Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Insecurity in Finnish parlament (computers)
From: James Tucker <jftucker () gmail com>
Date: Sun, 26 Dec 2004 14:34:24 +0000

The only charge appropriate for this case would be what is informally
known as a 'gag order' and will require that you disprove under a
court of law all statements made by Mr Jansson. In fact, you will have
to prove that Mr Jansson's comments are causing you loss of revenue or
damaging the overall reputation of your organisation through false
claims.

Having read the list Markus compiled I can say this.

Items 1 to 9 on the list would suggest physical access to a device,
this is likely to have been contradictory to law. The settings
described would require interaction to discover and this may be deemed
breaking and entering / trespassing / disclosure of government
property. I am not familiar with Finish law; speak to a lawyer not a
mailing list. It is also possible, that he has had only limited access
to one particular device, this would not be conclusive and may not be
a true representation of the state of affairs of all devices owned by
the Finnish government.

Item 10 negates the likelihood of physical access, this would
contradict the above and would seem to make the story inconsistent. A
good lawyer may be able to get you a gag order now.

Item 11 again strongly suggests that physical access was gained and
extensive use of one of these computers has occurred.

Item 12 describes a well known problem, however this cannot be fixed
by the users of the system. Item 9 would suggest that a lack of
encryption on the data provider should be less of an issue.
Furthermore item 12 describes a scenario which simply is not
realistic. Whilst the encryption algorithms in use may be crackable in
near real time on a modern computer, dissection of the modulation
scheme and isolation of a single device is most certainly NOT possible
with a single laptop. Most likely there are no civilians in Finland
with the resources to actually carry out the attack described. This is
the start of his sensationalist reporting based upon a lack of proper
knowledge in the subject area.

Item 13 has more implications than have been considered and would
require more than a little insider knowledge to pull off the attack.
In terms of civilian liability this method of attack is absolutely
absurd. It would require co-ordination from several places and a
significant knowledge of existing infrastructure surrounding that
geographical location. Such hard work is rarely necessary, as it would
make more sense to just knock out the government worker and steal
their laptop. With a good getaway plan this would take far less time,
and not cost hundreds of thousands of dollars. We are discussing
government security here, but if there is something occurring that
would concern the NSA or MI5/6 then encrypting your GSM comms will be
the least of your security concerns. Most real attacks with any
backing do not need to be performed remotely (although the resources
to do so are almost certainly available).

And now for a few comments after reading the rest of Mark's site.
Firstly it would appear that Mark is a common sensationalist. Having
taken part in quite unscientific objections with members of Greenpeace
for a start. There is no need to get into this debate here, but an
educated scientist does not make the same decisions, and this lack of
education or research in subject area is common with many others of
his comments on different technologies. Tetra security for example is
claimed to be useless on his site, but once again his lack of
understanding of Radio Frequency eavesdropping shows a clear lack of
knowledge in this area.

Another clear example of his sensationalist attitude without proper
understanding or thought is in his discussion of SSH security, where
he claims that authentication keys are useless because they cannot be
known trusted during the first connection instance (or maybe he just
hasn't realised you should save the keys during a build??).  The
suggested 'improvement' is already widely used. Why would you print
such a thing? Furthermore there is a clear lack of knowledge of the
process of key exchange for user authentication. Markus, a suggestion,
use the technologies you judge before you judge them. Do some
programming, actually LEARN something instead of reading what other
sensationalists have to say. Don't just believe what you read, take it
into _consideration_ and learn the necessary to make an _educated_
decision.

Common reports of Man in the Middle attacks being possible are not
understood either. As shown by the idiosyncratic inclusion of a key
fingerprint on the same page as his PGP key links (for added
security!?). If someone wanted to sit in the middle, would they not
change both the key and the fingerprint reported?

More sensationalism which has been well discussed in the past and does
not agree with Mr Jansson:
"European Union has considered that Echelon is severe threat to safety
and privacy in the EU region and has suggested that strong encryption
from "open sources" should be used to counter it. "Open source",
because NSA has planted several back doors to encryption systems
around the world. Remember, that Echelon doest just spy on companies.
It spies everyone. Everything that moves in bit-format. Just think
about it: Big Brother IS watching. Every email you send, every message
you post, every page you visit…they will know about it! Scary.
Horrible. And, reality. Again, welcome to the digital age!"
Do some calculations as to the bit analysis you are talking about.
There are so many 'bits' that you simply could not filter all of them
using standard electronics. 1) not fast enough, 2) the warehouses
supposedly running echelon are not big enough to house the processing,
3) the buildings do not draw enough power and show no evidence of a
generator inside, 4) i have not repeated the calculation myself, but
it has been stated, by the EU report no less, that to analyse all of
the data you would require more atoms than are present in the area
used by echelon equipment. This leaves one final possibility -quantum
processing. This is unlikely as again it would produce evidence of its
existence. Furthermore such processing ability if available would not
be restricted to use in communications monitoring. oh, and 5) tapping
the data, the number of data circuits leaving these countries is
sufficiently high that there simply could not be enough bandwidth
entering the analysis buildings. This leaves 6) A decentralised virus
which can infect many architectures and hide quite happily operating
outside of normal conditions in order to not be visible. The
requirements for such a thing (e.g. its ability to run on
preprogrammed DSP's) and the required size and intelligence is simply
not possible. This is not to say that communications don't get
monitored, it is just to say that the report of 'everything you say is
being watched' is quite simply false.
One final point for the amusement of those who also like to think. If
Echelon exists and is monitoring all communications in and out of all
major countries in the world then we are looking at exabytes per
second or greater data transfer. At this rate, you do not currently
hold an encryption which could be deemed 'safe' against a brute force
attack at this speed.You would be better off using human based
scrambling / obfuscation than attracting attention by using digital
encryption. It is for this reason that trade craft professionals are
taught deception before ciphers.

Some more amusement, while the old arguments pop back into my head (It
is Christmas after all...). OK, they don't have physical tapping
devices attached to every cable or router or switch on the planet, and
certainly not in every data centre. Instead satellites are used and
they have a technology to 'pick up' the data comms from there. Ionic
transfer making up thought in the brain is far slower than any modern
electronics. The size of each effective 'bit' (taken to be a single
synapse voltage peak (not really equiv to a bit, but we're talking
electronic induction here and it would be enough)). There would be no
point in monitoring your communications infrastructure, as it would
make entirely more sense just to read the minds of every person. What
does this mean for the scared believer of Echelons pervasiveness? You
should wear a lead hat all the time, in fact, you will need to wear a
heat insulated, eddy current destroying, randomly charged lead plate
(i say plate, it should be several metres thick). They have spies on
the ground too, so you best not talk to anyone, they might be
listening. You could move out of your country and live out in the sea
on a boat, but the satellites can still see you and the submarines
will be after you. In fact they are so worried about their security
that if you did so, you would probably be sunk, so you best not do
that. Climb to the top of a mountain and stay in the clouds, follow
thunderstorms where the disturbance will be too high for their
monitoring equipment. You'll have to do something about grounding
yourself, but you can't because you can't get to ground without being
spotted; so you need to add a rubber cover around your lead plated
internally powered hover ship. Good luck in trying to evade them. Oh
and of course, there's the problem that they know what you are
thinking now, so they know what you will do (including the full design
of your marvelous vessel). In fact I really can't think of what you
could do to get away from 'Big Brother', maybe we should all just
commit suicide?
Or maybe its just deception, maybe no one cares what most individuals
think. Maybe they do conform to their own privacy laws (fundamentally
being patriots, not school bullies). Maybe it's Boxing day and we
shouldn't care; me I'm going to walk my dogs and see my family, enjoy
some socialising (and maybe a stiff drink or three); otherwise "what
the hell are you fighting for?"

Sensationalism only too commonly becomes a way of life for some
people, if you enjoy it then keep it up. That is what your freedom is
about. What you might want to do is provide substantial evidence
though, in order to not end up in lawsuits. Remember too that the
people who create the technologies which you deem useless have
probably spent a large portion of their life getting them to that
point of development. They will not receive slander/libel pleasantly
and any comments which are untrue will be quite simply hurtful. Be
kind to the designers, please stop slating things until you can be
certain.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault