Archive for the ‘Computer Security’ Category

The Principle of Least Privilege in a Democracy

Posted on September 4th, 2007 in Computer Security, Life, Politics and Law | No Comments »

There’s a principle in computer security that is the basis of access control as we know it. This principle is called The Principle of Least Privilege. The idea is that you should only provide the minimum amount of rights needed for someone to do the things they need to do. For example, an account for a computer user who merely needs to browse the web and send emails shouldn’t also include rights to do things like install or remove programs.

Key to this principle is the concept of a “root” owner of rights who is able to determine who deserves to have what rights. With a computer, that “root” owner is the administrator account, but there is a political mirror to this principle. In a police state or dictatorship, the “root” owner of all rights is the State which can pretty much distribute rights however they wish. In a democracy, the root owner of all rights is the citizenry who elects politicians to create, enforce and maintain a legal system that dispenses these rights.

The citizens of a democracy must continually verify that the distribution of rights is proper. Recently, a story was posted on Slashdot about someone doing just that. I encourage you to read the details about this because it demonstrates exactly the kind of thought process that has been abandoned by many citizens for the sake of convenience.

I don’t want to get into anything overly political, so I won’t comment further. However, I do hope that you’ll at least consider this man’s situation. Ask yourself a few questions about the division of rights in this scenario. Do you feel that the Principle of Least Privilege has been violated? Consider similar situations, such as producing a driver’s license or other ID to board an airplane. For example, should you have to display an ID to fly?

[Edited to add: A friend of mine pointed out a similar story about a trip to Best Buy.]

Disaster Recovery Communications

Posted on August 31st, 2007 in Computer Security, Life, Politics and Law | No Comments »

Sometimes I have to actively try to avoid a “me too” post after Bruce Schneier’s latest article goes up on Wired. However, I will indulge myself this time because his latest article is about disaster recovery communications. I feel very strongly about this and Bruce speaks so eloquently about it that I would be remiss in not posting a link to his thoughts.

His basic premise is that whatever you do to plan for disaster recovery works regardless of what caused the problem. Natural disaster? Check! Security breach? Check! Random malfunction? Check! Unknown design flaw? Check! This is what makes backing up the data on your computer such an important thing. It is useful regardless of how you lose your data. Also, the cost associated with making a backup is really low.

Schneier’s article isn’t about backing up computer data though. He focuses on improving communications between first responders. Any emergency responder will tell you that the most critical elements in responding to a situation are timing and communication. We can’t make more time, so improving communications during disaster recovery is low hanging fruit that I would hope politicians of any stripe could agree on. There may be some local disputes about protocol or hardware, but in the end these seem pathetic because of the big picture.

The Security of GMail

Posted on August 4th, 2007 in Computer Security, Technology | No Comments »

The privacy of GMail has annoyed me for some time now, but I found another reason to dislike it. Apparently someone designed a point-and-click tool to hack GMail accounts. It was demoed recently at Black Hat in Las Vegas.

Now, some of the things that are demoed at these conferences are pretty exotic, but this one appears to be based on basic computer security techniques, such as packet sniffing and replay attacks. Once the attack has succeeded, the attacker can read old emails or send new ones. (Of course, if you were using GPG, they wouldn’t be able to read your emails nor send new ones that could be authenticated as sent from you.)

Of course, because the tool is based on packet sniffing and replay attacks, the attack can be thwarted by always connecting to GMail with an SSL connection. There’s a cool Firefox plugin called GreaseMonkey that has a user script you can install which will force GMail always to connect with SSL.
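To make the sniff-and-replay mechanism concrete, here is an added illustration (my own example code, not anything from the original post, from the Black Hat tool or from the GreaseMonkey script). It uses Python’s standard cookie jar, which applies the same rules a browser does when deciding which cookies to attach to a request: a session cookie set without the Secure attribute is sent on plain http:// requests, where anyone on the path can copy it and replay it; forcing https:// keeps it off the wire in the clear, and marking it Secure server-side stops the browser sending it over plaintext at all. The host name and cookie value are constructed for the example.

```python
"""Plaintext webmail sessions and replay: what forcing SSL changes.

Added example, not code from the original post or from any tool it mentions.
A browser-style cookie jar decides which cookies ride along on a request.
A session cookie without the Secure attribute is attached to plain http://
requests, where a passive sniffer can copy it and replay it. Forcing
https:// (the user-script approach) keeps it off the plaintext leg; setting
Secure on the server side makes the client refuse to send it over http at
all. Host and cookie value below are constructed.
"""
import urllib.request
from http.cookiejar import Cookie, CookieJar

SESSION_VALUE = "constructed-session-token"   # constructed, not a real token


def make_session_cookie(host: str, value: str, secure: bool) -> Cookie:
    """Build a Netscape-style session cookie as a webmail server would set it."""
    return Cookie(
        version=0, name="SID", value=value,
        port=None, port_specified=False,
        domain=host, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure,                 # the attribute that decides the outcome
        expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookies_sent_to(jar: CookieJar, url: str) -> list[str]:
    """Return the cookies the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)         # applies the jar's policy, incl. Secure
    header = req.get_header("Cookie")
    return header.split("; ") if header else []


def simulate(secure_flag: bool) -> dict[str, list[str]]:
    """Log in once, then fetch the inbox over http and over https."""
    host = "mail.example.com"          # constructed host name
    jar = CookieJar()
    jar.set_cookie(make_session_cookie(host, SESSION_VALUE, secure_flag))
    return {
        "http": cookies_sent_to(jar, f"http://{host}/inbox"),
        "https": cookies_sent_to(jar, f"https://{host}/inbox"),
    }


def sniffer_can_replay(secure_flag: bool) -> bool:
    """A passive sniffer only sees the plaintext leg; replay is possible
    exactly when the session cookie appears there."""
    return f"SID={SESSION_VALUE}" in simulate(secure_flag)["http"]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"Secure={flag}: sent={simulate(flag)} replayable={sniffer_can_replay(flag)}")
```

The user-script fix attacks the problem from the client side (never issue the http:// request in the first place); the Secure attribute fixes it from the server side (even a stray http:// request carries no session). Both together are what you want, since a user script only protects the users who installed it.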

Regardless of the details, how is it possible that we still have this sort of problem? Seriously. People have known about these techniques for a long time now. Sometimes it feels like we’re not advancing technology at all.

Another good example of this de-evolution of security techniques was also presented at Black Hat. It was a talk about “Premature AJAX-ulation,” which makes the excellent point that AJAX tends to push a lot of business logic to untrusted clients. (I thought Ars Technica covered it well.)

Disaster Planning and Security

Posted on July 26th, 2007 in Computer Security, Technology | No Comments »

Bruce Schneier’s latest article for Wired talks about disaster planning as an important part of the security process. Specifically, he’s talking about picking a disaster that has a reasonable likelihood of being mitigable. For example, it’s pointless for an individual or business to “plan” for a nuclear winter, but that might be exactly the sort of thing that should be in the scope of planning for a government. The article is excellent, but he does fail to mention in this article something which he has talked about in the past: the utility of disaster planning as both a recovery mechanism and a security mechanism.

In many cases, it’s easier to get money to do security related things than it is to get money to do disaster recovery related things. Unfortunately, a good disaster plan can help out in case of security events, natural events, accidents and other unforeseen problems while a security defense mechanism usually only tries to prevent something bad from happening.

Also, it can sometimes simply be easier and more cost effective in terms of time, money and reliability to implement the disaster recovery plan rather than the security incident response plan. This is the sort of logic behind Brian Krebs’ article about cleaning out a virus versus just reinstalling Windows.

Email Greeting Card Scam

Posted on July 19th, 2007 in Computer Security, Technology | No Comments »

I am not sure if I have mentioned it before on this site, but Brian Krebs is a journalist at the Washington Post and maintains a blog called Security Fix. If you are not a security person and you only really care about computer security issues that would affect you as a generic computer user, this is by far the best single source of information on computer security issues.

His latest post covers an important problem that I’ve already seen in my junk mail folder. Basically, these are nefarious emails that disguise themselves as electronic greeting cards. They are hoping that you’ll click on the link based on the fact that almost everyone has sent or received an electronic greeting card of some kind in the past.

Here’s the text of one of the emails that I received with the malicious URL removed:

Hi. Neighbour has sent you a postcard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card’s direct www address below while you are connected to the Internet:

Link removed

Or copy and paste it into your browser’s “Location” box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Mail Delivery System,
GreetingCards.Com

This looks incredibly similar to the electronic greeting cards that I’ve actually received from real places, especially several years ago when few people knew much about computer security issues. Now things have changed slightly. Take a look at how Hallmark’s electronic greeting cards appear:

Hello!

NAME has sent you a Hallmark E-Card! To see it, just click the link below, or copy and paste it into your browser’s address line:

Link Removed

Or you can follow these steps:

1. Go to our homepage at http://www.hallmark.com
2. Click “E-Cards & More”.
3. Click the link that says “Pick up an E-Card.”
4. Enter your e-mail address and this number: Number Removed. Click “Display Greeting,” and enjoy your E-Card.

With best wishes,
Your friends at Hallmark

Your privacy is our priority. Click the “Privacy and Security” link at the bottom of any page on Hallmark.com to see our privacy policy.

You’ll notice that the first part is very similar to the nefarious example, but there’s an important difference in the second part. Hallmark gives you instructions on how to access your card without directly clicking on a link in your email client. Phishing scams are built around the theory that they can trick you into believing their site looks legitimate as long as they can get you to click on one bad URL.

Brian Krebs gives the following advice at the end of his post about this:

I have never been a huge fan of e-greeting cards, mainly because they condition people to click on links in e-mail, especially when malicious links are one of the broadest vectors for e-mail borne viruses and worms. I realize there are several established and legitimate e-greeting card companies that base their business on this practice. It is sad that the state of e-mail security has come to this, but Microsoft Windows users would be well-advised to simply delete any e-greeting cards that land in their inboxes.

This is pretty good advice. I always felt a bit “bad” about electronic greeting cards, automated invitations to join social networks and similar emails but have been unable to express why nearly as well as he does here. However, if you absolutely must view electronic greeting cards, I would highly recommend that you do so in a manner that doesn’t involve directly clicking on any links in your email client.
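The contrast between the two messages above reduces to two mechanical checks: do the links in the body actually point at the domain the message claims to come from, and does the message offer a way to collect the card that does not involve clicking a link? Here is an added example applying both (my own code, not anything from the original post or from Security Fix). The two messages are constructed to mirror the shapes shown above, with placeholder addresses from the reserved example/documentation ranges. Note the limitation: the From header is trivially forged, so this is a triage heuristic for a junk folder, not proof of anything.

```python
"""Triage a greeting-card e-mail: foreign links and a link-free pickup path.

Added example, not code from the original post or from Security Fix.
Checks (1) whether every URL in the body sits on the domain the message
claims to come from and (2) whether the body offers a manual, link-free way
to collect the card. Both messages below are constructed; the scam link
uses the documentation IP range, the legitimate one a reserved .example name.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Phrases a real card service uses when it offers a manual pickup path.
MANUAL_PATH_RE = re.compile(r"go to our homepage|enter your e-?mail address", re.IGNORECASE)

# Constructed lure, modelled on the postcard e-mail shown in the post.
SCAM_CARD = """\
From: Mail Delivery System <postcards@cards.example>
To: you@example.org
Subject: You have received a postcard

Hi. Neighbour has sent you a postcard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card's direct www address below:

http://203.0.113.7/postcard/view?id=12345

Wishing you the best,
Mail Delivery System,
cards.example
"""

# Constructed legitimate card, modelled on the Hallmark e-mail shown in the post.
LEGIT_CARD = """\
From: E-Cards <ecards@legit-cards.example>
To: you@example.org
Subject: NAME has sent you an E-Card

Hello!

NAME has sent you an E-Card! To see it, just click the link below, or copy and paste it:

http://www.legit-cards.example/ecards/pickup?code=ABC123

Or you can follow these steps:

1. Go to our homepage at http://www.legit-cards.example
2. Click "Pick up an E-Card."
3. Enter your e-mail address and this number: ABC123.
"""


def registrable(host: str) -> str:
    """Crude 'last two labels' domain: www.legit-cards.example -> legit-cards.example."""
    return ".".join(host.lower().split(".")[-2:])


def check_card_email(raw: str) -> dict:
    """Return the sender domain, the links found, the links that leave that
    domain, whether a manual pickup path is offered, and a verdict."""
    msg = message_from_string(raw)
    sender_host = msg["From"].split("@")[-1].strip("> ")
    body = msg.get_payload()
    links = URL_RE.findall(body)
    foreign = [u for u in links
               if registrable(urlparse(u).hostname or "") != registrable(sender_host)]
    manual = bool(MANUAL_PATH_RE.search(body))
    return {
        "sender_domain": registrable(sender_host),
        "links": links,
        "foreign_links": foreign,
        "offers_manual_pickup": manual,
        "verdict": "suspicious" if (foreign or not manual) else "looks consistent",
    }


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_CARD), ("legit", LEGIT_CARD)):
        print(label, check_card_email(raw))
```

The second check is the one the post really argues for: a service that expects you to type its homepage address yourself and enter a pickup number has designed its mail so that you never have to trust a link in it, which is exactly the habit the scam depends on you not having.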

Accountability and Data Breaches

Posted on June 25th, 2007 in Computer Security, Politics and Law | No Comments »

One of the biggest reasons that computer security is so lax across many private industries is that there is a serious lack of accountability. If a business has a massive data breach, currently the only major or direct consequence of that breach to the business is a public relations problem of some degree. Of course, for many of the people who just had sensitive personal information compromised irretrievably, the consequences are much more dire.

In light of this, I’m very pleased to have read about some promising recent state laws that are allowing businesses to recover costs related to data breaches by other businesses. This is a bit abstract, so here’s an example: ABC Corporation has a data breach. This data breach requires XYZ Incorporated, which has many of the same customers, to spend a lot of time and money updating records and making sure that all their customers are once again legitimate. Under laws similar to the ones mentioned in the article, XYZ Incorporated can now recover costs from ABC Corporation.

This sort of financial accountability is critical to improving data security across industries. Bruce Schneier has talked about this before. It’s a fairly simple principle that for some reason has been particularly slow to catch on. Unless there’s a financial incentive to good data security practices, businesses won’t bother with them.

I also like that this is a business vs. business scenario because that should improve enforcement dramatically. HIPAA has been stuck in limbo because of a near complete lack of enforcement to this day. Other businesses are much more likely than the government to take the time to sue companies with poor data security.

Email Privacy Ruling

Posted on June 22nd, 2007 in Computer Security, Politics and Law | No Comments »

Earlier this week the Sixth US Circuit Court of Appeals made an important ruling about the privacy of emails. This ruling basically states that a probable cause warrant would have to be issued for investigators to get access to your emails from an ISP. While you might have thought that something like this would already have been standard practice, the reality is that prior to this ruling investigators could have readily gained access to your emails from your ISP and you likely wouldn’t have known.

Another important thing to take from this is that anyone using an encryption protocol for their email would have been unaffected by a secret investigation. Investigators would certainly have been able to gain access to your emails, but they would have had no way to read them. I understand a lot of the arguments against using email encryption. It isn’t user friendly in most cases and there’s a lot of annoying overhead in setting it up right. However, in a world where almost every kind of communication, from love letters to business deals, is discussed in emails, which are stored on thousands of different servers for much, much longer than people realize, there’s certainly a compelling argument for biting the bullet and dealing with the overhead.

If you are using a webmail account, this could be more difficult. However, as I posted previously, there are some promising signs that email encryption can be done entirely through a web browser.

Apple, ZFS and Laptops

Posted on June 13th, 2007 in Computer Security, Technology | No Comments »

Well, the results are in and everyone predicting ZFS as the file system for the next version of Apple’s Mac OS X was only partially right. Turns out that ZFS won’t be the exclusive file system used in Leopard. Of course, this news has come by way of massive back and forth. Needless to say, there’s a lot of confusion about this story. Confusion is never a good thing. If you only wanted to read one article about the whole ordeal, this one summarizes everything pretty well.

Personally, I would be interested in using ZFS in two possible scenarios. The first would be on a Linux desktop / server, which is likely not going to happen because it is released under an incompatible license. To make a short story long: ZFS is released under the CDDL, which doesn’t really play nice with Linux, but there’s a movement to port ZFS to FUSE/Linux so that it runs in userspace under the CDDL. At best, it’s under investigation.

The other place where I would be interested in using ZFS is on a laptop. This is interesting because of the incremental remote backup facilities that it provides. I also like the built-in compression features. However, I have to say that the lack of file system encryption is probably a deal breaker for me on a laptop. It’s just too important to have on a laptop. There is a zfs-crypto project, but it’s still under development.

I know this was originally scoped out as a server file system, but I don’t understand why they didn’t want to include encryption at the file system level. There are certainly a lot of uses for file system level encryption in a server environment, not the least of which is to avoid the cloudy legal status of third party consent in computer searches. With an encrypted file system, you don’t have to worry about someone stealing your hard drive and using another tool to read its contents. Maybe I’m extremely biased, but it seems like any new file system that wants to take itself seriously at the server level, and especially on laptops, should be designed to at least allow encryption as an option.

GnuPG and Gmail

Posted on June 5th, 2007 in Computer Security, Technology | 2 Comments »

One of my pet peeves with gmail is that it doesn’t have native support for GnuPG. I don’t think email encryption will ever achieve widespread adoption unless it’s built into a major webmail client. Since Google’s philosophy of doing no evil seems at least somewhat close to doing something good, I was hopeful that they would find a way to get it to work. Of course, that didn’t happen. I suspect that it was and is because they want to be able to scan the text of your emails to provide you targeted advertising. I don’t really know because I don’t use gmail that often.

However, there was an article that caught my eye on Linux.com about a new Firefox plugin called FireGPG that allows someone to use GnuPG with their gmail client. I haven’t tried it yet, but it really looks legit. Also, I’ve been looking for something like this for so long that I couldn’t wait to announce that it does, in fact, exist. If only web-based email security wasn’t once again an afterthought…

Oracle vs. SAP

Posted on April 3rd, 2007 in Computer Security, Politics and Law, Technology | No Comments »

I recently read Jennifer Granick’s latest column on Wired about the interesting legal case between Oracle and SAP. Basically, an Oracle customer wanted to switch to SAP and gave SAP their passwords to log into some Oracle systems. Now Oracle is claiming that SAP has broken some computer crime statutes by accessing a computer illegally.

Granick’s column looks at this from the perspective of anti-competitive practices. While I agree that this has some implications in that area, my first thought about this case was that it was an information property issue. If I were a customer and I gave my information to a company, I would say that I still own that information and should be able to ask the company to remove it or to authorize other people to access it.

This sort of thing crops up all the time in online privacy issues. Of course, I am not a lawyer and Granick is a very good one, but I thought it was an interesting issue that seems like it could be solved based on the simple question of who has more rights: the owner of the information or the owner of the place where the information is stored?