Back Doors are for Bad Guys

The UK Prime Minister, David Cameron, says he’s going to ban strong encryption within his country. Somehow this is going to make everyone safe from terrorists. I have some questions:

  • Are terrorists the ones who will abide by such a law, first and foremost?
  • Is it your intention to shut down all e-Commerce in the UK?
  • How will it improve the welfare of British citizens to have the UK cut off from the rest of the Internet?

When that notoriously left-wing publication, Forbes, caught up with Internet security expert Bruce Schneier for his reaction, he was uncharacteristically hyperbolic: “My immediate reaction was disbelief, followed by confusion and despair.”  It makes no sense even to try this, according to Schneier.

Technically, there is no such thing as a “backdoor to law enforcement.” Backdoor access is a technical requirement, and limiting access to law enforcement is a policy requirement. As an engineer, I cannot design a system that works differently in the presence of a particular badge or a signed piece of paper. I have two options. I can design a secure system that has no backdoor access, meaning neither criminals nor foreign intelligence agencies nor domestic police can get at the data. Or I can design a system that has backdoor access, meaning they all can.

So try, and join the rogues’ gallery of China, Iran, Syria, Pakistan, Russia, Kazakhstan, and Belarus, who have all tried to censor the Internet and have all failed.

Cameron and Xi Jinping, censorship BFFs

It is worth remembering that the internet was designed beginning in the 1960s as a project of the Advanced Research Projects Administration, a DoD agency.  The original idea was to have a digital communications network with enough redundancy and resiliency that nuclear strikes would not disable it, merely slow it down.

The millions of routers that run the Internet are designed to have a primary way to get the next unit of data where it needs to go, and one or more backup ways if the primary fails (yes that’s a vast oversimplification).  More to the point, there is no truly central controller.  Every node in the network shares routing information and rules on how to apply it with every other node.  To kill “the Internet” you would have to kill so many nodes, you might as well be planning to end civilization.

Network architect John Gilmore pointed out an interesting consequence of this design.  He said, “The Net interprets censorship as damage and routes around it.”

Cameron’s try at the Great Firewall has the stated goal of making us safer from terrorists.  This objective is so far beyond the reach of his proposal as to be simply ludicrous.  The real result would either be as porous as China’s and the rest, or would take his country to the information-economy status of North Korea.  In any case, Cameron, or someone advising him, must know this.

So which one is the one that he wants?

Spoiler Alert: Government Spy Agencies Might Be Lying

UK intelligence agencies are claiming that they are having to move agents who are endangered in the field, and according to this report the reason is… Edward Snowden!

I must say, this has the stink of the barnyard.  Information about the nature of surveillance programs, which is what Snowden revealed, is so far from operational info about field agents that it might as well be the 1997 Minnesota Twins’ box scores.  If agencies are having their networks compromised they should look to the flaws in their protocols that allowed Snowden to take any files out, not to the actual files Snowden took out.

Assuming they are not flat-out lying about having to roll up field networks (a BIG-ass-umption), they are simply scapegoating the man they love to hate.

The Chinese just breached a carload of US government data from security clearance applications. So now they know:

  • Who has clearance
  • At what level
  • What all the garbage was in those people’s backgrounds that had to be vetted before they could be given the clearance.

Now which one is more likely to have compromised field agents?  That?  Or a detailed description of how Verizon rolls over and gives the gov’t all your call data?

But wait – what could the government POSSIBLY want with distracting you from the Chinese breach and turning attention back on Snowden?  Such a mystery.

Why Security on the Internet is an Afterthought

This WaPo article gives us an historical perspective on why the Internet was designed to operate mostly with no encryption.  The money quote:

“Back in those days, the NSA still had the ability to visit a professor and say, ‘Do not publish that paper on cryptography.’ ”
As the ’70s wound down, [Vint] Cerf and [Robert] Kahn abandoned their efforts to bake cryptography into TCP/IP, bowing to what they considered insurmountable barriers.

This is really a great piece on how the internet morphed from an academic & defense research project to the collective nervous system of humanity.  I came into the field during the second decade of the Internet and it was not really a part of my life until about four or five years in.  I really enjoyed the insight into the earlier days.  Note the role Richard Stallman took back then – it hasn’t really changed much, at its core.

h/t to Rob Slade via CISSPForum.

Do you own your car?

Or does GM?  I’m not referring here to leasing vs. buying.  I am referring to the fact that GM has recently declared that only mechanics they license are allowed to work on “your” car.  And if you take it to another mechanic, or use less-expensive after-market parts, or connect the car’s diagnostic port to a home-brew or third-party device, the issue is not merely the possibility of voiding the warranty.  The issue is, GM can more or less unilaterally declare you to be in violation of the Anti-Circumvention provisions of the Digital Millennium Copyright Act (DMCA).  You can be charged with a crime at the Federal level.

Here is where the evils of DRM (that I started to write about here) intersect with the entertainment industry lobbyists’ power to get stuff enacted into laws, and affect how we can use technology we think we own.  These laws have effects on our lives that are not at all well-understood, not even by the content-industry monopolists who paid to have them enacted.

Do farmers own their tractors?  According to comments filed by John Deere with the Copyright Office, they do not.  They are not allowed to modify any aspect of “their” tractor that is mediated by software, which is pretty much anything useful.  This article in Wired brings up a case of a farmer — a neighbor of the author — who cannot get his transplanter fixed because he is not given access to the correct diagnostic software.  And so he has a six-figure barn ornament.

In their comments in support of this policy, Deere points out that if they were allowed to tinker with the tractors’ software, farmers might change the engine tuning to violate the EPA pollution regulations.  Well, OK, but then they would owe the EPA a fine, not John Deere.  They might even use the in-cab entertainment system to pirate music.  (Roll that around in your brain for a minute.) Yes, that’s why the farmer spends half a million bucks on a harvester — to evade paying $9.99 for a Taylor Swift CD.

Convenience

Wireless Car Locks are designed for convenience.  Yours, and also car thieves’.

In this NYT story, the author describes why he now keeps his car keys in the freezer:

He explained it like this: In a normal scenario, when you walk up to a car with a keyless entry and try the door handle, the car wirelessly calls out for your key so you don’t have to press any buttons to get inside. If the key calls back, the door unlocks. But the keyless system is capable of searching for a key only within a couple of feet. 

Mr. Danev said that when the teenage girl turned on her device, it amplified the distance that the car can search, which then allowed my car to talk to my key, which happened to be sitting about 50 feet away, on the kitchen counter. And just like that, open sesame.

He’s now using the freezer as a Faraday cage to prevent this – his Prius had been broken into three times as of the writing.  This method is less useful for stealing the car than for entering it, because once it’s driven away there will be obvious difficulties without the key.

I think my plan will involve two things, neither of them below room temperature.  One, we will no longer keep ANYTHING of value in the car.  And two, we will get Faraday bags similar to those that protect your new “secure” passports and keep our key fobs in there when not driving.

Exam Time!

If you’re a student and you’re reading this, I just made you clench a little with that title, didn’t I?  Well, here’s some news you can use: it never really goes away.

Ten years ago next month, I sat for the CISSP exam.  Being a bit underemployed at the time, I had done little the preceding six weeks but study for it.  I had to travel to NYC for the exam, which was a non-trivial financial risk, but lack of confidence has never been my issue. Even the night before in the hotel, though, I sat doing flash cards of the Legal & Regulatory elements, which was the one area I felt needed boosting.  I could never get the hang of this due to its utter lack of internal logic or consistency.  This is what keeps the courts in business, I suppose.

I went into the exam with a strategy of sorts.  I was planning to give my brain “breaks” by doing 25 questions at a time, then reviewing those before moving on.  I was never worried about the time limits.  Right or wrong, I do these things quickly.  I have yet to hear the words “pencils down” in a test, and that goes all the way back to the PSATs in 1972.

So there I was doing this answer 25, check 25 routine… and I started to notice something.  The text of questions in the second half of the test started giving me clues to some answers I had not been so sure about in the first half.  I know for a fact that there are at least three questions I would have had dead wrong on my test that I was able to fix, thanks to clues in the “givens” of later questions.

The only time-related distress I’ve experienced in a test was on the CISM exam.  At that one, there was one other CISM candidate among a gaggle of would-be CISAs.  For no discernible reason, the proctor seats us next to each other.  We start the test at 9:00.  At about 10:10, I’m on question maybe 110 of 200… and doesn’t she close her book, go up front, hand in her paper and leave?!  This freaks me out in no small measure.  But to this day, I have no idea if she scored 100% or “no better than random”.  I just figure it has to be one of those two extremes.

This comes to mind because I have now started to hear the siren song of yet another certification exam, the CCSP.  It takes the same body of knowledge from the Cloud Security Alliance that went into the CCSK exam and adds continuing CPE requirements and renewal.  I have a feeling it will be better-recognized.  And hey, one thing I appear to be able to do well is take multiple-choice tests, so… why not?

Day Against DRM

“Digital Rights Management” is one of those things that sounds so benign.  Like “Patriot Act”.  In fact, DRM is a willful effort to make sure that your computer is not really your property, and that legitimate uses of it are under control of the corporations you bought media from.  Oh, sorry, “bought media” is a misstatement.  Under DRM, you cannot actually buy media.  You can give corporations money, yes, but they retain the ownership of everything.  You have only bought a license to use the media until… well… until they decide you can’t use it anymore.  When this day arrives, you will have no recourse.

Security?  Broken software is not secure.  Proprietary encryption algorithms make me pull my hair out.  DRM requires that you hold all the information in your hands and yet you are subject to arbitrary restrictions about how it may be used.  The theme of all DRM is, or should be, “Defective by Design.”  Because the only way to make DRM start to work is to break your software or device in some way, and then arbitrarily forbid you from fixing it.

Why the sudden DRM screed today?  May 6th is the International Day against DRM and this has been welling up for some time.

This is a security issue.  There will be more to come on this topic…

Meanwhile, a big tech book publisher is having a sale; go buy something.

Sony: The Gift that Keeps On Giving

As you may recall, late last fall, Sony Pictures Entertainment acknowledged that their entire IT infrastructure had been severely breached.  At the time, the attackers were announced to be the North Koreans.  But serious analysis absent political axes to grind has put that conclusion in doubt, to say the least.  More evidence points to the actions of an unhappy employee/former employee and roughly half a dozen accomplices.

One of the things that the attackers did was release a huge cache of internal emails, emails that did not put anyone from within Sony in the best light.  Who among us can say that the release of all our emails would treat us much better?  Still, these were dumped onto public sites, e.g., PasteBin.

Sony’s immediate response was to try to shut down the press from covering this aspect of the situation by sending legal-ish letters to all major media outlets, claiming that just because they were public didn’t mean that they could be reported.  To understand how this is consistent with the First Amendment, I think you need a law degree and a fat paycheck from Sony.  Needless to say, the folks at WikiLeaks were not impressed.  They spent the next few months building everything that was released into a searchable archive.  You can read about that site they just opened here.

Sony’s well-compensated lawyers have jumped right back into the fray, of course.  Unable to do anything about the WikiLeaks site itself, they have once again taken their, um, peculiar understanding of Freedom of the Press to the medium of threatening letters directed at the press (sample here).

The website TechDirt received one of these letters, and wrote about that fact (coverage).  Yeah, gossip about Julia Roberts is not truly newsworthy but there’s plenty in those emails that is.  It’s worth noting that one of two Investigative Reporting Pulitzer Prizes just given out went to Eric Lipton, who also didn’t think much of Sony’s legal theory in this matter.  Lipton used whatever he needed from that treasure trove.  TechDirt has now made a formal response to Sony, which is rather amusing.

I know Sony likes when their work product makes us want to get popcorn and settle in, but I don’t think this is what they had in mind.

The price of free games

What price do we pay to play our favorite games?  Especially the “free” ones?

Privacy.  It’s not that we don’t value it.  We do; we treat it as currency.  And it’s sobering how lavishly we spend it.

I just sampled the permissions requested by the following apps on my Android phone or tablet:

  • Ingress
  • Unblock Me FREE
  • Pandora
  • Slice It!
  • Angry Birds
  • Flow Free
  • Bubble Blast 2

Except for Pandora, a music-streaming service, all are free games.  Some support in-game purchases but I am disregarding that.

Here are the permissions they require, in aggregate:

  • access Bluetooth settings
  • add or modify calendar events and send email to guests without owners’ knowledge *
  • approximate location (network-based)
  • change network connectivity
  • change your audio settings
  • connect and disconnect from Wi-Fi
  • control vibration
  • find accounts on the device
  • full network access
  • install shortcuts
  • modify or delete the contents of your USB storage
  • pair with Bluetooth devices
  • precise location (GPS and network-based)
  • prevent device from sleeping
  • read call log
  • read Google service configuration
  • read phone status and identity
  • read sync settings
  • read sync statistics
  • read the contents of your USB storage
  • read your contacts
  • receive data from Internet
  • retrieve running apps
  • run at startup
  • toggle sync on and off
  • use accounts on the device
  • view network connections
  • view Wi-Fi connections

* – I uninstalled the one that needs to be allowed to do that.  ~~shudder~~

For some of these games, some of these permissions make sense.  Obvious example: Ingress is simply not going to “do what it says on the tin” if it cannot know your exact location.  On the other hand, what the heck does a simple cutting-puzzle game like Slice It! need with my phone’s call history?
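The check behind that question can be made systematic: compare what each app asks for against what its kind of app plausibly needs, and flag the rest.  The script below is an added example and is not code from the original post.  The per-app permission sets and the category policy are constructed for illustration (the post only gives the aggregate list); the only per-app facts taken from the post are that Ingress needs precise location and that Slice It! requests the call log, and the assumption that a music player reads phone state to pause on incoming calls is just that, an assumption.

```python
"""Per-app audit of Android install-time permissions.

Added example, not code from the original post. The per-app permission
sets below are constructed (the post gives only the aggregate); the only
per-app facts taken from the post are that Ingress needs precise location
and that Slice It! requests the call log. Permission labels are the
install-time strings the post lists.
"""
from collections import Counter

# Permissions that expose personal data and therefore need a reason.
SENSITIVE = {
    "read call log",
    "read your contacts",
    "precise location (GPS and network-based)",
    "approximate location (network-based)",
    "read phone status and identity",
    "find accounts on the device",
    "use accounts on the device",
    "read the contents of your USB storage",
    "modify or delete the contents of your USB storage",
}

# Constructed policy: which sensitive permissions an app category's own
# function plausibly justifies. A pure puzzle game justifies none.
JUSTIFIED_BY_CATEGORY = {
    "location-game": {
        "precise location (GPS and network-based)",
        "approximate location (network-based)",
    },
    # Assumption: a music player reads phone state to pause on incoming calls.
    "music-streaming": {"read phone status and identity"},
    "puzzle-game": set(),
}

# Constructed sample: app -> (category, requested permissions).
SAMPLE_APPS = {
    "Ingress": ("location-game", {
        "precise location (GPS and network-based)",
        "full network access",
        "find accounts on the device",
    }),
    "Slice It!": ("puzzle-game", {
        "read call log",
        "full network access",
        "control vibration",
    }),
    "Pandora": ("music-streaming", {
        "read phone status and identity",
        "full network access",
        "change your audio settings",
    }),
    "Flow Free": ("puzzle-game", {
        "full network access",
        "view network connections",
    }),
}


def aggregate_permissions(apps):
    """Union of everything requested, counting how many apps ask for each."""
    counts = Counter()
    for _category, perms in apps.values():
        counts.update(perms)
    return counts


def unjustified_sensitive(apps, justified=JUSTIFIED_BY_CATEGORY, sensitive=SENSITIVE):
    """Sensitive permissions each app requests beyond what its category justifies.

    Returns {app_name: sorted list of excess permissions}; apps with no
    excess are omitted.
    """
    findings = {}
    for name, (category, perms) in apps.items():
        allowed = justified.get(category, set())
        excess = sorted((perms & sensitive) - allowed)
        if excess:
            findings[name] = excess
    return findings


if __name__ == "__main__":
    for perm, n in aggregate_permissions(SAMPLE_APPS).most_common():
        print(f"{n} app(s): {perm}")
    for app, excess in unjustified_sensitive(SAMPLE_APPS).items():
        print(f"{app}: no functional reason for {', '.join(excess)}")
```

On the constructed sample, Slice It! is flagged for the call log and Ingress for the accounts permission, while Pandora’s phone-state request passes because the category policy allows it; the point of keeping the policy as data is that the decision of what is “justified” is written down and reviewable rather than decided app by app at install time.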
Not to mention, the fact that a given permission seems aligned with the game’s function does not mean that is the only use to which that info is being put.  Imagine if all of the information in the listing above were being compiled in one building.  We’d think that was the NSA and we were on some terror watch-list.

How different is the situation here?  If a game manufacturer can’t use this info themselves, they can surely find a buyer for it.  And yes their privacy policy might say that they won’t sell your individual information but I have found most of them do allow the resale of the information they collect if it’s aggregated and “anonymized.”  Except, as you can see here and here and many more places, anonymization is laughably easy to reverse.  Not to mention, the buyers of your information might have a looser privacy policy than the original collector.  Or they might have none at all.

I’m not saying, don’t play free games.  Or even don’t use a smartphone, which really has all the same issues.  I’m saying, be aware of what you’re paying for those things.

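Why “anonymized” so often is not: stripping names from a dataset leaves the attributes that, in combination, still single people out.  The privacy-engineering check for that is k-anonymity, the size of the smallest group of records sharing the same quasi-identifiers; any record with k = 1 can be linked to a person by whoever holds a second dataset with those attributes.  The script below is an added example, not code from the post or from any game vendor; the export rows are constructed, and the column names (zip3, age_band, carrier) are assumed for illustration.

```python
"""k-anonymity check on an 'anonymized' data export.

Added example, not from the original post. The records are constructed:
direct identifiers (name, device id) are already stripped, as they would be
in a dataset sold as "aggregated and anonymized", but the quasi-identifiers
(coarse location, age band, carrier) remain. Column names are assumed.
"""
from collections import Counter

QUASI_IDENTIFIERS = ("zip3", "age_band", "carrier")

# Constructed sample export: no names, but quasi-identifiers intact.
SAMPLE_EXPORT = [
    {"zip3": "100", "age_band": "30-39", "carrier": "Verizon", "hours_played": 12},
    {"zip3": "100", "age_band": "30-39", "carrier": "Verizon", "hours_played": 3},
    {"zip3": "100", "age_band": "30-39", "carrier": "Verizon", "hours_played": 40},
    {"zip3": "981", "age_band": "50-59", "carrier": "T-Mobile", "hours_played": 7},
    {"zip3": "981", "age_band": "20-29", "carrier": "T-Mobile", "hours_played": 1},
]


def key(record, quasi=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that defines a record's group."""
    return tuple(record[q] for q in quasi)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest group size over the quasi-identifier columns (0 if empty)."""
    counts = Counter(key(r, quasi) for r in records)
    return min(counts.values()) if counts else 0


def unique_records(records, quasi=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination appears exactly once.

    These are the rows a second dataset with the same columns would pin to
    one individual, names or no names.
    """
    counts = Counter(key(r, quasi) for r in records)
    return [r for r in records if counts[key(r, quasi)] == 1]


def generalize(records, quasi=QUASI_IDENTIFIERS, drop=("age_band",)):
    """Coarsen the export by removing quasi-identifier columns.

    Returns the coarsened records and the quasi-identifiers that remain, so
    k_anonymity() can be re-run on the result before release.
    """
    kept = tuple(q for q in quasi if q not in drop)
    coarsened = [{c: v for c, v in r.items() if c not in drop} for r in records]
    return coarsened, kept


if __name__ == "__main__":
    print("k before release:", k_anonymity(SAMPLE_EXPORT))
    for r in unique_records(SAMPLE_EXPORT):
        print("re-identifiable:", r)
    coarsened, kept = generalize(SAMPLE_EXPORT)
    print("k after dropping age_band:", k_anonymity(coarsened, kept))
```

On the sample, the three Verizon records from the same ZIP prefix and age band hide among each other, but the two T-Mobile records are each unique and so are re-identifiable as released; dropping the age band raises k to 2 for the whole export.  The larger lesson is that the collector, not the buyer, is the only party in a position to run this check, and the post’s concern is exactly that the buyer may not care to.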
Tech To-Do List

My home tech to-do list (in no particular order)

  • Network Zones: I would like three segregated network zones in our home LAN.  One for our general purpose computers, one for our Android and BlackBerry devices, and one for our printers and connected entertainment boxes (Roku, TiVo, etc.).  There does need to be some traffic between them, however; at least the computers need to be able to communicate with the printers. I have at my disposal for this an ASUS WiFi router and a TP-Link managed switch.  I may also soon add…
  • A UTM device in front of our Internet connection.  That ASUS router is currently connected straight to the DOCSIS 3 cable modem, and doing boundary duty as well as all its internal responsibilities.  I am considering Sophos Free Home UTM, and pfSense.  I have purchased the Intel Atom D2500 for the hardware base.  This will probably handle the Sophos – if not, pfSense will be no challenge to it, for sure.
  • Need to find a way to set up a group of Raspberry Pi units with USB DVD drives to bulk-rip all our movie and TV DVDs into a format that Plex or Serviio will serve.  This is a living-space-placement issue as well as a tech challenge because cats.
  • We have a Sony Bravia TV and a BD player/receiver combo that do a nice job of switching the sound to our 5.1 speakers… some of the time.  The receiver also has a bunch of streaming applications that are now mostly duplicated on other devices.  So I think it might be time to replace the BD-Receiver.  Anyone who knows of a non-Sony device that does “Bravia sync” please comment.  I’m willing to put in two devices here only if absolutely necessary.
  • I am trying out SpiceWorks for a combination of ticketing and monitoring but I’m leery of giving an online service the amount of internal access and authentication that a monitoring system does need.  If anyone knows of a similar facility I could stand up and host internally, shout it out.

There are probably more but they are all much lower priority.  In fact, the priority is so low I can’t think of them now.  This is why I need a ticketing system.