Digital Security Exchange: Security for High-Risk Communities

I am part of this very interesting project:

For many users, blog posts on how to install Signal, massive guides to protecting your digital privacy, and broad statements like “use Tor”—all offered in good faith and with the best of intentions—can be hard to understand or act upon. If we want to truly secure civil society from digital attacks and empower communities in their to fight to protect their rights, we’ve got to recognize that digital security is largely a human problem, not a technical one. Taking cues from the experiences of the deeply knowledgeable global digital security training community, the Digital Security Exchange will seek to make it easier for trainers and experts to connect directly to the communities in the U.S.—sharing expertise, documentation, and best practices—in order to increase capacity and security across the board.

Tags: privacy, risks, security engineering, surveillance, Tor

Posted on March 14, 2017 at 1:08 PM • 72 Comments

Comments

z • March 14, 2017 1:24 PM

Are you targeting people who already know they want better security but don’t know where to start, or people who need to be convinced to want security?

Winter • March 14, 2017 1:32 PM

“the Digital Security Exchange will seek to make it easier for trainers and experts to connect directly to communities in the U.S.”

Why the chauvinism? Are other communities excluded?

Bob • March 14, 2017 2:05 PM

@Bruce @Winter Precisely… I would like to lend a hand, but I’m not american nor I live in the US.

Tatütata • March 14, 2017 2:53 PM

I remember reading of “encryption clubs” in Germany, a sort of “security boot camp”, where public could go to learn the basics.

I haven’t found a reference yet, but I also kind of remember that the concept did not originate there.

It sounds similar to what you’re trying to do.

What’s the goal anyway?

Getting to run gpg or openssl without googling half an hour to get the parameters right, or squinting your eyes on bl**dy *nix man pages, or procuring a certificate for your personal web site and install it?

Or going in the app store and installing signal?

Two different levels, in my perception.

Why? • March 14, 2017 3:11 PM

@Winter, Bob

Just because a given organization or company is focusing its efforts on a certain country, doesn’t mean that all other countries don’t need similar services… It can easily just mean they’re trying to focus their manpower to something geographically close, where they better understand legalities, etc… Once they figure it out, others can either copy them, or maybe they can branch out…

@Bruce

The issue I see with “secure databases of digital security trainers and orgs in need” is… isn’t merely being in such a database going to be an invitation for the US Government to hack you? I mean, “What?? you need privacy? What are you trying to hide??? You must be doing something illegal, we’d better hack you to find out what it is!!!!” This seems to be the mentality of many high government officials worldwide but especially in the USA. It’s contrary the spirit of the Constitution and Human Rights and the whole concept of “innocent until proven guilty” but that’s what they seem to do anyway!

Tatütata • March 14, 2017 3:27 PM

“CryptoParty” was the word I was looking for.

There are many upcoming venues in the US listed in the calendar.

There are also (e)books which show you step by step how to go about encrypting.

Dirk Praet • March 14, 2017 3:51 PM

Excellent initiative. You should try to get @thegrugq on board too.

ab praeceptis • March 14, 2017 4:12 PM

With all due respect, but the bold part of the OP is about the most thoughtless statement on security I’ve ever read from Bruce Schneier.

And the bold sentence also seems to explain why that statement was made. It seems the “we must fight trump tyranny to our last breath” infection of clintonistas has come up again. (I might be wrong but that’s what I read there).

“we’ve got to recognize that digital security is largely a human problem, not a technical one.”

Well that’s a, uhm, brave statement to make, considering the state of major parts of digital security (just think ssl/tls, tor, tainted prngs, etc).

If we strip off the “democrat warrior” infection and its symptoms, however, we do indeed find some reasonable core, namely that there is a major human factor in digital security being badly or not at all applied or not being applicable/used at all due to lack of knowledge.

And changing that for the better is indeed a laudable cause. Left or right, Trump or clinton, no matter, all citizens and, in fact, all human beings deserve some privacy and security.

Ross Snider • March 14, 2017 4:19 PM

Absolutely. Operational Security is the goal here. That includes physical security, personal security, digital security, and mission security. These large umbrellas include things like keeping secrets well, preventing infiltration, maintaining security against libel.

Pete • March 14, 2017 4:32 PM

Mom and I exchange “secret” recipes using GPG encrypted email.

My GF and I exchange sex-talk using GPG encrypted email too.

Must drive the NSA/DIA crazy. In 50 yrs when they finally crack it, someone will get a good laugh.

GregW • March 14, 2017 5:12 PM

Hi Bruce,

(Sorry, long…) Regarding “If we want to truly secure civil society from digital attacks and empower communities in their to fight to protect their rights” how does one know when such security is needed?

What is the threshold where I should advise someone to pursue the “extra work” that such security precautions involve? When they are (merely) “participating” in a “controversial” group? When they are organizing something local in their community? When it starts to get bigger than their local community? When they start to contemplate civil disobedience?

For example, I had a family member attend one of those womens’ marches a month ago. I was strongly tempted to tell her to leave the cellphone at home (or take the battery out although that’s not as foolproof) to avoid getting on some low-grade low-risk list of people the government knows attended the marches based on IMEI catcher equipment run as a “precaution” by authorities, but I knew there would be safety in numbers, that there was a high probability she’d want to send/receive a call during the event for some coordination purpose or would want to leave it behind for safety reaons and ultimately didn’t give the advice. The risk/benefit ratio wasn’t there and I felt a little unduly paranoid even thinking about such things. But anyway, that brings me back to the point…

Do you have any guidance about where to draw the line? When to teach OpSec? Is this really the road we want to go down or are we just showing off our knowledge? Or do we wait for the civilly-involved to reach out to us when they are feeling nervous? It seems like that’s what the Digital Security Exchange organization is oriented around currently, meeting felt needs, but ultimately one needs to conduct some sort of threat assessment/model to give good advice and I’m wondering what your thoughts are on that.

It seems crazy to do this for small local matters but sometimes that can be where it gets the most vicious, right? I had a friend start to advocate on local online media sites and in local newspapers for approval of a controversial development project bringing lower-income/affordable housing apartments (in a wealthy neighborhood) and someone else apparently went to the local university to dig up a copy of his thesis and started talking about it online in an attempt to discredit him. I was surprised that the “digging up dirt on opponents” started so early/quickly when one got involved in local politics, but it clearly did.

Anyway, curious if you have any thoughts on the “what is the threshold of need” problem and “how to assess the degree of threat” in civil society scenarios.

Would MLK Jr have really benefited from better OpSec or was he viewed as less of a threat in a way without it? What he really needed was better PhysSec in the end…

Clive Robinson • March 14, 2017 5:21 PM

@ Bruce,

… we’ve got to recognize that digital security is largely a human problem, not a technical one.

Sorry no, that’s the mistake they were making fifty years ago with IT.

Your first step would be to recognise that the “human” issues sit on top of the “technical” issues, which in turn sit on top of some “laws of physics” issues.

If you like think of it like the computing stack that has built out from the ISO OSI Seven Layer model.

You would have politics as the top layer and information theory with the Shannon channel towards the bottom layer.

If you don’t do it that sort of way you will not be facing a managable by most uphill task, but an almost impossible to climb overhang of significant proportions.

When I teach “security” or “computing” I almost always start with the Shannon Channel to show amongst other things not just the basic threat models but how the likes of computer basic instructions from gates through RTL, microcode etc give rise to the natural notion of sequential programing and upwards.

Clive Robinson • March 14, 2017 6:15 PM

@ GregW,

Do you have any guidance about where to draw the line? When to teach OpSec? Is this really the road we want to go down or are we just showing off our knowledge?

The short answer is, the line moves with society, and what is showing off today will be old hat tomorrow.

The long answer anthropologists and historians still argue over. Back before mankind even made cave paintings, he was a trible animal with all that implied. One aspect was survival of you and your family within the tribe was being a good provider. This involved a knowledge of the area and how to exploit it better than your rivals, such that you would improve your mating chances. Part of that was keeping secret where resources where as well as being able to keep rivals off of your patch. This drove mankind forward.

Arguably the opposable thumb aided in not just “tool using” but importantly in “tool making”, and it is tool making from knowledge and reason that has kept us well ahead of any other animals on this planet.

Tool making gives benifit to survival and as history shows with new tools and methods came not just force multipler power but political power which ment further secrecy and keeping off your territory of rivals thus the increasing need for security.

Thus as mankind develops his need for both secrecy and security rises with his development of tools, which in turn push mankind forward.

When mankind did not have the tools nescesary for security he relied on brut force such as guard labour. This has always taken a societal cost in that guard labour consumes and does not produce, and the few times it is used the destruction that guard labour causes is even more costly. Thus much of mankinds toolmaking efforts have been driven by trying to reduce the cost to society of guard labour.

The problem is that in the process of making guard labour redundant by developing force multipliers is that you make the guard labour more powerfull and thus those who controle them gain that power, and fairly soon the “King Game” starts with religion being the way to control the civil population without deploying guard labour. Both of which give you politics as an end product. But to maintain the power you still need secrecy and security.

And to be honest I can not ever see mankinds need for secrecy and security stopping, not just for reasons of direct power, but when put together they give rise to the notion of privacy. That is to be away from the common gaze and any approval or approbation others may cast and thus use to increase their personal standing thus power at the expense of your own.

So as humankind expands within the constraints of available resources the population density rises and the need for privacy rises. Part of this density rise is due to reducing the cost of infrastructure deployment to support society. But a problem arises, when I was young people did not bother locking their doors unless strangers were around. The need for security was low which ment that the need for the technology of secrecy was low. As society became more dense the need to look doors became a necesity, but crime prevailed thus the need for further security inside the home for possessions and papers, with the need to hide strong boxes etc and combinations of locks or location of keys, the need for secrecy increased yet again…

A look at the engineering projects of the Victorian era can be a bit of an eye opener for many. But you need to remember that it got ahead of secrecy and security and in part set the conditions for WWI, thus also WWII.

Each significant inovation in technology creates a need for increased security and thus increased secrecy to maintain the levels of privacy we have. Which is why those lines move ever forward.

Tor? • March 14, 2017 6:16 PM

A clearinghouse for anything is a nice idea.

It is easy to prevent Ed Snowden types in the workplace, blocking device access to the client machine and limiting admin duty/access, for examples. This is trivial with Windows.

Tor traffic can be identified and actually stands out for either an ISP or network administrator. Certain long hauls in the US, as pipes to and fro Europe, are filtered. I discovered Tor is piss slow and gave up because it actually increases signature.

With either Tor and/or GPG email, the source client can be traced and TAO, or similar organization like FBI DCSNet, can step in to aid companies in “preventing corporate espionage.”

Websites and lawyers that release public whistleblowing and such are already targeted.

There are severe physical security hurdles and manual method procedures to iron out when acquiring data safely without getting caught, nevermind the backdoor on your router. If you believe in Ed Snowden and Chelsea Manning… they got caught. If you do not believe in those two characters, they were just diversions or fronts for a new generation of techniques.

Faraday boxer shorts would be nice. Ima gonna go watch Enemy of the State now;)

Patrick Esters • March 14, 2017 7:56 PM

Great, no TLA or hostile government should be without a resource like this. A who’s who of anyone you’d ever want to hack (and why) conveniently listed.

Steve • March 14, 2017 8:29 PM

“empower communities in their to fight”

Is this English?

Au revoir !

Ph • March 15, 2017 12:48 AM

Hi Bruce,

Doesn’t your current bold statement conflict with an earlier essay?

Security Design: Stop Trying to Fix the User
https://www.schneier.com/blog/archives/2016/10/security_design.html

Here you say
If we want to truly secure civil society from digital attacks and empower communities in their to fight to protect their rights, we’ve got to recognize that digital security is largely a human problem, not a technical one.

There you say:
“Blame the victim” thinking is older than the Internet, of course. But that doesn’t make it right. We owe it to our users to make the Information Age a safe place for everyone — not just those with “security awareness.”

Security is a designer/developer problem, not a user problem as far as i am concerned

name.withheld.for.obvious.reasons • March 15, 2017 1:31 AM

@ Clive Robison

Each significant inovation in technology creates a need for increased security and thus increased secrecy to maintain the levels of privacy we have.

Subjectively I would argue that a broader context is required, Bruce falls down on this one as well; Innovation, progress, and the societial mechanisms at scale requires both or the integration of a “trust” AND an “honesty” model. Objectively, we as a society are ill equipped to resolve issues when multi-variable problems are viewed from a particular, or biased, problem space.

I do not understand security and privacy as orthogonal to one and the other. Or, that these two terms share coefficients–adding a third or fourth (or is it forth) term may help. My thinking suggests honesty and/or fidelity are near first order in the respective problem space.

Who? • March 15, 2017 4:41 AM

I would not trust on a U.S.-only community for something as sensitive as computer security. In our project U.S. developers are not allowed to work on cryptography at all. This project is developed outside the U.S. for obvious reasons.

It is sad this project denies collaboration from people outside of the U.S. Allowing only U.S. is an artificial restriction and, to be honest, the worst decision that can be made on a security related project. I do not trust on that project.

Clive Robinson • March 15, 2017 5:33 AM

@ name.withheld…,

Subjectively I would argue that a broader context is required…

Yes it is, the problem as I noted is that you have professional groups such as anthropologists and historians seeing the problem domain through “their own telescopes”.

Thus you have the danger of narrow viewpoints from different objectives seeing quite different lines of progress. Sometimes they cross at some point often they don’t. So you end up with “The three blind men describing an elephant” problem.

Which raises the question of how many more blind men do you need to touch the elephant befor you get the same general knowledge one sighted man can see at a glance? That is do you want the bredth of a sighted man’s glance or the depth of a blind man’s touch. And if the latter where in particular on the elephant. Because the sighted man’s glance will tell you an elephant is wide and tall which no one blind man can tell you at a single touch, but is wide and tall usefull information?

I’m a little odd in my security out look, in part because of the French. In English we have two words safety and security, the french have only the one to cover both. Thus I view things as safety, security, secrecy and privacy all of which overlap in interesting ways. It’s why I say privacy is the product of secrecy and security as it came as the result of them, likewise safety is a later product still. To be safe individuals need privacy for which they need places of security that are in part secret. Hence we say things like “safe inside our house with the doors shut and locked” but also “they are locked away in prison for the safety of society” thus security and secrecy have a duality that is based on who has control of the lock and keys. The idea of the panoptican was to have security and safety but deny privacy, thus in effect induce paranoia in prisoners for the purpose of behaviour correction. The lack of success of such ideas when partialy implemented in US and UK jails attests to the lack of success this idea has, people can with effort gain privacy either by turning their back or keeping it inside their heads. If they can then communicate secretly they have all they need to forment trouble which they do as an almost instinctive response to oppression. It’s one of the reasons we know that Empires will fall but Commonwealths tend to survive. Communications builds relations which encorage trade which in turn builds societies not grand visiers and guard labour.

Which brings us back via two routes to yoir observation of,

My thinking suggests honesty and/or fidelity are near first order in the respective problem space.

That is a primary requirment for trade, on which society builds it’s self, but there will always be those who will wish to cheat, which means that they require punishment, hence guard labour and those that control it.

Which is where the problems arise. The simple question of “What happens if the leader of the guard labour cheats?” has caused much debate over the years, and you get the “turtles all the way down” or “lesser fleas” issue that to stop a leader cheating they have to be watched. Hence the question “Who watches the watchers?”.

Those who drafted the US constitution realised it was the duty of every man to watch the leaders and that one way to stop a cheater is to have consensus amongst three or more leaders for any act to take place. Unfortunatly over time the cheaters have pushed the honest men or their votes out by various slights and decites.

Now we see the problem at the guard labour level, they demand the removal of the hard won protections so they can do their job more effectively “in a time of crisis” (of their own making and perpetuation). But they bridle at any attempt to provide strong oversight to keep them honest, they insist that we trust them, yet history shows that to be most unwise at any time…

Sam • March 15, 2017 7:09 AM

Typo: in their to fight to protect their rights

Ergo Sum • March 15, 2017 8:15 AM

@Clive…

Sorry no, that’s the mistake they were making fifty years ago with IT.

Yes, if training could work, it would have by now…

@Ph…

Security is a designer/developer problem, not a user problem as far as i am concerned

Asides from designers/developers are also end users, that’s the basic source of the issue.

With the cloud sucking up everything connected to the web and hackers (state or private) exploit platform/software vulnerabilities, there’s no security. And since privacy depends on security, there’s no privacy either. Nor do I see that changing anytime soon…

Tatütata • March 15, 2017 8:38 AM

In English we have two words safety and security, the french have only the one to cover both.

French also has two words, “sûreté” and “sécurité”.

I think that the distance between them is rather tenuous, more like fodder for hair-splitting philologists.

Compare Monsieur Larousse with his friend Mister Webster.

sûreté: Littéraire. État de quelqu’un ou de quelque chose qui est à l’abri, n’a rien à craindre : Prendre des précautions pour sa sûreté.

sécurité: Situation dans laquelle quelqu’un, quelque chose n’est exposé à aucun danger, à aucun risque, en particulier d’agression physique, d’accidents, de vol, de détérioration : Cette installation présente une sécurité totale.

But the German “Sicherheit” apparently indifferently translates to either “safety¨ or “security”.

Dirk Praet • March 15, 2017 9:19 AM

@ Ph, @ Clive, @ Thoth, @ab praeceptis, @ Sancho_P

Security is a designer/developer problem, not a user problem as far as i am concerned

It’s a shared responsibility. A manufacturer can come up with the best and most secure of microwave ovens, but he can never prevent some dumbass from using it to dry a small pet with if said dumbass for whatever reason can’t be bothered to read the fine manual.

The simple reality is that the average user is ignorant and lazy. As much as security technology providers should strive to make their tools as well-designed and easy to use as possible, it is unreasonable to expect zero effort on behalf of the user. That beautiful Gibson Les Paul Gold is not going to play itself either, and unless you’re willing to put in many hours of practice a day, there is just no way you’re ever going to become the next Jimi Hendrix.

Staying with the same analogy, I would argue that the techniques and recommendations by @Clive, @Thoth, @Nick P, @Wael, @RobertT, @Figureitout et al are the equivalent of master classes by Walter Becker, Django Reinhardt or Steve Vai. Arguably the gold standard, it’s a level out of reach of any novice or amateur and there is no point in imposing it unless you want to send out a message to any aspiring guitarist that it is utterly useless to get on stage until full mastery of the instrument is achieved. Not only does that mean that guitar players and builders would become an endangered species, it is also not how things work.

However low the odds you will appeal to real musicians or supermodels, three simple chords and the right attitude may be all you need to impress a high school audience and will significantly improve your chances of getting laid as compared to the efforts of the local basement geek throwing a crypto party. Where you take it from there is really up to yourself. You can either choose to stick to those three chords and fail miserably reaching out to a broader audience (only Status Quo and The Ramones ever pulled that off), or you can gradually up your game by permanent practice and learning new techniques that might eventually get you into the big league.

I know both programmers and musicians whose stomachs turn when looking back at their early work. It was however a necessary stage they had to go through to achieve the craftsmanship they possess today. Tor, Signal and FDE to me are the equivalent of a guitar player’s first three cords (generally G Major, C Major and D Major). As long as the security greenhorn realizes they are just a first step on a long journey, then they are exactly what he needs to get him started and from which he will eventually move on.

And which is why I applaud initiatives like this new Digital Security Exchange. The average user or organisation needs comprehensible low-entry guidelines, workshops and introductory classes by experts who understand their needs, point out the many pitfalls and assist them in making their first steps. However much it should also offer advanced classes and methodologies for those explicitly targeted by resourceful state actors, I think we can all agree that this group remains a minority and most definitely not the only societal group in need of better digital security, privacy and anonymity practices.

To cut a long story short: if your threat model consists of your spouse, children, parents, other relatives, colleagues, employer, common thieves, script kiddies, corporate tracking, low level cybercriminals, the local sheriff or even the DoJ of some banana republic, then Tor, Signal and FDE are really all you need. But which you still have to learn to use properly, or you may just as well stick to SMS and Internet Explorer 8 on Windows XP.

@ Tatutata

But the German “Sicherheit” apparently indifferently translates to either “safety¨ or “security”.

They also use words like “Schutz” (protection ; as in Schutzhund or guard dog) and “Abwehr”. In Dutch, we have “veiligheid” (safety) and “beveiliging” (security), the latter being the act of creating “veiligheid”.

Clive Robinson • March 15, 2017 9:26 AM

@ Tatütata,

My translation dictionary, and also Google translate give the English to French translation of safety and security as “sécurité”.

It was also the translations a native speaker of French used when translating equipment manuals for electronic items I designed back in the early 1990’s…

So that’s what I’ve gone with for the past quater century or so.

Pink Helmets • March 15, 2017 10:02 AM

One presumes you will extend priority outreach to this plucky downtrodden outsider victimized by the state:

http://www.theamericanconservative.com/articles/a-soft-coup-or-preserving-our-democracy/

Unauthorized presidents are clearly a high-risk group. Since CIA set themselves up in ’49 they pushed aside your first choice, Taft, for Ike, killed your second president and two disfavored aspirants, RFK and King, purged your fourth president and replaced him with a guy who covered up the murder of your second president, plotted with foreign enemies to humiliate and defeat your sixth president, and shot the seventh. Then they dropped the pretense and put their own nomenklatura in there to run the country: GHW Bush; Clinton, recruited at Oxford by Cord Meyer; spy brats GW Bush and BIC intern Obama, son of spooks, grandson of spooks, greased into Harvard by Khalid al-Mansour.

Clive Robinson • March 15, 2017 10:10 AM

@ Dirk Praet,

In the ordinary course of events “things come to pass” that is nobody records that bum note for future times to hurt your reputation with. Thus,

I know both programmers and musicians whose stomachs turn when looking back at their early work.

Is just stomach churning. But with the NSA, GCHQ and other National Signals Intelligence Agencies “Save it all” policy every little youthful mistake is recorded and sit’s there waiting. The more success you have in life the greater the possability those records will get pulled out by people who most definatly do not have your intetest at heart. Thus having a stomach turn would be the least of your worries.

But there is another problem which is “freelance guns for hire”. You might live in a nation where the Signals Agency is run by the brother of the tyrant in charge. Even though most in the agency do not have the knowledge to build the required technology to “collect it all” they can after a fashion use a graphical UI on a desktop PC. They also have significant funds, thus they can buy in the technology from companies that realy don’t have moral or ethical problems that a larger cheque would not salve.

Thus security is like virginity, either you are an innocent, or you are not, and at some point it will come back to haunt you with a probability based on those who do not like or have any regard for you.

You only have to look at by far the majority of nonsense in the recent US elections to see what can be dug out, by a person with an enquiring mind and sufficient incentive.

I doubt that many youngsters these days have any idea where they will be in ten, twenty or thirty years. In the past the sins of youth rarely came back to haunt people. Now we have companies specialising in hovering up every last byte of data no matter how reliable on people and turning it into a product for future employers to asses a prospective hire against. The recent shenanigans by the Republicans about employee DNA and employers rights should be ringing very loud alarm bells, but it appears to have slid by most people.

The problem with security against the Mom/Pop/Sis is it gives a false sense of security, and things will be saod or done behind it’s weak cover, that will be easily pulled out by others now or at a future time.

People need to realise that weak security is worse than no security, because like alcohol it encorages you to lose your inhibitions and do risky things that can not just give you a bad headache, but ruin the rest of your life.

Thus the bottom line is if the securiry is not strong don’t use it you will actually be safer in the long run.

Nick P • March 15, 2017 11:04 AM

@ Who?

Then why are you using a network and stack that the U.S. invented to connect to a security blog? And possibly on U.S.- or U.K.-designed CPU’s, yeah? And maybe on software that uses a compiler? Or with firewalls, auditing mechanisms, and other concept invented in US?

I think this “Don’t use U.S.” claim is BS. The U.S. invented INFOSEC, esp high-assurance. They also invented the method to trust it when your enemy makes it. Wait for it. Wait for it. Here it is:

“Inspect and validate the specific work/software/protocol instead of worrying about who made it.”

You have to do that anyway to find the bugs or backdoors. So, you just do it when the code is American. The only exception is closed-source software or hardware where boycotting American makes sense. Along with other police states or countries known to do espionage. That doesn’t leave you any hardware suppliers that I’m aware of. Don’t buy from country X is obviously not such a straightforward solution. 😉

Anura • March 15, 2017 11:11 AM

I think one of the mistakes we are making as consumers is giving in to proprietary apps. Signal, for example, might be open source, but the company handles the servers and key management – right now there are a lot of competing apps, but they run the risk of becoming the monopoly app, which means they become a single point of failure/collection.

We need to design an open protocol that allows anyone to take complete control over everything. The question is what we need to do to ensure it meets the needs of the basic user. In this case, I think a user needs be able to sign up for a third party service, download an app, choose a user name, and communicate with a friend knowing only their user name in advance.

The messaging protocol itself isn’t that difficult – use the Signal protocol, create a simple encrypted container format, use the container from NaCL/Sodium; ideally, you would make sure it’s as simple and secure as possible. The real challenge is allowing it to be distributed and allow different people to talk to each other. But honestly, this is a problem that was solved long ago by email (albeit packaged with a mess of other problems) – in our case, we want to piggy back off of DNSSEC.

User names should be in the familiar form of “user@domain”, and for each domain there should be a signing certificate that you can lookup via DNS. The second part is the discovery/delivery server, which allows you to check if another user is online and connect to them, or deliver an offline message if they aren’t. Since the only requirement is a discovery/delivery server, a domain name, and DNS, anyone can run their own.

Third is the user key repository. This should be a publicly accessible, distributed service that allows users to upload their signed public keys from their service provider. Before you initiate a connection to another client, you can check with the service to see if they changed their key. On top of that, there should be a way for users to change their key/user name and notify others, by signing with their old key.

This would allow us to create a secure, user-friendly service in which we can be in control over our own keys and data. It is up to the service providers to accept/reject connection requests, since your user name itself is public and anyone can find it – anti-spam measures should probably be implemented to prevent that.

Nick P • March 15, 2017 11:19 AM

@ name.withheld

Hope you’re doing OK. Last time you were here you mentioned a hardware/fab security framework. Did it ever get published or attempted in the field?

ab praeceptis • March 15, 2017 11:57 AM

Who?

You are not alone with that. I know some projects, too, that try to avoid any- and everything us-american if any possible.

Moreover I meanwhile know plenty companies and organisations which consider “us of a free” as strongly desirable and a major plus.

I even know of clients who try to avoid everything us of a and go to great lengths to achieve that.

I myself am a tiny bit less tough on that issue but pretty much everything I use for work, with very few exceptions, is selected i.a. for being us of a free. Funnily those tools have a tendency to be better, too.

Dirk Praet • March 15, 2017 12:07 PM

@ Clive, @ Tatutata

My translation dictionary, and also Google translate give the English to French translation of safety and security as “sécurité”.

I wouldn’t lose too much sleep over it. Technically, both sûreté (old French: seurté) and sécurité are derived from the same Latin noun “securitas” which I suppose is some sort of contraction of “sin(e)” and “cura” + “tas” (typical noun ending) , i.e. “a state without care/trouble/concern”. In fact, the French seurté from which both the adjectives “sûr” (sure) and “certain” are derived, the German “Sicherheit” and Dutch “zekerheid” correspond to both “certainty” and “security” in English.

“Safe(ty)” on the other hand comes from the Latin “salvus” (safe, sound, healthy). While the French have the adjective “sauf”, the corresponding noun “sauveté” never seems to have made it to mainstream and generally is only used to refer to a village that is a sanctuary from religious prosecution.

@ Clive

Thus the bottom line is if the security is not strong don’t use it you will actually be safer in the long run.

While there is no doubt that we live in times where every sin – whether or not at recording time it was one, or you were actually aware of it – at some point may come back to haunt you, I’d say that’s an additional reason to avoid tracking & logging and to hide, obscure and anonymize your traffic and communications by whatever imperfect means possible. The only effective alternative for the average teenager is to get off the grid entirely, which means becoming a social outcast and a non-entity.

Going through years of encrypted/anonymized/obscured communications for whatever agency will still represent a much steeper challenge than simply calling Apple, Facebook, Microsoft or Google, and in the case of an actor not connected to the Five Eyes and for which you were not previously a target probably not even feasible.

@ ab praeceptis, @ Who?

Moreover I meanwhile know plenty companies and organisations which consider “us of a free” as strongly desirable and a major plus.

I see a similar evolution over here. Any US company having a problem with that can file a complaint with the NSA or GCHQ.

albert • March 15, 2017 1:03 PM

@Steve,
C’mon, man. The full quote is “…and empower communities in their to fight to protect their rights…”. The first ‘to’ is obviously a case of Phantom Fingers (where they seem to type on their own, but really the process of typing is momentarily disconnected from one’s thought narrative.

@Dirk,
‘eathen! Hendrix played Strats.
.
“…The only effective alternative for the average teenager is to get off the grid entirely, which means becoming a social outcast and a non-entity….”. Unfortunately, this is the case. ‘We’ have created a cyber-dream-world, where there exists no truth, where facts and fiction intermingle, and information is whatever one wants it to be. On top of that, we now have a Twit In Chief(TIC)*.

@Anyone who thinks digital security isn’t primarily a human problem,
It isn’t just lazy goobers who use the minimum ‘acceptable’ passwords (let’s see, 8 characters, one number, one uppercase: Robbie01)**. Everybody’s in a God-awful hurry all the time, and time and convenience trump security every time. Service providers are all-too-eager to make things fast and simple. And they do. After all, -they- aren’t responsible for their customers weak passwords.
.
It doesn’t matter if good digital security isn’t rocket science; as long as it -appears- to be, that’s what folks believe. So they give up. It’s not surprising that, living in a world of casino-capitalism and casino-democracy, one’s cyber world is casino-security.

TIC: love that TLA. Although he’s a dot.coms wet dream (and at least during the campaign, the MSMs wet-dream as well) Trump uses it to bypass the MSM. He may be an AH, but he’s not stupid. He may actually be a better actor than RR (The Gipper) was.

** Three guesses as to who Robbie is.
. .. . .. — ….

Tor? • March 15, 2017 1:22 PM

@Anura
“I think one of the mistakes we are making as consumers is giving in to proprietary apps.”
Somebody gets it.

I think there is more to talk about psychologically and psycho-motor as a priority, even before crappy software selection, however. One of those disclaimer thingies.

Several years ago, I was digging through the LUKS website. One of the Q/As was “is there a backdoor on this?” The response was “If you don’t have the authority to ask, then don’t ask.” That sums up how perfuse the FTC and NSA is throughout the entire spectrum of distributed security tools. That question no longer exists on the updated website. It’s about the process of gaining allowance to distribute your software.

Many think in terms of backdoors. It’s not necessarily about that. Forensics may simply need to identify encrypted documents for evidence collection. I think in terms of anti-forensics:

Try OpenSSL single file encryption. Open the encrypted file in a hex editor. Since it salts by default, they still chose to put “Salted__” in plaintext at the head of the file. You can write a program to discover OpenSSL salted encrypted files by identifying this. Why wouldn’t they choose to prepend “Unsalted__” on occasion? Exactly. Forensic gathering. Law enforcement is there, every step of the way. Their screwing is granular. Why still offer WEP? Give me more of that. Opportunity for the end-user to get sloppy.

Most of us have been operating under the assumption that there are backdoors everywhere. Cry about it or code your own crypto and don’t distribute it. You’d be surprised at how rigid the govt’s cracking process is. I bet they expect a compliant product that is identifiable. They support networks and services that bundle access at a single point. Their mission is to fight against clandestine communication.

Tony H. • March 15, 2017 1:53 PM

@Clive Robinson

Which brings us back via two routes to yoir observation of

My thinking suggests honesty and/or fidelity are near first order in the respective problem space.

That is a primary requirment for trade, on which society builds it’s self, but there will always be those who will wish to cheat, which means that they require punishment, hence guard labour and those that control it.

Which is where the problems arise.

You are essentially quoting from Jane Jacobs and her Systems of Survival. The Wikipedia article is not a bad summary, but do read the book.

Dirk Praet • March 15, 2017 1:55 PM

@ albert

‘eathen! Hendrix played Strats.

I know. A Fender Stratocaster is a sturdy, all-purpose classic you can torture and abuse as much as you want. A Gibson Les Paul a beautiful but very delicate guitar that will just fall apart if you do a Hendrix on it.

Hestor • March 15, 2017 9:29 PM

@ Dirk Praet

nice music / security analogy. Although it momentarily lost cohesion in one or two spots it’s otherwise excellent. I am sure it will be revisited. thats a keeper, as they say. We can see proof of your analogy in an example of the apex of the pyramid of the collusion of security and muscianship, namely the arguably equal to 2nd greatest guitarist of all time, Prince, declaring recently ‘The Internet is dead’

@ Dirk, @ Ab Praeceptis @ others

to answer the ‘what should groups do’ question.
well, many things are non-tech related. A groups possibly first necessity is a consensus on discipline aka awareness of opsec. But discipline is a bettter word in my opinion because it has connotations of a quasi military mindset required. compartmentalisation, ostracision of members who get sloppy, awareness that the weakest link punishes everyone. etc. that establishes the stakes and the playing field.

using OTP and old school trade craft. Thats much more accessible for non-tech types, and as tech get introduced at whatever level, these can seperate the end point ( thanks Clive)

figure it out a few months back said, get a notebook, remove the hard drive, use a VM, and take a bicycle to a public wi fi . this can be embellished a bit but he correctly said this will greatly reduce the attack surface. thats a good low fi proposition for non-geeks.

The Grugq has a couple of video lectures on youtube where he greately expands upon his well known STFU powerpoint slide show.
Thats essentially a bible for anyone in the need, all the fundamentals are there – without getting particularly technical at all. For some reason he is very pro-Tor although that was a few years ago , I wonder how he feels now. He did on the other hand mention (in the same lecture) that it’s only necessary to own 3% of the nodes to control the entire tor network. I suppose he feels, follow the opsec principles closely enough and tor won’t let you down – it’s a fail open proposition

@ ab praeeptis

I enjoy everything you have to share here . Greatly appreciate your presence and contribution. whenever you name appears at the top of a post it’s always ‘Ahhhh! fantastic, what’s next”

Anyone who doesn’t like it can gob off

Nick P • March 15, 2017 9:55 PM

@ ab praeceptis

Wait, you use verification tools that are American or receive strong contributions from Americans. Also, all mainstream OS’s are either American owned or get most submissions from America (i.e. Linux via Red Hat & IBM). Maybe you have a BSD as they’re niche. All x86 CPU’s (including VIA’s). A smartphone if you have one unless you’re using an EOL’d OS. Any of the four, top browsers. Are these hits or what am I missing?

name.withheld.for.obvious.reasons • March 15, 2017 10:43 PM

@ Nick P

Hope you’re doing OK. Last time you were here you mentioned a hardware/fab security framework. Did it ever get published or attempted in the field?

Thank you for your concern Nick, and it seems you were paying attention; an opportunity may have presented itself respecting the framework I described.

The most problematic element seems to be the level of understanding (Clive and elephants help explain) where a systemic, more specifically a set or series of systemic, risk is not fully enumerated system failure can be assured. Space program taught this lesson long ago and has for the most part been forgotten as it is not a “modern” approach. Scientists and engineers are doomed to repeat the mistakes of the past whilst the spook set continue to muck up the works–trustworthy has just become so passe…let alone robust and reliable.

I am rather enjoying watching the fall of the empire–the reality TV version. It is awesome. It will eat itself and we are technologically advanced enough for a hastiness that avoids boredom (at least for the hyper-elites).

Watch as CE tech expands–eating its own to preserve itself. The results are most predictable, but it is the show that is just so much fun to watch…never miss a “good” train wreck when you get the chance.

Spooky • March 16, 2017 12:32 AM

@ Bruce, @ all,

If we want to truly secure civil society from digital attacks and empower communities in their to fight to protect their rights, we’ve got to recognize that digital security is largely a human problem, not a technical one.

While this new group does need a unifying principle to rally around, I’m not sure it pays to be quite so categorical (though, obviously the focus needs to be narrowed to something that seems remotely achievable; still, this does not excuse the oversimplification–just say that you’re focusing on human factors, instead). The current problems with security are both human/useability oriented and technical, without one clearly standing above the other. Both are critical and both require a variety of near- and long-term solutions…

Some current technical problems:

Every laptop and desktop computer widely available to journalists, activists, politicos and regular citizens with an Intel or AMD processor contains a built-in hardware backdoor (Intel Management Engine, AMD Platform Security Processor). It cannot be removed and it cannot be defeated (when active). Mitigations are approximate at best.
Everyone usually obtains their discretionary Internet access through a local ISP; this company has access to your real identity (for the sake of billing and probably monetizing and selling your browsing habits to advertisers). Once Tor, VPN and (other) targeted users are eventually de-anonymized, the next step is to match their IP with an actual identity using data available from the ISP or various tracking cookies from Facebook, Gmail, etc. (Whether endpoint identification is semi-automated within Five Eyes countries at this point is not known.) Once they have your real identity, some sort of automated risk assessment is probably performed and based on that weighted score, a determination is made on whether you will be targeted with additional (and possibly more invasive) surveillance.
If AT&T is really sitting on 30+ years of telephone metadata, they have a graph of your entire social network far more extensive (and problematic) than anything being held by Facebook or Google. They can roll it forward or backward in time, to any point in your entire life from childhood, through your teens and on to adulthood. Every call to a friend, relative, boyfriend, girlfriend, doctor, psychologist, lawyer, drug dealer, abortion clinic, crisis hotline, 911, etc. All identified, with call duration, time, location and (in toto) frequency. Rather useful, really. And if you happened to get up to any modem-based computer hobbies in the 80s or early 90s, the telltale evidence is now a matter of permanent record (though the statutes of limitation have long since expired). Unless you managed to hack a neighborhood trunk and used it exclusively, you can count on one fact: They Know. Lying about it just digs your hole a little deeper, depending on who is asking. Damn, even decades after the fact, I hope they don’t tell Mom… 😀
Cell phone hardware and software security is pretty sketchy, with Android (the cheapest and most popular, in straight numbers) trailing way behind Apple. Users do not (generally) exercise root-level, authoritative control over their phones; monetized data collection by OS vendors, phone service providers and installed applications is rampant (making data collection by criminals and LEOs fairly trivial). Your physical location is tracked continuously (towers, beacons, GPS, etc). Your cell number can be dereferenced to obtain your real identity, unless you’re using a burner. Setting up a burner is no longer trivial (stateside, at least). Not sure what they’re doing in Europe.
Cable modems and home routers used by nearly all Americans are an absolute abomination of potential security issues (as witnessed by everyone during the recent IoT DDoS a few months ago). Some devices are better than others, none are perfect. Though it might be a PITA, rolling your own is currently the best option, when setting up a device to protect your home’s internal network. A used Soekris plus *BSD is not a bad way to go…
Wireless and networked printers represent another (rarely patched) hackable, persistant threat and source of data leakage. Better to use a wired connection (with wifi disabled).
Ditto for many Bluetooth devices.

As should be obvious, you actually had considerably more privacy and security (by default) when you were not surrounded by these devices, over which you exercise little control. Hard choices may be inevitable, here. I am not quite to the point of suggesting a ‘Clivian’ level of paranoia yet: sitting cross-legged in a Faraday cage, surrounded by three out-of-sync oscillating fans, a space heater and clouds of metallic chaff with the Glen Miller Orchestra cranked to 11 and a grounding strap on your big toe; wait, that’s no big toe! Just kidding, Clive. 🙂 But seriously now, things are rapidly headed in that direction. If you truly need both privacy and (moderate) security, you will need to rearrange substantial portions of your life in order to get it.

Cheers,
Spooky

WebExtender • March 16, 2017 12:38 AM

@Bruce
If you need any help with UI/UX let me know. I do iOS and web mostly but have experience elsewhere. I made a separate github account “for obv reasons” but have worked in the space more than most here I suspect.

Btw, thank you for what you do and for hosting this blog. I do not think people say that enough.

Clive Robinson • March 16, 2017 12:43 AM

@ Tony H,

You are essentially quoting from Jane Jacobs and her Systems of Survival.

I’d not heard of the book, although the author I had in other contexts.

The problem now is getting a copy for the dead tree cave…

Out of curiosity, how did you find out about the book and end up reading it?

Clive Robinson • March 16, 2017 1:56 AM

@ Spooky,

Setting up a burner is no longer trivial (stateside, at least). Not sure what they’re doing in Europe.

It depends on if you are talking “new” or “secondhand” phone.

In the UK because many of those of more tender years treat phones as “Fashion Items” there is a very high drive to “upgrade” almost every six months even when on a 24month contract. Thus you can quite easily find “second hand” phones for next to nothing in the more “vibrant, ethnic areas”[1].

Likewise there are many SIMs you can get, which can be realy realy cost effective if you phone just one or two other phones (eg family). The way it works is that somebody negotiates a deal with one of the big carriers, usually it is for those phoning a different country such as India etc in “out of business hours”, and they wrangle other sweeteners such as free calls or texts to others in the “brand group”. The SIMs are “no name, pay cash at your corner shop” for something like 7USD equivalent, and you can top them up with cash at many supermarkets etc.

As I’ve mentioned in the past those little secondhand phone counters like any “cash business” is a way to launder money etc, thus attract certain types of criminal. They basically “borrow-a-phone” from one unit and return it to another unit, with cash receipts at inflated prices etc (think like a back-to-back loan through a tax haven, but to launder not avoid tax). During the borrow they will use it for a day as a burner[2] with one of the no-name SIMs. The phone then gets sold to some wannabe teenager who can not get a phone contract etc because they are to young or don’t have a bank account or credit score etc. Or it gets “exported” along with stolen phones. Thus as happens with phones in Afghanistan they have “moved on” before the authorities can act upon them (hence wrongfull drone kills etc).

[1] Before somebody jumps down my throat for being Non-PC go talk to people in various non-WMC areas and see what they think. Vibrant they most definitely are, even if branded as No-Go areas. Which is odd because I’ve witnessed and been subject to way more problems in “nice suburban areas” than I ever have in the supposed No-Go areas.

[2] How the phones get used is from what I’ve been told similar to the old illegal bookie system with runners. It will be used in a backroom of a cafe, barbers or other place such as bus stations etc out of sight but in a crowd. The principles never “speak” they use a wannabe to talk or simply “code-txt”. Some even use “open WiFi” in non Corporate cafes etc and almost have an “electronic rock” bridge system[3].

[3] https://www.theguardian.com/world/2012/jan/19/fake-rock-plot-spy-russians

Ph • March 16, 2017 3:27 AM

@Dirk Praet

When you use your example of “A manufacturer can come up with the best and most secure of microwave ovens, but he can never prevent some dumbass from using it to dry a small pet with if said dumbass for whatever reason can’t be bothered to read the fine manual.”

You are using exactly the analogy that removes the control that a designer/developer has over his program.

In software you have the control to check for metal, to check for living things, to check for everything you need to check

If contents ~ Bad things then goto error bad things.

So it all becomes a numbers game, do you expect 1 developer to do the correct thing, or do you expect 1 million users all to do the correct thing?

You educate the users by making good programs, not by seminars, trainings and other slide talk shows.

Spooky • March 16, 2017 3:57 AM

@ Clive,

It sounds like you guys on the other side of the pond have it pretty good, on that count. I wish we had access to that same established ecosystem for anonymous, cash-only transactions. You do have some options in the US, but non-cash payment (for the unlocked phone and SIMs) is a still an issue. Given that a burner and non-burner phone in the same geographic location will appear tightly correlated the carrier’s network stats, I suppose there is a risk of being identified if the two are allowed to be active at the same time, on the same person. Also, allowing a burner to be active overnight (while you’re asleep) is not so great, since it is obvious to the carrier that the phone is not moving and those same baseline stats greatly constrain the range of probable locations for device and owner (it may be sufficient to positively identify you, in a residential housing area). All things to note.

re: Fake Rocks

The U.S. is also fond of those chintzy man-made surveillance rocks. You’ll occasionally see them at large retail outlets, college campuses and even military bases. I’m pretty sure they know they’re not fooling anyone but perhaps they are hoping people will gradually become desensitized to their presence? Alas, more frog boiling.

Cheers,
Spooky

Dirk Praet • March 16, 2017 5:38 AM

@ Ph

If contents ~ Bad things then goto error bad things.

Also known as the SHISHO-principle: sht in, sht out.

So it all becomes a numbers game, do you expect 1 developer to do the correct thing, or do you expect 1 million users all to do the correct thing?

That’s just not how it works. However much you can make your software fullproof, you can never make it foolproof. Everyone who’s ever developed anything knows that, and the harder you try, the more bloated the end product will become. And consequentially its attack surface.

Frankly, I have a hard time understanding people that just can’t be bothered to assume any responsibility or accountability for how they go about stuff. That’s also why we have drivers licenses and don’t allow DUI.

@ Spooky, @ Clive

Setting up a burner is no longer trivial (stateside, at least). Not sure what they’re doing in Europe.

There’s a growing number of countries where you can no longer buy a SIM without identity registration. We pretty much have Daesh to thank for that. But you can still work your way around that if you know the right people.

Though it might be a PITA, rolling your own is currently the best option, when setting up a device to protect your home’s internal network.

I always put at least one additional router behind the ISP box, and which I fully control. These devices are generally pretty cheap, you can flash them with some reasonably maintained FOSS firmware (like OpenWRT) and the setup is pretty easy if you know what you’re doing. The only thing that can be a bit of a PITA sometimes is port forwarding. Alternatively, you can use an old machine running pfSense or something similar, adding network monitoring, NIDS, proxy and VPN functionality to your LAN.

Wireless and networked printers represent another (rarely patched) hackable, persistant threat and source of data leakage. Better to use a wired connection

Which essentially goes for all devices, not just the printers.

@ Hestor

The Grugq has a couple of video lectures on youtube where he greately expands upon his well known STFU powerpoint slide show.

I’m a big fan too. That’s why I suggested our host to try and get him involved in this project too. Almost anything @thegrugq publishes is pure gold. Answering my own question to @ab praeceptis what he would recommend a group of Bahraini LGTB’s, Iranian techno enthusiasts or Dakota pipeline activists, that would be reading up on his OPSEC manuals first and taking it from there.

@ Nick P

Wait, you use verification tools that are American or receive strong contributions from Americans.

From a practical vantage, it is really hard to avoid US tech. It is almost unbelievable how us in Europe here allowed ourselves to be completely engulfed in and outcompeted by US technology.

ab praeceptis • March 16, 2017 9:41 AM

@Hestor

Thanks for the compliments. That said, it was this blog and particularly some of the more experienced and thoughtful commenters who triggered quite some thoughts and whose comments are often quite fertile.

@Nick P

Some of what you mentioned are hits, some are not.
But that’s not the point. My message is not “Kill all us-americans, each and everyone, and rather use a non us of a calculator than a us of a cpu or software!”.

My position is rather “us of a reliably abuses any power it gets, so make sure to not give them any. Plus, on average(!) their products are badly designed (if at all) and badly built (usually because driven by greed and not engineering)”.

It’s probably very hard to digest for someone over there who is impregnated to say utter BS like “proud to be an a.” but there has probably never being any nation on this planet where reality and self-perception were wider apart.

Education is lousy anyway and has been additionally perverted, proper reasoning is widely absent, etc.

Kindly note that I’m talking about the average and about major parts of society – I’m not saying that there are no us-americans with a brain. Also note that I do not say that we europeans are much better; we aren’t, alone for the fact that we are but us-american colonies for decades.

Also keep in mind that many, painfully many of your best people are actually not really us-americans. They may be on paper but actually they are Asians, Russians, etc.

And you err, re. myself. Except for processors, I have pretty much nothing us-american (plus I do not have to trust it as I can use a non us of a cpu for sensitive jobs).

To show you that I’m by no means against each and every us-american I’ll mention what I consider the best programming language today (at least in pragmatic terms): It’s Ada. One beautiful property of Ada is that it was designed by a french (J. Ichbiah, whose design won against the best the us-americans could muster) but further developped and extended mainly by some us-americans (i.a. and mainly Tucker Taft) who did a very good job.
There you have it: I’m lauding a us-american – and deservedly so.

You bring up “all major OS” being mostly us-american – indeed, but now tell me, what are the major crap- and bug collections? Those very same us-american OSs!

I hit somewhat on this because it shows one of my major “accusations” against us of a: They hold crap in their hand but being largely in control they don’t say “Hell, we have created pretty much crap!” – nope, they are pissed off and say “Pretty much every crap collection is us-american and almost everybody must use it!” with a built in “proud to be us-american” …

Let us have a constructive view for a moment, shall we:

a) the cat is out of the bag. The europeans have been to obedient, too fat, and too stupid to come up with a (not insignificant) CPU. The Chinese, however, have multiple approaches of their own. Yes, those are in the end based on former us-american designs, but that’s not the point. The point is that you, the us-americans can’t control (and strangle) them anymore. Similar thing in Russia. You really think the computers in, say, an S-400 system are us-american? Forget it. They are russian (and you bet much more reliable than yours).
Funny that almost nobody saw that but CPUS and OSs have one of the major “weapons” of the us of a to control and to keep subdued all others. But then their predator capitalism won and they outsourced … we all know the result. China is leading the top 500 now, for instance.

b) The future of whole countries and regions will be strongly defined by their ability to create safe and secure systems. If the countries learned one lesson then it’s that. No control over your systems means bye, bye, security and bye, bye economy, because nobody will buy that crap (unless you live from selling potatoes).
One may or may not like bill gates but one thing is clear: That guy has a cunning ability to see what will be needed and the big thing in 10 and 20 years. He did that with windows and he did that with “we must build reliable software!” – and today MS research executes.

It just so happens that that and my field overlap to a large degree. You may know 1000s of papers (I say that respectfully) but I know which 10 in the 1000 are actually useable approaches. And I know something else: major parts of that are not in/from us of a. Plus: Gods mercy upon your country if thousands of those not really us-american scientists leave your country. Because it’s them, those chinese and german and russian and … who are the real scientific cream. us of a basically stole them; they stripped whole countries and regions of their brightest young people. Payback day will come, rest assured.

So, yes, us-americans have been involved in many tools I use. But except a very few the major part is non us-american.

The strongest math departments today are 500km around Grenoble(France and Suisse) and in Russia (and probably China; I don’t know enough about China). And math is the basis. Safety and security are functions of math.
There are other good places around eurasia; many of them are still small islands (examples: some brit unis, some czech stuff, Leuven uni).

I don’t hate us-americans. Many of them are friendly. My normal approach would be to say that we should all share, incl. us of a. Unfortunately, however, the us of a has amply demonstrated two problems:
a) they abuse their position to control, subdue, and strangle the world.
b) they suffer from a very grave gap between PT/show/blabla/proud to be … and reality.

There is a new cold war. The world is breaking free from the us of a, i.a. and particularly in the critical field of IT. It won’t be simple but we will succeed; one reason being that we have thousands of years of culture and science the us of a is utterly lacking.

ab praeceptis • March 16, 2017 9:55 AM

Dirk Praet

“SHISHO” – Excellent! Thank you for that term. It just matches perfectly well in many cases and hits the nails head.

@All

While I find Bruce Schneiers et al. undertaking laudable it will quite certainly fail. Simple reason: No matter how great your protocol and software, you can’t have security unless you have a reliable and secure hardware basis.

Maybe, just maybe (I’m probably somewhat blueeyed here), Risc 5 will take off fast enough and well enough, also finding uptake by manufacturers building the needed gazillions boards (and at competitive prices).

Bruce Schneier has, for instance, shown quite early that good sym. crypto or, another example, that good quality PRNGS can be designed, implemented and find significant uptake.
Unfortunately the spooks and goons have amply demonstrated that they can simply walk around those barriers and attack lousy OS or tainted hardware.

For the time being I see no alternative to what Thoth at all are suggesting and working on, namely relatively simple and trustworthy secondary hardware so as to avoid the primary hardware (typ. x86) ever being involved in critical steps, let alone being the only hw. being involved.
That, however, will be a very hard sell with dumbed down masses who care only about 3-D click buttons with stereo click effects.

Clive Robinson • March 16, 2017 2:56 PM

@ Dirk Praet, Spooky,

I always put at least one additional router behind the ISP box, and which I fully control… ~~~ …adding network monitoring, NIDS, proxy and VPN functionality to your LAN.

If the instrumentation is between the ISP router (garden gate) on the “garden path” to the personal router (front door), I call it the “Garden Path” method.

The point is it leads attackers “up the garden path” where they are seen by the instrumentation that they can not see. Thus you find out what weaknesses are in your ISP router, which can be otherwise hard to see (when locked down from the customer but open to ISP techs and just about eyerybody else on the upstream side).

There are other tricks you can.do as a “home user” in that you can get your instrumentation to block automatically on IP addresses etc that attemot to enumerate or probe your defences. Also the likes of port knocking etc.

For some reason it’s a setup you do not see mentioned very much. Why I realy don’t know, but hey the worlds not perfect 😉

John Doe • March 16, 2017 6:05 PM

@ Spooky

* Every laptop and desktop computer widely available to journalists, activists, politicos and regular citizens with an Intel or AMD processor contains a built-in hardware backdoor (Intel Management Engine, AMD Platform Security Processor). It cannot be removed and it cannot be defeated (when active). Mitigations are approximate at best.

I agree, but purism has made great strides lately: https://puri.sm/news/.

Once they have your real identity, some sort of automated risk assessment is probably performed and based on that weighted score, a determination is made on whether you will be targeted with additional (and possibly more invasive) surveillance.

You claim surveillance is a technical issue, however it is more of a cultural and political one. Any culture that disagrees with such surveillance simply doesn’t engage in it, because it is not in that culture’s nature. Any political system that wishes to prohibit such behavior has ways of doing so, and doing so effectively. This is true regardless of what technology is being used.

John Doe • March 16, 2017 6:12 PM

@ Tor?

Why wouldn’t they choose to prepend “Unsalted__” on occasion?

Did you ask them? They’re quite open. If you don’t ask them on irc you should just write a ticket recommending the above and see what they say (seriously).

Exactly. Forensic gathering. Law enforcement is there, every step of the way.

So you’re saying the above was done due to a request from law enforcement? Any evidence for this? I’m very curious.

John Doe • March 16, 2017 6:25 PM

@ Tor?

It is easy to prevent Ed Snowden types in the workplace, blocking device access to the client machine and limiting admin duty/access, for examples. This is trivial with Windows.

I disagree this is trivial. Not in a functioning real world environment, at least. Insiders performing all sorts of things an employer doesn’t want is very difficult to prevent. If it truly was trivial it would’ve been implemented everywhere and leaks, etc., would simply never happen (because it’s trivial to prevent, after all).

Tor traffic can be identified and actually stands out for either an ISP or network administrator.

There are many ways tor can obfuscate its traffic, and obfuscate it successfully. When properly used, tor traffic looks like any other traffic, since it’s only making requests to google, amazon, the washington post, etc. When not configured to hide itself, then of course it can stand out, since it was configured that way by the tor admin.

With either Tor and/or GPG email, the source client can be traced

Source clients cannot be traced when tor is used properly. If you know of a weakness you should really help people out and open a ticket. Peoples lives literally depend on tor in some countries. We really would appreciate any help in documenting outstanding vulnerabilities. Thank you in advance!

John Doe • March 16, 2017 6:48 PM

@ Dirk Praet

However much you can make your software fullproof, you can never make it foolproof.

I disagree. Cliches aside, if software can never be made foolproof, is this due to an intrinsic lack of ability in homo sapiens, and/or due to physical laws of our universe?

Having been a user of software for 40+ years and a writer of software for 20+ years, I have both used foolproof software, and even worked on one project that produced what everyone agreed was foolproof software. Whether it’s the software in my casio wristwatch, my pocket calculator, or my toaster oven (I could go on), none of them ever exhibited problems regardless of how foolish the user was. Nor have I heard reports of mass frustration from fools due to the complexity of their microwave oven. The one project I worked on in my career which produced more complex software that everyone involved would describe as “foolproof” cost a fortune to produce, but has had perfect operational reliability (if that software ever failed people die quickly so we would have certainly heard about it from our customer over all these years).

Most software has horrendous quality since it’s mostly just a house of cards built atop another house of cards, with turtles all the way down. However I absolutely believe software can be made foolproof. There are no physical laws of our universe prohibiting this. In my experience, embedded systems, and especially embedded systems where life and death are at stake, tend to have much better quality than other software, but if folks don’t play in those domains they may only be aware of a small snippet of the software world (most software runs on embedded systems, but the most visible software runs on telephones and personal computers).

If you had said “However much you can make your software fullproof, you can never make it foolproof without making it much more expensive” I would agree.

Everyone who’s ever developed anything knows that, and the harder you try, the more bloated the end product will become.

Not this everyone. 🙂 I’ve developed anything. The harder I try to create simple, elegant, and robust software, the less bloated things tend to become, not more bloated.

Curious • March 16, 2017 7:23 PM

@John Doe writes,

Is this true? I don’t follow Tor drama closely but I thought programs like meek only obfuscated the initial circuit not the entire stream of packets. So meek can get around simple ISP blacklists but if the ISP were to do deep packet inspection they would still be able to see who is using Tor. That was my understanding.

Spooky • March 16, 2017 10:10 PM

@ John Doe,

I agree, but purism has made great strides lately: https://puri.sm/news/.

That is a very good point, and it is also worth mentioning that Intel is apparently producing a range of CPU products without vPro. Or rather, without vPro enabled. Of course, the beating heart of ME is still present on the die, though Purism reports that 92% of the firmware (incl. kernel and network stack) can be obliterated with a Coreboot overwrite. So, good on them for their efforts. Still, I have to wonder whether that remaining 8% (that presumably cannot be audited) could be used to bootstrap the return of the missing 92%. Minor miracles can be performed with less than a kilobyte of code, no kernel necessary. As long as that tiny MCU has access to power and a clock, I cannot rest easy. I want it dead. 🙂

You claim surveillance is a technical issue, however it is more of a cultural and political one.

Actually, I claim it is both in my first paragraph, though I dedicate space to discussing some of the technical issues that enable automated (default) blanket surveillance of large populations.

Any culture that disagrees with such surveillance simply doesn’t engage in it, because it is not in that culture’s nature.

That has not been the case in my own experience. I have never encountered a population so uniform in its behavior that some members did not occasionally violate the established social and behavioral norms of their culture (which, for most cultures, are not rigidly defined but exist along a continuum). Regarding surveillance specifically, I have seen it all the way down to the tribe and band levels of social organization. In an effort to avoid violent confrontations, it often pays to keep tabs on what neighboring tribes are up to and put out brush fires (mediate small disputes) before things escalate. This is simply a survival mechanism; people (and groups of people) looking out for their own best interests.

Any political system that wishes to prohibit such behavior has ways of doing so, and doing so effectively.

Again, I have not witnessed a great deal of success by political regimes at effectively prohibiting undesirable behavior. Suppression usually pushes behavior further underground and out of sight (where it becomes ever more difficult to monitor and control). As applied to surveillance, I tend to see quite the opposite: most political factions have an appetite for surveillance that borders on the insatiable. It provides them with a satisfying feeling of increased control over their environment (and opponents); however, that impression does not (usually) correspond to reality. Resistance is usually organized with a tacit understanding of the opposition’s capabilities…

Cheers,
Spooky

Figureitout • March 16, 2017 11:04 PM

Dirk Praet
are the equivalent of master classes
–Hey thanks mate, the security community definitely needs more level-headed people like yourself (well there was that one time w/ rolf…but we’ll let that slide :p).

I’ll say my latest idea, since I want to expand the data diode to easier usage. Likely won’t have time to build this summer, got too much going on. But eventually for a PoC, I want to have 2 arduinos w/ SD card shields. There’s already code to read a file from the card and send it over a serial port…catch my drift? :p Send it to a receiver thru a data diode to an arduino that puts whatever it receives on serial line to SD card w/ whatever file name. You have a TX and RX SD card and don’t mix-n-match for transfers that you want to keep most internet attackers away, the SD card allows for easy use w/ laptops, desktops, and smartphones. Then port to different MCU’s. There’s so many ARM chips to use these days as endpoints too, it’s pretty straight forward and cheap to do this if you need it. To compromise these (when you’re taking lots of precautions to remove comms channels) will generally take an active attack, involving most likely physical break-ins. But thankfully there’s computers everywhere to use if that’s the case. I hope this tool will make that process easier.

One of my hw’s was to talk via serial (9600, 8, N, 1) to our PC, and echo chars from keyboard from within PuTTY. No interrupts too. Would be easy to attach data diode there and have a one-way channel to an eeprom or smartcard, you can separately enable RX or TX. Thing is, on that chip, RX and TX use the same data register, but I think different shift registers for the respective transmitter & receiver hardware. That’s concerning from a security perspective though, I’m sure it’s possible to have separate data registers at least. If that’s a common design (likely reduces cost, so it may be common) then that’s a problem. I’ve actually found some things our professors never talked about which I keep meaning to ask..literally says “backdoor key” lol, I’m not even kidding. Has to be a joke since it was in the open of a header file that macros to a lot of ports, if I found that while I was working on a product for someone, that’s a “scrapable offense” for that chip. That was a freescale chip, worked like a charm. PIC’s, I’m able to send a char one way, same parameters, but having issues with strings. Atmel chips, of course. W/ the barebones design from Sancho_P the crazy spaniard (kidding bud! :p), it’s easy to apply it whereever you want, and add on to it. UARTs are fascinating in that sense, it’s the simplest communications interface, and have a place at the security table.

Hestor
–I don’t really recommend newer notebooks (the really small ones) for the obvious reasons…you can’t install linux or bsd for a lot of them (that may have changed), windows has it locked down w/ secure boot. And no CDROM. But if your opsec is on point, neutering even a windows notebook, and using it safely is within the realm of many many people. I said use a liveCD, unless you try the Qubes liveCD version, which is a VM in RAM…pretty sick. I’ve had enough malware following me from harddrive to harddrive, USB stick to USB stick. And a bicycle b/c it’s much easy to search for tracking devices. Then ideally using a yagi antenna to connect to a network most likely out of sight of a camera (but would draw attention). If you haven’t tried that, do it, very cool to see all these networks as you point the antenna around. I’m counting on the bunnie’s of the world, that we’ll get a better market for modern amnesiac hardware, security professionals around the globe need it for evaluating infected PC’s or protecting their businesses’ crown jewels. Relying on old hardware is a losing strategy, eventually it’s all gone, EOL’d.

Also most of the transfer process at least, can be done on embedded systems, usually can’t have the latest crypto on them though. Even an idea of mine that’s surely been used before, transferring messages on the internal eeproms or just in flash memory as strings, and shipping pallets of chips to someone. Could fly under the radar pretty well since there’s billions of chips flowing all around the globe.

Dirk Praet • March 17, 2017 3:15 AM

@ John Doe

If you had said “However much you can make your software fullproof, you can never make it foolproof without making it much more expensive” I would agree.

Whereas arguably you can make almost everything better by throwing more resources at it, it will still remain as hard to achieve a goal as that 99.9999% uptime in data centers. And which still doesn’t change my opinion that somehow it could ever be a fail-safe substitute for proper user education and training. It’s not an or-or, but and and-and thing.

@ Figureitout

well there was that one time w/ rolf …

I guess there were plenty of times Rolf and me went head-to-head because I just couldn’t understand how anyone could be so unreasonably stubborn and in denial 😎 The two Arduinos with SD card shields sounds like an interesting idea. Keep us posted!

Clive Robinson • March 17, 2017 7:10 AM

@ John Doe,

Cliches aside, if software can never be made foolproof, is this due to an intrinsic lack of ability in homo sapiens, and/or due to physical laws of our universe?

Are you joking?

It’s both,

Homo sapiens is driven by what in our modern world appears are irrational impulses. It’s why people get startled or run away or hide in horror films. In times past the ability to subconcioisly recognise a threat and be up a tree befor the concious mind works it out is the difference between being alive or being lunch for a preditor. This is hardwired not just in our monkeu brain but into our concious thought processes as well. Thus we have a lot of limitations even in very simple mechanical tasks, we tend to call them “accidents” when they happen but most times they are not, they are our limitations getting in the way.

As for “laws of the universe” two laws the second law of thermodynamics (entropy) and Newtons third law (conservation of momentum) should answer that without further question. In the case of entropy for both the tangible physical universe and intangible information universe. And in the case of conservation of momentum in the tangible physical universe and when we store, communicate or process information by physical means.

Entropy is interesting because it is a statistical measure not a cardinal or absolute measure. Which means that it is in theory possible for that glass of drink you droped that shattered on the floor to misteriously jump back into your hand unbroken and without a drop spilled, very very very improbable but nether the less possible.

As I’ve mentioned befor, twice in my life I’ve seen a coin land and stay at rest on it’s rim without any support. Improbable things do happen occasionally.

Thus as crypto keys get longer each additional bit should halve the probability you should be able to guess it, but it in noway precludes you,tossing a coin and getting the key at first random guess.

Likewise at some point every physical component of more than just a handfull of atoms has an expected life time during which it is expected to fail (lookup “bath tub” curve). This is due to entropy and the apparent confined way it starts is due in part to the conservation of momentum as was once observed “The apple rarely falls far from the tree”. Which brings us to your,

Not this everyone. 🙂 I’ve developed anything. The harder I try to create simple, elegant, and robust software, the less bloated things tend to become, not more bloated.

The level of bloat is due to how you decided failure will be dealt with. Most software takes the easy “bail out on exception”, those that try to deal rationaly with exceptions and mitigate without bail out (ie fault tolerant) have to deal with exceptions to exceptions and that becomes a “lesser flea” problem. Eventually all software fails, as the underlying hardware fails.

I’ve written fault tolerant fail safe software, and that is 100% reliant on fail safe hardware that I also designed. Some of it on oilrigs has outlasted not just the rig but the oil field it was on. But I know it’s not for ever, and I knew and documented that there were ways it could fail in operation that others had to note and mitigate in their designs, including running tests that could if things had failed silently bring on the fail safe condition.

That is what responsible engineers do, work as best they can with what man and nature decree by thought and action. Nothing is “fool or nature proof” nature will always have the last laugh no matter what, entropy decrees it.

Nick P • March 17, 2017 8:41 AM

@ ab praeceptis

Your reply is all over the place. I’m going to focus this one. Also note that you’re talking to an activist against corrupt government and business practices on a forum where even Americans dislike the bullshit that happens over here. Education, society, etc are about irrelevant if we’re talking about us and various trained engineers doing good work.

Regarding the U.S., most of the software you’re griping about is written for financial and/or political (within companies/governments) reasons. It succeeds at its goal. Some of them succeed so well that foreigners almost exclusively buy them. Microsoft, IBM, Oracle, the browsers, and so on come to mind. If all your venom was true, then foreigners would’ve homegrown one with corporate or government funds that kicked American products out of the market. That didn’t happen. Most of the foreign work is also derivatives of the American work or uses their tools. So, even the trash seems to not be totally trash. There’s value in it along lines of Gabriel’s Worse is Better essay.

Good news is I wasn’t talking about trash. I was talking about the CompSci and corporate groups making good stuff for INFOSEC or tech in general. You people talking anti-America lump them in with the trash peddlers as if America is one thing. I’d figure our states or elections would teach you there’s a shitload of diversity in thought & action in the U.S.. In any case, the groups actually aiming for quality or security have produced some of the best work in the world. Unlike INRIA et al, they also FOSS their most practical stuff more often over here. Still plenty of locked up designs with corporate, tech transfer no doubt. The worst in patent trolling, too. We just get luckier than most areas on that small percentage that makes it to public’s hands.

So, the correct perception based on the evidence is that American products can be trash or gold depending on who makes them. One should always use the golden works to their advantage regardless of who creates them. If they’re open & you worry about future subversion, then you just fork it into your own repository or fab it in some place you trust more. That simple. Who? and you act like the mere touch of an American hand makes all that impossible. Funny thing is that such false views imply we’re smarter than everyone if we’re that good at FOSS subversion. I don’t believe that as high-assurance work pushed here is usually simple enough for bright folks oversees to spot any bullshit slipping in. When that doesn’t happen (a lot!), it’s because of the same apathy toward review overseas that happens here.

Note: Your pick for Ada is great but don’t forget its inspiration from ALGOL and Burroughs safe-by-design systems. The Frenchman didn’t invent those concepts. He just brilliantly iterated on American & international work that already existed. I think the only thing original… so far… is designing for use with other programming languages in same project. That didn’t go commercially successful until VMS OS & then mainstream in Microsoft’s CLR. He was unsurprisingly quite ahead of the curve. 😉

ab praeceptis • March 17, 2017 10:37 AM

Nick P

Not bad for a us-american, your reaction. BY FAR better than the usual blindly defending the us of a and getting aggressive I’ve got used to.

But misplaced.

Mainly two reasons: a) I’m not against “the us-americans”, I do not hate all us-americans. Of course I see and understand and know that there is considerable bandwidth from stupid asshole to brillant cultivated homo sapiens.

b) I’m not interested in the kind of “No! Mine is longer!” contest – and – I, like you, can’t but live in a world which is strongly influenced by politics. And all in all that shows your country in the evil corner (while it itself works hard to arbitrarily paint others as evil, e.g. Russia). Again: That doesn’t mean that all us-americans are bad but it certainly means that one should be extremely mistrusting re. anything and anyone us-american.

Nice try with painting Ada as somehow us-american. In fact I like that example among other reasons because (having been paid by the dod) it almost invites one to think that it’s somehow us-american. Well, it is not. The decisive design decisions have been made by Ichbiah and some decisive points you mention as well as others you don’t mention are based mainly on the insights and works of europeans, too. Finally, adacore has re-put a very considerable part of their operations and engineering back to france, probably for a reason.

Last but least, let us just keep our points of view and not discuss them like dead horses. Chances are yours won’t change and mine will definitely not.
Let me tell you just three reasons:
– there are certain circumstances in how your country came to exist that I’m polite to mention here. But I know them and they are of major influence to my thinking.
– culture. There definitely is quite some significance in it. It’s a major difference whether one has a cultural base of a few centuries or of thousands of years. And no, one can not just mix a plethora of cultures and claim roots reaching back millenia.
– us-americans like to consider anyone with a us of a passport as us-american. I do not (with regard top what we discuss here) and hence I consider a major part of what you call “your” scientists and researchers to not be yours but chinese, italian, german, etc., at least for two or three generations.

Most importantly though, where you see smart and well-intentioned us-american researchers and developers and successful projects and companies I see a country that has killed more humans than any other; I see a country that has poisoned the world with bad software, tainted hardware, perfidious operations (nsa, cia, …), etc. Short, I see the us of a as the country that brought mainly misery, suffering, eavesdropping, unreliability and insecurity, often intentionally.

That said, I, of course, also see intelligent and well meaning people like you. That’s why I’m here and discussing (usually quite politely and respectfully) with them.

And I suggest we leave it at that, at constructively discussing and trying to find ways to repair some of the damage.

Dirk Praet • March 17, 2017 10:46 AM

@ Nick P

So, the correct perception based on the evidence is that American products can be trash or gold depending on who makes them.

There is no doubt that US tech got to dominate the market not just for marketing and financial reasons, but because in general it is also fine and appealing stuff. It is however hard to deny that the degree of subversion it was subjected to by the USG, IC and corporate collaborators was so off the scale that it pushed many into looking for alternatives. Including myself.

ab praeceptis • March 17, 2017 11:31 AM

Clive Robinson

Interesting post, like often from you.

I feel, however, that the glass example (unlike the dime on the rim) is somewhat unfitting insofar as it ignores context. Dime on the rim is within a given context, but glass is not.
Reason: To make a (whole) glass from the pieces again one actually needed drastically decreased entropy as the necessary temperature is a) within rather tight bounds and b) far above room temperature, so much so, that the observing human would die and the liquid content would evaporate.

As for the “bloat” observations I don’t fully agree insofar as it’s way more than just the cheap exception-abort way out. However, I find your thoughts very interesting anyway, as that is indeed a widely applies school of thought, most so in the C and derivatives world.
I remember readings Prof. Meyers thoughts at that and how that usually very mildly tempered man seemed almost bellicose when touching that matter. And indeed, as you correctly indicate, there is much better ways; in fact, one might even say that the usual exception-abort way is incorrect in pretty much every sense and strongly hinting that a developer hasn’t understood the concept.

Obviously, the first thing to do is to differentiate between different classes of errors. There is, for example, a large class of principly recoverable errors such as, for instance, “device full” or “printer not connected”. But, using some proper reasoning and planning one may also reasonably recover from or at least gracefully deal with seemingly much more profound errors such as div by 0 if the software is properly designed.

When looking at the issue whether software or hardware can be 100% correct and error-free (which, as you know but many probably don’t, is not the same) I smilingly note that the two major points of your post come together nicely.
The answer is, of course “No, it’s not possible” but the reasons is interesting: It’s not possible due to i.a. entropy which makes the context-space so large and bewildering large – and includes the hardware itself – that we can’t reach 100%.

Nice excursion, Clive, thank you.

Skeptical • March 17, 2017 3:01 PM

@ab: I think your misunderstanding of American culture may be the reason you’re overweighting the value of avoiding American products.

For instance, you write:

Also keep in mind that many, painfully many of your best people are actually not really us-americans. They may be on paper but actually they are Asians, Russians, etc.

Let me re-phrase your point as an American might: “some of our best people are Americans by choice.” And those people – who choose to become Americans – not only contribute to American culture, but they are parts of American culture. More to the point, they’re part of American culture that produces the products at issue.

– culture. There definitely is quite some significance in it. It’s a major difference whether one has a cultural base of a few centuries or of thousands of years. And no, one can not just mix a plethora of cultures and claim roots reaching back millenia.

No one is alive for millenia. It’s nice to think of having roots going back x millenia, but really they’re unlikely to extend beyond several decades. We each learn what we can within a small window of time. In the United States, as in many nations at this point, the traditions and knowledge accessible to one directly are both many, and also, as a result of being immersed in a particular context, unique.

– us-americans like to consider anyone with a us of a passport as us-american. I do not (with regard top what we discuss here) and hence I consider a major part of what you call “your” scientists and researchers to not be yours but chinese, italian, german, etc., at least for two or three generations.

However you might consider them, they are US citizens, many of them fiercely and proudly so.

That this is possible is itself an important part of American culture. If you fail to grasp the deep role this has in American culture, then you will never understand that culture.

Perhaps it is in part because the United States is composed primarily of immigrants, or their descendants, that innovation, optimism, and pragmatism form such a deep part of American culture. They will produce bad products, because that is part of the process of growth so long as you believe that good products will eventually win out, which is precisely what they do believe. And, frequently, that’s in fact the outcome. Bad products, and the companies that make them, generally fail. Competition is ruthless.

Moreover, if it looks like a practice in a foreign nation is working better, then they’ll attempt to learn from it. Sometimes wrongly; sometimes badly; and sometimes they may fail to recognize that better practice at all; but Americans are no more immune, and no more prone, to human fallibility in these matters than anyone else.

As with all cultures and nations, there are contradictions and contrary currents in American culture to all that has been described. And with the products of the American entertainment industry so widely available, it is perhaps quite easy for American culture to be misunderstood.

However, the open nature of the United States, which leads you to conclude that it lacks culture, is actually one the very things that drive the quality of what it makes. The other aspect is a skepticism of central planning and a belief that a competitive, open, evolutionary process results in better outcomes.

Of course, a more American approach would be to simply evaluate each product on its merits; because companies, and nations, that evaluate matters otherwise tend to fail.

ab praeceptis • March 17, 2017 3:22 PM

Skeptical

Only some short remarks.

What us-americans hype as “by choice” and “fiercly proud” can also be seen as, hmm, how to put that politely, as an indication that many of them will leave as soon as it gets more attractive elsewhere. Well noted, that is an extremely diplomatic formulation.

Also note that being “fiercly proud” (to be a us-american) is perceived by many not as a strength but as a lack of well founded self-confidence.

Frankly, I for instance, consider anyone who is fiercly proud to be us-american, french or whatever nationality just as a poor idiot.

Most importantly, however, again: My point is not one against the people living there. It is rather against the system and all the pus that cancer creates. To name one striking example: ultra-capitalism that makes companies act so insanely that even many of their own engineers complain and demand more time to fix problems instead of creating ever new – and buggy – features.
THAT is what I care about and not the people, many of whom are quite friendly and victims themselves (although they probably don’t understand that).

CR Fan • March 17, 2017 3:25 PM

@ Clive Robinson

‘As I’ve mentioned before, twice in my life I’ve seen a coin land and stay at rest on it’s rim without any support’

ideeed. But are there any others on this forum destined to replace Chuck Norris as the subject of a series of jokes?

“Clive Robinson doesn’t delete files. He melts the hard drive using his mind’

“Clive Robinson doesn’t discuss quantum physics. Clive Robinson invents galaxies”

contributions from the community encouraged – @ Bruce, this requires a section on your site!

Nick P • March 17, 2017 10:54 PM

@ Dirk Praet

“It is however hard to deny that the degree of subversion it was subjected to by the USG, IC and corporate collaborators was so off the scale that it pushed many into looking for alternatives. Including myself. ”

Remember my comment said to validate and use the great stuff that was open but that distrusting closed stuff was sensible in police states. The U.S. isn’t the only one doing subversion either.

@ ab praeceptis

” I’m not interested in the kind of “No! Mine is longer!” contest ”

That’s exactly what I was countering with the anti-American crap. It detracts from the better approach of fighting all untrustworthy or potentially subverted software while using whatever is good from any source after vetting it. American works, esp in CompSci, should be prominently on the list since there’s great, even critical, ones. I work at a per group level unless one is worried about legal orders for backdoors at national level. In that case, I recommend having backup options somewhere else. That’s good advice no matter where the source is due to the more common attacks via copyright and patent suits.

“Nice try with painting Ada as somehow us-american. ”

Ada is a combination of high-level language features for expressing ideas (the form of the language) and safety features. Most of the features in Ada were already in work such as ALGOL before it that Ada’s designer was aware of. The built-in safety, use of HLL’s for system software, software engineering itself, and some other things were envisioned by genius Bob Barton who implemented them in Burroughs B5000 in 1961. Dijkstra and Hamilton were the other indepenent inventors of software engineering in the 1960’s with key contributions that lasted. So, we have most of what’s in Ada already existed mostly built and funded by Americans with large contributions by foreigners on ALGOL side. I used word “international” for ALGOL and engineering (esp Dijkstra) for that reason. Then, a French person exploiting an opportunity only America is providing took some of that, came up with great combination, did some extentions, and that was Ada.

His version unfortunately was too complicated to even implement by compiler teams whereas Wirth in Switzerland and Hansen in (Netherlands?) were kicking ass balancing efficiency and safety in a way that was usable as alternative to C (but didn’t get used). Hardware & compilers eventually caught up to his vision to make his language the safest & usable with steep, learning curve. It was extended by British as SPARK to do amazing things. The one thing it lacked, temporal safety, was done in U.S. via Cyclone that Mozilla (U.S.) got popularized with Rust. That was based on types extended to ALGOL by Reynolds (American) based on foundation laid by Girard (Frenchman). It also lacked easy, powerful safety for concurrency which Meyer (French) did with Eiffel that was too proprietary for wide adoption despite good tech. Some American companies and one Swedish one (Erlang) built alternatives that did get significant use in mission-critical systems with combo of good tech, marketing, and sometimes FOSS.

So, the development of Ada in a technical sense is quite American given Bob Barton invented what it’s known for while a mix of Americans and Europeans that was mostly American made the language it got most of its features from. That’s why I consider the collective body of what makes Ada great to be an effort by people from multiple countries. It is strongly French and American… I’ll put French first here since lead was French… with contributions from German and other researchers via ALGOL. There’s no attempt to Americanize it: quite opposite where an attempt to make it look purely French would be a smokescreen over a complex history of multiple parties.

“hence I consider a major part of what you call “your” scientists and researchers to not be yours but chinese, italian, german, etc., at least for two or three generations.”

I do see where you’re coming from there. I see them as a combination of their culture and ours. As Skeptical says, though, you might be downplaying how powerful that aspect of America is. We say that you can come here for our culture and way of doing business to turn what’s in your head into amazing things that might change the world. Well, that doesn’t usually happen but the big game-changers in tech do happen here more. It’s definitely due to our culture and laws, esp in R&D, venture capital, exploitation of H1-B, and tax dodging. A mix of good and bad that makes those foreign brains do here what they’re unlikely to do there. Same system design also results in all the crud we see in the majority case. I can imagine modifications to reduce the crud while keeping much of the innovations but they’re not happening any time soon. The good & bad will come together when it’s America. Always.

ab praeceptis • March 18, 2017 12:35 PM

Nick P

I’ll pack my response at both issues (us of a and the paper) into one.

But first: Sure, one can always see and follow traces and assume connections one likes to assume. Probably, one could even somehow attribute us of a inventions to the old phoenicians.
Moreover, of course Ichbiah was standing on the shoulders of others, incl. some us-americans. The decisive point, however, that you unfortunately didn’t focus, was what Ichbiah selected, what he left out, which paths he followed and which ones not and what he finally designed out of all that.
He could, for instance, have come up with another kind of C but Pascal Style or with a differently structured Cobol with Objects or … but he didn’t; he came up with Ada – and that’s his merit, no matter how you like to relativise it.

Now to the paper. It’s a nice and interesting paper with lots of information and an interesting and important topic. Kudos to the authors.
At the same time it’s a paper that shows how academia in the “(us-)american century” became foul and rotten.

And – probably most important for us – it’s a paper that shows how sad the status quo is and that we have NO trustworthy kernels. None. Period.

As an aside it also shows how large the gap can be between an observer with an academic perspective (“1000 papers”) and one with a practical perspective and practical experience in the field (engineer actually working in the field).

So, let me talk about some observations I made, some of which look more at how the status quo came to exist than at the made observations.

Probably the biggest problem I see is the MAJOR difference in settings between academia/gov agencies/large corps vs most software designers and developers.

Observation: Isabelle/HOL was among the most preferred and used tools. Why? Because mathematicians (incl. those in CS departments) like it. It perfectly matches their working style. For 97% of all software designers and developers, however, it’s an unreachable, utterly impractical tool from another star.

Which explains what I named as one of the biggest problems above. In a university or in a gov. or large corp setting a mathematician is just some doors down the floor and problem solving is departmentalized.
In the real world of 97% (don’t hunt me on that, it’s an educated guess and I might be off some 1 or 2%) of software developers, however, math is something they are happy to have left behind at college. Based on practical shooting from the hip and utterly unscientific quick tests I made, one will have a hard time to find 1 in 10 software developers who is able and willing to even try Isabelle/HOL, let alone to work with it.

So, the paper view might well lead one to believe that we have a few very safe and reliable kernels (“eal 7”), while, in fact, we do not. Even worse, we do not even know and understand that; we blissfully and erroneously believe something tragically wrong.

And – what a surprise! – we find my observation/judgement in the real world again. There is pretty no safe software or kernel. Simple and ugly as that.

So let’s look closer. How come that that paper mentions some super-special-extra secure kernel als even eal-7+ (note the plus!) while, in fact, we have no secure kernel?

I see 2 main reasons: a) the one mentioned above (departmentalization and practicality) and b) incongruence of multiple levels.

The most grave incongruence is probably the “the algorithms are correct and so the code is correct” premise. Which is sadly wrong.

How do we check whether the Isa/HOL checked algorithms are actually what the code implements? How to build that bridge?

To make the problem more clear I’ll have a quick look at “secure” or “verified” C compilers: Again, those are laudable and important undertakings – but utterly meaningless. Why? Because C itself is ambivalent. Sad and simple.

Which leads me to our french friends. It is THEM who contributed much of what little we have today in terms of safe software design and development/implementation.

While the world (mostly in the us of a) brought us one academic toy after the other, the french have understood that we need a reliable full cycle. We need tools to properly spec and model our algorithms, preferably the kind, a software designer (as opposed to a mathematician) would actually find usable, we need static analysis tools, and, very importantly, we need languages that a) lend themselves to proper design/dev. and b) are not ambivalent and hence adequate in the first place.

Probably the major role in that circus is with static analysis as that can answer the critical question whether the code does actually implement – and properly so! – the design, the tested algorithms.
Underline the last statement in red if you care about the matter.

There are other observations with that paper. One example is the age of the tools used. Quite often it is unpleasantly high and many modern tools seem to not even have made it into anyones toolset. Regrettable, as some are quite good.
Another example is utterly mindless choice of tools. promela is an example. About the only good thing one can say about promela is that it cared about temporal problems relatively early on.
Yet another problem is that extremely important schools of thought and tools are not present at all (in the paper).

Well noted, I’m not bashing that paper! It’s actually quite good. I’m bashing the idiocy and ignorance of major parts of western academia and I’m bashing the intolerable fairy tale show of many researchers in the field, who produce “happy results” for mainly one reason, namely to keep the grant carousel spinning and to get their next grant.

Finally some constructive thoughts:

I’m glad to say that we do have the spec and model tools today as well as the analysers and some, still somewhat limited but quite usable languages and language tools. We are far from a “happiness, flow flow” state as there are still some problem domains that are not sufficiently, if at all, addressed and solved (e.g. the temporal complexity area) and also because we have hardly any full toolchains but rather a rather unorderly plethora of tools out of which one must chose wisely (which itself needs a level of know-how that is rather rare).

But we can, albeit clumsily and with more burden than should be necessary, create safe and reliable software in at least many fields. kernels, btw, are sadly not yet among the kind of software that we can really fully master unless we keep them rather simple.

And, I’m very glad to be able saying that we have some languages that lend themselves to creating verifiably safe and reliable software. Ada is an obvious example, Eiffel, dafny, Ocaml, and some others also come to mind, albeit still with reservations. And while functional languages will not be the ones with which we will finally solve our problems and create reliable software, they have played a major role and have done us great service in researching and understanding the problems as well as in serving as excellent tools in some special fields.

C is the problem child. Being extremely present in existing code bodies and still being the most widely used meta-assembler it can’t be simply ignored or called evil and avoided. At the same time C was, is, and all but certainly will stay ambivalent and while some interesting and promising attempts have been undertaken to create non ambivalent and better subsets, all of those have failed at least in finding considerably uptake.

I therefore suggest to not fight C but rather to create a “not C but feeling like it” language to address an immensely critical but still not properly problem field, namely what might be called P-Code, which at the same time is the thing coming next to a meta assembler and hence the thing that some kind of better C is needed for most urgently. Of, course, saying that I have also verifiability in mind; we urgently need a verifiable meta-assembler that is platform ignorant and verifiable.

Why: Because that very layer is the point where the software cycle is condemned to be broken unless one develops for one architecture only (and even that is tainted; just look at all the x86 incarnations). At the same time, though, it is also the natural “hand over” point between the domain of software and hardware. It would make sense to postulate that the hardware domain (seen from the software side) doesn’t begin with some given architectures assembler but with the “common meta assembler”. This would also offer the hardware people some room and – important! – a standard interface against which to test.

One point, however, should also be clear: It’s about time that we demand that academia doesn’t serve itself but rather society. To implement that and to give academia a chance to do what we expect and need, however, we will also have to break the unfortunate carousel that the western hemisphere (read: mainly us of a) has implemented and forced upon it. Maybe, being a young nation, they didn’t know better or maybe, being a cruelly profit only driven society it just seemed great; no matter which and why, a new and better – and more safe! – world will need to break their mechanisms and replace them with more useful and intelligent ones.

Skeptical • March 18, 2017 5:59 PM

@Ab: What us-americans hype as “by choice” and “fiercly proud” can also be seen as, hmm, how to put that politely, as an indication that many of them will leave as soon as it gets more attractive elsewhere. Well noted, that is an extremely diplomatic formulation.

The process to become a US citizen is not an easy one; there is substantial investment of time and ordinarily of emotion as well.

You forget the communities that one becomes a part of. One’s children are raised there; you may hope they attend the same university that you did in the US (if you did, which is not infrequently the case). Your friends, business associates and partners, etc. are there. Your life is there. The US – the faults of which are as evident as its virtues – does celebrate excellence, and does reward it.

You also forget that as a nation of immigrants, there will be substantial communities within the United States that enable the celebration, and continuation, of one’s traditions and culture, even as one is inevitably altered by being immersed in a new culture.

Also note that being “fiercly proud” (to be a us-american) is perceived by many not as a strength but as a lack of well founded self-confidence.

Frankly, I for instance, consider anyone who is fiercly proud to be us-american, french or whatever nationality just as a poor idiot.

Perhaps this is a missing component in the approach of some nations that have difficulty assimilating immigrants.

A naturalized US citizen can have a strong sense of ownership of their identity. They chose to be American; they are viewed as part of the American story, a core part of the American story; and if they are successful, they are even more likely to associate that choice as the right choice.

You view this as ridiculous only because you miss one of the core components of American identity for many a naturalized citizen: that is is often viewed as a choice, an achievement, and a commitment to a set of virtues, values, and a larger enterprise that enables individuals to flourish. And indeed, often enough it is precisely all those things.

Put more simply: becoming an American is part of the realization of the self, an escape from systems perceived as more corrupt or with social roles more preordained, to a nation that – though riven with faults – offers an opportunity to shape their destiny, and to offer their children better than what they were given.

To view them as mere opportunists is to misunderstand not only American culture, but human nature.

All products must be produced with finite resources and tradeoffs must frequently be made. Market forces, mediated through the bureaucracy of a firm, shape decisions about those tradeoffs by providing certain incentives for making some decisions and certain disincentives for making other decisions. Markets can be and often are inadequate by themselves, which is why many industries and professions are highly regulated. In the case of some products, a certain level of error may be acceptable; in others, less so. There is no one-size-fits-all rule here.

Any system of regulation can be improved of course; the point is not whether the U.S. has “perfect” regulation, but rather whether you have any examples in mind where a lack of “ultracapitalism” has resulted in better hardware and software (and “better” in the sense that it better serves the actual needs of customers and society – not “better” in the sense that it has chosen to forgo the tradeoffs required by finite resources and the requirements of utility to instead produce something beautiful, extraordinary, of very limited utility, and reflective of a completely inefficient use of resources).

Bear in mind of course that many US tech companies not only heavily invest in basic research and development (leaving aside the rather enormous amount of research conducted by American universities and by various forms of public-private partnerships), but also regularly poach engineers from academic posts and engage in joint ventures with tech companies from other nations across the globe. These facts seem greatly at odds with your central generalization.

Sancho_P • March 18, 2017 6:53 PM

@Skeptical, ¿is is you?
Well said. Let me add that you’re talking about the top quarter of populace.
However, also in the worst quarter I’ve never met an un-patriotic American (well, Hawai’i …).
This must have a reason.

ab praeceptis • March 18, 2017 7:15 PM

Sancho_P

I was (well natured) ignoring Skeptical as he seems to uncurably be lost in a bubble.

But as you chime in:

I’ve never met an un-patriotic American

You would have had a hard time to find an unpatriotic german in nazi-germany, too.

So?

Well noted, I do absolutely not intend to compare the us of a to nazi germany; that’s not my point. But stating that one does not find an unpatriotic [xyz] in an utterly brainwashed and indoctrinated society just doesn’t make sense.

Skeptical himselves delivers the example by simply ignoring that his arguments may as well work the other way round. Those “us-americans” (and former Russian, Chinese, whatever) had children and friends etc. in their former country, too. So by living in the us of a it’s proven that those factors do not keep them away from leaving a country.
Yet that was what Skeptical wanted to demonstrate.

Btw the whole discussion is meaningless unless it’s limited to IT safety, security, eavesdropping, shitty hard- and software, etc. because my point is not – how many times do I need to repeat that so as to make it enter the space between us-american ears? – to bash or hate or whatever “the (us)-americans”. In fact, I consider most of them victims, too.
Otherwise I don’t care. As far as I’m concerned the us-americans can live a happy life; I don’t care.

What I do care about is if they act as the worlds biggest terrorist and despot and if they create a situation in which major parts of the world are in deep trouble re. IT security. And it’s not my fault or bad will or evil character if looking at the “why?” I arrive at a grave lack of culture, incl. particularly intellectual culture.

Also kindly note that I do not exactly speak positively of us europeans either. I called us, for example, vassals (of the us of a) and I clearly stated multiple times that good work in the relevant field is sadly rare over here in europe, too.

So, just cut it and stop behaving as if I started a private hate war against the us of a. I didn’t and I don’t. My war is against anyone who produces crap security – incl. most of us europeans.

Reader • March 19, 2017 2:19 PM

One could disagree; Quantum Computing is apparently becoming a reality.

I think the notion that “digital security is mostly NOT a technical problem” underestimates the immense risk posed by Quantum Computing to ALL of todays Internet security!

The security of current Internet encryption schemes completely relies on problems that are solvable by Quantum Computers. All symmetric crypto used in todays Web encryption schemes that could (partially) resist Quantum Computing relies on unsafe asymmetric encryption.

Robert Braunschweig • June 21, 2019 10:26 PM

Hi Bruce,

I REALLY like your blogs and hope that you don’t mind if I keep posting to your site.

Regarding digital security, would you mind answering this question.

I’m subscribed to Express VPN which connects to a specific ExpressVPN server via the OpenVPN protocol. However, between the Asus Router (flashed with OpenWRT) and the ExpressVPN server is the leaky cable modem and the ISP’s server.

Leaky cable modem? Well, I’m in Canada so let’s say I’m a journalist and criticized our socialist sh**hole. Maybe we pay too much tax, etc. Yup, that’ll do it. Now Big Brother tells my ISP to send them everything I do via the cable modem or ISP server.

I can’t flash the cable modem without violating the TOS of my ISP, so does my VPN tunnel actually provide me any protection?

Thanks, RB

Schneier on Security

Digital Security Exchange: Security for High-Risk Communities

Comments

Leave a comment Cancel reply