* Posts by Rajesh Kanungo

48 posts • joined 23 Apr 2018

'This collaboration is absolutely critical going forward'... One positive thing about Meltdown CPU hole? At least it put aside tech rivalries...

Rajesh Kanungo

Re: What an absurdity!

I, for not a single moment, believe that the Intel security team did not realize that there were security holes. I think that they were, like in most companies, pushed aside. It was a business tradeoff. Most businesses have to make trade-offs based on the projected Loss. Speculative instruction execution, always raises the hackles in most security engineers. I remember quizzing a certain chip vendor about it and they were not surprised by my line of questioning.

Intel will only change if the market pressure is high enough or because of regulations and fines. Maybe GDPR can be used against Intel. The fines are 2-4% of global revenue. The previous CEO sold his stock when these issues were discovered.

Let's look at it in a different market: We all know that cars are extremely hackable. Even the Tesla gets hacked (nowadays with great difficulty). The reasons that Auto companies can skate around cyber security is:

1. No car has been hacked in the field by the bad hackers (white hat hackers not included)

2. No one has died.

3. They have cyber insurance.

4. Market doesn't care enough.

5. There are no NHTSA requirements to do so. Guidelines only.

ACLU: Here's how FBI tried to force Facebook to wiretap its chat app. Judge: Oh no you don't

Rajesh Kanungo

Re: Lets approach this from an application design perspective

It is simpler than that. FB voice calls are not encrypted end to end. They are encrypted to the cloud and back.

Rajesh Kanungo

CALEA with warrant applicable or not?

Can someone explain why simple CALEA can't be used to force FB to intercept and relay voice calls when a warrant is produced, please? Is it because it is not an actual PSTN kind of service? Right now, all my calls go over cellular so the govt can intercept it. Or is it that the govt wants to have unrestricted access to all phone conversations?

At least Sony offered a t-shirt, says macOS flaw finder: Bug bounties now for Macs if you want this 0-day, Apple

Rajesh Kanungo

Bug bounties pay almost nothing on an average ...

Seems like it is vary hard making a living off finding bugs. Given that fixing a regular bug in the field costs $100K or more, the payments are measly.

https://blog.trailofbits.com/2019/01/14/on-bounties-and-boffins/

Rajesh Kanungo

Re: just sell it

As someone else pointed out, it is an ethics issue. Also, once you cross over you are tainted for ever.

Rajesh Kanungo

Re: Market share

The MacBook share and numbers are growing in a shrinking overall PC market.

Cops told: No, you can't have a warrant to force a big bunch of people to unlock their phones by fingerprint, face scans

Rajesh Kanungo

Does it apply to US ports?

I know that the US Customs/border have a lot of leeway (a polite way to say that they ignore the Constitution). Would the legal types be able to say if this ruling could be applicable at the US border/Airport/etc. ?

At some point or the other I fully expect them to copy my laptop drive and my phone not because I have super secret documents but because they can.

What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection

Rajesh Kanungo

What is the penalty?

I have been in security for 20 years and I have come to the following realization:

People will not fix security issues unless there is a penalty (market share drop, people die, lawsuits, recalls, etc.). No one follows SDLC unless there is visible harm or a profit. Even GDPR is not a concern here.

Rajesh Kanungo

Airgap a wireless device?

Airgapping a wireless device is an oxymoron unless you have a Faraday cage surrounding the device.

Poland may consider Huawei ban amid 'spy' arrests – reports

Rajesh Kanungo

Re: RFC...

MAC address can be easily spoofed. In fact most Ethernet chips come with the chip manufacturer's MAC ID but once you place it on a device (e.g. a router, camera, etc.) you switch it to the device manufacturer's IDs. It is easy to masquerade ... unless we also have some form of digital signature at the MAC layer. Which would imply that each processor has a private key. There are signature anonymization techniques that would protect the privacy of the device ...

Facebooker swatted, Kaspersky snares an NSA thief, NASA server exposed, and more

Rajesh Kanungo

Re: Jira

I don't know the specifics of THIS case, but I have seen this all to often. Most developers like remote access. Sometimes Jira is opened up for customer/partner/collaborator/vendor access too. They may have done it to 'simplify' access.

Senator Wyden goes ballistic after US telcos caught selling people's location data yet again

Rajesh Kanungo

Re: Instead of piecemeal legislation

The trouble in the US is that this is all you can hope for.

Rajesh Kanungo

Re: Re-seller

An MVNO uses a regular carrier. I would not be too sure that the carrier is not able to get to your whereabouts. You are still using the carriers' towers.

Stormy times ahead for IBM-owned Weather Channel app: LA sues over location data slurp

Rajesh Kanungo

IBM should settle, shut down the App.

It will be better for IBM to not get its brand-name tainted, all for this silly app. Large corporations, governments, non-profits, etc. rely on IBM to be trustworthy. If they fail, they should just own it, slaughter the culprits, quickly, and move one. The longer they fight it the more they will look like FB. And customers will challenge them all the time. I hav a lot of respect for IBM as an entity and I have worked in security long enough to know that these mistakes occur but one needs to correct the mistakes and move on. I'd have said, 'Oh shit, we will fix it, and here is $20M for your city, used for buying IBM stuff (at full price, and we get a tax break), and lets smile for a photo-op and thanks for helping us. We love you for how you have helped us and make us a better IBM. Thank you.'.

Rajesh Kanungo

Re: GDPR?

2-4% of Global revenue or $2M in fines, whichever is higher.

Rajesh Kanungo

Re: Yes

Thank you !!!

Hope you're over that New Year's hangover – there's an Adobe PDF app patch to install

Rajesh Kanungo

Case for a Minimalistic PDF Reader?

Is there a way we can get a minimalistic PDF reader that just renders stuff. No code execution, no access to local files, etc.? Oh, you mean documents which include other documents? Should be a local file read ... if other software can safely access files Adobe can too.

Adobe seems to have done a good job capturing the market and then doing everything possible to give it away. I once was invited to a security Webinar requiring me to install Adobe Flash. I sent Intel a polite note explaining the problem ...

Nice phone account you have there – shame if something were to happen to it: Samsung fixes ID-theft flaws

Rajesh Kanungo

Re: No No No -- Not The "Referer" Alone

I simply don't understand why they don't use client side HTTPS/TLS authentication along with the server side authentication. It is so seamless that I have a hard time explaining it to people.

Oz opposition caves, offers encryption backdoor compromise

Rajesh Kanungo

#5 is completely true; have worked with many Aussies who go into pre-frontal cortex deficient mode when I tell them that govt spying is bad or that the stuff they are proposing will nor work. By using the two trigger words, the govt captures their brains. If you tell them that it is easy to bypass those controls, their usual comeback is, "So you support the terrorists and pedophiles". SMH.

Rajesh Kanungo

In order to read it, they have to store it somewhere, transmit it, search through it, catalog it, etc. Why hack the communication when the Eve can just hang around and steal the processed and digested information.

Rajesh Kanungo

In order to read it, they have to store it somewhere, transmit it, search through it, catalog it, etc. Why hack the communication when I can just hang around and steal the processed and digested information.

Rajesh Kanungo

Re: Would this be illegal?

Good point. Compromising the RNG would be bad for the health of ALL crypto. That may be what they may be alluding to. Or push for. They might actually propose Dual_EC_DRBG. Hard for a normal human to test for randomness. I am sure that quantum computing will be put to "good use" when it becomes available. (sarcasm).

Rajesh Kanungo

Would this be illegal?

Alice and Bob, Aussie and British citizens respectively, each create Elliptical curve key pairs.

Alice and Bob call each other and exchange their public keys.

They then send messages to each other, using ECIES.

Suppose they do rapid ephemeral key exchanges. Would the govt like to keep track of the ephemeral keys too? How many?

Can I generate an ephemeral key every 100 ms or so.

Will the government like to keep track of all the keys?

Programs like Signal: can Dick ban them? How?

Alice’s homeland dictator, Dick, may get overwhelmed.

Linux kernel Spectre V2 defense fingered for massively slowing down unlucky apps on Intel Hyper-Thread CPUs

Rajesh Kanungo

Intel Hyper threading is an oxymoron anyway

In general I have associated hyperthreading to imply a large number of threads.

Intel uses 2 threads per core and calls it hyper.

I know companies which have built processes with 64 threads per core.

Threads were really meant, in these systems, for computational separation but not memory isolation. For example, you establish a pipeline of processes that data has to flow through to end up at a socket endpoint.

Intel, at some point, may have pushed this as a mkt advantage, selling ‘more’ cpus than they really had.

Are there many applications that get a performance boost IRL from threading? The requirements for cache coherence is extremely tight. I can think of same instruction same data as the basic requirement.

Rajesh Kanungo

Re: That can't be right!

He swore off profanity.

MIT to Oz: Crypto-busting laws risk banning security tests

Rajesh Kanungo

Re: Aussies just will not let us win at anything

Brexit.

Empire state of mind: NYC scatters palm leaves for Bezos' cloudy web shop juggernaut

Rajesh Kanungo

Re: DC and MD are the big winners

1.2B per year subsidy, I.e. 48k per year per employee subsidy for the first 4 years. State + city taxes are roughly 12-15k per year. So payroll taxes doesn’t make up for the loss.

I guess it is corporate welfare.

My bet is Jeff Bezos already knew where he wanted his HQ2 but was trying to get a good bargain.

We asked 100 people to name a backdoored router. You said 'EE's 4GEE HH70'. Our survey says... Top answer!

Rajesh Kanungo

Re: What would happen

I have seen this argument used many times. The problem is you end up with a Maginot Line effect. Any compromised device on the network can be used to compromise the router. Plus there are ways for JS to initiate a login to the router. So badly implemented browser security can let that happen. The right way to do secure design and implementation is to have security well implemented in ALL components.

Who ate all the PII? Not the blockchain, thankfully

Rajesh Kanungo

Unless you are in the US

Here your personal data belongs to everyone else but not to you.

It's the real Heart Bleed: Medtronic locks out vulnerable pacemaker programmer kit

Rajesh Kanungo

Re: Humanity is doomed

Lack of empathy, narcissistic personalities, money.

Apple forgot to lock Intel Management Engine in laptops, so get patching

Rajesh Kanungo

Open source processors may be a step

Every cpu security system has been blown wide open. Sometimes it seems that while one part of a cpu team is working hard to secure something, the other part is working hard to undermine the security.

Having managed many sdlc programs, I spent more time going on detective missions where I’d eventually find out a team slipped in a web server, a diagnostic tool, a debug process, etc. without informing us or even documenting it.

And once a device was out in the field there were almost no recalls and the support staff were hooked on to the easy diagnostics (see, no passwords required).

One famous chip vendor’s software team turned off static code analysis because it was giving out too many criticals.

One server code based I scanned had 98,000 criticals. Yup.

In both cases the decision was made to hide everything from my team. Fortunately the CEO stepped in ...

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

Rajesh Kanungo

Entirely plausible

Completely plausible. The best proof would be an actual Supermicro board with the spy chip. My only question is, why do it and get a bad rap? My bet is that China has multiple approaches and this got caught. Moreover, China may have realized that the US was aware of the spy chip. So the US went public with it.

Rajesh Kanungo

Re: My take?

Actually, Bloomberg would have been sued by Apple, AWS, Supermicro by now. Bloomberg had multiple sources confirming the insertions.

Rajesh Kanungo

Re: It's simpler

Agreed. Also, adding extra circuitry in the larger processor is probably easier to catch during root-cause analysis than something you never knew existed.

Rajesh Kanungo

Re: From Amazon's denial

The first case was from the acquisition. So yes, Amazon probably knew about it happening on US soil.

Rajesh Kanungo

Re: Chinese agents slip spy chips into Super Micro servers

The Intel ME bugs may not have been known or there could have been the fear of the bugs being fixed. Moreover, any attacks would take known paths so they could be blocked.

Rajesh Kanungo

Re: 'None of the actors can be taken at face value

The boards are not 'normal'. Just ask the board manufacturer to add the spy tips. In China it is not that difficult. The supply chain has been infected all the way to the component level.

America cooks up its flavor of GDPR – and Google's over the moon

Rajesh Kanungo

Preemptive strike against real privacy

This work is to prevent real privacy from being discussed. The companies will want to further dilute everything and then some.

And obviously no fines.

Watt the heck is this? A 32-core 3.3GHz Arm server CPU shipping? Yes, says Ampere

Rajesh Kanungo

Re: Has no one learned the Calxeda lesson?

First sensible response. Maybe there (4) Where is the innovation? (Business, power, performance, management, etc.) should be mentioned more clearly. Not clear if having a totally different architecture works for businesses as it competes with an already x86 humming server ecosystem.

Maybe the authors or inventors haven't been able to articulate the win or they are keeping that under wraps.

Rajesh Kanungo

Why is it better?

Some of the issues I see are:

Negatives:

1. Software: The Servers including virtualization tools are all standardized around x86 (Intel, AMD). In fact, there is a lot more invested in software than in the HW.

2. Architecture: If the competition is based purely on architecture, the server team will look for highly dedicated (NVIDIA type), or the generalized architecture. A general purpose ARM CPU doesn't buy you anything special. Why not stick to AMD or Intel?

3. Silicon: TSMC may have an advantage in Silicon over Intel but Intel has been pumping out these processors for a long time and beating them on Silicon is an iffy strategy at best. If AMD is having a hard time competing then how can you expect a whole different architecture to win?

Positives:

1. Watts: Clearly ARM has an advantage when it comes to lower watt CPU but at the higher end, I don't see it being a deal breaker unless the difference is huge. Nothing seems to indicate otherwise.

2. Bottom up: Remember how DEC stole the market from IBM, Sun from DEC, and then Intel from SUN? My believe is that when the majority of the CPU's are ARM systems, which they already are, that they will slowly move into the mainframe.

However, this will take time.

3. Customization: ARM Cpu's can be customized at a faster rate than intel CPU's. ARM CPU's with full blown AI engines, DSP's etc. are very common.

4. Multiple vendors for CPU choices: Unlike Intel or AMD, ARM allows anyone to find a vendor with close enough specs to what they need. If there isn't one then you can have a vendor design and spin one for you. You want one with 3 DSP cores, 2 Neural network cores, etc. and can't find one? Ask a vendor to make you one.

Apple did something like this in-house for their iPhone since Intel can't put everything they want in the CPU at the rate they want it. (plus the power consumption controls ...)

Ultimately ARM will win because of the speed of customization is in months and it will keep on eating into the x86 market. It will, however, take time.

How to nab a HTTPS cert for a stranger's website: Step one, shatter those DNS queries...

Rajesh Kanungo

Re: Paranoid AF

I would definitely go after the RNG too. Or the software stack to retrieve the keys. One has to just look at cvedetails.com to realize how vulnerable our software is.

Rajesh Kanungo

Re: Paranoid AF

Key size is not a measure of crypto strength when the algorithms are different. Enigma had fundamental flaws. It doesn't mean AES doesn't. But we currently don't know of any real ones.

Just to further confuse the issue, AES-128 is stronger than AES-256. AES-256 refers to the key size and not the block size. Bruce Schneider and others pointed out that the number of rounds were too few.

Finally:

Look up Dan Bernstein's ChaCha, Salsa and Poly series of ciphers and MAC. They have been adopted by many non-government related entities like Google, are being proposed for various RFC's etc.

You are right to be paranoid for a different reason ... quantum crypto attacks are coming.

https://www.linkedin.com/pulse/crypto-armageddon-nsa-says-current-asymmetric-key-quantum-kanungo/

And badly implemented crypto can lead to side channel attacks. The simplest one is a timing attack ...

https://www.linkedin.com/pulse/simple-ecc-implementations-approach-side-channel-attacks-kanungo/

Boffins are building an open-source secure enclave on RISC-V

Rajesh Kanungo

Re: Please no

Someone just broke into the IME via JTAG.

https://www.theregister.co.uk/2018/08/29/intel_jtag_flaw/

Rajesh Kanungo

Anything can be skewed, TRNG, side channel, extra registers, etc

Tampering with the Silicon: It is probably quite easy to skew the RNG. There goes all ECC. If you are more bold, you might even have a separate pathway to extract secrets (private, symmetric, passwords, etc.). One could also introduce modes where side-channel attacks became easier ...

So you’ve got a zero-day – do you sell to black, grey or white markets?

Rajesh Kanungo

Question of ethics

We know that FB sold information to Cambridge Analytica which was used to target citizens in various elections around the globe. Both FB and CA made a ton of money. FB was also the platform of choice for Russian trolls. So FB made money from them.

I KNOW I will never do this but as a security professional, I can see an immoral person justifying selling an FB 0 day to a foreign agency and keeping the money for himself. This is a very slippery slope.

Companies are making a ton of money writing bad software and not following SDLC. Shouldn't they be to blame? I can see occasional mistakes slipping through the cracks but a whole slew of them? Every day I hear of flash 0 days. What is up with that? And they are still making money?

Intel's security light bulb moment: Chips to recruit GPUs to scan memory for software nasties

Rajesh Kanungo

Graphics co processors are written for speed

Traditionally, software (and the microcode) written for GPU's is optimized for blindingly fast performance. Don't check for nulls, ranges, types, etc. Just make it run fast. That makes them nice targets for hackers.

Would security experts who have graphics chip knowledge have any insights into the feasibility of being proposed? Would a hacker not target the GPU and take advantage of it?

Microsoft has designed an Arm Linux IoT cloud chip. Repeat, an Arm Linux IoT cloud chip

Rajesh Kanungo

Isolating the communications is good

In general, IoT attacks occur via normal communications mechanisms and less likely via hardware. In some areas the latter is fairly common; smart meters, set top boxes, etc. It is interesting to see MS isolate the basic communications outside of the main functionality. I wonder how far the isolation goes. Would a driver issue create main kernel issues or is it isolated to the baseband co-processors?

Moreover, how do you isolate higher level communication stack vulnerabilities from the rest of the system?

Maybe someone can educate me.

Also, I think MS intends to open up the VHDL to inspection, right? If not it will be an uphill battle to expose issues.

Rajesh

Brains behind seL4 secure microkernel begin RISC-V chip port

Rajesh Kanungo

Key management/Crypto operations

I looked through the ISA and somethings I work with on a regular basis are not there. I guess ISA can be used to implement a secure element? But then, how does it beat a Javacard? The instruction set is too rich for a standard Javacard. Some of the things I do regularly:

1. Secure keys stores including One Time Programmable key stores

2. Secure boot

3. Cryptographic operations

4. Secure elements for operating on sensitive data with sensitive keys. The moment you pul keys into regular memory you are toast; just freeze the DRAM and read it out. Or rely on a software bug.

5. Handling large numbers of keys (i.e. a key-chain).

6. Introduce new cryptographic algorithms.

7. Optimizing energy consumption/peak performance/speed depending upon use-case.

Just protecting address spaces hasn't worked: most applications will need to pull keys from somewhere to use them and therein lies the problem.

Biting the hand that feeds IT © 1998–2019