Open Source Software/IoT & Security

“We all like to make fun of security by obscurity, right? But sometimes that’s all we have.”

Sometimes that’s all that’s needed…

History endorses Security by Obscurity 100% as the axis had no knowledge of the tongue(s) used and the CodeTalkers were unbeatable. If any naysayers were able to travel back in time with their laptops loaded with decryption software & special antennas, they would still not be able to break the code without first know what language was spoken, and then their advanced decryption equipment would still be useless. A simple translation software that spoke Navajo could do what a powerful decryption system couldn’t…

The bottom line is that obscurity worked. Unfailingly. Can the same be said for the other currently recommended method of divulging core mechanisms to everyone? No it can’t. Failures happen frequently. Frequent failure versus unfailing security. Hmmmmm…

I have a machine code concept based on a similar core factor to the CodeTalkers obscurity advantage. In fact, the overall concept has several security sub factors.

There are 2 things causing the somewhat emotional response to my open disagreement to your guy"s insistence that there is only “one way” to look at the issue based on other people’s (not mine) previous failures :

1. The first cause is that I am not an expert cryptographer. I know I have much to learn, but that does not somehow technically translate to me knowing nothing, or anyone I disagree with knowing everything (or at least them being right in their disagreement on this topic). Does every layman consumer using PGP or Tor need to be a professor of cryptography to use them? You may argue that one need to be expert to develop such a system, but I am not basing the core system security on flawless encryption (which most deny exists), but rather on a combination of technologies. That changes the dynamic absolutely…
2. The second cause is that due to patent law restrictions, I can’t explain in exact detail the reasons why I think my concept is different enough to secure communications. Without knowing the exact details, all resistance is only well educated, but still technically prejudiced, and therefore lacking assessment value. Constant intended rebuttals can’t change that. I wouldn’t do that to people, and I don’t know why anyone does it.

Why do I keep trying to defend what people keep attacking? Not only because I disagree, but in the event than any VHS member actually might be interested, I don’t want any well educated & well intentioned person to dissuade them. Knowing human nature, I guess this issue will become nasty gossip. It’s a sad statement of human psychology…

There’s an old saying that arguing with strangers on the internet is like competing in the Special Olympics : Even if you win, you are still a rtrd !!! While I don’t like the nasty term it uses, the main point is clear…

I apologize if anything I’ve said has come across as a personal attack. I’ve certainly not meant to be responding to anything emotionally. I don’t feel that I’m guilty of that charge, but apparently I’ve come off otherwise.

You solicited input and I think I’ve said about all I have to say on the subjects of cryptography and software security. Feel free to consider or ignore any of it. If you produce a successful secure product whether through obscurity or open algorithms, my hat is off to you.

Good luck with your project.

It may not have failed during WWII. It may even work today. But it is not secure. The ‘key’ here is the particular language itself, which is known to many and not tightly controlled. Much like the Allies did with Enigma, had the Axis been able to figure out the language, the entire system falls apart entirely. It’s effectively a substitution cipher, which are weak to many types of attacks, given sufficient ciphertext. I don’t think such a mechanism would stand for long against modern statistical analysis.[quote=“boilerwelder, post:21, topic:3983”]
The bottom line is that obscurity worked. Unfailingly. Can the same be said for the other currently recommended method of divulging core mechanisms to everyone? No it can’t. Failures happen frequently. Frequent failure versus unfailing security. Hmmmmm…
[/quote]
What? No modern crypto has been effectively “broken”. AES, probably the most widely used and therefore attacked cipher, was publicized in 1997. Some minor weakness have been found, but none that provide a useful attack. RSA, published in 1977 and still the most widely used public-key crypto scheme likewise has no known viable attacks against modern and correct implementations. I would call this ‘unfailing’, and none of it depends on hiding the mechanisms of the system.

Security is about much more than how strong a cipher or cryptosystem is. Most security failings are not attacks on the technologies, but on the systems built from them, or methodologies of their use. Again, I would urge you to read some of the ‘light’ literature on the subject, it will give you insight into the basic concepts of infosec and what sort of attacks we are talking about that have nothing to do with cryptography or signal security. I would recommend Schneier’s Secrets and Lies: Digital Security in a Networked World.

I don’t see anyone here having an emotional response to your posts. You don’t seem to have even the most elementary grasp of existing infosec technology and practices, and are promising the world. We are simply trying to get you to see that you are way out of your depth, and that if you want your claims to be taken seriously, you need to explain your methods and allow them to be attacked by experts. Many before you have made similar claims, and their systems almost always have fundamental flaws that make them much weaker than the established norms. Maybe you have found some amazing thing nobody has thought of before, but the chances of that being the case are very low, and in lieu of evidence to the contrary, I will remain skeptical, as will others on this board that have some knowledge of computer security. This is not prejudice, a personal attack, or an emotional response. It is the rational response to grand claims that are contrary to established science and with no facts to back them up.

I am interested in your ideas, but I think you should temper your arrogance and recognize that you are not an expert in a field you claim to be poised to create a revolution in. You are an outsider to the security community, and you need to prove your ideas before you will be taken seriously at face value. The way to do that is not to claim everyone else is wrong and that you have a magic answer that you just can’t tell anyone but that invalidates the last 50 years of experience and study. Maybe you can get away with this if you are well respected in the field (and even then, I doubt it would fly, openness is the norm in security), but certainly not as a layman that clearly lacks a strong grasp of the fundamentals and has no reputation.

Good luck with your project. If you want to learn more about security or have something concrete that you want feedback on, I will be happy to provide my input, but for now I am respectfully bowing out of this discussion.

@bruce

“I apologize if anything I’ve said has come across as a personal attack. I’ve certainly not meant to be responding to anything emotionally. I don’t feel that I’m guilty of that charge, but apparently I’ve come off otherwise.”

No offense taken personally. My post wasn’t intended to claim you attacked me, only that because I can’t be too specific and that I lack high training, that somehow it is taken as absolute 100% proof that my concept is wrong. Maybe it is, but because of the repeated prejudice, I couldn’t even get anyone reading this thread to sign a NDA/non-compete, then go soliciting venture capital.

"You solicited input and I think I’ve said about all I have to say on the subjects of cryptography and software security. Feel free to consider or ignore any of it. If you produce a successful secure product whether through obscurity or open algorithms, my hat is off to you.

Good luck with your project."

Thank you Bruce. I wish you well too. If only we had met over coffee somewhere long enough to get you to take it seriously as a risk free development gamble. Gambling with OPM (Other Peoples Money) to develop a new product from concept stage in one’s own spare time is what I mean by “risk free”…

@ktims

“It may not have failed during WWII. It may even work today. But it is not secure.” (Quoting ktims)

How can it work for secure communications without being secure? You do understand that at some point in time somebody actually developed every language from scratch, right? Is it impossible to build a new language from scratch & add the other appropriate factors in to disguise the content from reverse engineering? No it’s not… You’re just wrong, that’s all. I can admit that…

“It’s fully deniable. It’s arguably the safest communication because nobody even knows it’s a communication” (Quoting Defcon 22)

Forgive me, but I will just have to go with Defcon’s assessment over yours. Arguably the safest?!?! Thanks Defcon !!!

“The ‘key’ here is the particular language itself, which is known to many and not tightly controlled.”

Compared to English & German, Navajo was known to a relatively small handful of people, and it’s use as a crypto key was tightly controlled as a wartime state secret.

“What? No modern crypto has been effectively “broken”.”

Wrong again. Read below:

“In this case, however, researchers broke the transponder’s 96-bit cryptographic system, by listening in twice to the radio communication between the key and the transponder. This reduced the pool of potential secret key matches, and opened up the “brute force” option: running through 196,607 options of secret keys until they found the one that could start the car. It took less than half an hour.”

It’s found here:

http://www.bloomberg.com/news/articles/2015-08-14/vw-has-spent-two-years-trying-to-hide-a-big-security-flaw

“Security is about much more than how strong a cipher or cryptosystem is.”

I never said it wasn’t. I said I believed that I had other factors to consider and that I believed they would interact synergistically to increase security. Reading comprehension…

“I don’t see anyone here having an emotional response to your posts. You don’t seem to have even the most elementary grasp of existing INFOSEC technology and practices, and are promising the world.”

Nobody is being emotional ? Really? Is that why you are using extreme expressions like “even the most elementary grasp” ?? Rumor has it that the Defcon speaker has a greater than elementary grasp of cyber security… He said it is “arguably the safest communication.” I am making that argument. Don’t take it from me, maybe you should argue against him…

Unless you want to argue this too, then the Defcon guest speaker knows cyber security deeper than you. Unless maybe you rejected Defcon’s request for you to give the presentation and had to call the other guy in your place as a second choice…

Yes, I know, if he read this thread, he’s side with you right? He can’t honourably retract his words in the intent spoken there…

“You don’t seem to have even the most elementary grasp of existing infosec technology and practices, and are promising the world”

Show me where I promised anything? I said I have an idea. A rough concept. I THINK it will deliver large, but I never promised anything. Again, reading comprehension. Must be emotionally blurred…

“We are simply trying to get you to see that you are way out of your depth, and that if you want your claims to be taken seriously, you need to explain your methods and allow them to be attacked by experts.”

And I have painstaking explained over & over why I can’t do that, but still you are driven to miss my point. NO NDA & NO NON-COMPETE = NO REVEAL How hard is that ??

“Many before you have made similar claims, and their systems almost always have fundamental flaws that make them much weaker than the established norms.”

Before Kittyhawk, how many expert researchers in a new unproven field (human flight) fell to their deaths? Did flight happen? Open your mind please…

“I will remain skeptical, as will others on this board that have some knowledge of computer security. This is not prejudice, a personal attack, or an emotional response.”

Yes it is. By definition, unless you will say you know EVERYTHING about INFOSEC, then because I haven’t told you the missing puzzle pieces, then you certainly are prejudiced against my concept. Admittedly well educated, but still prejudiced. Ironically, the thread was about drone OS program code security, not signal security, yet it got sidetracked, then derailed all by prejudice. And if you aren’t emotional, why are you trying to speak for everyone against me in a future tense?

“I am interested in your ideas, but I think you should temper your arrogance and recognize that you are not an expert in a field you claim to be poised to create a revolution in.”

I said I am not expert. I admitted how it looked and still said I think I have something. Experts had to keep it going negatively… Considering the complexity, I don’t blame them for the first volley, but repetition was not warranted. Thank God my experience at VHS didn’t show people to be like this in person…

“It is the rational response to grand claims that are contrary to established science and with no facts to back them up.”

How many times have I explained this? You didn’t miss it, you just had to keep bashing negativity…

“I am interested in your ideas, but I think you should temper your arrogance and recognize that you are not an expert in a field you claim to be poised to create a revolution in.”

My arrogance? Admitting that I am NOT an expert, but still believing that I have a novel approach is not arrogance. It is guarded confidence. Considering the depth & complexity of INFOSEC, I see how you would get the impression that I am arrogant, but I tried over & over to explain in as accurate way that I can (within patent law restrictions) why I still think the concept will work. You understood my point, but relentlessly drove your opposing point home because you are prejudiced and bear emotional motives you can’t even see. Prejudice is arrogance.

" You are an outsider, and you need to prove yourself before you will be taken seriously."

Thank God the others I met at VHS were friendly, otherwise I would have no motive to change my “outsider” status.

“Good luck with your project.”

Yeah thanks. You too.

“If you want to learn more about security or have something concrete that you want feedback on, I will be happy to provide my input”

No thank you.

“for now I am respectfully bowing out of this discussion”

Thank you.

I consider this a good read for anyone considering obscurity as part of their security model:

https://danielmiessler.com/study/security-by-obscurity/

Thanks Tylsl !!

Interesting read…