Archive for the ‘Computer Security’ Category

Ed Felten on Electronic Voting

Posted on February 23rd, 2008 in Computer Security, Politics and Law, Technology | No Comments »

Although Ed Felten has recently gotten tons of press about his research group’s recent analysis of breaking hard drive encryption, I wanted to talk about some research that he’s done previously on electronic voting for several reasons. First, I mentioned voting in my last post. Second, I have blogged about electronic voting here before that. Third, it is an election year and seems pertinent. Fourth, I am still trying to catch up on some blogs that I follow and recently was able to watch Ed Felten’s presentation in the CERIAS Security Seminar series.

If you are unfamiliar with Ed Felten, I would like to provide some background. He’s a computer security researcher with extensive experience in authentication, secure Java programming, and digital rights management. He has recently also become a leader in analyzing security concerns relating to electronic voting. He is a fellow of the ACM and an EFF Pioneer Award winner. He is the author of a popular technology and public policy blog called Freedom to Tinker. He is also an excellent presenter.

His presentation for the CERIAS seminar is extremely good. I think it is probably accessible to those who are not well-versed in computer security terminology. Certainly, most of the talk is non-technical in nature. I strongly urge anyone reading this who has wondered just what the big deal surrounding electronic voting is all about to at least watch the first half of the presentation. It is an excellent introduction to the amazingly insecure fashion in which elections are held in America.

He talks about the history of electronic voting, some of the legislation that may affect electronic voting, the goal of verifying an election and how his research group has approached the problem. I’m not entirely sure that the importance of the problems can really come through in a sterile environment such as an academic presentation, but he certainly does a great job of motivating these problems on his blog. For example, he posts pictures he takes of voting machines left unattended prior to election day. Of course, like any true academic, he provides references to their work so that you know where to look for more information if you are interested.

At the end of the talk he is asked a question about possible cryptographic methods that would allow a voter to obtain a receipt that they could later verify on a government website. I’m not entirely sure I like his answer. He says something like (yes, I’m paraphrasing), “There are attempts, but they aren’t ready for primetime.” This is a huge caveat and it almost seems to imply that the crypto isn’t quite there yet. Usually, it’s the humans that aren’t ready for the crypto. In this case there are some pretty interesting cryptographic schemes, and they lack the same thing most other cryptographic schemes lack: an easy-to-understand user interface. I’m sure Dr. Felten knows this and was just providing a concise answer, but if you are interested in more, I would read Dr. Rivest’s paper on ThreeBallot voting as a great place to start.
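To make the ThreeBallot idea concrete, here is an added worked example (my own simplified model of Rivest’s scheme for a single race, not code from the paper or from Felten’s group). The candidate names and votes are constructed; it shows the row rule a checker must enforce, how a receipt is verified against the public bulletin board, and why the tally subtracts one mark per voter.

```python
"""Simplified ThreeBallot (Rivest, 2006), one race, as a worked example."""
import random

CANDIDATES = ("Alice", "Bob", "Carol")  # constructed sample race


def fill_ballots(choice, rng=random):
    """Build the three ballots encoding a vote for `choice`.

    Row rule: the chosen candidate is marked on two of the three ballots,
    every other candidate on exactly one. Which ballots carry which mark is
    random, so no single ballot (and hence no receipt) reveals the vote."""
    ballots = [dict.fromkeys(CANDIDATES, False) for _ in range(3)]
    for cand in CANDIDATES:
        for idx in rng.sample(range(3), 2 if cand == choice else 1):
            ballots[idx][cand] = True
    return ballots


def check_multiballot(ballots):
    """The checker's rule: every row has 1 or 2 marks and exactly one row
    has 2 (a vote for exactly one candidate). Without this check a voter
    could put 2 marks in several rows, i.e. vote for everyone."""
    if len(ballots) != 3:
        return False
    counts = [sum(b[c] for b in ballots) for c in CANDIDATES]
    return all(n in (1, 2) for n in counts) and counts.count(2) == 1


def run_election(votes, seed=0):
    """Cast each vote, publish all ballots with serial numbers on the
    bulletin board, and hand each voter a copy of one ballot as a receipt."""
    rng = random.Random(seed)
    bulletin, receipts, serial = [], [], 0
    for choice in votes:
        ballots = fill_ballots(choice, rng)
        if not check_multiballot(ballots):
            raise ValueError("invalid multi-ballot rejected by checker")
        for marks in ballots:
            serial += 1
            bulletin.append((serial, dict(marks)))
        # The voter chooses which of their three ballots to keep a copy of.
        serial_no, marks = bulletin[-3 + rng.randrange(3)]
        receipts.append((serial_no, dict(marks)))
    rng.shuffle(bulletin)  # published order must not link a voter's three ballots
    return bulletin, receipts


def tally(bulletin, num_voters):
    """Every voter adds one 'base' mark per candidate, so subtract it."""
    return {c: sum(m[c] for _, m in bulletin) - num_voters for c in CANDIDATES}


def verify_receipt(receipt, bulletin):
    """A voter checks that their receipt appears verbatim on the board. An
    altered or dropped ballot is caught with probability 1/3 by its voter."""
    serial_no, marks = receipt
    return any(s == serial_no and m == marks for s, m in bulletin)
```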

Warrantless Wiretapping and Retroactive Immunity

Posted on January 31st, 2008 in Computer Security, Politics and Law, Technology | 3 Comments »

One of the most highly charged pieces of legislation that has been passed by Congress in recent years is the Protect America Act. Probably the only good thing about it is the sunset provision that ensures it will expire in its current form unless Congress acts to renew it or make it permanent. That debate will come soon; the act was extended yesterday for another 15 days.

I haven’t commented about this much because there’s been quite a bit of coverage of it in the mainstream media. If you have somehow managed to avoid that coverage, and landed on this blog (Hi Mom!) the 15-second summary of the Protect America Act is that it allows the NSA to skip the established process of getting a warrant to wiretap communications by using an entirely internal process of reviewing the need for the wiretap. The White House wants this legislation because they believe the current process of obtaining a warrant is too slow for present needs.

Furthermore, there will be debate on a second major initiative of the White House: retroactive immunity for the companies involved in recently allowing illegal wiretaps. The 15-second summary of this situation is that an AT&T employee blew the whistle on a secret room that was set up to see all the data sent over the Internet for AT&T and several other companies. There is a class-action lawsuit against the companies and the Bush administration would like to get them off the hook by making their actions legal after the fact.

If you would like a quick overview of the situation as of November to catch yourself up on what might be on the news in the next two weeks, check out this YouTube video:

There are many places to go for more information on these issues. The Center for Democracy and Technology has an excellent guide on the amendments. EPIC spotlights surveillance issues here. The EFF has more information on warrantless surveillance here.

However, the best resource and the primary reason I chose to make a blog post about this topic is the paper entitled “Risking Communications Security: Potential Hazards of the Protect America Act” by Steven Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter Neumann, Jennifer Rexford that will appear in the Jan/Feb issue of IEEE Security and Privacy Magazine. If you only read one article linked from this post, the Risking Communications paper is the one to pick. Matt Blaze has a post about their article, as does Steven Bellovin.

The Non-Death of RealID

Posted on November 7th, 2007 in Computer Security, Life, Politics and Law | No Comments »

Slashdot recently reported on an ArsTechnica article on the death of RealID. There are several things to take from this.

First, RealID is horrible from a privacy and liberty standpoint. This is well-known to anyone who actively concerns themselves with these sorts of issues. It is essentially a national ID card. Depending on how much of a privacy nut you are, the seriousness of this could range from a simple invasion of your privacy to something straight out of 1984 or the Book of Revelation. I’m not sure I would take it to that extreme, but I do think the concept of a national ID card is a non-trivial invasion of privacy.

Second, RealID isn’t economical. The exact details of the security trade-offs show that RealID is an extremely expensive trade-off. This is very important and subtly hard to understand. Instinct tells us that being able to identify everyone should allow us to determine those people who pose a threat and those who don’t. Unfortunately, reality doesn’t work like that, if for no other reason than the simple fact that past behavior doesn’t always accurately predict future actions. Of course, there are many other reasons stated in the link above.

(BTW, This is really the only reason that RealID is dying. It was a massive unfunded mandate for the State governments. If it had been a pork barrel project with horrible security consequences but a nice paycheck for the State governments, then we might have a different story.)

Third, RealID may actually worsen national security. A single national database with the personal information of every citizen in the US is a juicy target for a lot of people with bad intentions. It is the ultimate honeypot, only using real data as opposed to fake data. A single process by which identification can be done is a monoculture with similar problems. I think the easiest analogy for people to understand is that throwing your support behind RealID as the identification card for any American is like putting your entire investment portfolio in one business. It’s just a lot safer to not have all your eggs in one basket.

So if RealID is so bad and it’s also “dying”, why have I titled this post “The Non-Death of RealID”? Simply put, this sort of problem is like a bad penny. It keeps coming back because human instincts make it sound good. It keeps coming back because it affects personal liberty, which must always be defended. Security and liberty aren’t things that you do once and forget about, so the threats to these never really die.

The (Near) Future of Surveillance

Posted on September 17th, 2007 in Computer Security, Life, Politics and Law | No Comments »

There’s a BBC article that was posted this past Saturday entitled Big Brother is watching us all. I am leery of reading traditional media articles about privacy because many of them are inflammatory and most seem to provide a distorted view of what most reasonable privacy advocates are actually advocating. However, I was curious because it was the BBC and London is well-known to have extensive surveillance camera networks.

Despite my misgivings, the article does describe some technologies in a rational and accurate manner. I don’t know if the technologies described are right around the corner or if it will still take decades for them to be functional. The reality is probably somewhere in the middle. However, I do know that we’re nowhere close to being able to understand as a society the implications that some of these things, when functional, will have for us.

Of course, there is a great example of the traditional tripe usually found in mainstream media articles. It comes at the end of the article:

Using radio waves, you point [the device at] a wall and it tells you if anyone is on the other side. [Ian Kitajima's] company, Oceanit, is due to test it with the Hawaiian National Guard in Iraq next year, and it turns out that the human body gives off such sensitive radio signals, that it can even pick up breathing and heart rates.

“First, you can tell whether someone is dead or alive on the battlefield,” said Ian.

“But it will also show whether someone inside a house is looking to harm you, because if they are, their heart rate will be raised. And 10 years from now, the technology will be much smarter. We’ll scan a person with one of these things and tell what they’re actually thinking.”

He glanced at me quizzically, noticing my apprehension.

“Yeah, I know,” he said. “It sounds very Star Trekkish, but that’s what’s ahead.”

This is exactly the reason I dislike mainstream media articles about technology. No, there will not be a magic radio wave device that can read your mind and determine what you’re actually thinking in the next ten years. This is hogwash. One of the many reasons why is simple. The first step in building a device that can determine what someone is actually thinking is creating an algorithm or process that can determine what someone is actually thinking. Anyone who has ever been married can tell you how successful humans are at that sort of thing.

A quickly beating heart is indicative of many disparate things. Most of these are not “I am preparing to kill whoever is staring at me through my wall.” However, if you are a member of a SWAT team holding a device such as this in one hand and a machine gun in the other… Well, let’s just say that a hammer sees every problem as a nail.

A similar situation is described in Blink by Malcolm Gladwell, where a police officer had to make a split-second decision based on bad instincts. The good news is that training can improve split-second decisions in police officers. Thus, it is possible that proper training in the use of technology can prevent abuses and wasteful spending which might result from misunderstanding technology. The bad news is that we may not be able to train those in decision-making positions rapidly enough to keep up with technology marketers (and clueless mainstream media journalists) who are trying to sell the next miracle device that will solve all your security problems.

The Principle of Least Privilege in a Democracy

Posted on September 4th, 2007 in Computer Security, Life, Politics and Law | No Comments »

There’s a principle in computer security that is the basis of access control as we know it. This principle is called The Principle of Least Privilege. The idea is that you should only provide the minimum amount of rights needed for someone to do the things they need to do. For example, an account for a computer user who merely needs to browse the web and send emails shouldn’t also include rights to do things like install or remove programs.

Key to this principle is the concept of a “root” owner of rights who is able to determine who deserves to have what rights. With a computer, that “root” owner is the administrator account, but there is a political mirror to this principle. In a police state or dictatorship, the “root” owner of all rights is the State which can pretty much distribute rights however they wish. In a democracy, the root owner of all rights is the citizenry who elects politicians to create, enforce and maintain a legal system that dispenses these rights.

The citizens of a democracy must continually verify that the distribution of rights is proper. Recently, a story was posted on Slashdot about someone doing just that. I encourage you to read the details about this because it demonstrates exactly the kind of thought process that has been abandoned by many citizens for the sake of convenience.

I don’t want to get into anything overly political, so I won’t comment further. However, I do hope that you’ll at least consider this man’s situation. Ask yourself a few questions about the division of rights in this scenario. Do you feel that the Principle of Least Privilege has been violated? Consider similar situations, such as producing a driver’s license or other ID to board an airplane. For example, should you have to display an ID to fly?

[Edited to add: A friend of mine pointed out a similar story about a trip to Best Buy.]

Disaster Recovery Communications

Posted on August 31st, 2007 in Computer Security, Life, Politics and Law | No Comments »

Sometimes I have to try actively to avoid a “me too” post after Bruce Schneier’s latest article goes up on Wired. However, I will indulge myself this time because his latest article is about disaster recovery communications. I feel very strongly about this and Bruce speaks so eloquently about it that I would be remiss in not posting a link to his thoughts.

His basic premise is that whatever you do to plan for disaster recovery works regardless of what caused the problem. Natural disaster? Check! Security breach? Check! Random malfunction? Check! Unknown design flaw? Check! This is what makes backing up the data on your computer such an important thing. It is useful regardless of how you lose your data. Also, the cost associated with making a backup is really low.

Schneier’s article isn’t about backing up computer data though. He focuses on improving communications between first responders. Any emergency responder will tell you that the most critical elements in responding to a situation are timing and communication. We can’t make more time, so improving communications during disaster recovery is low-hanging fruit that I would hope politicians of any stripe could agree on. There may be some local disputes about protocol or hardware, but in the end these seem pathetic in light of the big picture.

The Security of GMail

Posted on August 4th, 2007 in Computer Security, Technology | No Comments »

The privacy of GMail has annoyed me for some time now, but I found another reason to dislike it. Apparently someone designed a point-and-click tool to hack GMail accounts. It was demoed recently at Black Hat in Las Vegas.

Now, some of the things that are demoed at these conferences are pretty exotic, but this one appears to be based on basic computer security techniques, such as packet sniffing and replay attacks. Once the attack has succeeded, the attacker can read old emails or send new ones. (Of course, if you were using GPG, they wouldn’t be able to read your emails nor send new ones that could be authenticated as sent from you.)

Of course, because the tool is based on packet sniffing and replay attacks, the attack can be thwarted by always connecting to GMail with an SSL connection. There’s a cool Firefox plugin called GreaseMonkey that has a user script you can install which will force GMail always to connect with SSL.
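Forcing SSL on the client is one half of the fix; the other is that the site’s session cookie must be marked so the browser never sends it in the clear, because a cookie that travels over plain HTTP is exactly what a sniff-and-replay tool copies. As an added example (mine, not Google’s or the tool author’s code), this audits constructed Set-Cookie headers for the attributes that close that gap; the cookie name “SID” and the headers are assumptions.

```python
"""Audit Set-Cookie headers for the flags that stop a sniffed session
cookie from being replayed. Headers below are constructed, not captured."""
from dataclasses import dataclass, field

# Assumption: cookie names we treat as session tokens (constructed).
SESSION_NAMES = {"sid"}

# Constructed responses: the weak one is what a sniffer can copy off the wire,
# the hardened one is what the browser will only ever send over https.
WEAK_HEADERS = ["SID=abc123; Domain=.example.test; Path=/"]
HARDENED_HEADERS = ["SID=abc123; Domain=.example.test; Path=/; Secure; HttpOnly",
                    "PREF=lang=en; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT"]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header):
    """Parse one Set-Cookie value. Flag attributes (Secure, HttpOnly) become
    True; valued attributes (Path, Domain, Expires) keep their string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value.strip(), attrs)


def sent_over(cookie, scheme):
    """Would a browser attach this cookie to a request with this scheme?
    A Secure cookie is only sent over https, so a plaintext http:// session,
    sniffed or not, never carries it."""
    return scheme == "https" or cookie.attrs.get("secure") is not True


def audit(headers, session_names=SESSION_NAMES):
    """Return (cookie name, finding) pairs for session cookies that a
    passive sniffer on the same network could capture or that scripts can read."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() not in session_names:
            continue
        if sent_over(cookie, "http"):
            findings.append((cookie.name, "missing Secure: sent in clear over http://"))
        if cookie.attrs.get("httponly") is not True:
            findings.append((cookie.name, "missing HttpOnly: readable by page scripts"))
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(headers) or "no findings")
```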

Regardless of the details, how is it possible that we still have this sort of problem? Seriously. People have known about these techniques for a long time now. Sometimes it feels like we’re not advancing technology at all.

Another good example of this de-evolution of security techniques was also presented at Black Hat. It was a talk about “Premature AJAX-ulation,” which makes the excellent point that AJAX tends to push a lot of business logic to untrusted clients. (I thought Ars Technica covered it well.)

Disaster Planning and Security

Posted on July 26th, 2007 in Computer Security, Technology | No Comments »

Bruce Schneier’s latest article for Wired talks about disaster planning as an important part of the security process. Specifically, he’s talking about picking a disaster that has a reasonable likelihood of being mitigable. For example, it’s pointless for an individual or business to “plan” for a nuclear winter, but that might be exactly the sort of thing that should be in the scope of planning for a government. The article is excellent, but he does fail to mention in this article something which he has talked about in the past: the utility of disaster planning as both a recovery mechanism and a security mechanism.

In many cases, it’s easier to get money to do security related things than it is to get money to do disaster recovery related things. That is unfortunate, because a good disaster plan can help out in case of security events, natural events, accidents and other unforeseen problems, while a security defense mechanism usually only tries to prevent something bad from happening.

Also, it can sometimes simply be easier and more cost effective in terms of time, money and reliability to implement the disaster recovery plan rather than the security incident response plan. This is the sort of logic behind Brian Krebs’ article about cleaning out a virus versus just reinstalling Windows.

Email Greeting Card Scam

Posted on July 19th, 2007 in Computer Security, Technology | No Comments »

I am not sure if I have mentioned it before on this site, but Brian Krebs is a journalist at the Washington Post and maintains a blog called Security Fix. If you are not a security person and you only really care about computer security issues that would affect you as a generic computer user, this is by far the best single source of information on computer security issues.

His latest post covers an important problem that I’ve already seen in my junk mail folder. Basically, these are nefarious emails that disguise themselves as electronic greeting cards. They are hoping that you’ll click on the link based on the fact that almost everyone has sent or received an electronic greeting card of some kind in the past.

Here’s the text of one of the emails that I received with the malicious URL removed:

Hi. Neighbour has sent you a postcard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card’s direct www address below while you are connected to the Internet:

Link removed

Or copy and paste it into your browser’s “Location” box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Mail Delivery System,
GreetingCards.Com

This looks incredibly similar to the electronic greeting cards that I’ve actually received from real places, especially several years ago when few people knew much about computer security issues. Now things have changed slightly. Take a look at how Hallmark’s electronic greeting cards appear:

Hello!

NAME has sent you a Hallmark E-Card! To see it, just click the link below, or copy and paste it into your browser’s address line:

Link Removed

Or you can follow these steps:

1. Go to our homepage at http://www.hallmark.com
2. Click “E-Cards & More”.
3. Click the link that says “Pick up an E-Card.”
4. Enter your e-mail address and this number: Number Removed. Click “Display Greeting,” and enjoy your E-Card.

With best wishes,
Your friends at Hallmark

Your privacy is our priority. Click the “Privacy and Security” link at the bottom of any page on Hallmark.com to see our privacy policy.

You’ll notice that the first part is very similar to the nefarious example, but there’s an important difference in the second part. Hallmark gives you instructions on how to access your card without directly clicking on a link in your email client. Phishing scams are built around the theory that they can trick you into believing their site looks legitimate as long as they can get you to click on one bad URL.

Brian Krebs gives the following advice at the end of his post about this:

I have never been a huge fan of e-greeting cards, mainly because they condition people to click on links in e-mail, especially when malicious links are one of the broadest vectors for e-mail borne viruses and worms. I realize there are several established and legitimate e-greeting card companies that base their business on this practice. It is sad that the state of e-mail security has come to this, but Microsoft Windows users would be well-advised to simply delete any e-greeting cards that land in their inboxes.

This is pretty good advice. I always felt a bit “bad” about electronic greeting cards, automated invitations to join social networks and similar emails but have been unable to express why nearly as well as he does here. However, if you absolutely must view electronic greeting cards, I would highly recommend that you do so in a manner that doesn’t involve directly clicking on any links in your email client.

Accountability and Data Breaches

Posted on June 25th, 2007 in Computer Security, Politics and Law | No Comments »

One of the biggest reasons that computer security is so lax across many private industries is that there is a serious lack of accountability. If a business has a massive data breach, currently the only major or direct consequence of that breach to the business is a public relations problem of some degree. Of course, for many of the people who just had sensitive personal information compromised irretrievably, the consequences are much more dire.

In light of this, I’m very pleased to have read about some promising recent state laws that are allowing businesses to recover costs related to data breaches by other businesses. This is a bit abstract, so here’s an example: ABC Corporation has a data breach. This data breach requires XYZ Incorporated, who has many of the same customers, to spend a lot of time and money updating records and making sure that all their customers are once again legitimate. Under laws similar to the ones mentioned in the article, XYZ Incorporated can now recover costs from ABC Corporation.

This sort of financial accountability is critical to improving data security across industries. Bruce Schneier has talked about this before. It’s a fairly simple principle that for some reason has been particularly slow to catch on. Unless there’s a financial incentive to good data security practices, businesses won’t bother with them.

I also like that this is a business vs. business scenario because that should improve enforcement dramatically. HIPAA has been stuck in limbo because of a near complete lack of enforcement to this day. Other businesses are much more likely than the government to take the time to sue companies with poor data security.