The ‘SSL strip’ exploit

The Secure Sockets Layer (SSL) is one of the world’s most important forms of commercial encryption. It is the public key system generally employed by e-commerce websites like Amazon, in order to prevent payment details from being intercepted by third parties. At this week’s Black Hat security conference in Washington, details were released on an exploit that takes advantage of the weak way in which SSL is implemented in secure (HTTPS) websites.

The tool – called ‘SSL strip’ – is based around a man-in-the-middle attack, where the system for redirecting people from the insecure to the secure version of a web page is abused. By acting as a man-in-the-middle, the attacker can compromise any information sent between the user and the supposedly secure webpage. The author of the exploit claims to have used it to steal data from PayPal, Gmail, Ticketmaster, and Facebook – including sixteen credit card numbers and control of more than 100 email accounts.

This kind of vulnerability has always existed with SSL because it is difficult to be certain about where the endpoints of communication lie. Rather than having a secure end-to-end connection between Amazon and you, there might be a secure connection between you and an attacker (who can read everything you do in the clear), and then a second secure connection between the attacker and Amazon.

To some extent, the problem can be mitigated through technical means (as described in the linked article). Beyond that, the question arises of what constitutes adequate precautions, from both a legal and a personal standpoint, and who should pay the costs associated with data breaches and fraud.
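One technical check for this kind of stripping, given as an added example that is not from the original post or from the tool itself: compare what a client receives with a reference copy fetched over a trusted path, and flag a withheld redirect to HTTPS or links and form targets that have been downgraded from https to http. The host name, sample pages and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "action", "src"}  # attributes that carry navigation or submission targets


class _UrlCollector(HTMLParser):
    """Collect (tag, attribute, url) triples from a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append((tag, name, value))


def collect_urls(html):
    parser = _UrlCollector()
    parser.feed(html)
    parser.close()
    return parser.urls


def _target(url):
    """Scheme-independent identity of a URL: host, path and query."""
    parts = urlsplit(url)
    return (parts.hostname or "", parts.path or "/", parts.query)


def find_downgrades(reference_html, observed_html):
    """URLs that are https in the reference copy but http in the observed copy."""
    secure = {_target(u) for _, _, u in collect_urls(reference_html)
              if urlsplit(u).scheme == "https"}
    return [(tag, attr, url) for tag, attr, url in collect_urls(observed_html)
            if urlsplit(url).scheme == "http" and _target(url) in secure]


def redirect_suppressed(reference, observed):
    """True if the reference answer redirects to https and the observed one does not."""
    def goes_to_https(response):
        status, headers = response
        location = {k.lower(): v for k, v in headers.items()}.get("location", "")
        return 300 <= status < 400 and urlsplit(location).scheme == "https"
    return goes_to_https(reference) and not goes_to_https(observed)


# Constructed sample data (shop.example.test is a placeholder host).
REFERENCE_PAGE = """<a href="https://shop.example.test/cart">Cart</a>
<a href="http://shop.example.test/about">About</a>
<form action="https://shop.example.test/login" method="post"></form>"""
OBSERVED_PAGE = REFERENCE_PAGE.replace("https://", "http://")

if __name__ == "__main__":
    for finding in find_downgrades(REFERENCE_PAGE, OBSERVED_PAGE):
        print("downgraded:", finding)
    print("redirect suppressed:", redirect_suppressed(
        (301, {"Location": "https://shop.example.test/"}), (200, {})))
```

Links that were already plain http in the reference copy are not reported, so the output lists only targets whose protection was removed in transit.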

[Update: 23 February 2009] The slides from the original presentation about SSL Strip are available here and here. Both servers are under a fair bit of strain, due to all the popular interest about this topic, so it may be tricky to access them during the next few days.

[Update: 25 February 2009] SSL Strip can actually be downloaded on Marlinspike’s website.

[Update: 5 November 2009] One thing I think these SSL exploits (and others described in comments below) demonstrate is that we cannot rely completely on technical means to avoid fraud and theft online. There is also a role to be played by laws on liability and other means.

Webs of trust in academic publishing

Public key cryptography was a breakthrough because of the many new types of secure communication it suddenly permitted: most importantly, between people who do not have a trusted channel through which to exchange a symmetric key. Instead, it permits each partner to make a public key widely available, as well as use the public keys of others to encrypt messages that only they can decrypt.

One avenue of attack against this kind of system is for an attacker to make a public key available that they pretend belongs to someone else. For instance, you might try to impersonate a government or industry figure, then have people send sensitive materials to you inadvertently. One way to prevent this kind of attack is to use key signing: an approach employed by both the commercial software PGP and the free GPG alternative. With key signing, you produce a web of trust, in which people use their own secret keys to vouch for the validity of public keys posted by others. That way, if I trust Bob and Bob trusts Jim, I can adopt that trust transitively.

GPeerReview is a system intended to extend this trust function to the review of academic work. Reviewers produce comments on documents and sign them with their keys. These comments can include different levels of endorsement for the work being scrutinized.

It is difficult to know whether the level of academic fraud that takes place justifies this sort of cryptographic response, but it seems like a neat idea regardless. Providing secure mechanisms for people to prove who they are and that things are properly attributed to them is increasingly important as technology makes it ever-easier for nefarious individuals to impersonate anyone in front of a wide audience.

Hiding Nobel Prize medals

Recently, I came across an interesting anecdote about the history of Nobel prizes: specifically, those that were awarded to James Franck (for work on quantum physics) and Max von Laue (for discovering x-ray crystal diffraction). Fearful of confiscation by the Nazis, both scientists illegally sent their medals to Niels Bohr in Copenhagen, for safe keeping. Franck then fled from Germany to America, prior to the Nazi invasion of Denmark in 1940.

At the time, sending the medals out of Germany was a very serious crime and, since they were engraved with the names of their recipients, Bohr feared what would happen to them if the medals were found by the occupying army. Fearful that the invaders would find and confiscate the medals, Bohr eventually passed the medals to the chemist George de Hevesy, who subsequently dissolved both Franck and von Laue’s medals in acid (aqua regia, specifically). He was able to hide the resulting black solution from the Nazi invaders and, after the war, the gold was precipitated out of the solution and sent to Stockholm to be re-forged into medals by the Swedish Academy. Bohr had previously sold his own medal at a charitable auction earlier that year.

In 1943, de Hevesy himself won a Nobel Prize in Chemistry, for work on using isotopes to trace chemical processes.

NGOs and armed actors

One of the more regrettable developments in international relations in recent years has been the intentional targeting of humanitarian relief organizations, and all the complexities that derive from that. Sometimes, aid groups are presented with difficult choices between accepting protection from an army – and, in so doing, losing part of their claim to neutrality – or disengaging from a conflict zone in which they could otherwise do a lot of good.

Edwina Thompson, a friend of mine from Oxford, has written a report on the problem for World Vision International: Principled Pragmatism: NGO engagement with armed actors. To those interested in armed conflict and humanitarian assistance, it is worth taking a look at.

In the concluding section, the report identifies existing gaps in efforts to manage civilian-military relations. It also provides recommendations to the international community, donors, and NGOs.

Three passages from Payback

There are three further elements of Margaret Atwood’s Payback that seem in keeping with the themes of this blog, and the current conversations here. I am not going to comment on them excessively, since I think they provoke enough thinking in themselves.

The first is her list of possible responses to major crises. You can “Protect Yourself, Give Up and Party, Help Others, Blame, Bear Witness, and Go About Your Life.” In the context of climate change, it seems like we are all engaging in a particular combination of these behaviours. It is worth contemplating if it is the right one. She doesn’t really discuss how there is a prisoner’s dilemma at work here. If nobody else addresses problems, protecting yourself or partying are your best options. If you can convince others to cooperate, you can help others and get on with your life.

The second is her description of an international approach to climate change mitigation:

[G]lobal warming has been dealt with at a global summit during which world leaders gave up paranoia, envy, rivalry, power-hunger, greed, and debate over who should start cutting down the carbon footprint first and rolled up their sleeves and got with it.

While that is a very appealing vision for how developed and rapidly developing states might behave, it does seem appropriate to recall that, in many places, the reduction of extreme poverty and insecurity is a more urgent task. Let Canada, China, and the United States learn how to run a zero carbon society, before calling on Sudan or Afghanistan to do so.

The third is a hypothetical response the American president could have given to the September 11th attacks:

We have suffered a grievous loss – a blow has been struck at us that was motivated by an obsessive desire to harm us. We realize that this was the work of a small group of fanatics. Other nations might bomb the stuffing out of the civilian population where those fanatics are at present located, but we recognize the futility of such an action. Nor will we accuse any bystander nation of having been involved. We realize that acts of vengeance recoil upon the heads of the inventors, and we do not wish to perpetuate a chain reaction of revenge. Therefore we will forgive.

The quote is an interesting one. For me, the last sentence somewhat clashes with the rest. It is one thing to say: “We will not take this fight to those who did not start it.” It is quite another to say that we will not respond directly to those who did, while being careful to spare the innocent. While it is on the fringe of what is imaginable that the United States might have responded to Al Qaeda through international cooperation and the vigorous efforts of law enforcement and the courts, it doesn’t seem either moral or believable that they would not respond in some way to those who were directly involved.

Payback: Debt and the Shadow Side of Wealth

This series of lectures, published in book form, shows Margaret Atwood at her lively best. It is reminiscent of James Burke’s series ‘Connections,’ in which he traces a seemingly random path through history, choosing the most interesting and unexpected road at every juncture. In some ways, Atwood’s consideration of debt occurs in an even richer world, since it includes literature, mythology, and religion among the kind of paths that can be followed.

The first section of the book examines debt in a historical and conceptual way: considering different kinds of debt (financial, moral, spiritual, etc) as well as different modes of repayment. It considers the ethics of being a borrower and a lender, as well as the consequences that can arise for those who happen to be near either. Atwood’s examination highlights how lenders can err both in being too harsh on their debtors and in being too stingy with their money – both the vicious loan shark and the penny-pinching miser are culpable. The book discusses revenge as a special form of debt repayment, as well as the complexities that arise when debts are being incurred by states and princes. All this is made quite entertaining by the cleverness of the connections being identified, and the teasing and humorous tone of the narration.

The second section is an exposition of our current state of deep indebtedness, and a recognition that the greatest and most threatening of those debts are ecological. While Atwood’s updated Scrooge story includes asides on the unjustness of the World Bank and IMF, as well as the risks associated with fiat currencies, her primary concern is with the wanton destruction of the natural world that has been accelerating since the industrial revolution. She singles out overfishing, biofuels, deforestation, overpopulation, soil depletion, and climate change as examples, painting a general picture of extreme human recklessness. The redemptive vision is one based around neo-hippie victory: renewable power, an international agreement to stop climate change, and organic food for all.

The concluding story feels a bit trite, really. Any corporate baron paying the slightest bit of attention would already be jaded about the messages from the ghosts Atwood’s Scrooge Nouveau receives. That said, and while the literary merits of the first section exceed those of the second, it is appealing that this is a book of action as well as contemplation. It is hard not to agree with the thrust of Atwood’s argument. By all means, let’s increase the fairness of the global financial system and curb humanity’s self-destructive ways. This book contributes to that project by provoking a great deal of thought about the symbolism and meanings of debt. We will need to look beyond it for concrete ideas about how to overthrow or convert those who favour the status quo and thus bring about a sustainable (appropriately indebted) new order.

I say ‘appropriately indebted’ because the book makes a strong case that we can never really be out of debt. As social entities, there are always tallies of obligation between us, and nobody can ever be said to be sitting perfectly at the balance point of these transactions. Indeed, given the way they are denominated in different currencies (honour, favours, wealth), seeking such an outcome is hopeless. What we can attain is the position of borrowing and lending rightly, with forgiveness and an awareness and concern about the consequences for those around us and the wider world.

In any case, the book is highly topical, informative, and makes for a quick and rewarding read. It is telling that, while other books have been sitting around my apartment for months, I received this one in the mail yesterday and finished it today.

Profiting illicitly from chance

Skimming through a local newspaper the other day, I came across an advertisement for ‘investment advice.’ Basically, it was someone hoping to manipulate random chance to make a profit. It worked like this:

  • You sign up and, for the next month, you get free weekly investment advice.
  • You are encouraged to either invest according to the advice or pretend that you have done so, keeping track of the relevant stocks and how much you would have earned if you had invested.
  • After the free trial period, you start paying a fee for further advice.

The system works in a pretty obvious way. The people running it either produce one weekly piece of advice or, if they are smarter, many. They then send this information to people at random. Naturally, some of the advice will lead to real or simulated losses. Those people will stop taking the advice. Some people, however, will receive seemingly good advice week after week. These people, impressed with the ‘track record’ of the financial advisors, will presumably start paying for the information, perhaps giving up when things inevitably go wrong.

You could perform the same trick with any random and money-connected activity: betting on races or sporting events, commodity prices, and so forth. In every case, enough random sets of advice being distributed will lead to a subset of people winning on the basis of the ‘advice’ several times in a row.

At one level, this is a pretty simple confidence trick. At the same time, it isn’t hugely different from what a lot of legitimate financial firms do from day to day. Buying mutual funds, in particular, bears similarities. People evaluate funds based on their past performance, despite how that may have been the product of chance rather than good choices. At least some mutual funds will always do well, driving people to believe that money can be made with them. In fact, mutual funds are more insidious than the con described above. That is because they charge management fees. As a result, there are likely to be many circumstances in which fund managers are getting paid on a day-to-day basis for making trades that underperform the market.

Incidentally, a related trick could be performed with fake medicine: offer it to sick people for free, to begin with, then start selling it to the ones who happen to see their condition improve significantly for unrelated reasons during the ‘treatment’ period. This would work especially well with chronic conditions where the level of suffering varies significantly from one point in time to the next.

Closing Guantanamo and reining in the CIA

Not only did Barack Obama order the closure of Guantanamo Bay, he has also ordered that secret CIA prisons be closed and that the CIA must abide by the Army Field Manual in conducting interrogations. The latter decision closes a serious loophole in the human rights policies of the previous administration.

While there are a lot of tricky decisions left to be made about exactly how the prisons will be closed, who will be tried, who will be released, and where, this is a major step towards American rehabilitation in the eyes of the world. Hopefully, this will underline the fact that the Bush policies on torture and imprisonment were an aberration from the overall American approach. Of course, their injustice could be highlighted all the more effectively through the prosecution of some of the people who illegally implemented and oversaw them to begin with.

Greyhound’s pointless security

On my way to Toronto last weekend, I was subjected to Greyhound’s farcical new ‘security screening.’

People were made to stand in a line in front of a roped-off area. One by one, they removed metal objects from their pockets, placed them in a dish, and had a metal detecting wand waved over them. At the same time, another security person spent a couple of seconds poking around in the top few inches of the person’s carry-on bag. The person then entered the roped-off area, carrying their carry-on and checked bags with them, waiting for the rest of the line to be processed.

Ways to get a weapon past this system:

  • Get one not made of metal, like a ceramic knife, and put it in your pocket.
  • Put it below the top few inches of your backpack.
  • Hide it inside a hollowed-out book, inside a piece of electronics, etc.
  • Put it in your wallet. With a wallet that can take an unfolded bill, you could fit a few flat throwing knives.
  • Tape it to the bottom of your shoe.
  • Put it in your checked baggage, remove it while you are waiting on the far side of the line.
  • Go through the screening, ask to go use the bathroom, collect your weapon, and return to the ‘screened’ area.
  • Before entering the bus station, hide a weapon outside, in the vicinity of where your bus will pull in. Pick it up before boarding.
  • Use a weapon that is both deadly and innocuous: such as a cane, umbrella, or strong rope.
  • Get on at a rural stop, instead of Ottawa.
  • Get on in Toronto, instead of Ottawa, since they don’t seem to be bothering with the screening there.
  • Etc.

I am not saying that people should actually bring weapons on Greyhound buses, and I am most certainly not saying that Greyhound should tighten their security to make these tactics useless. I am saying that the new screening is nothing more than security theatre. It does nothing to make Greyhound buses safer, though it will add needlessly to ticket prices.

On a more philosophical level, it also perpetuates the kind of low-freedom, security-obsessed society that many people seem to expect. It would be far healthier to acknowledge that the world contains risks while also noticing that countermeasures to reduce those risks have real costs, whether in hard currency or in convenience or privacy or liberty.

Planning for accidents

Over at Gristmill, there is a good article about planning in the face of possible accidents. Specifically, it discusses the massive coal ash spill in Tennessee. The article stresses how responsible planning must make a genuine attempt to estimate the probability of a catastrophic accident taking place, as well as the likely consequences of such an accident. Excluding worst-case scenarios from planning makes it likely that plans will go forward which are unacceptably dangerous. It also makes it more likely that possible defences against a serious accident will not be established.

Many of these points are similar to ones made about financial risk by Nicholas Taleb. In both cases, there are very serious risks associated with making plans on the basis of ‘ordinary’ outcomes, while ignoring the possibility that things will become far worse than you anticipated.