Track stolen laptops with Adeona

Those enthusiastically toting their MacBooks, MacBook Pros, and MacBook Airs to coffee shops and university libraries should take note of Adeona: a free program that helps recover laptops in the event of loss or theft.

Installation is very simple: download a file, double click an installer, and choose a password. Once the program is running, it can be forgotten entirely unless needed. It won’t give you the name and phone number of the disreputable person who made off with your lovely portable Mac, but it will give you information about any network the computer has been connected to. If your computer has a built-in camera, it can also be used to snap a picture of the perpetrator. That function probably also justifies putting it on any desktop PCs with an integral camera, such as the 20″ and 24″ iMacs.

The software isn’t exclusively for Apple products (though those who shell out the cash for Steve Jobs’ toys might need it most). Versions are also available for Linux, Windows XP, and Vista.

Editing video using still photos

Recently, there was controversy about a doctored photograph showing four Iranian missiles launching, whereas the original apparently showed three and one on the ground. Errol Morris discussed the images on the website of the New York Times.

Photo and video editing are nothing new, but some new software seeks to make the latter much easier. It combines video data with that from still photographs in order to accomplish many possible aims. For instance, it could be used to improve the resolution of a whole scene or elements within it. It could also correct for over- and under-exposed regions. Of course, it could also facilitate video manipulation. The skills and software required to edit still images are increasingly available. Combine that with this software and you could empower a slew of new video fraudsters.

It will be interesting to see what kind of countermeasures emerge from organizations concerned about data integrity. One route is forensic – identifying markers of manipulation and tools for uncovering them. Another relies on requiring technologies and techniques for those capturing and submitting video. That could involve the expectation of multiple independent photos and videos produced from different angles using different equipment, or perhaps the widespread deployment of timestamps and cryptographic hashing to strengthen data integrity.

Climate change impacts, ranking severity

These are summer days and the blogging is slow. In the spirit of audience participation, here is a quick poll.

Which three of the following climate change impacts do you expect to be the most severe? Please answer first for 2050 and again for 2100. You can interpret ‘severity’ however you like: economic cost, number of deaths, total damage to ecosystems, etc.

  1. Sea level rise
  2. Droughts and floods
  3. Extreme weather events
  4. Ocean acidification
  5. Ecosystem changes (such as invasive species)
  6. Effects on pathogens (such as malaria)
  7. Agricultural impacts
  8. Impacts on fresh water quantity and quality
  9. Other (please specify)

Clearly, there is some overlap between the options. There are also second-order effects to be considered, like the impact of agricultural changes on inter- and intra-state conflict.

Passphrases should be universal

One of the most annoying things about maintaining good password procedures is the fact that various places have different requirements. Some sites I use require one capital letter and one special character (100%Beef!), whereas others forbid special characters but require numbers. Many places have minimum password lengths, while a few especially annoying ones have relatively short maximum password lengths. Relatively few permit you to use a passphrase.

The best option would be to permit an unlimited string, including whatever punctuation and special characters are desired. Using a long string basically foils brute force attacks, as a result of the sheer number of combinations. A hardcore password like “Sz5XULBKwPtI” is probably no more secure (and certainly much less memorable) than a custom phrase like: “The thing I most enjoyed about Paris, France was having picnics in the evenings.” Even if you only permit letters and numbers, each additional character increases the maximum possible length of a brute force search by a factor of 36, or 62 if the passphrase is case sensitive.

Attacks not based on brute force (such as those where keystrokes are logged or passwords are otherwise intercepted) can naturally be carried out regardless of the strength of the password itself. What a passphrase system would allow is a high degree of security along with lessened requirements for obscure memorization. All it would take is a few minor code changes here and there, after all.
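An added example, not code from the original post: the search-space arithmetic above applied to the post's own two strings, together with a storage routine that accepts a secret of any length and any characters because it keeps only a fixed-size salted hash. The function names, the PBKDF2 iteration count and the salt size are assumptions made for this illustration.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example
PASSWORD = "Sz5XULBKwPtI"    # the 12-character password quoted in the post
PHRASE = ("The thing I most enjoyed about Paris, France "
          "was having picnics in the evenings.")  # the post's passphrase


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of alphabet_size ** length: the size of a character-by-character
    brute-force search. It is an upper bound on strength, reached only when
    every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def hash_passphrase(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Accept any non-empty string: no maximum length, no forbidden characters.
    The stored digest is 32 bytes however long the input is."""
    if not secret:
        raise ValueError("empty passphrase")
    if salt is None:
        salt = os.urandom(16)  # assumed salt size: 16 random bytes
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(secret: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, digest = hash_passphrase(secret, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # 36 symbols is the post's conservative letters-and-digits figure.
    print(f"{PASSWORD!r}: {keyspace_bits(len(PASSWORD), 62):.1f} bits (62 symbols)")
    print(f"passphrase: {keyspace_bits(len(PHRASE), 36):.1f} bits (36 symbols)")
    for secret in (PASSWORD, PHRASE):
        salt, digest = hash_passphrase(secret)
        print(len(secret), "chars ->", len(digest), "byte digest,",
              "verifies:", verify(secret, salt, digest))
```

Because only the digest is stored, a maximum password length buys the site no storage savings; the search-space figures describe an exhaustive character-by-character search only.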

Greyhound bus security

Having spent much of the last week waiting for or riding on Greyhound buses, all the news stories about the man who was beheaded on one caught my eye. Some people are calling for airport-style screening procedures for buses. There are at least two reasons for which this is inappropriate.

The first concerns the mobility of buses. With a plane under their control, hijackers can fly to distant states that might assist them. The only way to stop them is to shoot down the plane, killing everyone on board. Buses are comparatively easy to stop. You can shoot out the tires, put spiky strips across the road, or simply block the route with something heavy. Nobody is likely to escape to sunny Cuba on a hijacked bus. Another element of mobility is multiple stops. Bus companies would need to (a) put security at every permitted stop, (b) only allow people on at big bus stations, or (c) allow some unscreened people aboard buses. Someone determined to commit a violent act on a bus could take advantage of (c), while (a) and (b) would seriously inconvenience people at many smaller stops.

The second is that someone in control of an ordinary plane can kill a lot of people. They can certainly kill everyone on board. They can also kill many people on the ground. Similar risks do not exist in relation to buses. At the very most, someone with a machine gun or explosive device could kill most of the people on board. There is no clear situation where being on a bus increases the amount of harm a person can do. Someone who wants to kill a particular person can do it at least as easily off a bus as on it; the same is true for someone who just wants to kill people at random.

There is certainly some risk of violence on board a bus, but that does not mean that excluding weapons is a sensible use of resources. For one thing, it would increase bus fares substantially and require the redesign of bus stations. For another, it isn’t clear that it wouldn’t simply displace any violence that was to occur to a different venue. Living among humans naturally entails risks, which we can mitigate to greater or lesser degrees in various ways. Reducing risk always involves some kind of cost: sometimes in money, sometimes in freedom. The level of news coverage this incident is receiving highlights just how slight a risk this actually is. The kind of risks that make the news aren’t the sort to worry about, since they are rare by definition. It’s the stuff that is too common to constitute news that you really need to fear: things like domestic violence and heart disease, for instance. Screening bus passengers is not an intelligent use of our resources.

Improvement to GMail security

Much to my delight, GMail has added an ‘Activity on this account’ feature. It is located down at the bottom of the inbox page, where it lists the time of last account activities. Clicking ‘Details’ leads to a pop-up showing the last five instances of account access, the form of access (browser, POP, IMAP, etc), and the IP address.

This is a big security advance. Previously, anyone who knew your GMail password could access your account at will, with no way for you to know. They could even be logged in at the same time as you, with no sign on your machine that this was happening. This is also addressed by the new feature, which includes an option to log out all other accounts.

GMail users should definitely take a peek at this information from time to time, especially if they are in the habit of using their account from shared or public computers. Given (a) how much information the accounts store and (b) how easily searchable they are, any attack that gains access to your GMail account could have serious consequences.

Re-encrypting WiFi

Unfortunately, I had to shut down my open wireless network experiment. That is because I found three people within the span of two days who were both (a) criminal and (b) very stupid.

One thing to remember: if you are going to use open wireless networks to download illegal things, make sure you aren’t sharing your entire hard drive in read/write mode. Not only will the person running the network get wise to you without even needing to sniff packets, they will be able to remotely eliminate your ill-gotten files before banning you from the network. If they were so inclined, they could do much worse things to you.

I suppose I could set up a captive portal system using something like ZoneCD – thus providing scope for well behaved neighbours and passers by to use the network. That would, however, require acquiring and setting up a computer between my DSL modem and WAP. Since the two are presently integrated, the expense and bother would be even greater.

As is always the case, a few bad apples have made it necessary to discontinue a good thing.

Knives and Britain

Milan Ilnyckyj outside the Beaux Arts Museum, Montreal

I must admit, I find the ongoing debate about knives in the UK somewhat perplexing. The leader of the Conservative Party wants mandatory jail time for anyone caught carrying one. Editors at the BBC argue that the problem may be overblown. To me, it seems like what people are missing is the fundamental difference between knives and weapons. Obviously, a knife can be used as a weapon. So can a hammer, umbrella, or fork. While we rightly appreciate that it is illegitimate use of the latter that is problematic (and addressed through laws against assault, uttering threats, etc), it seems important to remember that use-as-a-weapon is aberrant, rather than to be expected.

At virtually all times, I have either one or two small folding knives on me: one on the SOG Crosscut on my keychain and a CRKT Kiss in my backpack. When I am travelling or going into the woods, I will often have a Swisstool X with me as well. Probably the most common uses of these are cutting food and paper, though each has been used in dozens of ways. Knives are ancient, highly versatile, and useful tools – one of the first technologies to differentiate the human species from less adaptive animals. Assuming that I am carrying either as a weapon strikes me as unfair, as well as a reversal of the presumption of innocence. The onus must be on the authorities to prove malicious intent, rather than upon the individual to prove their intentions benign.

On a side note, all of this is very different for guns, particularly handguns. The only plausible use for a handgun is as a weapon. One never goes on a picnic and regrets the lack of one. Restricting the ownership and carrying of guns is an entirely reasonable restriction, as a manifestation of their nature.

Who are you really talking to?

Bruce Schneier has an interesting post about man-in-the-middle attacks. These are situations in which party A and party B are trying to exchange sensitive information privately (for instance, credit card numbers or orders for moving hostages) without realizing that party E is in between them, pretending to be party A to party B, and vice versa.

The attack model has been mentioned here before in the context of cellular phones. It is rather more interesting in the context of the Betancourt rescue from the FARC.

Bletchley Park today

Bletchley Park, the English manor where codebreaking was undertaken during the Second World War, has been falling into disrepair due to lack of funds. This seems especially ungrateful, given the extremely important role the signals intelligence developed there played in the war. In particular, the decipherments helped to clear the Atlantic of U-boats, keep the United Kingdom supplied, and eventually shift the people and equipment required for D-Day and the retaking of the continent.

Work done at Bletchley was also important in relation to the emergence of modern computers. If there are historical sites worth preserving, this is surely one of them. Thankfully, the Heritage Lottery fund now seems likely to provide funding.

The fact that the codebreaking work done at Bletchley was not publicly announced until the 1970s makes it doubly important to tell the story well now. For decades, people who worked there had to respond with awkward silence when asked how they contributed to the war effort. Their extraordinary contribution deserves to be well marked today.