RFID tinkering kit

Radio frequency identification tags are not the most secure things in the world. Indeed, they are probably the last thing you want in your credit card or passport. That being said, they do look as though they could have interesting tinkering applications. No doubt, people will dream up all sorts of cool applications for households and offices.

The Tikitag kit from Alcatel-Lucent should help with that, since it eliminates the need to actually configure hardware. Personally, I would use it to do something along these lines: Attach tags to three or four everyday objects in concealed locations. Hide readers in an equal number of places around my house. Then, when you put the candlestick on the right part of the bookshelf, the clock on the correct segment of the mantel, and the vase on the correct floor tile, a bookcase swings open revealing the entrance to one’s hidden lair…

For added security, one might put the last reader in the bookshelf itself, and the last tag in a radio-shielded pouch around one’s neck.

The world’s most extensive data centres

In an article for Nature, Cory Doctorow, co-editor of Boing Boing, describes some of the world’s most colossal data centres. These include facilities for gene sequencing, particle physics, internet archiving, and so forth. The article includes some vivid descriptions of the massive scale at which data is being interacted with, as well as some of the technologies associated. Describing the ‘PetaBoxes’ that contain copies of much of the web, he explains:

[H]oused in these machines are hundreds of copies of the web — every splenetic message-board thrash; every dry e-government document; every scientific paper; every pornographic ramble; every libel; every copyright infringement; every chunk of source code (for sufficiently large values of ‘every’, of course).

They have the elegant, explosive compactness of plutonium.

Far from being static repositories, many of these places have been designed for a near-constant process of upgrading. They maintain spare capacity into which 1 terabyte drives can be installed when the 500 gigabyte drives become dated (and then 2 terabyte drives, and then 4 terabyte drives). The ones with the greatest capacity use huge arrays of magnetic tapes, archived and accessed by robotic arms. The data centre at CERN (where the Large Hadron Collider will soon begin collecting data) includes two robots, each of which manages five petabytes of data. That’s five million gigabytes: equivalent to more than 585,000 double-sided DVDs.

One of the most interesting issues described is heat and the mechanisms through which it is addressed. The section describing how emergency shutdowns need to occur in the event of a cooling failure definitely comes across powerfully. Describing a facility in the Netherlands, it says:

The site manager Aryan Piets estimates that if it broke down and the emergency system didn’t come on, the temperature in the centre would hit 42 °C in ten minutes. No one could cleanly bring down all those machines in that time, and the dirtier the shutdown, the longer the subsequent start-up, with its rebuilding of databases and replacement of crashed components. Blow the shutdown and stuff starts to melt — or burn.

The main system being discussed is actually surprisingly climate friendly, since it uses cool lake water and pumps rather than air conditioning equipment to keep the drives and servers at an acceptable temperature. Hopefully, it is something that other firms with massive server farm needs are paying attention to. The article mentions Google several times.

For the geeky and the curious, the whole article deserves a read.

India and the Nuclear Suppliers Group

Today, the 45-nation Nuclear Suppliers Group decided to approve a nuclear deal between the United States and India (which is not part of the Nuclear Non-Proliferation Treaty (NPT), and which tested bombs between 1974 and 1998). The decision is one about which I feel ambivalent. On the one hand, it might promote the relatively responsible use of nuclear technologies in India. Despite how we could probably do better by spending our money in other ways, more nuclear power is a likely consequence of concerns about both energy security and climate change. On the other hand, the deal demonstrates that it is possible states can test bombs, remain outside the NPT, and still get access to internationally-provided nuclear fuels and technologies. The lesson to other states may be that the best long-term course of action is to ignore international efforts aimed at preventing the spread of nuclear weapons.

Thinking about how many states are likely to have reactors and bombs by the end of the next century is pretty worrisome.

More comprehensive reporting on the decision:

Generation Kill

Written by a journalist embedded with the 1st Reconnaissance Battalion of the Marine Corps, Evan Wright’s Generation Kill describes the experience of invading Iraq alongside them in 2003. The book provides a graphic account of what transpired among the men of the Battalion and its subsidiary units, as well as on battlefields between Kuwait City and Baghdad.

Some of the more notable elements of the first person account include the lack of coordination between different units, poor logistics and intelligence, near-total lack of translators, wide variations in competence and attitude between officers, and the force with which the sheer terror and agony of the experience is recounted. While large portions of the invading army may have had tents, cots, and warm meals, the recon Marines operate for the entire war on pre-packaged food and holes laboriously pick-axed into the ground. They spent much of the war in bulky chemical protection suits, fearing gas attacks that never came. The Marines are intentionally sent into ambush after ambush, receiving massive amounts of fire from within open-topped Humvees, as a feint to confuse Iraqi forces about the overall American strategy. The book certainly does a good job of conveying the brutality of it all: for the Marines, their Iraqi opponents, and for the civilians all around. The most interesting aspects of the narrative are definitely the characters of the individual Marines, as effectively illustrated through quoted statements.

The book does reinforce some broader conclusions that can be drawn about the war: particularly in terms of how the treatment of the civilian population has been mismanaged. What is less clear is whether the lesson to be drawn is that much more attention needs to be paid to post-occupation planning in future conflicts, or whether expectations of anything other than absolute carnage following a ‘regime change’ are misguided. Probably, the answer lies somewhere between.

The book has also formed the basis for an HBO mini-series of the same name. The series and the book parallel one another very closely. Indeed, given the arguably greater capacity of film to depict the majority of the events described, just watching the series may be a superior option to just reading the book.

Barack Obama on oil imports

Compared with his 2004 performance, Barack Obama’s speech at the Democratic National Convention the day before last seemed a bit lackluster. That being said, it was more specific about the priorities of a potential Obama administration. Energy issues were touched upon a few times – the environment hardly at all – but that is probably not surprising, given that winning the election is the over-riding priority for him now, and talk of effective climate change policies is (sadly) likely to lose more votes than it wins. The speech only mentions climate change once, as one of the “threats of the 21st century” along with “terrorism and nuclear proliferation, poverty and genocide, climate change and disease.” The lack of elaboration demonstrated both the degree to which this speech was aimed at a domestic audience primarily concerned with the state of the US economy and the desire to avoid the mention of polarizing specifics when enumerating challenges – a tactic that was also used in relation to a number of domestic social issues.

One line struck me as ambiguous and potentially problematic:

[F]or the sake of our economy, our security, and the future of our planet, I will set a clear goal as president: In 10 years, we will finally end our dependence on oil from the Middle East.

If this just means shifting American imports from Middle Eastern states to those elsewhere in the world, this won’t be much of a solution for either climate change or energy security. Let’s say the US buys all of its oil from outside the Middle East. Even so, the world price of oil will largely be set by developments there: particularly expectations about output in volatile areas, as well as confidence in the ability of Saudi Arabia to moderate oil price shocks through reserve capacity. Since the price of Alaskan or Albertan oil moves along with developments in Kuwait and Iran as much as oil anywhere else, the source of the imports isn’t hugely important when it comes to price or security of supply. If the non-Middle Eastern producers selling to the US can get a better price in Europe or Japan, the oil will follow the money.

A more ambitious and effective plan would focus on ending dependence on oil altogether, regardless of source. That can begin in areas where oil can be easily replaced at present – such as powering urban vehicles – and can progressively move into areas where fewer alternatives now exist. The pledge in the speech to devote $150 billion to developing alternative energy sources hints at an appreciation of the importance of a renewable energy economy. Achieving that requires altering the mechanisms through which energy is generated, transmitted, and used – not just changing the flags on incoming supertankers.

Steganography challenge

In the past, I have posted a few cipher challenges for the cryptographically inclined. Here is a new one:

The above is an example of steganography rather than cryptography, though the two can be easily combined. Indeed, the same approach used above could be applied in a far more subtle and effective fashion. To save people some trouble, I can tell you that the hidden message is in the actual text shown, not hidden somewhere in the data file.

Here is a hint, weakly enciphered using ROT13: Guvf sbez bs frperg jevgvat jnf vairagrq ol Senapvf Onpba.

Track stolen laptops with Adeona

Those enthusiastically toting their MacBooks, MacBook Pros, and MacBook Airs to coffee shops and university libraries should take note of Adeona: a free program that helps recover laptops in the event of loss or theft.

Installation is very simple: download a file, double click an installer, and choose a password. Once the program is running, it can be forgotten entirely unless needed. It won’t give you the name and phone number of the disreputable person who made off with your lovely portable Mac, but it will give you information about any network the computer has been connected to. If your computer has a built-in camera, it can also be used to snap a picture of the perpetrator. That function probably also justifies putting it on any desktop PCs with an integral camera, such as the 20″ and 24″ iMacs.

The software isn’t exclusively for Apple products (though those who shell out the cash for Steve Jobs’ toys might need it most). Versions are also available for Linux, Windows XP, and Vista.

Editing video using still photos

Recently, there was controversy about a doctored photograph showing four Iranian missiles launching, whereas the original apparently showed three and one on the ground. Errol Morris discussed the images on the website of the New York Times.

Photo and video editing are nothing new, but some new software seeks to make the former much easier. It combines video data with that from still photographs in order to accomplish many possible aims. For instance, it could be used to improve the resolution of a whole scene or elements within it. It could also correct for over- and under-exposed regions. Of course, it could also facilitate video manipulation. The skills and software required to edit still images are increasingly available. Combine that with this software and you could empower a slew of new video fraudsters.

It will be interesting to see what kind of countermeasures emerge from organizations concerned about data integrity. One route is forensic – identifying markers of manipulation and tools for uncovering them. Another relies on requiring technologies and techniques for those capturing and submitting video. That could involve the expectation of multiple independent photos and videos produced from different angles using different equipment, or perhaps the widespread deployment of timestamps and cryptographic hashing to strengthen data integrity.

Climate change impacts, ranking severity

These are summer days and the blogging is slow. In the spirit of audience participation, here is a quick poll.

Which three of the following climate change impacts do you expect to be the most severe? Please answer first for 2050 and again for 2100. You can interpret ‘severity’ however you like: economic cost, number of deaths, total damage to ecosystems, etc.

  1. Sea level rise
  2. Droughts and floods
  3. Extreme weather events
  4. Ocean acidification
  5. Ecosystem changes (such as invasive species)
  6. Effects on pathogens (such as malaria)
  7. Agricultural impacts
  8. Impacts on fresh water quantity and quality
  9. Other (please specify)

Clearly, there is some overlap between the options. There are also second-order effects to be considered, like the impact of agricultural changes on inter- and intra-state conflict.

Passphrases should be universal

One of the most annoying things about maintaining good password procedures is the fact that various places have different requirements. Some sites I use require one capital letter and one special character (100%Beef!), whereas others forbid special characters but require numbers. Many places have minimum password lengths, while a few especially annoying ones have relatively short maximum password lengths. Relatively few permit you to use a passphrase.

The best option would be to permit an unlimited string, including whatever punctuation and special characters are desired. Using a string basically foils brute force attacks, as the result of the sheer number of combinations. A hardcore password like “Sz5XULBKwPtI” is probably no more secure (and certainly much less memorable) than a custom phrase like: “The thing I most enjoyed about Paris, France was having picnics in the evenings.” Even if you only permit letters and numbers, each additional character increases the maximum possible length of a brute force search by a factor of 36: 62 if the passphrase is case sensitive.

Attacks not based on brute force (such as those where keystrokes are logged or passwords are otherwise intercepted) can naturally be carried out regardless of the strength of the password itself. What a passphrase system would allow is a high degree of security along with lessened requirements for obscure memorization. All it would take is a few minor code changes here and there, after all.
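
As an added illustration (not code from the original post), here is what a length-only passphrase policy looks like on the server side, next to a restrictive rule set of the kind the post complains about. The function names, the length bounds, the legacy rules and the PBKDF2 work factor are all assumptions; the two sample secrets are the ones quoted above.

```python
import hashlib
import hmac
import math
import os
import re
import unicodedata

# Both sample secrets are quoted from the post.
PASSWORD = "Sz5XULBKwPtI"
PHRASE = "The thing I most enjoyed about Paris, France was having picnics in the evenings."

MIN_CHARS, MAX_CHARS = 12, 1024   # assumed bounds; the cap only limits request size
ITERATIONS = 600_000              # assumed PBKDF2-HMAC-SHA256 work factor

def legacy_policy(secret: str) -> bool:
    """Constructed restrictive rules: 8-16 letters or digits, at least one digit."""
    return bool(re.fullmatch(r"[A-Za-z0-9]{8,16}", secret)) and any(c.isdigit() for c in secret)

def passphrase_policy(secret: str) -> bool:
    """Length-only rule: spaces, punctuation and any other characters are allowed."""
    return MIN_CHARS <= len(secret) <= MAX_CHARS

def _stretch(secret: str, salt: bytes) -> bytes:
    # NFKC so the same phrase typed on different keyboards yields the same bytes.
    data = unicodedata.normalize("NFKC", secret).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)

def enroll(secret: str) -> tuple[bytes, bytes]:
    """Return (salt, hash). The stored hash is 32 bytes whatever the input length."""
    if not passphrase_policy(secret):
        raise ValueError("secret length outside policy")
    salt = os.urandom(16)
    return salt, _stretch(secret, salt)

def verify(secret: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored hash."""
    return passphrase_policy(secret) and hmac.compare_digest(_stretch(secret, salt), stored)

def search_space_bits(length: int, alphabet: int) -> float:
    """log2 of alphabet ** length, the exhaustive search the post refers to."""
    return length * math.log2(alphabet)

if __name__ == "__main__":
    salt, stored = enroll(PHRASE)
    print(legacy_policy(PHRASE), passphrase_policy(PHRASE), verify(PHRASE, salt, stored))
    print(round(search_space_bits(len(PASSWORD), 62), 1))
```

Because only the salted hash is stored, its size does not grow with the passphrase, so a short maximum length buys the site nothing in storage.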