Category: Security

Security is immunity from the will of others.

‘Failure due to dishonesty’ at SFU

Last year, Simon Fraser University in Vancouver introduced a new grade for university courses: ‘FD’ or ‘failure due to dishonesty.’ Department chairs are empowered to give the grade on the basis of “behavior [that] warrants a severe penalty”. Usually, it is applied to repeat offenders. The grade continues to appear on a student’s transcript until two years after graduation.

To me, this seems like a sensible thing to do. Particularly when it comes to take-home essays, cheating in university is easy. When students do it, they harm the quality of education that everybody gets, while also gaining unfair advantages when it comes to things like scholarships. Having a mechanism for conveying the fact that someone has behaved in a seriously improper way (rather than failing a course for some more acceptable reason) would be beneficial both in terms of deterring bad conduct and by giving an obvious sign to anyone making decisions on the basis of a transcript, whether the issue at hand is a scholarship, grad school admission, or a job.

Password reuse

The latest XKCD comic identifies one of the major security failings of the internet today: the tendency of users to use the same password on more than one important site. It’s fine to use the same password for a bunch of news sites that do not store important personal information. What’s foolish is using the same password for a potentially vulnerable site and for something important, like a bank’s website or the password on an encrypted hard drive partition. Doing so risks allowing someone to compromise your information, one step at a time.

Another related risk is password recovery systems. Countless websites allow users to either have their password emailed to them or reset their password via email. That means that anybody who gains access to an email account linked to such features can then gain access to any sites that rely on that sort of password replacement system.

The wisest thing seems to be using strong unique passwords for email and other important sites, then having a couple of lower tier passwords to use for general sites that do not pose security risks. Random.org has a password generator, though the trick of building up a password from a memorable piece of music or poetry is probably less troublesome and still quite secure. An alternative approach is to have unique passwords for everything and rely on a password management program (or a piece of paper kept guarded in your wallet) to keep track of them.

Online security would also be better if all sites allowed the use of passphrases, rather than just passwords (and sometimes ones with an absurdly short maximum length). Two-factor authentication can also help.

Quantum cryptography

In theory, quantum cryptography (mentioned before is as good as a one time pad, without the need for a secure channel through which to exchange keys. Potentially, it could also employ quantum phenomena to verify that nobody is eavesdropping.

In practice – as with all cryptographic systems – there are weaknesses to be exploited. One known attack exploits a weakness in some sorts of photon detector. Another works by manipulating synchronization signals.

Quantum cryptography may well have some useful applications, but people who expect it to be foolproof and completely secure probably aren’t thinking too well.

Non-nuclear EMP

Several fictional portrayals have drawn attention to the possibility of an electromagnetic pulse (EMP) being used as a weapon, capable of disabling or destroying electronic equipment over a wide area. Such pulses can be created by detonating nuclear weapons at high altitude, though doing so in a war would provoke international outrage. To get around that, the United States and possibly others have developed non-nuclear EMP generators:

One such weapon uses a small charge of explosive to ram an armature down the axis of a current-carrying coil, squeezing its magnetic field so violently in the process that it emits a powerful burst of electromagnetic energy over distances of several hundred metres. Another type employs a Marx generator (a machine used for simulating lightning strikes) to dump a large electrical charge stored in a bank of capacitors into a specially shaped antenna.

American defence forces have converted a number of cruise missiles to function as non-nuclear EMP generators. Apparently, cars parked up to 300 metres away have had their alternators, ignition coils and engine controls disabled this way. Such e-weapons are said to have been used in Kosovo, the Persian Gulf and Afghanistan.

Intriguingly, a pair of such devices has recently broken cover. The Counter-Electronics High-Power Microwave Advanced Missile Project (CHAMP) is an unmanned aircraft fitted with a microwave pulse generator—presumably for disrupting enemy communications. The Pentagon has also announced that it is deploying an electromagnetic weapon, believed to be called Max Power, for detonating roadside bombs and disabling enemy vehicles. Both CHAMP and Max Power mimic the electromagnetic pulse of a nuclear explosion—albeit over a narrowly focused area and without the geomagnetic effect.

Such weapons could be useful for reducing civilian casualties in war, particularly in situations where military targets are located in civilian areas. For example, if a state put an air defence RADAR station in a residential area, an EMP weapon could disable it at lesser risk to the civilian population, compared with conventional munitions.

Apparently, electromagnetic pulses can also be used to punch holes through steel for industrial purposes.

Deployability of nuclear weapons

Being able to build a device that can produce a nuclear explosion is a significant challenge in itself. Also challenging is building such a device in a self-contained way which does not require difficult last-minute assembly, and which can be stored in a usable state for years. The first American bombs certainly did not meet this standard.

Captain William Parsons, a U.S. Navy weapons expert with the 509th Composite Group (the B-29 squadron that dropped the atomic bombs on Japan during WWII) described the complex and hazardous operation, in a letter intended to convince his superiors that dummy devices were required for practice runs:

It is believed fair to compare the assembly of the gun gadget [the uranium bomb] to the normal field assembly of a torpedo, as far as mechanical tests are involved… The case of the implosion gadget [the plutonium bomb] is very different, and is believed comparable in complexity to rebuilding an airplane in the field. Even this does not fully express the difficulty, since much of the assembly involves bare blocks of high explosives and, in all probability, will end with the securing in position of at least thirty-two boosters and detonators, and then connecting these to firing circuits, including special coaxial cables and high voltage condenser circuit… I believe that anyone familiar with advance base operations… would agree that this is the most complex and involved operation which has ever been attempted outside of a confined laboratory and ammunition depot.

Rhodes, Richard. The Making of the Atomic Bomb. p.590 (paperback)

Probably the reason why the bomb had to be so substantially assembled right before use had to do with the initiator – a sub-component at the very centre of the bomb, designed to produce a handful of neutrons at the critical moment to initiate fission. At the same time, it was critical that the initator not produce even a single neutron before the bomb was to be used.

In early American bombs, initiators were apparently comprised of the alpha particle emitter Polonium 210 (half life 138.4 days) sandwiched between metal foils to keep it from reacting prematurely with the beryllium metal nearby. When the high explosive shell wrapped around the natural uranium tamper and plutonium core of the implosion bomb detonated, the components of the initiator would mix and react, producing neutrons at the same time as the explosives were producing compression.

Details on initiators are still classified, so we can only speculate on how the implosion primaries in modern bombs function.

The whole issue of deployability is relevant to questions of nuclear proliferation insofar as it is more difficult to make a stable, battlefield-usable bomb than to make a device capable of generating a nuclear explosion. That being said, many of the technical details of bomb manufacture have been made available to states contemplating the development of nuclear weapons. That has partly been the product of clandestine activities like the operation of the A.Q. Khan proliferation network. It has also been the consequence of states being insufficiently cautious when it comes to safeguarding knowledge, materials, and equipment.

“Don’t be evil”

The above, famously, is Google’s motto. When I first saw it, it seemed like an embodiment of the ways in which Google differs from other large corporations. They are involved in charitable works, in areas including infectious disease and renewable energy. Furthermore, they give away most of their products, getting the financing from those famous automatic ads.

On further reflection, however, “Don’t be evil” isn’t some lofty, laudible goal we should applaud Google for having. Rather, it is the absolute minimum required of them, given just how much of our personal information they have acquired. Think about GMail: many of us have tens of thousands of messages, many of them highly personal, entrusted unencrypted to Google’s servers. If they were evil – or even a few of their employees were – they could embarass or blackmail an enormous number of people. What Google has is, in many cases, far more intimate than what sites like Facebook do. Facebook may have some private messages to your friends, but Google is likely to have financial information, medical test results, photos you would never put on Facebook, etc.

Now, Google has incorporated a very useful phone calling system into GMail. Install a plugin, and you can make free calls to anywhere in Canada and the United States. In my limited experience, it seems to work better than SkypeOut, while being free to boot. Of course, it is another example where we really need to trust Google to behave ethically. For Google Voice, they already developed algorithms to convert spoken words into transcribed text. Users of their phone service need to trust that their conversations are not being archived or – if they are – that the transcripts will not be used in any nefarious ways.

In short, Google must avoid being evil not out of benevolence, but because their whole business model requires people to view them that way. So far, their products have been remarkably empowering for a huge number of people (any other sort of email seems deeply inferior, after using GMail). If they are going to maintian the trust of users, however, they are going to need to avoid privacy disasters, or at least keep them on a pretty minor scale, like when Google Buzz abruptly let all your friends know who else you are in contact with.

Canada and Joint Strike Fighters

Responding to criticism about Canada’s decision to purchase 65 Lockheed-Martin Joint Strike Fighters (F-35), through a sole source contract for a total cost of about $16 billion, the government has twice highlighted interceptions of Russian bombers as justifications for the purchase.

Does this analysis make any sense?

Partly, it comes down to what the Russians are trying to do. If they just wanted to obliterate Canada, they would do so using ground- and submarine-based ballistic missiles, and perhaps cruise missiles. There would be no reason to send vulnerable bombers into Canadian airspace. On the other hand, just as NATO regularly tests Russian air defence systems, the Russians could be flying into Canadian territory to provoke us into pointing RADAR in their direction, so they can try to suss out what capabilities we have. Finally, the flights could be an attempt to assert sovereignty or de facto control over the Arctic.

In the foreseeable future, the only plausible path to a war with Russia would be an invasion of a central European country prompting an armed response from NATO. In such a circumstance, Canadian Joint Strike Fighters could conceivably be useful. They could also potentially be useful in conflicts like Afghanistan, where air superiority and close air support are clear advantages for Canada and its allies. Also, purchasing Joint Strike Fighters could help keep Canada in the good graces of the United States, especially given how politically savvy the big defence companies are, and how strategic they are about spreading big weapon contract jobs across the country.

Does that justify a price tag of around $500 per Canadian? Does it justify whatever ‘collateral damage’ will result from the purchase of the jets?

How much can one person steal?

Perhaps one of the reasons why intellectual property law is in such a strange state now is because of how much the sheer value a single person can steal has increased.

The most a human being has ever lifted (briefly) during Olympic weightlifting was 263.5 kg, lifted by Hossein Rezazadeh at the 2004 Summer Olympics. Right now, the price of gold is about US$1,300 an ounce for Canadian Gold Maple Leaf coins. That means the world weight lifting record (or just under 8500 Troy ounces) comprised about C$12 million worth of gold.

Compare that with the losses potentially associated with a book or DVD getting pirated early, or a pharmaceutical manufacturing process getting released to a generic drug manufacturer, and it seems clear that the value in goods that a person can now steal is substantially higher. I remember one memorable illustration of this in fiction, from Jurassic Park. In it, corporate spy Dennis Nedry tries to steal 15 dinosaur embryos, developed as the result of painstaking genetic reconstruction undertaken by his employers. He is offered something like $1.5 million for these (I don’t remember exactly how much), but they were surely worth more to both his employer and to whoever was trying to acquire them.

Lots of other pieces of fiction focus on the fate of valuable intangible commodities. For instance, in William Gibson’s Neuromancer, the principal thing being stolen (at considerable difficulty and loss of life) was three musical notes, which in turn served as a control on a computer system.

When people are stealing gold, or diamonds, or cattle, or DVD players there is a fairly set limit to how much they can actually make off with. Furthermore, after such thieves are caught, there is a good chance that much or all of their loot can be restored to its rightful owners. Compare that to some savvy teenager who comes across a valuable bit of information and publishes it online: the value is potentially enormous, and the scope for ‘setting things right’ pretty much non-existent. Of course, locking up grandmothers whose computers have been used to download a Lady Gaga song or two isn’t a sensible thing to do, regardless.

Torpedoes, Pearl Harbor, and the atomic bomb

One of the most interesting things about Richard Rhodes’ detailed history of the making of the atomic bomb is the way it gives the reader a better sense of context. This is especially true when it comes to things happening in very different places and spheres of life. It would take an unusual facility with dates, for instance, to realize how the timeline of research into the abstract physical questions about the nature of atoms lined up with political, economic, and military developments.

One grim but interesting example comes from the end of Chapter 12. In November 1941, Franklin Delano Roosevelt had just committed the United States to the serious pursuit of an atomic bomb based upon enriched uranium (U235) and three methods for producing the substance were to be attempted: gaseous diffusion, electromagnetic separation, and centrifuges (the approach Iran is using now). On December 7th of that year, the Japanese Navy attacked the American base at Pearl Harbor.

Rhodes describes how Japanese research into atomic weapons began with the personal research of the director of the Aviation Technology Research Institute of the Imperial Japanese Army – Takeo Yasuda – in 1938, and expanded into a full report on the possible consequences of nuclear fission in April 1940. Rhodes also describes a somewhat grim coincidence involving Japan, the United States, and atomic weapons. He describes how ordinary torpedoes would not have worked for the Pearl Harbor attack, because the water was insufficiently deep. As such, the torpedoes used had to be modified with a stabilizer fin and produced in sufficient quantity for the pre-emptive strike to be successful:

Only thirty of the modified weapons could be promised by October 15, another fifty by the end of the month and the last hundred on November 30, after the task force was scheduled to sail.

The manufacturer did better. Realizing the weapons were vital to a secret program of unprecedented importance, manager Yukiro Fukuda bent company rules, drove his lathe and assembly crews overtime and delivered the last of the 180 specially modified torpedoes by November 17. Mitsubishi Munitions contributed decisively to the success of the first massive surprise blow of the Pacific War by the patriotic effort of its torpedo factory in Kyushu, the southernmost Japanese island, three miles up the Urakami River from the bay in the old port city of Nagasaki. (p.393 paperback)

That attack – launched partly in response to the American embargo of aviation fuel, steel, and iron going into Japan – sank, capsized, or damaged eight battleships, three light cruisers, three destroyers, and four other ships. The two waves also destroyed or damaged 292 aircraft, and killed 2,403 Americans, while wounding another 1,178. More than 1,000 people were killed just in the sinking of the U.S.S Arizona.