[cryptome] Re: Security and the Rise of Snakeoil

  • From: Shaun O'Connor <capricorn8159@xxxxxxxxx>
  • To: cryptome@xxxxxxxxxxxxx
  • Date: Thu, 17 Jul 2014 00:23:32 +0100

Interesting article and assuming it is factually accurate is very
unsettling indeed.
On 16/07/2014 23:42, Neal Lamb wrote:
> http://truth-out.org/news/item/24245-us-nearly-used-nukes-during-vietnam-war?tsk=adminpreview
> On Wednesday, July 16, 2014 4:03 PM, Ryan Carboni <ryacko@xxxxxxxxx>
> wrote:
> >The more you know your device, the more you are in control over it.
> You should notice when it misbehaves or acts without your intent. As a
> corollary, when you know nothing about your device, you're naked and
> exposed. Therefore, mitigation measures need to form a conscious
> structure, and have to be continuously re-evaluated.
> There's a trick to learning undocumented features. Simply use it in
> unexpected ways. No security service can replicate even undocumented
> functions, generally because they focus on the important parts. Act
> erratically and the potemkin village falls to pieces.
> On Wed, Jul 16, 2014 at 1:41 PM, In Harms Way <11414150173@xxxxxxxxxx
> <mailto:11414150173@xxxxxxxxxx>> wrote:
>     Security and the Rise of Snakeoil
>     Published: 04 June 2014
>     The original of this essay was written by stf
>     <https://www.ctrlc.hu/%7Estef/blog/posts/szekuriti.html> in
>     Hungarian. I decided to go ahead and translate it into English
>     because I liked it.
>     There are more and more people who are starting to realise what
>     sort of trap they ended up in by using the internet. While they
>     desperately want to do something about it, they might not have the
>     knowledge or resources to actually make the first step, like
>     leaving Facebook or Gmail behind. Yet, people desperately want to
>     do something, even if that means the online equivalent of not
>     carrying mineral water onto airplanes. Every week we see a new
>     NSA-proof, military grade encrypted, web-based chat application,
>     or people with nice CVs who finally figured out how to do secure
>     email in the browser. Self-acclaimed experts teach their peers at
>     cryptoparties how to defend themselves against adversaries from
>     the last decade. This article is for the latter. This game might
>     get dangerous, and should be handled with care.
>      1. security is a conscious, multi-layered, economic process
>      2. certain adversaries are more motivated, and control more
>         resources than others
>      3. defenders can only lose. they have to be prepared, and
>         minimise the value and surface of an attack
>      4. know your adversaries, the resources at their disposal, and
>         act accordingly
>      5. there are environmental/side-channel/indirect attacks
>      6. there are non-technical aspects
>      7. many mitigation techniques are overly expensive and inconvenient
>     The more you know your device, the more you are in control over
>     it. You should notice when it misbehaves or acts without your
>     intent. As a corollary, when you know nothing about your device,
>     you're naked and exposed. Therefore, mitigation measures need to
>     form a conscious structure, and have to be continuously re-evaluated.
>     Security is an economic process, and thus the mass majority of the
>     non-targeted attacks can be mitigated when the you raise your cost
>     of defence marginally above the average of the potential victims.
>     In non-targetted attacks, the attacker still plays by the rules of
>     economics: minimise costs, and maximise profit. As of 2014, the
>     most economically viable targets are Windows and Adobe users,
>     while estimates suggest that OS X users will make a juicy cut once
>     OS X market share hits ~20% [citation needed]. As a consequence,
>     diversity is an effective mitigation, as a custom -- competent and
>     expensive -- system will require a custom -- and expensive --
>     attack. Lastly, it makes little sense to overspend on security. A
>     classic example is spending $150 on a lock for a $50 bike.
>     A good way to raise the cost of an attack is defence-in-depth:
>     when plan A falls, plan B will still cause a headache for the
>     attacker (and so it goes). Interestingly, security-by-obscurity in
>     this case can significantly raise the costs, but only when
>     supported by conscious, in-depth countermeasures.
>     Since this is an economic system, the defender can only fail when
>     met with a resourceful enough adversary. In other words, all
>     defence will fail in face of a motivated and rich attacker.
>     While an attacker can measure his effectiveness easily, a defender
>     can only not fail at best. Even without an obvious failure, she
>     can't be certain that there hadn't been a breach that went
>     unnoticed. Sony is a good example of how amateur defenders can
>     only fail against professionals. Minimising the amount of data we
>     store for longer periods (e.g. half a year or more) will reduce
>     the value of an attack, while, say, consciously controlling an
>     online presence will reduce the attack surface on our persona.
>     These are general best practices, and we need to know our
>     adversary: who they are, what they are capable of, what sort of
>     resources they have at disposal. A simplified model of adversaries
>     might be the following: citizen, criminal, corporation, country.
>     A citizen is of course any average user. A criminal would be any
>     organised and less organised actor. A corporation can be Google or
>     Facebook, but it could be just the company you work for if your
>     internet traffic is monitored, so this is probably the broadest
>     category of all. Last, but not least, we have countries, or
>     rather, nation-states, in which case the adversary is probably a
>     foreign intelligence agency, although certain politicians in
>     opposition, political activists, journalists, or whistleblowers
>     might warrant the attention of a domestic adversary.
>     We also have to mention environmental or indirect attacks. An
>     adversary might not solely attack the target, but can use (or
>     rather, abuse) the surrounding environment, too. The defender has
>     to think about her communication partners, if any of them may have
>     an adversary model that is different from, or higher level than
>     hers. The social network of a target (Facebook image tagging)
>     contributes to the attack surface as well as any other
>     environmental factor, since a well-motivated attacker will try to
>     find and exploit the weakest link to the target. When that
>     cheapest path is through a less-prepared peer, that just makes
>     things a whole lot quicker and an economic adversary more effective.
>     (Un)fortunately the attacks and mitigation techniques can be
>     non-technical, and may have other aspects, such as economical,
>     educational, social, or judicial. Many in position to change
>     things are motivated not to. For example, the net neutrality and
>     data protection acts are likely to become sabotaged in the
>     European Council. It seems like there won't be any outcome from
>     the surveillance scandal. The act about data retention was
>     invalidated by the European High Court, but European member-states
>     are yet to act. However, there are other judicial aspects --
>     citizens have to act within the boundaries of the law, while this
>     does not apply to every actor. Some of these actors will try and
>     undermine new legislation, or broaden their authority through
>     existing legal structures. A few ideas that could improve the
>     current situation:
>      1. general immunity for hackers who publicly expose security holes
>      2. motivating the attacks of own infrastructures rather than
>         pursuing it
>      3. education about security, attacks, and vulnerabilities
>      4. non-free software vendors' liability for handling
>         vulnerabilities should be enforced
>      5. deterrent financial liability for misuse of personal information
>      6. public disclosure of, and diligent post-mortem analysis for
>         every incident
>      7. new legislation for data protection, net neutrality. end data
>         exchange and data collection treaties and legislation
>      8. free up the frequency bands that become unused after the
>         digital dividend for unlicensed use
>     Defence is difficult: many mitigation techniques are ceremonial
>     and complicated even for the trained defender, and so she'll
>     perform it rarely, or eventually stop the practice altogether. In
>     many respects, these ceremonies are like brushing teeth: we're not
>     doing it because we enjoy it so much, but rather because of the
>     belief in a future reward such as not having to go to the
>     dentist's, or improving our chances for reproduction. A principled
>     approach and attention to detail are essential, just like with any
>     implementation, see "goto fail", or "heartbleed". Correct code is
>     usually not trivial, and the correct use of tools is often hard
>     due to external constraints.
>     Naturally, the it would be best if this whole process could be
>     simplified, but it is also the goal of the adversary to make it as
>     hard as possible.
>     A'tuin is the turtle in Terry Pratchett's Discworld, on whose back
>     4 elephants hold the discworld on their backs. And what is below
>     A'tuin, you ask? It's turtles all the way down. A'tuin is the
>     perfect symbol for the endless layers of attack surfaces, that you
>     discover if just start scratching: A'tuin -> organisational ->
>     physical -> psychological -> browser -> OS -> HW -> network ->
>     network OS -> network HW -> TEMPEST emissions -> other
>     side-channels -> A'tuin.
>     We also need to stop and talk about browsers for a minute, because
>     people tend to create and spread all sorts of snakeoil based on
>     the them. The reasons for using the browser as a distribution
>     medium is none other than to externalise the costs of having to
>     support installation on multiple systems, while introducing a huge
>     attack surface. The age when a browser's primary goal was actually
>     browsing websites are long gone. Browsers of today are for pushing
>     ads into people's faces, and make them pay for various services. A
>     good example for this is Mozilla, who wanted to push ads into the
>     start screen of Firefox, and all they managed to get done since
>     the Snowden revelations is making tabs shinier and putting DRM
>     into the browser. There are 6 easy rules to identify 99% of snakeoil:
>      1. not free software
>      2. runs in a browser
>      3. runs on a smartphone
>      4. the user doesn't generate, or exclusively own the private
>         encryption keys
>      5. there is no threat model
>      6. uses terminology like "cyber", "military-grade", or other
>         marketing mantra
>     As a conclusion, some food for thought, in the form of 3 questions:
>      1. how often do you update your systems?
>      2. how strong are your email passwords? do you reuse them for
>         other pages, too?
>      3. how many of your peers use GMail, Facebook, Skype, and do you
>         keep in touch with them through these?
>     To try estimating the footprint you leave online, check out and
>     think about your results on MyShadow <https://myshadow.org/>. And
>     then welcome to the ride on A'tuin. ;)
>     You may tell "but you're so wrong" by sending an email to me at
>     rhapsodhy.hu <http://rhapsodhy.hu/>
>     This work is licensed under a Creative Commons
>     Attribution-ShareAlike 3.0 Unported License
>     <http://creativecommons.org/licenses/by-sa/3.0/>
>     -- 
>     We have nothing to hide, but something to protect: 
>     - and the people, whose human rights these are.


Other related posts: