Blayne Sucks

In an election year, it is easy to become caught up in the political discussion about which candidate has the best policy on education, which candidate will fix healthcare, or which candidate will lower our gas prices. It is easy to focus on the problems because politicians don’t get elected for the things that have gone right. These are the things we take for granted, but there are certainly places in the world where the things we take for granted are serious concerns.

Zimbabwe is one of those places. Yesterday, it was determined that the Zimbabwe dollar has suffered from 11,200,000% inflation for the 12 previous months. That’s 11.2 million percent inflation. As Tom Palmer has aptly said, this is how you destroy a country. As you may have surmised, this is a classic example of hyperinflation.

The leaders of Zimbabwe are at best clueless and at worst ruthlessly careless as to the effects of their policies. Zimbabwe’s President Robert Mugabe and Reserve Bank governor Gideon Gono have devalued the currency rather than attempt to address the root causes of the problem. They blame sanctions from western countries for their economic woes, when in reality they have created their own crisis.

Zimbabwe has the natural resources to be one of the wealthiest African countries. Zimbabwe is home to Victoria Falls, a worldwide tourist attraction. They also has rich mineral deposits that could support some of the best mines in the world. Zimbabwe’s sub-tropical climate could support significant agriculture as well. These resources simply need to be managed properly.

Meanwhile, the people of Zimbabwe are suffering. The unemployment rate is over 80%. The brain drain has been staggering. Only those people who can’t afford to leave or who care too much about their homeland to leave remain in the country. Parts of the country have been without running water for months. The electric grid is unstable. Basic elements of the country’s infrastructure are failing.

Zimbabwe’s economic problems dwarf those problems in the United States. The US has had a 17 year high percentage of inflation: 5.6% This is certainly a problem, and one that has caused the economy to be a serious topic of the current presidential election. The economic concept of sound money (a monetary unit that is relatively stable and inflation-free) is crucial to any economy. However, it is important to remember that things could be much worse and we still have a pretty stable economy. If you find yourself tired of paying too much for gas or fed up with the election year political chatter, remember that there are probably quite a few things we may be taking for granted.

I was going to wait until Dan Kaminsky announced more details about this flaw at the Black Hat Briefings on August 6th, but Halver Flake’s recent post as essentially squeezed the toothpaste out of the tube on this one. Just look at what Dan has to say.

I’m not going to talk about Dan’s decision not to release the details of this attack as soon as possible or the merits of full disclosure in computer security. Although interesting, it is less interesting to me than the flaw itself.

I know not everyone who reads this blog is technically oriented. To those people, I encourage you to try and make your way through this (long) post. I will try to keep things as simple as possible and I can guarantee you that a better understand of this particular problem will not only give you a better understanding of computer security, but also a better understanding of how the Internet really works.

Let me take a few moments to provide some background. The Domain Name System (DNS) is the protocol that translates a website’s domain name (e.g. somebank.com) into the corresponding IP Address (e.g. 192.168.1.1). IP Addresses are used by routers and network infrastructure to deliver information from one place to another on the Internet. DNS has been around since the mid 1980′s. It is a critical part of the infrastructure of the Internet. When you type in a domain name or use a bookmark to visit your bank’s website, you are trusting that the DNS protocol will take you to the correct server and not to a well-designed phishing website that looks just like your real bank.

The recent flaw in DNS is a protocol-level design flaw, not a software bug. A protocol is merely a pre-defined set of steps done to achieve some objective. For example, when Alice introduces two of her friends, Bob and Chris, to one another for the first time, she would follow a social protocol of introduction. She may introduce Bob to Chris as her co-worker from the Human Resources department, and she may follow this by immediately introducing Chris to Bob as her friend from church. If Alice forgot to introduce Bob to Chris and Bob eventually had to introduce himself to Chris while Alice was standing there, then that failure on Alice’s part is analogous to a failure in a single piece of software. If there were a flaw in this protocol, then every introduction performed based on this social protocol would fail. That is the difference between a protocol-level flaw and a software bug.

Now we have gotten to the crux of the issue. There is a protocol-level flaw in DNS that allows a phisher to take over the actual domain name of the site that it is trying to imitate. This is a serious problem that led to an astonishing collaboration to patch the entire Internet. Even patching the entire Internet isn’t going to “solve” this problem. Why? Because the patches are just that: patches. The problem still exists in the protocol.

What exactly is this problem? (And here’s where I may lose anyone who’s not technically oriented, but I’ll try and keep this simple.) When a DNS server doesn’t know how to translate a domain name into an IP address, it asks another, more trusted, DNS server for the information. Of course, this happens quite frequently since any given DNS server can’t store all the correct DNS translations for the entire Internet all the time (and since these translations can change).

Each time a DNS server has to ask a more trusted DNS server for a domain name to IP address translation, it does so by providing a number called a Query ID (QID). Now, there used to be a ton of attacks based on these QID since they were sequential. This class of attacks basically consisted of an evil doer asking a DNS server to perform a translation on a domain name that it didn’t already have. The evil doer would then start sending forged responses with sequentially increasing QIDs. If the evil doer got the right one, a bad domain name to IP address would be cached. Once a translation is cached, most DNS software implementations will ignore other updates to that domain’s information.

There are many ways to poison a DNS cache. This particular problem was patched (not solved) by just not using sequential QIDs. If a random QID is used, then it becomes very difficult for the evil doer to respond before the real response arrives.

Another interesting way to poison a DNS cache is to send a fake resource record. This attack works because of a chicken-ad-the-egg problem that I deftly avoided in my earlier description of DNS. I said that when a DNS server doesn’t know the proper translation for a domain name, it asks a more trusted DNS server. How? How does it know a more trusted DNS server? Basically, it only knows trusted DNS servers by their domain name. So it has to resolve a domain name for the next step in the hierarchy. Let me give a simple example.

Let’s say you’re a DNS server trying to resolve checking.somebank.com and you don’t know how. Who are you going to ask? Well, you’re going to ask whatever domain name server is controlling somebank.com since somebank.com is the next step in the hierarchy. If you don’t know that one, you’re going to ask the .com root server. Of course, you would like to learn how to ask somebank.com how to resolve all of it’s subdomains (e.g. checking.somebank.com, savings.somebank.com, etc…) since that would be efficient. This is done through a DNS Resource Record (RR).

Although there are many kinds of DNS Resource Records, for this attack all you need to know is that when you make a query for a DNS translation, you can receive back an answer as well as an additional resource record that is intended to help speed up future queries. Now, it used to be possible to poison DNS caches directly with this because there was a flaw in the protocol that allowed these resource records to be totally unrelated to the original request.

For example, let’s say you’re a DNS server and you just sent out a query about checking.somebank.com. It used to be possible that you would receive a domain name to IP address translation for checking.somebank.com and an addition resource record telling you that you should cache ns.evildoer.com as a name server for future queries. This was patched (not “solved”) by requiring the additional resource records be related to the query. (Thus, you would only be able to get a DNS RR for a somebank.com name server.)

The most recent DNS protocol-level flaw is related to both the QID problem and the DNS RR problem. Here’s how I believe it works (and these details are already available to anyone with access to google and a few minutes):

1. Get a DNS server to look up a subdomain for the site that you want to compromise. For example, randomAAAAAA.somebank.com. The subdomain itself doesn’t really matter other than it shouldn’t exist.
2. Since the DNS server doesn’t have this domain name to IP address translation it will have to look up the answer. Now, the evil doer can’t reliably predict the QID since random QIDs are used. The vast majority of these lookups will correctly be answered by ns.somebank.com as non-existent subdomains with the right QID. However, the evil doer can still try and race ns.somebank.com to guess an answer.
3. The evil doer repeats step 2 and increments the random domain name every time. For example, the next domain name the evil doer might try could be randomAAAAAB.somebank.com. Since QIDs are just randomized and not cryptographically secure, the attacker may still have a mathematically reasonable chance at eventually guessing correctly and beating the real name server’s response. If that happens, then the real name server’s response is dropped and more importantly the attacker has earned the right to send a DNS Resource Record updating the name server for the bank. (i.e. The attacker gets to poison ns.somebank.com and make it point to their phishing site.)

It’s clever. It’s not easy to solve, so we’re going to play the patching game again and people are rushing to patch their DNS servers. Now, this post is not going to talk about the losing battle that is penetrate-and-patch. Although it would be fun to rant, that debate is no longer interesting since all the smart people are on the same team.

So why is the flaw (and perhaps computer security on the whole) interesting? The assumptions involved. Professor Spafford has a great quote about computer security and assumptions:

Finding vulnerabilities is simple; discover the assumptions a developer made, ad then violate those assumptions.

People have become accustomed to DNS working. They assume it will work. It’s not just users, but also developers that do this. Let’s take one example: OpenID.

For those who don’t know, OpenID is an identity system that enables users to store their identity information in one place. Instead of having usernames, passwords, addresses, and other account information stored separately at amazon.com, ebay.com, flickr.com, etc…, users would be able to store it (and update it) all in one place. It’s a really neat idea that could eventually provide useful services and save real people time. However, it was designed with the assumption that DNS just worked.

Kim Cameron points this out on his blog, but I think the best summary of the problem is by Tim Anderson:

Note that Cameron is not opposed to OpenID. Apart from anything else, he recognizes that this may well be the beginning of an identity revolution – part of a process, at the end of which we get a safer, less spam laden, less criminal-infested internet.

At the same time, he’s right. The whole OpenID structure hinges on the URL routing to the correct machine on the Internet. In other words, DNS. Now do some research on DNS poisoning. Scary.

Now, it strikes me that you can largely fix this by requiring SSL connections. In other words, have the OpenID URL be an https:// URL, and have the relying party (the website where you want to log in) check for a valid SSL certificate. Note thought that SSL must be used at every stage. OpenID lets you use your own URL as the identifier, but redirect to another OpenID identity provider. Both URLs must use SSL to maintain integrity.

Scary indeed. The OpenID developers have assumed reliable DNS. Now, Tim’s probably right that encryption is the solution to this problem, but I don’t think SSL would work. Even if there is a certificate for the site, most browsers fail to properly inform users what it means when an SSL certificate has changed or isn’t there now. Plus, people are trained to use the domain name and trust that it works.

So how can encryption help? Well, I think DNSSEC and IPSEC (or IPv6) would actually solve (not patch) the problem, but designing better protocols hasn’t been the real issue. DNSSEC and IPSEC have been around for a while. The problem is adoption. No one uses these protocols just like no one uses PGP for encrypting their email.

Metcalfe’s Law is holding most people back since they don’t want to be the only ones using the “other” network. This is another great example of why “road” or “highway” analogies don’t work for the Internet. If this were a pothole or even a collapsed bridge, we could fix the problem properly without really affecting most people. However, since this is the Internet, we can’t actually solve this unless everyone agrees to stop using DNS.

So we’re going to continue to see problems with old infrastructure protocols like DNS. As a result, phishing will continue to be a serious problem. The only way this will stop is if there is a problem so big that the monetary incentive to avoid the problem pushes everyone to change. Who wants to guess how big of a problem that would have to be?

I have trouble describing how disappointed I am that this bill has passed. The roll call vote is available here. I have written about FISA previously here and here.

Although there are many aspects of this bill that disappoint me, I would like to take a moment to talk about the one closest to my research: legal compliance in technology systems. This bill sets an incredibly bad precedent for anyone advocating legal compliance. Essentially, what the telecommunications companies did was blatantly against the law. However, this bill retroactively provides them immunity for their actions [1]. When the consequences for violating the law are removed retroactively, companies have an incentive to violate the law in the future.

The ethics in situations like this are already difficult for engineers to recognize. For a technologist like Mark Klein, setting up a room with a whole bunch of cables going into it is a normal daily aspect of their job. Most will not see the ethical implications. Most engineers at that level are not aware of the bigger picture. They may not be able to say for sure whether their action is a violation of the law. To speak out about such a thing already takes great personal courage.

The last thing engineers need to see is a case like this. They will recognize that even if they do risk their job to speak out about a possible legal problem, and even if that possible problem is recognized as such, it is now, with the passage of this bill, clearly possible that Congress will bend over backwards to let their employer off the hook.

To understand how difficult it was before this amendment was passed for someone like Mark Klein to do what he did, I urge you to read the introduction Cindy Cohn gave him at the EFF Pioneer Awards. Congress has just made it harder on the heroes. This is a disappointing day.

[1] Yes, I realize that this bill doesn’t directly provide for retroactive immunity. However, the bill sets up a sham court proceeding to determine whether or not the companies involved were told it was ok to do what they did by the President, which is already widely known to be true.

[Update: There's an extremely well-written article on the FISA Ammedment Act on ThreatLevel.]

One might assume that we can all agree that natural disasters are bad, but apparently we can’t. The Boston Globe has an article about how natural disasters are helpful. Yes, you read that right. The article is about how natural disasters are helpful.

Now, if you, like me, don’t believe that an earthquake which killed almost 70,000 people is helpful, then you may find yourself similarly disappointed that such an article could be published at a reputable paper. The concept is tortured logic at best. It goes something like this:

1. A disaster occurs wiping out all sorts of things that are valuable like buildings, factories, vehicles, and infrastructure.
2. At great financial cost, society re-builds all the things that were destroyed using the latest techniques.
3. Measurements are taken of both before and after the disaster and someone concludes that those affected are better off because they have all new buildings, factories, vehicles and infrastructure.

Let’s think about some logical conclusions one might draw about this. If natural disaster is good because it forces us to rebuild, then wouldn’t man-made disaster be even better? I mean, we could pick the places where the disaster would occur and we would create jobs for the teams of people who could go around destroying things. Actually, that sounds a lot like war now. Heck, why don’t we just start wars all the time since the resulting disaster is so obviously good?

Doesn’t really make much sense, does it?

There are really only two salient points to be found in this article. First, the voice of reason:

To critics of this line of thinking, the problem is that it is, at best, a partial picture. It ignores, they argue, the fact that the money and labor that go into post-disaster rebuilding are simply being redirected from other productive uses.

“If you’re a carpenter, a trash remover, a physician, you may be made better off, but the things that those producers would have otherwise produced are not going to be produced,” says Donald Boudreaux, an economics professor at George Mason University. “Over any reasonably relevant period of time, society is not made wealthier by destroying resources,” he adds. If it were, “Beirut should be one of the wealthiest places in the world.”

Huh, who would have thought that disasters were actually bad? Of course, we have known this for a long time.

Second, the conclusion, which is surprisingly good given how horrible the rest of it was:

It may be, then, that disaster economics works best as a guide in those times when we don’t have disasters to contend with. Investing in human capital, replacing outdated plants and infrastructure – the things that Kunreuther and Skidmore argue disasters drive us to do – are also, it turns out, good ideas even in the absence of a crippling catastrophe. If the disaster economists are right, calamities are simply pushing societies to make the sort of sound economic decisions that inertia or fear or bureaucratic sclerosis prevents them from otherwise making. Governments and businesses might do well to adopt some of the urgency and innovation of a post-disaster mind-set even in more clement times.

Imagine that. If you invest in your business rather than limp along with outdated facilities and inefficient equipment, then your business will operate more efficiently.

War is bad. Disasters are bad. The end.

I recently met Brooke Oberwetter, who has become known as the Jefferson 1. She seems like a nice, unassuming person and we had a pleasant conversation, which is why I was surprised to learn that she was facing criminal charges. I have come to believe that her arrest is an excellent example of the war on the unexpected.

She and around 20 of her friends went to the Thomas Jefferson Memorial to celebrate Thomas Jefferson’s birthday by silently dancing and listening to music with earphones of some kind. Surely this is not a usual occurrence and the park police were not expecting 20 people to show up and silently dance around in the middle of the night. However, she was not breaking any laws and she certainly wasn’t terrorizing anything.

Of course, you don’t have to take my word for it because there’s three videos on YouTube that show the event in detail. This incident happens to be getting a lot of publicity because of the circumstances: a young blond woman, the Thomas Jefferson Memorial on Thomas Jefferson’s birthday, the video footage of the event, the fact that all the participants were active in libertarian politics.

If this doesn’t seem like that big of a deal to you, I am not surprised. Violations of civil liberties rarely seem like that big of a deal to the unaffected. The unaffected are, by definition, not directly affected by events like this. Mistakes are made. Police officers are human just like everyone else, but we all lose something when citizens in our country are wrongfully arrested or detained. This event may be useful in illuminating the broader point: the war on the unexpected is a massive waste of time and money — how can we fix this?

That’s certainly something to think about.

As I mentioned in my last post, Randy Pausch‘s book The Last Lecture has become a runaway success. (And Randy has was named to Time Magazine’s 100 most influential people, which is an honor he absolutely deserves.) The day after Finals week ended I read the book cover to cover.

It is just over 200 pages and doesn’t take long to read. Despite the short length, there’s quite a bit of material packed into it. Randy has promoted the book as another medium for him to pass his life lessons on to his kids and it’s obvious that there’s a lot of material in the book that would be impossible for anyone with a terminal illness to talk about publicly without breaking down. He talks about how he met his wife, how they got engaged, and how his children were born.

There’s more to the book than just the stories. There’s an intimacy with the written word that is different than a speech, video or story. As a reader, you might be sitting in a comfortable chair in your house, on an airplane or in a waiting room, but the act of reading puts you in this separate world. Even if someone knows what book you’re reading they don’t know what part of that book. The only person who knows that is you. As a result of that magic and of Randy’s conversational style, this book absolutely seizes your attention.

The book’s message gets across loud and clear: Time is short. Live your life to the fullest. You truly can achieve your dreams. Never lose that optimism you had as a child.

A hard message to convey with authority, but Randy does so more than effectively. I sincerely urge you to consider getting this book. Don’t pick it up at the library. Go out and buy it. Read it every year. It’s short, and easily manageable in a day. Don’t let yourself get lost in life and forget the things that make it worth living in the first place.

For those of you who don’t know, Randy Pausch is a Professor of Computer Science at Carnegie Mellon University. He is also dying of cancer. He is 46 years old.

As many other people, I have been following Randy Pausch’s battle with pancreatic cancer for a while now. You can read my previous posts here, here and here. When I first posted about his last lecture, the wave of media was just starting. Since that time his exposure and impact have absolutely ballooned to unreal proportions. (Note: This is almost certainly not related to my blog. ) I strongly urge you to take some time and dig beneath the media hype to learn what Randy Pausch is all about. He does not disappoint.

His famous Last Lecture has been profiled on Oprah and he’s been interviewed by Diane Sawyer. Just recently he sat down with Time Magazine for their 10 Questions article. His lecture has been turned into a book and has become an instant success. It has become the overall bestselling book on Amazon.com, Barnes and Noble.com, and the New York Times Bestsellers lists. If you only read one book this spring, make it this one. I know I’m looking forward to next month when I’ll have enough time to read it.

Allison passed me a link to a video about the comparisons between Barack Obama’s campaign for President of the United States and the fictional Santos Campaign on the TV show The West Wing via email today. I have mentioned that I’m a fan of The West Wing before. I didn’t necessarily agree with the politics in the show. In fact, sometimes I strongly disagreed with them. However, the show portrayed politicians of every stripe as people who earnestly want to improve the world in which they live. Sure, they talked about the seedy side of politics from time to time, but on the whole the picture was one of politicians actively caring about the people. The American people yearn for that. This Slate V video is just another example of (in part) why Barack Obama has been so successful.

Fox News is reporting that some lost documents and artifacts relating to the assassination of JFK were found in a Dallas courthouse. As someone who has been fascinated with the JFK assassination for years, this is obviously interesting news for a variety of reasons.

My first reaction was the sort of comic imbalance of the stark reality that an object possesses compared to its potential importance. Baseballs in the baseball Hall of Fame don’t really look all that different from some old baseball you have in your closet for 20 years, and yet people would pay millions of dollars for them on the open market. Moon rocks look pretty much like earth rocks, except that you have to actually physically travel to the moon and back to show them to all your friends and relatives. In the history of all kitchen knives that have been used as weapons there was a point when someone bought it at a store and used it to prepare food that they later ate. I’m sure the brown leather gun holster they found doesn’t look any different than that description would imply, except that at one point it was holding a gun that was used to kill Lee Harvey Oswald live on national TV.

However, the documents that were discovered are even more interesting to me. After everything that I’ve read about the assassination, I think the most compelling conspiracy theory has to be the mob theory, which these documents would seem to support. It’s compelling for many reasons. One of the main reasons I find it compelling is that the first rule in assassinating someone is always kill the assassins. This is the essence of a dead end. Police can’t interview their main suspect when he’s dead. Without being able to ask detailed questions to suspects it’s difficult to uncover what really happened.

The mob has understood this very well and has a long and documented history of killing anyone who had any chance of telling the police anything. (Plus, as is mentioned in the article, the mob had serious motivation to kill JFK.) In Oswald’s case, it’s even more interesting because he claimed to have been setup prior to his death. This puts investigators in the unenviable position of trying to prove a negative – that he murdered alleged assassin *didn’t* actually do the assassination. If Oswald was framed and the framing was done at all decently, proving he didn’t really do anything without being able to ask him questions about everything leading up to the assassination can be extremely difficult.

Perhaps it would be easier to think of it using the analogy to the controversy surrounding baseball. Roger Clemens claims to have not used HGH or whatever. How can he prove that he didn’t? There’s no evidence either way that would be unimpeachable. Without irrefutable proof that a particular event actually happened in a particular way, it can be extraordinarily difficult to prove that the event in question didn’t happen another way. (BTW: This is not my first post on the JFK assassination that involved Roger Clements. This is. )

This is in part because of the way the question is phrased. Thomas Pynchon once said,

If they can get you asking the wrong questions, they don’t have to worry about the answers.

This is most apparent in conspiracy theories. A conspiracy nut will ask you to prove that it didn’t happen any of a million different ways. Many of these may require a cogent argument to prove, but they are the wrong questions to ask. However, that is the wrong question to be asked. What should be asked is “How can you prove that Oswald acted alone killed JFK?” If this can be formed into a rational argument, then that would be the only argument that matters.

The difference is subtle. On the surface you might think that proving Oswald did something alone would be equivalent to proving that everyone else didn’t do it. In mathematics, proofs actually can work like that, but real life is different in that humans are imperfect by nature and therefore a certain level of uncertainty exists in everything we do. Uncertainty can either work in favor of an argument or against it. Conspiracy theorists force people to try and eliminate every possible uncertainty, which uses uncertainty as a weapon against an argument. However, if you accept that every argument is going to have an element of uncertainty and present your rationale supporting the theory of Oswald acting alone as the most certain of the arguments, then you are using the uncertainty of everything else to support your argument.

Anyhow, I suppose I’m no longer really commenting on the article and more accurately rambling like a true blogger. I’ll stop now and spare you, the reader, from further blather.

I have talked about some of the things I would like to see in electronic book readers before. I have a feeling that this is a list that is fundamentally incomplete simply because I haven’t sat down and actually analyzed the problem from an engineering standpoint. However, I read something on Cult of Mac recently that was truly depressing.

It appears that analyzing electronic book readers from an engineering standpoint is probably fruitless because they are fundamentally crippled from a marketing standpoint. Cult of Mac cites a New York Times blog post about Steve Jobs passion for computers and electronic devices. In that post Steve Jobs is quoted as saying the following about the Amazon Kindle:

“It doesn’t matter how good or bad the product is, the fact is that people don’t read anymore. Forty percent of the people in the U.S. read one book or less last year. The whole conception is flawed at the top because people don’t read anymore.”

His opinion on this area is probably more important than the average person might realize. One of the things that Jobs has demanded mercilessly has been incredible user interfaces. This goes back a long way to his interest in calligraphy. If anyone were to design an electronic reader and do it right, it would be Apple. If I were to bet, I would bet that they have considered making a product like this in recent years and ruled it out based on their findings.

Of course, Cult of Mac also posted a link to a recent study on reading by the National Endowment for the Arts. The full study is morbidly fascinating and about 100 pages long, many of which are charts on reading trends. It seems that at every level reading is in decline.

In particular, I thought that the statistics on those who were college educated or above were frightening. The report also makes some general conclusions that the decline of reading skills will affect our democracy. This makes sense if you consider the fact that our government was designed based on the idea that the citizenry would be educated and actively engaged in the process. Sort of an ominous thought to consider…