Category: Information Security

Nutty cryptofails

Considering the vengeance with which cryptobackdoors, or other forms of regulation into tautological-fail limitations, are pursued over and over again (case in point: The soon luckily carved out surrender (to Monay) monkeys [case in point: anyone who has seriously tried an invasion, succeeded handsomely]), it may be worthwhile to re-consider what the current situation is. As depicted in the following:

In which D is what governments et al can’t stand. Yes, it’s that big; pushing all other categories into corners.
Where C is also small, and probably shrinking fast. And B is known; maybe not empty but through its character and the knowledge of it as cracked-all-around part, hardly used if ever, by n00bs only.
And A is what governments want for themselves, but know they can’t have or it will quickly move to B — probably without governments’ knowing of this shift…

And all, vulnerable to the XKCD ‘hack’:

Against which no backdoor-for-governments-only policy will help.
I’ll rest.

What you said, doesn’t matter anymore

Yet another proof class busted: Voice being (allegedly) so pretty perfectly synthesizable, that it loses its value as proof (of identity). Because beyond reasonable doubt isn’t beyond anymore, and anyone venturing to bring voice-based evidence, will not be able to prove (beyond…) that the sound heard, isn’t tampered with i.e. generated. Under the precept of “whoever posits, proofs”, the mere remark that no madam Judge we honestly did not doctor this evidence, is insufficient and there can be no requirement for positive disproof for dismissal from the defense as that side is not the one doing the positing. What about entrapment, et al.?

So, technological progress brings us closer to chaos. “Things don’t move so fast”-believers must be disbarred for their demonstrated gross incapacity — things have moved fast and will do so, ever faster. Or what ..?

Well, or Privacy. Must the above ‘innovator’ be sanctioned severely for violation of privacy of original-content-sound producers ..? Their (end) product(s) is sold/leased to generate false identity or doctored proof, either for or against the subject at hand, <whatever> party would profit thereof. Like an equipment maker whose products are targeted at burglars, or worse e.g., guns. Wouldn’t these be seriously curfewed, handcuffed ..?

[Edited to add, after drafting this five days ago: Already, Bruce is onto this, too. Thanks. (Not my perspective, but still)]

Oh, or:
[Apparently so secure(d), ‘stormed’ and taken practically overnight (read the story of); Casa Loma, Toronto]

Mixing up the constitution

When your state secretary is mixing up all sorts of things. When at the official site, at last email (and other ‘telecomm’) is listed to be included as protected on the same footing as snail mail has always been, qua privacy protection.

Which raises the question: Does that include the right to use (uncrackable) encryption, because that is what is equivalent to a sealed envelope ..? When the same government wanted to ban that, or allow simply-crackable [i.e., with bumblinggovernment means – the most simpleton kind or ‘too hard’] encryption only?
Why would this have to be included so explicitly in the constitution no less, when just about every other tech development isn’t anywhere there, and in the past it has always been sufficient to interpret/read the constitution to automatically translate to the most modern tech without needing textual adaptation ..? [As has been the case in every civilised country, and maybe even in the US too.]
And where would GDPR impinge on this; is the rush necessitated by GDPR (with all its law-enforcement exemptions, pre-arranging the ab-use of those powers GDPR will give), or is this an attempt to pre-empt protection against Skynet overlords (pre-pre-empting GDPR protection for citizens), – recognising that anything so rushed will never be in favour of those citizens – or what?

One wonders. And:
[So many “unidentified” office buildings in NY, NY …]

Pitting the Good against the Others

When the recent rumours were, are valid that some patches were retracted — and this was because they accidentallt disables other exploits not yet outed in the stash, this would bring a new (?) tension to the surface or rather, possibly explains some deviant comms of the past:
Where some infosec researchers had been blocked from presenting their 0-day vulns / exploit-PoCs, this may not have been for protection of the general public or so, but to keep useful vulnerabilities available for the TLAs of a (variety of?) country(-ies).
Pitting the Ethical researchers against the bad and the ugly…

No “Oh-oh don’t give the bad guys valuable info and allow even more time to the s/w vendors to plug the holes” but “Dammit there go our secret backdoors!
Makes much more sense, to see the pres blocking in this light. And makes huge bug bounties by these TLAs towards soon to be a bit less ethical researchers, more possible and probable. Not as yet better known, though. Thoughts?
[Takes off tinfoil movie-plot security scenario hat]

Oh, and:
[All looks happy, but is looked upon from above …; Riga]

DNA not so Determinant; there goes another piece of Evidence

[ Commemoration of the Dead, today in the Netherlands. Never forgotten. Never forget! ]

In the series of surrealisation of proof, in courts and elsewhere, turning anything into faker news than before – a trend that was under way already for a long time, maybe centuries but now speeding up enormously – after the most recent class of proof (yes don’t complain I’m clear, qua ‘class’!) we have even old (?) evidence classes being overthrown. Like, your DNA.
Somehow, we already knew that. Where the analogue of hash collisions happened IRL, with disastrous consequences for peoples’ lives, and that of their families, et al. Really, imagine yourself in the midst of it all: Ragnarök and the collapse of the foundations of society … I’m not joking any bit.

But now, again. What Evidence classes remain? When each and every class can be planted, fabricated (signatures, pictures; untraceably), coerced (‘rat out your partner or all of your family will be killed before your eyes’), etc., indeed nothing remains. Nothing non-repudiatory…

But flipside; Skynet is here. Like before.

And:
[Either way, you lose; Zuid-As Ams]

Collateral (un)patching; 0+1-day

Is this a new trend? Revealing that there had been a couple of exploitables, backdoors in your s/w when you patch some other ones and then have to roll back because you p.’d off the wrong ones since you accidentally also patched or disabled some hitherto secret ones.
At least, this is what it seems like when reading this; M$ stealthily (apparently not secretly enough) patching some stuff in negative time i.e., before-zero day. When later there’s rumours about this patch(ing, possibly parts of) is retracted.

For this, there appear (again) to be two possible reasons:
a. You flunked the patch and it kills some Important peoples’ system(s);
b. You ‘flunked’ the patch and you did right, but the patch effectively killed some still-not-revealed (in the stash) backdoors that the Important peoples (TLAs) still had some use for and were double-secretly requested to put back in place.

I’m in a Movie Plot mood (come to think of it, for no reason; ed.) and go for the second option. Because reasons (contradictory; ed.). Your 2¢ please.

Oh, and:
[So crowded and you’re still much less than a stone’s throw from a Da Vinci Code (was it?) big secret — I may have the pic elsewhere on my blog…; Barça]

Common(s) as privacy and vice versa ..?

Remember from your econ class that concept of The Commons, and how problematic it was? Is?
There was this intriguing post recently, on how Free Speech might be considered and deliberated in terms of the commons being exhausted by undue over-use (abuse) — for its use alone ( → ). Leading to aversity of the concept not of the abuser or his (sic) apparent locally recognised but globally not, ‘valid’ reason(s) for over-use.

Which, as is my wont of the moment, driven by personal business interests, I took to be applicable to Privacy as well. Maybe not in the same way, but … This will need quite some discussion between me on the one hand, and peers and others on the other who would actually know what they’re talking about. Throwing in a bit of anglo-american data-isn’t-yours versus European (‘continental’ — will brexit – which starts to sound like a lame Benny Hill kind of joke ever more – change that ..??) data-is-datasubject’s-always divides, and some more factors here and there. Complicating matters, but hey life’s not perfect.

Waddayathink? In for a discussion ..? Let’s start!

And:
[Not so very common-s; Toronto]

Authentic means work, you see?

Recalling the recent spat about passwords again (and elsewhere), and some intriguing, recent but also not so recent news (you get it when you study it), it seems only fair to the uninitiated to clarify some bits:
Authentication goes by something you know, something you have or something you are. Password(s), tokens or biometrics, in short. All three have their drawbacks.

But that’s not the point. The point is that authentication is about making the authentication unspoofable by anyone but the designated driver owner.
That is why you shouldn’t dole out your passwords (see the above first link) e.g., by writing them on a post-it™ whereas writing a full long passphrase on just one slip of paper that you keep to yourself more zealously than your money, will work.
That is why tokens shouldn’t be stolen. Which you might not discover until it’s too late; and tokens have a tendency to be physical stuff that can be replayed, copied, etc. just like a too-short password. Maybe not as simply, but nevertheless.
Same with biometrics. When made simple enough for the generic user (fingerprints, ever so smudgy!) also easily copyable, off a lot of surfaces. Other biometrics, maybe more secure i.e. harder to copy but not impossible. And opening possibilities for hijacks et al., focus on breaking into the systems in the login/authentication chain, et al.
Which brings attention to yet more vulnerabilities of Have and Are: Both need quite a lot of additional equipment, comms, subsystems, to operate and work from the physical to the logical (back) to the IS/IT levels. Weakest-link chains they are ..!

So, the strength of authentication covaries with the non-leakability of the key, since both correlate to the source determinant in-one-hand-ity close to the actual person whose identification-as-provided (by that person, or by anyone else posturing) needs to be authenticated. By which I mean that ensuring one item of authentication, closely glued to the person and with the simplest, least-link connection chain to the goal system(s), is best. The latter, clearly, is the written-down-verylongpassword method.

Just think about it. And:
[They’re called locks. Discuss (10pts); Ottawa]

Progress, friends, is here. Only, not everywhere. Yet. Say ‘No’ till then?

You know that the bright new future is here, when amid the torrent (figuratively referring to the physical phenomenon, nothing to do with the on-line tool(s)) of fake news, this still makes it into a headline: ATMs now to begin to start being rolled out with Win10 ‘support’. To be completed per 2020, when support for Win7 stops. Right. 2020; probably not referring to the eyesight of the ones planning this, not being personally accountable and duly informed of the risks.

Because otherwise, wouldn’t it be smarter to come up with a clever idea to do the roll-out within a month, to prevent just about anyone to take ATM security — or is it a signpost for overall infosec’s position — seriously, as seriously as it should ..?

It’s time there comes an agency, Nationwide, worldwide, that has the authority to say NO!!! to all ill-advised (IT- which is the same these days) projects. Infosec professionals tried to ditch the Dr. No image, but it turns out, it’s needed more than ever to prevent the Stupid (Ortega y Gasset’s Masses I guess) from endangering all of us or at least squandering the billions (yes) that could have been applied against world poverty etc.etc.

Oh, and:
[The UBO ‘humanity’ seems to be lost, here; Zuid-As Ams]

Yesterday, same thing.

This is sort-of the same as yesterday’s post, put into practice, when your AGA now not only remotely slow-cooks but slow-betrays you. Slowly either does not at all or over-burns your carefully prepped meat. So the wretched short-lived lambkin died for nothing.
Would anyone know of any device out there that is duly protected against this sort of thing? Or whether (not or not) this is a generic weakness: Access from the outside, offers access from the outside to anyone, to rattle the door. And some, through persistance or imme force applied, will find the door opens. Your convenience, theirs too. Same, with ‘connected’ toys. Yes they are

Oh, and:
[May superficially look like an AGA but isn’t, not even a hacked architecture studio’s design, just purposeful – and beautiful – museum design in Toronto]

Maverisk / Étoiles du Nord