Senate Intel Cmte – Attacking Encryption Again

On CSPAN there was the Senate Intelligence Committee meeting on encryption. The Director of the FBI was basically complaining that “terrorists” can be tracked during the recruitment phase (on Twitter) but then when one looks “promising” the message will be sent to “move to this app using encryption” on a mobile phone. At that point they go dark. That a communication happens can still be seen, but the contents can not. Due to strong encryption with disposable keys.

The rest of the meeting was largely spent admiring the problem. Mostly focused on how to “compel” companies to let the government get the information, or how to compel the device makers to hand over keys, or how to compel in some way or another access to the communications. There was occasional lip service to the notion that this might harm US industry, technical growth, or citizen privacy; but then it was back on the Jihad Trail against strong encryption. Oh, and they admired that Britain and France had already passed legislation… though did note that while Britain had legislation, they had no idea how to make it work…

The “fix” for the British Problem was US legislation, as some saw it. That if only ALL the technologically advanced western nations had British like laws, then Britain would not be faced with a law, but no ability to enforce a company in California to hand over keys and messages.

I’m here to remind The Committee of the past, explain a bit about the future, and let everyone else know why this is a Brain Dead Idea and doomed to failure.

We’ve been down this road before. We’ve seen the movie. (A few times…). It isn’t a mystery. Oh, and we, the people, already have taken steps that obsoleted this approach. That technology is now global, and NOT controlled by any “company”. There is literally “nobody to compel”. I know because I’m one of those nobodies.

DES – 40 bits and a mule

In The Beginning, the US Govt wanted us all to use a 40 bit encryption standard called DES Data Encryption Standard. This was a hobbled form of the 56 bit DES that cost a bit too much in compute power and $US for The Govt to regularly crack. There were devices made with DES chips in them (now all on the junk pile or in museums of failed ideas) and the USA rapidly fell behind the ROW Rest Of the World in encryption. In short order the ROW was on 56 bit DES or even “Triple DES” or 3DES, where 56 bit was done 3 times in a row.

Moore’s Law has not (yet) hit a wall.
20 years ago it was cranking too.

It says that every 18 months, the amount of computes you can do for a $US will double. Exponentials are amazing things. I first ran into this property in an ancient story. It was that of a king buying services from a saviour who only asked on grain of wheat on the first square of a chess board, then 2 on the second, then 4 on the next, then doubled to 8, then 16, etc. The King agrees. In the end, he loses his entire kingdom as that last square on the chess board needs more grain than would fill a train to the moon and back. The King was bankrupted. This matters.

2^8^8 or 2^64 is a very large number.

https://en.wikipedia.org/wiki/Wheat_and_chessboard_problem

(They present it as 2^63 since the first square starts with 2^0 which equals one grain, but there are 64 squares and 64 exponentiations – thus my shorthand above.)

On the entire chessboard there would be 264 − 1 = 18,446,744,073,709,551,615 grains of rice, weighing 461,168,602,000 metric tons, which would be a heap of rice larger than Mount Everest. This is around 1,000 times the global production of rice in 2010 (464,000,000 metric tons).

This ties in with something called the “Second Half Of The Chessboard” problem.

In technology strategy, the second half of the chessboard is a phrase, coined by Ray Kurzweil, in reference to the point where an exponentially growing factor begins to have a significant economic impact on an organization’s overall business strategy.

While the number of grains on the first half of the chessboard is large, the amount on the second half is vastly (232 > 4 billion times) larger.

Computing with electrical machines really began somewhere between 1936 ( Z1 a German electromechanical device) and about 1943 (the British Colossus). Call it 1940. That’s 75 years to now. Divide by 1.5 and you get 50. Well past the 32 squares that make up “the first half of the chess board”. We are very very far into the second half of the chess board on computing.

Two human accessible examples:

In about 1987 I was managing a $40 Million Cray Supercomputer. We had the astounding speed of 400 Mega FLOPS or million floating point operations per second. It used a 64 bit word in a time of 8 bit micros, and 32 bit mainframes. Storage was 8 mega-words of memory (about 64 megabytes…) and we eventually added a tape robot for 1/2 Terabyte of slow storage. About 5 to 8 years ago I bought an HP Laptop for $400 ish dollars. It came with a 500 GB disk, or that 1/2 Terabyte and had 4 processor cores just like our Cray had 4 cores. The total processing power was greater than the Cray. I/O to that disk was faster than to the tape, too. Oh, and it had a gigabyte of main memory as memory had become quite cheap…

Now, just a few years later, I’m going to buy a Raspberry Pi Model 2. The original Model One had 1 core running at 700 MHz. This one has 4 cores running at 900 MHz. The cost is the same. I will be getting about 5 times the compute power of that older model, bought just a couple of years back, for the same price. The whole kit, powersupply, case, and all, costs $70. Add a 2 Terabyte disk for another $60 ( I bought one a few weeks back) and for about the cost of a nice dinner out for the family, you have a compute engine so fast folks don’t know what MFLOPS it will do. “It depends on the problem” is mostly what you get:

This is talking about the 2012 “old” model one named “B”, so multiply everything by at least 5 for the newer one.

https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=22362

by docteur.blanchard » Wed Nov 07, 2012 10:13 pm
Dear all,

I have the model B 512Mo RAM.

I wish to know how to calculate the number of CPU FLOPs and GPU FLOPs given by different values of overclocking offered by the raspi-config.

Can you help me to know how to calculate and/or does someone has such of informations ?

Thanks for your help
[…]
by jamesh » Thu Nov 08, 2012 5:59 pm
The GPU is difficult to quantify – it has many different processors on it – you could just add up all the values, but since not all the processors can run entirely in parallel, that’s not fair (although seem to be the way some people add them up – for example some A10 based boards are 2x700Mhz cores, so they are advertised at 1400Mhz…).

But the number 24 GFLOPs rings a bell for the GPU. Which is a big number.

Volunteer at the Raspberry Pi Foundation, helper at Picademy September, October, November 2014.
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 13911
Joined: Sat Jul 30, 2011 7:41 pm
by tk321 » Tue Nov 13, 2012 7:27 pm
I believe the theoretical peak performance of the ARM cpu is only 350Mflops double precision at 700 MHz. I’m not sure but I would guess fused multiply-add is not available on the Raspberry Pi, because its math unit is only vfpv2 and from the arm doc:

The fused multiply-add instructions are only available on NEON or VFP systems that implement the fused multiply-add extension. The VFP system that implements the fused multiply-add extension is VFPv4.

I timed faddd and fmuld (double prec add and mul) a while ago and I think it was something like

faddd: 8 cycles latency, 2 cycles throughput
fmuld: 9 cycles latency, 2 cycles throughput

So in the best case it still takes 2 cycles for one operation and then 700MHz/2 = 350 Mflops. In the worst case where in your algorithm the result of the current operation is required for the next operation, ie pipelining can’t be used, it takes 8 cycles for one operation and we end up with 700MHz/8 = 87.5Mflops.

The GPU is impressively fast, but I’d guess the 24 GFlops are single precision.

The GPU is the Graphics Processing Unit. These are roughly the same structure as the old Cray Vector Processors, but do a heck of a lot more computes a lot faster. They are used for graphics rendering. Our Cray acceptance test was to render an owl flying at night for the trailer of a movie. Took hours for that chunk of movie, and now we do it real time in all our phones… The GPU, with a small bit of programming, can be used for general compute problems.

But look just at the one number: 350 MFLOPS from the CPU. Now multiply by 5 for the Model 2. 1750 MFLOPS. Our Cray did 400 MFLOPS. 1750/400 = 4.375 times the computes. So over 4 times the computes. For $70 for the system, $130 with storage. And we are not yet done with the second half of the chessboard…

Now I’m about to buy a computer that’s more than 4 times the speed of a “Munition” from the early 1990’s where we were forbidden, under severe penalties, to let any foreigner onto the machine without vetting, nor could they be sold to various countries; and I’m doing it through the mail for $70 for the system ( I already have the disk). BTW, it is designed in Britain and built in China, so good luck restricting it.

Back At 40 DES

Now that 40 bit DES “standard” was almost a joke at the time. It became a running laughing stock inside a few years. Now it is ancient history. Folks largely ignored the government demands and used 56 bit DES for cheap things, and did it three times for important things (called “Triple DES”). As Moore’s Law moved on, DES became a joke. Folks now routinely brute force crack DES in minutes. About 1998 folks designed a dedicated hardware DES cracker that, for $250,000, would crack DES in a couple of days. As that is about 10 doublings of Moore’s Law ago, that same machine ought to cost about $250,000 / 2^10 or $244. Then again, IF my guess is off by 1.5 years, it’s only $122. And in a few more years it will be nearly free.

In 1998, the EFF built Deep Crack for less than $250,000. In response to DES Challenge II-2, on July 15, 1998, Deep Crack decrypted a DES-encrypted message after only 56 hours of work, winning $10,000. This was the final blow to DES, against which there were already some published cryptanalytic attacks. The brute force attack showed that cracking DES was actually a very practical proposition. Most governments and large corporations could reasonably build a machine like Deep Crack.

That Raspberry Pi “kids toy” educational board can crack DES, it just takes it a bit longer. Or buy the next year model…

So just what would our National Security be now if, back then, we HAD gone ahead and put DES 40, or even DES 56 into phones, computers, network encryption, etc. etc.?

It would be “toast”. Non-existent. A Joke.

And that is why “people like me” said “No”. (Not just “no”, but “Hell No!”).

A bunch of folks went on their own ways and did their own things and told you in the government suits to bugger off. Some work was done overseas. Some in basements and attics. Some paid, some volunteer. My part was minor. Mostly just rooting from the sidelines (rather like now) and buying equipment that worked.

Some folks got themselves arrested, imprisoned, fined, lives messed up. By The Government. Guess what, there was nothing “special” about those folks. When Phil Zimmerman made Pretty Good Privacy, he was not the only one who knew about it. He was just the one willing to do it more publicly.

https://en.wikipedia.org/wiki/Pretty_Good_Privacy

https://en.wikipedia.org/wiki/Phil_Zimmermann

Criminal investigation

After a report from RSA Data Security, Inc., who were in a licensing dispute with regard to the use of the RSA algorithm in PGP, the United States Customs Service started a criminal investigation of Zimmermann, for allegedly violating the Arms Export Control Act. The United States Government had long regarded cryptographic software as a munition, and thus subject to arms trafficking export controls. At that time, the boundary between what cryptography was permitted (“low-strength”) and impermissible (“high-strength”) for export from the United States was placed such that PGP fell on the too-strong-to-export side of the boundary. The boundary for legal export has since been raised and now allows PGP to be exported. The investigation lasted three years, but was finally dropped without filing charges.

After the government dropped its case without indictment in early 1996, Zimmermann founded PGP Inc. and released an updated version of PGP and some additional related products. That company was acquired by Network Associates (NAI) in December 1997, and Zimmermann stayed on for three years as a Senior Fellow. NAI decided to drop the product line and in 2002, PGP was acquired from NAI by a new company called PGP Corporation. Zimmermann served as a special advisor and consultant to that firm until Symantec acquired PGP Corporation in 2010. Zimmermann is also a fellow at the Stanford Law School’s Center for Internet and Society. He was a principal designer of the cryptographic key agreement protocol (the “association model”) for the Wireless USB standard.

Now Phil was a very bright guy, and ahead of most of the pack on this. BUT… The Law Of Mutual Superiority says that eventually someone else can improve his stuff, and, had he been shut-up, someone else would have moved the prior art forward.

I was involved with the Arms Export Control Act since our supercomputer site was considered a “munition” under those rules. If I let anyone from our foreign offices log onto the Cray, that was “constructive export” and My Butt could end up in jail. So I was responsible for assuring that didn’t happen.

The net result was that stronger encryption and really good computing started coming out of all sorts of other places outside the USA.

The same thing will happen again.

People do not change. Somewhere there is the “Next Phil”. Kid with an idea and time to put onto it.

The simple fact is that The Law and Congress can’t move at Moore’s Law speeds.
You will never get ahead of it, and in reality can’t even keep up with it.

The notion that you will somehow have a key repository for all the encryption and be able to open the boxes on demand is just insane. What you will find inside is another encrypted box for which you do not have the key. The code is already released “in the wild”. I have a dozen variations on my machine just from personal interest. There are literally millions of computer folks who deal with this technology on a daily basis covering the entire world. It is used in everything from your “HTTPS” secure web pages to your banking to your VPN sessions to… well, everything secure. We will not just forget how to do this and flush all the code to do it on demand.

Furthermore, have you learned nothing from Phil Zimmerman, Edward Snowden, Julian Assange, and the hundreds of un-named in similar situations around the world but for lesser governments and with lesser press? The “Climategate” leaker, for example?

WE are INSIDE and WE have a moral compass. That is WHY you hired us. My job was to keep things secure. I did it very very well. But that means that once you are seen as The Bad Guy, all those instincts demand our obedience to morality. I have watched as recent intrusive snooping has become pervasive. I have not changed, but I’m now more of a “Grey Hat” than a “White Hat”. Not because I have changed, but because my government has moved more toward the Black Hat side. So in their eyes, I’m not “on board” as much as before. The simple fact is that if you squeeze this tomato too much you get covered in tomato juice as things blow up on you. Don’t piss off your own soldiers.

So pass stupid laws, the code and methods will move to other places. The code will not be slowed, stoped, or even channeled. It flows and grows. Folks will work on it in basements and attics again. Darknets are already in existence, they will just become darker. ( I have already laid out the method for a completely dark net with distributed data stores that can not be stopped; and I’m not even very good at it. I’ve not published it as it would do more bad than good. The ones better than me are likely already doing it. ) Do you really think India, Pakistan, China, heck, even South Africa have no good programmers? Think Russian programmers give a damn about you and your laws?

The Competition

What happens when you weaken security is that the weakness is found and exploited.

Period.
Full stop.
Always.
Non-negotiable.

That is why I’ve hated so much the ‘backdoors’ and deliberate weaknesses put into various codes by manufacturers at the request of the NSA (via programs such as PRISM). Yes, you can keep a weakness hidden for a little while, but eventually it gets found.

WHEN that happens, and it IS a when, not an if, then all that infrastructure is laid bare for all to pillage.

Microsoft did a broken form of 3DES where one round was null and another round was only 1/2 key length. Essentially a thing you would only do to give the NSA cheap access. That is now known “in the wild”. Anyone who didn’t close that door immediately is hacked. Any traffic that used it, and was recorded, is now hacked. Any system that isn’t patched is hacked. Any system hacked prior to public release was hacked for an unknown length of time.

Want to know WHY China can run through your networks, your PCs, your Microsoft world with impunity? Look in the mirror. The lack of just that “strong encryption” and “strong security”, most likely IMHO at the request of Three Letter Agencies, is why. NSA via PRISM, per Snowden, has made sure they can get into Microsoft products, Cisco products, etc. etc. And, in 2012, Apple Products joined the “team”. (Any wonder that just after that Apple started selling a lot more into major corporations and Big Government, and was discouraged prior to signing up?)

Now scatter security holes all over for the easy access of your TLA Agents, and what happens?

Folks Notice.

My fantasy is that the Chinese Team was watching packets and data flow (rather like I do… blinky lights are your friend) and noticed “odd things”. Then investigated. They found UDP squibs going to strange places. They found they could crack Microsoft “3DES”. They found the backdoors with weak locks. And proceeded to use those ‘exploits’ for their own.

Why do I say that?

Because it is what I would do.

Something I’ve done for decades is that I have a hub or router with ‘blinky lights’ on it between my computer and the wall. IF the lights start to blink when I’ve not explicitly told the computer to talk to the network, something is “wrong” and I investigate. Simple. Crude. Prone to false alarms. But it always tells you when someone tries to suck your disk down the wire… More than once I’ve punched the “disconnect” button (many hubs had uplink swap sense buttons that could be used to disconnect) and gone searching. Once or twice found someone pushing traffic at me that ought not… I can easily imagine a similar Chinese security guy seeing ‘blinky lights’ and looking at the sniffer recordings and figuring out the backdoor open key…

They then proceeded to make Kylin as their default operating system. It is exactly what I would do. Well, in reality, very much like what I already have done in the past. The way I kept Apple Engineering secure for 7 1/2 years was via using BSD based Unix boxes, hardened and locked down; and Kylin is BSD based, hardened and locked down. It took me hiring 4 of the best Unix guys I could find to do it. I’m sure China has far more than 4 who are just as good.

So where has that left us?

With a China that has seen our weak places, is blocking them at home and making themselves secure and opaque to us; while exploiting those weak places here.

IMHO Russia has found them too, and is also exploiting them, but with less visible tracks other than loads of credit card charges on stolen numbers…

Now some Idiot Suits want to make things LESS SECURE by design? It’s already too damn insecure by design.

We have nearly monthly Hack Of The Month reports of huge and dramatic intrusions and data thefts. IMHO there’s likely nearer one a day than one a month, but not all are reported and in many cases they are likely not even detected.

Make the encryption less secure, you will have more data loss, more credit card fraud, and more problems.

You will also have fewer “terrorists” caught as they will move to stronger systems further from your reach. At least now you get the “contact trace”. That will go away as they move to things like “photo sharing” sites based in foreign countries. You will see a photo of the family eating icecream. They will be sharing steganographic messages hidden in the bits. No, you will not be able to block them by dithering the small order bits. There are already ways around that.

The simple fact is that you can be secure with strong privacy,
or you can be exposed and exploited with weak privacy.

There is no other choice.

We already know that.

We who build it, salute you…

though push too much stupidity and it will be the “one finger salute”…

Specifics

If you go to key escrow, the keys must transit to the escrow. That will need strong encryption. The thing you want to outlaw… Doh!. The escrow needs to be perfect. NO security is ever perfect.

All the honey will be in one giant honey pot. It will be attacked with a ferocity you can not imagine. The weakest link will be personnel inside the facility. The going rate to get a janitor to stick a thumb drive into a PC will be in the “few thousand dollars” range… but that is likely not needed. Thanks to all the weaknesses in things like FLASH players, Microsoft, and Javascript, just a tasty attractive web site will do… someone will browse that “News Story about Key Archive Vulnerabilities”… likely the top management who will have “exceptions” and allowances to the “no browsing” rules…

Moore’s Law makes all encryption methods a ‘wasting asset’. Use 100% of your CPU power today to encrypt a message, and in 10 to 15 years that recorded message is read easily. And yes, other folks record messages too, not just the NSA. Passing those encryption keys, used for multiple messages, means that in just a few years all YOUR emails will be read by your counterparties in other nations. Do you really want your Russian, Chinese, and Iranian counter parties to know what you were saying about them 5 or 10 years ago? How about 2?

Make your encryption weaker (say, by reusing that same escrowed key multiple times) and that time window drops to months, weeks, or maybe even days. (Enigma was partly broken thanks to repeated use of settings and repeated use of the closing phrase “Heil Hitler”… a ‘known text’ attack…) ANY design or legal mandate passed into law today will be obsolete and worthless in a decade, and weak in 5 years. Most likely subject to Major Power hacking in 2 to 3 years. Do you really think Congress can keep up that schedule of oversight and new laws and have industry then implement those new approved methods on that schedule?

It is simply the case that Congress can never have the needed level of expertise to respond in the right way and with the proper timing to issues of encryption and data security. Heck, even the NSA is a bit behind the power curve right now and they are the best in the world. By the time Congress finds out, we have already moved on to better things. Oh, and the more you legislate, the faster we move on… we’re not dumb either… See the history to date for a refresher on that… Ask Phil if you get stuck on the concepts…

That’s just the simple “top bits”. Think you can solve all of those fine? And do it again and again and again every single year forever? “Good luck with that” comes to mind. Oh, and remember you only need to screw it up once for ALL the secure infrastructure built on that ‘approved system’ to come crashing down. Look at the recent credit card number hacks and the Federal Employees records theft for what you can expect. Those came from being almost but not quite state of the art fully secure. Just a little weak. Now you want things to be even weaker… Think about it. Please.

In Conclusion

Congress is in session, so we are all at risk.

The Senate Intel committee and the FBI once again want to be free to riffle through your ‘papers and effects’ at will, constitution be damned; but worse, want to assure nothing is too hard to crack open. Down that path lies ruin. Not to mention it is impossible.

We’ve trod this road before in the 40 DES, 56 DES, and 3DES wars. Unix encryption code moved overseas. (Well, in theory… really lots of folks had it in their basement and elsewhere… ‘just in case’). Phil Zimmerman went public with something good that shifted the dialog for 20 years (despite threats of incarceration). In the end, strong encryption was done by everyone everywhere with a bit of an “up yours” sneer.

Now, a quarter century later, we have even better methods. AES, Blowfish, and more. The Code is free in the wild globally. It can not be erased. It takes no “devices” approved by “agencies” to do the encryption. Apps on cell phones are fine. Make the approved apps ‘buggered’, folks will ‘jail break’ their phones and use unapproved apps. I will publish how to do it. (Not a big deal, as 10,000+ others will have already done so by the time I find out). General purpose compute engines are everywhere now. ANY of them are sufficient to do strong encryption and many already do. While looking to buy a new WiFi router, I found that a large number now can have Linux based software installed, all with strong encryption already built in. $35 is the entry price point and millions of them are made each year. Force their firmware to be pre-hacked, we will just install our own firmware. Directions widely exist on the net. Think you can block firmware updates? That’s been tried for 30+ years and failed.

So block all that? Well, there’s that “roll your own” Raspberry Pi board and the 100 and one cousins of it.

There are already “make your own cell phone” and “make your own tablet” maker scripts out there. I’m in the process of “making my own” web browsing “desktop” out of one just for fun. Cost point is $40 for the board. Software is globally distributed. Boards are fabbed in China. Complexity is about 8th grade skill level to make one. (Banana Pi clonish board is all China. Other knockoffs from other countries. The tech is nearly trivial to do. It’s doing it for $35 instead of $50 that’s hard, but a “terrorist” is not going to be worried about the extra $15 …) All have strong encryption already in them. To think you can stop that tide is to be worse than thinking that Canute can stop the ocean tides…

Sidebar: The Old College Roomie teaches robotics clubs at high school level. These kids are able to build fully functional robots. That’s why I say the ‘roll your own’ workstation or phone is about 8th grade. It is likely the brighter 4th graders can do it. By high school they are working on robots and the next level of artificial life to come… things like transplanting genes to glow in the dark into worms and goldfish… Doing encryption for them would take about one weekend to master. BTW, China, Russia, and India are just as good at it…

I’m sure “this too will pass”, but I’d really rather not relive the late ’80s and early ’90s all over again.

As recent hacks have shown, our present problem is not too much encryption and too hard to crack systems; it is too little security, too little encryption, and systems that are too weak (IMHO at the request of TLAs and with TLA directed designs). Making things weaker is not the right way to go, and will ultimately result in ever more massive data beaches and much higher skills outside the country.

If you really want to crack terrorist cells, do what has always worked. Put agents inside them. Convert folks to double agents. Do your job the old fashioned way. It works, and it does not require exposing the rest of us to a world of very good system crackers. Heck, just have good agents looking a bit wild eyed hang out at the local mosques and wait to be ‘recruited’. Find the folks who browse the ‘terrorist websites’ daily or weekly (ask the NSA, they have a record of all of it…) and do a profile on each of them. That’s your best data, not my encrypted recipe for Mom’s Chocolate Chip Cookies and certainly not my Amex transaction to pay from my next Raspberry Pi from Amazon. Anything “subversive” I’ve got to say is going to be in clear text right here anyway… and that mostly will consist of “Don’t be so God Damned Stupid, please.”

Subscribe to feed

Advertisements

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Political Current Events, Tech Bits and tagged , , , , , . Bookmark the permalink.

17 Responses to Senate Intel Cmte – Attacking Encryption Again

  1. Larry Ledwick says:

    I think the key issue here is technological incompetence at the leadership level. The political class and the government management class are by their nature not technologists, their focus is in entirely the opposite direction. They are far more motivated and interested in mundane issues like budgets, defending their turf, and jockeying for status than they are about “book keeping” issues like security.

    The OPM hack is a good example, it is clear that at the management level all the way down to the technical grunts that managed the data and systems did not give a rip about good practice or even comprehend how vulnerable they were even after getting security vulnerability warnings they totally blew off any useful measures. They simply do not have a clue about how you go about creating a secure system. It starts at the individual level with secure password procedures and an ethic of taking security seriously. That was obviously missing at many levels.

    http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/

    They think they can just throw money at the problem and with a few weeks of “security sprint” lock down a system. Unfortunately that needs to be a ground up grass roots effort that in a large complex system takes years to develop and close all the trap doors, as well as good initial design, and an office culture that does not do stupid things like share passwords, use passwords like “Baby52” and do not put plain text passwords on post it notes stuck to the bottom of the key boards. Blocked or at least monitoring of USB devices etc.

    Even simple measures like watching mtime values on files to see if large blocks of data were all accessed at the same time, effective logging and scripts that crawl the logs to flag unusual events not just errors. It takes time to develop those systems, and some time invested in system design as well.

    Their system was just a giant kludge of systems stuck together, without adequate security audits and testing, using known vulnerable software or very old outdated software.

    Unfortunately that level of technological incompetence leads to all sorts of fundamental failures. Folks who have no background in computers think that encryption is solid, reliable and permanent, they don’t realize that almost any encryption can be cracked by a determined nation state attack if they have the time to crunch on the encrypted data long enough, and have enough samples of intercepts to do various sorts of traffic analysis to look for standard headers and salutations or closings in the messages to help with the crack.

  2. E.M.Smith says:

    @Larry:

    In “Tips” there was a suggestion to discuss the OPM hack, and you responded here:

    https://chiefio.wordpress.com/2015/02/04/tips-feb-2015/#comment-63007

    I’m happy to have that discussion continue in this thread as the two things are joined at the hip. Both security and privacy are essentially the same coin.

  3. Power Grab says:

    Does anyone here have a clue how widespread the interoperability of the various systems are these days? In particular, I’m wondering: How interoperable is the OPM system with a government-connected hospital system?

    Even though Electronic Health Records (EHR) sounds like a good idea in many ways, it’s just this sort of thing that makes me wary of it. I don’t blame doctors’ offices for dragging their feet on implementing it.

    One report I read about the OPM hack said that “mental health records” were part of what was obtained. Oh, goody.

  4. E.M.Smith says:

    @PowerGrab:

    My first reaction to the demand for doctors to go to electronic records was “Oh God No!”. It’s not needed, and it is a very high security risk for nearly no gain. But it’s a done deal now…

    There are “special laws” regarding medical information. HIPPA.
    http://www.hippa.com/

    They are a bit draconian. So folks tend to be much more secure and protected. Now my muse is to what extent the Federal Government is immunized from HIPPA and just how secure all those government sites are, given that Government is rarely good at this, and usually done badly by the friend of the congressman… So I’m pretty sure your hospital records are OK, right up until they get shipped to the Government for payment…

    I have also wondered how, since Roe v. Wade was decided on the basis of an implied privacy right in the constitution, the same government can turn around and say there is no medical privacy right…

    As per “interoperable”:

    I think that is the wrong term. Things that “interoperate” have some reason for data to flow between them and some kind of direct connection and process. What I think you really care about is “interconnected”. A connection, perhaps even a passive one, that can be exploited to gain information from one machine, via another with which it typically shares no operations.

    That, in fact, is my major complaint about IOT – the Internet Of Things.

    There is absolutely NO reason what so ever for my refrigerator to be on the internet. Similarly, not a one for my stove, living room lights, stereo, car, and darned near everything else in my house. I have no use at all for an internet connected power meter either.

    They each have a clear, defined, and limited job to do and need not access the internet to do it.

    Similarly, there is not a single reason at all for major power generators and dams to be internet connected. To the extent that remote electronic access is needed to, say, a dam to operate some gate or generator shutdown scram procedure; that can be done just as well over a “leased line” at a very slightly different cost. I know, as I frequently bought leased lines to connect remote sites in a secure way.

    Now the present fad is to connect everything to the internet, then put a Virtual Private Network or VPN over that internet link. Think about that term again. Virtual. Private Network. It is attempting to mimic with encryption a dedicated Private Link. So why not just use the private link to start with? The answer is “a small amount of cost”. Why have 3 or 4 circuits when you can have one bigger internet circuit and then just piggy back things with VPNs? I’ve used that to connect remote sites too. It works. It can even be made “secure enough” if you are bright and work at it.

    But folks who are doing things to be cheap are rarely the ones who do things to make security the best…

    So we end up with stupid behaviours like having the Federal Employment Records on some big mainframe connected to a huge network that has spigots to the Internet. That way folks anywhere in The Federal Network can get reports, or enter data, or whatever into and from the Employee Databases on that machine; yet can still browse the internet on coffee breaks.

    At Apple, I ran a Very Secure Site inside the Very Secure Engineering Network, inside Apple. I kept “air gap” security as long as possible and for a long time folks had two computers on their desk. One for the secret project, one with ROW access. The Engineers complained. The Managers complained. Yet we were secure. Eventually, we managed to use a “change root” environment on the Cray and have, essentially, two isolated worlds, but where the inside one could see out, but the outside not in. That, plus some rather trick and sort of extreme other security enhancements let me take out the “air gap”, but it would be better not to connect things that do not need connecting, and to never connect to the internet things that must stay secret.

    Which brings us to PII Personal Identifying Information and privacy laws:

    https://en.wikipedia.org/wiki/Personally_identifiable_information

    To meet the requirements of those laws, things like credit card and social security numbers and all are usually processed on a separate network from everything else (and so, from Internet traffic). There is a boat load of stuff done so that those wires can share routers, but not have information get from one wire to the other. Things like isolated subnets, VLANS or Virtual Local Area Networks. All very secure. Unless, of course, the router gets hacked… or a fumble fingers doesn’t get the Access Controls right. Or… which is why I still like an “air gap” and not just a configuration hack to provide my security… And why my “private side server stack” is left power off unless in active use, has a ‘blinky light’ on each device right in front of me and that light needs to only blink when I’m making traffic happen (the low tech version of intrusion detection systems and traffic monitoring…) and why I have places where I can shut off a router and unplug a wire unless I actually want that private stuff talking to the internet.

    With all that said, what really happens is that the Entire Enterprise generally gets hooked up to the internet, with the exception that PII / HIPPA / Secret network segments and VLANS get isolated via router configurations, ACLS Access Control Lists, authenticators systems, and a host of other protections. That don’t always work. Thus the hacks.

    There is a very large and specialized profession, now, dedicated to securing company data and servers. It has specialist certifications, too. ( They didn’t exist when I started doing this, and I don’t have most of them, and likely never will get them. I’m not that impressed with them. They are pretty good, and likely enough most of the time. I’m just not interested in sinking that much money and remaining lifetime into chasing Yet More Paper. CISSP is the biggy, but there are a half dozen or more others. Randomly searching on “computer security certs” gave this link:
    http://www.eweek.com/c/a/Security/Top-IT-Security-Certifications-That-Will-Get-You-a-Raise-233791

    Increasingly, the Certified Information Systems Security Professional (CISSP) certification has become important, as has Certified Information Security Manager (CISM). CISSP is governed by the International Information Systems Security Certification Consortium (ISC2). ISC2 claims it received about 700 responses from U.S.-based info-security professionals in a demonstration of an increased demand for specific certification CISSP concentrations, especially in architecture.

    In the past few years, cyber-security appears to have added its name to the list of jobs that are relatively recession-proof. But separating oneself from the pack of IT pros working in the field requires something extra. According to research firm Foote Partners, the following security certifications gained 10 percent or more in market value during the final quarter of 2012: CompTIA Advanced Security Practitioner, Security Certified Network Specialist, IBM Certified Advanced Security Professional, GIAC Certified Penetration Tester. Even with the economic struggles of the past few years, IT security is the one area that has been relatively resilient. For this eWEEK slide show, we talked to analysts, representatives from ClearanceJobs.com and others to compile a list of some of the hottest security certifications job hunters should consider.

    Kamran Shakilsaid on May 27, 2013 08:20 am

    where is CISCO CCIE ? it is best and one of the toughest LAB based exam which tests you till ur blood tries out ! …

    REPLY
    John Gregorisaid on February 28, 2013 10:57 pm

    This is a great slideshow. I am a CSSLP and have received two raises in salary within the past year alone- and talk about Job security- I get at least one job offer per month. Thanks again….

    Look at that list of acronyms: CISSP, CISM, ISC2, Certified Pen Tester, CCIE CSSLP and there’s a dozen more after that.

    Trying to put what all they do into one comment is not going to work well.

    But that isn’t the problem. The problem is taking a system that I’ve heard was written in COBOL, running on a mainframe, never a thought given to internet security, and then bolting it into a network stuffed to the gills with desktop machines that connect to the internet. Now unless every single one of those desktops is 100% secure, and the network is 100% secure against exploits, then that data WILL BE TAKEN.

    The government has a huge number of machines and configurations. “Attack surfaces” in the security jargon. The network is so huge and patched together from lowest bidder parts with lowest bidder skillsets for people who don’t care; that there is no way it is penetration proof. Hooking all that together into one vast spaghetti pile of connectivity is just daft. Yet in the rush to the internet of everything, that’s what was done.

    In that context, if you go to a V.A. Hospital, or file Federal Taxes, or have ever applied for a Federal job, your data is poorly protected and connected all over the place to things that ought not be connected.

    Worse, we have TLAs actively strongarming vendors to weaken their security protects based on the sheer hubris and arrogance of thinking that they can cut it just exactly fine enough that they can get in (perhaps with ‘secret sauce’) and nobody else will ever be smart enough to figure it out. Yet “bad guys” are every bit as smart, can discover the ‘secret sauce’, and WILL find those back doors and pre-built weaknesses. It is only a matter of time, and that time has passed as far as China and Russia are concerned.

    Now “were I in charge” I’d be on a campaign to segment, isolate, and disconnect anything and everything that does not absolutely need to be connected, while locking down that stuff that does need to be connected. You’ve seen that pattern here in my discussions of “how to stay secure”.

    1) If it doesn’t NEED to be in a computer, don’t put it in a computer.
    2) If that computer doesn’t NEED to be powered on Right Now, turn it off.
    3) If that computer doesn’t NEED to be connected to the network Right Now, pull the plug out. ( I really liked that the HP Laptop had a network disconnect button on the keyboard. I could ‘toggle’ connectivity on only when and as needed. Learn how to shut down network interfaces on your computers and only turn them on when you use them.)
    4) IFF that computer needs to talk to the internet Right Now, connect that network segment to the internet. Do it though a filtering isolating firewall router. ( Or two with intrusion detection between them…).

    So well before even starting to think about system security, I’m 90%+ secure. The odds of an attack at just the moment all those connections line up is fairly slim. Even then, the odds that the “interesting” data is online is even more slim. Which brings us to:

    5) Have sensitive data on removable media. SD Cards, USB disks, whatever. IFF that data is needed Right Now, plug it in, otherwise, leave it disconnected and unplugged and powered off. WHY have your archive of secrets powered up and spinning at the time you decide to browse new shoe sites?

    6) Partition your work space. Why have just ONE computer with everything on it? Keep the “old one” and use it for specialized isolated things. It’s free with each new one you buy.

    So at this moment, I’ve got about 2 TB of data. I know it is secure. How do I know? It is on disk drives that are powered down in powered off computers, or in removable drives and media that are unplugged.

    Of 6 “platforms” I regularly use, ONE is powered up. That’s the Chromebox. I use it for Web Surfing and Blogging. You will not find “purchase” information on it, nor old docs, nor passwords nor much of anything. The EVO is powered down (both the legacy XP side and the Linux Playground Debian side are secured by power off, along with the specialized data stores on each of them. The wired connection to it is through a hub, also powered off. Air Gap security on the wire). The Antek / ASUS is powered off. Both the legacy XP (and the archive of various software downloads on it) and the CentOS GIStemp side are “cold metal” secure against hacking. The tablet is off and on the shelf.

    At any one time, my exposure is strongly limited just by that LACK of connectivity and that LACK of “always on”. And that’s what’s missing at the first level in companies and governments. Everything is powered on all the time and connected 24 x 7, modulo rare maintenance. Once someone is “inside”, they can wander everywhere and poke into everything.

    And that gets to your question: ANY government health systems are going to be “up” 24 x 7 x 365 and are going to be widely connected all over the place. Exposure is guaranteed. The best you can hope for is that the network “virtual isolation” and ‘security by configuration’ of it is ‘enough’. SImilarly, you can hope that the systems are relatively hardened (but many will not be). Further, much of the staff won’t give a damn, and some of them will be hired spies there to open holes.

    It’s that interconnection on so vast a scale that is the problem. What ought to be done is to have things like “The DMV Network” that has zero connection to the internet, or to any other government network, with perhaps a ‘reporting bridge’ that gets turned on long enough to extract any needed reports to send up the line. Similarly, there ought to be a Personal Network, not connected to the internet at all. And where, at most, selected subsets of data are extracted and exported to ‘reporting systems’ for those folks who need it, and with strong ACLS by time, date, credentials, etc. Repeat for all departments.

    More work? Yup. But much more secure. Now if someone uses a FLASH bug to “own” a desktop WIndoz box in an executive office somewhere; they can’t crawl down the wire to the Grand Master Database Server and suck out 20,000,000 employee records. At best they could hit the “budget report server” and get the extracted summary reports for that department.

    In short, they need more isolation, compartmentalization, internet repudiation, penetration testing, access control systems, and for gods sake blinky lights and monitoring staff. And stop outsourcing all your support work to folks in foreign countries where costs and morals are cheap and where bribes are low and common.

    I probably ought to stop now, as this is reaching epic proportions…

  5. Larry Ledwick says:

    You also have the weakest link issue, you might have 10,000 properly secured desktops, 500 properly secured switches and 200 properly secured routers, plus one switch that someone forgot to change the default password.

    Likewise out of those 10,000 properly secured desktops you have one duffer who shares his password with his secretary because it is convenient for him to call her and have her email him that important document he forgot to print out. She thinks his password is really funny. “bestgolferEvah70” she tells a friend who tells their janitor who tells his family over dinner and his son posts it on some social network. Poof! there goes your security, because some web crawler for some black hat stumbled across that password in clear text and added it to a dictionary attack of likely passwords, which gets sold on the dark web and now 50,000 script kiddies hit that password every month as they poke around looking for juicy stuff.

  6. Larry Ledwick says:

    OPM announcement about extent of data breech.
    Based on the time boundaries they specify I think I missed being impacted as my clearances were prior to 2000.

    https://www.opm.gov/CYBERSECURITY

  7. Power Grab says:

    Re interoperable vs interconnected – thanks!

  8. E.M.Smith says:

    @Power Grab:

    You are most welcome.

    @Larry Ledwick:

    Makes me glad I was not able to bring myself to apply for Federal jobs ;-)

    And yeah, part of why segmentation is so important is limiting the extent of the weakest link.

    Basically always assume you WILL have a breach, and act to limit the available damage WHEN it happens. I’ve had that save my cookies a couple of times.

    Part of why this “connect everything to the internet” makes my skin crawl… One ought to do exactly the opposite. NEVER connect until and unless necessary, and then only for the duration of the use. (ACLS do some of that, but are not used enough).

    Oh Well… Upper Management wanted a flood of H1-B Visa folks and Outsourcing. They got what they paid for… unfortunately, it will be the “gift that keeps on giving”…

    FWIW, part of why I constantly “rotate machines” is just such a damage limitation behaviour. Part of why I like Linux is that I can “reinstall regularly” and assure nothing is hiding in the disk somewhere. (Oh, and I’ve been known to install scripts on Unix / Linux machines that check the binaries / programs for any changes from the saved signatures. We used simple byte counts and modification dates and checksums in the “old days”. Now I’d use hashes.. Hard to do that in MS land.)

  9. Larry Ledwick says:

    Interesting ramification of the OPM hack.
    Just what do you do if you depend on biometrics like fingerprints for ID and they get hacked?

    http://www.nationaljournal.com/tech/opm-hack-fingerprints-china-20150714

  10. Power Grab says:

    Then there are those who have no fingerprints.

    Just sayin’…

  11. p.g.sharrow says:

    Larry Ledwick says:
    15 July 2015 at 2:05 am How do you prevent a biometrics hack?

    This is a problem I have been considering for years. How to create a hack resistant security system.
    Tough to make things Idiot proof, as the world is full of Idiots that use our computers to play on the Internet.:-( I tell my wife and her son “DO NOT USE THE SHOP COMPUTERS TO SURF THE INTERNET!” even provide them with separate devices to use and still they surf the Internet with the shop computers. Then complain about system crashes! Any suggestions short of murder? ;-) pg

  12. Larry Ledwick says:

    Well you can set up filters that block various destinations.
    Companies used to try to do that with filtering systems but even there you have so many ways around them. A place I used to work used “websense” to filter web destinations.

    Did not take me long to discover that you could go to blocked sites (no not those kind of prohibited sites) by using google search results and following the google search link.

    It used key word filters and was sort of a blunt instrument and sometimes perfectly legitimate sites you needed to go to included were restricted because word filters end up unintentionally blocking content that happened to have the wrong words included.

    For example suppose you are a country that wants to block access to Polish web sites. A poorly chosen word filter will also make it impossible to check the MSDS sheet for shoe polish on line.

    Most companies have dropped those draconian limits on web surfing because today’s employees will literally quit a job if you crack down too hard on incidental web surfing.

    I usually found out about external network issues due to slow web page loads, long before any other indication showed up on the official monitoring tools. I used to work for a company that had offices in Mexico, and we would lose connection to certain offices when severe thunder storms hit a certain area of Texas. Apparently they used a microwave path for part of the hop over the boarder and during heavy rain the microwave would “rain out” and lose connection, and bandwidth would crash to dial up modem speeds. I figured out that I could quickly diagnose the issue by pulling up the local radar loop for that area and if there was a heavy storm there when the link got flaky I knew it would fix itself in a few minutes as the storm moved out of the area.

  13. Steve C says:

    Now that our Tory gov’t in the UK is no longer subject to even the slightest restraint from another party, the “Snoopers’ Charter” can pretty much be taken for granted here, too (along with much else in the “Ill Wind” category). All security-related posts read, marked, learned and inwardly digested.

  14. Larry Ledwick says:

    I think this item fits under the “I told you so” tag

    That, in fact, is my major complaint about IOT – the Internet Of Things.

    There is absolutely NO reason what so ever for my refrigerator to be on the internet. Similarly, not a one for my stove, living room lights, stereo, car, and darned near everything else in my house. I have no use at all for an internet connected power meter either.

    They each have a clear, defined, and limited job to do and need not access the internet to do it.

    Is it a bad thing if a hacker can control your car over its electronic connectivity link?
    https://www.theverge.com/2015/7/21/9009213/chrysler-uconnect-vulnerability-car-hijack

  15. E.M.Smith says:

    @Larry Ledwick:

    Thanks!

    Original article (found in links in your links):
    http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

    Yeah, just the kind of “tin foil hat” worries I’d seen coming… Looks like it got here.

    Why my car has NO computer in it at all… and certainly no connection to communications systems.

    I probably ought to add: And why no appliance in my home has an internet connection nor do any of the non-computer appliances have a computer in them of any merit (i.e. not counting controller chips in the washer…)

    Should they ever start doing remote control and having only remote control appliances in the stores, any such appliance will be isolated from the power grid / comms by a nice fat DC chunk. Charger -> FAT Capacitors -> battery -> inverter -> appliance.

    It’s not paranoia, it’s experience (and knowing what I’ve done…)

  16. Larry Ledwick says:

    The above perfectly explains why the airlines and FBI freaked out when that guy used the entertainment module to poke around in that United airlines control and data system.

    http://money.cnn.com/2015/04/17/technology/security/fbi-plane-hack/

Comments are closed.