From: amzoti on
On Jul 12, 9:54 am, unruh <un...(a)wormhole.physics.ubc.ca> wrote:
> On 2010-07-12, adacrypt <austin.oby...(a)hotmail.com> wrote:
>
>
>
> > On Jul 11, 7:46 pm, WTShaw <lure...(a)gmail.com> wrote:
> >> On Jul 11, 11:37 am, amzoti <amz...(a)gmail.com> wrote:
>
> >> > On Jul 11, 2:51 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
>
> >> > > The race between producers of malware and producers of anti-malware is
> >> > > well-known. It is IMHO natural to assume that the former, being the
> >> > > 'active' partner, have some advantages in this race and so the computer
> >> > > of an average user has always a very real chance of being infected
> >> > > without detection, no matter how much money he invests in purchasing
> >> > > software to protect his computer and how careful and disciplined he
> >> > > does his work.
>
> >> > > I think it even may not be entirely foolish to question the (absolute)
> >> > > safety of protection software themselves, for these are as a rule
> >> > > trusted based on the market reputation of the producers only, if I
> >> > > don't err.
>
> >> > > I remember the time of the first PC that I used, where a few colleagues
> >> > > of mine were regularly reading and adapting some parts of the operating
> >> > > system (CP/M), apparently with ease. Nowadays, who among the users of
> >> > > computers have competent knowledge (and means) to understand some
> >> > > details of an OS, let alone checking and modifying them? And the previous
> >> > > question certainly applies here as well.
>
> >> > > Without saying, all other foreign software downloaded are in principle
> >> > > (maybe more) questionable.
>
> >> > > BTW, a recent article on cyber warfare could serve also for looking at
> >> > > the matter from a different standpoint:
>
> >> > >    http://www.economist.com/node/16478792
>
> >> > > M. K. Shen
>
> >> > Why would you think there is only one attack profile from
> >> > <who_cares_***>_ware?
>
> >> > For example, look at: http://www.eskimo.com/~joelm/tempest.html
>
> >> > If it is electronic (or otherwise), it is vulnerable as the number of
> >> > attack profiles is limitless and one only needs to get past the
> >> > weakest link.
>
> >> > Forgive my theft of Einstein's quote with a slight modification.
>
> >> > "It's not only worse than you imagine, it's worse than you can
> >> > imagine! "
>
> >> > Cyber warfare can be equated to the war on drugs - what a joke - but
> >> > it makes for great articles, journal and research papers.
>
> >> There are simple strategies that work.  Bad design can be countered
> >> with good protocols to isolate the weaknesses, not talking about
> >> endless patches but the absurd use of common sense to do the obvious.
> >> "The path to ruin is well trodden."
>
> > Hi W.T,
>
> > This topic is outside of my remit and indeed my knowledge in the
> > context of mutual database cryptography - however, I have in mind a
> > free standing computer at Bob's end i.e. not connected to the internet
> > - the ciphertext is transmitted via a properly connected computer and
> > then relayed internally by Bob to this freestanding computer where it
> > is decrypted - a cyber attack on the freestanding computer is
> > impossible ? - adacrypt
>
> What does "relayed internally" mean?  An attack is possible via that
> "internal relay". Also trojan, virus, ... attacks are all possible via
> that "internal relay"

Perhaps he can read: http://www.isoc.org/isoc/conferences/ndss/08/papers/20_analysis_resistant.pdf

See "infiltrating significant amounts of data to a compromised host is
far easier than exfiltrating data ..."

Those two terms are very interesting.

See: "A Multi-layered Approach to Security in High Assurance
Systems" (google that and there is a pdf)

See also: www.sdrforum.org/pages/sdr07/.../Uchenik%20Security%20Intro.pdf

HTH ~A
From: Gordon Burditt on
>This topic is outside of my remit and indeed my knowledge in the
>context of mutual database cryptography - however, I have in mind a
>free standing computer at Bob's end i.e. not connected to the internet
>- the ciphertext is transmitted via a properly connected computer and
>then relayed internally by Bob to this freestanding computer where it
>is decrypted - a cyber attack on the freestanding computer is
>impossible ? - adacrypt

Viruses being transmitted by "sneakernet" (hand-carried media such
as floppy disks) were pretty well known in the old days of MS-DOS.
Nowadays, USB memory sticks can also transmit viruses.

If you really want a ("freestanding") system secure, maintain a
good air gap (say, 10 feet) between the system and any outside
connections:
- Ethernet, phone, or wireless connections
- Any radio or infrared communication links such as Wi-Fi,
  Bluetooth, wireless keyboards, cell phones, etc.
- Commercial power. Use batteries and solar cells or
  muscle power of the guy operating it.
- Any media that's been touched by an outside computer
  (includes floppies, USB memory sticks, CD/DVD disks,
  recordable or not, tape, paper tape, punch cards, etc.
  I guess this means you pretty much have to build these
  yourself or do without, although you could perhaps risk
  bulk-erasing floppies, then formatting them and using
  them on the secure system.)
- Preferably you put the whole thing inside a Faraday cage
  to limit electromagnetic radiation from sending info in or out.

I am not sure whether it is safe to use a digital camera inside
your locked room to take a picture of the screen of the internet-connected
computer 10 feet away, then have the inside computer OCR it. I
doubt it.
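
As an added example (not part of the post above or of the thread), a read-only shell audit that lists which of the software-visible outside connections named in that list are still present on a Linux host. It assumes the standard sysfs layout; the function name `audit_airgap` and its optional sysfs-root argument are hypothetical, introduced so the check can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: report remaining "outside connections" on a supposedly
# air-gapped Linux host by reading sysfs only (nothing is modified).
# audit_airgap and its argument are hypothetical names for this sketch.
# Usage: audit_airgap          (audits /sys)
#        audit_airgap /path    (audits a sysfs-like tree, e.g. for testing)
audit_airgap() {
    sysfs=${1:-/sys}
    findings=""
    # Ethernet, modem and Wi-Fi links: any interface other than loopback.
    for dev in "$sysfs"/class/net/*; do
        [ -e "$dev" ] || continue
        name=${dev##*/}
        if [ "$name" = "lo" ]; then continue; fi
        kind=wired
        # cfg80211 wireless devices expose a phy80211 link.
        if [ -e "$dev/phy80211" ] || [ -d "$dev/wireless" ]; then kind=wifi; fi
        findings="$findings net:$kind:$name"
    done
    # Bluetooth controllers (hci0, hci1, ...).
    for dev in "$sysfs"/class/bluetooth/*; do
        [ -e "$dev" ] || continue
        findings="$findings bluetooth:${dev##*/}"
    done
    # Radios that are neither soft- nor hard-blocked according to rfkill.
    for rf in "$sysfs"/class/rfkill/*; do
        [ -r "$rf/soft" ] || continue
        if [ "$(cat "$rf/soft" 2>/dev/null)" = 0 ] &&
           [ "$(cat "$rf/hard" 2>/dev/null)" = 0 ]; then
            findings="$findings radio-unblocked:$(cat "$rf/type" 2>/dev/null)"
        fi
    done
    # USB interfaces currently bound to the mass-storage driver
    # (removable media such as memory sticks); names look like 1-1:1.0.
    for d in "$sysfs"/bus/usb/drivers/usb-storage/*:*; do
        [ -e "$d" ] || continue
        findings="$findings usb-storage:${d##*/}"
    done
    # One space-separated line; empty means nothing was found.
    echo "${findings# }"
}
```

An empty result covers only what the kernel can see; power, emanations and the history of the media in use are outside what this check can tell you.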


From: WTShaw on
On Jul 12, 1:49 am, adacrypt <austin.oby...(a)hotmail.com> wrote:
> Hi W.T,
>
> This topic is outside of my remit and indeed my knowledge in the
> context of mutual database cryptography - however, I have in mind a
> free standing computer at Bob's end i.e. not connected to the internet
> - the ciphertext is transmitted via a properly connected computer and
> then relayed internally by Bob to this freestanding computer where it
> is decrypted - a cyber attack on the freestanding computer is
> impossible ? - adacrypt

You have part of the possibles. Interconnection of computers online
or subject to being so directly give a good path to tampering. You
can however reduce by movable memory the chance of infection generally
defined as anything undesired that can have some undesired effect. The
least memory involved is best as contents other than desired are easier
to spot. Old discs served this purpose well but they seem to be going
away rapidly. Possibly we are talking of overkill and also neglecting
the tools of a dedicated snoop.

The question of privacy/security is that the option to obscure is not
based on any generic reason per se but the simple desire to control
certain information as a personal choice to whatever degree that is
feasible.
From: WTShaw on
On Jul 12, 4:15 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> adacrypt wrote:
> >>  - a cyber attack on the freestanding computer is
> >> impossible ?
>
> Long time ago yes, but no longer. Look with the key phrase
> "electromagnetic emanation". There are also techniques to
> disrupt the proper functioning of a computer.
>
> M. K. Shen

Including military attack I presume. Interrupting communications has
been done. I remember such during the raid on Waco. I knew so
because at the time I was doing work with a spectrum analyzer not too
far away that produced a rather clear picture of the efforts. General
EMP usages might cause general indignation in a specific area. But the
stupidity of the Waco misadventure shows that when you have a hammer,
all problems can look like nails.
From: WTShaw on
On Jul 12, 11:54 am, unruh <un...(a)wormhole.physics.ubc.ca> wrote:
> On 2010-07-12, adacrypt <austin.oby...(a)hotmail.com> wrote:
> > Hi W.T,
>
> > This topic is outside of my remit and indeed my knowledge in the
> > context of mutual database cryptography - however, I have in mind a
> > free standing computer at Bob's end i.e. not connected to the internet
> > - the ciphertext is transmitted via a properly connected computer and
> > then relayed internally by Bob to this freestanding computer where it
> > is decrypted - a cyber attack on the freestanding computer is
> > impossible ? - adacrypt
>
> What does "relayed internally" mean?  An attack is possible via that
> "internal relay". Also trojan, virus, ... attacks are all possible via
> that "internal relay"

I suppose that he simply means by other than what would be considered
normal net means. Back to other ideas, a shared database is
impractical if it is not convenient for any selected parties to easily
access.