Friday Squid Blogging: Dancing Zombie Squid - Schneier on Security

How dead squid is made to dance when soy sauce is poured on it.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags: squid

Posted on June 12, 2015 at 4:41 PM • 210 Comments

Comments

Lasershark • June 12, 2015 4:54 PM

New Intel processors are supposed to have a ‘feature’ called Intel Identity Protection Technology that allows websites using javascript to interact with the chip and determine its identity.

Benni • June 12, 2015 5:12 PM

In Switzerland, they succeeded with the plan to administrate the nuclear power station AKW Mühleberg entirely from the internet: http://www.beobachter.ch/dossiers/energie/artikel/akw-muehleberg_einladung-fuer-hacker/

Currently, they say that only 27 persons have administrator rights… And former employees say that their firewall has holes as a mosquito net….

Jacob • June 12, 2015 5:17 PM

@Lasershark

I consider this indeed a “feature”. It is a Good Thing.
If you don’t like it, you can either not install the required drivers or, I assume, disable the Intel ME in the BIOS.

Mr. A • June 12, 2015 5:18 PM

Bruce, here is a very interesting report commissioned by the UK into Regulatory Powers. The author is an eminent barrister, David Anderson Q.C, and has been given access to a wide range of evidence to enable him to compile his report. The website itself has much (although not all) of the written submissions considered by him in producing the report.

This is the BBC article, the Guardian article and the Telegraph article.

Here is the Daily Mail and the Telegraph with the story that “Twitter and other firms could tip off terror suspects that they are under watch by spies”.

Clive Robinson • June 12, 2015 5:49 PM

Dead squid twitching due to soy sauce…

A bit like oysters and lemon juice, or frogs legs and a little electricity (which apparently inspired Mary Shelley to give us Dr Frankenstein’s Monster).

I’ve seen something similar in my local Sushi Bar, I’d ordered some sashimi, and being the first customer for a particular type of fish, it was pulled live from the tank, then beheaded and prepared and on the plate in front of me in around thirty seconds, when I dipped it in the soy sauce and wasabi mixture it twitched, I glanced up to see the chef smile and say it was good fortune. Whilst smiling back I noticed the head of the fish on the preparation board moving its jaw as though gasping for air.

Fresh fish indeed but not quite as fresh as a drink I had in Norway, which was whisky with live elvers in it, the idea was to “knock it back” whilst they were still wriggling…

And before anybody asks, no I’ve not tried “live monkey brains” but I have tried live mopane worms (actually a large caterpillar), but like sea slug and snails they taste a lot better cooked with strong herbs and spices, though the kids there liked them fried and dipped in chocolate…

tyco bass • June 12, 2015 5:53 PM

@Benni, What will Homer Simpson do now?
AlanS • June 12, 2015 6:02 PM

Jack Balkin has an interesting post on surveillance as the modus operandi of modern political parties: The Party as Database.

In the Jacksonian era, mass political parties emerged, held together by party platforms, mobilization efforts, and systems of patronage. The political party of the early twenty-first century is increasingly organized around the collection and analysis of information. This is the idea of the party as database. The party’s electoral success depends increasingly on its abilities at data mining and political surveillance of potential voters and messaging to those voters. Information systems are indispensable to their continued success.

Also see AWS Case Study: Obama for America Campaign 2012. The results speak for themselves. No wonder he loves the surveillance state.

Balkin’s post follows up on a paper from last year that is on SSRN. Also worth checking out on SSRN are his earlier writings on surveillance: The Processes of Constitutional Change: From Partisan Entrenchment to the National Surveillance State (2006, with Sanford Levinson) and The Constitution in the National Surveillance State (2008).

Buck • June 12, 2015 6:36 PM

@tyco bass

Season 7 Episode 7 (November 5, 1995) https://www.youtube.com/watch?v=8OkKhkJiJyo

If I recall correctly, the bird falls over shortly afterwards, and it nearly causes a meltdown before Homer saves the day… Great episode! 😀

LessThanObvious • June 12, 2015 6:44 PM

As covered on Slashdot.

Facial recognition technology is everywhere. It may not be legal. By Ben Sobel of The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2015/06/11/facial-recognition-technology-is-everywhere-it-may-not-be-legal/

Suit: Licata v.
Facebook alleges violation of Illinois, Biometric Information Privacy Act

Scary uses already pushing into retail: http://www.facefirst.com/services/retail

Benni • June 12, 2015 7:23 PM

The article on the nuclear power station says on page 2 that they also have notified the employees via email about the IP addresses of the internet server to which they have to connect when they want to administrate AKW Mühleberg….

I guess, they are a bit late, but at least they take the internet of things seriously…

Manuel • June 12, 2015 7:50 PM

Kaspersky leaves attribution up to the authorities and believes in responsible disclosure
http://www.channelnomics.com/channelnomics-us/analysis/2412985/kaspersky-not-our-job-to-hunt-down-our-hackers

In general, the attribution of cyber attacks is difficult to do conclusively; in order to know for a fact who is behind attacks, one must either catch the perpetrator in the act, the actors must admit to the attack, or law enforcement must uncover definitive forensic evidence that ties specific individuals to the acts in question. These activities are outside of the services and purpose that Kaspersky Lab delivers; they are the work of law enforcement investigators.

In the case of Duqu, the attackers intentionally introduced false information to confuse investigators, and used multiple proxies and jumping points to mask their connections. The use of these tactics make tracking them down to a definitive end source a complex problem, and it makes definitive attribution based purely on systems-based information dubious at best.

Some new details on the OPM hack
http://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html

OPM is still assessing how many people were affected, spokesman Samuel Schumach said.
“Once we have conclusive information about the breach, we will announce a notification plan for individuals whose information is determined to have been compromised,” he said.

Employees of intelligence agencies, such as the CIA, generally do not have their clearance checks records held by OPM, although some do, officials said.

“That’s the open question — whether it’s going to hit CIA folks,” the second official said. “It would be a huge deal. They could start unmasking identities.”

In the past year or two, the Chinese government has begun building massive databases of Americans’ personal information obtained through cyberespionage. Besides the series of OPM intrusions, a federal government contractor that conducted background investigations for OPM and the Department of Homeland Security was hacked last year by the Chinese. And Beijing has been linked to penetrations of several health insurance companies that hold personal data on tens of millions of Americans.

Manuel • June 12, 2015 7:53 PM

Germany Ends Inquiry into Merkel Phone Hack
http://arstechnica.com/tech-policy/2015/06/germany-ends-inquiry-of-whether-nsa-snooped-on-merkels-cell-phone/

The German government has decided to abandon its probe of the claims that the National Security Agency spied on Chancellor Angela Merkel’s phone. Chief prosecutor Harald Range said in a German-language statement (Google Translate) on Friday that there was insufficient evidence of criminal activity that would hold up in a German court.

Lasershark • June 12, 2015 8:12 PM

Regarding Intel Identity Protection Technology

This ‘feature’ is already available using usb tokens from RSA. The difference is that the token is ‘opt in’ while the Intel chip is ‘jailed in’. As if we can trust that this ‘feature’ won’t be used to identify specific machines on the internet.
Godel • June 12, 2015 8:25 PM

While browsing on the Tails website I saw this little gem:

When sending an email from an IMAP account, Claws Mail does the following:

1. It connects to the IMAP server and stores a plaintext copy of the email in the Queue folder on the server.
2. It encrypts the email locally.
3. It sends the encrypted email through the SMTP server.
4. It connects to the IMAP server and stores an encrypted copy of the email in the Sent folder on the server.
5. It connects to the IMAP server and deletes the plaintext email saved in step 1 from the Queue folder.

The Claws developers have been aware of this since December 2013 but have so far only published work-arounds. Apparently they think it’s not important and their comments virtually blame the users for not knowing that they have to configure their mail setup so as to avoid this.

Is it any wonder that encrypted mail isn’t more widely employed by the average user?

Thoth • June 12, 2015 8:29 PM

@Lonely Stranger, Nick P, GeorgeL

I think we miss the fact that high level languages for security settings are actually nearer to us and more common than we think. Most smartcard chips with JavaCard support use Java as the high level language albeit the lack of a whole sleuth of standard Java functions. In these smartcard architectures (JavaCard and GP architectures), they have concepts of virtualized resources, application firewalls, resource sharing security and the likes (at a CC EAL level somewhere around 5+ for most).

For the concern of attackers manipulating the memory access physically, you can encrypt and sign the memory blocks on the external or internal memory but the trade off is memory consumption.
Secure code processing (secure execution) can be done in a tamper resistant security chip where you load your secure bootloader, microkernel and most critical functions while using the security chip’s internal limited RAM space to do the secure stuff and when you load the userland applications, you may use external RAM space while using the security chip’s signing and encryption key on the memory blocks. This would have allowed a physically more secured deployment of the high security microkernels in a relatively higher physically secure and logically secure setting.

Dorian Hanzich • June 12, 2015 8:51 PM

Saw this one on the Internets: http://rt.com/news/266491-drug-pumps-hacking-hospitals/

Thoth • June 12, 2015 9:21 PM

@Godel

Good old way of handling PGP/GPG email without a mail client is to encrypt/decrypt emails without using a mail client’s cryptographic capability but to simply use the PGP/GPG tools like the command line or GPA to do the trick. If one user wants to send images or media to another user, they could simply zip them up and email the PGP/GPG ASCII armoured text to each other over any sort of mail client regardless is it Gmail, Yahoo or personal mail servers.

I am very doubtful if Claws, Enigma or Mailpile have been fully audited for their security functions so it’s best to not touch them directly lest the same thing of storing unencrypted drafts happens again or something more serious than that.

The storage of encrypted and decrypted emails at rest on the client side can be done using an encrypted volume (e.g. a variant of Truecrypt).

Godel • June 12, 2015 9:54 PM

@ Godel, Thoth

I just tried the following in Evolution:

New (message)
(Type something)
Options -> PGP Sign
Options -> PGP Encrypt
File -> Save as Draft

The message is stored locally in plaintext, unsigned, which brings up some questions:

Should a draft message be signed if it is saved?
Perhaps, but not in such a way that would allow an attacker who obtained that message to simply send it on to your recipient as if it were your final intended communication.

Should a draft message be encrypted if it is saved? Absolutely; I should think so.

Slime Mold with Mustard • June 12, 2015 10:29 PM

@Alan S

This might interest you. From December 2012:

How President Obama’s campaign used big data to rally individual voters
http://www.technologyreview.com/featuredstory/509026/how-obamas-team-used-big-data-to-rally-voters/

“Obama’s campaign began the election year confident it knew the name of every one of the 69,456,897 Americans whose votes had put him in the White House.”

I could see why he might empathize with the NSA.

Nick P • June 12, 2015 10:39 PM

@ Godel re Thoth’s suggestion

You can use this cheat sheet to use GPG without knowing GPG. Just gotta verify that you got the right key and other person do the same. Past that, you can communicate with text files encrypted and decrypted using commands on the site. Encrypted ones end in .gpg. Can encrypt other media that way, zipping it as Thoth noted. Could be some metadata exposed but I think GPG protects that. I haven’t been concerned about that given who I use it with.

So, you install it, each generate key file with command, share it securely somehow (esp in person), and then communicate with texts protected by those cut and pasted commands. Save that page onto your own PC with Save as HTML only, too, to avoid a future MITM attack.

EDIT re latest comment: I have no opinion on that as I don’t know the specifics of the product or what’s going on when you do that.

@ Thoth

re GPG

It’s funny as I’ve been saying about the same thing on HN. You should read the comments here on how hard GPG is to use. I took time to tell each one individually that a person with only Google and cutnpaste can use the tool. That a panel of technical experts just gave up after 2 hours of work was… hilarious. If it’s even true.
More disturbing is the response to my comment on ECC patents. The NSA rebuttal was fair as theirs are expired. Yet, it’s strange that all those people thought there were no patents on ECC despite it being a multi-million dollar source of income. It was getting amused because they started downvoting instead of responding while others upvoted me back up. I knew the Matasano guy was there: my rep always drops 1 point followed by a comment notification. I told him that the nonexistence of ECC patents was a neat trick given that they sold for 7x his company’s value. Edited comment to reflect what good feedback I got. Moving on.

re languages

That’s a good observation. However, they tend to use a combination of an abstract machine (VM), a verification component, and a safe language built for the VM. This powerful combination has been proven numerous times. It’s one model among many, though. Another is an inherently safe piece of hardware (eg SAFE, SSP). Another is a runtime or translation tool that makes unsafe code safe (eg full CFI, C-to-JVM compilers). Another is a language with optional runtime that inherently prevents certain problems (eg Ada, ParaSail, Ur/Web, Haskell) and might be compiled to arbitrary machines. Another are type-systems and domain-specific languages that prevent specific types of problems while outputting code that can integrate with other components. These may be used individually or all together.

The memory crypto is accurate as that’s what academic and commercial work is doing. I’ve already sent you the specifics on that, though. The schemes are getting better each year. One had a formal security argument that was pretty nice. One of few I’ve seen for hardware.

rgaff • June 12, 2015 11:51 PM

@Nick P

Re: that HN thread… OMG people berating you for copying a command off an “unsecured” cheat sheet off the net?
Cheat sheets are reminders of stuff you already know or used to know or can easily look up in the docs and verify, not unintelligible gobbledygook that better be signed or you’re toast… I use them all the time for parameters I can’t quite remember but I know I’ve used them before…

Nick P • June 13, 2015 12:09 AM

@ rgaff

Exactly! We all use them for that exact reason. They overlook that critical, little detail as the zealots push their position. I’ve determined “kragen” is part of the OpenBSD team. He’s been grasping at straws with his bogus arguments on this and the patent debate. His recent claims on the patent part of the discussion, especially that zero patents apply to current ECC, are damaging his credibility. As I told him, people wouldn’t be paying a fortune if patents had zero impact on ECC implementations. That’s what they have lawyers and engineers to prevent.

It’s all good fun, though, as the commenters are showing their true colors and other readers have been reacting. 🙂

rgaff • June 13, 2015 1:37 AM

@ Nick P

Put more precisely… docs are often horrible, and don’t start with common usage at the top, explaining first and most obviously what you most likely are there for… they usually just overwhelm you with a complete reference list of minutia that confuses you and you can’t figure out what you need to do without a very long laborious process of deciphering and learning it all… and THAT is why cheat sheets are so valuable.

But still… NEVER BLINDLY copy stuff off a cheat sheet… know what it does first! (Not saying you, Nick P, have a problem with this, just emphasizing for future readers here!) They’re great for giving examples of common usage (which docs often overlook!!), but always know what you’re running before you run it…. and that usually means looking up the options back in the documentation reference for anything you don’t already know and just needed a reminder.
Hopefully that’s a slightly more balanced way of looking at it than kragen 🙂

For security’s sake though I really do wish one could take the best features of OpenBSD like the general anally careful programming, and other concepts like Mandatory Access Control (MAC) and Address Space Layout Randomization (ASLR) and jam them all together on a hardware tagged architecture and several other complementary security practices I’ve read about and a few I haven’t…. It wouldn’t even need to be a full-featured computer and operating system at first, just make a nice actually secure home router/firewall first and grow slowly and carefully from there… sigh.

Curious • June 13, 2015 2:32 AM

US Navy is said to have been openly soliciting for buying ‘0-day’ exploits and “N-days” whatever that means, for “widely used software”. Not sure if something similar was mentioned by others the other day or not:

https://www.eff.org/deeplinks/2015/06/damn-equities-sell-your-zero-days-navy

Benni • June 13, 2015 3:31 AM

Apparently, thanks to these documents http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html the Chinese now know something about what NSA is doing in their networks. And they seem not to like that and have upgraded:

The Chinese hack on the US government perso…