Category: Security

Security is immunity from the will of others.

Revitalized

Bike beside St. Antony's College, Oxford

Essentially back to back this evening, I had two of the best lectures since arriving in Oxford. It was a well-timed reminder of why it is so valuable to be here, and the kind of knowledge and people one can be exposed to in this environment.

The first speaker was Hilary Benn, appearing as part of the Global Economic Governance series. He is the Secretary of State for International Development in the current British Government. His speech took in everything from institutional reform at the World Bank to what should be done in Darfur. While he may have oversimplified a great deal at times, it was nonetheless refreshing to hear a government official saying some very sensible and progressive things about the role Britain should play in the world. During the question session, I asked him about his department’s policy position on West African fisheries. He advised me to write him a letter, and promised a detailed response. Thanks to an aid, I have the real email address of a British cabinet member in my pocket. I will come up with a cover letter that addresses the major points, then include a copy of the article in print in case he (or a staffer) wants more detail.

The second speaker, through the Strategic Studies Group, was Rear Admiral C.J. Parry. I spoke with him during dinner about his aviation experience (he actually flew a V-22 Osprey). His talk, in the capacity of Director General of Development, Concepts and Doctrine for the Ministry of Defence at Shrivenham, was a look forward into major strategic threats in the next thirty years or so. That said, it was a candid and engaging presentation that has sparked a lot of thought and debate – exactly what the mandate of OUSSG is to provide.

§

Sorry if this is all a bit breathless, but I suddenly feel as though I have a lot to do – and not just in terms of the thesis work I have been dreading.

PS. Both Kai and Alex are back, which adds to my sense of rejuvination. Likewise, the opportunity that has been afforded to see the friendly trio of Bryony, Claire, and Emily was most welcome. Indeed, seeing all members of the program has felt a bit like suddenly being surrounded by friends in Vancouver. Things with my new college advisor – Robert Shilliam – are also going well.

PPS. I have my first free Wadham high table dinner booked for tomorrow, as part of the Senior Scholarship.

Protecting your computer

Beaumont Street, Oxford

At least once or twice a month, someone who I know endures a computational disaster. This could be anything from a glass of wine spilled on a laptop to some kind of complex SQL database problem. In the spirit of Bruce Schneier, I thought I would offer some simple suggestions that anyone should be able to employ.

The most important thing is simply this: if it is important, back it up. Burn it to a CD, put it on a flash memory stick, email it to yourself or to a friend. The last thing you want is to have your laptop hard drive fail when it contains the only copy of the project you’ve spent the last month working on.

Now, for a quick list of tips. These are geared towards university students, not those with access to sensitive information or large amounts of money:

  1. Do not trust anything you see online. If you get an email from ‘PayPal’ or your bank, assume it is from someone trying to defraud you. It probably is. Likewise, just because a website looks reputable, do not give it any sensitive information. This includes passwords you use for things like your bank.
  2. Never address email messages to dozens of friends. Lots of viruses search through your computer for email addresses to sell to spammers or use for attacks. If anyone in that fifty person party invitation gets a virus, it could cause problems for all the rest. If you want to send emails to many people, use the Blind Carbon Copy (BCC) feature that exists in almost all email programs and web based email systems.
  3. If you run Windows, you must run a virus scanner. All the time. Without exception. If you run a Mac, run one in order to be sure you don’t pass along viruses to your friends. Both Oxford and UBC offer free copies of Sophos Antivirus. Install it and keep it updated.
  4. Run a spyware and adware scanner like AdAware often. If you are not doing advanced things with your computer, be proactive and use something like Spyware Blaster. (Note, some of the patches it installs can cause problems in rare circumstances.)
  5. No matter what operating system you run, make sure to apply security updates as soon as they come out. An unpatched Windows XP home machine is basically a sitting duck as soon as it is connected to the internet. See this BBC article.
  6. Only install software you really need. Lots of free software is riddled with spyware and adware that may not be removed when you uninstall it. Especially bad for this are some file-sharing programs. If you do any kind of file sharing, the importance of having a virus scanner becomes imperative.
  7. Never use secret questions. If you are forced to, fill the box with a long string of random letters and numbers. If you cannot remember your passwords, write them down and guard them like hundred dollar bills.
  8. For your web browser, use Firefox. Safari is fine, but you should never use Internet Explorer. If a website forces you to (especially something like a bank), complain.
  9. If there is something you really want to keep secret, either keep it on a device not connected to any network or encrypt it strongly. A user-friendly option for the latter is PGP. Whether it is some kind of classified research source or a photo of yourself you never want to see on the cover of the Daily Mail (once you are Prime Minister), it is best to encrypt it.
  10. Avoid buying compact discs that include Digital Rights Management (DRM). Many of the systems that are used to prevent copying can be easily hijacked by those with malicious ends. See one of my earlier posts on this.
  11. If you have a laptop, especially in Oxford or another high theft area, insure it. They can be stolen in a minute, either by breaking a window, picking a lock, or distracting you in a coffee shop. Aren’t you glad you made a backup of everything crucial before that happened?
  12. If your internet connection is on all the time (broadband), turn your computer off when you aren’t using it.

Basically, there are three big kinds of risks out there. The first is data loss. This should be prevented through frequent backups and being vigilant against viruses. The second is data theft. Anyone determined can break into your computer and steal anything on there: whether it is a Mac or a PC. That is true for everything from your local police force to a clever fourteen year old. Some of the suggestions above help limit that risk, especially the ones about security updates and turning off your computer when it is not in use. The third risk is physical loss or destruction of hardware. That is where caution and insurance play their part.

If everyone followed more or less this set of protocols, I would get fewer panicked emails about hard drives clicking and computers booting to the infamous Blue Screen of Death.

[Update: 6 January 2007] The recent GMail bug has had me thinking about GMail security. Here are a few questions people using GMail might want to ask themselves:

  1. If I search for “credit card” while logged in, do any emails come up that contain a valid credit card belonging to me or to someone else? I only ask because that is just about the first thing that someone malicious who gets into your account will look for. “Account number” and similar queries are also worth thinking about.
  2. Can someone who gets the password to my Facebook account, or some other account on a trivial site, use it to get into my GMail account?
  3. Have I changed the password to my GMail account in the last few weeks or months?

If the answer to any of those is ‘yes,’ I would recommend taking some precautionary action.

More split nuclei

On 16 July 1945, the United States did it. The Soviets followed suit on 29 August 1949, followed by the UK on 3 October 1952. The French followed on 13 February 1960, followed by China on 16 October 1964. On 18 May 1974, India joined the club, with Pakistan doing so on 28 May 1998. Israel and/or South Africa may have tested on 22 September 1979, in an incident detected by an American satellite.

As of 9 October 2006, North Korea seems to have tested a nuclear bomb. It makes you wonder how many more states will do so in the next fifty years, as well as what the security character of the Southeast Asian area, in particular, will be by then.

That said, while they seem to have scientists and engineers capable of making nuclear weapons, the North Koreans don’t seem to have staff capable of producing a particularly cogent English press release:

The nuclear test was conducted with indigenous wisdom and technology 100 percent. It marks a historic event as it greatly encouraged and pleased the KPA and people that have wished to have powerful self-reliant defense capability.

Since this test was pretty clearly meant for American audiences, you might have expected them to pay more attention to their wording. I suppose multi-kiloton underground blasts speak louder than press releases.

Despite such nationalist rhetoric, the test seems more likely to endanger the average North Korean than help them. In the short term, there is the danger that someone will try to strike their nuclear capability before they develop credible delivery systems. Also, as The Economist identifies: “[T]he immediate threats from North Korea’s new capability come from radioactive leaks into the atmosphere and North Korea’s groundwater.” Finally, the test risks sparking a nuclear arms race in Asia that threatens the security of the whole region, at least.

[Update: 1:30pm] Based on my server logs, lots of people have been looking for these photos of test sites in Nevada during the last few days. Google still hasn’t figured out that this site has moved to WordPress. In any case, the photos show one of the ugly legacies of testing and reinforce the point that, while world should be moving towards nuclear disarmament, the converse seems to be taking place.

On electronic voting

There is some controversy in The Netherlands right now about electronic voting. A group has gotten hold of a voting machine, discovered that the physical and software security therein is very weak, and otherwise established the possibility that determined individuals could significantly impact election results through electronic tinkering.

The advantages of electronic voting are fairly numerous. Firstly, it could be made to happen more quickly. This may advantage the media more than anyone else, but it may as well be listed. Secondly, electronic devices could be made easier to use for people with physical disabilities and the like. Another advantage the system should have is increasing standardization between voting districts. Skullduggery involving dated or problematic machines in districts likely to vote in a certain way has been noted in a number of recent elections. Also, having an electronic record in addition to a paper one could allow for cross-verification in disputed districts. In cases where the results very starkly do not match, it should be possible to repeat the vote, with greater scrutiny.

The answer to the whole issue is exceptionally simple:

  1. You are presented with a screen where you select from among clearly labeled candidates, with an option to write in a name if that is part of your electoral system.
  2. The vote is then registered electronically, by whatever means, and a piece of paper is printed with the person’s choice of candidate, ideally in large bold letters.
  3. For an election involving multiple choices, each is likewise spelled out clearly. For instance, “I vote NO on Proposition X (flags for orphans).”
  4. The voter then checks the slip to make sure it is correct, before dropping it in a ballot box.
  5. These are treated in the standard fashion: locked, tracked, and observed before counting.
  6. The votes are tallied electronically, with a decent proportion (say, 20%) automatically verified by hand.
  7. If there is any serious discrepancy between the paper and electronic votes, all the paper ballots should be counted. Likewise, if there is a court ordered recount on the basis of other allegations of electoral irregularity.

Electronic systems have vulnerabilities including hacked polling stations; transmission interception and modification; as well as server side attacks where the data is being amalgamated. Paper systems have vulnerabilities relating to physical tampering. Maintaining both systems, as independently as possible, helps to mitigate the risks of each separately and improve the credibility of the process. It is like having both your bank and your credit card company keep separate records of your transactions. If they do not match, you have a good leg to stand on when alleging some kind of wrongdoing.

This system could use relatively simple electronic machines, and may therefore actually cost less in the long run than all paper balloting. Critically, it would maintain an unambiguous paper trail for the verification of people’s voting intentions. Companies that deny the importance of such a trail are either not thinking seriously about the integrity of the voting process or have self interested reasons for holding such a position.

[Update: 14 October 2006] The Economist has a leader on electronic voting machines and the US midterm elections. They assert, in part:

The solutions are not hard to find: a wholesale switch to paper ballots and optical scanners; more training for election officials; and open access to machine software. But it is too late for any of that this time—and that is a scandal.

Quite right.

Truth and American politics: approaching the mid-terms

Written by Tariq Ramadan, a fellow at St. Antony’s, this statement about his lengthy troubles with trying to get a US visa is well worth reading. In part, he says:

I fear that the United States has grown fearful of ideas. I have learned firsthand that the Bush administration reacts to its critics not by engaging them, but by stigmatizing and excluding them. Will foreign scholars be permitted to enter the United States only if they promise to mute their criticisms of U.S. policy? It saddens me to think of the effect this will have on the free exchange of ideas, on political debate within America, and on our ability to bridge differences across cultures.

This hits straight at what I see as the biggest foreign policy problem in the United States. It is not the holding of convictions; nor is it the willingness to act upon them. It is willful ignorance and self-delusion applied to information that contradicts the existing stance of the administration. While this trend extends into domestic politics, the most stark examples exist in the area of foreign affairs.

It is fair enough to argue that, at the time of the invasion of Iraq, Saddam Hussein was widely considered a threat. This is a judgement that was not confined to the British and American intelligence services. The British and American administrations could say: “We may have been wrong, but we were honest in our beliefs.” To say, instead, that they have been right all along, or deny making claims that have been undeniably recorded makes you them either insane or cynically disinterested in the truth. The indictment here is not based on the truth or falsehood of the original claims, but on the unwillingness of a group of people to revise their positions, or even admit fault, when facts have proved them wrong.

When an intelligence report confirmed the absence of WMD at the same time as the administration was claiming that the report said the opposite, Jon Stewart cleverly remarked:

The official CIA report, the Duelfer Report, has come out. The one that they’ve been working on for the past two years that will be the definitive answer on the weapons of mass destruction programs in Iraq, and it turns out, uh, not so much. Apparently, there were no weapons of mass destruction in Iraq, and their capabilities had been degraded, and they pretty much stopped trying anything in ’98. Both the President and the Vice President have come out today in response to the findings and said that they clearly justify the invasion of Iraq. So, uh, some people look at a glass and see it as half full, and other people look at a glass and say that it’s a dragon.

A notorious example of the trend of denying past statements is Donald Rumsfeld on WMD: “We know where they are. They’re in the area around Tikrit and Baghdad and east, west, south and north somewhat.” on ABC’s This Week With George Stephanopoulos, 30 March 2003. When challenged, Rumsfeld has repeatedly denied having ever claimed certainty about the existence of Iraqi WMD. Dick Cheney has likewise lied about previous statements (example) in which he claimed that such weapons certainly existed. Numerous other examples are obvious: the administration has misjudged the seriousness of the Iraqi insurgency, entirely miscategorized the relationship between the former Iraqi leadership and Al Qaeda, and continually misrepresented the human rights records of friendly but abusive regimes, including Saudi Arabia and Pakistan.

While politics has never been a discipline where practitioners adhere closely to the truth (look at Taylor Owen’s article in this month’s Walrus about the scale of US bombing in Cambodia during the Johnson administration), there are times when the disjoint between official statements and observable reality becomes so broad as to indict all of those who cling to the former. The fact that the run-up to the mid-term elections is being dominated by a scandal that, while disturbing, is quite peripheral to the governmental record of the dominant party demonstrates how narrow and polarized political debate has become.

Let us hope that, whatever the results are, the November 7 midterm elections will lead to a more candid discussion of the most pressing issues regarding America’s place and actions in the world.

Basic problems with biometric security

You have to wonder whether anything other than having watched too many James Bond films feeds the idea that biometrics are a good means of achieving security. Nowadays, Canadians are not allowed to smile when they are having their passport photos taken, in hopes that computers will be able to read the images more easily. Of course, any computer matching system foiled by something as simple as smiling is not exactly likely to be useful for much.

Identification v. authentication

Biometrics can be used in two very distinct ways: as a means of authentication, and as a means of identification. Using a biometric (say, a fingerprint) to authenticate is akin to using a password in combination with a username. The first tells the system who you claim to be, the second attempts to verify that using something you have (like a keycard), something you know (like a password), or something you are (like a fingerprint scan). Using a biometric for identification attempts to determine who you are, within a database of possibilities, using biometric information.

Using a fingerprint scan for identification is much more problematic than using it for authentication. This is a bit like telling people to enter a password and, if it matches any password in the system, allow them into that person’s account. It isn’t quite that bad, because fingerprints are more unique and secure than passwords, but the problem remains that as the size of the database increases, the probability of false matching increases.

For another example, imagine you are trying to identify the victim of a car wreck using dental records. If person X is the registered owner and hasn’t been heard from since the crash, we can use dental records to authenticate that a badly damaged body almost certainly belongs to person X. This is like using biometrics for authentication. Likewise, if we know the driver could be one of three people, we can ascertain with a high degree of certainty which it is, by comparing dental x-rays from the body with records for the three possible matches. The trouble arises when we have no idea who person X is, so we try running the x-rays against the whole collection that we have. Not only is this likely to be resource intensive, it is likely to generate lots of mistakes, for reasons I will detail shortly.

The big database problem in security settings

The problem of a big matching database is especially relevant when you are considering the implementation of wholesale surveillance. Ethical issues aside, imagine a database of the faces of thousands of known terrorists. You could then scan the face of everyone coming into an airport or other public place against that set. Both false positive and false negative matches are potentially problematic. With a false negative, a terrorist in the database could walk through undetected. For any scanning system, some probability (which statisticians call Beta, or the Type II Error Rate) attaches to that outcome. Conversely, there is the possibility of identifying someone not on the list as being one of the listed terrorists: a false positive. The probability of this is Alpha (Type I Error Rate), and it is in setting that threshold that the relative danger of false positives and negatives is established.

A further danger is somewhat akin to ‘mission creep’ – the logic that, since we are already here, we may as well do X in addition to Y, where X is our original purpose. This is a very frequent security issue. For example, think of driver’s licenses. Originally, they were meant to certify to a police officer that someone driving a car is licensed to do so. Some types of people would try to attack that system and make fake credentials. But once having a driver’s license lets you get credit cards, rent expensive equipment, secure other government documents, and the like, a system that existed for one purpose is vulnerable to attacks from people trying to do all sorts of other things. When that broadening of purpose is not anticipated, a serious danger exists that the security applied to the originally task will prove inadequate.

A similar problem exists with potential terrorist matching databases. Once we have a system for finding terrorists, why not throw in the faces of teenage runaways, escaped convicts, people with outstanding warrants, etc, etc? Again, putting ethical issues aside, think about the effect of enlarging the match database on the possibility of false positive results. Now, if we can count on security personnel to behave sensibly when such a result occurs, there may not be too much to worry about. Numerous cases of arbitrary detention, and even the use of lethal force, demonstrate that this is a serious issue indeed.

The problem of rare properties

In closing, I want to address a fallacy that relates to this issue. When applying an imperfect test to a rare case, you are almost always more likely to get a false positive than a legitimate result. It seems counterintuitive, but it makes perfect sense. Consider this example:

I have developed a test for a hypothetical rare disease. Let’s call it Panicky Student Syndrome (PSS). In the whole population of students, one in a million is afflicted. My test has an accuracy of 99.99%. More specifically, the probability that a student has PSS is 99.99%, given that they have tested positive. That means that if the test is administered to a random collection of students, there is a one in 10,000 chance that a particular student will test positive, but will not have PSS. Remember that the odds of actually having PSS are only one in a million. There will be 100 false positives for every real one – a situation that will arise in any circumstance where the probability of the person having that trait (whether having a rare disease or being a terrorist) is low.

Given that the reliability of even very expensive biometrics is far below that of my hypothetical PSS test, the ration of false positives to real ones is likely to be even worse. This is something to consider when governments start coming after fingerprints, iris scans, and the like in the name of increased security.

PS. Those amazed by Bond’s ability to circumvent high-tech seeming security systems using gadgets of his own should watch this MythBusters clip, in which an expensive biometric lock is opened using a licked black and white photocopy of the correct fingerprint.

PPS. I did my first Wikipedia edit today, removing someone’s childish announcement from the bottom of the biometrics entry.

[Update: 3 October 2006] For a more mathematical examination of the disease testing example, using Bayes’ Theorem, look here.

The Economist on climate change

Catching up on the reading that accumulated in my absence, I have just gone through the Survey on Climate Change in the September 9-15 issue of The Economist. Their basic argument is that the possibility of catastrophic harm is sufficient to justify the costs of stabilizing the level of carbon in the atmosphere around 550 parts per million, compared with 280 ppm before the industrial revolution, 380 ppm now, and an estimated 800 ppm by 2100 is current policy goes unchanged. The most plausible dangers identified are disastrous shifts in ocean currents, dramatically cooling Europe, and the prospect of rising sea levels. Even modest amounts of the second could do enormous harm both in the coastal cities of the developed world and the lowlands of places like Bangladesh. Other problems include the possibility of an increase in the frequency and severity of extreme weather events, and large scale species migration or extinction.

Canada is singled out several times as unlikely to meet its Kyoto targets. We are committed to reduce emissions to 6% below 1990 levels by 2012, but seem likely to be 23% above. The survey quotes Environment Minister Rona Ambrose as saying: “it is impossible, impossible for Canada to reach its Kyoto targets.” The Economist had not previously been a supporter of Kyoto, though they surely support countries living up to commitments they have made. With this survey, the magazine seems to have changed tack from general opposition to the Kyoto Protocol to recognition that it may be a valid stepping stone towards a better organized and more all-encompassing climate change policy.

At the very least, the editorial change of heart signals strongly that climate change is no longer an issue whose reality is disputed, not suited to serious consideration by scientists, policy-makers, and the media. With my thesis in mind, it is largely the first group that I paid most attention to while reading this. At several points, the article asserts that it is at the 550ppm level that scientists in aggregate start to become seriously concerned about adverse and irreversible problems associated with climate change. That said, the survey also highlights a number of scientific disagreements and failed predictions. The interplay between science and politics is basically portrayed as a simple relationship between two internally complex dialogs. That is a model I certainly mean to unpack further in my thesis work.

As I didn’t actually manage to go see An Inconvenient Truth at the Phoenix yesterday, I am making another foray tonight for the 7:00pm show.

Republican torture ‘compromise’

Despite the thin rhetoric to the contrary, it is clear that the current American administration tolerates and abets torture, indefinite detention without charge, and other basic violations of human rights. This is an astonishing error on their part. It contradicts international law, including laws that have helped to protect Americans captured by foreign regimes. It significantly diminishes whatever claim to moral superiority the United States can use to help guide regimes entirely dismissive of human rights on to a more acceptable path. Finally, it neglects the very ideals about the respect for the human person that form the basis for the American constitution and the general American consensus on the nature of political ethics.

We can only hope that a saner administration will follow in the wake of this myopic crew.

The mainstream media is reporting on this here, here, here, here, here, and in many other places.

Clever way to protect cameras on planes

Blatantly stolen from Bruce Schneier’s blog (he stole it from Matt Brandon’s blog), this idea seems really clever. If you are travelling in the States with expensive camera gear, put a starter pistol in the locked box in which the camera equipment is to be transported, then register it as a weapon.

The airline safety people will then treat the luggage as though it contains a dangerous weapon, and you can be more certain they will not lose or blatantly mistreat it. A very neat way to make security procedures work for you. Of course, you can be quite sure they will x-ray it, so this doesn’t help with the problem of transporting film on ever-more-jittery airlines.

Early morning politics

United we stand?

Now, I could – and probably should – write about my enjoyable hike up Dam Mountain with my father today. Likewise, the subject of this early morning post should be the fine dinner at Palki on Lonsdale with my mother, father, and brother Sasha. Failing that, I should certainly write about exploring English Bay with Nick, Neal, and Lauren, then getting a jumbo poutine with extra war sauce at Fritz, just off Granville. But people are quite rightly sick of me just narrating life, so I will present a bit of a puzzle instead.

The image above was taken of the back of a utility truck of the kind used by many of the Vancouver schoolboards, at Georgia and Granville at about 2:00am. A fairly odd looking character in a jacket was using various tools on the newspaper vending boxes at that intersection: unloading newer looking units for selling The Vancouver Sun and The Province – local newspapers with content of varying quality.

§

The real questions are, who attached the original sticker, who blacked out one flag with spray paint, and why. Presumably, it previously showed an American flag that has been blacked out subsequently due to the widespread hostility in much of the world that has developed towards the United States, particularly since the invasion of Iraq in 2003.

I don’t really know how I feel about this display, but I took a photo for much the same reasons I often photograph graffiti: any expression of a genuine sentiment is at least worthy of cursory examination, and frequently worthy of deep thought. Right now, I am far too exhausted to think it through.