Archive for the ‘Computer Security’ Category

The Non-Death of RealID

Posted on November 7th, 2007 in Computer Security, Life, Politics and Law | No Comments »

Slashdot recently reported on an ArsTechnica article on the death of RealID. There are several things to take from this.

First, RealID is horrible from a privacy and liberty standpoint. This is well-known to anyone who actively concerns themselves with these sorts of issues. It is essentially a national ID card. Depending on how much of a privacy nut you are, the seriousness of this could range from a simple invasion of your privacy to something straight out of 1984 or the Book of Revelation. I’m not sure I would take it to that extreme, but I do think the concept of a national ID card is a non-trivial invasion of privacy.

Second, RealID isn’t economical. The exact details of the security tradeoffs show that RealID is an extremely expensive trade-off. This is very important and subtly hard to understand. Instinct tells us that being able to identify everyone should allow us to determine those people who pose a threat and those who don’t. Unfortunately, reality doesn’t work like that, if for no other reason than the simple fact that past behavior doesn’t always accurately predict future actions. Of course, there are many other reasons stated in the link above.

(BTW, This is really the only reason that RealID is dying. It was a massive unfunded mandate for the State governments. If it had been a pork barrel project with horrible security consequences but a nice paycheck for the State governments, then we might have a different story.)

Third, RealID may actually worsen national security. A single national database with the personal information of every citizen in the US is a juicy target for a lot of people with bad intentions. It is the ultimate honeypot, only using real data as opposed to fake data. A single process by which identification can be done is a monoculture with similar problems. I think the easiest analogy for people to understand is that throwing your support behind RealID as the identification card for any American is like putting your entire investment portfolio in one business. It’s just a lot safer to not have all your eggs in one basket.

So if RealID is so bad and it’s also “dying”, why have I titled this post “The Non-Death of RealID”? Simply put, this sort of problem is like a bad penny. It keeps coming back because human instincts make it sound good. It keeps coming back because it affects personal liberty, which must always be defended. Security and Liberty aren’t things that you do once and forget about, so the threats to these never really die.

The (Near) Future of Surveillance

Posted on September 17th, 2007 in Computer Security, Life, Politics and Law | No Comments »

There’s a BBC article that was posted this past Saturday entitled Big Brother is watching us all. I am leery of reading traditional media articles about privacy because many of them are inflammatory and most seem to provide a distorted view of what most reasonable privacy advocates are actually advocating. However, I was curious because it was the BBC and London is well-known to have extensive surveillance camera networks.

Despite my misgivings, the article does describe some technologies in a rational and accurate manner. I don’t know if the technologies described are right around the corner or if it will still take decades for them to be functional. The reality is probably somewhere in the middle. However, I do know that we’re nowhere close to being able to understand as a society the implications that some of these things, when functional, will have for us.

Of course, there is a great example of the traditional tripe usually found in mainstream media articles. It comes at the end of the article:

Using radio waves, you point [the device at] a wall and it tells you if anyone is on the other side. [Ian Kitajima's] company, Oceanit, is due to test it with the Hawaiian National Guard in Iraq next year, and it turns out that the human body gives off such sensitive radio signals, that it can even pick up breathing and heart rates.

“First, you can tell whether someone is dead or alive on the battlefield,” said Ian.

“But it will also show whether someone inside a house is looking to harm you, because if they are, their heart rate will be raised. And 10 years from now, the technology will be much smarter. We’ll scan a person with one of these things and tell what they’re actually thinking.”

He glanced at me quizzically, noticing my apprehension.

“Yeah, I know,” he said. “It sounds very Star Trekkish, but that’s what’s ahead.”

This is exactly the reason I dislike mainstream media articles about technology. No, there will not be a magic radio wave device that can read your mind and determine what you’re actually thinking in the next ten years. This is hogwash. One of the many reasons why is simple. The first step in building a device that can determine what someone is actually thinking is creating an algorithm or process that can determine what someone is actually thinking. Anyone who has ever been married can tell you how successful humans are at that sort of thing.

A quickly beating heart is indicative of many disparate things. Most of these are not “I am preparing to kill whomever is staring at me through my wall.” However, if you are a member of a SWAT team holding a device such as this in one hand and a machine gun in the other… Well, let’s just say that a hammer sees every problem as a nail.

A similar situation is described in Blink by Malcolm Gladwell, where a police officer had to make a split-second decision based on bad instincts. The good news is that training can improve split-second decisions in police officers. Thus, it is possible that proper training in the use of technology can prevent abuses and wasteful spending which might result from misunderstanding technology. The bad news is that we may not be able to train those in decision making positions rapidly enough to keep up with technology marketers (and clueless mainstream media journalists) who are trying to sell the next miracle device that will solve all your security problems.

The Principle of Least Privilege in a Democracy

Posted on September 4th, 2007 in Computer Security, Life, Politics and Law | No Comments »

There’s a principle in computer security that is the basis of access control as we know it. This principle is called The Principle of Least Privilege. The idea is that you should only provide the minimum amount of rights needed for someone to do the things they need to do. For example, an account for a computer user who merely needs to browse the web and send emails shouldn’t also include rights to do things like install or remove programs.

Key to this principle is the concept of a “root” owner of rights who is able to determine who deserves to have what rights. With a computer, that “root” owner is the administrator account, but there is a political mirror to this principle. In a police state or dictatorship, the “root” owner of all rights is the State which can pretty much distribute rights however they wish. In a democracy, the root owner of all rights is the citizenry who elects politicians to create, enforce and maintain a legal system that dispenses these rights.

The citizens of a democracy must continually verify that the distribution of rights is proper. Recently, a story was posted on Slashdot about someone doing just that. I encourage you to read the details about this because it demonstrates exactly the kind of thought process that has been abandoned by many citizens for the sake of convenience.

I don’t want to get into anything overly political, so I won’t comment further. However, I do hope that you’ll at least consider this man’s situation. Ask yourself a few questions about the division of rights in this scenario. Do you feel that the Principle of Least Privilege has been violated? Consider similar situations, such as producing a driver’s license or other ID to board an airplane. For example, should you have to display an ID to fly?

[Edited to add: A friend of mine pointed out a similar story about a trip to Best Buy.]

Disaster Recovery Communications

Posted on August 31st, 2007 in Computer Security, Life, Politics and Law | No Comments »

Sometimes I have to try actively to avoid a “me too” post after Bruce Schneier‘s latest article goes up on Wired. However, I will indulge myself this time because his latest article is about disaster recovery communications. I feel very strongly about this and Bruce speaks so eloquently about it that I would be remiss in not posting a link to his thoughts.

His basic premise is that whatever you do to plan for disaster recovery works regardless of what caused the problem. Natural disaster? Check! Security breach? Check! Random malfunction? Check! Unknown design flaw? Check! This is what makes backing up the data on your computer such an important thing. It is useful regardless of how you lose your data. Also, the cost associated with making a backup is really low.

Schneier’s article isn’t about backing up computer data though. He focuses on improving communications between first responders. Any emergency responder will tell you that the most critical elements in responding to a situation are timing and communication. We can’t make more time, so improving communications during disaster recovery is low hanging fruit that I would hope politicians of any stripe could agree on. There may be some local disputes about protocol or hardware, but in the end these seem pathetic because of the big picture.

The Security of GMail

Posted on August 4th, 2007 in Computer Security, Technology | No Comments »

The privacy of GMail has annoyed me for some time now, but I found another reason to dislike it. Apparently someone designed a point and click tool to hack GMail accounts. It was demoed recently at Black Hat in Las Vegas.

Now, some of the things that are demoed at these conferences are pretty exotic, but this one appears to be based on basic computer security techniques, such as packet sniffing and replay attacks. Once the attack has succeeded, the attacker can read old emails or send new ones. (Of course, if you were using GPG, they wouldn’t be able to read your emails or send new ones that could be authenticated as sent from you.)

Of course, because the tool is based on packet sniffing and replay attacks, the attack can be thwarted by always connecting to GMail with an SSL connection. There’s a cool Firefox plugin called GreaseMonkey that has a user script you can install which will force GMail always to connect with SSL.
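The defensive side of this, as an added example that is not from the original post or from Google: a session cookie set without the Secure flag is sent by the browser over plain HTTP as well, which is exactly what a sniff-and-replay tool needs. The small Python audit below checks Set-Cookie attributes and lists session cookies seen travelling in the clear; cookie names and captured requests are constructed samples, and “SID” is a hypothetical name.

```python
import re

# Cookie names that usually carry a login session; constructed heuristic.
SESSION_NAME_RE = re.compile(r"sess|sid|auth|token|login", re.I)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Warn when a session cookie may be sent in the clear (sniffable) or is
    readable by page scripts. Returns a list of findings, empty if fine."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if not SESSION_NAME_RE.search(name):
        return findings  # not a session cookie, nothing worth replaying
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, so the browser also sends it over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, so page scripts can read it")
    return findings


def cleartext_session_cookies(captured_requests):
    """captured_requests: (scheme, Cookie header) pairs seen on the wire.
    Returns the session cookie names that travelled over plain HTTP, i.e. the
    ones a passive sniffer on the same network could copy and replay."""
    leaked = []
    for scheme, cookie_header in captured_requests:
        if scheme.lower() != "http":
            continue  # SSL traffic: the cookie is not visible on the wire
        for pair in cookie_header.split(";"):
            name, _, _val = pair.strip().partition("=")
            if SESSION_NAME_RE.search(name) and name not in leaked:
                leaked.append(name)
    return leaked


if __name__ == "__main__":
    # Constructed samples; "SID" is a hypothetical session cookie name.
    print(audit_set_cookie("SID=abc123; Path=/; HttpOnly"))
    print(audit_set_cookie("SID=abc123; Path=/; Secure; HttpOnly"))
    print(cleartext_session_cookies([("http", "SID=abc123; PREF=lang=en"),
                                     ("https", "SID=abc123")]))
```

Forcing SSL on the client, as the GreaseMonkey script does, only helps if the cookie is also marked Secure; otherwise any stray plain HTTP request to the same site still leaks it.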

Regardless of the details, how is it possible that we still have this sort of problem? Seriously. People have known about these techniques for a long time now. Sometimes it feels like we’re not advancing technology at all.

Another good example of this de-evolution of security techniques was also presented at Black Hat. It was a talk about “Premature AJAX-ulation,” which makes the excellent point that AJAX tends to push a lot of business logic to untrusted clients. (I thought Ars Technica covered it well.)

Disaster Planning and Security

Posted on July 26th, 2007 in Computer Security, Technology | No Comments »

Bruce Schneier’s latest article for Wired talks about disaster planning as an important part of the security process. Specifically, he’s talking about picking a disaster that has a reasonable likelihood of being mitigable. For example, it’s pointless for an individual or business to “plan” for a nuclear winter, but that might be exactly the sort of thing that should be in the scope of planning for a government. The article is excellent, but he does fail to mention in this article something which he has talked about in the past: the utility of disaster planning as both a recovery mechanism and a security mechanism.

In many cases, it’s easier to get money to do security related things than it is to get money to do disaster recovery related things. Unfortunately, a good disaster plan can help out in case of security events, natural events, accidents and other unforeseen problems while a security defense mechanism usually only tries to prevent something bad from happening.

Also, it can sometimes simply be easier and more cost effective in terms of time, money and reliability to implement the disaster recovery plan rather than the security incident response plan. This is the sort of logic behind Brian Krebs’ article about cleaning out a virus versus just reinstalling Windows.

Email Greeting Card Scam

Posted on July 19th, 2007 in Computer Security, Technology | No Comments »

I am not sure if I have mentioned it before on this site, but Brian Krebs is a journalist at the Washington Post and maintains a blog called Security Fix. If you are not a security person and you only really care about computer security issues that would affect you as a generic computer user, this is by far the best single source of information on computer security issues.

His latest post covers an important problem that I’ve already seen in my junk mail folder. Basically, these are nefarious emails that disguise themselves as electronic greeting cards. They are hoping that you’ll click on the link based on the fact that almost everyone has sent or received an electronic greeting card of some kind in the past.

Here’s the text of one of the emails that I received with the malicious URL removed:

Hi. Neighbour has sent you a postcard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card’s direct www address below while you are connected to the Internet:

Link removed

Or copy and paste it into your browser’s “Location” box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Mail Delivery System,
GreetingCards.Com

This looks incredibly similar to the electronic greeting cards that I’ve actually received from real places, especially several years ago when few people knew much about computer security issues. Now things have changed slightly. Take a look at how Hallmark’s electronic greeting cards appear:

Hello!

NAME has sent you a Hallmark E-Card! To see it, just click the link below, or copy and paste it into your browser’s address line:

Link Removed

Or you can follow these steps:

1. Go to our homepage at http://www.hallmark.com
2. Click “E-Cards & More”.
3. Click the link that says “Pick up an E-Card.”
4. Enter your e-mail address and this number: Number Removed. Click “Display Greeting,” and enjoy your E-Card.

With best wishes,
Your friends at Hallmark

Your privacy is our priority. Click the “Privacy and Security” link at the bottom of any page on Hallmark.com to see our privacy policy.

You’ll notice that the first part is very similar to the nefarious example, but there’s an important difference in the second part. Hallmark gives you instructions on how to access your card without directly clicking on a link in your email client. Phishing scams are built around the theory that they can trick you into believing their site looks legitimate as long as they can get you to click on one bad URL.

Brian Krebs gives the following advice at the end of his post about this:

I have never been a huge fan of e-greeting cards, mainly because they condition people to click on links in e-mail, especially when malicious links are one of the broadest vectors for e-mail borne viruses and worms. I realize there are several established and legitimate e-greeting card companies that base their business on this practice. It is sad that the state of e-mail security has come to this, but Microsoft Windows users would be well-advised to simply delete any e-greeting cards that land in their inboxes.

This is pretty good advice. I always felt a bit “bad” about electronic greeting cards, automated invitations to join social networks and similar emails but have been unable to express why nearly as well as he does here. However, if you absolutely must view electronic greeting cards, I would highly recommend that you do so in a manner that doesn’t involve directly clicking on any links in your email client.
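To make the comparison above concrete, here is an added Python example (not from the original post, Hallmark, or Brian Krebs) that checks a greeting-card e-mail for the three differences the two samples show: links that do not point at the company the card claims to come from, a generic relationship word where a sender’s name should be, and no way to pick the card up other than clicking the e-mailed link. The message bodies are constructed from the two samples quoted above, with obvious placeholders standing in for the removed links and number.

```python
import re
from urllib.parse import urlparse

# Constructed samples based on the two messages quoted in the post; the removed
# links and pickup number are replaced by obvious placeholders.
SCAM_SAMPLE = """Hi. Neighbour has sent you a postcard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card's
direct www address below while you are connected to the Internet:

http://card-pickup.example.net/LINK-REMOVED

Wishing you the best,
Mail Delivery System,
GreetingCards.Com
"""

LEGIT_SAMPLE = """Hello!

NAME has sent you a Hallmark E-Card! To see it, just click the link below,
or copy and paste it into your browser's address line:

http://www.hallmark.com/LINK-REMOVED

Or you can follow these steps:

1. Go to our homepage at http://www.hallmark.com
2. Click "E-Cards & More".
3. Click the link that says "Pick up an E-Card."
4. Enter your e-mail address and this number: NUMBER-REMOVED.
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
STEP_RE = re.compile(r"^\s*\d+\.\s", re.M)          # a numbered manual route
SENDER_RE = re.compile(r"(\w[\w ]*?) has sent you", re.I)
# Relationship words a mass mailing uses when it does not know a real name.
GENERIC_SENDERS = {"neighbour", "neighbor", "friend", "classmate", "colleague"}


def off_brand_links(body, claimed_domain):
    """Return URLs whose host is neither claimed_domain nor a subdomain of it."""
    claimed = claimed_domain.lower()
    bad = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != claimed and not host.endswith("." + claimed):
            bad.append(url)
    return bad


def assess_card_email(body, claimed_domain):
    """List the warning signs the post contrasts; an empty list means none."""
    findings = [f"link host is not {claimed_domain}: {u}"
                for u in off_brand_links(body, claimed_domain)]
    sender = SENDER_RE.search(body)
    if sender and sender.group(1).strip().lower() in GENERIC_SENDERS:
        findings.append(f"sender is a generic relationship word: {sender.group(1).strip()!r}")
    if not STEP_RE.search(body):
        findings.append("no way to view the card except the e-mailed link")
    return findings


if __name__ == "__main__":
    for label, body, domain in [("scam", SCAM_SAMPLE, "greetingcards.com"),
                                ("hallmark", LEGIT_SAMPLE, "hallmark.com")]:
        print(label, assess_card_email(body, domain) or ["no warning signs"])
```

The claimed domain is taken from the signature by hand here; a mail filter would read it from the From header and the brand the message names.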

Accountability and Data Breaches

Posted on June 25th, 2007 in Computer Security, Politics and Law | No Comments »

One of the biggest reasons that computer security is so lax across many private industries is that there is a serious lack of accountability. If a business has a massive data breach, currently the only major or direct consequence of that breach to the business is a public relations problem of some degree. Of course, for many of the people who just had sensitive personal information compromised irretrievably, the consequences are much more dire.

In light of this, I’m very pleased to have read about some promising recent state laws that are allowing businesses to recover costs related to data breaches by other businesses. This is a bit abstract, so here’s an example: ABC Corporation has a data breach. This data breach requires XYZ Incorporated, who has many of the same customers, to spend a lot of time and money updating records and making sure that all their customers are once again legitimate. Under laws similar to the ones mentioned in the article, XYZ Incorporated can now recover costs from ABC Corporation.

This sort of financial accountability is critical to improving data security across industries. Bruce Schneier has talked about this before. It’s a fairly simple principle that for some reason has been particularly slow to catch on. Unless there’s a financial incentive to good data security practices, businesses won’t bother with them.

I also like that this is a business vs. business scenario because that should improve enforcement dramatically. HIPAA has been stuck in limbo because of a near complete lack of enforcement to this day. Other businesses are much more likely to take the time to sue companies with poor data security than the government.

Email Privacy Ruling

Posted on June 22nd, 2007 in Computer Security, Politics and Law | No Comments »

Earlier this week the Sixth US Circuit Court of Appeals made an important ruling about the privacy of emails. This ruling basically states that a probable cause warrant would have to be issued for investigators to get access to your emails from an ISP. While you might have thought that something like this would already have been standard practice, the reality is that previous to this ruling investigators could have readily gained access to your emails from your ISP and you likely wouldn’t have known.

Another important thing to take from this is that anyone using an encryption protocol for their email would have been unaffected by a secret investigation. Investigators would certainly have been able to gain access to your emails, but they would have had no way to read them. I understand a lot of the arguments against using email encryption. It isn’t user friendly in most cases and there’s a lot of annoying overhead in setting it up right. However, in a world where almost every kind of communication, from love letters to business deals, is talked about in emails, which are stored on thousands of different servers for much, much longer than people realize, there’s certainly a compelling argument for biting the bullet and dealing with the overhead.

If you are using a webmail account, this could be more difficult. However, as I posted previously, there are some promising signs that email encryption can be done entirely through a web browser.

Apple, ZFS and Laptops

Posted on June 13th, 2007 in Computer Security, Technology | No Comments »

Well, the results are in and everyone predicting ZFS as the file system for the next version of Apple’s Mac OS X was only partially right. Turns out that ZFS won’t be the exclusive file system used in Leopard. Of course, this news has come by way of massive back and forth. Needless to say, there’s a lot of confusion about this story. Confusion is never a good thing. If you only wanted to read one article about the whole ordeal, this one summarizes everything pretty well.

Personally, I would be interested in using ZFS in two possible scenarios. The first would be on a Linux desktop / server, which is likely not going to happen because it is released under an incompatible license. To make a short story long: ZFS is released under the CDDL, which doesn’t really play nice with Linux, but there’s a movement to port ZFS to FUSE/Linux so that it runs in userspace under the CDDL. At best, it’s under investigation.

The other place where I would be interested in using ZFS is on a laptop. This is interesting because of the incremental remote backup facilities that it provides. I also like the built-in compression features. However, I have to say that the lack of file system encryption is probably a deal breaker for me on a laptop. It’s just too important to have on a laptop. There is a zfs-crypto project, but it’s still under development.

I know this was originally scoped out as a server file system, but I don’t understand why they didn’t want to include encryption at the file system level. There are certainly a lot of uses for file system level encryption in a server environment, not the least of which is to avoid the cloudy legal status of third party consent in computer searches. With an encrypted file system, you don’t have to worry about someone stealing your hard drive and using another tool to read its contents. Maybe I’m extremely biased, but it seems like any new file system that wants to take itself seriously at the server level, and especially on laptops, should be designed to at least allow encryption as an option.