Blayne Sucks

I decided to read Franz Kafka’s The Trial after seeing it used by Dan Solove to describe the no-fly list. I knew very little about the book before reading it.  I knew that it was about a man named Joseph K. who was arrested and then, despite his best efforts, completely unable to understand or control the resulting course of events. I also knew that it was one of the books that has motivated the term “Kafkaesque.” What I didn’t know was that it does all of these things in a “meta” sense as well, which has made the the book extraordinarily rich and entertaining to read.

What do I meant by my use of the word “meta” to describe The Trial? Anyone who has read Gödel, Escher, and Bach would probably understand what I mean if I re-phrased it by saying that The Trial is a Strange Loop. However, for those who haven’t read GEB, I will try to explain in more detail, particularly since this is the most delicious part of the book. The Trial was originally written in German, with which I have some experience, but I am not capable of reading a book at this level in German. Thus, it had to be translated. Every time I read a translated book I feel it tug at me a little: Am I really reading this as it was intended? This tugging adds a level of disorientation, which is really the entire point of The Trial.

Of course, Kafka wasn’t intending that everyone read a translated version of the book. In fact, Kafka may have never intended anyone to read the book. It was published posthumously and perhaps against his wishes. Now, there is perhaps some debate over whether or not there was a moral obligation to publish, but that debate is still going today. Thus, it is, in some sense, a book over which not even the author could exercise complete control.

Since it was published posthumously, it was never finished. There is an obviously incomplete chapter that simply ends. There are unfinished chapter fragments and deleted sections published as appendices in the printed version of the book that I read. In fact, literary scholars aren’t entirely sure about the order the chapters should appear. All of this only adds to the confusion and disorder that is depicted throughout the book.

If you haven’t read any of Kafka’s books, but you’re interested in learning a little bit about why Kafka is such an important author, then I would recommend The Trial as a good starting point. I enjoyed the “meta” aspects of the book, but there are certainly a lot of other themes that are enjoyable, including the role of women in the book, which was the biggest surprise for me. I won’t talk about it here though. You’ll have to discover it for yourself.

Ordinary Men by Christopher R. Browning is a book on Nazi Germany’s Reserve Police Battalion 101, which participated in the Holocaust. The primary discussion in the book is on how a group of ordinary, middle-aged Germans became mass murderers. He attempts to understand how this transformation took place, and he uses insights from the Milgram experiments and the Stanford Prison experiments. However, he is quick to point out in the forward of the book that “explaining is not excusing; understanding is not forgiving.”

The book was recommended to me by Lucas Layman after a discussion on the importance of the human element in computer security led to a discussion on the Milgram experiments and the Stanford Prison experiments. Certainly there are many elements of computer security and computer crime that can be better understood through studying human psychology. For example, the simple fact that as the men of Reserve Police Battalion 101 were removed from direct participation (e.g. pulling the trigger themselves) to indirect participation (e.g. leading Jews to death trains) they were more easily able to cope with their actions psychologically. Similarly, computer crime is easily disassociated because of the impersonal nature of dealing with computers rather than humans. However, after reading the book my strongest reaction has been broader than just computer security.

When I was in high school I had to read quite a few books on the Holocaust. It seemed that every year we read a different book on the subject, and I tired quickly of the extremes that were pushed. Nazi Germany in general and Hitler in particular have become famous for being the most extreme extreme. This is perhaps best identified by Godwin’s Law.

Ordinary Men suffers from over-extremism to some extent as well. For example, Browning causally refers to the Holocaust as the “most extreme genocide in human history” without offering much in the way of proof or comparison. The number of Native Americans systematically killed by Europeans and the number of Russians killed by Stalin’s regime could each easily exceed the numbers of Jews killed by the Holocaust. The rate of killing in Rwanda could easily surpass the rate of killing in the Holocaust. The brutality of groups like the Khmer Rouge and leaders like Genghis Kahn could be argued to be greater than that found in the Holocaust. Is it even possible to classify something like the “most extreme genocide in history?”

My point is that our only reaction to events like these cannot be the emotional one; we must attempt to understand why and how these things happen so that we can learn from them. We aren’t good at rationalizing emotions, and we are rarely able to draw objective conclusions based on them. However, if we can take a look at some facts, then we may be able to learn important lessons. For example, before the brutality caused by Nazi Germany and in former Yugoslavia, we see extreme hyperinflation. Do we know anywhere else in the world where that is happening right now? I think so. This is something to be concerned about.

More generally security is a field that suffers from extremely emotional reactions. The air travel response to the September 11th attacks is a good example. How many of these responses have been the result of reason rather than emotion? How many of them have actually improved airport security? These are questions that we will probably continue to struggle with for years because of the highly charged emotional response most Americans have to the September 11th attacks.

On the whole though, Browning does a good job of ensuring that we don’t view the people of Reserve Police Battalion 101 as caricatures of themselves. As a result, there are many lessons to be learned from this book. The Holocaust should not be thought of as an abstract evil thing, but instead as a real consequence of human plans and actions. As Browning says, “Ultimately, the Holocaust took place because at the most basic level individual human beings killed other human beings in large numbers over an extended period of time.” The book offers an objective take on how ordinary people are capable of such a thing. I found it to be a very worthwhile read.

In an election year, it is easy to become caught up in the political discussion about which candidate has the best policy on education, which candidate will fix healthcare, or which candidate will lower our gas prices. It is easy to focus on the problems because politicians don’t get elected for the things that have gone right. These are the things we take for granted, but there are certainly places in the world where the things we take for granted are serious concerns.

Zimbabwe is one of those places. Yesterday, it was determined that the Zimbabwe dollar has suffered from 11,200,000% inflation for the 12 previous months. That’s 11.2 million percent inflation. As Tom Palmer has aptly said, this is how you destroy a country. As you may have surmised, this is a classic example of hyperinflation.

The leaders of Zimbabwe are at best clueless and at worst ruthlessly careless as to the effects of their policies. Zimbabwe’s President Robert Mugabe and Reserve Bank governor Gideon Gono have devalued the currency rather than attempt to address the root causes of the problem. They blame sanctions from western countries for their economic woes, when in reality they have created their own crisis.

Zimbabwe has the natural resources to be one of the wealthiest African countries. Zimbabwe is home to Victoria Falls, a worldwide tourist attraction. They also has rich mineral deposits that could support some of the best mines in the world. Zimbabwe’s sub-tropical climate could support significant agriculture as well. These resources simply need to be managed properly.

Meanwhile, the people of Zimbabwe are suffering. The unemployment rate is over 80%. The brain drain has been staggering. Only those people who can’t afford to leave or who care too much about their homeland to leave remain in the country. Parts of the country have been without running water for months. The electric grid is unstable. Basic elements of the country’s infrastructure are failing.

Zimbabwe’s economic problems dwarf those problems in the United States. The US has had a 17 year high percentage of inflation: 5.6% This is certainly a problem, and one that has caused the economy to be a serious topic of the current presidential election. The economic concept of sound money (a monetary unit that is relatively stable and inflation-free) is crucial to any economy. However, it is important to remember that things could be much worse and we still have a pretty stable economy. If you find yourself tired of paying too much for gas or fed up with the election year political chatter, remember that there are probably quite a few things we may be taking for granted.

I was going to wait until Dan Kaminsky announced more details about this flaw at the Black Hat Briefings on August 6th, but Halver Flake’s recent post as essentially squeezed the toothpaste out of the tube on this one. Just look at what Dan has to say.

I’m not going to talk about Dan’s decision not to release the details of this attack as soon as possible or the merits of full disclosure in computer security. Although interesting, it is less interesting to me than the flaw itself.

I know not everyone who reads this blog is technically oriented. To those people, I encourage you to try and make your way through this (long) post. I will try to keep things as simple as possible and I can guarantee you that a better understand of this particular problem will not only give you a better understanding of computer security, but also a better understanding of how the Internet really works.

Let me take a few moments to provide some background. The Domain Name System (DNS) is the protocol that translates a website’s domain name (e.g. somebank.com) into the corresponding IP Address (e.g. 192.168.1.1). IP Addresses are used by routers and network infrastructure to deliver information from one place to another on the Internet. DNS has been around since the mid 1980′s. It is a critical part of the infrastructure of the Internet. When you type in a domain name or use a bookmark to visit your bank’s website, you are trusting that the DNS protocol will take you to the correct server and not to a well-designed phishing website that looks just like your real bank.

The recent flaw in DNS is a protocol-level design flaw, not a software bug. A protocol is merely a pre-defined set of steps done to achieve some objective. For example, when Alice introduces two of her friends, Bob and Chris, to one another for the first time, she would follow a social protocol of introduction. She may introduce Bob to Chris as her co-worker from the Human Resources department, and she may follow this by immediately introducing Chris to Bob as her friend from church. If Alice forgot to introduce Bob to Chris and Bob eventually had to introduce himself to Chris while Alice was standing there, then that failure on Alice’s part is analogous to a failure in a single piece of software. If there were a flaw in this protocol, then every introduction performed based on this social protocol would fail. That is the difference between a protocol-level flaw and a software bug.

Now we have gotten to the crux of the issue. There is a protocol-level flaw in DNS that allows a phisher to take over the actual domain name of the site that it is trying to imitate. This is a serious problem that led to an astonishing collaboration to patch the entire Internet. Even patching the entire Internet isn’t going to “solve” this problem. Why? Because the patches are just that: patches. The problem still exists in the protocol.

What exactly is this problem? (And here’s where I may lose anyone who’s not technically oriented, but I’ll try and keep this simple.) When a DNS server doesn’t know how to translate a domain name into an IP address, it asks another, more trusted, DNS server for the information. Of course, this happens quite frequently since any given DNS server can’t store all the correct DNS translations for the entire Internet all the time (and since these translations can change).

Each time a DNS server has to ask a more trusted DNS server for a domain name to IP address translation, it does so by providing a number called a Query ID (QID). Now, there used to be a ton of attacks based on these QID since they were sequential. This class of attacks basically consisted of an evil doer asking a DNS server to perform a translation on a domain name that it didn’t already have. The evil doer would then start sending forged responses with sequentially increasing QIDs. If the evil doer got the right one, a bad domain name to IP address would be cached. Once a translation is cached, most DNS software implementations will ignore other updates to that domain’s information.

There are many ways to poison a DNS cache. This particular problem was patched (not solved) by just not using sequential QIDs. If a random QID is used, then it becomes very difficult for the evil doer to respond before the real response arrives.

Another interesting way to poison a DNS cache is to send a fake resource record. This attack works because of a chicken-ad-the-egg problem that I deftly avoided in my earlier description of DNS. I said that when a DNS server doesn’t know the proper translation for a domain name, it asks a more trusted DNS server. How? How does it know a more trusted DNS server? Basically, it only knows trusted DNS servers by their domain name. So it has to resolve a domain name for the next step in the hierarchy. Let me give a simple example.

Let’s say you’re a DNS server trying to resolve checking.somebank.com and you don’t know how. Who are you going to ask? Well, you’re going to ask whatever domain name server is controlling somebank.com since somebank.com is the next step in the hierarchy. If you don’t know that one, you’re going to ask the .com root server. Of course, you would like to learn how to ask somebank.com how to resolve all of it’s subdomains (e.g. checking.somebank.com, savings.somebank.com, etc…) since that would be efficient. This is done through a DNS Resource Record (RR).

Although there are many kinds of DNS Resource Records, for this attack all you need to know is that when you make a query for a DNS translation, you can receive back an answer as well as an additional resource record that is intended to help speed up future queries. Now, it used to be possible to poison DNS caches directly with this because there was a flaw in the protocol that allowed these resource records to be totally unrelated to the original request.

For example, let’s say you’re a DNS server and you just sent out a query about checking.somebank.com. It used to be possible that you would receive a domain name to IP address translation for checking.somebank.com and an addition resource record telling you that you should cache ns.evildoer.com as a name server for future queries. This was patched (not “solved”) by requiring the additional resource records be related to the query. (Thus, you would only be able to get a DNS RR for a somebank.com name server.)

The most recent DNS protocol-level flaw is related to both the QID problem and the DNS RR problem. Here’s how I believe it works (and these details are already available to anyone with access to google and a few minutes):

1. Get a DNS server to look up a subdomain for the site that you want to compromise. For example, randomAAAAAA.somebank.com. The subdomain itself doesn’t really matter other than it shouldn’t exist.
2. Since the DNS server doesn’t have this domain name to IP address translation it will have to look up the answer. Now, the evil doer can’t reliably predict the QID since random QIDs are used. The vast majority of these lookups will correctly be answered by ns.somebank.com as non-existent subdomains with the right QID. However, the evil doer can still try and race ns.somebank.com to guess an answer.
3. The evil doer repeats step 2 and increments the random domain name every time. For example, the next domain name the evil doer might try could be randomAAAAAB.somebank.com. Since QIDs are just randomized and not cryptographically secure, the attacker may still have a mathematically reasonable chance at eventually guessing correctly and beating the real name server’s response. If that happens, then the real name server’s response is dropped and more importantly the attacker has earned the right to send a DNS Resource Record updating the name server for the bank. (i.e. The attacker gets to poison ns.somebank.com and make it point to their phishing site.)

It’s clever. It’s not easy to solve, so we’re going to play the patching game again and people are rushing to patch their DNS servers. Now, this post is not going to talk about the losing battle that is penetrate-and-patch. Although it would be fun to rant, that debate is no longer interesting since all the smart people are on the same team.

So why is the flaw (and perhaps computer security on the whole) interesting? The assumptions involved. Professor Spafford has a great quote about computer security and assumptions:

Finding vulnerabilities is simple; discover the assumptions a developer made, ad then violate those assumptions.

People have become accustomed to DNS working. They assume it will work. It’s not just users, but also developers that do this. Let’s take one example: OpenID.

For those who don’t know, OpenID is an identity system that enables users to store their identity information in one place. Instead of having usernames, passwords, addresses, and other account information stored separately at amazon.com, ebay.com, flickr.com, etc…, users would be able to store it (and update it) all in one place. It’s a really neat idea that could eventually provide useful services and save real people time. However, it was designed with the assumption that DNS just worked.

Kim Cameron points this out on his blog, but I think the best summary of the problem is by Tim Anderson:

Note that Cameron is not opposed to OpenID. Apart from anything else, he recognizes that this may well be the beginning of an identity revolution – part of a process, at the end of which we get a safer, less spam laden, less criminal-infested internet.

At the same time, he’s right. The whole OpenID structure hinges on the URL routing to the correct machine on the Internet. In other words, DNS. Now do some research on DNS poisoning. Scary.

Now, it strikes me that you can largely fix this by requiring SSL connections. In other words, have the OpenID URL be an https:// URL, and have the relying party (the website where you want to log in) check for a valid SSL certificate. Note thought that SSL must be used at every stage. OpenID lets you use your own URL as the identifier, but redirect to another OpenID identity provider. Both URLs must use SSL to maintain integrity.

Scary indeed. The OpenID developers have assumed reliable DNS. Now, Tim’s probably right that encryption is the solution to this problem, but I don’t think SSL would work. Even if there is a certificate for the site, most browsers fail to properly inform users what it means when an SSL certificate has changed or isn’t there now. Plus, people are trained to use the domain name and trust that it works.

So how can encryption help? Well, I think DNSSEC and IPSEC (or IPv6) would actually solve (not patch) the problem, but designing better protocols hasn’t been the real issue. DNSSEC and IPSEC have been around for a while. The problem is adoption. No one uses these protocols just like no one uses PGP for encrypting their email.

Metcalfe’s Law is holding most people back since they don’t want to be the only ones using the “other” network. This is another great example of why “road” or “highway” analogies don’t work for the Internet. If this were a pothole or even a collapsed bridge, we could fix the problem properly without really affecting most people. However, since this is the Internet, we can’t actually solve this unless everyone agrees to stop using DNS.

So we’re going to continue to see problems with old infrastructure protocols like DNS. As a result, phishing will continue to be a serious problem. The only way this will stop is if there is a problem so big that the monetary incentive to avoid the problem pushes everyone to change. Who wants to guess how big of a problem that would have to be?

I have trouble describing how disappointed I am that this bill has passed. The roll call vote is available here. I have written about FISA previously here and here.

Although there are many aspects of this bill that disappoint me, I would like to take a moment to talk about the one closest to my research: legal compliance in technology systems. This bill sets an incredibly bad precedent for anyone advocating legal compliance. Essentially, what the telecommunications companies did was blatantly against the law. However, this bill retroactively provides them immunity for their actions [1]. When the consequences for violating the law are removed retroactively, companies have an incentive to violate the law in the future.

The ethics in situations like this are already difficult for engineers to recognize. For a technologist like Mark Klein, setting up a room with a whole bunch of cables going into it is a normal daily aspect of their job. Most will not see the ethical implications. Most engineers at that level are not aware of the bigger picture. They may not be able to say for sure whether their action is a violation of the law. To speak out about such a thing already takes great personal courage.

The last thing engineers need to see is a case like this. They will recognize that even if they do risk their job to speak out about a possible legal problem, and even if that possible problem is recognized as such, it is now, with the passage of this bill, clearly possible that Congress will bend over backwards to let their employer off the hook.

To understand how difficult it was before this amendment was passed for someone like Mark Klein to do what he did, I urge you to read the introduction Cindy Cohn gave him at the EFF Pioneer Awards. Congress has just made it harder on the heroes. This is a disappointing day.

[1] Yes, I realize that this bill doesn’t directly provide for retroactive immunity. However, the bill sets up a sham court proceeding to determine whether or not the companies involved were told it was ok to do what they did by the President, which is already widely known to be true.

[Update: There's an extremely well-written article on the FISA Ammedment Act on ThreatLevel.]

One might assume that we can all agree that natural disasters are bad, but apparently we can’t. The Boston Globe has an article about how natural disasters are helpful. Yes, you read that right. The article is about how natural disasters are helpful.

Now, if you, like me, don’t believe that an earthquake which killed almost 70,000 people is helpful, then you may find yourself similarly disappointed that such an article could be published at a reputable paper. The concept is tortured logic at best. It goes something like this:

1. A disaster occurs wiping out all sorts of things that are valuable like buildings, factories, vehicles, and infrastructure.
2. At great financial cost, society re-builds all the things that were destroyed using the latest techniques.
3. Measurements are taken of both before and after the disaster and someone concludes that those affected are better off because they have all new buildings, factories, vehicles and infrastructure.

Let’s think about some logical conclusions one might draw about this. If natural disaster is good because it forces us to rebuild, then wouldn’t man-made disaster be even better? I mean, we could pick the places where the disaster would occur and we would create jobs for the teams of people who could go around destroying things. Actually, that sounds a lot like war now. Heck, why don’t we just start wars all the time since the resulting disaster is so obviously good?

Doesn’t really make much sense, does it?

There are really only two salient points to be found in this article. First, the voice of reason:

To critics of this line of thinking, the problem is that it is, at best, a partial picture. It ignores, they argue, the fact that the money and labor that go into post-disaster rebuilding are simply being redirected from other productive uses.

“If you’re a carpenter, a trash remover, a physician, you may be made better off, but the things that those producers would have otherwise produced are not going to be produced,” says Donald Boudreaux, an economics professor at George Mason University. “Over any reasonably relevant period of time, society is not made wealthier by destroying resources,” he adds. If it were, “Beirut should be one of the wealthiest places in the world.”

Huh, who would have thought that disasters were actually bad? Of course, we have known this for a long time.

Second, the conclusion, which is surprisingly good given how horrible the rest of it was:

It may be, then, that disaster economics works best as a guide in those times when we don’t have disasters to contend with. Investing in human capital, replacing outdated plants and infrastructure – the things that Kunreuther and Skidmore argue disasters drive us to do – are also, it turns out, good ideas even in the absence of a crippling catastrophe. If the disaster economists are right, calamities are simply pushing societies to make the sort of sound economic decisions that inertia or fear or bureaucratic sclerosis prevents them from otherwise making. Governments and businesses might do well to adopt some of the urgency and innovation of a post-disaster mind-set even in more clement times.

Imagine that. If you invest in your business rather than limp along with outdated facilities and inefficient equipment, then your business will operate more efficiently.

War is bad. Disasters are bad. The end.

I recently met Brooke Oberwetter, who has become known as the Jefferson 1. She seems like a nice, unassuming person and we had a pleasant conversation, which is why I was surprised to learn that she was facing criminal charges. I have come to believe that her arrest is an excellent example of the war on the unexpected.

She and around 20 of her friends went to the Thomas Jefferson Memorial to celebrate Thomas Jefferson’s birthday by silently dancing and listening to music with earphones of some kind. Surely this is not a usual occurrence and the park police were not expecting 20 people to show up and silently dance around in the middle of the night. However, she was not breaking any laws and she certainly wasn’t terrorizing anything.

Of course, you don’t have to take my word for it because there’s three videos on YouTube that show the event in detail. This incident happens to be getting a lot of publicity because of the circumstances: a young blond woman, the Thomas Jefferson Memorial on Thomas Jefferson’s birthday, the video footage of the event, the fact that all the participants were active in libertarian politics.

If this doesn’t seem like that big of a deal to you, I am not surprised. Violations of civil liberties rarely seem like that big of a deal to the unaffected. The unaffected are, by definition, not directly affected by events like this. Mistakes are made. Police officers are human just like everyone else, but we all lose something when citizens in our country are wrongfully arrested or detained. This event may be useful in illuminating the broader point: the war on the unexpected is a massive waste of time and money — how can we fix this?

That’s certainly something to think about.

As I mentioned in my last post, Randy Pausch‘s book The Last Lecture has become a runaway success. (And Randy has was named to Time Magazine’s 100 most influential people, which is an honor he absolutely deserves.) The day after Finals week ended I read the book cover to cover.

It is just over 200 pages and doesn’t take long to read. Despite the short length, there’s quite a bit of material packed into it. Randy has promoted the book as another medium for him to pass his life lessons on to his kids and it’s obvious that there’s a lot of material in the book that would be impossible for anyone with a terminal illness to talk about publicly without breaking down. He talks about how he met his wife, how they got engaged, and how his children were born.

There’s more to the book than just the stories. There’s an intimacy with the written word that is different than a speech, video or story. As a reader, you might be sitting in a comfortable chair in your house, on an airplane or in a waiting room, but the act of reading puts you in this separate world. Even if someone knows what book you’re reading they don’t know what part of that book. The only person who knows that is you. As a result of that magic and of Randy’s conversational style, this book absolutely seizes your attention.

The book’s message gets across loud and clear: Time is short. Live your life to the fullest. You truly can achieve your dreams. Never lose that optimism you had as a child.

A hard message to convey with authority, but Randy does so more than effectively. I sincerely urge you to consider getting this book. Don’t pick it up at the library. Go out and buy it. Read it every year. It’s short, and easily manageable in a day. Don’t let yourself get lost in life and forget the things that make it worth living in the first place.

For those of you who don’t know, Randy Pausch is a Professor of Computer Science at Carnegie Mellon University. He is also dying of cancer. He is 46 years old.

As many other people, I have been following Randy Pausch’s battle with pancreatic cancer for a while now. You can read my previous posts here, here and here. When I first posted about his last lecture, the wave of media was just starting. Since that time his exposure and impact have absolutely ballooned to unreal proportions. (Note: This is almost certainly not related to my blog. ) I strongly urge you to take some time and dig beneath the media hype to learn what Randy Pausch is all about. He does not disappoint.

His famous Last Lecture has been profiled on Oprah and he’s been interviewed by Diane Sawyer. Just recently he sat down with Time Magazine for their 10 Questions article. His lecture has been turned into a book and has become an instant success. It has become the overall bestselling book on Amazon.com, Barnes and Noble.com, and the New York Times Bestsellers lists. If you only read one book this spring, make it this one. I know I’m looking forward to next month when I’ll have enough time to read it.

Allison passed me a link to a video about the comparisons between Barack Obama’s campaign for President of the United States and the fictional Santos Campaign on the TV show The West Wing via email today. I have mentioned that I’m a fan of The West Wing before. I didn’t necessarily agree with the politics in the show. In fact, sometimes I strongly disagreed with them. However, the show portrayed politicians of every stripe as people who earnestly want to improve the world in which they live. Sure, they talked about the seedy side of politics from time to time, but on the whole the picture was one of politicians actively caring about the people. The American people yearn for that. This Slate V video is just another example of (in part) why Barack Obama has been so successful.