Thursday, May 17, 2018

Ambient Authority - The Trojan Horse

“Secure Computing” - Isn’t. If it were, you’d be able to check your Gmail and surf the web on a secure computer in a secure environment. No sane GS-15+ is going to let that happen any time soon, because they know better.
OK, controversial statement up front; let me explain where I’m coming from and defend it.
I’ve come to learn that there is a set of jargon used in “secure computing” that I really don’t know, and need to learn in order to communicate effectively with the crowd that uses it. There is also a different set of jargon used to describe capability-based security, which makes it that much harder to convey what it is, and why it matters, to the people who really, really need it. So forgive me if I oversimplify things a bit; I’ll try to keep this as plain-spoken as possible.
There is a Trojan Horse hiding in every major operating system out there: Linux, Windows, Mac OS, and even (as far as I can tell from my civilian outsider view) the “secure” OSs. As far as I can tell, the main difference in “secure” computing is that people carefully check the code for errors, audit and log the shit out of everything that happens, are very, very paranoid about what they let the user do.... and then hope the applications do what they say on the tin, every time.
Administrators don’t trust the “dumb users” in civilian environments, and are rightly concerned about spies in the “secure” ones. Everyone worries about the users; nobody worries about the code they run once it has been decided that it is safe to run. They trust the code, pretty much without thinking.
If a program wants to open a file, the programmer writes a line of C (the POSIX open call) like this:
int fd = open("filename", O_RDONLY, 0);
If your operating system allows this, it isn’t secure. Why do you trust the program to open whatever files it likes on the user’s behalf? Because it’s always been done that way, that’s why. Notice that the program presents no token for that particular file: it just names a path, and the OS only checks that the user running it could have opened that path. Every program therefore carries the user’s entire authority around with it, all the time. It’s called “ambient authority”, and it’s a Trojan Horse. Read up on it at Wikipedia here: https://en.wikipedia.org/wiki/Ambient_authority
Now, there is a safer way, one that doesn’t require more or different work on the user’s part.
Capability systems move the “dialog box” (file open) outside the application’s control, into a trusted part of the system. That trusted part opens the file the user picked and hands the resulting file handle (a “capability”) to the application, which can then use it as normal. The application never gets to name a path itself, so there is no longer any need to trust it with the ability to do anything at all that the user can do... this removes ambient authority.
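Here is an added example (my own code, not code from the original post) showing the two models side by side in Python. The names Powerbox, ReadCap, ambient_app and confined_app are illustrative, and the files it reads are constructed in a temporary directory when it runs. The “powerbox” plays the part of the file-open dialog: it holds the ambient authority, resolves the user’s choice, and hands the application a read-only handle with no path attached.

```python
# Added example, not from the original post: ambient authority versus a
# capability handed out by a trusted "powerbox". Names are illustrative.
import os
import tempfile


# --- Ambient authority: the app names files itself -------------------------
def ambient_app(chosen_path: str) -> tuple:
    """Counts lines in the chosen file, but because it holds a path and the
    process can open anything the user can, it can help itself to a neighbour."""
    with open(chosen_path, "rb") as f:
        lines = f.read().count(b"\n")
    secret_path = os.path.join(os.path.dirname(chosen_path), "secret.txt")
    with open(secret_path, "rb") as f:        # nothing stops this
        leaked = f.read()
    return lines, leaked


# --- Capability style: the powerbox opens, the app only uses ----------------
class ReadCap:
    """Attenuated handle: read-only, carries no path, can be revoked."""

    def __init__(self, fd: int):
        self._fd = fd

    def read(self) -> bytes:
        if self._fd is None:
            raise PermissionError("capability has been revoked")
        os.lseek(self._fd, 0, os.SEEK_SET)
        out = bytearray()
        while chunk := os.read(self._fd, 65536):
            out += chunk
        return bytes(out)

    def revoke(self) -> None:
        if self._fd is not None:
            os.close(self._fd)
            self._fd = None


class Powerbox:
    """Trusted code playing the 'file open dialog': it owns the ambient
    authority and hands back exactly one capability per user choice."""

    def __init__(self, directory: str):
        self._dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY)

    def grant_read(self, name: str) -> ReadCap:
        # One name relative to the directory fd: no separators, so no "../"
        # walks; O_NOFOLLOW refuses a symlink planted in the directory.
        if os.sep in name or name in (".", ".."):
            raise PermissionError("only a single file name may be granted")
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=self._dir_fd)
        return ReadCap(fd)

    def close(self) -> None:
        os.close(self._dir_fd)


def confined_app(cap: ReadCap) -> int:
    """Same job as ambient_app, but there is no path to open: the only file
    it can touch is the one the powerbox handed over."""
    return cap.read().count(b"\n")


def demo() -> dict:
    """Constructed scenario: one file the user picked, one they did not."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "chosen.txt"), "w") as f:
            f.write("line one\nline two\n")
        with open(os.path.join(d, "secret.txt"), "w") as f:
            f.write("hunter2\n")

        ambient_lines, leaked = ambient_app(os.path.join(d, "chosen.txt"))

        box = Powerbox(d)
        cap = box.grant_read("chosen.txt")
        cap_lines = confined_app(cap)

        cap.revoke()                       # user closes the document
        try:
            confined_app(cap)
            revoked_blocked = False
        except PermissionError:
            revoked_blocked = True

        try:
            box.grant_read("../secret.txt")  # app tries to steer the dialog
            escape_blocked = False
        except PermissionError:
            escape_blocked = True
        box.close()

    return {"ambient_lines": ambient_lines, "leaked_secret": leaked,
            "cap_lines": cap_lines, "revoked_blocked": revoked_blocked,
            "escape_blocked": escape_blocked}


if __name__ == "__main__":
    print(demo())
```

The confinement here is by construction: confined_app simply has no path to pass to open. On a real capability system that is enforced by the kernel (the process has no open call that takes a path), which is the part the OS would have to be rewritten for.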
Changes for the user - The dialog boxes look a bit different, but they work pretty much the same. No government employee is required to learn anything new.
Changes for programmers - Things are a bit different: you request a capability instead of showing a dialog box and then opening the file yourself. Not a huge shift for them.
Changes for the OS - Things have to be re-written, if you want deep security, on top of a proven microkernel, etc.... but even Windows could be made secure, IMHO. (Not EAL7, though, never.)
This subtle shift removes entire classes of attack from computing and makes the world safer. We all need capability-based computing. Thank you for your time and attention.

Tuesday, May 15, 2018

History - Lessons Unlearned? - Part one

Back in June 2015, the US Office of Personnel Management announced it had been hacked, in an intrusion attributed to Chinese state-backed attackers, who managed to make off with pretty much all of the personal information of everyone who has a security clearance, including the big long nasty form (the SF-86) where you tell them every little thing that makes you blackmailable, as part of your security clearance application. Oh, and fingerprints, too.

You can read all about it on Wikipedia - https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

In the summer of 2016, a group called The Shadow Brokers began publishing a series of leaks containing hacking tools from the National Security Agency (NSA). These tools targeted firewalls, antivirus software, and Microsoft products.

You can read all about it on Wikipedia - https://en.wikipedia.org/wiki/The_Shadow_Brokers

I’m no expert, but my reading of history informs me that in the 1970s, in response to the need to have a computer safely process “secret” and “top secret” data at the same time, Multilevel Security was invented, and through the decade, pretty much perfected. It strikes me as very odd that things aren’t more secure, as the technology exists, if you can afford it, to keep things secure.

Data diodes - are devices designed to allow data to flow in one direction only. They work, and have been around for decades. It is physically impossible to transfer data the wrong way through these things, not because of clever programming, but because the inbound link only has a fiber optic receiver, and is incapable of transmitting anything back out. The practical consequence is that nothing can be acknowledged across the link, so ordinary two-way protocols like TCP can’t be used end to end; whatever is sent has to be framed so the receiving side can check it and notice loss on its own.
You can read about data diodes on Wikipedia - https://en.wikipedia.org/wiki/Unidirectional_network
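To make the “no acknowledgements” point concrete, here is an added example (my own code, not from the original post, and not how any particular diode product frames its traffic) of the kind of one-way framing a sender must use across such a link. The fibre is stood in for by a Python list, the frame layout and magic value are made up for the example, and loss is simulated by dropping frames. Every frame is self-describing and carries its own hash; since the receiver can never ask for a resend, the sender repeats each frame, and the receiver reports gaps rather than requesting them.

```python
# Added example, not from the original post: self-describing, integrity-
# checked frames for a one-way link where nothing can flow back.
import hashlib
import struct

MAGIC = b"DIOD"                        # made-up frame marker for this example
HDR = struct.Struct("!4sIIH")          # magic, transfer id, seq, payload length
TRAILER_SEQ = 0xFFFFFFFF               # reserved seq for the end-of-transfer frame


def frame(transfer_id: int, seq: int, payload: bytes) -> bytes:
    """Header + SHA-256 of payload + payload; each frame checks on its own."""
    return HDR.pack(MAGIC, transfer_id, seq, len(payload)) + \
        hashlib.sha256(payload).digest() + payload


def send(data: bytes, transfer_id: int, chunk: int = 512, repeat: int = 2) -> list:
    """Split data into chunks and emit each frame 'repeat' times, since the
    sender will never hear whether a copy arrived. A trailer frame carries
    the chunk count and whole-transfer hash so the receiver knows when it
    is done and whether what it reassembled is what was sent."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    frames = []
    for seq, c in enumerate(chunks):
        frames.extend([frame(transfer_id, seq, c)] * repeat)
    trailer = struct.pack("!I", len(chunks)) + hashlib.sha256(data).digest()
    frames.extend([frame(transfer_id, TRAILER_SEQ, trailer)] * repeat)
    return frames


def receive(frames: list, transfer_id: int) -> tuple:
    """Returns (data, []) on success, or (None, problems) where problems is
    the list of missing chunk numbers or a description. The receiver can
    only log a gap; there is no channel on which to ask for a resend."""
    got, trailer = {}, None
    for f in frames:
        if len(f) < HDR.size + 32:
            continue                                   # truncated: drop
        magic, tid, seq, ln = HDR.unpack_from(f)
        digest = f[HDR.size:HDR.size + 32]
        payload = f[HDR.size + 32:HDR.size + 32 + ln]
        if magic != MAGIC or tid != transfer_id or len(payload) != ln:
            continue                                   # not ours / malformed
        if hashlib.sha256(payload).digest() != digest:
            continue                                   # corrupted: drop
        if seq == TRAILER_SEQ:
            trailer = payload
        else:
            got.setdefault(seq, payload)               # first good copy wins
    if trailer is None:
        return None, ["no trailer received"]
    total = struct.unpack_from("!I", trailer)[0]
    missing = [i for i in range(total) if i not in got]
    if missing:
        return None, missing
    data = b"".join(got[i] for i in range(total))
    if hashlib.sha256(data).digest() != trailer[4:36]:
        return None, ["whole-transfer hash mismatch"]
    return data, []


def lossy_link(frames: list, drop: set) -> list:
    """Constructed stand-in for the fibre: frames arrive in order except those
    whose index is in 'drop', which simply vanish. Nothing flows back."""
    return [f for i, f in enumerate(frames) if i not in drop]


if __name__ == "__main__":
    payload = bytes(range(256)) * 6                    # constructed 1536-byte file
    sent = send(payload, transfer_id=7)
    print(receive(lossy_link(sent, {0, 2, 5}), 7)[1])  # one copy of each lost: []
    print(receive(lossy_link(sent, {2, 3}), 7)[1])     # both copies of chunk 1 lost: [1]
```

The repeat count is the only knob the sender has: too low and a single dropped copy spoils the transfer, too high and the link is wasted, which is why real diode products spend effort on forward error correction and on making the receiver side report loss to an operator.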
Once upon a time, I got to see how work happens in classified environments during an open house... people actually work in big vaults. Computers which contain important secrets being worked on aren’t connected to the internet. Colloquially, these machines are said to be air-gapped. Now, there are attacks which can leak data out of these networks, but the good ones require physical access to the network (someone inside, or a planted device or infected removable media), not remote hacking.

You can read about air-gap on Wikipedia -  https://en.wikipedia.org/wiki/Air_gap_(networking)

Put air gaps and data diodes together, and you can build a system which can take data, even over the internet, get it into an air-gapped network, and never let it back out. Why was this not done? It boggles my mind. I’m OK with our secrets being collected and stored in a central location, with physically secure, redundant backups.

Now, a pile of secrets which can’t be accessed from the outside is useless.... there needs to be a controlled means of egress, something that humans can understand, and thus manage intelligently, with little cognitive load. I propose a simple way of doing this. Build a system wherein a personnel record can be requested from the real world, with the request making its way via a data diode into the secure environment. The request is reviewed, approved, and filled by a human using a computer, and the requested records are written to a single-use 1.44 MB floppy diskette. The operator then hands this diskette off to a different operator, who records the transaction and sends the information off via the internet. The used diskettes are then sent to a third person, who stores them in a vault should any back-checking of access, auditing, etc. be required.

I’m out of time.... more later.
Mike Warot - May 15, 2018

Sunday, May 13, 2018

Crisis solved, thanks to Mixxx the Free DJ Mixing Software App

So, thanks to Mixxx, I can now record stereo into my laptop with no external mixers, XLR cables, etc.

Here is a sample.


I'm an unreasonable man, about to prove it again.

The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. -- George Bernard Shaw

I am an unreasonable man... I have some ideas about how technology should work, and have a strong interest in keeping my ideals aligned with reality. There have been times in my life when I’ve been told something “just can’t be done”, directly or by circumstances. I tend towards proving otherwise; sometimes I fail, sometimes I don’t.

Back in the days of MS-DOS, I wrote a text search algorithm that was as fast as you could read from diskette... 10 times faster than the default one.

I was also told you couldn’t dual-boot Unix (this was well before Linux) and MS-DOS... after some hacks to the boot sector, it worked.

I did multitasking, and text pipes internal to Turbo Pascal programs in DOS, because I needed it.

Back in the days of OS/2, I wrote an application in assembler because I was told it couldn’t be done. It was a native-code Forth interpreter: Forth/2.

Lately I haven't done as much... but circumstances have arisen which I find most intolerable, and must be fixed, by me.

Situation: one Windows 10 laptop with 2 USB ports, and two brand new Blue Ice microphones, each of which works by itself. Audacity can’t record from both; it only allows one input.

I've just wasted most of my free time today trying all the usual options, none of which work.

I'm going to have to either write a multi-track recording program, or build some virtual mixer device, to solve this problem.

I'll write more once I've gotten a path figured out.  Thanks for your attention.