Category: Security

Security is immunity from the will of others.

On types of watching

Riding the Toronto subway is a reminder of the different kinds of watching that exist in the world. For instance, there is overt watching of the kind done by security cameras, guards, and other staff members. There is also both overt and covert watching going on between passengers: some trying to use a pointed stare to press someone to discontinue an unwanted activity, some trying to use an overt appearance of awareness to drive sketchy characters toward less responsive prey, some trying to examine their fellow passengers without making that fact obvious.

Overt watching is a tactic. When someone chooses to watch overtly, it is usually because they are in a position of authority and seeking to control the behaviour of the people they observe. By contrast, covert watching is a capability. Whether you are able to do it or not depends on the people and resources you have at your disposal – as well as whether your target has any interest and capability in conducting counter-surveillance. Misdirection can be used as an aid to both covert and overt watching. For instance, shops employ fake security cameras to scare off potential thieves. Meanwhile, people with headphones in but no music playing can be ideally placed to overhead conversations unobtrusively.

To a considerable extent, organizations like the police and the TTC are defined by the capabilities they maintain; their intentions can sometimes be discerned through the tactics they use.

Web servers are vulnerable machines

Imagine you have rigged up an unusual machine, like a home-made steam engine or a centrifuge. Even if it seemed to be working smoothly, it’s not the sort of thing you would want to leave unattended. It’s quite likely that doing so would break the machine, and quite probably cause damage to nearby property or people.

It’s important to remember that a web server is a pretty sophisticated machine. An entry served up by a WordPress blog is quite a different thing from a printed newspaper article or even a static HTML page. When you view a WordPress page, there is a dynamic interplay between your web browser and the web server. You request particular content and WordPress uses PHP scripts to pull together the necessary data from MySQL databases. The same is true for other dynamic content management systems (CMS), like Joomla or MediaWiki. Underneath all this, there is Apache HTTP Server and whatever operating system the server is running.

All this PHP and MySQL work creates openings for attackers. These can never be completely eliminated, though maintaining an updated version of your CMS and being careful about things like passwords and file permissions is important.

What may be most important, I think, is changing the perception of what kind of machine a web server is. You cannot assume that it will continue to obediently do what you want if you leave it alone. It is quite possible that some malicious human or robot will find a crack, take control of it in whole or in part, and then use it for nefarious tasks like sending spam or joining a botnet. If you aren’t paying any attention to things like your server logs, you might never even know that your site has been compromised.

In short:

  1. If you run a webserver, be aware that it is a constant target for attack.
  2. It is wise to take precautions, like promptly updating software and choosing strong passwords.
  3. Keep an eye open for unauthorized activity.
  4. Have backups in place for recovery after an attack.

Practice safer blogging!

Gorbachev on the end of the Cold War

Following up on his exceptional books The Making of the Atomic Bomb and Dark Sun, historian Richard RhodesThe Twilight of the Bombs provides fascinating details on all matters nuclear-weapon-related during the fall of the Soviet Union and years afterward. For instance, there are many details on the clandestine Iraqi nuclear weapons program in operation after the first Gulf War, along with frightening details on the August coup against Mikhail Gorbachev and the protection of American tactical nuclear weapons in Europe during the later years of the Cold War.

One interesting passage Rhodes quotes comes from Gorbachev’s speech from Christmas Day, 1991 formally dissolving the Soviet Union:

“We had plenty of everything: land, oil, gas and other natural resources, and God had also endowed us with intellect and talent – yet we lived much worse than people in other industrialized countries and the gap was constantly widening. The reason was apparent even then – our society was stifled in the grip of a bureaucratic command system. Doomed to serve ideology and bear the heavy burden of the arms race, it was strained to the utmost… The country was losing hope. We could not go on living like this. We had to change everything radically.”

Rhodes, Richard. The Twilight of the Bombs: Recent Challenges, New Dangers, and the Prospects for a World Without Nuclear Weapons. p.116 (hardcover)

In another fascinating passage, Rhodes discusses the control systems in place for the Soviet nuclear arsenal during the August coup. With the particular combination of conspirators involved, it was not possible for them to make unauthorized use of the Soviet strategic nuclear arsenal. A different group of conspirators with different tactics and objectives, however, might have been able to circumvent the Soviet nuclear controls and use weapons without Gorbachev’s approval:

“‘There is an important lesson here,’ [Bruce] Blair concluded. ‘No system of safeguards can reliably guard against misbehaviour at the very apex of government, in any government. There is no adequate answer to the question, “Who guards the guards?”‘”

Ibid. p.95

Dealing with some MediaWiki malware

I am not sure how it happened, but somebody (or some robot) managed to insert some malicious code into my wiki. Random people were receiving emails with links to URLs within the wiki and when they followed the links, they were redirected to malicious pages.

The URLs within the wiki resembled these:

  • sindark.com/wiki/images/thumb/c/c4/Labelled_overview.png/kmdlss.html?dhe=fh.dhplh&zazssr=fe.dh&ahf=jgtf
  • sindark.com/wiki/images/thumb/c/c4/Labelled_overview.png/kmdlss.html?er=edo.dhega&rdpy=fm.eza&zso=fbcb
  • sindark.com/wiki/images/thumb/c/c4/Labelled_overview.png/kmdlss.html?vbh=egr.mdjgp&fvsa=fm.dhr&rdvh=ufrv

I removed the whole Labelled_overview.png folder, which it shouldn’t have been possible for a wiki user to upload, given that I had my wiki set up to only allow logged-in users to make edits. In addition to removing the folder, I have also updated MediaWiki to the newest version. I have also set up DreamHost’s system for automatically updating MediaWiki when new versions are released, though that risks breaking extensions that are not compatible with the new software and possibly causing other problems.

I still don’t know how the malware got introduced (perhaps through a vulnerability in an old version of MediaWiki or one of my extensions), so I am keeping the whole wiki inaccessible for now.

My apologies to anyone who followed one of the malicious links.

The whole incident shows one of the annoying things about the internet. Whenever you set up a content management system like WordPress or MediaWiki, you have to be aware that there will be efforts to compromise it. As such, you need to keep it well-updated and keep an eye out for malicious activity. You can’t just set it up and forget about it.

Fallback careers: locksmithing

Starting a PhD program in the fall, I am fully aware that the associated job prospects are poor. It’s a long investment of time, and the skills to be acquired are of interest to only a very few employers who already have a great many applicants and who are mostly losing funding.

Investing in a practical skill seems like a decent risk mitigation strategy. I can keep doing some commercial photography on the side, but that’s another field crowded with amateurs chasing too little work for poor monetary returns.

Perhaps it would be worthwhile to become certified as a locksmith. It would be interesting, and I suspect it’s a growth business. I think the future will be full of fear, with people keen to protect what they have from others who will try to take it. The world’s governments also have an unsavoury enthusiasm for completely eliminating individual privacy.

That creates double opportunities for locksmiths, since they have skills demanded by both those trying to keep attackers out and by those determined to break in.

Free speech online

The internet is one of the places where people in free societies get to exercise their right to free speech. It’s also a place where a lot of private communication takes place, and where the protection of the right to privacy is a constant struggle.

For those reasons, I suggest people consider joining groups that work to protect our rights as citizens online, like the Electronic Frontier Foundation.

Also, remember that the only way to preserve rights is to use them. Make use of your right to engage in political speech online (maybe a little anonymity too).

Third rule of the internet

Following up on rules one and two, it seems appropriate to add a third: “You should probably worry more about being attacked online by your own government than by any other organization”.

This is really an extension of the point about how governments are more dangerous than terrorists and how institutions of armed power need oversight.

Based on the open source intelligence available, we have to assume that governments all over the world are constantly monitoring the activity of their citizens online, for reasons both reasonably benign and exceedingly nefarious. It is worth remembering that even if the official purpose of a surveillance program is acceptable, it can be abused by anyone who gains access to it for purposes that may be very dubious. Hackers and rogue government agents are well positioned to use internet surveillance to rob or blackmail people, for instance. It is also worth remembering that data is not only being monitored in real time; it is also being archived for unknown future purposes.

Tools for privacy

Thankfully, we do have some tools to make this ubiquitous surveillance more difficult to carry out. You probably cannot encrypt your hard drive well enough to protect the contents if government agents grab it, but you can encrypt your online communications sufficiently well to make it at least challenging to decrypt them. The more people streaming gigabytes of data via encrypted HTTPS connections, the less feasible it is to archive and crack internet traffic taken all in all.

You can also use tools like Tor. People should be willing to assert their right to anonymous communication.

Idea for an access control device

There are many circumstances in which both authorized and unauthorized people wish to gain access to the same physical space. It might be a secure storage area in a shop where valuable things are kept, a secure part of a military facility storing cryptographic materials, a person’s bedroom, a bank vault, or even a child’s secret hiding place.

In all of these cases, it would be valuable for authorized users to know if someone else has been entering the controlled space.

In spaces that do not contain moving objects aside from people, it seems to me that there is a pretty simple way to provide a bit more security. All you need is a device that watches for motion and which publicly displays recent spans of time when it has been detected. It is essential that this time display be able to resist tampering by unauthorized individuals. The number of spans that should be shown depends on the level of security desired and the frequency with which the space is used.

Such a device could be useful for militaries worried about spies, businesses worried about thieving employees, and ordinary people worried about over-curious friends and relations.

Design of the device

The key components of the device are a motion sensor, a tamper-resistant display, and tamper-resistant software and hardware to run the physical devices:

Particularly for spaces that have fairly normal patterns of use, abnormal activity would be immediately obvious from the display board. For instance, the secure file storage facility of a company might ordinarily be used during business hours. The appearance of recorded activity during the middle of the night or during a weekend would attract suspicion.

This device would make a natural compliment to a motion-activated video surveillance system. Where such systems exist, people normally only watch the tapes when they have a reason to be suspicious. The tamper-resistant time display would give authorized users a reason to be wary, if unexplained access times popped up. They could then refer to the video footage for investigation. The two systems could be integrated closely. For instance, beside each of the access times displayed could be a button that causes a fast-motion version of a recorded video to be played. It would then be possible to determine at a glance what sort of activity was happening at a particular place and time. This would be especially useful for identifying false positives. After all, that mysterious movement during the middle of the night might just be the moving glare of headlights from passing cars, fluttering curtains, or something similarly benign.

Obviously, a motion-activated video system alone would be sufficient to let people identify instances of unauthorized access and sort out what happened during them. What the time display system provides is at-a-glance simplicity and ease of use. It reduces the amount of time spent worrying about false positives, and it makes it immediately clear to everyone that access to a particular space is logged. That knowledge alone could be sufficient to deter snooping and other nefarious activities.

I think it would be pretty easy to build something like this. All you need is an off-the-shelf motion sensor that you can connect to a microcontroller, a microcontroller like an Arduino, a display system (possibly a set of seven-segment displays) driven by the same board, and a source of power. A very simple system might be able to run from a solar cell and backup battery. Optional extras include physical barriers to tampering like a locked metal and plexiglass casing, tamper-evident components like seals, and systems for external logging of access times (they could be automatically emailed to a particular address, saved in a database, posted to a website, etc). As a further means of resisting tampering, the device could make use of public key cryptography to include a digital signature and time stamp for each entry in the access log.

Concept for a secret communication system

What you need

In order to use this system you will need two computers (which could include phones or other devices) with the same chess-playing software installed on them. The software must always suggest at least two moves for any given board position, and it must always produce the same suggestions based on a particular board arrangement.

For instance, in a game that opens with white moving the king’s pawn two spaces forward (e4 in algebraic notation), the software must always recommend the same set of countermoves. It might recommend the Sicilian Defence (c5) as the highest ranking move, followed by an open game as the top alternative (e5). By choosing c5, the correspondent would indicate a ‘0’ and by choosing e5 they would indicate a ‘1’. It is essential that both players have software that suggests the same moves based on a given board position. It is this determined character that allows the communication system to work.

Sending a message

In order to send a message, it must first be converted into binary code. A simple way of doing this is to start with ASCII text and use an ASCII to binary converter. For example, we might wish to send the message “Your telephone has been tapped”. Converted into binary, this encodes as:

“010110010110111101110101011100100010000001110100011001010110110001100101011100000110100001101111011011100110010100100000011010000110000101110011001000000110001001100101011001010110111000100000011101000110000101110000011100000110010101100100”.

In order to send the message, it is simply necessary to look at the two top moves suggested by the chess-playing software. In the event that you want to transmit a ‘0’ then you should select the topmost move. In the event that you wish to transmit a ‘1’ use the second topmost move. Because the person who you are talking to will also be running the software, it will be immediately obvious to them which digit you intend to transmit. Because both of the top moves are likely to be reasonable chess moves, the game will look fairly ordinary to anyone intercepting the communication.

One option is to have each correspondent make moves in alternating fashion. In that way, each can send a message to the other simultaneously. Alternatively, one person can send a message while the other simply provides countermoves to maintain the impression of a game being played. Alternatively, a single player can transmit moves for both white and black. They could use each to encode a different message, or they could use both together for a single stream.

In order to send a long message, it would take quite a few chess games. There would also need to be a system in place for when there is only one legal move possible, or none at all. I suggest that whenever a situation arises where fewer than two legal moves exist, the ongoing game be abandoned by the resignation of one player and a new one be started.

Automation

The whole thing could be set up to run automatically – for instance, on cellular phones. You could put the text to be transmitted into an app and it could automatically query a database of chess moves. It could then transmit the appropriate move to a chess server which the other correspondent would be connected to. The rate of transmission could be automatically limited in order to maintain the illusion of a game of chess being played, or it could be allowed to run at a high speed in order to send messages quickly. In either case, the data being transmitted would consist of valid chess moves and the game being played would look fairly normal.

Super-encipherment

Naturally, it would also be possible to use an encryption algorithm to turn a plaintext message into a binary string. This could either be a symmetric key cipher with a key that the correspondents have agreed to beforehand, a public key system based on public and secret keys, or an online key exchange system like Diffie–Hellman. This would provide some protection against an attacker who realizes the chess games are being used to transmit a message.

Alternative mechanism

As an alternative to chess-playing software, each player could also look at one of the chess game analyzing websites that ranks moves by popularity. The most popular move could code for a ‘0’ while the second most popular move could code for a ‘1’. Over time, the popularity of moves in the database may change. This shouldn’t be a problem for communication happening in real time, and could be useful insofar as it would make it difficult for anyone trying to decipher the message later to do so.

Obviously, this system could be used for games other than chess. All that is necessary is that both players have access to the same ranking of moves, so that each move can be translated reliably into the appropriate binary digit and from there into plain text. In games where a fairly large number of moves are always possible, the system could be extended beyond binary and longer messages could be concealed in fewer games. For instance, if there were always ten possible ranked moves, each option could be used to convey a decimal digit between ‘0’ and ‘9’.

Dealing with plagiarism as a teaching assistant

One aspect of starting a PhD program is that I will be responsible for working as a teaching assistant: teaching seminars, grading papers, and so on.

I am worried about the inevitable day when I discover that a student has committed plagiarism and when I am in the position of having to decide what to do about it.

So far, the best plan seems to be to issue a stern warning during my first session with each group of students. It could be something along the lines of:

Do not submit plagiarized work to me.

If you do, you will be reported to the appropriate disciplinary authorities without exception.

You are here to earn meaningful degrees. Plagiarism devalues all of the work you are doing, and I will not tolerate it.

It’s unfair to give some people second chances or the benefit of the doubt while denying it to others. Being consistent seems important, and it also seems plausible that a sufficiently strong warning could prevent the problem from ever coming up in the first place.