Security – Page 41 – a sibilant intake of breath

Greyhound bus security

Having spent much of the last week waiting for or riding on Greyhound buses, all the news stories about the man who was beheaded on one caught my eye. Some people are calling for airport-style screening procedures for buses. There are at least two reasons for which this is inappropriate.

The first concerns the mobility of buses. With a plane under their control, hijackers can fly to distant states that might assist them. The only way to stop them is to shoot down the plane, killing everyone on board. Buses are comparatively easy to stop. You can shoot out the tires, put spiky strips across the road, or simply block the route with something heavy. Nobody is likely to escape to sunny Cuba on a hijacked bus. Another element of mobility is multiple stops. Bus companies would need to (a) put security at every permitted stop (b) only allow people on at big bus stations or (c) allow some unscreened people aboard buses. Someone determined to commit a violent act on a bus could take advantage of (c), while (a) and (b) would seriously inconvenience people at many smaller stops.

The second is that someone in control of an ordinary plane can kill a lot of people. They can certainly kill everyone on board. They can also kill many people on the ground. Similar risks do not exist in relation to buses. At the very most, someone with a machine gun or explosive device could kill most of the people on board. There is no clear situation where being on a bus increases the amount of harm a person can do. Someone who wants to kill a particular person can do it at least as easily off a bus as on it; the same is true for someone who just wants to kill people at random.

There is certainly a certain risk of violence on board a bus, but that does not mean that excluding weapons is a sensible use of resources. For one thing, it would increase bus fares substantially and require the redesign of bus stations. For another, it isn’t clear that it wouldn’t simply displace any violence that was to occur to a different venue. Living among humans naturally entails risks, which we can mitigate to greater or lesser degrees in various ways. Reducing risk always involves some kind of cost: sometimes in money, sometimes in freedom. The level of news coverage this incident is receiving highlights just how slight a risk this actually is. The kind of risks that make the news aren’t the sort to worry about, since they are rare by definition. It’s the stuff that is too common to constitute news that you really need to fear: things like domestic violence and heart disease, for instance. Screening bus passengers is not an intelligent use of our resources.

Improvement to GMail security

Much to my delight, GMail has added an ‘Activity on this account’ feature. It is located down at the bottom of the inbox page, where it lists the time of last account activities. Clicking ‘Details’ leads to a pop-up showing the last five instances of account access, the form of access (browser, POP, IMAP, etc), and the IP address.

This is a big security advance. Previously, anyone who knew your GMail password could access your account at will, with no way for you to know. They could even be logged in at the same time as you, with no sign on your machine that this was happening. This is also addressed by the new feature, which includes an option to log out all other accounts.

GMail users should definitely take a peek at this information from time to time, especially if they are in the habit of using their account from shared or public computers. Given (a) how much information the accounts store and (b) how easily searchable they are, any attack that gains access to your GMail account could have serious consequences.

Re-encrypting WiFi

Unfortunately, I had to shut down my open wireless network experiment. That is because I found three people within the span of two days who were both (a) criminal and (b) very stupid.

One thing to remember: if you are going to use open wireless networks to download illegal things, make sure you aren’t sharing your entire hard drive in read/write mode. Not only will the person running the network get wise to you without even needing to sniff packets, they will be able to remotely eliminate your ill-gotten files before banning you from the network. If they were so inclined, they could do much worse things to you.

I suppose I could set up a captive portal system using something like ZoneCD – thus providing scope for well behaved neighbours and passers by to use the network. That would, however, require acquiring and setting up a computer between my DSL modem and WAP. Since the two are presently integrated, the expense and bother would be even greater.

As is so always the case, a few bad apples have made it necessary to discontinue a good thing.

Knives and Britain

I must admit, I find the ongoing debate about knives in the UK somewhat perplexing. The leader of the Conservative Party wants mandatory jail time for anyone caught carrying one. Editors at the BBC argue that the problem may be overblown. To me, it seems like what people are missing is the fundamental difference between knives and weapons. Obviously, a knife can be used as a weapon. So can a hammer, umbrella, or fork. While we rightly appreciate that it is illegitimate use of the latter that is problematic (and addressed through laws against assault, uttering threats, etc), it seems important to remember that use-as-a-weapon is aberrant, rather than to be expected.

At virtually all times, I have either one or two small folding knives on me: one on the SOG Crosscut on my keychain and a CRKT Kiss in my backpack. When I am travelling or going into the woods, I will often have a Swisstool X with me as well. Probably the most common uses of these are cutting food and paper, though each has been used in dozens of ways. Knives are ancient, highly versatile, and useful tools – one of the first technologies to differentiate the human species from less adaptive animals. Assuming that I am carrying either as a weapon strikes me as unfair, as well as a reversal of the presumption of innocence. The onus must be on the authorities to prove malicious intent, rather than upon the individual to prove their intentions benign.

On a side note, all of this is very different for guns, particularly handguns. The only plausible use for a handgun is as a weapon. One never goes on a picnic and regrets the lack of one. Restricting the ownership and carrying of guns is an entirely reasonable restriction, as a manifestation of their nature.

Who are you really talking to?

Bruce Schneier has an interesting post about man-in-the-middle attacks. These are situations in which party A and party B are trying to exchange sensitive information privately (for instance, credit card numbers or orders for moving hostages) without realizing that party E is in between them, pretending to be party A to party B, and vice versa.

The attack model has been mentioned here before in the context of cellular phones. It is rather more interesting in the context of the Betancourt rescue from the FARC.

Bletchley Park today

Bletchley Park, the English manor where codebreaking was undertaken during the Second World War, has been falling into disrepair due to lack of funds. This seems especially ungrateful, given the extremely important role the signals intelligence developed there played in the war. In particular, the decipherments helped to clear the Atlantic of U-boats, keep the United Kingdom supplied, and eventually shift the people and equipment required for D-Day and the retaking of the continent.

Work done at Bletchley was also important in relation to the emergence of modern computers. If there are historical sites worth preserving, this is surely one of them. Thankfully, the Heritage Lottery fund now seems likely to provide funding.

The fact that the codebreaking work done at Bletchley was not publicly announced until the 1970s makes it doubly important to tell the story well now. For decades, people who worked there had to respond with awkward silence when asked how they contributed to the war effort. Their extraordinary contribution deserves to be well marked today.

‘Hair shirt’ environmentalism

In environmental discussions, I frequently see people deriding ‘hair shirt’ environmentalism: basically, the idea that a sustainable society should involve self-sacrifice. There are libertarian sorts who assert their right to live as they wish, without interference. There are also strategic environmentalists who believe that (a) personal sacrifice is not strictly necessary and (b) only approaches that do not call for it will succeed on a societal level.

In order to get into the analysis of this a bit, I think it makes sense to separate three basic ‘hair shirt’ positions. Each holds that it is either necessary or desirable to cut down on some collection of conveniences:

Conserve or we’re doomed

The people of Easter Island didn’t stop their wars and stone head making because they were guilted into it by hippie sorts. They stopped because their ability to sustain a society failed. Conceivably, this could happen at the level of a contemporary state, a region, or the global society.

This viewpoint includes those who think runaway climate change is a major concern, either because it is likely or because the sheer destructiveness it would bring justifies extensive precaution even in the face of a low chance of occurrence. It also includes those who think that when oil runs out we will (a) be unable to locate adequate replacement forms of energy and (b) that this will make civilization impossible to sustain.

Harm Principle advocates

These people argue that libertarians are wrong to assert that one person’s choice to fly or drive is not the business of others. In particular, there is the welfare of those alive now who are vulnerable to climate change (especially in the Arctic, in megadelta, and in small island states). There is also the matter of future generations, and the argument that it is morally wrong to pass a damaged and diminished world on to them.

For these people, it is fine to keep consuming as much energy and as many goods as desired, provided the mechanisms through which they are produced, used, and ultimately disposed of do not cause morally unacceptable harm to others. Naturally, questions about what types and levels of harm are permissible are contested.

Moral minimalists

This group argues that living a simple life is a virtue unto itself. It is split between those who simply choose to adopt such a life themselves and those who argue that others should or must do likewise. In that sense, they are a bit like vegetarians; some try to convert people willingly, others assert that there is a universal moral requirement to be vegetarian, and some are happy to let others do as they wish.

I don’t think any of the views is entirely correct or entirely incorrect.

I do believe that there are ongoing societal behaviours that run a strong risk of undermining the material basis for society, over the long term. Most critical by far is climate change. Runaway climate change would almost certainly mean the end of human civilization. Avoiding that is both prudent and a strong moral requirement. That being said, it is hard to estimate how the climate will respond to a particular collection of forcings – especially when there are tipping points to consider. It is also hard to predict what future generations will be able to do. It is possible that the end of oil will be a global disaster; it is also possible that the transition to renewable sources of energy will be relatively unproblematic.

I also believe that there are many things people in the rich world do as a matter of course that cause unacceptable harm to those alive today and those who will live. I think this is a strong moral basis for requiring behavioural change, including potentially painful changes like restricting air travel and curtailing harmful forms of agriculture.

The moral minimalists have the weakest case, when it comes to asserting the universal validity of their ideas. That being said, they draw attention to the ways in which changes in societal expectations can have big ecological effects. Think of the way in which the ill treatment of whales and primates has come to be rejected by most people. Similarly, note how nasty bogs to be cleared away have become pristine wetlands to conserve – in people’s imaginations, at least, if not in relation to their behaviour. Changes in the general worldview of a society can certainly affect sustainability: both for good and for ill.

In any case, I don’t think it is legitimate to reject the possibility that ‘hair shirt’ actions will be necessary, either on the basis of individual liberty, non-necessity, or political strategy. The strategy point I will debunk more thoroughly another time. For now, it suffices to say that telling people the transition will be relatively painless leaves you in an awkward position if it transpires that deeper (and less voluntary) changes are required.

Statistics in cryptanalysis and paleoclimatology

Reading Wallace Broecker‘s new book on paleoclimatology, I realized that a statistical technique from cryptanalysis could be useful in that field as well. Just as the index of coincidence can be used to match up different ciphertexts partially or completely enciphred with the same key and polyalphabetic cryptosystem, the same basic statistics could be used to match up ice or sediment samples by date.

As with the cryptographic approach, you would start with the two sections randomly aligned and then alter their relative positions until you see a big jump in the correlation between them. At that point, it is more likely than not that you have aligned the two. It probably won’t work perfectly with core samples – since they get squished and stretched by geological events and churned by plants and animals – but an approach based on the same general principle could still work.

Doubtless, some clever paleoclimatologist devised such a technique long ago. Nonetheless, it demonstrates how even bits of knowledge that seem utterly unrelated can sometimes bump up against one another fortuitously.

Oil’s next century

With oil prices at levels rivaling those during the crises of the 1970s, virtually everyone is clamouring for predictions about medium and long-term prices. Those concerned about climate change are also very actively wondering what effect higher hydrocarbon prices will have.

In order to know what the future of oil looks like, answers are required to a number of questions:

How will the supply of oil change during the decades ahead? How many new reserves will be found, where, and with what price of extraction? How much can Saudi Arabia and Russia expand production? When will their output peak?
How will the demand for oil change? How much and how quickly will high prices depress demand in developed states? What about fast growing developing states like India and China?
At what rate, and what cost, will oil alternatives emerge. Will anyone work out how to produce cellulosic ethanol? Will the development of oil sands and/or oil shale continue apace?
What geopolitical consequences will prices have? If prices are very high, will that prove destabilizing within or between states?
Will the emerging alternatives to oil be carbon intensive (oil sands, corn ethanol) or relatively green (cellulosic ethanol, biomass to liquids)?

Of course, nobody knows the answer to any of this with certainty. There are ideological optimists who assert that humanity will respond to incentives, innovate, and prosper. There are those who allege that oil production is bound to crash, and that civilization as we know it is likely to crash as well.

Mindful of the dangers of prediction, I will hold off on expressing an opinion of my own right now. The magnitude of the questions is far too great to permit solution by one limited mind. What contemplating the variables does allow is an appreciation for the vastness and importance of the issue. Virtually any combination of answers to the questions above will bring new complications to world history.

The index of coincidence

If you are dealing with a long polyalphabetically enciphered message with a short key, the Kasiski examination is an effective mechanism of cryptanalysis. Using repeated sections in the ciphertext, and the assumption that these are often places where the same piece of plaintext was enciphered with the same portion of the key, you can work out the length of the keyword. Then, it is just a matter of dividing the message into X collections of letters (X corresponding to the length of the keyword) and performing a frequency analysis of each. That way, you can identify the cipher alphabet used in each of the encipherments, as well as the keyletter.

If the key is long, however, it may be impossible to get enough letters per alphabet to perform a frequency analysis. Similarly, there may not be enough repetitions in the key to create the pairings Kasiski requires. Here, the clever technique of the index of coincidence may be the answer.

Consider two scenarios, one in which you have two strings of random letters and one in which you have two strings of English:

GKECOAENCYBGDWQMGGRR
VQNWSKXMJWTBKCCMRJUO

TOSTRIVETOSEEKTOFIND
SOWEBEATONBOATSAGAIN

At issue is the number of times letters will match between the top and bottom row. When the strings are random, the chance is always 1/26 or 0.0385. Because some letters in English are more common and some are less common, a match is more likely when using English text. Imagine, for instance, that 75% of the letters in a normal English sentence were ‘E.’ Any two pieces of English text would get a lot of ‘E’ matches. Even if enciphered so that ‘E’ is represented by something else, the number of matches would remain higher than a random sample.

Since polyalphabetic ciphers involve enciphering each letter in a plaintext using a different ciphertext alphabet, an ‘E’ in one part of a ciphertext need not represent an ‘E’ somewhere else. That being said, as long as you line up two ciphertext messages so the letter on top and the letter underneath are using the same alphabet, you will get the same pattern of better-than-random matches for Englist text. Imagine, to begin with, a message enciphered using five different alphabets (1,2,3,4 and 5). Two messages using the same alphabets and key (say, 54321) could be ligned up either in a matching way or in an offset way:

543215432154321
543215432154321

543215432154321
321543215432154

Note that these strings describe the alphabet being used to encipher each plaintext letter, not the letter itself. In the second case, the probability of a match should be essentially random (one property of polyalphabetic ciphers is that they flatten out the distribution of letters from the underlying plaintext). In the second case, we would get the same matching probability as with unenciphered English (0.0667). We can thus take any two messages enciphered with the same key and try shifting them against each other, one letter at a time. When the proportion of matches jumps from about 0.0385 to about 0.0667, we can conclude that the two have been properly matched up. This is true regardless of the length of the key, and can be used with messages that are not of the same length.

This doesn’t actually solve the messages for us, but it goes a long way toward that end. The more messages we can collect and properly align, the more plausible it becomes to crack the entire collection and recover the key. This method was devised by William F. Friedman, possibly America’s greatest cryptographer, and is notable because anybody sufficiently clever could have invented it back when polyalphabetics were first used (16th century or earlier). With computers to do the shifting and statistics for us, the application of the index of coincidence is a powerful method for use against polyalphabetic substitution ciphers, including one time pads where the operators have carelessly recycled sections of the key.