Framing, selection, and presentation issues

Harris Manchester College, Oxford

One of the major issues that arises when examining the connections between science and policy is the way information is framed. You can say that the rate of skin cancer caused by a particular phenomenon has increased from one in ten million cases to one in a million cases. You can say that the rate has increased tenfold, or that it has gone up by 1000%. Finally, you could say that an individual’s chances of getting skin cancer from this source have gone up from one tiny figure to a larger, but still tiny-seeming, figure. People seem to perceive the risks involved in each presentation differently, and people pushing for one policy or another can manipulate that. This can be especially true when the situations being described are not comparably rare: having your chances of being killed through domestic violence reduced 1% is a much greater absolute reduction than having your chances of dying in a terrorist attack reduced by 90%.

Graphing

When talking about presentation of information, graphs are an important case. Normally, they are a great boon to understanding. A row of figures means very little to most people, but a graph provides a wealth of comprehensible information. You can see if there is a trend, what direction it is in, and approximately how strong it is. The right sort of graph, properly presented, can immediately illuminate the meaning of a dataset. Likewise, it can provide a compelling argument: at least, between those who disagree more about what is going on than how it would be appropriate to respond to different situations.

People see patterns intuitively, though sometimes they see order in chaos (the man on the moon, images of the Virgin Mary in cheese sandwiches). Even better, they have an automatic grasp of calculus. People who couldn’t tell you a thing about concavity and the second derivative can immediately see when a slope is upwards and growing ever steeper: likewise, one where something is increasing or decreasing, but at a decreasing rate. They can see what trends will level off, and which ones will explode off the scale. My post on global warming damage curves illustrates this.

Naturally, it is possible to use graphs in a manipulative way. You can tweak the scale, use a broken scale, or use a logarithmic scale without making clear what that means. You can position pie charts so that one part or another is emphasized, as well as abuse colour and three dimensional effects. That said, the advantages of graphs clearly outweigh the risks.

It is interesting to note how central a role one graph seems to have played in the debate about CFCs and ozone: the one of the concentration of chlorine in the stratosphere. Since that is what CFCs break down to produce, and that is what causes the breakdown of ozone, the concentration is clearly important. The graph clearly showing that concentrations would continue to rise, even under the original Montreal Protocol, seems to have had a big impact on the two rounds of further tightening. Perhaps the graph used so prominently by Al Gore in An Inconvenient Truth (the trends on display literally dwarfing him) will eventually have a similar effect.

Stats in recent personal experience

My six-month-old Etymotic ER6i headphones are being returned to the manufacturer tomorrow, because of the problems with the connector I reported earlier. Really not something you expect for such a premium product, but I suppose there are always going to be some defects that arise in a manufacturing process. Of course, being without good noise isolating headphones for the time it will take them to be shipped to the US, repaired or replaced, and returned means that reading in coffee shops is not a possibility. Their advantage over libraries only exists when you are capable of excluding the great majority of outside noise and of drowning the rest in suitable music.

Speaking of trends, I do wonder why so many of my electronics seem to run into problems. I think this is due to a host of selection effects. I (a) have more electronics than most people (b) use them a great deal (c) know how they are meant to work (d) know what sort of warranties they have and for how long (e) treat them so carefully that manufacturers can never claim they were abused (f) maintain a willingness to return defective products, as many times as is necessary and possible under the warranty. Given all that, it is not surprising that my own experience with electronics failing and being replaced under warranty is a lot greater than what you might estimate the background rate of such activity to be.

Two other considerations are also relevant. It is cheaper for manufacturers to rely upon consumers to test whether a particular item is defective, especially since some consumers will lose the item, abuse it, or simply not bother to return it even if defective. Secondly, it is almost always cheaper to simply replace consumer electronics than to fix them, because of the economies of scale involved in either activity. From one perspective, it seems wasteful. From another, it seems the more frugal option. A bit of a paradox, really.

[14 March 2007] My replacement Etymotic headphones arrived today. Reading in coffee shops is possible again, and none too soon.

Making a hash of things

The following is the article I submitted as part of my application for the Richard Casement internship at The Economist. My hope was to demonstrate an ability to deal with a very technical subject in a comprehensible way. This post will be automatically published once the contest has closed in all time zones.

Cryptography
Making a hash of things

Oxford
A contest to replace a workhorse of computer security is announced

While Julius Caesar hoped to prevent the hostile interception of his orders through the use of a simple cipher, modern cryptography has far more applications. One of the key drivers behind that versatility is an important but little-known tool called a hash function. These consist of algorithms that take a particular collection of data and generate a smaller ‘fingerprint’ from it. That can later be used to verify the integrity of the data in question, which could be anything from a password to digital photographs collected at a crime scene. Hash functions are used to protect against accidental changes to data, such as those caused by file corruption, as well as intentional efforts at fraud. Cryptographer and security expert Bruce Schneier calls hash functions “the workhorse of cryptography” and explains that: “Every time you do something with security on the internet, a hash function is involved somewhere.” As techniques for digital manipulation become more accessible and sophisticated, the importance of such verification tools becomes greater. At the same time, the emergence of a significant threat to the most commonly used hashing algorithm in existence has prompted a search for a more secure replacement.

Hash functions modify data in ways subject to two conditions: that it be impossible to work backward from the transformed or ‘hashed’ version to the original, and that multiple originals not produce the same hashed output. As with standard cryptography (in which unencrypted text is passed through an algorithm to generate encrypted text, and vice versa), the standard of ‘impossibility’ is really one of impracticability, given available computing resources and the sensitivity of the data in question. The hashed ‘fingerprint’ can be compared with a file and, if they still correspond, the integrity of the file is affirmed. Also, computer systems that store hashed versions of passwords do not pose the risk of yielding all user passwords in plain text form, if the files containing them are accidentally exposed or maliciously infiltrated. When users enter passwords to be authenticated, they can be hashed and compared with the stored version, without the need to store the unencrypted form. Given the frequency of ‘insider’ attacks within organizations, such precautions benefit both the users and owners of the systems in question.

Given their wide range of uses, the integrity of hash functions has become important for many industries and applications. For instance, they are used to verify the integrity of software security updates distributed automatically over the Internet. If malicious users were able to modify a file in a way that did not change the ‘fingerprint,’ as verified through a common algorithm, it could open the door to various kinds of attack. Alternatively, malicious users who could work backward from hashed data to the original form could compromise systems in other ways. They could, for instance, gain access to the unencrypted form of all the passwords in a large database. Since most people use the same password for several applications, such an attack could lead to further breaches. The SHA-1 algorithm, which has been widely used since 1995, was significantly compromised in February 2005. This was achieved by a team led by Xiaoyun Wang and primarily based at China’s Shandong University. In the past, the team had demonstrated attacks against MD5 and SHA: hash functions prior to SHA-1. Their success has prompted calls for a more durable replacement.

The need for such a replacement has now led the U.S. National Institute of Standards and Technology to initiate a contest to devise a successor. The competition is to begin in the fall of 2008, and continue until 2011. Contests like the one ongoing have a promising history in cryptography. Notably, the Advanced Encryption Standard, which was devised as a more secure replacement to the prior Data Encryption Standard, was decided upon by means of an open competition between fifteen teams of cryptographers between 1997 and 2000. At least some of those disappointed in that contest are now hard at work on what they hope will become one of the standard hash functions of the future.
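The password check described in the article (hash what the user enters, compare it with the stored value), as an added example that is not part of the original article: a bare hash beside a salted, deliberately slow derivation. The account names, passwords and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users who picked the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}
ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def bare_hash(password):
    """Hash-and-compare exactly as described: no salt, one fast hash."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def enroll(password):
    """Store a random per-user salt and a slow PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(record, attempt):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


def shared_password_groups(stored):
    """Accounts whose stored values are identical, i.e. what a reader of an
    exposed table learns about password reuse without cracking anything."""
    by_value = {}
    for name, value in stored.items():
        by_value.setdefault(value, []).append(name)
    return sorted(sorted(names) for names in by_value.values() if len(names) > 1)


def build_tables(users):
    """Return (bare, salted) tables for the same set of users."""
    bare = {name: bare_hash(pw) for name, pw in users.items()}
    salted = {name: enroll(pw) for name, pw in users.items()}
    return bare, salted


if __name__ == "__main__":
    bare, salted = build_tables(SAMPLE_USERS)
    print("bare table groups:  ", shared_password_groups(bare))
    print("salted table groups:", shared_password_groups(
        {name: rec["digest"] for name, rec in salted.items()}))
    print("correct password accepted:", verify(salted["alice"], "correct horse"))
    print("wrong password accepted:  ", verify(salted["alice"], "wrong horse"))
```

The bare table reveals that the two accounts share a password even though the hash itself is unbroken; the per-user salt removes that signal, and the iteration count raises the cost of each guess against an exposed table.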

Separate not a man from his techie tools

I have a request for intelligent people around the world. Can we please agree that tiny little multi-tools like my SOG CrossCut are in no way dangerous weapons? Certainly, they are no more so than all manner of items (from pens to umbrellas) that are legitimately carried into all manner of places.

As one of the items that I carry around virtually everywhere, I am quite reliant upon it: particularly the scissors, screwdriver, bottle opener, and ruler. When I am forced to not carry it, usually because of travel, I frequently find myself frustrated and annoyed. The same should go for the Leatherman Micra and similar tools. Gram for gram, these little things are up there with LED headlamps, in terms of usefulness in varied circumstances.

PS. This minor tirade was prompted by this lengthy article on survival equipment, written by Neil Andrews. Judging by his ‘modules,’ he is the fellow to know in the event of a massive natural disaster or zombie attack.

It comes in threes

Claire Leigh working

The first substantive chapter of the thesis is about problem identification and investigation. This is not being treated as necessarily temporally prior to the next two substantive chapters (consensus formation and remedy design), but the three do seem analytically separable. Throughout the triptych, at least three themes are likely to be ever-present: the moral relevance of uncertainty, the importance of social roles, and the ways in which normative assumptions are embedded and concealed within processes.

The confluence of three other things defines the reasons for which this thesis is a novel contribution: the exploration of those themes, the combination and comparison of the two case studies, and the focus upon the contribution that international relations as a discipline can make to the subject at hand. Having those three overlapping reasons is comforting, because it means I am quite unlikely to be utterly scooped by someone else who is looking at the same problems in similar ways.

Pragmatically, it does seem like the environment is likely to be a growth area in international relations. That said, there are three major possibilities for the future overall:

  1. Climate change proves to be less threatening than the worst case, runaway change scenarios would suggest; other environmental problems prove manageable
  2. Climate change is as bad as some of the most pessimistic assessments claim, but it is uniquely threatening among environmental problems
  3. For whatever reason (population growth, economic growth, technological progress, etc) additional problems of the climate change magnitude will arise

If I had to put my money on one of those options, it would be the second. I can see human behaviour causing all manner of specific problems, both localized or confined to particular species or elements of the environment. It is hard to see another human activity (aside from the danger of nuclear war) that threatens the possibility of human society continuing along a path of technological and economic evolution, during the next three to five hundred years.

‘Able Archer’ and leadership psychology

If you have any interest in nuclear weapons or security and you have never heard of the 1983 NATO exercise called ‘Able Archer’ you should read today’s featured Wikipedia article.

One fascinating thing it demonstrates is the amazing willingness of leaders to assume that their enemies will see actions as benign that, if they had been taken by those same enemies, would be seen as very aggressive. Case in point: the issues America is raising about Iranian intervention in Iraq. If Iran was involved in a major war on America’s doorstep, you can bet that there would be American intervention. This is not to assert any kind of moral equivalency, but simply to state the appallingly obvious.

The environment as a security matter

Of late, it has become somewhat trendy to consider the environment as a ‘security’ issue. The most frequently cited example is the danger of massive refugee flows caused by environmental factors (such as climate change or desertification). Also common are assertions that people will soon begin fighting wars over natural resources. While massive environmental change can obviously spark conflict, I am skeptical about claims that this constitutes a major change in the character of international security.

To me, the first strain of thinking seems a lot more plausible than the second. There are already island nations that need to think seriously about what the 7-23″ rise in sea levels by 2100 projected in the fourth IPCC report will mean for their habitability. Environmental factors like soil quality and rainfall have helped to determine the patterns of human habitation and production for all of history, and it is unsurprising that changes in such things could have serious disruptive effects. Large scale population movements, both within and between states, are concerning because of the level of suffering they generally involve, as well as the possibility that they will have problematic secondary effects such as inducing conflict or spreading infectious disease.

The idea of resource wars is one that I think has been overstated and, to some extent, misunderstood. There are certainly resources that can and have been fought over, and resource issues frequently play a role in establishing the duration and character of conflicts. Armed groups with no economic base cannot long persist in the costly business of war-fighting. That said, the idea that states will go to war over something like water seems, in most cases, implausible. War is an exceptionally costly enterprise – much more so than new purification or desalination facilities. Also, most water problems arise from irrational patterns of usage, often themselves the product of a distorted cost structure. While equity compels that people should be provided with enough water for personal needs as a standard function of government, it simply makes sense that those using it on a very large scale pay for it at a level that accurately reflects the costs of production. If that happened, we would see a lot more drip-feed irrigation and a lot fewer leaky pipes. Some perspective is also in order: producing all of the world’s municipal water through oceanic desalination would cost only 0.5% of global GDP, and there is no reason to think that such a drastic step will ever be necessary. [1]

I am not saying that resources and conflict are unrelated: I am saying there is no reason to believe hyperbolic claims about the nature of international security being fundamentally altered by resource issues. It is also worth noting that conflicts over resources are often used as justifications to engage in actions that can be more sensibly explained by considering other causes.

Thinking about the environment as a security issue has implications both for prevention and mitigation behaviours. Because politicians and the general public place a special emphasis on matters of security, spinning the environment that way can be a form of rent seeking. Those who see the need to do more as pressing may find that this kind of resource transfer justifies selling the security side of the environment more than they otherwise would. On the mitigation side, it suggests that dealing with environmental problems may require forceful action to prevent or contain conflicts. Given the aforementioned costs of such actions, the case to take preventative action against probable but uncertain threats becomes even stronger.

[1] Shiklomanov, Igor A. “Appraisal and assessment of world water resources.” Water International. 25(1): 11-32. 2000

PS. People interested in the hydrosphere may enjoy reading the accessible and informative chapter on it in John McNeill’s Something New Under the Sun. This report from SOAS on water and the Arab-Israeli Conflict also makes some good points.

More amateur cryptography

One of the oldest problems in cryptography is key management. The simplest kind of cryptographic arrangement is based on a single key used by however many parties both for encryption and decryption. This carries two big risks, however. In the first place, you need a secure mechanism for key distribution. Secondly, it is generally impossible to revoke a key, either for one individual or for everyone. Because of these limitations, public key cryptography (which utilizes key pairs) has proved a more appropriate mechanism in many applications.

Once in a while, now, you read about ‘unbreakable’ cryptography based on quantum mechanics. The quantum phenomena employed are actually used for key generation, not for the actual business of encrypting and decrypting messages. Like the use of a one-time pad, the symmetric keys produced by this system hold out the promise of powerful encryption. Of course, such systems remain vulnerable to other kinds of cryptographic attacks, particularly the ‘side channel’ attacks that have so often been the basis for successful code-breaking. Recent examples include the cracking of the encryption on DVDs, as well as Blu-Ray and HD-DVDs.

An example of a side-channel attack is trawling through RAM and virtual memory to try and find the password to some encrypted system. When you log in to a website using Secure Sockets Layer (SSL), the data sent over the network is encrypted. That said, the program with which you access the site may well take the string of text that constitutes your password and then dump it into RAM and/or the swap space on your hard disk somewhere. Skimming through memory for password-like strings is much less resource intensive than simply trying every possible password. Programs like Forensic Toolkit by AccessData make this process easy. People who use the same string in multiple applications (any of which could be storing passwords insecurely) are even more vulnerable.

As in a large number of other security related areas, people using Apple computers have a slight advantage. While it is not on by default, if you go into the security menu in the system preferences, you can turn on “Use secure virtual memory.” This encrypts the contents of your swap space, to help protect against the kind of attack described above.

The real lesson of all of this is that total information security can never be achieved. One just needs to strike a balance between the sensitivity of the data, the probability of it coming under examination, and the level of effort that would be required to overcome whatever security is in place.

PS. My PGP public key is available online, for anyone who wants to send me coded messages. Free copies of the encryption software Pretty Good Privacy (PGP) can also be easily downloaded.

GMail security hole

Path to Marston

As people who read techie news pages like Engadget and Slashdot already know, a somewhat serious security flaw in GMail has recently been uncovered. Specifically, when you are logged into GMail in one browser window or tab, any other site you visit can grab your entire contact list. Whether that is a serious leak or not is a matter of perspective. Certainly, it exposes all of your friends to even more spam than they already receive.

Read the following carefully before you click anything. If you want to see the script that grabs contact lists at work, follow this link. Engadget says it’s “non-malicious,” but the risk is yours. The bug arises from the way in which GMail stores your contacts as a JavaScript file that can be requested by other websites. Google claims they have fixed the bug but, as the link above will prove, they have not.
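The server-side pattern behind this kind of leak, next to a hardened form, as an added example that is not Google's code or part of the original post. The session store, the `X-CSRF-Token` header, the `renderContacts` wrapper and the sample contact are all assumptions made for the illustration.

```python
import hmac
import json
import secrets

# Constructed sample data and an in-memory session store (both hypothetical).
CONTACTS = [{"name": "A. Friend", "email": "friend@example.org"}]
SESSIONS = {"cookie-abc": {"csrf_token": secrets.token_urlsafe(32)}}
GUARD = ")]}',\n"  # turns the body into a syntax error if loaded as a script


def contacts_as_script(cookies):
    """The pattern the post describes: the only check is the session cookie,
    which the browser attaches to any request, and the body is executable
    JavaScript that another site can include with a script tag."""
    if cookies.get("session") not in SESSIONS:
        return 403, {}, ""
    body = "renderContacts(%s);" % json.dumps(CONTACTS)
    return 200, {"Content-Type": "text/javascript"}, body


def contacts_as_data(cookies, headers):
    """Hardened form: a per-session token must arrive in a custom header,
    which a cross-site script include cannot set, and the body is served as
    guarded JSON that does not run if included as a script."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 403, {}, ""
    supplied = headers.get("X-CSRF-Token", "").encode("utf-8")
    expected = session["csrf_token"].encode("utf-8")
    if not hmac.compare_digest(supplied, expected):
        return 403, {}, ""
    response_headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, response_headers, GUARD + json.dumps(CONTACTS)


def parse_guarded(body):
    """What the site's own client does: strip the guard, then parse JSON."""
    if not body.startswith(GUARD):
        raise ValueError("missing guard prefix")
    return json.loads(body[len(GUARD):])


if __name__ == "__main__":
    # A request triggered from another site carries the cookie and nothing else.
    cross_site_cookies = {"session": "cookie-abc"}
    print("script endpoint:", contacts_as_script(cross_site_cookies)[0])
    print("data endpoint, no token:", contacts_as_data(cross_site_cookies, {})[0])
    token = SESSIONS["cookie-abc"]["csrf_token"]
    status, _, body = contacts_as_data(cross_site_cookies, {"X-CSRF-Token": token})
    print("data endpoint, with token:", status, parse_guarded(body))
```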

Plausible attacks

A site that wanted to be really sneaky could exploit this information in many ways. At the very least, it could be used to very easily identify many of the people who are visiting. Knowing someone’s contact list might help in the launching of phishing attacks. It could, for example, make it easier to work out what company someone works for. You could then find out who does their information technology and send spoofed emails that seem to come from the IT department, asking for passwords or other sensitive information.

If it is a site that contains content that many people would not want others to know that they view, it could grab the email addresses for people with the same last name as you and threaten to send them information on your surfing history. A less complicated ploy would be to use emails that seem to come from people who you know to get through spam filters. Because of email spoofing, it is very easy to make messages seem to be coming from someone else.

Implications

As someone with 1037 MB of data in my main GMail account – including 14,410 emails and more than 1500 instant message conversations – I am naturally very concerned about GMail security. There is tons of stuff in there that I would be profoundly opposed to seeing on a public search engine, as has already happened in at least one case with private GMail data.

Contrary to their own assertions, Google had analysed and indexed all e-mails processed through their mail service. Due to a mistake made by an administrator, a database of the highly secret project was mirrored onto the external index servers, and as a result, the private mails of thousands of GMail users could be accessed via the search front-end for at least one hour.

Source

Clearly, it would be preferable if GMail started using durable encryption on their archived messages. This would both protect the messages from hostile outsiders and keep Google from doing anything undesirable with them. Even a passphrase based symmetric-key encryption system (perhaps based on AES) would be an improvement. I bet all the students at Arizona State University, which had turned to GMail to provide all their email services, would feel likewise, if they knew.

[Update: 8:30pm] This article by Brad Templeton, the Chairman of the Electronic Frontier Foundation, makes some good general points about GMail and privacy.

[Update: 11:00pm] According to Engadget, this hole has been fixed. It’s good that it was dealt with so quickly, but there are still reasons to be concerned about GMail security in general.

[Update: 2 January 2007] The mainstream media has caught up with the story. CBC News: Teen exposes Google security flaw.

[Update: 18 July 2008] GMail just added a very useful ‘Activity on this account’ feature. It tells you (a) whether any other computers are logged into the account and (b) when and where the last five logins took place from. This is excellent.

Back in the UK

Istanbul cats

Back in the comparative warmth of Oxford, I am enjoying how it feels to be on a computer with a properly calibrated screen and a keyboard familiar enough to require no peeking. It is gratifying to see how much better my photos look when properly displayed.

Since this is my father’s last night in England, I am not going to spend the three hours or so that it will take to sort through my photos from Turkey, just now. You can expect my previous entries to start getting illustrated as of tomorrow, as well as additional batches on Facebook and Photo.net.

PS. Both my iPod Shuffle and my USB flash drive picked up a few viruses over the course of visiting hostel and internet cafe computers. Thankfully, they are all viruses that only affect Windows machines. Travelers with laptops (or computers running Windows back home) beware. I do feel bad about spreading viruses between all those machines; no wonder they were so slow.