Security – Page 33 – a sibilant intake of breath

CAPTCHAs

Like many web users, I am of two minds about Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHAs). On the one hand, I see their importance in fighting several types of spam. In particular, they are an important defence against the spam blogs that have become so prevalent recently. These sites are set up based on a high-value keyword. They then trawl through real blogs, copy content, and put it up. To Google, this looks like a real blog specializing in that keyword. People find it through Google searches, and sometimes end up clicking the ads that are invariably strewn across these robot-created sites.

When it comes to creating new blogs and email accounts, I find CAPTCHAs entirely reasonable.

Where I object is with more mundane uses, such as vetting comments on blogs. Using a CAPTCHA can seriously annoy readers: especially those who have poor vision, or who are using browser add-ons like NoScript for extra security. To me, when a blog owner chooses CAPTCHAs as a security feature, they are saying that they are happy to waste the time of all of their commenters, rather than invest a bit of their own setting up a spam filtering system and occasionally checking for false positives and false negatives. If your blog gets 5,000 comments a day, you have a good excuse. If it gets less than 20, it really seems like a combination of Akismet and some .htaccess rules should be just fine.

reCAPTCHA (which Google recently purchased) has at least two redeeming features. For one, it does useful work. Unlike most CAPTCHAs, which simply garble text for users to decipher, reCAPTCHA uses text from real documents being scanned. It gives users two words to decipher: one known word to perform the CAPTCHA function, and one unknown word for use in digitizing the book. This leads directly to the second good feature: since these books have already been scanned by the best optical character recognition (OCR) software available, they are fundamentally protected against automated CAPTCHA attacks. Of course, you can always pay real people a small fee for solving the puzzles. reCAPTCHA is thus a relatively robust system, against automated attack, with the additional benefit of adding to the sum of useful digitized information.

Hopefully, future CAPTCHA systems will be less annoying for users and more difficult for computers to game. Experimental forms have included tasks like picking out only kittens from photos showing a number of types of animals. This is apparently a task that is easy for humans, but quite beyond the capability of automatic image recognition software.

Personally, I prefer to think of them as Computer Automated Person Checking Algorithms. It lacks the Turing shout-out, but is more concise and comprehensible.

Russia and the Iranian bomb

Apparently, one of the key limiting factors in the Iranian nuclear program is access to uranium. Domestic supplies are limited and of low quality. As such, Iran is heavily dependent on Russia to provide feedstock for its centrifuge-based enrichment program, as well as its Bushehr reactor. For instance, Russia provided 82 tons of low-enriched uranium in February, to allow the initial loading of the reactor.

For those who hope to do so, stopping an Iranian bomb therefore has much to do with convincing Russia to reduce support. Apparently, one thing the Russians want is for Israel to loosen the strong defence relationships it has built with Ukraine and Georgia. Given that Israel has the most to fear from an Iranian bomb – and that they are one of two states that could plausibly use military force to try to disrupt the Iranian atomic effort – this dynamic is a significant one.

As Stephanie Cooke’s book discussed, the proliferation of nuclear weapons has always been associated with the wrangling of great powers. It remains to be seen what outcome will result in this case.

(Note: It would be appreciated if commenters could refrain from any political tirades, if they feel inclined to discuss this. I am sometimes hesitant to post anything related to the Middle East, out of discomfort about the shrill responses any mention of the region can provoke.)

The ICRC and neutrality

I am still in the process of reading Michael Ignatieff’s The Warrior’s Honour, written when he still had the kind of freedom of speech that puts academics at an advantage relative to politicians. One situation described therein does a good job of encapsulating the complexities involved in trying to mitigate the savagery of contemporary war.

It concerns the choices made the the International Committee of the Red Cross (ICRC) during and after the wars that accompanied the breakup of Yugoslavia. The ICRC is a unique institution, legally mandated to implement the Geneva Conventions. A key element of that arrangement is neutrality; the ICRC does not distinguish between good wars and bad wars, nor between aggressors and victims. By not doing so, it maintains the kind of access that other organizations are denied.

In the wake of the Yugoslav wars, the ICRC had the best records on who was massacred, where, when, and by who. Such records would have aided the work of the International Criminal Tribunal for the former Yugoslavia (ICTY), in seeking to prosecute those responsible. The ICRC refused to provide the records, arguing that if the combatants had thought that ICRC records might eventually be used in war crimes trials, they would not have permitted the ICRC to provide the kind of aid it was able to.

The neutrality of the ICRC was subsequently rewarded, when they ended up being the only aid organization not expelled from Bosnia during the Croat-Muslim offensive against Serbs. Ironically, this included the single greatest instance of ethnic cleansing: a term generally associated with actions Serbian forces had undertaken previously, including by using released and trained prisoners as unofficial proxies for acts that violated the Geneva Conventions.

As this example illustrates, contemporary conflicts are often deeply morally ambiguous, on everything from the role of child soldiers to whether it is truly possible for aid organizations to be impartial. To me, there seems to be considerable importance to maintaining an organization like the ICRC, simply because it can get the kind of access that others cannot. When it comes to more judgmental organizations, there are plenty to choose from, including Médecins Sans Frontières, which also has a headquarters in Geneva.

Open thread: the future of Afghanistan

It now seems entirely clear that Afghanistan will not become a liberal democratic state as a consequence of the US/NATO intervention. Where once politicians spoke of a conversion akin to those of Germany and Japan after World War II, the highest ambitions now seem to be for a state that is internally coherent, able to defend its borders, and unwilling to play host to Al Qaeda sorts. Gross disrespect for women’s rights, a theological bent to government, and the continued existence of warlords all seem to have become acceptable in the eyes of the interveners, or at least inevitable.

Given that, what should the objectives of those states currently fielding troops there be? Are there any special considerations for Canada? At this point, what would ‘success’ and ‘failure’ look like, and how good and bad would they be for Afghans, Canadians, and the world at large?

Cloud computing and consumers

Writing in The Guardian, Cory Doctorow provides a good explanation of why cloud computing might not be so great for individual users. Basically, companies are hoping to use it to wring more money from people, for services that were previously free. As he explains:

[T]he main attraction of the cloud to investors and entrepreneurs is the idea of making money from you, on a recurring, perpetual basis, for something you currently get for a flat rate or for free without having to give up the money or privacy that cloud companies hope to leverage into fortunes.

That’s not to say there aren’t potential advantages. It may well be worth a montly fee for well implemented and highly secure backup, especially for those who aren’t too computer savvy or don’t have access to Apple’s excellent Time Machine product. (Doctorow talks about using Amazon’s S3 service and the Jungle Disk tool.)

Really, backup seems like the cloud computing application with the most value for users, since encrypted backups elsewhere will probably be safe if you are robbed or have your house burn down. Another application with more limited utility might be buying access to huge amounts of computing power, which could be useful for some researchers.

Incidentally, Time Machine isn’t quite good enough for protecting irreplaceable physical data, since your external hard drive could be destroyed in an accident at the same time as your computer, or stolen. While I use Time Machine for daily backups, I also back up critical files (such as my photos) to a hard drive I keep at work and update every few months. A fairly easy way to do this is to keep all your irreplaceable documents in one place – such as username/documents/original/ – and then copying it over to the third drive every few months. rsync is an ideal way to do this, but it isn’t very user friendly.

Open thread: torture prosecutions

As many articles have described, the appropriate response to allegations of torture by Americans is controversial. Some argue that prosecutions are the only moral course, that they will restore US standing and draw a sharp line under the past. Others argue that, while justified, prosecutions would be a major distraction for the Obama administration, and will undermine progress on other fronts. Of course, domestic political necessities cannot provide excuses for ignoring war crimes.

That said, there is certainly a practical case to be made on both sides. While the general public hasn’t realized it yet, today’s leaders will be judged retrospectively on whether they set us on a path to avoid dangerous climate change. Prosecutions could kick off a new phase of partisan warfare that makes such progress impossible, given the need for support in the senate.

What do readers think? Are prosecutions warranted? Are they absolutely necessary? What costs would be associated with carrying them out, and with ignoring them?

An apology for Alan Turing

In addition to being one of the most notable mathematicians and computer scientists in British history, Alan Turing played a key role in cracking German codes during the Second World War. Despite the importance of his contribution, and the role intelligence from the Government Communications Headquarters (GCHQ) played in helping the allies in the Battle of the Atlantic, Turing was subsequently persecuted by the British authorities for being homosexual.

Turing was stripped of security clearance, criminally prosecuted for consensual sex with another man, chemically castrated with estrogen injections, and eventually driven to depression and suicide.

Recently, a petition was launched insisting that the “British Government should apologize to Alan Turing for his treatment and recognize that his work created much of the world we live in and saved us from Nazi Germany. And an apology would recognize the tragic consequences of prejudice that ended this man’s life and career.” An apology for both his specific treatment and the general persecution of homosexuals seems entirely in order. Hopefully, the government will bow to the petitioner’s request, despite Turing not having any surviving family to apologize to.

While writing a historical wrong is a valid reason for issuing an apology, the incident is also not without contemporary relevance. Just look at the continued policy within the US armed forces to dismiss gay linguists from the military. Once again, people making a significant contribution to national security are being discriminated against on the basis of characteristics that are none of their government’s business.

[Update: 10 September 2009] Admirably, British Prime Minister Gordon Brown issued an apology to Alan Turing: “While Turing was dealt with under the law of the time and we can’t put the clock back, his treatment was of course utterly unfair and I am pleased to have the chance to say how deeply sorry I and we all are for what happened to him. Alan and the many thousands of other gay men who were convicted as he was convicted under homophobic laws were treated terribly. Over the years millions more lived in fear of conviction.” The full statement is on the Prime Ministerial website.

FOGBANK and American fusion bombs

The United States may have forgotten how to make FOGBANK: a critical component in at least some thermonuclear weapons. FOGBANK is an ‘interstage material’ that gets turned into a superheated plasma by the detonation of the ‘primary’ fission bomb, helping to ignite the ‘secondary’ fusion reaction.

Some speculate that FOGBANK resembles aerogel. Others describe efforts to re-learn how to make it.

Securing the City

Christopher Dickey’s Securing the City: Inside America’s Best Counterterror Force – the NYPD describes the evolution of New York’s counterterrorism capabilities following the 2001 attacks against the World Trade Centre. Much of the responsibility is attributed to Raymond Kelly, who still serves as Police Commissioner, and David Cohen, his intelligence chief. Key among the changes was the development of much greater intelligence capabilities: everything from officers posted with federal agencies and overseas to developing a broad array of linguists, radiation detection systems, and advanced helicopter optics. All in all, the NYPD developed capabilities to become a mini-CIA, while also strengthening their policing and tactical capacity. All this was done in the face of considerable bureaucratic resistance, particularly from the federal agencies who felt their role was being subverted by the new developments.

Much more than Fred Burton’s book, Securing the City considers the checks and balances associated with greater police power. For instance, Dickey discusses the intelligence operations against people protesting the Republican National Convention in New York in 2004. Dickey also makes passing reference to torture and rendition (without considering the ethics of either at length), as well as surveillance and entrapment-type operations where intelligence officers pretend to help advance terrorist plots, so as to incriminate the others involved. Dickey comes to the general conclusion that the new NYPD capabilities are justified, given the situation in which the city finds itself. He does, however, worry if those capabilities will be properly maintained as budgetary pressures tighten, or when Kelly and the other key architects leave.

Some of the book’s chapters break out from the broad narrative to discuss specific topics, such as weapons of mass destruction or the dangerousness of ‘lone wolf’ operatives who operate independently and without the links to others that make most attackers detectable. While such treatment does make sense, the placement of the chapters can make the book feel a bit randomly assembled at times. Similarly, long italic passages (several pages long) are annoying to read. One other complaint is that the book includes a massive number of names, which can be difficult to keep track of. A listing of ‘characters’ with a brief description of the importance of each would be a nice addition to the front materials.

Dickey is harshly critical of the Iraq war, arguing that is was a distraction that undermined American security. He also argues that the ‘Global War on Terror’ was deeply misguided: “dangerously ill-conceived, mismanaged, and highly militarised.” He is also critical of Rudolf Guliani, who he accuses of taking credit for the successes of others, as well as making poor decisions of his own. His general position on the risk of terrorism is an interesting one. Basically, he thinks the capabilities of Al Qaeda and their sympathizers to carry out attacks in the U.S. has been exaggerated, as demonstrated by just how inept most of the post-9/11 plots were. Nevertheless, he sees the consequences of a terrorist attack as being so severe that even dubious plans being made by incompetent terrorists need to be tracked down and broken up. He repeatedly cites the example of the first World Trade centre bombing, where an inept group failed to advance their aims until Ramzi Yousef joined them and carried their operation to completion. Because of this, he agrees with Burton in thinking that terrorism cannot be treated primarily as a criminal matter. The standard of collecting courtroom-usable evidence is too high to disrupt plots early and effectively, while maintaining the covert capacity to do so again.

Overall, Securing the City is a worthwhile read for those with an interest in security, intelligence, or policing. It’s a nice demonstration of the global importance of some cities in the present age, and the special characteristics of New York. In particular, he praises the role of immigration in the city, citing it as one of the reasons why the NYPD was able to assemble such a diverse and effective capability. Those wanting more context in which to think about the strategic, tactical, and ethical issues surrounding modern terrorism would be well served by giving this book a read.

Ghost: Confessions of a Counterterrorism Agent

I became aware of Fred Burton through the free weekly defence briefings put out by STRATFOR, his current employer. They stand out from other media reports, both as the result of the details they focus on and the thrust of their overall analysis. While I wouldn’t bet heavily on them being entirely correct, they do play a useful counterbalancing role when read alongside media stories that are generally rather similar.

Ghost describes Burton’s history with the Diplomatic Security Service (DSS) between 1986 and 1993, with an epilogue in 2004. Burton’s work involved collecting intelligence, investigating plots and attacks, protecting diplomats, and so forth. He goes into detail on several of the investigations he was involved in, including the assassination of Pakistani President Muhammad Zia-ul-Haq and the capture of Ramzi Yousef. He also describes some of the tactics and strategies employed by the DSS, as well as by other law enforcement and intelligence agencies. These include the operation of motorcades, cover techniques, and countersurveillance: a tactic he claims special credit for deploying in the protective services.

The book’s greatest strength lies in the details it includes, on everything from the character of different intelligence agencies to equipment used to various sorts of tradecraft. While the breathless descriptions can sometimes feel like the content of a mediocre spy novel, the detailed technical discussions offer insight into how clandestine services actually operate. Of course, it is virtually certain that security and secrecy led to parts of the book being incomplete or distorted. Still, it has a candid quality that makes it an engrossing read. One interesting perspective offered is on the connections between different states and terrorist groups: particularly the relationship between Iran and Hezbollah; between the Palestinian Liberation Organization (PLO), Yasser Arafat, and various terrorist groups; as well as the ways in which modern terrorist tactics evolved from those developed by Black September, the group that carried out the massacre at the 1972 Munich Olympics.

At times, the book’s language is overwrought, especially when Burton is discussing the innocence of the victims of terrorism and the ‘evil’ nature of those who commit it. His reflections on his own ethical thinking may be genuine, but seem somewhat hackneyed and unoriginal at the same time. He never portrays American intelligence or police services as having any flaws, with the exception of when bureaucrats get overly involved and stop brave and effective agents from doing their work well. No consideration is given to the abuses that can occur when effective oversight is not present. Burton is also unrelentingly hostile towards the media: accusing them of offering superficial analysis and being eager to divulge information that undermines the clandestine efforts of intelligence organizations. The book is also a bit too well sprinkled with cliches, such as decisions being made and information being assessed ‘above Burton’s pay grade.’ In general, Burton seems a bit too willing to assume that all US intelligence agents are working on the side of the angels and that oversight and accountability can only hamper their efforts.

One interesting passage mentions how little time was required to circumvent the encryption on Yousef’s laptop. This makes me wonder what sort of algorithm had been employed and how it was implemented, as well as the techniques used by those breaking the encryption. I suspect that the actual encryption algorithm is not what was overcome, at least not through some brute force means. It is far more likely that they were able to compromise the password by comprehensively searching through the data on hand, including temporary files and perhaps contents of RAM. It does you little good to have a hard drive encrypted with AES-256 if it is possible to recover or guess the key in a short span of time.

In general, the book is one I recommend. It has a good authentic feel to it and includes some unusual perspectives and operational details. Burton’s personal dedication, as well as that of the agents he serves with and admires, is both convincing and commendable.