On the darker side
- It’s just theory and the technology of it is very much over my pretty little head. But Bruce Schneier notes that it’s possible to insert surveillance almost undetectably at the microchip level.
- More evidence that while the NSA may know what you’re doing, it has no idea what its own people are doing.
- The ACLU doesn’t come right out and call the FBI America’s secret police. But pretty close. Alas, they still imagine the agency might investigate and reform itself. (Via Sipsey Street)
- But of course, it’s all just okey-dokey-hunky-dory-nifty-zorch because none of it’s unconstitutional!
On the lighter side
- Bad dog!
- Even badder dog.
- Really
terriblegood dog! Even better yet, here’s the hilarious animation a local New Zealand news program created to illustrate this particular dog story. - New Jersey may be the worst state in the nation for gun rights (and a lot of other things). But here’s a big one they haven’t banned. (H/T JW)
- I don’t know whether this is “lighter side” or “darker side.” But it’s strange: It’s possible for one person to carry more than one genome and scientists are realizing it’s not as uncommon as they thought.
The “DNA Double Take” is interesting – and could play havoc with some anthropological or evolutionary theories. Scientists like to appear knowledgeable, but we may be more complicated than they can explain. Where did these different DNA come from: was it a simple natural mutation? Or neanderthal vs homo sapiens ancestry? Or might influence from different parts of the world affect our DNA (apart from race itself)?
I can also see lawyers and prosecutors lining up to fight over which DNA was chosen when DNA was tested in a crime case. If we might have two DNA, how can they know if DNA is accurate for guilt or innocence? (Will they have to test twice – or more? – before any DNA is accepted?)
Love the dog escaping from the kitchen video. Hilarious!
I’m kind of glad that scientists haven’t figured out our DNA yet.
Avoid the NYT login. Dunno how much is reproduced.
http://blogs.smithsonianmag.com/smartnews/2013/09/one-woman-can-have-multiple-genetic-identities-hers-her-secret-one-and-all-her-kids/
Also this: http://talklikeapirate.com/
Arrrrrrrr!
The manufacturere of microchips can pretty much insert any kind of code, good or bad, into those microchips, doesn’t have to be a second or third party. Makes one wonder about who is watching the microchip makers.
Let’s see… if we tell people we have a peanut allergy, we can immediately get all sorts of work arounds, concessions and abject attention to our every demand. Can’t we tell the PTB that we’re allergic to microchips?
🙂
The article on genetics is absolutely fascinating. When I was studying such things, this wasn’t even mentioned! Thanks for finding that one. I’ve already sent the link to several people I know who are doing genetic testing right now.
[And it can be done at mask generation — very late in the design process — since it does not require adding circuits, changing the circuit layout, or anything else. All this makes it really hard to detect.]
As someone who wrote diagnostic software for some years, I sincerely doubt this. When writing tests you have to check the operation of every gate in the machine – even more so when the chip gets put into a gazillion computers around the world. Bugs do appear in hardware but it is a company-threatening event when it happens.
Also keep in mind that hardware is very often if not always modeled in software (actually that is what diagnostic testing is – comparing hardware results with the software model of that hardware). The only way to sneak in something like this would be to subvert the entire test department. Maybe not impossible, but a heck of a lot more difficult than Schneier imagines. And this can be done after the case too. You could check how random the generator really is. No doubt some non-Intel techies are doing just that now that the question has come up.
I haven’t worked with random number generators though; that may be more difficult to test than other types of circuits. Computers are generally supposed to be deterministic – EXCEPT that part generating random numbers. But this hardware attack seems like a very expensive way to do the same thing you could do by attacking software…
In the comments of Schneier’s blog post there was this very juicy Cold World link:
http://fcw.com/Articles/2004/04/26/Tech-sabotage-during-the-Cold-War.aspx?Page=1
Looks like I might have to upgrade my opinion of Reagan. The games the rulers play – must be fun. Even when they are gambling with our lives…
Of course the American state is looking a lot more like the old Soviet state these days. Who knows what side will prevail this time.
Also another comment:
[Have a good-quality entropy collector, feed it entropy from device drivers *and* entropy from your on-chip TRNG. Then by the definition of “good-quality entropy collector”, if either of those sources of entropy is good then the output is good. The TRNG protects you against side-channel attacks on your devices, and the devices protect you against Intel-sabotaged reduced entropy in the TRNG. Only if the attacker can do both at once do they win.]
Apparently even if one source of randomness is compromised, combining that with other good sources still generates a good result. So Linux (which uses this method, don’t know about Windows) is still OK I think. But to be honest, whenever people are using random number generators in Linux (e.g. to fill a hard drive preparatory for encryption), they always use (and are advised to use) /dev/urandom rather than /dev/random. It’s done for performance reasons – even the former takes a loooong time to fill our gigantic disks. But /dev/urandom is far less random than /dev/random.
Oh, well. “There’s security in obscurity” I guess. We can hope anyway…
California college student prevented from handing out copies of U.S. Constitution on Constitution Day 2013 on campus of Modesto Community College. Story and video of his interaction with campus cop and college administrator.
http://www.myfoxdc.com/story/23483119/california-college-bars-student-from-handing-out-copies-of-constitution#axzz2fSBT7ENv
I think that wonderful “bad dog” statue peeing on a building should be moved to DC where it could go from building to building. Lovely new image for the expression “piss on it”.
I have a small exposure to hardware random number generators. There are some processes to test them too. Places such as Fourmilab have algorithms. I’ve played a bit with this, without good results, but then I’m no expert on digital circuits. I’ll get back to it at some point, because it’s fun. I’ve played with both the paired inverter circuit described by Intel (but without their secret sauce) and with avalanche noise from reverse-biasing a zener diode.
The Diehard tests are available as GPL’d code. Here’s some more link dump: (Once more, into the queue, Horatio!)
http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber-generator/0
http://csrc.nist.gov/groups/ST/toolkit/rng/stats_tests.html
http://www.lavarnd.org/
http://www.fourmilab.ch/hotbits/how3.html
To get true randomness, you need to find something chaotic, and tap into it. I don’t know when Intel started putting random generators in their CPUs, but the method they’re employing seems sound. Also, if your computer has a TPM chip, there’s a RNG in there too.
Coincidentally, Freedom to Tinker just published an article about an older OpenSSL bug, where the PRNG got broken. It’s a good read, if for no other reason than a couple links to good comics.
BTW, I’m unconcerned about Intel’s ‘secret sauce’ for conditioning the bit stream coming from the inverter circuit. The gov buys a lot of Intel-based product, and they want their encryption to be non-broken. And, as we know, they have other avenues of attack.
Claire has a Lava Lite lamp, so she has a source of chaos. I’m sure she’d say it’s no the only one! 😉
The microchip hack isn’t “almost undetectable.” It is essentially completely undetectable with presently available methods. The authors of the paper have better than decent expertise and discuss why presently available chip tests and examination of the random bit stream will not disclose the attack.
Now that the attack is disclosed, research will eventually develop defenses. No telling how long that will take and how expensive and practical.
The defense now is to run the output of the chip through a high-quality, open-source software PRNG like Fortuna. While open-source is no panacea, and vulnerabilities will continue to be discovered in software, programs like GPG should still provide decent protection, so long as the machine is well secured.
On the DNA article: Biology is sometimes called “the sloppy science” for good reason. The exceptions often outnumber the rules!
(Personally, I think that’s part of the fun.)
[The microchip hack isn’t “almost undetectable.” It is essentially completely undetectable with presently available methods.]
It’s detectable by someone spilling the beans. 🙂 Like Snowden…