Archive for the ‘Technology’ Category

Pending FISA Amendment

Posted on July 7th, 2008 in Politics and Law, Technology

Tomorrow, on July 8th, the Senate will vote on a pending FISA amendment that includes provisions to give telecommunications companies legal protection for their role in the warrantless wiretapping, about which I have previously blogged here.

FISA stands for the Foreign Intelligence Surveillance Act and it was passed in 1978 to address abuses of several Presidents. The goal was to limit the ability of the executive to perform surveillance on anyone they wanted.

The initial reaction to the amendment from technologists and civil liberties advocates has been strong and consistent. Techdirt believes that our congress has failed us. The Technology Liberation Front believes this is bad policy and bad politics. The Center for Democracy and Technology believes that the bill is unclear and should at least be clarified for both national security and civil liberty. Finally, the whistleblower who got the ball rolling on all of this in the first place believes that this bill would create the “infrastructure for a police state.” It is also interesting to look at the politicians who received donations from telecommunications companies and also changed their votes.

There are other reasons to dislike this amendment. Representative Rush Holt’s thoughts are worth reading. Senator Chris Dodd gave an impassioned speech about FISA, which includes this gem, pointed out to me by Tim Lee:

This bill does not say, “Trust the American people; Trust the courts and judges and juries to come to just decisions.” Retroactive immunity sends a message that is crystal clear:

“Trust me.”

And that message comes straight from the mouth of this President. “Trust me.”

The amendment even redefines Weapons of Mass Destruction.

Let’s look back at the original goal of the FISA: to limit the power of the executive to watch anyone they wanted. Now, consider the current bill. It takes the power to determine the need for surveillance out of the hands of an impartial judge and puts that power into the hands of the President. It also provides blanket immunity to those companies that broke the law to allow the President to have this surveillance power over the last several years. Make no mistake about it; it is not a compromise.

Mac OS X Security in Snow Leopard

Posted on June 27th, 2008 in Computer Security, Technology

Recently we have seen several interesting developments in Mac OS X Security. Apple published a Leopard Security configuration guide (pdf) for experienced Mac OS X users. Apress published Foundations of Mac OS X Leopard Security. (Slashdot review here.)

However, I think the most interesting development has been the discussion of a SUID vulnerability by Matasano Chargen, among others. The vulnerability can be easily fixed by:

sudo chmod -R u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app
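
To confirm the fix took effect, and that nothing has since restored the bit, a check along these lines can be run before and after the command above. This is an added example, not code from the original post or from Apple; the function names are hypothetical, and the only path used is the one from the command above.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files, strip the bit, re-check.
# Function names are hypothetical; the default path is the one quoted in the post.

TARGET_DEFAULT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app"

# Print every regular file under $1 that has the setuid bit (mode 4000) set.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# Number of setuid files under $1 (tr strips the padding BSD wc adds).
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Report status for $1 (or the default path).
# Returns 0 when clean, 1 when setuid files are present, 3 if the path is missing.
audit_setuid() {
    dir=${1:-$TARGET_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "not found: $dir"
        return 3
    fi
    n=$(count_setuid "$dir")
    if [ "$n" -eq 0 ]; then
        echo "OK: no setuid files under $dir"
        return 0
    fi
    echo "WARN: $n setuid file(s) under $dir:"
    list_setuid "$dir" | while IFS= read -r f; do
        ls -l "$f"    # shows owner and the 's' in the mode string
    done
    return 1
}

# Clear the setuid bit on each file that has it, then verify none remain.
# Needs the same privileges as the chmod in the post (sudo on a real system).
strip_setuid() {
    dir=$1
    find "$dir" -type f -perm -4000 -exec chmod u-s {} + || return 2
    [ "$(count_setuid "$dir")" -eq 0 ]
}

# Stand-alone use: ./check.sh [path]   (audit only, changes nothing)
if [ "$#" -gt 0 ]; then
    audit_setuid "$1"
fi
```
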

Along with the announcement that most of the work on the next version of OS X will be under-the-hood improvements, the discussions of what improvements Apple should make to OS X Security have been thriving. In particular, I like Dino Dai Zovi’s editorial on what improvements he would make.

Dino lays out five specific improvements he would make:

  • Real ASLR (address space layout randomization). Library randomization with dyld loaded at a fixed location just doesn’t cut it.
  • Full use of hardware-enforced Non-eXecutable memory (NX). Currently, only the stack segments are enforced to be non-executable. Welcome to the new millennium where buffer overflows aren’t only on the stack.
  • Default 64-bit native execution for any security-sensitive processes. I don’t particularly care that it may waste 5% more memory and a little bit of speed, I want Safari, Mail.app and just about everything else that has security exposure to run as a 64-bit process. Simply because function arguments are passed in registers rather than on the stack, this makes working around ASLR and NX damn near impossible for many exploits.
  • Sandbox policies for Safari, Mail.app, and third-party applications. Code execution vulnerabilities aren’t the only kind of vulnerabilities and good sandbox policies for security-exposed applications can help mitigate the exploitation of code execution and other vulnerabilities in these applications. I love the scheme-based policies, by the way.
  • Mandatory code signing for any kernel extensions. I don’t want to have to worry about kernel rootkits, hyperjacking, or malware infecting existing kernel drivers on disk. Most kernel extensions are from Apple anyway and for the few common 3rd party ones, they should be required to get a code signing certificate.

Overall, this is an excellent list with one glaring omission: improve FileVault. There are many things that could be improved in this area, but I think the first two that come to my mind are integration with Time Machine and the ability to configure encryption for individual folders (other than the home folder) or entire disks. There are other, more technical problems with FileVault (such as the use of CBC mode encryption), but I think these are largely less important than living up to Apple’s reputation for making things easy to use. Right now, FileVault is not easy to use with Time Machine and it doesn’t serve the needs of those who need full disk encryption or those who really only want a few folders to be encrypted.

I would also like to pick a tiny nit on Dino’s list. I think Mandatory code signing for kernel extensions should be something that by default is enabled, but could be turned off manually as a part of the System Preferences by a user. There are still people who want the freedom to do whatever they want with their computer and although this may mean that they have enough rope to hang themselves, they still deserve that freedom.

Firefox 3 Screencast

Posted on June 9th, 2008 in Computer Security, Technology

Here’s a really nice down-to-earth screencast of the new features in Firefox 3, which will be released this month. I found this through Slashdot, but it is actually quite straightforward and you shouldn’t need a technical background to understand what’s going on here.

The screencast shows a nice overview of the new Firefox, but I wanted to focus on two very important security features that are new in Firefox 3: Website Identity and Malware protection. The website identity feature uses certificates and previous visits to inform the user who runs the website and whether or not the user has been there before. This is critical information that can both improve user confidence and prevent phishing attacks.

The malware protection feature attempts to prevent sites from taking advantage of flaws in the browser or add-ons. This feature is similar to the phishing protection added in Firefox 2, but they are also integrating virus scanning and malware protection into the download manager.

The screencast doesn’t talk about Mac features, but since I use a Mac, I will mention the big ones briefly. Firefox 3 takes on more of the Mac user interface conventions when installed on a Mac. One of their big pushes was to make sure that their browser was a native application for each operating system it installed on, so this actually applies to Windows as well. Also, Firefox 3 has significantly improved memory management and speed on the Mac. This was improved across all operating systems, but it was a serious complaint in the Mac community because Safari was so much more efficient than IE or Firefox. For the interested, Daring Fireball has a much more detailed coverage of Firefox 3 for the Mac.

Obviously, I can’t cover all the features in a new release of something like Firefox with a single blog post, so if you want more information I recommend checking out lifehacker’s top ten list of new Firefox features. For those who are of a more technical persuasion and wanting more information, you can check out the Firefox 3 Product Requirements document here. Also for the serious geek, check out this post (somewhat old now) on Firefox 3 Memory Usage improvements.

[Edit: There's an excellent "Field Guide to Firefox 3" post here that explains all anyone would want to know and more about the new version of Firefox, which is released tomorrow, June 17th.]

John McCain and Warrantless Wiretapping

Posted on June 4th, 2008 in Politics and Law, Technology

Threat Level is reporting that John McCain would continue the Bush administration’s policies of warrantless wiretapping. For the uninitiated: The NSA has conducted warrantless surveillance of Americans with the help of some telephone companies such as AT&T. I have previously blogged about whether AT&T should be retroactively granted immunity for the actions. McCain apparently now supports this type of action. McCain’s position on this topic hasn’t always been very clear. Cory Doctorow believes that this is pretty much exactly the kind of intrusion the founding fathers were hoping to avoid with that whole Constitution thing.

Personally, I think the politics are not as important as the technological concerns. Wiretapping isn’t as simple as it may seem and there are real technical challenges and security risks introduced by these systems. For example, every surveillance technique we use is a potential technique that our enemies could use against us. (The founding fathers might say that the government itself might use it against us.) For a detailed list of risks, I highly recommend reading the paper described by Matt Blaze in this post on wiretap risks.

Bruce Schneier’s Third Annual Movie-Plot Threat Contest

Posted on May 31st, 2008 in Computer Security, Entertainment

Although I’m sure this is old news by now (I apologize – I have been extremely busy the last couple of months), I did want to post briefly to say that I was announced as the winner of Bruce Schneier’s Third Annual Movie-Plot Threat Contest. As I posted in that thread, I am surprised and pleased to have won. And honored. It’s nice to get a hat tip from people whom you respect and admire.

I encourage you to check out the other entries, which are extremely good. When the finalists were announced, the comment-based voting was very, very close. Here are the other entries:

Lastly, my winning entry: Toothpaste test strips.

Ravan, one of the commenters in the announcement thread, pointed out that the FDA has a FAQ on toothpaste, which is rather interesting. Obviously, I based my entry on the fact that there was a recent scare and actually quite a few deaths related to contaminated toothpaste. I think these peripheral fears are exactly the kinds of things that can cause a lot of unnecessary terror on the part of the average person who simply doesn’t have time to keep up with the myriad of things out there that can cause harm. Even though no one in the United States died, the story about the contaminated toothpaste received extensive coverage.

The whole thing had a sort of Tylenol murders feel to it. What is it about human psychology that makes us so afraid of this type of threat when statistics can show other threats are far more dangerous? Bruce Schneier has been investigating this pretty regularly on his blog and I encourage you to read his essay on the topic if you are curious.

Purdue Wins Rube Goldberg Competition

Posted on April 10th, 2008 in Entertainment, Technology

As a former member of the Purdue Society of Professional Engineers Rube Goldberg team, I was extremely pleased to see that they recently won the national competition! If you have never heard of the Rube Goldberg competition before, then you’ll definitely want to check out this summary page that describes the history of the contest at Purdue. You can also read more comments on the Slashdot article.

Solove’s Books Available Online

Posted on March 27th, 2008 in Books, Politics and Law, Technology

I just ran across a post on Concurring Opinions that rocked me back in my seat. The full text of two of Dan Solove’s most popular books is now available online for free. The Digital Person and The Future of Reputation are both fantastic books. I have been meaning to reread them and get a review posted here, but one thing leads to another and this semester has become rather backlogged. However, in lieu of writing a short review that doesn’t do justice to either of these books, I will simply give them a heartfelt recommendation. Perhaps with the end of the semester rapidly approaching, I’ll be able to get a review of them up soon. In the meantime, I hope you’ll take a peek!

Helvetica

Posted on March 21st, 2008 in Entertainment, Movies, Technology

Last weekend I was able to see a documentary called Helvetica. Although most people I’ve recommended it to this past week have been less than enthusiastic in their feelings towards watching a documentary of a typeface, I strongly urge anyone reading this to give it a fair shot. It is a short documentary on something that virtually everyone takes for granted. I guarantee it will give you a new outlook on text.

To back up a couple of steps, I wanted to talk about Times New Roman, which I have always disliked. I think I pretty much hate all serif-based typefaces. (Serif typefaces have ‘feet,’ called serifs, on letters like capital A’s while sans-serif typefaces have none.) Times New Roman was the default font on many word processing programs when I was in high school. As a result, it was the “required” font for many projects and papers that I had to write. In fact, Times or Times New Roman are still frustratingly required for most academic publications. My favorite font to use in high school was Arial. I even reconfigured the default typeface on any word processing program I could get my hands on to Arial. I was never entirely sure why I liked it, but it seemed to get out of my way. It just felt less formal and made me more relaxed when I was writing something.

How does this relate to the documentary? Apparently, many type designers feel that Arial is a rip-off of Helvetica! That’s right folks. There was even speculation that Arial would make an appearance in the film as a villain, but I won’t spoil the surprise for you. Microsoft didn’t want to pay the royalties for Helvetica so they made their own “humanist” typeface. (A humanist font is essentially one that is closer to how a human would write the letter than one that appears machined.) Does that not sound like classic Microsoft to anyone else?

More broadly, anyone who loves design or is otherwise detail-oriented would love this documentary. There was a great quote from Paula Scher in the documentary that holds a subtle truth which applies very broadly.

When you come into design at the point that you start out in history, without knowing that you’re starting out in history, very often you don’t have a sense of what came before you, how it got there, and you certainly don’t know what’s going to come after.

What modern technology company has the best reputation with design? Apple. Why? Most people say this is entirely due to Steve Jobs. How did Steve Jobs become enamored with design? Calligraphy. Calligraphy is as old as writing itself. He began to really appreciate at an early age the historic impact of design and communication. Every aspect of your product speaks to the user. This has been critical to their success.

Anyhow, I hope you’ll consider watching Helvetica. They have a blog on their website which is also rather interesting. You might also like Typographica’s Favorites of 2007.

Ed Felten on Electronic Voting

Posted on February 23rd, 2008 in Computer Security, Politics and Law, Technology

Although Ed Felten has recently gotten tons of press about his research group’s recent analysis of breaking hard drive encryption, I wanted to talk about some research that he’s done previously on electronic voting for several reasons. First, I mentioned voting in my last post. Second, I have blogged about electronic voting here before that. Third, it is an election year and seems pertinent. Fourth, I am still trying to catch up on some blogs that I follow and recently was able to watch Ed Felten’s presentation in the CERIAS Security Seminar series.

If you are unfamiliar with Ed Felten, I would like to provide some background. He’s a computer security researcher with extensive experience in authentication, secure Java programming, and digital rights management. He has recently also become a leader in analyzing security concerns relating to electronic voting. He is a fellow of the ACM and an EFF Pioneer Award winner. He is the author of a popular technology and public policy blog called Freedom to Tinker. He is also an excellent presenter.

His presentation for the CERIAS seminar is extremely good. I think it is probably accessible for those who are not well-versed in computer security terminology. Certainly, most of the talk is non-technical in nature. I strongly urge anyone reading this who has wondered just what the big deal surrounding electronic voting is all about to at least watch the first half of the presentation. It is an excellent introduction into the amazingly insecure fashion by which elections are held in America.

He talks about the history of electronic voting, some of the legislation that may affect electronic voting, the goal of verifying an election and how their research group has approached the problem. I’m not entirely sure that the importance of the problems can really come through in a sterile environment such as an academic presentation, but he certainly does a great job of motivating these problems on his blog. For example, see the pictures on his blog that he takes of unattended voting machines prior to election day. Of course, like any true academic, he provides references to their work so that you know where to look for more information if you are interested.

At the end of the talk he is asked a question about possible cryptographic methods that would allow a voter to obtain a receipt that they could later verify on a government website. I’m not entirely sure I like his answer. He says something like (Yes, I’m paraphrasing.), “There are attempts, but they aren’t ready for primetime.” This is a huge caveat and it almost seems to imply that the crypto isn’t quite there yet. Usually, it’s the humans that aren’t ready for the crypto. In this case there are some pretty interesting cryptographic schemes, and they lack the same thing most other cryptographic schemes lack: an easy-to-understand user interface. I’m sure Dr. Felten knows this and was just providing a concise answer, but if you are interested in more, I would read Dr. Rivest’s paper on Three Ballot Voting as a great place to start.

Warrantless Wiretapping and Retroactive Immunity

Posted on January 31st, 2008 in Computer Security, Politics and Law, Technology

One of the most highly charged pieces of legislation that has been passed by Congress in recent years is the Protect America Act. Probably the only good thing about it is the sunset provision that ensures it will expire in its current form unless Congress acts to renew it or make it permanent. That debate will be soon; the act was extended yesterday for another 15 days.

I haven’t commented about this much because there’s been quite a bit of coverage of it in the mainstream media. If you have somehow managed to avoid that coverage, and landed on this blog (Hi Mom!) the 15-second summary of the Protect America Act is that it allows the NSA to skip the established process of getting a warrant to wiretap communications by using an entirely internal process of reviewing the need for the wiretap. The White House wants this legislation because they believe the current process of obtaining a warrant is too slow for present needs.

Furthermore, there will be debate on a second major initiative of the White House: retroactive immunity for the companies involved in recently allowing illegal wiretaps. The 15-second summary of this situation is that an AT&T employee blew the whistle on a secret room that was set up to see all the data sent over the Internet for AT&T and several other companies. There is a class-action lawsuit against the companies and the Bush administration would like to get them off the hook by making their actions legal after the fact.

If you would like a quick overview of the situation as of November to catch yourself up on what might be on the news in the next two weeks, check out this YouTube video:

There are many places to go for more information on these issues. The Center for Democracy and Technology has an excellent guide on the amendments. EPIC spotlights surveillance issues here. The EFF has more information on warrantless surveillance here.

However, the best resource and the primary reason I chose to make a blog post about this topic is the paper entitled “Risking Communications Security: Potential Hazards of the Protect America Act” by Steven Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter Neumann, and Jennifer Rexford that will appear in the Jan/Feb issue of IEEE Security and Privacy Magazine. If you only read one article linked from this post, the Risking Communications paper is the one to pick. Matt Blaze has a post about their article, as does Steven Bellovin.