Archive for the ‘Security’ Category

Downsides of a Primarily Offensive Strategy


(FTB stderr) – Marcus Ranum:

Offensive strategies are good if (and only if) you have an identifiable, small, number of foes that you can dominate.

As soon as you’ve got to worry about getting mobbed from several directions, you need to start worrying about how to cover your vulnerable parts while you attack each foe in sequence and defeat them in detail. Anyone who expects conflict that is more than a first strike followed by a one-shot victory needs to defend themselves against attack. Unless you’re the US, that is. …

stderr 2018/10/16 offensive



Hacking and Propaganda


(FTB stderr) – Marcus Ranum:

Your computer is a free-fire zone. It has been since the mid 1990s, when the NSA was told “no” on the Clipper chip and decided to come up with its own Plan B, C, D, and E. Then, the CIA came up with theirs. Etc. There are probably so many backdoors in our systems that it’s a miracle it works at all.

With backdoors in the BIOS, backdoors on the CPU, and wireless cellular-spectrum backdoors, there are probably backdoors in the GPUs and the physical network controllers, as well. Maybe the backdoors in the GPU come from the GRU and maybe the backdoors in the hard drives come from NSA, but who cares? The upshot is that all of our systems are so heinously compromised that they can only be considered marginally reliable. It is, literally, not your computer: it’s theirs. …

stderr 2018/10/06 hacking-and-propaganda

Big Brother bug

The Elephant In The Connected Room


(FTB stderr) – Marcus Ranum:

Here’s a more sophisticated attack scenario: a certain company provides air conditioning and power system maintenance and repair services in an area where there are a lot of data centers. The attacker reasons (correctly) that the HVAC company may have access to systems within a certain data center, so they launch an attack against the supplier, hoping to identify a backdoor into the actual target. Speaking of targets, that’s how Target(tm) got compromised. How did the HVAC company get compromised? Someone there appears to have opened a spreadsheet that looked like it came from Target.

These sorts of attacks are possible anywhere where one business sits across another’s supply chain, or their data chain, staffing, or services provided. In other words, it’s an extremely “target rich” environment. The worst thing is: there is no way to do business, have customers, exchange data, or perform transactions without trusting someone. So it’s probably an insoluble problem. …

stderr 2018/09/01 elephant

Trojan elephant

Sunder, a New Way to Share Secrets


(FPF) – Conor Schaefer:

The moment a news organization is given access to highly sensitive materials—such as the Panama Papers, the NSA disclosures or the Drone Papers—the journalist and their source may be targeted by state and non-state actors, with the goal of preventing disclosures. How can whistleblowers and news organizations prepare for the worst?

The Freedom of the Press Foundation is requesting public comments and testing of a new open source tool that may help with this and similar use cases: Sunder, a desktop application for dividing access to secret information between multiple participants. … sunder

Sunder: Create Secret Shares

Unlocking Encrypted Phones


(ZDNet) – Zack Whittaker:

It’s 2018, and we’re still talking about cryptographic backdoors. It’s the bad idea that just won’t die.

But don’t worry: Ray Ozzie, a former Microsoft executive thinks he can beat a dead horse with a not-so-new idea that took about a day for everyone else to rip apart. …

zdnet ripped-apart

Henri Vidal: Caïn (Facepalm)

Bitcoin Snafus


(FTB stderr) – Marcus Ranum:

There are so many things about bitcoin that are wrong.

Because there is no central brokerage, there’s no input validation process that prevents someone from just injecting their own garbage. From a security design perspective that is a “newb mistake” of the first water.

What a stupid design. The stupidity is an unavoidable consequence of not having a central authority: nobody exists to say “this transaction is a bunch of encrypted garbage that doesn’t look like one of our things.” …

What happens to bitcoin if someone finds a flaw in SHA-256? Go on, think that one through. All the people who have bitcoin appear not to have.

You’d think that someone who was creating the next big currency would think about operational details like that. You’d think that someone who was creating the next big currency would think about security models. Nah. Bitcoin are worth a lot of money, though, so who cares?! …

stderr 2018/03/28 bitcoin

Bitcoin bugs

Secure Your Android Phone


(ZDNet) – Steven J. Vaughan-Nichols:

Malware makers, phishers, they really are all out to get you. Here’s how to stop them in their tracks. …

zdnet secure android-phone

Android locked

Just Add Blockchain


(FTB stderr) – Marcus Ranum:

Back when I was doing road-shows to raise money for the start-up that didn’t happen, several of the venture capitalists we met with said things like, “right now, we’re investing in blockchain.” As far as I am concerned, they could just as easily have said “quantum.”

Over here, it seems “tactical” is another cool word to add to anything, to make it sound better than it is. Do you want a tactical quantum blockchain, as used by special forces operators?

Briefly: blockchain is an open ledger. That’s it. It’s an open ledger that is maintained with successive checksums to make alteration obvious to anyone who cares to check. When those VCs were saying they were investing in blockchain, they were saying that they were investing in tamper-resistant data – hey, that is a good idea, but it gets filed under “duh.” …

stderr 2018/02/05 blockchain

Blockchain formation

The Thick Gets Plottier


(FTB stderr) – Marcus Ranum:

The Russia election interference inquiry appears now to me to be more or less a complete charade, intended to get the various Trumpistas to lie to the FBI – and that’s about it. Because it becomes increasingly apparent that Obama knew, the FBI knew, the CIA knew, and the NSA knew that the Russians were interfering or seeking to interfere with the 2016 elections. At the time, since the government’s attribution was terrible (I do not accept “we are the FBI, trust us, the CIA told us stuff” as attribution) I was withholding judgement; now that it’s all safely too late, a whole bunch of other stuff is starting to bubble to the surface. …

stderr 2018/01/30 plottier


Meltdown and Spectre


(xkcd) – Randall Munroe:

“The Meltdown and Spectre exploits use ‘speculative execution’? What’s that?” …

xkcd 1938

Randall Munroe: xkcd 1938: Meltdown and Spectre