[cryptome] Re: Security and the Rise of Snakeoil
- From: Neal Lamb <nl1816a@xxxxxxxxxxxxx>
- To: "cryptome@xxxxxxxxxxxxx" <cryptome@xxxxxxxxxxxxx>
- Date: Wed, 16 Jul 2014 18:01:13 -0700
Whatever
https://www.youtube.com/watch?v=EkaKwXddT_I
On Wednesday, July 16, 2014 6:24 PM, Shaun O'Connor <capricorn8159@xxxxxxxxx>
wrote:
Interesting article and assuming it is factually accurate is very unsettling
indeed.
On 16/07/2014 23:42, Neal Lamb wrote:
http://truth-out.org/news/item/24245-us-nearly-used-nukes-during-vietnam-war?tsk=adminpreview
>
>
>
>
>On Wednesday, July 16, 2014 4:03 PM, Ryan Carboni <ryacko@xxxxxxxxx> wrote:
>
>
>
>>The more you know your device, the more you are in control over it. You
>>should notice when it misbehaves or acts without your intent. As a corollary,
>>when you know nothing about your device, you're naked and exposed. Therefore,
>>mitigation measures need to form a conscious structure, and have to be
>>continuously re-evaluated.
>
There's a trick to learning undocumented features. Simply use it in unexpected
ways. No security service can replicate even undocumented functions, generally
because they focus on the important parts. Act erratically and the potemkin
village falls to pieces.
>
>
>
>
>On Wed, Jul 16, 2014 at 1:41 PM, In Harms Way <11414150173@xxxxxxxxxx> wrote:
>
>Security and the Rise of Snakeoil
>>Published: 04 June 2014
>>The original of this essay was written
by stf in Hungarian. I decided to go ahead and
translate it into English because I liked it.
>>
>>There are more and more people who are
starting to realise what sort of trap
they ended up in by using the internet.
While they desperately want to do
something about it, they might not have
the knowledge or resources to actually
make the first step, like leaving
Facebook or Gmail behind. Yet, people
desperately want to do something, even
if that means the online equivalent of
not carrying mineral water onto
airplanes. Every week we see a new
NSA-proof, military grade encrypted,
web-based chat application, or people
with nice CVs who finally figured out
how to do secure email in the browser.
Self-acclaimed experts teach their peers
at cryptoparties how to defend
themselves against adversaries from the
last decade. This article is for the
latter. This game might get dangerous,
and should be handled with care.
>>
>> 1. security is a conscious, multi-layered, economic process
>> 2. certain adversaries are more motivated, and control more resources
>> than others
>> 3. defenders can only lose. they have to be prepared, and minimise the
>> value and surface of an attack
>> 4. know your adversaries, the resources at their disposal, and act
>> accordingly
>> 5. there are environmental/side-channel/indirect attacks
>> 6. there are non-technical aspects
>> 7. many mitigation techniques are overly expensive and inconvenient
>>The more you know your device, the more
you are in control over it. You should
notice when it misbehaves or acts
without your intent. As a corollary,
when you know nothing about your device,
you're naked and exposed. Therefore,
mitigation measures need to form a
conscious structure, and have to be
continuously re-evaluated.
>>
>>Security is an economic process, and
thus the mass majority of the
non-targeted attacks can be mitigated
when the you raise your cost of defence
marginally above the average of the
potential victims. In non-targetted
attacks, the attacker still plays by the
rules of economics: minimise costs, and
maximise profit. As of 2014, the most
economically viable targets are Windows
and Adobe users, while estimates suggest
that OS X users will make a juicy cut
once OS X market share hits ~20%
[citation needed]. As a consequence,
diversity is an effective mitigation, as
a custom -- competent and expensive --
system will require a custom -- and
expensive -- attack. Lastly, it makes
little sense to overspend on security. A
classic example is spending $150 on a
lock for a $50 bike.
>>
>>A good way to raise the cost of an
attack is defence-in-depth: when plan A
falls, plan B will still cause a
headache for the attacker (and so it
goes). Interestingly,
security-by-obscurity in this case can
significantly raise the costs, but only
when supported by conscious, in-depth
countermeasures.
>>
>>Since this is an economic system, the
defender can only fail when met with a
resourceful enough adversary. In other
words, all defence will fail in face of
a motivated and rich attacker.
>>
>>While an attacker can measure his
effectiveness easily, a defender can
only not fail at best. Even without an
obvious failure, she can't be certain
that there hadn't been a breach that
went unnoticed. Sony is a good example
of how amateur defenders can only fail
against professionals. Minimising the
amount of data we store for longer
periods (e.g. half a year or more) will
reduce the value of an attack, while,
say, consciously controlling an online
presence will reduce the attack surface
on our persona.
>>
>>These are general best practices, and we
need to know our adversary: who they
are, what they are capable of, what sort
of resources they have at disposal. A
simplified model of adversaries might be
the following: citizen, criminal,
corporation, country.
>>
>>A citizen is of course any average user.
A criminal would be any organised and
less organised actor. A corporation can
be Google or Facebook, but it could be
just the company you work for if your
internet traffic is monitored, so this
is probably the broadest category of
all. Last, but not least, we have
countries, or rather, nation-states, in
which case the adversary is probably a
foreign intelligence agency, although
certain politicians in opposition,
political activists, journalists, or
whistleblowers might warrant the
attention of a domestic adversary.
>>
>>We also have to mention environmental or
indirect attacks. An adversary might not
solely attack the target, but can use
(or rather, abuse) the surrounding
environment, too. The defender has to
think about her communication partners,
if any of them may have an adversary
model that is different from, or higher
level than hers. The social network of a
target (Facebook image tagging)
contributes to the attack surface as
well as any other environmental factor,
since a well-motivated attacker will try
to find and exploit the weakest link to
the target. When that cheapest path is
through a less-prepared peer, that just
makes things a whole lot quicker and an
economic adversary more effective.
>>
>>(Un)fortunately the attacks and
mitigation techniques can be
non-technical, and may have other
aspects, such as economical,
educational, social, or judicial. Many
in position to change things are
motivated not to. For example, the net
neutrality and data protection acts are
likely to become sabotaged in the
European Council. It seems like there
won't be any outcome from the
surveillance scandal. The act about data
retention was invalidated by the
European High Court, but European
member-states are yet to act. However,
there are other judicial aspects --
citizens have to act within the
boundaries of the law, while this does
not apply to every actor. Some of these
actors will try and undermine new
legislation, or broaden their authority
through existing legal structures. A few
ideas that could improve the current
situation:
>>
>> 1. general immunity for hackers who publicly expose security holes
>> 2. motivating the attacks of own infrastructures rather than pursuing it
>> 3. education about security, attacks, and vulnerabilities
>> 4. non-free software vendors' liability for handling vulnerabilities
>> should be enforced
>> 5. deterrent financial liability for misuse of personal information
>> 6. public disclosure of, and diligent post-mortem analysis for every
>> incident
>> 7. new legislation for data protection, net neutrality. end data
>> exchange and data collection treaties and legislation
>> 8. free up the frequency bands that become unused after the digital
>> dividend for unlicensed use
>>Defence is difficult: many mitigation
techniques are ceremonial and
complicated even for the trained
defender, and so she'll perform it
rarely, or eventually stop the practice
altogether. In many respects, these
ceremonies are like brushing teeth:
we're not doing it because we enjoy it
so much, but rather because of the
belief in a future reward such as not
having to go to the dentist's, or
improving our chances for reproduction.
A principled approach and attention to
detail are essential, just like with any
implementation, see "goto fail", or
"heartbleed". Correct code is usually
not trivial, and the correct use of
tools is often hard due to external
constraints.
>>
>>Naturally, the it would be best if this
whole process could be simplified, but
it is also the goal of the adversary to
make it as hard as possible.
>>
>>A'tuin is the turtle in Terry
Pratchett's Discworld, on whose back 4
elephants hold the discworld on their
backs. And what is below A'tuin, you
ask? It's turtles all the way down.
A'tuin is the perfect symbol for the
endless layers of attack surfaces, that
you discover if just start scratching:
A'tuin -> organisational ->
physical -> psychological ->
browser -> OS -> HW -> network
-> network OS -> network HW ->
TEMPEST emissions -> other
side-channels -> A'tuin.
>>
>>We also need to stop and talk about
browsers for a minute, because people
tend to create and spread all sorts of
snakeoil based on the them. The reasons
for using the browser as a distribution
medium is none other than to externalise
the costs of having to support
installation on multiple systems, while
introducing a huge attack surface. The
age when a browser's primary goal was
actually browsing websites are long
gone. Browsers of today are for pushing
ads into people's faces, and make them
pay for various services. A good example
for this is Mozilla, who wanted to push
ads into the start screen of Firefox,
and all they managed to get done since
the Snowden revelations is making tabs
shinier and putting DRM into the
browser. There are 6 easy rules to
identify 99% of snakeoil:
>>
>> 1. not free software
>> 2. runs in a browser
>> 3. runs on a smartphone
>> 4. the user doesn't generate, or exclusively own the private encryption
>> keys
>> 5. there is no threat model
>> 6. uses terminology like "cyber", "military-grade", or other marketing
>> mantra
>>As a conclusion, some food for thought,
in the form of 3 questions:
>>
>> 1. how often do you update your systems?
>> 2. how strong are your email passwords? do you reuse them for other
>> pages, too?
>> 3. how many of your peers use GMail, Facebook, Skype, and do you keep
>> in touch with them through these?
>>To try estimating the footprint you
leave online, check out and think about
your results on MyShadow. And then welcome to
the ride on A'tuin. ;)
>>
You may tell "but you're so wrong" by sending an email to me at rhapsodhy.hu
>>This work is licensed under a Creative Commons Attribution-ShareAlike 3.0
>>Unported License
>>--
We have nothing to hide, but something to protect:
LIBERTY, PRIVACY & FREEDOM
- and the people, whose human rights these are.
>
>
>
--
PRIVACY IS A BASIC RIGHT - NOT A CONCESSION
Other related posts:
