August 2007 Archives

Computerworld reports that the Bank of India Web site was attacked and seeded with a rather excessive amount of malware:

Although the bank's site had been scoured of all malware by Friday morning, it's currently offline. "This site is under temporary maintenance and will be available after 09:00 IST on 1.09.07," a prominent message currently reads.

Researchers at Sunbelt Software Inc. first posted details of the hack yesterday afternoon after finding rogue code embedded in the site's HTML. That code, actually an IFRAME exploit, silently redirected users to a hacker server, which pushed 22 different pieces of malware onto vulnerable PCs. By Sunbelt's tally, the malware included one worm, three rootkits, five Trojan downloaders, and several password stealers. "The biggest issue is the sheer volume of malware we've had to analyze," said Alex Eckelberry, Sunbelt's CEO, in a blog posting yesterday.

I guess if something's worth doing it's worth doing right. Outstanding!

OK, you've all heard that some Hash House Harriers were arrested for laying down flour trails in New Haven:

Just before 5 p.m., the police received a call that someone was sprinkling powder on the ground. The store was evacuated and remained closed the rest of the day.

The incident prompted a massive response from the New Haven police and authorities from surrounding towns.

Dr. Salchow was at home waiting for the others who took part in the four-mile run to arrive for an after-party when his wife called to say there was a problem. He biked to Ikea and tried to explain to the police that the powder was just flour.

The club's tactics have caused problems elsewhere.

In 2002, a trail of flour caused a mall in Fayetteville, N.C., to be evacuated for two hours. A few months earlier, two runners in Oxford, Miss., were arrested after using piles of white powder to mark a route through a downtown square.

Dr. Salchow said that after the 9/11 attacks, club members started using chalk to mark courses. But as fears eased, they went back to flour because it is biodegradable. He said they would start using chalk again or find somewhere else to run.

Jessica Mayorga, a spokeswoman for Mayor John DeStefano Jr., said the city planned to seek restitution from the Salchows, and will meet Monday to decide how much.

Ms. Mayorga said they should not have used the flour if they knew it had caused scares in the past.

"You see powder connected by arrows and chalk, you never know," she said.

It's true, you never do know. In fact, I understand that arrows and chalk is the preferred method of bioweapon dispersal.

Seriously, say I had a weaponized bioagent in some sort of power. I can think of probably twenty different methods to use for distributing it that would be better than this (explosives, ventilation systems, just blowing it into the air with a leafblower, spreading it on food at the grocery store, water supply, etc.) Leaving it in a pile on the stret with an arrow pointing to it strikes me as one of the worst possible ways. Given the actual number of terrorist attacks in the US since 9/11, it's probably time to stop going to full panic mode whenever something the least bit out of the ordinary happens.

In the comments section, Todd complains about the accuracy of my characterization of ACT UP SF (reformatted for easier reading).

"One strange twist to this story is that San Francisco ACT UP (though not other ACT UP branches) has become not only HIV denialist but also AIDS denialist"

They are neither. They are HIV/AIDS Dissidents. And ACTUP has been so for over a decade. Do you make any attempt to be accurate at all ?

Yes, I do, and I think this phrasing is accurate. ACT UP SF's refers to AIDS as the "AIDS $CAM". Here's a quote from their web site:

The fact is that there is no plague of contagious AIDS. Every year of the so-called AIDS "epidemic" in the United States more people died from car accidents than from AIDS. Government estimates of the number of HIV positive Americans has been continually revised downward from 1.5 million in the mid-1980s to between 400,000 to 600,000 today. In addition, the life span of HIV positives that refuse toxic AIDS treatments is over twenty years -- as long as HIV has supposedly been around.

So what's going on? Some big government conspiracy? Not likely. Think of AIDS as a tragic medical mistake where in an era of greed and fear non-contagious illnesses were blamed on a virus. Where societal disapproval of gay men was exacerbated by alarmist media reports and a massive amount of government and big business corruption. Think of AIDS as a scam not a scourge.

Sounds like denial to me.

Moroever, at least one ACT UP chapter has dissociated themselves from ACT UP SF. See, for instance, this from "Survive AIDS" (formally ACT UP Golden Gate). (This link was in the original article).

"This bit about "fair play" is really important. One of the underlying norms that makes science work is that people to some extent adjust their beliefs in response to contrary evidence. Obviously this doesn't happen all the time, but when you're dealing with someone who's not interested in the evidence at all but merely using it as a sort of prop to attempt to defend their position then that isn't an argument, it's just contradiction. At some point the proper response becomes to just ignore the offender, but then they claim that the orthodox community won't listen to them. It's obviously very hard for a layman to disentangle who's right. "

Actually, it does "happen all the time". It's a hallamrk of good science, to adjust and adapt a hypothesis, if it still works, to fit the evidence.

I can see how this might not have been clear. What I meant to say was that while scientists strive to adapt their beliefs, I concede that it doesn't always happen. Yes, it's a hallmark of good science but scientists are human.

Speaking of evidence, it's odd how "the deniers" talk constantly ABOUT the evidence, and how people such as yourself, do little more than 1. name-call, 2. misrepresent facts, and 3. refuse to discuss the facts, yet write on the issue without any notion at all what the big points of disagreement even are.

You can dismiss an argument you've never heard and don't know any of the details of, but don't call yourself "scientific" or even "honest".

Uh huh.

As it happens, I have taken the time to familiarize myself with some of the arguments raised by the AIDS denial community and satisfied myself that the "evidence" you're talking about is unconvincing. Luckily, it's not necessary for me to take the time to debunk these claims personally because others have already done so.

This PLOS Article by Tara C. Smith and Steven P. Novella, paints a pretty grim picture of the HIV Denialist movement. Now, you may have thought that this was pretty much limited to Thabo Mbeki and Peter Duesberg, but no, it turns out that the world is full of whackjobs. Smith and Novella aren't interested in arguing that HIV causes AIDS—a proposition which is fairly clearly true—as discussing how movements like this survive. The parallels to other anti-scientific conspiracy theories (with creationism being the most obvious example) are striking:

Although the HIV deniers condemn scientific authority and consensus, they have nevertheless worked to assemble their own lists of scientists and other professionals who support their ideas. As a result, the deniers claim that they are just on the cusp of broader acceptance in the scientific community and that they remain an underdog due to the "established orthodoxy" represented by scientists who believe that HIV causes AIDS.

...

Further, deniers exploit the sense of fair play present in most scientists, and also in the general public, especially in open and democratic societies. Calling for a fair discussion of dissenting views, independent analysis of evidence, and openness to alternatives is likely to garner support, regardless of the context. But it is misleading for the HIV denial movement to suggest that there is any real doubt about the cause of AIDS.

...

Of all the characteristics of deniers, repeatedly nudging back the goalpost--or the threshold of evidence required for acceptance of a theory--is often the most telling. The strategy behind goalpost-moving is simple: always demand more evidence than can currently be provided. If the evidence is then provided at a later date, simply change the demand to require even more evidence, or refuse to accept the kind of evidence that is being offered.

This bit about "fair play" is really important. One of the underlying norms that makes science work is that people to some extent adjust their beliefs in response to contrary evidence. Obviously this doesn't happen all the time, but when you're dealing with someone who's not interested in the evidence at all but merely using it as a sort of prop to attempt to defend their position then that isn't an argument, it's just contradiction. At some point the proper response becomes to just ignore the offender, but then they claim that the orthodox community won't listen to them. It's obviously very hard for a layman to disentangle who's right.

One strange twist to this story is that San Francisco ACT UP (though not other ACT UP branches) has become not only HIV denialist but also AIDS denialist:

The fact is that there is no plague of contagious AIDS. Every year of the so-called AIDS "epidemic" in the United States more people died from car accidents than from AIDS. Government estimates of the number of HIV positive Americans has been continually revised downward from 1.5 million in the mid-1980s to between 400,000 to 600,000 today. In addition, the life span of HIV positives that refuse toxic AIDS treatments is over twenty years -- as long as HIV has supposedly been around.

ACT UP SF now seems to be primarily in the medical marijuana business. There must be a really fascinating story behind that.

Mark Kleiman argues against the arguments against a fast withdrawal from Iraq:

More Iraqis will probably die of violence just after a U.S. withdrawal than are dying violently now. That will hand the pro-war forces a rhetorical "I told you so." Anyone who can blame what happened in Cambodia on U.S. doves is clearly shameless enough to blame the civil war in Iraq on the people who opposed the invasion rather than those who carried it out and then bungled the occupation.

But that's not a good enough reason to hang around, unless at some point it stops being true: that six months, or a year, or two years, or five years from now we would be able to withdraw and not have civil war and massacre follow. If all we're spending blood and treasure on is postponing a catastrophe we can't prevent, the "humanitarian" argument against a fairly rapid withdrawal collapses.

I don't have a good enough understanding of the situation to do a real cost/benefit analysis, but this general form of reasoning is clearly untrue. You wouldn't tell someone with a treatable but otherwise fatal illness that there was no point in treating him because he'd die of old age eventually anyway. Cost-benefit decisions need to be made at the margin and if in any given year vastly more people in Iraq would die if we withdraw than if we didn't then all other things being equal, there seems to be at least some humanitarian argument for us staying that year, even if there's no reasonable possibility that the situation will ever improve. After all, that's another year of life that those people who are not dead got to enjoy.

Obviously, this is just the beginning of the analysis, not the end, since you then have to ask where else we could be spending our bloor and treasure and would that other place have, as seems likely, a better cost/benefit ratio? But the simple argument that we're just postponing the inevitable doesn't seem to do the job.

I was going over my first iPhone bill this morning and noticed something interesting: they don't seem to be reliably billing in-network calls as mobile-to-mobile. One of my friends has an iPhone and so of course he has AT&T and we should be getting free mobile-to-mobile minutes, but we're not.¹ I've called AT&T customer service and they say they're working on it. You may want to check your own bill.

^1. Note: you have to be careful reading your bill because on nights and weekends, the minutes get billed as NW, not M2M. But I'm getting these minutes billed as daytime minutes as well.

I'm not at CRYPTO but my sources tell me that there may have been some more progress on SHA-1 and that the latest estimates are on the order of 2^60.x. Anyone with more details please post them in the comments.

Slate's shopping column always struck me as a little weird, but typically I don't know anything about the products they're reviewing. However, this week, they decided to cover a product I do know: water bottles. Like Nalgene users everywhere, Laura Moser discovers that the widemouth is a bit too wide:

Even without my prompting, audience responses were overwhelmingly negative. The mouth was judged impractically wide, and the bottle itself doesn't fit in most bike cages and car cup holders. Cheaper than most options, yes, and definitely a cinch to wash either by hand or in the dishwasher. But after a day in the sun, the water tasted flat and stale.

Is it really that hard to find out that Nalgene bottles come in multiple sizes? In particular, they come in smaller sizes and narrow-mouth bottles. You can also buy an insert that fits in the mouth of the bottle and stops it from spilling. I don't have any special brief for Nalge bottles, but I do wonder what the point of doing a consumer review is if you're not going to really survey the space.

Oh, and BTW, I don't have an informed opinion on Bisphenol A. I do, however, own a number of Nalge bottles and use them on and off.

Here's Skype's official word on what caused their outage:

In an update to users on Skype's Heartbeat blog, employee Villu Arak said the disruption was not because of hackers or any other malicious activity.

Instead, he said that the disruption "was triggered by a massive restart of our users' computers across the globe within a very short timeframe as they re-booted after receiving a routine set of patches through Windows Update," Arak wrote.

Microsoft Corp. released its monthly patches last Tuesday, and many computers are set to automatically download and install them. Installation requires a computer restart.

"The high number of restarts affected Skype's network resources. This caused a flood of log-in requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact," Arak wrote.

Arak did not blame Microsoft for the troubles and said the outage ultimately rested with Skype. Arak said Skype's network normally has an ability to heal itself in such cases, but a previously unknown glitch in Skype's software prevented that from occurring quickly enough.

Some thoughts:

• The phrasing "lack of peer-to-peer network resources" is quite interesting. One design goal for P2P systems is that their ability to handle load scales smoothly (or at least semi-smoothly) with the number of clients (peers) trying to use the system. It would be interesting to know what happened here.
• This is probably not a behavior you'd see in a truly decentralized system. If, for instance, everyone in the world rebooted their SIP client this would probably not cause all the SIP phones in the world to stop working for two days. Though it might cause transient outages as people independently rebooted their machines.
• How hard would it be for an attacker to trigger this sort of behavior intentionally by bouncing a large number of Skype clients which they have taken over (i.e., zombies in a botnet)?

Skype suffered an extended service outage last week. There were a lot of rumors about how this was the result of some sort of attack, though Skype denies it. Here's what they say:

Apologies for the delay, but we can now update you on the Skype sign-on issue. As we continue to work hard at resolving the problem, we wanted to dispel some of the concerns that you may have. The Skype system has not crashed or been victim of a cyber attack. We love our customers too much to let that happen. This problem occurred because of a deficiency in an algorithm within Skype networking software. This controls the interaction between the user's own Skype client and the rest of the Skype network.

I don't have any more information about this than anyone else, so it could be either an attack or just a simple error. In either case, even if you believe Skype's story, it suggests that the Skype system is fairly brittle. Basically, any problem with Skype's central servers, whether through attack or error, has the potential to bring down Skype as a whole. By contrast, in a more distributed/decentralized system, global outages tend to be a lot less common. For instance, if I have an account with SIP server Atlanta and you have an account with SIP server Biloxi, an outage at server Chicago doesn't affect us at all. Of course, if there's some sort of large-scale Internet outage, this can affect us, but such issues aren't that common and of course Skype is just as vulnerable to such issues.

I'm not arguing that SIP is somehow inherently superior to Skype. It's quite possible to build a SIP-based system which is just as centralized and fragile—if Vonage's servers go down, then no Vonage customer will be able to make phone calls. On the other hand, there are other SIP providers and they aren't affected by Vonage outages. The difference here is that Skype is inherently centralized, and you basically can't use Skype without talking to their servers somehow. ¹. By contrast, SIP was specifically designed to be used in a decentralized environment, much like e-mail is now, and clients and servers from separate vendors more or less interoperate—though of course some network operators won't allow direct SIP connections so you sometimes (often?) need to go through the PSTN for SIP UA A to talk to SIP UA B.

This isn't to say that decentralized systems are inherently better, of course, but they are generally more resistant to this particular failure mode.

^1. Yes, the Skype protocol has been reverse engineered, but as far as I know there aren't any compatible clients or servers, and Skype's implementation is deliberately designed to be closed—you shouldn't expect to be able to use Skype's clients with such a service, which significantly decreases the value of using the Skype protocol.

Rumsfeld apparently submitted his resignation before the 2006 midterm elections. This is getting spun as Rumsfeld not resigning as a result of the midterms, for instance:

WASHINGTON — Former Defense Secretary Donald Rumsfeld did not resign as a result of dramatic Republican losses in the U.S. Congress during last November's midterm election; it turns out he was ready to go ahead of the final tally.

Perhaps seeing the writing on the wall, Rumsfeld, who's largely faulted for mistakes and miscalculations relating to the Iraq war, signed his letter of resignation from the Bush administration the day before the Nov. 7 election, FOX News has confirmed.

His decision was not announced until a day after the voting. President Bush apparently didn't put his initials on the letter until Election Day, Reuters first reported Wednesday.

I'm not sure this spin makes much sense. First, it was pretty clear on Nov. 6 that the Democrats were going to win the House. The major question was whether they would win the Senate. So, even before the results were in, the election was going bad for the Republicans.

Second, thinking like a security guy, we don't know what would have happened if the Republicans had performed better than expected. Maybe Bush would have just torn up the resignation letter. Remember that Rumsfeld had offered to resign before and Bush had refused to accept it, so the decision ultimately rests with the President. For all we know, Rumsfeld signed a new pro forma resignation letter every day, but we just heard about the one Bush finally accepted. Obviously, that's unlikely, but the mere existence of a pre-election letter doesn't tell us much.

Dreamhost was down. Hopefully we're back on the air now.

Bike Snob NYC (þ Cilogear makes packs:

Trek engineers were finally liberated from the crippling constraints of seven-time Tour de France winner Lance Armstrong, whose irrational demands for a durable, comfortable, and practical road racing bike long prevented them from implementing the types of design improvements we real cyclists all long for--most important among them being larger head tube bearings, the elimination of pesky bottom brackets, and proprietary everything. The Madone is their ultimate achievement in fulfilling the new Trek mandate--to create a bicycle that cannot and will not accept any components manufactured by a company other than Trek.

Thanks to the wealth of diagrams and photographs that have accompanied the introduction of the new Madone, it was completely unnecessary for me to ride it, because it's abundantly clear the carbon fiber construction and layup yielded a frame that was laterally stiff yet vertically compliant. More important though is the fact that Madone riders will no longer have to go to the bike shop when they have a problem with a noisy, rough, or sloppy bottom bracket. Rather, they will only have to go to the bike shop when they have a problem with their noisy, rough, or sloppy proprietary bottom bracket shell. And if you've ever owned a bike that takes a more-or-less standard seatpost size, you can relate to the frustrating and time-intensive process of choosing from among the vast array of posts available to you on the market. With the Madone, Trek have taken the choice away from you, so instead of agonizing over seatposts you can spend more time riding. But enough of all this technical jargon. The fact is that this bike climbs like a fever on a dumbwaiter, descends like a German U-boat, cuts corners like a UAW welder, and accelerates like a Fiat strapped to an ICBM. Overall, just knowing that you're riding a bike that puts a pair of pedals, a seat, and some handlebars under you in a completely revolutionary way is enough to make you drive that much faster when you've got this baby strapped to the rear rack of your Honda Pilot.

Cacaolab, home of the world's most secure chocolate:

The store carries a range of truffles and other chocolate candies, but he also sells bars of chocolate, some of them single origin. In the middle of these bars, in a silver package that sets it apart from the dark packaging of the other more "ordinary" Marcolini bars is the Limited Edition, made from his own private stash of Mexican Porcelana Criollo. And, it's a $15 for 2.5 oz of chocolate. Yikes.

Being a complete chocolate fanatic, and admitted sucker for status items, this (and an assortment of the other single origin specialities) was a clear must-have. (In the most effective sales pitch ever, the clerk explained that they only had 9 bars left, and would not be getting any more for a year.) Got to give Marcolini points for designing a great retail experience!

Outside of the theatrics, this is one monumental chocolate. The Porcelana bean is known for being a very light, fruity bean. Latin American beans, in general, have a chocolate taste that builds more slowly and is less powerful than the more monochromatic, more directly "chocolatey" African beans. In Marcolini's Limited Edition, he's roasted and conched these sophisticated little seeds into a baroque wonder. One of my favorite things about tasting really quality chocolate is how the taste can play out and elaborate over time. Different cocoa butter fractions will melt at different points, and cocoa solids will release different flavors as the chocolate melts on the tongue. In a good Venezuelan or Madagascar chocolate, this shows up as a pleasant fruit or floral note that typically plays out after the initial chocolate and nutty flavors. This chocolate is sophisticated enough that it carries at least three distinct fruit notes that play out sequentially on the tongue. It's full of pineapple, apple, and banana notes that blend seamlessly into the bready and nutty lower flavors. There is very little bitterness or astringency to distract from this little taste melody. The Limited is clean and light enough that the middle flavors actually are quite similar to the softness of a milk chocolate. The typical punchiness of a lower end dark chocolate is almost entirely absent. The Marcolini has a complexity evident in very few dark chocolates, with a gentle character that makes milk chocolate seem redundant. Extraordinary.

MSNBC has a fairly disturbing article about how abusive spouses, *-friends, etc. are using tracking technology (GPS, spyware, etc.) to keep tabs on their victims:

Leah lived for seven years with an abusive man. The bruises, the bleeding and the isolation were only part of his strategy to control her, she says. He turned technology on her, too. He installed spyware on her computer, read her e-mail, tracked her cell phone calls, spied on the Web sites she visited, even attached a GPS locator device to her car.

One day, after she visited her college Web site, he accused her of trying to contact a former boyfriend. The punishment was severe.

"He beat me all weekend after that," she said.

There's nothing new about abusive spouses using technology to terrorize, said Cindy Southworth, technology director at the National Network to End Domestic Violence. What is new is that now nearly all abusers use high-tech spying tools to try to extend their domination, she said.

I'm a bit skeptical of the "nearly all" claim (though without any evidence against it) but it's certainly very straightforward to do any of this stuff. This also seems like a case where the attacker has an enormous advantage. Just to take the GPS case, a GPS unit can be stuffed into a unit the size of a large watch. It's pretty easy to hide something like that in a car. It's true that GPS has trouble getting a fix without clear access to the sky, but you don't need it to work all the time to get a pretty good idea of where someone has been.

On the other hand, one could imagine a victim of abuse using this kind of communications technology in a positive way: microphones and cameras are now incredibly small so gathering evidence of abuse has gotten a lot easier. You can also get a cheap prepaid cell phone which your abuser doesn't know about and use it to call for help. You could even put a GPS in your abuser's car so you know when you had time to get away. Hard to know where the tradeoffs are here.

Why are twist-off beer caps often so hard to twist-off? It doesn't help that the corners of the crimp are sharp and dig into your hands—maybe you could coat them with plastic or something. Listen up, folks: I shouldn't have to wrap the cap in my shirt in order to get it open; and if I have to resort to an opener, like I did with my otherwise quite nice Full Sail LTD we've completely missed the point of the twist-off.

Minnesota resident Dale Underdahl got busted for DUI and decided that requesting the source code for the Intoxylizer 5000EN would be a good way to get off:

During a subsequent court hearing on charges of third-degree DUI, Underdahl asked for a copy of the "complete computer source code for the (Intoxilyzer) currently in use in the state of Minnesota."

An article in the Pioneer Press quoted his attorney, Jeffrey Sheridan, as saying the source code was necessary because otherwise "for all we know, it's a random number generator." It is hardly new technology: One criminal defense attorney says the Intoxilyzer is based on the antique Z-80 microprocessor.

A judge granted the defendant's request, but Michael Campion, Minnesota's commissioner in charge of public safety, opposed it. Minnesota quickly asked an appeals court to intervene, which it declined to do. Then the state appealed a second time.

What became central to the dispute was whether the source code was owned by the state or CMI, the maker of the Intoxilyzer.

Minnesota's original bid proposal that CMI responded to says that "all right, title, and interest in all copyrightable material" that CMI creates as part of the contract "will be the property of the state." The bid proposal also says CMI must provide "information" to be used by "attorneys representing individuals charged with crimes in which a test with the proposed instrument is part of the evidence," which seems to include source code.

I have no informed opinion on whether Underdahl has a legal right to get a copy of the source code, but from a technical perspective it's not clear what he's hoping to find. It's certainly possible that the source code contains a random number generator or incriminating comment that says "insert .10 BAC reading here", or "this sensor doesn't work" but that doesn't really seem that likely. More likely it will be that it's just typical embedded software. I certainly don't see any problem with it being old technology. The Z80 is old, but it's a perfectly reasonable piece of hardware. Heck, I had one in my TRS-80 Model 3 back in the 80s.

If I were trying to call a breathalyzer reading into question, I'd probably be looking for a different angle: the measured accuracy of the system. This isn't really an issue of the source code but rather of the accuracy of the sensor. You might be able to learn something from the source code—for instance if there was some explicit fudge factor in the code—but more likely you'd need to actually examine the hardware or at least have access to studies done by someone else.

Obviously, if the vendors aren't willing to give up their source code, then subpenaing them may be a useful angle for now, but it's not likely to be a long-term effective strategy. It's not like states are going to give up on breathalyzers and even if CMI refuses to produce their source, some manufacturer eventually will. According to this article, some already do.

Just looked over DHS's new Secure Flight proposal. (By the way, it's a scanned printout, which is super-annoying.) Some initial reactions:

• The big change is that currently the carriers get a copy of the black (no-fly) and gray (selectee) lists and evaluate your name against the list. In the proposed system, the airline would send your PNR to TSA, which would make the evaluation itself. From a privacy perspective, this is substantially inferior; TSA would have a record of every flight you took. They claim that the vast majority of records will be deleted within 7 days. However, if you're a potential match (whatever that means) your records will be retained for 7 years. Remember when people got upset because JetBlue was sending PNR data to the government? This proposal would basically institutionalize that practice.
• The airlines are required to ask for your name, DOB, and gender, but the only information you're required to provide is your name. However, if the airlines have that information (plus a bunch of other stuff) then they have to provide it. Two notes here:
  • There's a big incentive to provide this data because it's being used to disambiguate you from terrorists who happen to share your name. And even if there aren't any terrorists, you can expect that the first thing that happens when you complain is that it's suggested that you provide this info.
  • It's probably irrelevant anyway because if you're a frequent flier it's likely your airline knows this information and they'll be required to provide it to TSA.
• If you feel you're being subjected to too much screening, there's (already) some program you can use to complain. They won't tell you if you're on the watch list but they might (or might not) issue you a number which yu can provide with your reservation and which might (or might not) lower the false positive rate.
• DHS is considering having a machine-readable indicator on each boarding pass. The idea would be to block tampering. Strangely, they say it won't contain any personally identifying information, which makes it a little unclear how it would work. The natural thing here is a digital signature over your name and maybe a picture, but the proposal isn't specific, and of course that would be personally identifying.
• There's some hints that TSA is planning on taking a harder line on letting you fly without ID if you get searched. On the other hand, the document does suggest there will still be exceptions so it's not clear what those will be.

Of course, like any name-based blacklist, the security of this system depends on (1) the quality of the algorithm generating the blacklist and (2) the level of difficulty required to obtain fake ID that will be accepted by the blacklist enforcers. It's not clear that either of these is really adequate at this time.

War Czar Lt.-General Douglas Lute just put the draft back on the table:

Washington -- A top U.S. military officer in charge of co-ordinating the U.S. war effort in Iraq said yesterday that it makes sense to consider a return of the draft to meet the U.S. military's needs.

Lieutenant-General Douglas Lute, said the all-volunteer military is serving "exceedingly well" and the administration has not decided a draft is needed.

But in an interview with National Public Radio, he said, "I think it makes sense to certainly consider it, and I can tell you, this has always been an option on the table."

I'm having some trouble figuring out what's going on here. I guess this could be a Kinsley gaffe, but I'm pretty skeptical that (a) a draft could get passed in the current environment or (b) the American people are going to tolerate having their teenage children conscripted and sent to Iraq. Of course, I could be totally misreading the current environment, but if I were the Democrats, I'd be hoping that the Bush administration would propose a draft.

DHS is revamping the no-fly/watchlist yet again. I haven't read this yet, so no useful comments, other than my general suspicion of name-based passenger screening.

One interesting point, though:

TSA is also proposing that each boarding pass will have a unique, scannable mark, which could be authenticated by a TSA employee with a wireless device at the head of the screening line. While the TSA hasn't chosen what technologies to use for this system, the move starts to eliminate a long-standing hole in the current system. That hole allows a watch listed person to avoid being banned from flying or encountering extra screening by modifying a print-at-home boarding pass.

Well, extra screening, perhaps, but not banned from flying, since you can just make up a fake name and then say you forgot your ID.

Infrant (makers of ReadyNAS, now owned by Netgear) just released a security advisory for remote root SSH access to their box:

NETGEAR has released an add-on to toggle SSH support for the ReadyNAS systems based on a potential exploit to obtain root user access to the ReadyNAS RAIDiator OS. Each ReadyNAS system incorporates a different root password that can be used by NETGEAR Support to understand and/or fix a ReadyNAS system remotely using the ReadyNAS serial number as a key. An attacker that has obtained the algorithm (and your serial number) to generate the root password would be able to remotely access the ReadyNAS and view, change, or delete data on the ReadyNAS.

ReadyNAS installation most vulnerable to this attack is in an unsecure LAN and where the ReadyNAS SSH port (22) is accessible by untrusting clients. Typical home environments are safe if a firewall is utilized and port 22 is not forwarded to the ReadyNAS from the router. We do advise that all ReadyNAS users perform this add-on installation regardless.

Installation of the ToggleSSH add-on will disable remote SSH access and thus close the vulnerability. At the same time, if you need remote access assistance from NETGEAR Support, you can install the ToggleSSH add-on again to re-enable SSH access during the time when the remote access is needed.

In other words, NETGEAR support can remotely log into any ReadyNAS box as root and manage it. A few notes:

• I'm having trouble imagining any conditions under which I'd want NETGEAR support to have remote access to my fileserver (and no, I don't own one of these). I wonder if there's some way to change the root password or if you're stuck with this backdoor. Is this really something that they need a lot or was it just a cunning plan that didn't get filtered out at some higher level.
• They don't disclose the algorithm they use to produce the password. Some such algorithms are good and some are bad. It would be interesting to know which type this is.
• There are three major ways to build a system like this on the verifying side:
  1. Have the box simply know its own password.
  2. Have the password-generation algorithm built into the box.
  3. Use public key cryptography. E.g., the password is a digital signature over the serial number.
  If I had to bet, it would be on (1) or (2). (2) is obviously pretty bad since it means that anyone who has a single box can reverse engineer the algorithm and generate as many passwords as they want. Anyone take one of these apart and know?
• What kind of auditing is available to find out if your box has already been taken over by some attacker who knows the key—or just someone from NETGEAR tech suport.

Oh, and what were they thinking having this on by default? Outstanding!

In my previous post about SWORDS robots, I referred to "fail-safe" and "fail-unsafe" strategies. Now, clearly, if you're a civilian in the line of fire of a killer robot, you'd think a strategy in which the robot shut itself down when it couldn't communicate with base to be "safe", you might feel a little differently if you were a soldier who had to go out into enemy fire because a minor communication glitch caused your robot to shut down.

As another example, take a system like Wireless Access in Vehicular Networks (WAVE), which provides for communications between vehicles and between vehicles and road-side units. WAVE can be used for safety messages, such as the Curve Speed Warning message, which allows a station at the side of the road to broadcast the maximum safe speed for a given curve. Obviously, you'd like there to be some message integrity here to prevent an attacker from broadcasting a fake speed. Now, what happens when the integrity check fails; do you ignore the message?

A decent argument could be made that either ignoring or trusting such messages was "fail-safe". Obviously, ignoring them appears safe in the sense that your vehicle reverts to what it was without the WAVE functionality, so you haven't been damaged. On the other hand, the curve speed warning is designed to help safety (that's why it's being broadcast) so ignoring it is arguably failing unsafe! I don't really have a position on what's right or wrong here, but it should be clear that the terminology is confusing.

I've heard people substitute the terms "fail-open" or "fail-closed", but those are even worse. If you're an electrical engineer, a closed circuit means current flows and an open circuit means current doesn't. On the other hand, an open firewall means that data flows but a closed one means it doesn't.

I don't know of any really good terms, unfortunately.

While we're on the subject of armed robots, it's sort of worth asking the question of what sorts of inputs caused them to "spin out of control". Are these the kind of inputs that could potentially be presented by attackers? If so, I hope they were actually fixed, not just covered up with a kill switch.

Wired reports that the DoD has taken delivery of three "special weapons observation remote reconnaissance direct action system" (SWORDS) robots. (Pretty tricky with those acronyms, guys!). Anyway, these are remote-controlled robots armed with M-249 machine guns.

Apparently these robots were uh, a bit flakey, but the manufacturers say they've got all the bugs worked out now:

The SWORDS -- modified versions of bomb-disposal robots used throughout Iraq -- were first declared ready for duty back in 2004. But concerns about safety kept the robots from being sent over the the battlefield. The machines had a tendency to spin out of control from time to time. That was an annoyance during ordnance-handling missions; no one wanted to contemplate the consequences during a firefight.

So the radio-controlled robots were retooled, for greater safety. In the past, weak signals would keep the robots from getting orders for as much as eight seconds -- a significant lag during combat. Now, the SWORDS won't act on a command, unless it's received right away. A three-part arming process -- with both physical and electronic safeties -- is required before firing. Most importantly, the machines now come with kill switches, in case there's any odd behavior. "So now we can kill the unit if it goes crazy," Zecca says.

OK, so ignoring the wisdom of starting from a platform which used to "spin out of control", I'm sort of interested in how the "kill switch" works. As far as I know, there are two basic ways to build a system like this:

• Fail-unsafe. The kill command is just a separate command that tells the unit to shut down.
• Fail-safe. The control unit regularly (or continuously) sends a signal. If the robot stops getting the signal it shuts down.

It should be pretty clear that if what you think there's a high likelihood that the robot's going to go nuts and you want to minimize the chance that it kills your own people, random civilians, their pets, etc., you probably want something that fails safe. This is especially true in view of the implication in this article that signal strength isn't always what you might like. You really don't want to have a situation where the robot is busy slaughtering innocent bystanders and you can't shut it down because your control unit is showing zero bars.

On the other hand, a fail-safe system is also much easier to DoS—it's probably more important when the system being DoSed is shooting your enemies than when it's serving up copies of Girls Gone Wild. All the attacker has to do is somehow jam your signal (and remember that since you probably want to have a cryptographically secured control channel, they only need to introduce enough errors to make the integrity checks fail). This makes the problem of designing the control channel a lot more difficult. I'd definitely be interested in hearing more about the design of the protocol for these gizmos.

I recently renewed my driver's license. Normally you can just renew my mail but after you've had two renewals by mail you have to go back into the DMV (carrying the form they send you). There seem to be two purposes here:

• Make sure you can still see.
• Get an updated picture.

Here's the weird part: they didn't check my current license (though as I remember, the form they send you say you need to bring it). They just took my money, checked my vision (in that order, which is also kind of weird) and then gave me the provisional license printout. You then walk over to a different window where they take your thumbprint and picture.

Assuming this is standard practice, and not just an error by the clerk, then attacker who pulled the form out of your mail, could just walk in and complete this process. In theory, they might catch you by comparing your existing biometrics (photo, thumbprint) against the newly captured biometrics. I don't know if they do that or not, but it seems like it would be relatively easy to bypass: people's looks change a lot in 15 years and while thumbprints don't change, there are also known techniques for cheating thumbprint scanners--assuming they check this stuff at all.

Obviously, if you went to the DMV and found someone else had already renewed your license, that might be something you'd notice, but it's not clear what the State would do about it. The wrong person would still have an ID in your name. There's no normal procedure for revoking driver's licenses. This isn't catastrophic, of course, unless you have some system that depends on positive identification of people, like say, a no-fly list.¹

^1. And of course if the person who's identity you were stealing was cooperating, then they wouldn't even have to report it. This doesn't make sense ordinarily, but you could use it to exchange the identity of someone who was on a no-fly list for a plant who was not.

Until today I had been unaware that the Canadian Dollar had passed parity with the US Dollar. The Canadian Dollar is now at 0.946074 US Dollars. Maybe I'll have to take back those peso jokes I made a few years back.

UPDATE 20070804 OK, this post was completely wrong. Someone had told me that the CAD had passed USD and then I somehow misread the results from the exchange site. Still, we're getting scarily close.

For the past couple months I've been spending most of my time working on California's Top-to-Bottom Review of electronic voting systems certified for use in California.

The overall project was performed under the auspices of UC and led by Matt Bishop (UC Davis) and David Wagner (UC Berkeley), who did a great job of negotiating a wide variety of organizational obstacles to get the project going and keep it on track.

This project reviewed the systems of three manufacturers:

• Diebold Election Systems Inc. (DESI)
• Hart InterCivic
• Sequoia Voting Systems

Each company makes both an optical scanner for paper ballots and a computerized direct recording electronic (DRE) (these are often called touchscreen, but the Hart system actually uses a clickwheel), as well as a back-end election management system.

Each system was assigned to three teams:

• A documentation team which reviewed only the documentation.
• A "red team" which conducted penetration testing.
• A source code team which reviewed the source code.

There was also an accessibility team for all the systems.

I led the Hart source code team, consisting of me, Srinivas Inguva, Hovav Shacham, and Dan Wallach, and sited at an undisclosed location which can now be disclosed as SRI International in Menlo Park. Our report was just published yesterday, just ahead of the statutory deadline for the State to decide on whether these systems will continue to be certifed (more detail here). You can get it here and all the reports here.

I wasn't planning on saying much about this on EG. Most of what I have to say is already said better in our report. I did want to say a word about my team, who put in extraordinary amounts of effort under an extremely tight timeline; just over a month from the time we got the Hart source to the delivery of the final report. Thanks, guys, and I look forward to working with you again, hopefully next time in a room with 24x7 air conditioning.