January 2008 Archives


January 31, 2008

In what is probably not the most astute PR move ever, the TSA has decided to start a blog. It's sort of weirdly earnest and self-justifying. For example:

There is no time to talk, to listen, to engage with each other. There isn't much opportunity for our Security Officers to explain the 'why,' of what we ask you to do at the checkpoint, just the 'what' needs to be done to clear security. The result is that the feedback and venting ends up circulating among passengers with no real opportunity for us to learn from you or vice versa. We get feedback verbally and non-verbally at the checkpoint and see a lot in the blogs, again without a real dialogue.

Our ambition is to provide here a forum for a lively, open discussion of TSA issues. While I and senior leadership of TSA will participate in the discussion, we are turning the keyboard over to several hosts who represent what's best about TSA (its people). Our hosts aren't responsible for TSA's policies, nor will they have to defend them -- their job is to engage with you straight-up and take it from there. Our hosts will have access to senior leadership but will have very few editorial constraints. Our postings from the public will be reviewed to remove the destructive but not touch the critical or cranky.

Truth be told, they really haven't censored the comments much, and the comments thread on the first post seems to be split about 20/20/60 (a rough estimate; I didn't actually count them) between:

  • I'm a TSA employee and this is really great.
  • Could you please explain the following baffling TSA security practice?
  • I fly a lot and the TSA sucks, as do their policies.

Unsurprisingly, I don't see a lot of real engagement with the points being raised by commenters. It's mostly the same sort of vague defensiveness you see in the TSA's more formal communications with the public. For instance, this post wants to be a justification of the shoe policy:

It's not all about Richard Reid when it comes to the screening of shoes. Post all of your thoughts about shoes in this blog post. To learn more about how the shoe fits in with the TSA, check out our web page on "why we screen shoes". Then come back here and let's talk.

The article this is referring to is here and transitively these "recently declassified" (nothing like that to give the air of authenticity) photos of x-rays of shoes with explosives in them:

Wow, that's totally convincing, except for the fact that (1) you can get hard (machinable) explosives which you could form into the whole sole of the shoe, pretty much making this sort of contrast technique useless and (2) there are lots of ways to conceal the explosive (non-magnetic, remember) parts of a bomb on your body [*].

People of course point this out in the comments section, but the TSA people don't respond, so the whole exercise is kind of pointless. Do they really expect this to make anyone have a more positive opinion of TSA?


January 30, 2008

In the comments, Dave B. asks:
Can you share your solution, please? 'Not the world's most intuitive UI' is being _very_ polite! That change has smashed hundreds of my inbound links ... but damned if I can find the place to set the dirify defaults ... :-(

Glad you asked.

Go to "Design | Templates | Archive Templates | Individual Entry Archive". At the bottom is a pulldown labelled "Archive Mapping". It's probably set to yyyy/mm/entry-basename.html. Apparently this is a schematic representation of the names. If you change it to yyyy/mm/entry_basename.html (note substitution of underscore for hyphen) you'll get underscorified permalinks. Totally intuitive, eh?


January 29, 2008

MySpace has been under a lot of pressure to do something about the alleged threat from "sexual predators" using their service. As I've observed before, there's not really much they can do unilaterally. They appear to have decided to deal with this problem through legislation: New York Attorney General Cuomo has proposed a bill to restrict sex offenders' use of the Internet:
MySpace and Facebook, said Cuomo, asked for new legislation to help them make their social networks safe. And that's what the E-STOP Act aims to provide. Cuomo described it as a Megan's Law for the age of the Internet. Megan's Law, named after murdered seven-year-old Megan Kanka, refers to a collection of state and federal laws enacted in the 1990s that require sex offenders to register so that communities can be informed of their presence.

"The law that we're talking about today does two things," said Cuomo. "First, as a mandatory condition of parole or probation for serious sex offenders, it will prohibit them from going on social networking sites that attract young people or from communicating on the Internet with any person under 18 years old. Second, it sets up an e-mail registry where every parolee will have to give their e-mail or their on-screen identities to a state registry. And it establishes a process whereby the social networking sites or Internet sites can take that Internet registry, run it against their site, and screen or delete the users who are on both lists. It also allows Internet service companies to notify law enforcement, who can then take the appropriate action."


"Rather than treating the online and offline worlds differently, our goal at MySpace has been and will continue to be to make our virtual neighborhood as safe as our real one," said Hemanshu Nigam, chief security officer of Fox Interactive, which owns MySpace. "We keep a watchful eye on predators who leave our jails and prisons into our physical world. If we fail to do so in our online world, we unwittingly provide an advantage to these predators, an advantage that they can and they will exploit."

OK, so at some level this isn't completely insane. As I said earlier, clearly MySpace can't do this alone, so if your plan is to keep sex offenders off MySpace, then you're going to need some kind of legislation to let you identify them. That said, it's not really clear why this is thought to be valuable. Presumably if you get busted for being a sex offender, you're not going to be overly concerned about whatever additional penalty you get for failing to register your email address or illegally using MySpace.

Nigam makes the analogy to having to register your physical address, but this doesn't really make much sense. You've got to live somewhere, so it's kind of noticeable if you don't register your physical address, and the parole officer can come by and check up on where you live. So, to the extent to which you think it's important to figure out where sex offenders live (again, it's not clear it really is), it's fairly doable. By contrast, you can have as many email addresses as you want and it's not particularly difficult to get yourself an untraceable or at least hard to trace email address, so it's extremely hard to verify that sex offenders have actually registered their addresses if they make any attempt to evade this law.

And of course this assumes that it's particularly useful to be able to keep sex offenders off of services like MySpace and Facebook. That's not really clear. I'd be interested to see if there is any good data on how many sex offenses actually result from solicitations on services like this.


January 28, 2008

I've upgraded to Movable Type 4. This may produce some weird artifacts, which you should let me know about.

UPDATE: Yes, I know the archives are broken. For some reason, MT4 wants to replace spaces with hyphens instead of underscores. Currently RTFMing for the setting to change this back. If anyone out there knows and wants to save me the trouble, please let me know.

UPDATE: Problem solved, I think. Not the world's most intuitive UI.

Hi folks, I know we're getting a lot of comment spam today. I'm working to get it under control.

January 27, 2008

NPR has an interesting story about Narcan rescue programs. The idea is to package the opioid antagonist naloxone (Narcan) in an easy-to-administer nasal spray that users can administer in case of heroin overdose. Based on the article, it's a bit hard to figure out what the impact is, but here are the uncontrolled statistics:
The nasal spray is a drug called naloxone, or Narcan. It blocks the brain receptors that heroin activates, instantly reversing an overdose.

Doctors and emergency medical technicians have used Narcan for years in hospitals and ambulances. But it doesn't require much training because it's impossible to overdose on Narcan.

The Cambridge program began putting Narcan kits into drug users' hands in August. Since then, the kits have been used to reverse seven overdoses.

New data compiled for NPR by researcher Alex Kral of the consulting firm RTI International show that more than 2,600 overdoses have been reversed in 16 programs operating across the nation.

Kral estimates that is at least 75 percent of all the reversals that have occurred so far among several dozen U.S. programs, many of which are new.

This is great, right? Well, not according to ONDCP:

But Dr. Bertha Madras, deputy director of the White House Office on National Drug Control Policy, opposes the use of Narcan in overdose-rescue programs.

"First of all, I don't agree with giving an opioid antidote to non-medical professionals. That's No. 1," she says. "I just don't think that's good public health policy."

Madras says drug users aren't likely to be competent to deal with an overdose emergency. More importantly, she says, Narcan kits may actually encourage drug abusers to keep using heroin because they know overdosing isn't as likely.

Madras says the rescue programs might take away the drug user's motivation to get into detoxification and drug treatment.

"Sometimes having an overdose, being in an emergency room, having that contact with a health care professional is enough to make a person snap into the reality of the situation and snap into having someone give them services," Madras says.

OK, so this is pretty cold, but maybe it's good cost/benefit analysis. Econ 101, right? If Narcan produces a marginal decrease in the probability of dying of a given overdose but has a big negative impact on the abuse rate, and thus presumably on the overall overdose mortality rate, then maybe it's good policy to restrict access (cf. risk homeostasis). It turns out, though, that (at least according to this article) not only is there no evidence that Narcan increases the aggregate overdose rate, the (minimal) data there is suggests the contrary.

There is not much research on the effect of Narcan kits on drug abusers' behavior, but one small study suggests that overdose-rescue programs reduce heroin use and get some people into treatment.

There's not enough information here to tell whether Madras is just letting theory get ahead of the data, or whether her real objection is something else. That said, a lot of the resistance to various harm reduction measures seems to be based on not having the government appear to be (tacitly?) endorsing illicit drug use by taking steps to help users, so that may be what's going on here.


January 26, 2008

News is circulating of a German plan to build a "Skype-Capture-Unit", software which would live on your computer (be surreptitiously installed by the government) and capture the media for analysis. This is necessary because Skype is encrypted so ordinary capture mechanisms just get ciphertext. It's a little hard to read what's being proposed, but it sounds like the software would actually divert a copy of the plaintext to the monitoring station.

If this is indeed what the German government is planning on doing, it's actually kind of lame. First, it's inefficient, since you need twice as much bandwidth: the original media stream plus the copy to the monitoring station. Second, it's easy to detect, because you're using a lot more bandwidth. An approach which would be much harder to detect would be to arrange to leak the encryption key and then capture the ciphertext using standard monitoring techniques. The key leakage can be done in such a way that it's very hard to detect.

The document also describes an SSL interception system. I'm finding it a little hard to decode, but it talks about a man-in-the-middle attack, which is also easier to detect than necessary. Again, this doesn't seem like the most efficient technique—easier to just leak the keys.

As I've mentioned before, since Skype controls the software, they could assist the government with LI if they chose. This document is at least suggestive that they're not doing that.


January 24, 2008

As you may have heard, the FISA telecom immunity bill is back. If you haven't heard, the administration is pushing a bill that would, among other things, provide retroactive immunity for telecoms who participated in the warrantless wiretapping program. A few months ago, when this last came up for debate, I wrote to Dianne Feinstein about it. Probably not coincidentally, I got an email from her office about it the other day:
The Intelligence Committee's report on the bill includes declassified text stating that the Executive branch provided letters to electronic communication service providers at regular intervals. These letters all directed or requested assistance and noted that the assistance was authorized by the President and was legal. The Committee's report can be found at http://intelligence.senate.gov/071025/report.pdf.

I introduced an amendment on the Senate floor that would limit this grant of immunity. Under my amendment, cases against the telecommunications companies would go to the FISA Court for judicial review. The Court would only provide immunity if it finds that the alleged assistance was not provided, that assistance met legal requirements, or that a company had a good faith, reasonable belief that assistance was legal.

This seems like a pretty low bar. There are actually three cases:

  1. The telcos thought that they were legally required to enable wiretapping.
  2. The telcos thought that they didn't have to enable wiretapping but that it was legally permitted.
  3. The telcos thought that they were legally forbidden from enabling wiretapping.

The basic rationale for immunity seems to be that the telcos thought they were doing their civic duty and shouldn't be punished if it turns out that it was actually illegal (note that this stance is a bit belied by the much-publicized revelation that the telcos stopped the wiretaps when the government didn't pay). This isn't crazy: certainly, if the telcos were in receipt of a court order directing them to wiretap some set of communications I would expect them to comply (though a telco which was known to have actively resisted the order would certainly be one I'd want to give my business to) and a grant of immunity seems reasonable in such a case—though I'm not sure that one was required. So, if the telcos can demonstrate that they actually had a good faith belief that they were legally required to comply then immunity seems appropriate.

Similarly, if it turned out that the telcos thought they were actually violating the law then immunity seems totally unreasonable. On the other hand, it would be fairly unsurprising if they were stupid enough to leave records lying around that said "let's do this totally illegal thing." Is there anyone who thinks that they should have immunity in this case? (This isn't to say that the law as currently proposed doesn't grant immunity here—I haven't checked—in which case Feinstein's amendment would be an improvement.)

So, case (2) is the interesting case: the telcos thought they had some discretion and decided to exercise it in the government's favor and not that of their customers. That's certainly a reasonable business judgement and of course there are powerful reasons for getting on the government's good side, but getting sued and losing a lot of money in case what they've decided to do is actually illegal is the business risk you take in such cases. If you want (and I do) the telcos to take any interest at all in your privacy, then they actually have to bear some risk in cases when they decide not to do so.

That said, whether the telcos get punished is actually not the most important piece here. As I understand it, one effect of the immunity grant is to effectively foreclose a lot of the lawsuits currently filed against the telcos. Since those suits were a major avenue for public discovery of what really happened in this program, the immunity grant would also act to keep the details of the program secret, which is bad if you think that this is the kind of thing that ought to be publicly discussed rather than just done in secret. I'd be much more receptive to a bill which granted immunity in return for full disclosure, but of course that's not what Feinstein's amendment does, since the immunity determination is made by the FISA court.


January 23, 2008

In this installment of EG career day, I give sex advice. Every year The Stranger runs a charity auction and this year I bought the right to be Savage Love's guest expert. So, last week I flew up to Seattle, met with Dan, and picked out some questions to answer.

Here's me with Dan Savage:

(Sorry about the low quality... it was taken with my iPhone.)

My so-called advice runs in The Stranger this week and in other papers next week and can be found here.

Last time on EG career day, I made burritos.

UPDATE: Props to Jon Peterson, who did the actual eBay bidding for this item.


January 22, 2008

The EU has decided that IP addresses need to be treated as personally identifying information.
Google and other companies maintain that I.P. addresses are not personally identifiable information. One part of the argument is that I.P. addresses identify a computer, not the person using it. True. But that’s the same as a telephone; just because a call was made from a number doesn’t tell you exactly who was talking. Nonetheless, I suspect that most people believe their phone number is quite personal.

The other part of the argument has to do with dynamic I.P. addresses, the practice by Internet providers of switching the I.P. address of home users. Even there, I.P. addresses are not as anonymous as they would appear. Internet service providers keep records of what I.P. addresses are assigned to which customers at what times. Combine these I.S.P. records with a log file from a Web site, and you have a map to who has done what on the Internet.

Look, this isn't even close. It's certainly true that many home users have IP addresses that are assigned via DHCP, so in principle they're dynamic, but that doesn't mean that you don't regularly get the same IP. From what I hear, common practice for full-time Internet connections is to regularly assign the same IP addresses to the same host. The IP addresses change occasionally, but mostly they're semi-static, so the IP address is generally a pretty useful identifier. And of course, even if your IP address does change regularly, it's still possible to cross-correlate activities at multiple sites at the same time.

Of course, this doesn't tell you how IP address information should be handled. Web servers routinely log client IP addresses, and your average small Web site has zilcho in the way of policies or mechanisms for purging this kind of information from its logs. So, saying that IP addresses need to be kept confidential would entail pretty significant changes to operational practice. It's a balancing act, but it's certainly not true that there's no privacy risk from IP information leaking; quite the contrary.
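As an added example (not code from the original post), here is the kind of small log-hygiene mechanism the paragraph says most sites lack: it parses Apache "combined" format lines, drops entries older than a retention window, and truncates the surviving client addresses to a network prefix so the raw IP never persists. The sample lines, the 30-day window and the /24 and /48 prefix lengths are all constructed for the example; the regex and prefix policy are assumptions you would adjust to your own log format and risk tolerance.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache "combined" log format, using documentation addresses.
SAMPLE_LOG = """\
203.0.113.47 - - [22/Jan/2008:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [20/Jan/2008:09:02:11 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Dec/2007:23:59:59 +0000] "POST /comment HTTP/1.1" 302 0 "-" "curl/7.16"
garbage line that does not parse
"""

# Constructed "current time" for the retention check.
NOW = datetime(2008, 1, 23, tzinfo=timezone.utc)

# client-ip, ident/user fields, [timestamp], and everything after.
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')


def mask_ip(ip_text: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Keep only the network part of the client address. The prefix lengths
    are a constructed policy; pick them for your own site."""
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def parse_timestamp(ts: str) -> datetime:
    """Apache timestamp, e.g. 22/Jan/2008:10:15:32 +0000."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def scrub_log(text: str, now: datetime, keep_days: int = 30) -> list:
    """Drop lines older than the retention window and mask the client IP on
    the rest. Lines that do not parse are dropped as well, so nothing
    unmasked slips through. Returns the surviving, rewritten lines."""
    kept = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if now - parse_timestamp(m["ts"]) > timedelta(days=keep_days):
            continue
        kept.append(f"{mask_ip(m['ip'])} {m['ident']} [{m['ts']}] {m['rest']}")
    return kept


if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG, NOW):
        print(line)
```

Truncation rather than deletion keeps the logs useful for rough traffic analysis while removing the host-level identifier; if you need to correlate repeat visitors across requests, a keyed hash of the address with a regularly rotated key is the usual alternative, at the cost of the key becoming the thing you have to protect.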


January 21, 2008

I haven't gotten my copy of Liberal Fascism (aka "a very serious, thoughtful, argument that has never been made in such detail or with such care") to make fun of yet, but it seems to me that this theme isn't exactly new to Goldberg. Here's Jello Biafra in 1979:
I am Governor Jerry Brown
My aura smiles
And never frowns
Soon I will be president...

Carter Power will soon go away
I will be Fuhrer one day
I will command all of you
Your kids will meditate in school
Your kids will meditate in school!

California Uber Alles
California Uber Alles
Uber Alles California
Uber Alles California

Zen fascists will control you
100% natural
You will jog for the master race
And always wear the happy face

Rest of lyrics here.


January 18, 2008

On my way home last night I caught Eric Weiner, author of The Geography of Bliss, on NPR. Weiner claimed that all languages have many more words for negative emotional states than positive ones (and that this was some sort of Sapir-Whorf thing). I'm not sure that this is really true—there are actually quite a few words for positive states—but of course Tolstoy said it first:
Happy families are all alike; every unhappy family is unhappy in its own way.

And of course along the same lines, here's Richard Dawkins:

True, there are many different ways of being alive - at least ten million different ways if we count the number of distinct species alive today - but, however many ways there may be of being alive, it is certain that there are vastly more ways of being dead!

January 16, 2008

Mrs. Guesswork and I just finished watching Penn and Teller's Bullshit! episode on feng shui. Regardless of the merits of feng shui, I was surprised to see that the recommendations from the various practitioners varied so widely. I don't know much about feng shui, but I'd always had the impression the rules (whatever you think of their merits) were pretty well defined. By contrast, while there's some variation in the exact rules, it's not like half the Orthodox rabbis in the world think it's cool to eat bacon double cheeseburgers.

January 15, 2008

OK, so the MacBook Air is now available. I may actually buy a Mac laptop this time.

Oh, also iPhone software 1.1.3 is out, with the cell network triangulation location feature. Not as nice as GPS, but it did figure out where my house was to within 50 meters or so.

Courtesy of Steve Bellovin on the cryptography mailing list, here is the (a?) article about Mike McConnell's desire to "tap into cyberspace":
Spychief Mike McConnell is drafting a plan to protect America's cyberspace that will raise privacy issues and make the current debate over surveillance law look like "a walk in the park," McConnell tells The New Yorker in the issue set to hit newsstands Monday. "This is going to be a goat rope on the Hill. My prediction is that we're going to screw around with this until something horrendous happens."

At issue, McConnell acknowledges, is that in order to accomplish his plan, the government must have the ability to read all the information crossing the Internet in the United States in order to protect it from abuse. Congressional aides tell The Journal that they, too, are also anticipating a fight over civil liberties that will rival the battles over the Foreign Intelligence Surveillance Act.

Part of the lawmakers' ire, they have said, is the paltry information the administration has provided. The cyberspace security initiative was first reported in September by The Baltimore Sun, and some congressional aides say that lawmakers have still learned more from the media than they did from the few Top Secret briefings they have received hours before the administration requested money in November to jump start the program.

I can't tell if there's even anything new here.


January 14, 2008

Word is starting to percolate around the net about an alleged plan by the USG to tap the entire net.
The article, which profiles the 65-year-old former admiral appointed by President George W. Bush in January 2007 to oversee all of America's intelligence agencies, was not published on the New Yorker's Web site.

McConnell is developing a Cyber-Security Policy, still in the draft stage, which will closely police Internet activity.

"Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search," author Lawrence Wright pens.

"Google has records that could help in a cyber-investigation, he said," Wright adds. "Giorgio warned me, 'We have a saying in this business: Privacy and security are a zero-sum game.'"

A zero-sum game is one in which gains by one side come at the expense of the other. In other words -- McConnell's aide believes greater security can only come at privacy's expense.

The actual PDF link (http://online.wsj.com/public/resources/documents/WashWire.pdf) seems to be broken, which is fishy to say the least.

I don't know what the "authority to examine the content of any e-mail", etc. means. Obviously, the government has the authority to get this information with a search warrant (Google records and emails have been subpoenaed before) and the feds have had a variety of net tapping technologies (e.g., Carnivore) for a while, so it's not clear what exactly is new here. Obviously, if they want the authority to do this without a warrant, that would be a big change. Is anyone suggesting that? I'm suspending judgement till I see the original article. If anyone has it or a pointer to it, I'd love to see it.

Oh, and this stuff about how security and privacy is a zero sum game. I'm certainly willing to believe there's a tradeoff, but I'd be pretty surprised if it were exactly zero sum. Few things are, and it's pretty hard to believe there's not a point of diminishing returns after which incremental amounts of surveillance only add very small amounts of security.

Sorry about the lack of posting over the past few days—the combination of all-day meetings and a bad cold has left me pretty useless. My viral load is still high but my meetings are over, so expect posting to resume shortly. In other news, nasal spray is the greatest medical invention of the 20th century.

January 9, 2008

The reason that front running works at all is that WHOIS leaks the name of the domain you're looking for to the WHOIS service operator, and in this case the operator is the adversary, giving them an opportunity to get ahead of you. The usual answer to this problem is to create a set of policies that treat WHOIS queries as sensitive information (see ICANN's study on front running). One could, for instance, require the WHOIS operator to treat WHOIS queries as private.

However, there's a cheap, compatible, technical hack that substantially increases the difficulty of front running attacks without any new policies: allow WHOIS searches on hashes of domain names. The way this would work is that the WHOIS operator would create a parallel tree of phony domain name registrations in WHOIS. For instance, if I registered example.org, then they would also create an entry for SHA-1(example.org)=20116dfd6774a9e7b32eddfea3f6cb094e38fc3f.org (we might need to register a new TLD to make this work and guarantee no collisions) and populate it with the record for example.org. Then, I could locally compute the hash for each domain name I wanted to check on and easily verify its existence or nonexistence.

Other properties:

  • The WHOIS server doesn't get the name being searched for, just the hash. It's in principle possible to iterate through all possible names to see what hashes match, but this isn't practical for any at all unusual name, and of course most obvious names have already been registered.
  • The WHOIS protocol doesn't need to change: this looks like a valid domain name.
  • It's easy to generate the records on the server side: just run some script over your WHOIS database.
  • It's easy to enhance your WHOIS client to do the hash first, but even if you don't, command line hash programs are easy to get.
  • Note that there is some chance of name collisions
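To make the scheme concrete, here is an added example (my code, not anything from the post or from any registrar) of both halves: the operator's script that derives the parallel tree of hashed records, and the client that hashes locally and sends only the hash. It also includes the observer's-eye view from the first bullet, showing that a wordlist recovers guessable names and nothing else. The `.hash` TLD, the lower-case/no-trailing-dot normalization, and the registration records are all constructed assumptions; the dict lookup stands in for the network WHOIS query.

```python
import hashlib

# Hypothetical TLD for the parallel tree; the post notes a new TLD might be needed.
HASH_TLD = "hash"


def hashed_label(domain: str) -> str:
    """SHA-1 of the normalized domain name as a 40-character hex label.
    Normalization (lower-case, no trailing dot) is a constructed convention
    that client and server must share, or lookups will silently miss."""
    name = domain.strip().lower().rstrip(".")
    return hashlib.sha1(name.encode("ascii")).hexdigest()


def hashed_name(domain: str, tld: str = HASH_TLD) -> str:
    """The phony domain name the client actually sends to WHOIS."""
    return f"{hashed_label(domain)}.{tld}"


def build_parallel_tree(registrations: dict) -> dict:
    """Server side: one extra record per registration, keyed by the hashed
    name and carrying the same record as the real domain."""
    return {hashed_name(name): record for name, record in registrations.items()}


def check_availability(whois_db: dict, domain: str) -> tuple:
    """Client side: compute the hash locally and look that up. Returns the
    query the server would see and whether the name appears available."""
    query = hashed_name(domain)
    record = whois_db.get(query)  # the server learns `query`, never `domain`
    return query, record is None


def guess_from_wordlist(observed_queries, wordlist) -> dict:
    """What an observer of the queries can recover: only names it can guess.
    This is the dictionary-attack limitation the post points out."""
    table = {hashed_name(w): w for w in wordlist}
    return {q: table.get(q) for q in observed_queries}


# Constructed registrations standing in for the operator's WHOIS database
# (the second name is the one from the Domain Name News story below).
REGISTERED = {
    "example.org": {"registrant": "constructed registrant A"},
    "howdoesthisdomaintastetaste.com": {"registrant": "constructed registrant B"},
}
PARALLEL_TREE = build_parallel_tree(REGISTERED)

if __name__ == "__main__":
    for name in ("example.org", "xyzzy-quite-unusual-4471.org"):
        query, available = check_availability(PARALLEL_TREE, name)
        print(f"{name}: sent {query}, available={available}")
```

The normalization step is the part most likely to go wrong in practice: if the operator hashes `Example.ORG` and the client hashes `example.org`, the client sees "available" for a taken name, which is exactly the failure mode a front-runner would be happy with, so the convention has to be fixed in the specification rather than left to each implementer.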

You still might need ICANN or someone like them to force the operators to do this, since it's not clearly in their interest. On the other hand, the direct cost to them is so low that it's hard to really object to on difficulty grounds.

Technical Note 1: This problem is related to private information retrieval but is dramatically easier because we don't care about the server knowing what record we fetched if it exists, only if it doesn't exist. Actually, we only care if the record exists. We don't need the record itself, which makes the problem yet easier.

Technical Note 2: It would be nice to have a solution that didn't allow dictionary attack. The best solutions I know use Bloom filters.

  • The server can send you a Bloom filter with the names he knows. This is completely resistant to dictionary attack but is still of linear size in the number of inserted domain names per key. And, of course, there are false positive issues.
  • The client can request the values of specific bits in a server-side Bloom filter. By asking for a superset of the bits you want you can get some dictionary attack resistance. This has much lower space requirements, but still leaks some information to the attacker—I haven't done the math on how much, but it clearly scales to some extent with the number of bits requested, with the limit being all of them.
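The two Bloom filter variants above, as an added example that is not from the post: a server-side filter over registered names, the whole-filter download from the first bullet, and the bit-request query from the second bullet, where the client pads its k positions with random decoys so the server only ever sees a superset. The position-derivation scheme (SHA-256 over a counter-prefixed name), the 4096-bit/3-hash parameters, and the registered names are constructed assumptions; the false positive estimate is the standard Bloom filter formula.

```python
import hashlib
import math
import random

M_BITS, K_HASHES = 4096, 3   # constructed filter parameters; both sides must agree


def bloom_positions(name: str, m: int = M_BITS, k: int = K_HASHES) -> list:
    """The k bit positions for `name` in an m-bit filter. Constructed scheme:
    SHA-256 over a counter-prefixed, normalized name, reduced mod m."""
    name = name.strip().lower().rstrip(".")
    positions = []
    for i in range(k):
        digest = hashlib.sha256(f"{i}:{name}".encode("ascii")).digest()
        positions.append(int.from_bytes(digest[:8], "big") % m)
    return positions


class ServerBloom:
    """The operator's side: a filter over registered names."""

    def __init__(self, m: int = M_BITS, k: int = K_HASHES):
        self.m, self.k = m, k
        self.bits = bytearray(m)  # one byte per bit keeps the code readable

    def add(self, name: str) -> None:
        for p in bloom_positions(name, self.m, self.k):
            self.bits[p] = 1

    def whole_filter(self) -> bytes:
        """First bullet: ship the entire filter; nothing about the query leaks."""
        return bytes(self.bits)

    def bit_values(self, positions) -> dict:
        """Second bullet: answer a request for specific bit values only."""
        return {p: self.bits[p] for p in positions}


def offline_check(filter_bytes: bytes, name: str, k: int = K_HASHES) -> bool:
    """Client test against a downloaded filter (first bullet)."""
    m = len(filter_bytes)
    return all(filter_bytes[p] == 1 for p in bloom_positions(name, m, k))


def client_query(server: ServerBloom, name: str, decoys: int, rng=None) -> tuple:
    """Client asks for its k positions plus `decoys` random ones (second bullet),
    so the server sees a superset and cannot tell which positions matter.
    Returns (probably_registered, set_of_positions_requested)."""
    rng = rng or random.Random(0)  # fixed seed only so the example is reproducible
    wanted = set(bloom_positions(name, server.m, server.k))
    asked = set(wanted)
    while len(asked) < len(wanted) + decoys:
        asked.add(rng.randrange(server.m))
    answer = server.bit_values(sorted(asked))
    return all(answer[p] == 1 for p in wanted), asked


def false_positive_rate(m: int, k: int, n: int) -> float:
    """Standard Bloom filter estimate after n insertions."""
    return (1 - math.exp(-k * n / m)) ** k


# Constructed registrations
REGISTERED_NAMES = ["example.org", "example.com", "howdoesthisdomaintastetaste.com"]
SERVER = ServerBloom()
for _name in REGISTERED_NAMES:
    SERVER.add(_name)

if __name__ == "__main__":
    hit, asked = client_query(SERVER, "example.org", decoys=29)
    print("example.org registered?", hit, "bits requested:", len(asked))
    print("expected false positive rate:",
          false_positive_rate(M_BITS, K_HASHES, len(REGISTERED_NAMES)))
```

The decoy count is the knob the second bullet talks about: with zero decoys the server learns exactly the k positions (and can dictionary-attack them just like the hash), with m decoys it learns nothing but you have downloaded the whole filter anyway. Note also that a "registered" answer is only probable, with the false positive probability above, whereas an "available" answer from a Bloom filter is definite.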

Note that the hash solution isn't technically constant size in the number of registered names either—the required hash size for any given false negative probability depends on the number of registered names. However, since 160 bits is so small people just think of this as constant size.

Domain Name News reports that Network Solutions is engaging in front running of domain names—when a user uses WHOIS to check on the availability of the name, NSI grabs the domain:
A story is developing regarding domain name registrar Network Solutions front running domains. According to multiple sources on DomainState.com, it appears that domains searched via NSI are being purchased by the registrar thereby preventing a registrant from purchasing it at any other registrar other than NSI. As an example, a random domain which DNN searches such as HowDoesThisDomainTasteTaste.com can be seen in this whois search to now be unavailable to register at other registrars but at NSI it can be purchased

The whois contact now says :

    Registrant: Make this info private
    This Domain is available at NetworkSolutions.com
    13681 Sunrise Valley Drive, Suite 300
    HERNDON, VA 20171

The domains are likely being purchased and held in NSI ownership until the potential registrant comes back to purchase the name through NSI. If the purchase is not made at NSI within 5 days, NSI uses the same 5 day grace period that domain tasting operations use and they delete the domain. Once a search for a domain is conducted at NSI the domain name is registered and only available to be purchased by a registrant at NSI. It is not clear if NSI has increased prices on domains that have received multiple whois searches and that they are front running.

Obviously, even if NSI isn't increasing prices, customers don't really want to be locked into NSI. NSI's defense? They're doing it to protect customers:

"I'd like to clarify what we are doing. In response to customer concerns about Domain Name Front Running (domains being registered by someone else just after they have conducted a domain name search), we have implemented a security measure to protect our customers. The measure will kick in when a customer searches for an available domain name at our website, but decides not to purchase the name immediately after conducting the search.

After the search ends, we will put the domain name on reserve. During this reservation period, the name is not active and we do not monetize the traffic on these domains. If a customer searches for the domain again during the next 4 days at networksolutions.com, the domain will be available to register. If the domain name is not purchased within 4 days, it will be released back to the registry and will be generally available for registration.

This protection measure provides our customers the opportunity to register domains they have previously searched without the fear that the name will be already taken through Front Running.

You are correct that we are trying to take an arrow out of the quiver of the tasters. As you know, domain tasters are the largest Front Runners. Due to no fault of registrars, Front Runners purchase search data from Internet Service Providers and/or registries and then taste those names. Some folks may not agree with our approach, but we are trying to prevent this malicious activity from impacting our customers."

I don't really understand how this is a defense against front running. Say that I search for example.com and I find it's not taken but I decide not to purchase it. Someone else is monitoring that whois and decides to purchase the name. WHOIS is unauthenticated, so they can buy it just as well as I can, they just have to go through NSI. I see how this is to NSI's benefit, but how is it to mine? I suppose one could argue that NSI is more expensive than other registrars, so forcing them to go through NSI sort of deters attackers, but that seems like a pretty crude instrument. Other than that, I don't see that this is a useful safeguard.


January 8, 2008

So, the other day I needed to register an account with Chase. Part of the registration procedure is the now ubiquitous out-of-band delivery of some token/code to your cell phone, email address, etc. (I've heard this called "loopback" or "answerback").

Here's what they offer me (somewhat reformatted and trimmed, and with my phone number redacted even further):

We'll show you all contact information we have on file for you. Some of it may be outdated, but we'll only send you an Activation Code using the method you select. Note: For security reasons, we have hidden parts of your contact information below with "xxx." Learn more about why we do this.


Phone Call to :

OR E-mail Message to: exr@rtfm.com

First, note the duplication of the phone numbers: YYYY appears twice. A minor issue, though. Note also the substitution of the numbers with xxx.

Now check out the email address: exr@rtfm.com. Note that the middle letter of my username is k, not x, and this isn't xxx either. Anyway, so I'm registering here for the first time and I look at this clearly wrong address, and I figure it's a typographical or transcription error (x looks like k, after all) and I should call to get it fixed. But no.... this is just their masking technique.1 OK, so maybe I'm a moron, but seriously, how hard would it be to use * instead of x, like everyone else?

1. Mrs. Guesswork hypothesizes that their algorithm is to take the middle part of my username and so if my username were longer I would get the full xxx treatment.
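To make the masking point concrete, here is an added example (not Chase's code, and not from the original post) that implements the rule the footnote guesses at: keep the first and last character of the username and mask the middle. The allowed-character set for usernames is a constructed assumption. It shows why the choice of mask character matters: masking with "x" produces a string that could itself be a real username, while masking with "*" cannot be mistaken for one.

```python
import re
import string

# Constructed assumption for this example: the character set the site accepts in
# the local part of an e-mail address. Real sites differ; the point is only that
# the mask character must fall outside whatever set the site allows.
LOCAL_PART_ALLOWED = set(string.ascii_letters + string.digits + "._-")


def mask_local(local: str, mask_char: str = "*") -> str:
    """Keep the first and last character of a username and mask everything between.

    This is the rule the footnote guesses at (an assumption, not Chase's code).
    Usernames of one or two characters are masked entirely.
    """
    if len(local) <= 2:
        return mask_char * len(local)
    return local[0] + mask_char * (len(local) - 2) + local[-1]


def mask_email(address: str, mask_char: str = "*") -> str:
    """Mask the local part only; the domain is left readable."""
    local, at, domain = address.partition("@")
    return mask_local(local, mask_char) + at + domain


def mask_phone(number: str, mask_char: str = "*", keep_last: int = 4) -> str:
    """Mask all but the last keep_last digits, ignoring punctuation."""
    digits = re.sub(r"\D", "", number)
    hidden = max(len(digits) - keep_last, 0)
    return mask_char * hidden + digits[-keep_last:]


def mask_is_unambiguous(mask_char: str) -> bool:
    """A mask character is only safe if it can never occur in a real value."""
    return mask_char not in LOCAL_PART_ALLOWED


def could_be_real(masked_local: str) -> bool:
    """True if a masked username is indistinguishable from an unmasked one,
    i.e. every character in it is one the site would accept."""
    return all(c in LOCAL_PART_ALLOWED for c in masked_local)
```

With the username from the post, `mask_local("ekr", "x")` yields `"exr"`, which `could_be_real` accepts as a plausible username, whereas `mask_local("ekr")` yields `"e*r"`, which it rejects. The same check applied at design time would have caught the problem before any customer tried to phone in a correction.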


January 6, 2008

The Times Magazine has a mondo article about electronic voting. I haven't had time to write up a full comment on it, but check this out:
Still, the events of Election Day 2007 showed just how ingrained the problems with the touch-screens were. The printed paper trails caused serious headaches all day long: at one polling place, printers on most of the machines weren't functioning the night before the polls opened. Fortunately, one of the Election Day technicians was James Diener, a gray-haired former computer-and-mechanical engineer who opened up the printers, discovered that metal parts were bent out of shape and managed to repair them. The problem, he declared cheerfully, was that the printers were simply "cheap quality" (a complaint I heard from many election critics). "I'm an old computer nerd," Diener said. "I can do anything with computers. Nothing's wrong with computers. But this is the worst way to run an election."

Here's the thing: those printers (called voter verifiable paper audit trails, or VVPATs) are supposed to be tamper sealed, so that they provide a record of how people voted. You're not generally supposed to be opening them up and screwing with them.


January 5, 2008

Check out this Wired article and the FAA Report on which it is based about how the Boeing 787 control network is connected to the in-cabin entertainment network, which is probably not the design your average security guy would have chosen:
These special conditions are issued for the Boeing Model 787-8 airplane. This airplane will have novel or unusual design features when compared to the state of technology envisioned in the airworthiness standards for transport category airplanes. These novel or unusual design features are associated with connectivity of the passenger domain computer systems to the airplane critical systems and data networks. For these design features, the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing standards.

The FAA imposes the following requirement:

The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software, and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain.

Obviously, this specifies a goal rather than a design, but it's pretty hard to see how this goal could be met without at minimum an airgap between the ACD/AID and the PIED. I'm unaware of any networking technology which allows you to connect two networking domains together which can also guarantee that computers in the untrusted domains can't negatively impact computers in the trusted domains. The classic solution that falls short of airgaps is of course firewalls, but then you have to worry about vulnerabilities in the firewall, so this certainly doesn't prevent all attacks.

The more interesting question is whether an airgap is enough. An airgap provides good protection against logical attacks from the PIED network, but not against physical ones. Even if the ACD/AID cables are physically separate from the PIED cables, do they run through areas which are potentially accessible from the passenger cabin (especially the lavs!)? Do they use cryptography so that an attacker who accessed them couldn't directly talk to the ACD/AID network? Note that this isn't perfect protection, but it could substantially lower the attack surface.
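To illustrate what "use cryptography on the link" buys you, here is an added example that is not from the FAA document, Boeing, or the original post. It models a trusted-domain link where every frame carries a sequence number and an HMAC-SHA256 tag under a shared key (the key, frame layout and payloads are constructed for the example). The receiver drops frames whose tag does not verify and frames whose sequence number is not strictly increasing, so someone with access to the cable but not the key can neither inject nor replay traffic.

```python
import hashlib
import hmac
import struct

# Constructed shared link key for the example. A real link would provision a
# per-link key at manufacture or maintenance time, never hard-code one.
LINK_KEY = b"constructed-example-link-key-32b"

SEQ_LEN = 8    # 64-bit big-endian sequence number
TAG_LEN = 32   # HMAC-SHA256 output


def _tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    """MAC covers both the sequence number and the payload."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()


class Sender:
    """Trusted-side endpoint: stamps each frame with a sequence number and a MAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def frame(self, payload: bytes) -> bytes:
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        return header + payload + _tag(self.key, header, payload)


class Receiver:
    """Trusted-side endpoint: accepts only frames that carry a valid MAC and a
    sequence number higher than any seen so far."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None                                   # truncated
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, header, payload)):
            return None                                   # forged or modified in transit
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            return None                                   # replayed or out of order
        self.last_seq = seq
        return payload


def demo() -> dict:
    """Exercise the four cases a reviewer would ask about."""
    sender, receiver = Sender(LINK_KEY), Receiver(LINK_KEY)
    results = {}
    genuine = sender.frame(b"cabin-temp=22")
    results["genuine"] = receiver.accept(genuine)
    results["replay"] = receiver.accept(genuine)          # same frame again
    # Someone with wire access but no key can choose a sequence number and a
    # payload, but has no way to compute the tag.
    forged = struct.pack(">Q", 99) + b"not-from-the-AID" + b"\x00" * TAG_LEN
    results["forged"] = receiver.accept(forged)
    tampered = bytearray(sender.frame(b"seat=12A"))
    tampered[SEQ_LEN + 2] ^= 0x01                         # flip one payload bit
    results["tampered"] = receiver.accept(bytes(tampered))
    return results
```

Two caveats match the post's own hedging. A MAC stops injection and replay but does nothing against flooding the link, which is the case the ALPA cut-off switch below is aimed at; and it only helps while the key stays on the trusted side, so a subverted ACD/AID host, or a receiver whose counter resets on restart without rekeying, removes the protection.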

Two other things worth noting here:

  • The Air Line Pilots Association (ALPA) comments suggest that: "a backup means must also be provided for the flightcrew to disable passengers' ability to connect to these specific systems." This is enough to protect against some attacks (e.g., traffic flooding) but obviously doesn't help against subversion of the flight control systems, since it's not clear that once they have been subverted any plausible in-flight mechanism will allow you to regain control.
  • Airbus also provided several comments which seem mostly oriented towards covering their own future designs. For instance:
    AIRBUS Comment (b): Airbus stated that in the sentence "The design shall prevent all inadvertent or malicious changes to, and all adverse impacts * * *", the wording "shall prevent ALL" can be interpreted as a zero allowance. According to the commenter, demonstration of compliance with such a requirement during the entire life cycle of the aircraft is quite impossible because security threats evolve very rapidly. The only possible solution to such a requirement would be to physically segregate the Passenger Information and Entertainment Domain from the other domains. This would mean, for example, no shared resources like SATCOM (satellite communications), and no network connections. Airbus maintained that such a solution is not technically and operationally viable, saying that a minimum of communications is always necessary. Airbus preferred a less categorical requirement which allows more flexibility and does not prevent possible residual vulnerabilities if they are assessed as acceptable from a safety point of view. Airbus said this security assessment could be based on a security risk analysis process during the design, validation, and verification of the systems architecture that assesses risks as either acceptable or requiring mitigations even through operational procedures if necessary. Airbus noted that this process, based on similarities with the SAE ARP 4754 safety process, is already proposed by the European Organization for Civil Aviation Equipment (EUROCAE) Working Group 72 for consideration of safety risks posed by security threats or by the FAA through the document "National Airspace System Communication System Safety Hazard Analysis and Security Threat Analysis," version v1.0, dated Feb. 21, 2006. Airbus said such a security risk analysis process could be used as an acceptable means of compliance addressed by an advisory circular.

I don't know that much about how this kind of in-flight network is usually designed or how much security analysis usually goes into it, but to the extent to which we're concerned about passenger subversion of flight control systems, this seems like an unusually hostile threat environment. In particular, if the plane is completely fly by wire, does that mean that someone who controlled the computers could potentially fly the plane where (or into) anything they wanted? What features are provided for regaining manual control in the case of such subversion?


January 3, 2008

I caught NPR on the way home discussing the Iowa Caucuses and Huckabee and Obama were described as "insurgents." Given that that seems to be the semi-official term for "bad people we're fighting in Iraq", maybe it's not the best word choice...

January 1, 2008

Dave Winer is unhappy that he took his Mac to the Apple store with a broken hard drive. Apple replaced the drive but then wouldn't give it back. Winer claims they're going to refurbish it and give it to someone else and is concerned about data leakage.

I share this concern. I generally don't let others have access to my hard drive even if I expect them to give it back—for instance if they're repairing some other part of the computer. In theory, you can clean off the hard drive if it's functioning properly, so you can take a backup, wipe the drive, and then restore it when the computer comes back. But of course once the hard drive itself starts to fail, then disk wiping tools present an obvious problem, so you either need to keep possession of the hard drive, or use encryption. Encryption has the obvious advantage that you don't need to replace your own hardware, but of course it's more of a pain to use upfront and you need to worry about losing your data if you lose the encryption key (that's kind of the point, after all).
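The encryption option described above works even when the drive has failed, because the data on the platters is only readable with a key that never lived on the drive: destroy the key and the drive is sanitized without a wipe pass. Here is an added example of that idea (not from the original post, and not what any real disk encryptor uses). It builds a keystream from HMAC-SHA256 in counter mode, encrypts a constructed "sector", then overwrites the key and shows the sector can no longer be recovered. The construction is for illustration only: a real disk encryptor uses a vetted library and mode (AES-XTS or similar), and this toy adds no integrity protection.

```python
import hashlib
import hmac
import os
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream: HMAC-SHA256(key, nonce || counter) per block.

    Illustration only. The nonce must never repeat under the same key, or two
    sectors XOR together to reveal plaintext.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def crypto_erase(key: bytearray) -> None:
    """Overwrite the only copy of the key in place. After this the ciphertext
    on the drive is indistinguishable from random, whether or not the drive is
    still healthy enough to run a wiping tool."""
    for i in range(len(key)):
        key[i] = 0


def demo() -> dict:
    """Constructed sample: encrypt one 'disk sector', then destroy the key."""
    key = bytearray(os.urandom(32))           # kept off the drive (passphrase-derived, token, ...)
    nonce = b"sector-0000000001"              # constructed per-sector nonce
    plaintext = b"2007 tax return: AGI redacted, see schedule C"
    sector = xor_crypt(bytes(key), nonce, plaintext)   # what actually lands on the platters

    results = {
        "ciphertext_differs": sector != plaintext,
        "before_erase": xor_crypt(bytes(key), nonce, sector) == plaintext,
    }
    crypto_erase(key)                          # drive can now go to the shop
    results["after_erase"] = xor_crypt(bytes(key), nonce, sector) == plaintext
    return results
```

The trade-off the post mentions is visible in `crypto_erase`: the same step that makes the drive safe to hand over also makes your own data unrecoverable, so the key has to be backed up somewhere other than the drive before you ever need to erase it.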

That said, I do kind of wonder whether the drive is actually going to be refurbished. Hard drive technology changes pretty fast and I wonder if it's really worth refurbishing old drives.

See also FSJ on Winer.