Architechnosecurigeek. Tinkerer. General trouble maker.

The anomaly of cheap complexity


Why are our computer systems so complex and so insecure?  For years I’ve been trying to explain my understanding of this question. Here’s one explanation–which happens to be in the context of voting computers, but it’s a general phenomenon about all our computers:

There are many layers between the application software that implements an electoral function and the transistors inside the computers that ultimately carry out computations. These layers include the election application itself (e.g., for voter registration or vote tabulation); the user interface; the application runtime system; the operating system (e.g., Linux or Windows); the system bootloader (e.g., BIOS or UEFI); the microprocessor firmware (e.g., Intel Management Engine); disk drive firmware; system-on-chip firmware; and the microprocessor’s microcode. For this reason, it is difficult to know for certain whether a system has been compromised by malware. One might inspect the application-layer software and confirm that it is present on the system’s hard drive, but any one of the layers listed above, if hacked, may substitute a fraudulent application layer (e.g., vote-counting software) at the time that the application is supposed to run. As a result, there is no technical mechanism that can ensure that every layer in the system is unaltered and thus no technical mechanism that can ensure that a computer application will produce accurate results. 

[Securing the Vote, pages 89-90]

So, computers are insecure because they have so many complex layers.

But that doesn’t explain why there are so many layers, and why those layers are so complex–even for what “should be a simple thing” like counting up votes.

Recently I came across a really good explanation: a keynote talk by Thomas Dullien entitled “Security, Moore’s law, and the anomaly of cheap complexity” at CyCon 2018, the 10th International Conference on Cyber Conflict, organized by NATO.

Thomas Dullien’s talk video is here, but if you want to just read the slides, they are here.

As Dullien explains,

A modern 2018-vintage CPU contains a thousand times more transistors than a 1989-vintage microprocessor.  Peripherals (GPUs, NICs, etc.) are objectively getting more complicated at a superlinear rate. In his experience as a cybersecurity expert, the only thing that ever yielded real security gains was controlling complexity.  His talk examines the relationship between complexity and failure of security, and discusses the underlying forces that drive both.

Transistors-per-chip is still increasing every year; there are 3 new CPUs per human per year.  Device manufacturers are now developing their software even before the new hardware is released.  Insecurity in computing is growing faster than security is improving.

The anomaly of cheap complexity.  For most of human history, a more complex device was more expensive to build than a simpler device.  This is not the case in modern computing. It is often more cost-effective to take a very complicated device, and make it simulate simplicity, than to make a simpler device.  This is because of economies of scale: complex general-purpose CPUs are cheap.  On the other hand, custom-designed, simpler, application-specific devices, which could in principle be much more secure, are very expensive.  

This is driven by two fundamental principles in computing: Universal computation, meaning that any computer can simulate any other; and Moore’s law, predicting that each year the number of transistors on a chip will grow exponentially.  ARM Cortex-M0 CPUs cost pennies, though they are more powerful than some supercomputers of the 20th century.

The same is true in the software layers.  A (huge and complex) general-purpose operating system is free, but a simpler, custom-designed, perhaps more secure OS would be very expensive to build.  Or as Dullien asks, “How did this research code someone wrote in two weeks 20 years ago end up in a billion devices?”

Then he discusses hardware supply-chain issues: “Do I have to trust my CPU vendor?”  He discusses remote-management infrastructures (such as the “Intel Management Engine” referred to above):  “In the real world, ‘possession’ usually implies ‘control’. In IT, ‘possession’ and ‘control’ are decoupled. Can I establish with certainty who is in control of a given device?”

He says, “Single bitflips can make a machine spin out of control, and the attacker can carefully control the escalating error to his advantage.”  (Indeed, I’ve studied that issue myself!)

Dullien quotes the science-fiction author Robert A. Heinlein:

“How does one design an electric motor? Would you attach a bathtub to it, simply because one was available? Would a bouquet of flowers help? A heap of rocks? No, you would use just those elements necessary to its purpose and make it no larger than needed — and you would incorporate safety factors. Function controls design.” 

Heinlein, The Moon Is a Harsh Mistress

and adds, “Software makes adding bathtubs, bouquets of flowers, and rocks, almost free. So that’s what we get.”

Dullien concludes his talk by saying, “When I showed the first [draft of this talk] to some coworkers they said, ‘you really need to end on a more optimistic note.’”  So Dullien gives optimism a try, discussing possible advances in cybersecurity research; but still he gives us only a 10% chance that society can get this right.


Postscript:  Voting machines are computers of this kind.  Does their inherent insecurity mean that we cannot use them for counting votes?  No. The consensus of election-security experts, as presented in the National Academies study, is: we should use optical-scan voting machines to count paper ballots, because those computers, when they are not hacked, are much more accurate than humans.  But we must protect against bugs, against misconfigurations, against hacking, by always performing risk-limiting audits, by hand, of an appropriate sample of the paper ballots that the voters marked themselves.

petrilli
11 days ago
Arlington, VA

Raspberry Pi Home Assistant Runs on Old Sony TV-511

Telefrag Entertainment has created a custom voice assistant system using Jarvis on a Raspberry Pi with video output to an old Sony TV-511 television.

petrilli
11 days ago
The future we could have had.
Arlington, VA

Three Arrows Capital crypto hedge fund defaults on Voyager loan


Prominent crypto hedge fund Three Arrows Capital has defaulted on a loan worth more than $670 million. Digital asset brokerage Voyager Digital issued a notice on Monday morning, stating that the fund failed to repay a loan of $350 million in the U.S. dollar-pegged stablecoin, USDC, and 15,250 bitcoin, worth about $323 million at today’s prices.

3AC’s solvency crunch comes after weeks of turmoil in the crypto market, which has erased hundreds of billions of dollars in value. Bitcoin and ether are both trading slightly lower in the last 24 hours, though well off their all-time highs. Meanwhile, the overall crypto market cap sits at about $950 billion, down from around $3 trillion at its peak in Nov. 2021.

Voyager said it intends to pursue recovery from 3AC (Three Arrows Capital). In the interim, the broker emphasized that the platform continues to operate and fulfill customer orders and withdrawals. That assurance is likely an attempt to contain fear of contagion through the wider crypto ecosystem.

“We are working diligently and expeditiously to strengthen our balance sheet and pursuing options so we can continue to meet customer liquidity demands,” said Voyager CEO Stephen Ehrlich.

As of Friday, Voyager said it had approximately $137 million in U.S. dollars and owned crypto assets. The company also noted that it has access to a $200 million cash and USDC revolver, as well as a 15,000 bitcoin ($318 million) revolver from Alameda Ventures.

Last week, Alameda (FTX founder Sam Bankman-Fried’s quantitative trading firm) committed $500 million in financing to Voyager Digital, a crypto brokerage. Voyager has already pulled $75 million from that line of credit.

“The default of 3AC does not cause a default in the agreement with Alameda,” the statement said.

CNBC did not immediately receive a comment from 3AC.

How did 3AC get here?

Three Arrows Capital was established in 2012 by Zhu Su and Kyle Davies.

Zhu is known for his incredibly bullish view of bitcoin. He said last year the world’s largest cryptocurrency could be worth $2.5 million per coin. But in May this year, as the crypto market began its meltdown, Zhu said on Twitter that his “supercycle price thesis was regrettably wrong.”

The onset of a new so-called “crypto winter” has hurt digital currency projects and companies across the board.

Three Arrows Capital’s problems appeared to begin earlier this month after Zhu tweeted a rather cryptic message that the company is “in the process of communicating with relevant parties” and is “fully committed to working this out.”

There was no follow-up about what the specific issues were.

But the Financial Times reported after the tweet that U.S.-based crypto lenders BlockFi and Genesis liquidated some of 3AC’s positions, citing people familiar with the matter. 3AC had borrowed from BlockFi but was unable to meet the margin call.

A margin call is a situation in which an investor has to commit more funds to avoid losses on a trade made with borrowed cash.

Then the so-called algorithmic stablecoin terraUSD and its sister token luna collapsed.

3AC had exposure to Luna and suffered losses.

“The Terra-Luna situation caught us very much off guard,” 3AC co-founder Davies told the Wall Street Journal in an interview earlier this month.


Contagion risk?

Three Arrows Capital is still facing a credit crunch exacerbated by the continued pressure on cryptocurrency prices. Bitcoin hovered around the $21,000 level on Monday and is down about 53% this year.

Meanwhile, the U.S. Federal Reserve has signaled further interest rate hikes in a bid to control rampant inflation, which has taken the steam out of riskier assets.

3AC, which is one of the biggest crypto-focused hedge funds, has borrowed large sums of money from various companies and invested across a number of different digital asset projects. That has sparked fears of further contagion across the industry.

“The issue is that the value of their [3AC’s] assets as well has declined massively with the market, so all in all, not good signs,” Vijay Ayyar, vice president of corporate development and international at crypto exchange Luno, told CNBC.

“What’s to be seen is whether there are any large, remaining players that had exposure to them, which could cause further contagion.”

Already, a number of crypto firms are facing liquidity crises because of the market slump. This month, lending firm Celsius, which promised users super high yields for depositing their digital currency, paused withdrawals for customers, citing “extreme market conditions.”

Another crypto lender, Babel Finance, said this month that it is “facing unusual liquidity pressures” and halted withdrawals.

— CNBC’s Ryan Browne contributed to this report.

petrilli
52 days ago
"How did it get here?" Because the entire cryptocurrency world is a Ponzi scam?
Arlington, VA
acdha
52 days ago
Washington, DC

Twitter to allow Musk to speak at an all-hands call


A decision that either demonstrates a whole lot of confidence that Musk will still be purchasing Twitter, or is just extremely reckless, has apparently been made by Twitter CEO Parag Agrawal. Certainly, Agrawal knows things we all do not, but if Musk doesn't buy his company, the damage done by this failed acquisition will certainly be sizeable.

petrilli
66 days ago
I'm going to go with extremely reckless.
Arlington, VA

Taiwan Restricts Russia, Belarus to CPUs Under 25 MHz Frequency

Taiwanese government effectively bans all high-tech exports to Russia and Belarus.

petrilli
79 days ago
Ouch that's gonna hurt.
Arlington, VA

DEA Investigating Breach of Law Enforcement Data Portal


The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.

Unidentified hackers shared this screenshot of alleged access to the Drug Enforcement Administration’s intelligence sharing portal.

On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA.

KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the Federal Bureau of Investigation (FBI), and the Department of Justice, which houses both agencies. The DEA declined to comment on the validity of the claims, issuing only a brief statement in response.

“DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent,” the agency said in a statement shared via email.

According to this page at the Justice Department website, LEIA “provides federated search capabilities for both EPIC and external database repositories,” including data classified as “law enforcement sensitive” and “mission sensitive” to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA’s El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community.

EPIC and LEIA also have access to the DEA’s National Seizure System (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins).

“The EPIC System Portal (ESP) enables vetted users to remotely and securely share intelligence, access the National Seizure System, conduct data analytics, and obtain information in support of criminal investigations or law enforcement operations,” the 2016 White House document reads. “Law Enforcement Inquiry and Alerts (LEIA) allows for a federated search of 16 Federal law enforcement databases.”

The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

Claims about the purloined DEA access were shared with this author by “KT,” the current administrator of the Doxbin — a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly.

As KrebsOnSecurity reported earlier this year, the previous owner of the Doxbin has been identified as the leader of LAPSUS$, a data extortion group that hacked into some of the world’s largest tech companies this year — including Microsoft, NVIDIA, Okta, Samsung and T-Mobile.

That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley.

Weaver said it’s clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases.

“I don’t think these [people] realize what they got, how much money the cartels would pay for access to this,” Weaver said. “Especially because as a cartel you don’t search for yourself you search for your enemies, so that even if it’s discovered there is no loss to you of putting things ONTO the DEA’s radar.”

The DEA’s EPIC portal login page.

ANALYSIS

The login page for esp.usdoj.gov (above) suggests that authorized users can access the site using a “Personal Identity Verification” or PIV card, which is a fairly strong form of authentication used government-wide to control access to federal facilities and information systems at each user’s appropriate security level.

However, the EPIC portal also appears to accept just a username and password, which would seem to radically diminish the security value of requiring users to present (or prove possession of) an authorized PIV card. Indeed, KT said the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.

It’s not clear why there are still sensitive government databases being protected by nothing more than a username and password, but I’m willing to bet big money that this DEA portal is not the only offender here. The DEA portal esp.usdoj.gov is listed on Page 87 of a Justice Department “data inventory,” which catalogs all of the data repositories that correspond to DOJ agencies.

There are 3,330 results. Granted, only some of those results are login portals, but that’s just within the Department of Justice.

If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.

I’ll say it because it needs to be said: The United States government is in urgent need of leadership on cybersecurity at the executive branch level — preferably someone who has the authority and political will to eventually disconnect any federal government agency data portals that fail to enforce strong, multi-factor authentication.

I realize this may be far more complex than it sounds, particularly when it comes to authenticating law enforcement personnel who access these systems without the benefit of a PIV card or government-issued device (state and local authorities, for example). It’s not going to be as simple as just turning on multi-factor authentication for every user, thanks in part to a broad diversity of technologies being used across the law enforcement landscape.

But when hackers can plunder 16 law enforcement databases, arbitrarily send out law enforcement alerts for specific people or vehicles, or potentially disrupt ongoing law enforcement operations — all because someone stole, found or bought a username and password — it’s time for drastic measures.

petrilli
98 days ago
Wait, so are these the people we're supposed to "trust" with crypto backdoors?

Nope.
Arlington, VA