / service production chain, and in the case of A1 the costs of storage, and delivery were not technical in the slightest, they were for “physical security” to stop the sorts of tampering the NSA got caught for.

Clive Robinson • November 16, 2022 9:20 PM

@ ALL,

Part 4a,

The costs of work and production.

To carry out any process of work or production you need,

1, Knowledge.
2, Skills (equipment use ability).
3, Tooling (equipment).
4, Space (work area / warehousing).
5, Time.
6, Energy input.
7, Feed Stock (raw materials).
8, Utility added processing.
9, Transportation (in and out).

In traditional “physical object / service” production the first two are a small percentage of the production and to market costs. The second two are very significant usually considerably more than the total cost of a “production run”. The third two are necessary for all production of all goods irrespective of type. The last three also represent a high percentage of a physical object or service production process.

Clive Robinson • November 16, 2022 9:32 PM

@ ALL,

Part 4b,

For electronic or information system goods/services the distribution of the costs by percentage is very different. With the first two often being the most significant costs.

Clive Robinson • November 16, 2022 9:45 PM

@ ALL,

Part 4d,

With the last three list items not actually existing for information objects/services as they will usuall fall directly under the second two list items.

Clive Robinson • November 16, 2022 10:04 PM

@ ALL,

Part 4f,

Importantly though is to compare the process to the distribution of “software patches” as the process method behind both can be made identical.

For information objects the loss of the last three items on the list has a significant effect on the economic processes of the markets. With the bulk of the production cost falling onto “Design Costs” with negligable or near zero cost of production (file copy) and transportation (by Internet).

Clive Robinson • November 16, 2022 10:27 PM

@ ALL,

Part 6

Conclusion / sum up,

It is this “new market economics” and producer “faux market incentives” that need to be considered for the “Supply Chain” and if it’s security actually is an “insurmountably hard problem”.

It’s not hard to see that in the “Walled Garden” case it is actually a compleatly unnecessary step in the supply chain of an information object/service. In fact like financial products it is a “faux market”, deliberately designed to do nothing other than extract financial benifit by a “third party” forceably inserting themselves between the producer (developer) and the consumer (user). The side effect of which is rather than improve supply chain security it has an enormous detrimental effect, not just on security, but as a consequence the security and privacy of the consumer (user).

So what of a solution to these “faux markets” and the poor security they create?

The simple answer is to get rid of them, or “adjust the market” asspects of them that cause the “Supply Chain” to be an “insurmountably hard problem”.

Of course this will for the third parties,

“Break their rice bowls.”

Which means that the level of their “push back” will be extream, and I agree that this would probably be an “insurmountably hard problem” to deal with under the so called “Free Market” mantras.

In some respects corporations are more venal than most individuals, so Upton Sinclair’s observation on people in politics from nearly a century ago applys by the boat load on Silicon Valley Corps, so to re-word the quote,

It is difficult to get a Corps officers to understand something when their salary depends upon the investors not wishing to understanding it for profit reasons.

Thus there are realy only two solutions open to the consumers (users) under current conditions,

1, Do not use the producer so they wise up or go out of business.
2, Government legislates or regulates out the “faux market”.

Which happens, when, and to what measure, are very open questions.

Clive Robinson • November 17, 2022 6:37 PM

@ Denton Scratch, SpaceLifeForm,

“You don’t think the automoderation that you’re trying to work around…”

Work around “NO”, blackbox test, whilst still being on topic “YES”.

The result of the test is it tends to suggest what I’ve suspected with other testing that @SpaceLifeForm, others and myself have tried to do without upseting others.

That is the spam filter appears to have a “leaky integrator” from an IP address over time, which makes hypothesis testing appear random.

That is this particular filter component cares not a jot what the content at the input is just the volumetric flow. At some number of chars input in a given time it applies what appears to be a soft choke that throttles your ability to enter content, thus other tests.

The problem in diagnosing is that it does not pass to the output which is what you see as an observer, so makes making hypothesis and test by trial and error difficult as it adds a time variable component.

The problem with this is it effects other testing, that an ordinary user might try (like @MarkH has in the past).

For example,

Let’s say you think that some word you are using is tripping the “naughty word” filter, but you have no idea what word it is. You’re only solution is to change words in your input to try to find out if it gets through or not.

Such word changing can be done very quickly in time especially if you use an editor with search and replace, or you use a form of binary chop to try to locate the word[1] using “cut-n-paste”.

But, unknown to you, you quickly hit the volumetric filter. Thus changing any words from that point on to find what you think is an accidental naughty word does not work… Even using an efficient “binary chop” search will hit the volume limit rapidly.

@ SpaceLifeForm,

Do you want to add,

“integration on input volume probably as a front end filter.”

To the list you are keeping as it does effect the ability to do other black box testing. In that you have to space resubmissions a lot further appart in time than you would otherwise do.

[1] You have to use a modified binary chop otherwise your part posts will be out of order. So you “try posting” must use only “first halves” not the slightly more efficient “random halves”.