<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>Perimeter Grid &#187; society</title> <atom:link href="http://perimetergrid.com/wp/category/society/feed/" rel="self" type="application/rss+xml" /><link>http://perimetergrid.com/wp</link> <description>Building Security in a Networked World</description> <lastBuildDate>Sat, 13 Aug 2011 06:02:53 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=</generator> <item><title>DefCon 19, Day 1</title><link>http://perimetergrid.com/wp/2011/08/10/defcon-19-day-1/</link> <comments>http://perimetergrid.com/wp/2011/08/10/defcon-19-day-1/#comments</comments> <pubDate>Thu, 11 Aug 2011 05:49:42 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[industry]]></category> <category><![CDATA[physical security]]></category> <category><![CDATA[privacy]]></category> <category><![CDATA[risk]]></category> <category><![CDATA[society]]></category> <category><![CDATA[statistics]]></category> <category><![CDATA[terrorism]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/?p=140</guid> <description><![CDATA[Having finished with BlackHat, I checked out of the Flamingo and moved to DefCon&#8217;s new location this year, the Rio. This was an enormous upgrade from the Riviera, the previous location. For one, the conference center is nearly 50% bigger, and it&#8217;s beautiful. Traffic flow was greatly improved, despite record attendance (~12,000, from estimates I&#8217;ve [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>Having finished with BlackHat, I checked out of the Flamingo and moved to DefCon&#8217;s new location this year, the Rio.  This was an <I>enormous</I> upgrade from the Riviera, the previous location.  For one, the conference center is nearly 50% bigger, and it&#8217;s beautiful.  Traffic flow was greatly improved, despite record attendance (~12,000, from estimates I&#8217;ve heard, up 20% from last year.)  It was crowded, but it was a manageable crowd, and I managed to get into everything I wanted to, save for a talk in Track 2 (by far the smallest of the 5 presentation rooms.)  What&#8217;s more, the DefCon Goons improved things as the conference went along (they always do), so Saturday went even better than Friday.</p><p>I started the first day with 1o57&#8242;s talk on the new DefCon badge.  This year&#8217;s badges were non-electronic (for the first time in several years) &#8212; they were antiqued titanium discs with the Eye of Ra and various codes inscribed in them with a water knife.  Apparently making the 10,000 DefCon badges actually used the entire supply of sheet titanium in the United States at the time.  Bright side of them being non-electronic: they actually had them before the con started!  There has been a history of the badges getting hung up in customs on the way from China, but the non-electronic badges were produced in the USA.  
1o57 designed an elaborate puzzle contest around the badges, but I can&#8217;t say much about it as I didn&#8217;t participate this year.  There was, however, a very nice-looking code wheel on the floor of the Rio convention center rotunda that was key to the game and gave the room a nice DefCon look, so it was appreciated even by non-participants.</p><p>I spent the next couple of hours exploring the non-talk aspects of DefCon (none of the sessions in those slots were particularly interesting to me) and bought up some DefCon shirts and a couple of 2600 Hacker Calendars.  I also donated $170 to the <A
HREF="http://www.eff.org">Electronic Frontier Foundation</A> in my name and my wife&#8217;s, though I didn&#8217;t actually end up going to the party to which that entitled me admission (the donation and not the party was the primary purpose anyway.)</p><p>I dropped into Mark Weber Tobias&#8217;s physical security talk, called <A
HREF="https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Tobias">Insecurity: An Analysis Of Current Commercial And Government Security Lock Designs</A>, which involved some hilarious attacks on &#8220;high-security&#8221; physical locks.  You know those locks with 5 vertically-arranged pushbuttons you see in every airport or government building?  They pop right open if you stick a neodymium-iron-boron magnet on the side.  A keycard/keypad electronic lock with a USB port on the bottom for reprogramming is impervious to electronic attacks&#8230; but opens if you shove a paperclip to the back of the USB port.  This sort of attack was ubiquitous &#8212; simple modifications that made sophisticated electronic locks open in purely mechanical ways.  The overall point is that to get through a door, you do not have to open the lock &#8212; you have to actuate the mechanism that the lock actuates.  Sometimes this is really easy.</p><p>The next talk was entitled <A
HREF="https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Rezchikov">Why Airport Security Can&#8217;t Be Done FAST</A>, about the TSA&#8217;s Future Attribute Screening Technology.  This project intends to detect malicious intent, based on biometrics and facial cues, kind of like an electronic <A
HREF="http://en.wikipedia.org/wiki/Lie_to_me">Cal Lightman</A>.  The problem, in short, is the standard Bayesian statistical issues that always come up when trying to detect something vanishingly rare like terrorism.  The top 10 airlines in the world carry a billion passengers per year &#8212; the top 5 US carriers alone carry 500 million per year.  How many of these are terrorists who actually intend to blow up a plane that flight?  Let&#8217;s be very conservative and pretend 100 people try to board an American plane with the intent to blow it up every year (probably an enormous overestimate.)  Now let&#8217;s imagine my FAST system is 99.9% accurate at detecting terrorists &#8212; sounds great, doesn&#8217;t it?  Let&#8217;s get that into our airports immediately!  But wait&#8230; 99.9% accurate means it will probably catch all 100 terrorists.  It&#8217;ll also catch 500,000 innocent people &#8212; 0.1% of the 500 million passengers.  So if FAST points you out as a terrorist, there&#8217;s a 0.0002% chance it&#8217;s right!  Due to the base rate fallacy, a 99.9% accurate terrorist detector&#8217;s alarms are false positives 99.9998% of the time.  Oops.</p><p>What do you bet the real FAST isn&#8217;t 99.9% accurate, either?</p><p>I next attended the <A
HREF="https://www.defcon.org/html/defcon-19/dc-19-speakers.html#PanelEFF">EFF Year in Civil Liberties panel</A> for a summary of legal issues in information security, privacy, and free speech.  This was followed by the <A
HREF="https://www.defcon.org/html/defcon-19/dc-19-speakers.html#PanelDCG">Hackerspace Panel</A>, about hackerspaces and DefCon groups around the country and what they do to encourage innovation and bring hackers, makers, and other interested people together.  Both panels went very well, especially given that the Q&#038;A nature of panels often makes them hit-or-miss.</p><p>Friday night at DefCon is surprisingly free of events &#8212; about all that&#8217;s going on is the Black Ball and the DefCon Pool Party.  I met up with the DC206 group again, had some dinner, and mostly hung out at the pool party for the evening and discussed the day&#8217;s events and other topics in hackerdom.  Frankly, talking about interesting topics (in a hot tub outside with DJs spinning techno in the background, no less) beats most parties anyway.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2011/08/10/defcon-19-day-1/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>BlackHat USA 2011, Day 2</title><link>http://perimetergrid.com/wp/2011/08/10/blackhat-usa-2011-day-2/</link> <comments>http://perimetergrid.com/wp/2011/08/10/blackhat-usa-2011-day-2/#comments</comments> <pubDate>Thu, 11 Aug 2011 05:03:49 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[attacks]]></category> <category><![CDATA[crypto]]></category> <category><![CDATA[industry]]></category> <category><![CDATA[risk]]></category> <category><![CDATA[society]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/?p=135</guid> <description><![CDATA[The second day of BlackHat started out with a keynote by Mudge. I attended this one despite the normally-dull nature of BlackHat keynotes, because while Mudge is a Fed now (he works for DARPA), he has a long history as a contributor to hacker culture and I wanted to hear what he had to say. [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>The second day of BlackHat started out with a keynote by Mudge.  I attended this one despite the normally-dull nature of BlackHat keynotes, because while Mudge is a Fed now (he works for DARPA), he has a long history as a contributor to hacker culture and I wanted to hear what he had to say.  He introduced a DARPA program called Cyber Fast Track (it&#8217;s not government if it doesn&#8217;t have &#8220;cyber&#8221; in the name, after all) that allows small companies and even hackerspaces to receive grants to do infosec research, without having to jump through the hoops and fill out the forms for traditional government financing, all of which are designed for huge government contractors like Lockheed Martin and are nigh-impossible for individuals and startups.  I appreciate the work he&#8217;s doing, and especially the fact that accepting these grants involves giving DARPA only government-use rights and not signing over the IP for the research.</p><p>Next I went to Chris Paget&#8217;s <A
HREF="http://blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Paget">overview of the Final Security Review for Windows Vista</A>.  Since I&#8217;m someone who&#8217;s actually done Final Security Reviews for Microsoft and is part of the team that owns the Security Development Lifecycle, there was nothing here I didn&#8217;t know.  However, Chris gave a very favorable review of Microsoft, and it was clear that she really appreciated the work Microsoft does in securing their products.  For all the bad press Microsoft used to get in security, Microsoft has the most mature and complete security processes in the industry, and this is a remarkable turnaround when you look at where they were in 2001.  It&#8217;s good to know that even on the much-maligned Vista they gave Chris and her team full access to everything and everyone remotely relevant, and got a very good return on investment in terms of security bugs fixed.</p><p>I missed the next session to pick up my DefCon badge.  In my five years of attending DefCon, they have run out of badges every time, thanks to DT underestimating attendance (each DefCon has been much bigger than the last, recessions notwithstanding.)  As a result, everyone queues up early to get one, making for hours-long lines.  Though this year they went for a non-electronic badge, and thus at least had them on time, they did still run out by midday Saturday.  Lines were about an hour at BlackHat, and apparently ran to over two at the Rio.</p><p>In the afternoon, I dropped into Moxie Marlinspike&#8217;s <A
HREF="http://blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Marlinspike">SSL and the Future of Authenticity</A>.  Moxie is worried about the constant compromises of SSL Certificate Authorities &#8212; many have had bugs in them that made it possible to get real, valid certificates issued to you for other people&#8217;s domains (e.g. google.com, or your bank), thus making it possible to eavesdrop on SSL communications in a man-in-the-middle scenario.   One of the most-public breaches was the attack on Comodo that resulted in many false certificates being generated for some of the most important sites on the Web.  But what happened to Comodo?  Nothing!  The CA system has no ability to change.  Browsers trust Comodo, and even if we don&#8217;t like the idea of trusting them anymore &#8212; when they have been proven untrustworthy &#8212; there&#8217;s nothing to do about it.  If browser vendors dropped Comodo, 20-25% of all secure sites on the Web would stop working.  Moxie proposed a new system (he demonstrated it with a Firefox plugin called Convergence) wherein the user selects trustworthy parties, called notaries, which verify certificates for him.  The notary system will prevent a man-in-the-middle attack just as well as the CA system does, and if you distrust a notary you can just switch to others, and nothing breaks.  The user chooses who to trust.  On one hand, this does give trust agility &#8212; the ability to change who you trust &#8212; which Moxie highly values, and it does prevent man-in-the-middle attacks unless the attacker is very close (from a network-topology standpoint) to the destination host (which is unusual &#8212; in most MitM attacks, the attacker is very close to the source host, not the destination.)  On the other hand, I&#8217;m not quite convinced &#8212; the system does not prove authenticity, only that no MitM is present, so it doesn&#8217;t really substitute for the CAs.  
However, I&#8217;d say my friends and I spent more time discussing this talk than any other at BlackHat or DefCon, so right or wrong he got us thinking, which can only be good in the long run.  The CA system really is broken, and it&#8217;s untenably fragile &#8212; if <I>one</I> CA has its private key widely distributed, everyone will be able to make fake SSL certificates forever.  And there are thousands of CAs.</p><p>I went up to IOActive&#8217;s IOAsis suite at the top of the Forum Tower in lieu of the next BlackHat session.  I&#8217;m not sure what actually happened between BlackHat and IOActive this year, but for the first time since I&#8217;ve attended the conference, IOActive had no official presence at the conference (whereas before they&#8217;ve been one of the top-tier sponsors) and ran their own parallel events at Caesars instead.  I had a pass to IOActive&#8217;s events as well &#8212; spend five years in infosec in the Seattle industry and it&#8217;s hard not to know half of IOActive, particularly their CEO who seems to have the remarkable ability to remember everyone she meets, instantly and forever.  I went to a talk they hosted about malware tools like Spy Eye and Zeus.  Overall, they&#8217;re remarkable professionally-developed tools, with high-quality tutorials and documentation.  They really make being a criminal easy, and if you happen to live in a non-extradition country like Russia, it turns out crime <I>does</I> pay.</p><p>Finally, I went to a talk about the latest <A
HREF="http://blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Laurie">Chip &#038; PIN exploits</A>.  I have to admit, as an American, Chip &#038; PIN exploits always seem kind of lame.  They boil down to &#8220;with this amazing exploit, we can make European credit cards <I>almost</I> as insecure as American ones are <I>all the time</I>!&#8221;  The fact that if you steal a credit card you can, you know, buy stuff with it until the cardholder notices it&#8217;s gone and calls the bank just doesn&#8217;t seem like a revelation.  This said, it is interesting to see some of the dubious security decisions made in this &#8220;secure&#8221; payment system, and Chip &#038; PIN will be coming to the U.S. in the near future.  The worst threat here is not technical but legal &#8212; in most European countries, the fact that a transaction happened via Chip &#038; PIN is considered <I>prima facie</I> proof that you authorized the transaction and are fully liable &#8212; either that, or you were negligent with your PIN and still fully liable.  The fact that it&#8217;s possible to make these transactions without a PIN makes this dangerous.</p><p>At this point, BlackHat USA 2011 was over.  I headed back up to IOActive&#8217;s IOAsis suite for their post-conference reception.  I not only met up with several people from IOActive, but I also happened to strike up a conversation with someone who informed me that she was with the <A
HREF="http://www.dc206.org/">DC206 group</A> &#8212; the local DefCon club here in Seattle that meets at <A
HREF="http://www.blacklodgeresearch.org/">The Black Lodge</A> about 10 miles from here.  We quickly found we had several friends in common, and she introduced me to the other DC206/Black Lodge people at the party.  This worked out very well, as I ended up hanging out with them for the next three days of DefCon, and had a lot of great conversations with a very interesting mix of security pros, makers, and hackers as a result.  Though I&#8217;ve been by the Black Lodge and DC206 events before, I plan to make an effort to be present for more of them in the future.</p><p>We went to the Microsoft party at the Haze nightclub in Aria, primarily because given the youth of the Aria property, none of us had ever seen it before.  The party itself wasn&#8217;t bad &#8212; quite good compared to last year&#8217;s event &#8212; and they had a nerdcore rapper performing (I honestly don&#8217;t remember if it was DualCore or MC Frontalot, having encountered both of them multiple times during the week.)  However, we stayed only briefly then moved to the Rio, where we hung out with other DefCon attendees at the pool.  The Rio was kind enough to keep the pool open until 1am (much later than normal) for DefCon attendees, and even until 2am on subsequent nights, which was quite appreciated.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2011/08/10/blackhat-usa-2011-day-2/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>The Trouble With Fighting Your Users</title><link>http://perimetergrid.com/wp/2010/08/10/the-trouble-with-fighting-your-users/</link> <comments>http://perimetergrid.com/wp/2010/08/10/the-trouble-with-fighting-your-users/#comments</comments> <pubDate>Tue, 10 Aug 2010 21:39:27 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[attacks]]></category> <category><![CDATA[industry]]></category> <category><![CDATA[risk]]></category> <category><![CDATA[society]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/?p=117</guid> <description><![CDATA[Companies like Apple that try to control devices purchased by end-users create their own serious security problems. It turns out that Apple trying to protect itself from you makes you vulnerable to attackers. Apple doesn&#8217;t want you to run anything on your phone that they didn&#8217;t approve. But of course, customers want to run whatever [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>Companies like Apple that try to control devices purchased by end-users create their own serious security problems.  It turns out that Apple trying to protect itself from you makes you vulnerable to attackers.</p><p>Apple doesn&#8217;t want you to run anything on your phone that they didn&#8217;t approve.  But of course, customers want to run whatever they want on the phone they bought, regardless of whether Apple likes it.  This creates end-user demand for jailbreaks &#8212; software that attacks their phone&#8217;s OS to remove Apple&#8217;s restrictions.  Whenever one is discovered, Apple patches it, but another one is always discovered soon afterwards.</p><p>Right now, there&#8217;s a website, <a
href="http://jailbreakme.com">jailbreakme.com</a>, that offers the easiest, most convenient jailbreak yet.  You browse to the site on your iPhone, iPad, or iPod Touch, and suddenly it&#8217;s jailbroken and the non-Apple application stores like Cydia are available.  It&#8217;s very slick, and much easier than any previous jailbreak, many of which required modifying OS images, caching key signatures from Apple, and other tasks that required at least some moderate technical savvy.  People really like jailbreakme.com &#8212; it makes taking ownership of your own phone quick and easy!</p><p>How does it work?  Well, it&#8217;s a combination of two exploits.  When you visit the site, it loads a PDF that exploits a bug in Apple&#8217;s font rendering (iPhones render PDFs themselves, using Apple code &#8212; Adobe&#8217;s reader is not even involved) to load and run arbitrary code.  Then <em>that</em> code exploits another vulnerability, in the iOS kernel, to run code as root, outside the app sandbox.  This third piece of code jailbreaks the phone and installs the necessary backdoors to wrest control away from Apple and give it to the user.</p><p>But&#8230; there&#8217;s a problem here.  The fact that this works means that there&#8217;s an unpatched remote root exploit on every iOS device.  That is, on an iPhone, iPad, or iPod Touch, any website you visit or any email you receive can silently load and run arbitrary code on your device, which will then reside there permanently and do whatever the attacker wants.  How do you know this hasn&#8217;t already happened to your phone, and your location isn&#8217;t being tracked, your calls tapped, your SMS messages and web passwords forwarded to some Russian crime syndicate?  You don&#8217;t.  
There&#8217;s no way to know, because there&#8217;s no anti-malware software for iOS &#8212; Apple would never approve it anyway, since you&#8217;re not &#8220;supposed&#8221; to be able to run anything but Apple-approved apps anyway.</p><p>In a normal, open ecosystem, like that on PCs, this problem would be less likely to happen.  If a security researcher discovered remote exploits like this, they would often follow responsible disclosure practices, and contact the vendor and let them know about the problem so it could be fixed.  But they&#8217;re not willing to do this for Apple &#8212; because they need the remote exploit to have unfettered access to their own phones!</p><p>Apple has created a situation where someone acting in good faith to help iPhone users use their own devices has to keep security flaws away from Apple, so that they can also be used by malicious attackers.  Apple and Apple&#8217;s users are on opposing sides &#8212; helping Apple hurts legitimate users, yet helping users jailbreak also means helping attackers exploit them.</p><p>What&#8217;s more, when Apple releases a patch to iOS to make it no longer vulnerable to these attacks, they will undoubtedly reverse the jailbreaks in the same patch.  Thus, <em>users will not want to install the patch</em>, since it will kill functionality that they want on their phones!  In the IT world, it&#8217;s hard enough to get people to patch even when there&#8217;s no downside, and Apple&#8217;s creating customers who deliberately avoid patches and updates, since most of Apple&#8217;s &#8220;security fixes&#8221; are aimed at protecting Apple from customers, not protecting customers from harm.</p><p>Come on, Apple, would a settings checkbox marked &#8220;Allow execution of unsigned code&#8221; be so bad?  You could even pop up a warning that turning it on makes you ineligible for Apple support.  
Is it really better to force your userbase to help hackers?</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2010/08/10/the-trouble-with-fighting-your-users/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>BlackHat 2009, Day 2</title><link>http://perimetergrid.com/wp/2009/08/13/blackhat-2009-day-2/</link> <comments>http://perimetergrid.com/wp/2009/08/13/blackhat-2009-day-2/#comments</comments> <pubDate>Thu, 13 Aug 2009 21:04:57 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[anonymity]]></category> <category><![CDATA[attacks]]></category> <category><![CDATA[crypto]]></category> <category><![CDATA[hardware]]></category> <category><![CDATA[industry]]></category> <category><![CDATA[legal]]></category> <category><![CDATA[networks]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[risk]]></category> <category><![CDATA[society]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/?p=92</guid> <description><![CDATA[The Thursday keynote was given by Bob Lentz, a Deputy Assistant Secretary of Defense for the United States. His main point was the paradigm shift from network-centric security to what he called content-centric security, and the fact that this devalues the protections around network perimeters. Static defenses don&#8217;t work when all the services being used [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>The Thursday keynote was given by Bob Lentz, a Deputy Assistant Secretary of Defense for the United States.  His main point was the paradigm shift from network-centric security to what he called content-centric security, and the fact that this devalues the protections around network perimeters.  Static defenses don&#8217;t work when all the services being used are distributed and not found behind your firewall; the adversary is effectively always inside your firewall.  Other notable but less positive things from the speech included that the Department of Defense considers &#8220;reducing anonymity&#8221; a strategic goal, and that the government still likes to prefix &#8220;cyber-&#8221; on everything, creating &#8220;cyberczar,&#8221; &#8220;cybertime,&#8221; &#8220;cyber green movement,&#8221; and even &#8220;cyber&#8221; as a standalone noun.</p><p>This year, BlackHat had an entire Cloud Computing track, running all day on Thursday, of which I attended a great deal.  Part of my job involves protecting cloud computing services, so it seemed very relevant, and it&#8217;s certainly a hot topic in the industry right now.  It began with <a
href="http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Stamos">Alex Stamos, Nathan Wilcox, and Andrew Becherer</a> presenting a lecture on cloud computing models and vulnerabilities.</p><p>They defined cloud computing as not just virtualization, but including general-purpose hosts, central management, application mobility, distributed data, low-touch provisioning, and soft failover.  They looked at three different cloud models: Software as a Service, Platform as a Service, and Infrastructure as a Service, and the differences &amp; vulnerabilities in each.</p><p>The Software as a Service (SaaS) model is to outsource everything.  From a security perspective it&#8217;s not necessarily a bad idea &#8212; the cloud provider probably has a lot more security people than the average company.  On the other hand, you also outsource all your data &#8212; the recent Twitter &#8220;breach&#8221; via somebody logging into Twitter&#8217;s Google Docs account shows the risks this can entail.  You lose the perimeter, endpoint management, the ability to use better authentication than simple passwords, credential quality controls, password reset processes, and realtime anomaly detection (though you hope the cloud provider has some of these things.)  It puts all your eggs in one basket &#8212; if someone can read your email, they can access all your data.  SaaS products include Office Live, Google Apps, and Salesforce.com.  None of these have decent audit &amp; rollback capability; Google Apps at least provides login history (though you have to write code &amp; call an API to get at it) but still no read/write level auditing.  Salesforce.com offers some write logging.  However, the biggest flaw with SaaS models may well be authentication &#8212; all your security relies on a password, with all the vulnerability that entails, and you can&#8217;t even set a strong password policy (for all the good it would do you.)  
Google Apps actually lets you use a SAML-based SSO system; with other SaaS apps the best you can do is set a strong password policy via employee education.</p><p>Another issue with SaaS providers is the legal concerns &#8212; the cloud service EULAs tend to promise basically nothing and disclaim all liability.  Also, they forbid malicious traffic &#8212; even pentesting your own app.  There&#8217;s also decreased protection from search and subpoena.  Since the data is stored with someone else, there&#8217;s no Constitutional protection from search, and even statutory protection is usually only for &#8220;communication.&#8221;  Are Google Docs communication?  Courts haven&#8217;t really defined this yet.  The net result of this is that there&#8217;s no need for a warrant, probable cause, or even notice of a search &#8212; you can&#8217;t fight a seizure before it happens, but only after the fact.</p><p>Platform as a Service (PaaS) is the model of having a common development platform provided, yet allowing people to customize their applications.  This is the model of Google AppEngine, Force.com, and (maybe) Windows Azure.  (Azure is a unique case, kind of halfway between PaaS and IaaS; I&#8217;ll come back to this.)  This section of the presentation was rather odd, as they really looked at the common web vulnerabilities (CSRF, XSS, SQL injection) and investigated how the platform protected you from them.  In short, the answer is that they don&#8217;t.  Some of the platforms have some inherent protection available (e.g. Windows Azure apps are typically ASP.NET, which has some built-in XSRF protection via ViewStateUserKey, XSS protection via encoders, and SQL injection via LINQ), but it&#8217;s up to the developer to actually use them.  
I found this section somewhat lacking, because it wasn&#8217;t really about the cloud platforms at all, but rather the common web technologies sitting on them.</p><p>The Infrastructure as a Service (IaaS) model is that taken by Amazon EC2 and similar services.  It provides virtual machines with short-lived instances, non-persistent local storage, and available helper services.  Though the presenters thought of Azure as very much a PaaS model, I think it&#8217;s a little fuzzier here &#8212; while Azure does not allow you to choose an operating system (the Windows Azure OS runs on every VM), it does not constrain you to anywhere near the degree of Google AppEngine or Force.com, as you can run arbitrary native code on it.  It would be impossible to use AppEngine or Force.com to run anything but a web site; Azure is like EC2 in that it could be used for any flexible computing task, not just web sites.</p><p>The problems with IaaS services are usually hypervisor flaws or problems in the helper services.  However, they brought up something very new here that I don&#8217;t think any of the current cloud providers consider &#8212; lack of entropy.  Virtual hardware has mostly deterministic timings &#8212; input events don&#8217;t exist and block device events are abstracted.  Thus, entropy is generated very slowly if at all.  What&#8217;s more, in the case of Amazon EC2, since OS images are available to everyone, an attacker can get a copy of the stored entropy pool you&#8217;re using (which will never update after the image is originally created, thus depriving the system of another source of entropy) and eliminate it as well.  The net result of this is that pseudo-random number generators &#8212; even cryptographically strong ones &#8212; are unreliable and may be predictable.  
This attack may or may not be practical given the specifics of the system in question, but for now you may not want to build your online casino or public key infrastructure in an IaaS environment!  Cloud providers may actually have to have random number generation as a helper service as well, supported by <a
href="http://en.wikipedia.org/wiki/Hardware_random_number_generator">quantum hardware</a>.</p><p>Next, <a
href="http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Grossman">Jeremiah Grossman and Trey Ford</a> presented a sequel to last year&#8217;s talk on &#8220;making money the black hat way.&#8221;  Essentially, it was a survey of interesting hacks-for-profit that have been carried out recently.  They noted that hacking activity is up this year (layoffs create more hackers?) and that 69% of attacks are discovered only because a 3rd party tells the company it&#8217;s been hacked.</p><p>Some of the interesting ones: eBay gave away 1000 items for $1 in a &#8220;Holiday Doorbusters&#8221; promotion.  However, almost 100% of them were bought by bots, which was evident because the items were purchased before the item description page was even viewed.  StrongWebmail.com had a contest to give $10,000 to whoever could hack into the CEO&#8217;s webmail account; rather than attacking the servers, the winners of the contest sent the CEO phishing mail with an XSRF in it that stole the contents of the account.  (Amusingly, they got him to open the mail by labeling it &#8220;I think I won.&#8221;)  Grossman &amp; Ford also brought up cookie-stuffing, a type of affiliate fraud that&#8217;s been around for many years; it&#8217;s a well-known technique in the affiliate marketing world (basically you spoof the referrer while iframing the advertiser&#8217;s site on your site, then drive traffic to your site in ways that would not please the advertiser if they knew about it) but was apparently new to most of the BlackHat audience.  They also brought up the technique of using embedded site search to fake authority links, another well-known &#8220;black hat&#8221; SEO technique.  Marketers have apparently also begun spamming Google Maps with fake businesses, so as to come up first in &#8220;local searches&#8221; with their web-based and not-remotely-local businesses.  
A man in Britain used Google Earth to find all the lead roofs in London, then steal the lead tile in the middle of the night.</p><p>Some of the more ambitious hacks were more intriguing, though.  One man discovered that you could order &#8220;advance replacements&#8221; for broken iPods from Apple just by giving them a credit card number as collateral; he used low-balance anonymous Visa gift cards to get 9,000 iPods.  Another group put their garage band music in the Amazon and iTunes stores using Tunecore, then bought hundreds of downloads of their own album with stolen credit cards (thus getting a big check from Tunecore.)  One thing to note is that these people got caught only because <em>they weren&#8217;t trying not to</em>.  The iPod guy shipped all 9,000 to his home address; the Tunecore fraud was so blatant as to get this garage band&#8217;s album onto Amazon and iTunes top-10 bestsellers.</p><p>Finally, in South America, the system for getting logging permits for the Amazon rain forest was put online.  An investigation discovered that <em>107 different logging companies</em> had hired hackers to compromise the site, which was full of common web vulnerabilities.  All told, 1.7 million cubic feet of lumber were smuggled out of the country.  Scary permit systems in the United States that are now protected only by a web site: entrance visas, hazardous material transport, and open burning permits.</p><p>Next, <a
href="http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Meer">Haroon Meer, Nick Arvanitis, and Marco Slaviero</a> presented a talk on &#8220;Clobbering the Cloud.&#8221;  This SensePost talk covered much of the same material as the iSec Partners talk earlier in the day.  Their primary risk factors for cloud computing were as follows: lack of transparency from cloud providers (opaque EULAs), people don&#8217;t want to store regulated data in the cloud, vendor lock-in especially if the vendor goes out of business or stops offering the service, availability concerns (not just servers being down, but also things like password lockout from DoS attacks), monoculture issues (worms and cascading compromise are a big concern when you have thousands of perfectly-identical boxes), and trust in the cloud provider &#8212; you have to trust your cloud provider implicitly not to lose your data or have system failures.  In addition, there&#8217;s the problem that the cloud is available to the bad guys, too &#8212; cloud boxes can be used for click fraud, DoS, or spamming (for a short time Amazon EC2 was the net&#8217;s #1 spammer.)  Finally, the security of your environment is all in the hands of the account owner, who authenticates with nothing more than a password, and is (in most companies) probably a non-technical executive.  Breaking into the CIO&#8217;s email now makes you the global administrator of the company&#8217;s entire infrastructure.</p><p>The presenters then went into more detail about attacks on Amazon Web Services (EC2, S3, SQS, and DevPay) in particular.  I can understand why they chose AWS; due to its flexibility, it&#8217;s certainly the most fun of the cloud services for a hacker to play with (though Windows Azure is getting there, too.)  EC2 is based on a modified Xen hypervisor, and supports running any OS you want that can run in that environment.  
Amazon provides 47 OS images, but users have contributed over 72,000 more, and an EC2 user can choose to boot any of them.  Sometimes user images have interesting things in them, like other users&#8217; EC2 credentials, for example.</p><p>Scanning EC2 is prohibited, but you can start up one of the images and scan it yourself via an SSH tunnel (or even have the machine scan itself.)  They found 646 Nessus critical vulns in Amazon&#8217;s public images; you can also steal Amazon&#8217;s own Windows activation keys off their images.  The DevPay system is interesting; it&#8217;s supposed to allow a user to make an image then charge other users for its use (e.g. to resell an application on EC2.)  However, the presenters found you could get a DevPay image and modify its ancestor info (stored in the image itself) so as to credit use of it to you rather than the original author, then reregister it for others to use.</p><p>Simply putting up pre-owned (pun intended) images for others&#8217; use can be an attack on AWS.  If you prop up a box with a good name (e.g. &#8220;Ubuntu 9.04 Standard Image, All Patches&#8221;) and a low-numbered ID (so it shows up at the top of the list), people will use your image to host their apps!  You can get a low-numbered ID simply by registering repeatedly; since it&#8217;s a hash, eventually you&#8217;ll get lucky and have one start with zero.  You can only have 20 images per account, but you can create 20 accounts in 3 minutes, so there&#8217;s no effective limit.</p><p>After that talk, I went over to the mobile track to hear <a
href="http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Burns">Jesse Burns</a> talk about Android.  Android interests me because I&#8217;d really like a phone that behaves like a computer (i.e. a device I own) rather than like a toy the phone company is reluctantly allowing me to touch, and Android&#8217;s open-source nature has real potential to give me that.  It&#8217;s not that I trust Google any more than any other wireless provider, just that the platform seems much more hackable and thus inherently harder to control.</p><p>Android has a dual security model &#8212; Android permissions on various privileges, plus Linux permissions on the filesystem.  Applications have their own UIDs/GIDs and are thus somewhat isolated from each other. A package (application) is made up of Activities (GUIs,) Services (background tasks,) Broadcast Receivers (event handlers,) Content Providers (databases,) and Instrumentations (used for testing.)  For interprocess communication, there are Intents, which are sets of name-value pairs with routing information.  Applications are written in Java, but they&#8217;re not applets (i.e. no Java sandbox.)</p><p>Available attack surfaces for a malicious app include other apps, system services under privileged accounts (like the clipboard or the surfaceflinger, which draws the UI and owns the screen,) the binder (the inter-process communication system, similar to domain sockets,) and anonymous shared memory.  There are a variety of tools available &#8212; one can just install a bash shell on Android (either interactively or over the wire or network,) use logcat to look at logs, view Android system properties, check the /proc and /sys filesystems, run dmesg to get kernel output, and all the usual Linux attacks.  There&#8217;s also a file in /data/system/packages.xml that contains data about every installed app, including the location of the app and its manifest.  
/proc/binder contains a transaction log of the inter-process communication, and /proc/binder/proc contains data of all the processes themselves.</p><p>Another interesting detail about Android is the &#8220;secret code&#8221; handler.  When you dial *#*#somenumber#*#*, this triggers the secret code handler for that number, which can do pretty much whatever an app wants it to do.  The only secret codes on &#8220;stock&#8221; Android are 8351 and 8350, which turn voice dialer logging on and off, respectively.  However, wireless providers may add additional codes &#8212; the presenter found some in T-Mobile&#8217;s MyFaves app, for example.  Finally, the presenter had a series of Android hacking apps he&#8217;d developed &#8212; Manifest Explorer (to view the system manifest and the manifest of each app, such as to see what events they react to,) Package Play (to see the parts of a package or to directly activate Activities,) Intent Sniffer (to view Intents as they&#8217;re routed at runtime,) and Ill Intent (an Intent fuzzer.)</p><p>The last presentation of the day was <a
href="http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Schneier">Bruce Schneier</a>, whose talk was entitled Reconceptualizing Security.  Mostly, he gave the same speech he always does, about fear, psychology, security vs. security theater, why we mis-estimate risk, etc.; pick up a copy of <em>Beyond Fear</em> or <em>Secrets and Lies</em> if you want the details.  However, during Q&amp;A he did also talk about the attack on AES-256 that was just demonstrated.  It&#8217;s a feasible attack on 10 rounds of AES-256 (out of 14,) in 2<sup>42</sup> time.  It&#8217;s a related-key attack that works only on 256-bit keys (not on shorter ones,) so there&#8217;s no reason to panic right now, but it does show that the margin of safety on AES is smaller than we thought.  There may need to be a Double-AES in the same way Triple-DES was devised as a stopgap until a new cryptosystem is developed.  Alternatively, the standard could be changed to increase the number of rounds, but that would require replacing or updating all the AES-based crypto hardware out there.</p><p>And that wrapped up BlackHat 2009.  Overall, there was nothing as Earth-shattering as last year&#8217;s DNS exploit, though it turns out that the SSL issues are pretty nasty.  After BlackHat, I hit the Microsoft Security Researcher Appreciation Party at Christian Audigier, which was actually a pretty good party this year without any of the problems of previous years.  Its only drawback was that it only ran two hours.  
However, at this point DefCon festivities had begun, so there was still plenty going on; my next post will get into DefCon 17.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2009/08/13/blackhat-2009-day-2/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>A &#8220;Clear&#8221; Case of Failure</title><link>http://perimetergrid.com/wp/2009/06/29/a-clear-case-of-failure/</link> <comments>http://perimetergrid.com/wp/2009/06/29/a-clear-case-of-failure/#comments</comments> <pubDate>Mon, 29 Jun 2009 19:52:25 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[risk]]></category> <category><![CDATA[society]]></category> <category><![CDATA[terrorism]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/?p=84</guid> <description><![CDATA[Clear, the &#8220;trusted traveler&#8221; program that allowed customers to bypass airport security lines, has shut down.  The story is an interesting case of bureaucratic disincentives and general failure around the whole mess known as airport security. A privately-run alternative to the TSA&#8217;s Registered Traveller program, Clear started out with what seemed like a good idea [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>Clear, the &#8220;trusted traveler&#8221; program that allowed customers to bypass airport security lines, has <a
href="http://www.wired.com/epicenter/2009/06/vip-airport-screening-company-closes-lanes/">shut down</a>.  The story is an interesting case of bureaucratic disincentives and general failure around the whole mess known as airport security.</p><p>A privately-run alternative to the TSA&#8217;s Registered Traveller program, Clear started out with what seemed like a good idea &#8212; allow frequent travelers to undergo a thorough background check to make sure they weren&#8217;t terrorists or criminals in lieu of screening them every time they went to the airport.  For someone who travels by air every week or even every day, the long-run time savings would be worth a fortune.  The TSA was all for this idea, since their goal is to prevent hijackings, not just have people take off their shoes for fun.  So Clear (originally called Verified Identity Pass) was started &#8212; and frequent travellers could pay $200 per year, have a background check performed on them, and get a nifty-looking smart card that they could use at any of a dozen major airports to skip to the front of the security screening line.</p><p>Wait a minute&#8230; skip to the <em>front </em>of the security screening line?  Yep, somewhere along the line some government bureaucrat changed the rules such that Clear and Registered Traveller-certified people still have to undergo the screening, they just get to go to the front of the line.  I can easily see their motivation for doing so.  Imagine being an assistant director at the TSA in charge of such a program: &#8220;So, what happens if, God forbid, someone with a Clear card blows up a plane?  What would we say to the public?  &#8217;Yeah, he had a bomb on him, but we didn&#8217;t search him, because he&#8217;d undergone a background check a couple years ago.  
You see, he&#8217;d never blown up any aircraft before, so we had no idea this would happen.&#8217;&#8221;  It would go even worse for the TSA if said terrorist were a member of a group that the public would consider an &#8220;obvious&#8221; terrorist suspect (e.g. a Muslim of Arabic descent) and would pretty certainly end the careers of everyone involved in the program, if not end the TSA itself.</p><p>So the Clear card was changed to only allow you to skip the <em>line</em>, while still undergoing the full security screening.  What no one seems to have thought of, though, is&#8230; why bother with the background check?  If you still have to be screened at the airport, what&#8217;s the point of having to be investigated to get the card?  In what way does the screening <em>line </em>contribute to security?  Many of these same airports let members of airlines&#8217; top-tier frequent flyer clubs skip the line, too, and they&#8217;re not required to have background checks.  Essentially, Clear and Registered Traveller simply morphed into HOT lanes &#8212; pay a fee, and you get to go faster than people who don&#8217;t pay a fee.  It&#8217;s not &#8220;trusted&#8221; status, it&#8217;s &#8220;VIP&#8221; status.  A smart card with associated fingerprint and iris scans seems kind of excessive for jumping a line.</p><p>Also, Bruce Schneier <a
href="http://www.schneier.com/blog/archives/2009/06/clear_shuts_dow.html">brings up an interesting point</a> &#8212; now that Clear is out of business and having all its assets transferred to creditors, what happens to all the personal data in the background checks?  Who gets <em>that</em> asset?</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2009/06/29/a-clear-case-of-failure/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>False Expense Service Reveals the Trouble With Documents</title><link>http://perimetergrid.com/wp/2009/06/29/false-expense-service-reveals-the-trouble-with-documents/</link> <comments>http://perimetergrid.com/wp/2009/06/29/false-expense-service-reveals-the-trouble-with-documents/#comments</comments> <pubDate>Mon, 29 Jun 2009 18:30:27 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[attacks]]></category> <category><![CDATA[authentication]]></category> <category><![CDATA[legal]]></category> <category><![CDATA[society]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/?p=82</guid> <description><![CDATA[There&#8217;s been some news coverage lately about FalseExpense.com, a service that produces fake receipts to order &#8220;for novelty use only.&#8221; The obvious purpose of this is to help people scam their companies&#8217; expense reporting system by &#8220;padding&#8221; receipts.  People who are reimbursed for hotel, meals, etc. can create receipts for slightly more than they actually [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>There&#8217;s been some news coverage lately about <a
href="http://www.falseexpense.com/">FalseExpense.com</a>, a service that produces fake receipts to order &#8220;for novelty use only.&#8221;</p><p>The obvious purpose of this is to help people scam their companies&#8217; expense reporting system by &#8220;padding&#8221; receipts.  People who are reimbursed for hotel, meals, etc. can create receipts for slightly more than they actually pay (or for that matter, create receipts for meals they skip altogether or eat a bologna sandwich for) and pocket the difference.  Apparently the same company aims to help people rip off their employers in any way they desire, as they also run &#8220;Fake Sick Notes USA.&#8221;  (Though people running that particular scam are often <a
href="http://www.dailymail.co.uk/news/worldnews/article-1080010/Call-centre-worker-caught-boss-posting-sickie-plan-Facebook.html">caught by their own actions</a>.)</p><p>It&#8217;s interesting that receipts are considered &#8220;proof&#8221; of purchase.  A receipt, after all, is just a piece of paper, and what&#8217;s more, there is no standard for what a receipt looks like.  People know it should be printed on &#8220;receipt paper&#8221; &#8212; which is usually thin thermal paper, but is sometimes quite heavy paper tape that&#8217;s inkjet or impact printed &#8212; and contain certain pertinent data, like the location of the purchase, the tax, the total, and some legalese at the bottom.  In the modern era, receipts often have serial numbers or bar codes on them, which makes the receipt uniquely identifiable <em>by the issuer</em>, but is quite useless for anyone else to authenticate them.  After all, only someone who has access to Target&#8217;s computer system can say if Target receipt #824935729345 is authentic or not.  And when it comes to small mom-and-pop retailers (which often have cash register receipts that contain literally nothing but prices) and online retailers (whose receipts are trivially-forged HTML emails), receipt as proof of anything becomes even more ridiculous.</p><p>All this false expense site does is make available to the general public an ability that&#8217;s been available to the tech-savvy for years.  Someone with Photoshop and a USB thermal printer (easily available on eBay for under $100) has been able to forge receipts since the 1990s.  This is another case (like <a
href="http://perimetergrid.com/wp/2008/01/01/checks-the-most-dangerous-transaction/">checking accounts</a>) where the &#8220;security&#8221; of a system comes not from any internal defense, but simply from the fact that most people don&#8217;t have a <a
href="http://perimetergrid.com/wp/2008/01/31/how-to-get-a-job-in-information-security/">security mindset</a> &#8212; most people don&#8217;t look at everyday systems and think about their weak points and where they break down.  Since a receipt is <em>used as </em>proof of purchase, people assume it <em>is </em>proof of purchase.</p><p>Unfortunately, there&#8217;s really not much to be done to &#8220;secure&#8221; receipts.  To do so would require data-sharing between merchants, employers, and the IRS, so as to make receipt numbers authenticable &#8212; and that&#8217;s a case of the solution being worse than the disease (the privacy implications would be staggering.)  As an employer, the best solution may be to simply avoid the problem &#8212; have the company book hotel and travel for the employee (rather than reimbursing after-the-fact), and provide a <em>per diem </em>allowance for expenses rather than reimbursing exact receipts.  Any time you rely on receipts from employees, there&#8217;s the potential for fraud losses.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2009/06/29/false-expense-service-reveals-the-trouble-with-documents/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Charter Communications Using Ad Replacer</title><link>http://perimetergrid.com/wp/2008/05/16/charter-communications-using-ad-replacer/</link> <comments>http://perimetergrid.com/wp/2008/05/16/charter-communications-using-ad-replacer/#comments</comments> <pubDate>Fri, 16 May 2008 16:50:39 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[anonymity]]></category> <category><![CDATA[legal]]></category> <category><![CDATA[society]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/?p=48</guid> <description><![CDATA[A story in the New York Times tells us that Charter Communications (the United States&#8217;s fourth-largest cable company) is going to start tracking user behavior and using it to sell ads.  They spin this as a potential problem because of privacy implications &#8212; it means that the cable company is watching your web surfing so [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>A <a
href="http://bits.blogs.nytimes.com/2008/05/14/charter-will-monitor-customers-web-surfing-to-target-ads/">story in the New York Times</a> tells us that Charter Communications (the United States&#8217;s fourth-largest cable company) is going to start tracking user behavior and using it to sell ads.  They spin this as a potential problem because of privacy implications &#8212; it means that the cable company is watching your web surfing so it knows what ads to show you.  While they say it will be anonymous (i.e. they only know that a specific tracking cookie is associated with one user, but not who the user is), when it comes to an ISP this simply isn&#8217;t true &#8212; they do know who you are (due to billing information) and if they were not-so-politely asked (i.e. with a subpoena) they would be able to associate your tracking cookie with you as the individual user.  As a matter of policy they don&#8217;t associate the tracking profiles with individual users&#8217; personal information and share it with their advertising partner &#8212; but they have the data, which means law enforcement can have the data.</p><p>However, all the discussion about privacy in the article is, in my opinion, a secondary issue.  As I&#8217;ve <a
href="http://perimetergrid.com/wp/2008/03/10/ad-replacers-and-the-future-of-the-internet/">discussed </a><a
href="http://perimetergrid.com/wp/2008/04/23/ad-replacers-let-dan-kaminsky-rickroll-the-web/">before</a>, using an ad replacer has other effects that may be much more serious.  It means Charter is now mounting a man-in-the-middle attack on all its customers and editing the web pages they view.  Thus, if there are any security flaws in the NebuAd software (like, say, a cross-site scripting vulnerability as we saw with Barefruit in a previous post), they are now embedded in every web site viewed by every Charter customer.  When you&#8217;re a large ISP like Charter, this makes it worthwhile for hackers to try to attack the system &#8212; being able to steal the bank account passwords of every Charter customer at a given bank is almost as good as being able to do it to all customers of the bank.  It may only be 10% of people, but 10% of everyone is still a lot of people.  In addition, Charter customers are no longer contributing to the revenue of the web sites they visit (which could be interpreted as an attack on those websites by Charter &#8212; they just stole all their revenue.)  I don&#8217;t much expect Charter to care, nor their customers, but the more ad replacers that are out there, the less advertising is able to support web sites.</p><p>So, what to do if you&#8217;re a Charter customer?  Well, you can <a
href="http://connect.charter.com/cas/portal/settings/privacyoptout.aspx">opt out of the tracking system</a> by setting a cookie, which means the ads you&#8217;re served will not be targeted.  However, the ads probably <em>will </em>still be replaced, so you&#8217;re still not helping pay for the web sites you visit.  And chances are that Charter could still come up with a record of all your web surfing if they were served a subpoena.  If you want to avoid that, the only choice is using an encrypted tunnel and mix network like <a
href="http://www.torproject.org/">TOR</a> (which law enforcement has probably at least partially compromised, but this puts them in a situation like the Allies after they broke the Enigma machine &#8212; if they use evidence from a TOR compromise to prosecute you, then they give away that they&#8217;ve compromised the network and criminals will stop using it.  Thus, you&#8217;d need to do something pretty serious for them to be willing to admit they know about it.)  And what to do if you&#8217;re an advertiser-supported website?  Not much.  You can lobby for net neutrality laws, or ban Charter customers outright (which will hurt you more than it hurts them.)  However, I would expect Google, DoubleClick, and other ad networks to start working on obfuscating their ads soon if more major ISPs embrace ad replacement.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2008/05/16/charter-communications-using-ad-replacer/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Ad Replacers Let Dan Kaminsky RickRoll the Entire Web</title><link>http://perimetergrid.com/wp/2008/04/23/ad-replacers-let-dan-kaminsky-rickroll-the-web/</link> <comments>http://perimetergrid.com/wp/2008/04/23/ad-replacers-let-dan-kaminsky-rickroll-the-web/#comments</comments> <pubDate>Thu, 24 Apr 2008 05:11:17 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[attacks]]></category> <category><![CDATA[legal]]></category> <category><![CDATA[society]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/?p=46</guid> <description><![CDATA[I&#8217;ve talked before about ad replacers, where ISPs dynamically edit the contents of web traffic for their customers, replacing ads on web sites with ads of their own. This is a threat to the business model of the internet, as if done on a wide scale it would render small, advertiser-supported websites unable to support [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>I&#8217;ve talked before about <a
href="http://perimetergrid.com/wp/2008/03/10/ad-replacers-and-the-future-of-the-internet/">ad replacers</a>, where ISPs dynamically edit the contents of web traffic for their customers, replacing ads on web sites with ads of their own.  This is a threat to the business model of the internet, as if done on a wide scale it would render small, advertiser-supported websites unable to support themselves.  It&#8217;s also difficult to fight, as it&#8217;s a variation of the Times Square effect (the fact that in any movie that shows Times Square, all the ads have been replaced with ads from the movie&#8217;s sponsors) &#8212; companies do it because it makes money and they have no contractual obligation <em>not </em>to.  About the only things that would stop it would be enough customers caring about it to make it a competitive advantage <em>not </em>to replace ads, or some sort of net neutrality law banning ad replacers.  The former isn&#8217;t too likely, because by and large customers hate all ads equally, and couldn&#8217;t care less <em>whose </em>ads they&#8217;re seeing.</p><p>Dan Kaminsky, however, gives us another reason to oppose ad replacers in his <a
href="http://www.doxpara.com/DMK_Neut_toor.ppt">latest presentation</a>, which he gave last week at Toorcon 10.  A bunch of ISPs (and I mean <em>big </em>ISPs &#8212; Comcast, Earthlink, Cox, Verizon, Qwest) decided that rather than replacing ads in live pages, they&#8217;d go after something less controversial &#8212; typos.  They set up their DNS servers to return ad servers run by a British company called Barefruit when a DNS lookup failed (rather than following the RFC and returning NXDOMAIN, the code for &#8220;no such domain.&#8221;)  This is similar to what Verisign SiteFinder did a couple years ago (SiteFinder was taken down after a storm of bad publicity), but instead of affecting the entire Internet (VeriSign did this on the root domain name servers), it only affects customers of the specific ISPs doing it.</p><p>The result is that if you mistype &#8220;www.google.com&#8221; as &#8220;www.gogole.com&#8221; or somesuch (actually, gogole.com is registered to Google, too, but it&#8217;s just an example) on one of these ISPs, you get a &#8220;site not found&#8221; page from Barefruit, filled with ads.  Doesn&#8217;t seem too harmful &#8212; after all, you&#8217;re still getting the error message, and seeing some ads never hurt anybody.</p><p>Except for one problem.  Dan Kaminsky found that the Barefruit page constructs the error message from an argument in the URL querystring (telling the server which site you were trying to hit, so it can say &#8220;Sorry, we couldn&#8217;t find an entry for www.gogole.com&#8221; or somesuch.)  This is <em>the </em>classic cross-site scripting vulnerability &#8212; you can just toss in some JavaScript in that URL, and when someone clicks a link to the corrupt URL, the JavaScript will execute in their browser.  
Normally, this is bad &#8212; a site with an XSS vulnerability can be used to carry out phishing attacks, where users are sent a link to a site (say, a bank), but clicking the link executes the attacker&#8217;s script and steals their credentials to the site.</p><p>When it happens in this ad replacer that&#8217;s based on DNS voodoo, though, it&#8217;s not just bad &#8212; it&#8217;s catastrophic.  The ad replacer page comes up for <em>subdomains</em>, too.  Not only does a typo of Google send you to the Barefruit site, so does trying to go to this-domain-does-not-exist.perimetergrid.com.  Since the Barefruit page comes up in response to a call to any bad subdomain, and the Barefruit page has a severe XSS vulnerability on it, this means that an attacker now has an XSS to work with on an arbitrary subdomain of every domain on the Internet.  A really insidious, intelligent attacker (e.g. Dan Kaminsky) can do terrible things with this.</p><p>Luckily, Dan is a nice guy, and instead only did ridiculous things with them, crafting links to <a
href="http://en.wikipedia.org/wiki/Special:Search?search=rickroll">RickRolled </a>versions of Facebook, MySpace, Apple, Microsoft, eBay, ToorCon, Fox News, etc.  However, he could have just as easily crafted links to GMail, Hotmail, Chase, Bank of America, Fidelity, and eTrade that steal your credentials when you click on them.</p><p>The presentation slides do not make it obvious what exactly his script does (presumably because Dan explained that out loud during the presentation.)  However, I can see from context how this attack works.  The attacker writes a script to exploit a given site, and then creates a link to a nonexistent subdomain containing the script.  They then send this out in a phishing email, or embed it in a hidden iFrame on a compromised site, and wait to receive credentials.  Any user who clicks on the link:</p><p
class="codeblock">http://evil-subdomain.gmail.com/index.html?aaa=bbb&amp;ccc=ddd&lt;script&gt;[long evil script file here]&lt;/script&gt;</p><p>gets sent to the Barefruit page, but with the attacker&#8217;s long evil script inserted into that page.  That script then takes over:</p><ol><li>The browser thinks that the script is running off of &#8220;evil-subdomain.gmail.com&#8221;, since that was the DNS query that (falsely) returned the Barefruit page.</li><li>The script sets document.domain to &#8220;gmail.com&#8221;.  Since it is on a subdomain of gmail.com, this is allowed under the same-origin policy, and the browser lets it happen.  The script is now permitted to script against gmail.com.</li><li>The script creates a frame that occupies the entire browser window (thus hiding the Barefruit page entirely) and loads the real gmail.com into the frame.</li><li>The script grabs document.cookie out of the frame.  Since the frame is gmail.com, and document.domain is set to gmail.com, this is permitted.  Document.cookie contains the user&#8217;s GMail credentials, or at least a session ID that will let the attacker in.</li><li>The script generates code to load a resource from the attacker&#8217;s malicious server, with the cookie contents in the resource value.  Loading a resource (e.g. an &lt;img src=&#8230;&gt; tag) is allowed on other domains, without the same-origin policy applying.</li><li>That resource doesn&#8217;t exist on the malicious server&#8217;s pages, of course&#8230; but now the user&#8217;s cookie is in the attacker&#8217;s server logs where he can retrieve it at his leisure.</li></ol><p>And what does the user see when this happens?  Just a normal load of the GMail login page.  And there&#8217;s nothing wrong with GMail in this example!  It could be any site, including online banking, shopping, etc.  There is nothing that the site &#8212; or the user &#8212; can do about it.  
Click a link or visit a malicious web page and the attacker steals your credentials to any site he wants.</p><p>All this is made possible because you&#8217;re on an ISP that is running an ad replacer, and that ad replacer contains a vulnerability.  The ad replacer turns a simple cross-site scripting vulnerability into a full compromise of <em>the entire Internet</em>.</p><p>Are you on Comcast, Earthlink, Cox, Verizon, or Qwest?  They&#8217;re some of the biggest ISPs in the nation, so probably so.  If so, be glad Dan Kaminsky found this simple, obvious XSS before some malicious hacker did, or that hacker could have been stealing credentials from half the Internet for months without detection.</p><p>&#8220;Without detection.&#8221;  Yeah, maybe Dan wasn&#8217;t the first one to find this.  We&#8217;ll never really know for sure.</p><p><em>This </em>vulnerability is fixed now &#8212; it was very straightforward, and Barefruit fixed it within hours.  But Barefruit isn&#8217;t the only ad replacer out there, and there will be more experiments like this in the future.  
Whether &#8220;net neutrality&#8221; becomes a law or not, it needs to be something we demand from our ISPs, or this won&#8217;t be the last internet-wide compromise we see.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2008/04/23/ad-replacers-let-dan-kaminsky-rickroll-the-web/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Surveillance and Ubiquity</title><link>http://perimetergrid.com/wp/2008/04/10/surveillance-and-ubiquity/</link> <comments>http://perimetergrid.com/wp/2008/04/10/surveillance-and-ubiquity/#comments</comments> <pubDate>Thu, 10 Apr 2008 18:07:08 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[anonymity]]></category> <category><![CDATA[hardware]]></category> <category><![CDATA[legal]]></category> <category><![CDATA[privacy]]></category> <category><![CDATA[risk]]></category> <category><![CDATA[society]]></category> <category><![CDATA[terrorism]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/?p=45</guid> <description><![CDATA[HexView has an article about tracking vehicles with RFID tire pressure monitors. The devices are found in tires and transmit tire pressure to the engine control module, which sounds innocuous enough, but to prevent modules from reading neighboring cars&#8217; tires by accident, they also transmit a unique ID. Thus, you can follow a car around [...]<p></p> ]]></description> <content:encoded><![CDATA[<p><a
href="http://www.hexview.com/sdp/node/44">HexView</a> has an article about tracking vehicles with RFID tire pressure monitors.  The devices are found in tires and transmit tire pressure to the engine control module, which sounds innocuous enough, but to prevent modules from reading neighboring cars&#8217; tires by accident, they also transmit a unique ID.  Thus, you can follow a car around town based on its ID, turning tire pressure monitors into tracking devices.</p><p>RFID devices are becoming more and more common, and this trend will continue &#8212; they&#8217;re too convenient for many purposes for the security risks around them to stop them.  You may not want every consumer good you buy to be tagged with an ID that lets people watch your shopping from 100 yards away, but the scenario of being able to check out at the grocery store by instantaneously scanning every item in your cart simultaneously is too compelling for people to resist.</p><p><a
href="http://www.schneier.com">Bruce Schneier</a> has a post on <a
href="http://www.schneier.com/blog/archives/2008/04/the_ineffective.html">the ineffectiveness of security cameras</a>, but while calling them ineffective, it does note that criminals moved their crimes to somewhere the cameras couldn&#8217;t see.  This may be &#8220;ineffective&#8221; for a government camera system designed to deter crime, but it&#8217;s <em>precisely</em> what privately-owned security cameras are meant to do &#8212; make a target unappealing so criminals go elsewhere.  This actually shows that cameras <em>do</em> deter crime&#8230; but only where they can see it.</p><p>However, both of these technologies can have pernicious effects, too.  The HexView article points out that you could use the RFID tire monitors to commit murder &#8212; set a bomb with a radio trigger that goes off when the &#8220;right&#8221; car drives over it.  It would also be just as useful to private investigators spying on citizens as it is to law enforcement chasing down criminals.  And speaking of law enforcement, these cameras create a dangerous imbalance in their favor &#8212; the camera evidence is all under their control, and thus can come up when needed to prove a perpetrator&#8217;s guilt yet be conveniently lost in cases of police brutality, abuse of power, corruption, etc.</p><p>This is an interesting time for surveillance &#8212; police and government surveillance ability is skyrocketing (London is practically blanketed in cameras at this point, as the British seem much less uncomfortable with them than Americans are) but it is still largely in the hands of authority figures.  This is dangerous because of how fast the change is coming &#8212; our criminal laws and sentencing structures are based on the principle that <em>most criminals get away with it</em>.  A $75 fine for speeding seems pretty reasonable, but what if that fine were levied every time a car hit 1 mph over the speed limit?  
Most of us would get fined a dozen times a day, every day, despite not even meaning to speed, because our behaviors are based on the idea that we probably won&#8217;t get caught and that even if we are, police are unlikely to punish us for very minor transgressions.  If people were caught for speeding <em>every time</em>, and fined <em>every time</em>, a $75 fine would be absurd &#8212; the fine could probably be under $1 and still bring in a few hundred dollars a month from every citizen.  What is the right legal structure here?  I can see two possibilities:</p><ul><li>Raise the speed limits to the speeds we really think no one should exceed, and continue to fine every time.  Maybe you should get charged every time you exceed, say, 85 on a highway or 55 on a city street.  Set them high enough that there&#8217;s no leeway required.</li><li>Leave the speed limits where they are but set the fine really low, say, $0.25 per minute of speeding.  This makes speeding discretionary &#8212; you can obey the law, or not, but if you choose not to you pay a penalty.  This is a fundamental change in the whole idea of crime and punishment, and itself has some pernicious consequences &#8212; it means that a certain income level can render you &#8220;above the law,&#8221; which is not a good thing.  Obviously some crimes (such as murder) should not be treated as discretionary, but for traffic violations it could make sense.</li></ul><p>It&#8217;s not just traffic laws that are like this; consider the War on Drugs.  If every person who ever smoked marijuana went to prison, we would have a nation of felons &#8212; there&#8217;d be few people left who could vote, get security clearances, hold most jobs, etc.  
The RIAA lawsuits against file-sharers are a good example of what happens when technology that catches everyone gets used to enforce laws designed under the assumption that only the worst and most flagrant criminals will be caught &#8212; people being hit by millions of dollars in fines for using technology to do something that wouldn&#8217;t even raise an eyebrow if done by old, physical means (e.g. posting a song on BitTorrent vs. handing it to a friend on a cassette tape.)</p><p>A surveillance society needs a different kind of jurisprudence &#8212; one that sets punishments that fit the crime even if applied every time.  On the bright side, actually doing this would lower crime rates tremendously due to the psychology of criminals.  Escalating punishments do little to deter crime because criminals are risk-seekers &#8212; they do not expect to get caught.  Even a small punishment can be a strong deterrent if applied every time &#8212; if criminals are usually caught, such that all criminals have some first-hand experience with being caught and punished, it would break this idea.  On the not so bright side, a surveillance society must have very liberal laws to avoid being a police state &#8212; our current legal system, applied to everyone every time, would result in tyranny.  We all break 10 laws a day; it&#8217;s only sloppy enforcement that allows us to live our lives.  Unfortunately, the technology for ubiquitous enforcement will come well before the legal system changes to make it livable.</p><p>What&#8217;s interesting to me is what will happen when surveillance becomes even more common: that is, when it is no longer monopolized by authority.  This has already started with cellular phones.  Almost everyone carries around a device which, while primarily for communication, contains a camera and often a voice recorder and video camera as well.  Everyone is equipped to carry out impromptu surveillance at any time.  Devices like <a
href="http://www.thinkgeek.com/gadgets/electronic/a0f3/">these glasses from ThinkGeek</a> (found via <a
href="http://feeds.feedburner.com/~r/boingboing/iBag/~3/266129101/camera-glasses-on-sa.html">BoingBoing</a>) coupled with the rapidly falling cost of storage capacity will change this to everyone <em>actually</em> carrying out impromptu surveillance <em>all </em>the time.  This will have a chilling effect on human behavior at first &#8212; would you act differently if you knew everyone around you was videotaping everything you did?  Everything you say can, indeed, be used against you, and not just in a court of law.  However, look at what young people put on MySpace and Facebook these days &#8212; the next generation <em>does not have the assumption of privacy</em>.  They&#8217;ve grown up in a world where they know everything goes on a permanent record, and have simply accepted it.  Sure, they&#8217;ll be occasionally shocked by it (e.g. the first time their party photos on MySpace disqualify them from a job), but the knowledge of permanence has not stopped them from sharing themselves, and eventually the rest of us will adjust, too.</p><p>Consider what the democratization of surveillance does to government power.  When we&#8217;re all recording, someone is watching the watchers.  Corruption, abuse of power, etc. all rely on the fact that authority figures can get away with crimes because they are more reliable witnesses in court than their victims are.  When everything is on the record &#8212; and not just the official record, but <em>everyone&#8217;s </em>record &#8212; police and government officials become compelled to act within the law.  While this may not be much of an impediment in truly totalitarian societies like China where the courts are as corrupt as everyone else, it&#8217;s a very strong bulwark of freedom in any society with an independent judiciary and a liberal tradition like the United States and Europe.  
This is the next generation of surveillance &#8212; everyone sucking in light and sound from their glasses, or lapel pens, or even <a
href="http://uwnews.org/article.asp?articleid=39094">contact lenses</a>, recording every moment of their lives on multi-terabyte devices that fit in their pockets.  It&#8217;s probably only 5-7 years away, and it washes away the current problems of a surveillance society and replaces them with new ones.</p><p>I think this cycle will continue for some time.  After all, once we&#8217;re past the era of democratized surveillance, computer graphics and artificial intelligence technology will improve to the point that ordinary people can modify their recordings to create perfect video of events that never happened, indistinguishable from the real thing.  What happens to recordings in law courts then, when they cease to be reliable evidence and become hearsay?  Tapes will become the new eyewitnesses, known to be unreliable and requiring corroboration from others.  When it becomes truly easy to make forged video, perhaps we will have emerged from the surveillance society from the other side &#8212; why bother to record anything when there&#8217;s no way to tell if it&#8217;s real?  Sometimes the only way out is through.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2008/04/10/surveillance-and-ubiquity/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Mom lets 9-year-old take subway home alone!</title><link>http://perimetergrid.com/wp/2008/04/03/mom-lets-9-year-old-take-subway-home-alone/</link> <comments>http://perimetergrid.com/wp/2008/04/03/mom-lets-9-year-old-take-subway-home-alone/#comments</comments> <pubDate>Thu, 03 Apr 2008 17:22:48 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[risk]]></category> <category><![CDATA[society]]></category> <category><![CDATA[statistics]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/2008/04/03/mom-lets-9-year-old-take-subway-home-alone/</guid> <description><![CDATA[The Today Show has a cover story today entitled &#8220;Mom lets 9-year-old take subway home alone.&#8221; The controversy over this &#8212; that is, the fact that there is any &#8212; is a wonderful example of how poorly people assess risk in modern society. What this woman, Lenore Skenazy, has done to stir up trouble is [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>The Today Show has a <a
href="http://www.msnbc.msn.com/id/23935873/">cover story </a>today entitled &#8220;Mom lets 9-year-old take subway home alone.&#8221;  The controversy over this &#8212; that is, the fact that there is any &#8212; is a wonderful example of how poorly people assess risk in modern society.  What this woman, Lenore Skenazy, has done to stir up trouble is to make a decision about her child based on reason rather than emotion (specifically fear) &#8212; something that seems frighteningly uncommon today.  As she puts it:</p><blockquote><p>“It’s safe to go on the subway,” Skenazy replied. “It’s safe to be a kid. It’s safe to ride your bike on the streets. We’re brainwashed because of all the stories we hear that it isn’t safe. But those are the exceptions. That’s why they make it to the news. This is like, ‘Boy boils egg.’ He did something that any 9-year-old could do.”</p></blockquote><p>She&#8217;s right.  Most of us in our 30s today remember growing up in the 1980s &#8212; and it involved riding your bike across town, visiting neighbors, and being unattended for relatively long periods of time.  Of course there were unsafe <em>areas </em>&#8212; there were parts of cities where people alone really <em>aren&#8217;t </em>safe &#8212; but these are the exceptions rather than the rule.  Today, most parents seem to live in fear, convinced that there are criminals lying in wait to abduct children everywhere.  It simply isn&#8217;t the case &#8212; it never has been, and crime rates are lower today than they were in the 80s!  We have not gotten any less safe; we have simply become so afraid that we <em>think </em>we&#8217;re less safe.  And this culture of fear is damaging and contagious:</p><blockquote><p>“Half the people I&#8217;ve told this episode to now want to turn me in for child abuse. As if keeping kids under lock and key and helmet and cell phone and nanny and surveillance is the right way to rear kids. It&#8217;s not. 
It&#8217;s debilitating — for us and for them.”</p></blockquote><p>There are a variety of reasons that people believe that their children are under constant threat.  Among them are:</p><ul><li>Vividness criterion: shocking anecdotes stick in our memory more than statistics, and they attract our attention.  This is both why the media reports on every bad thing happening to a child, and why we remember them.</li><li>Availability bias: when determining how frequently something happens, rather than turning to statistics we turn to how many cases of it we can remember.  Since the news reports on <em>every </em>plane crash, but almost <em>no</em> auto accidents, we think of air travel as riskier even though we know the statistics show differently.  Since in this age of pervasive news reporting we <em>hear about </em>crime more often, crime must be more common, even though the statistics show differently.</li><li>Fundamental attribution error: when something happens, we tend to overestimate behavioral causes.  So when a child is hurt, we assume the parents <em>did something wrong, </em>even if the event is random and exceedingly rare.</li><li>We overestimate risks from <em>intentional </em>causes and underestimate risks from <em>natural </em>causes. This is probably related to the vividness criterion &#8212; someone deliberately hurting a child is more shocking than the child being hurt in a bike accident.  The result is that we expect people to be malicious a lot more often than they are, and we think children are more likely to be hurt by criminals than by illness or car accident, once again despite statistics showing otherwise.</li></ul><p>In truth, the violent crime rate today in the United States is <em>less than half </em>of what it was in the 1980&#8242;s!  Most of our burgeoning prison population consists of nonviolent drug offenders, and most violent crime occurs in geographically delimited areas.  
Skenazy is right &#8212; the streets and subways of New York City are as safe as they were in 1963.  Crime against children is even lower &#8212; the simple fact is that the overwhelming majority of humanity doesn&#8217;t want to hurt kids and is inclined to help and protect them.</p><p>It&#8217;s sad how many normal childhood experiences have been lost to this obsession with safety from small risks &#8212; just try to buy a chemistry set today even as an adult and compare it with what was available to young children 20 years ago (or to what&#8217;s in <em>The Golden Book of Chemistry Experiments</em>, now available pretty much only via <a
href="http://www.mininova.org/search/?search=The+Golden+Book+of+Chemistry+">BitTorrent</a>, which begins by teaching children to use an alcohol burner to shape glass tubing.  Today, a children&#8217;s chemistry set would never be allowed to contain an alcohol burner&#8230; or glass tubing.)</p><p>The key is this:</p><blockquote><p>‘The statistics show that this is an incredibly rare event, and you can&#8217;t protect people from very rare events. It would be like trying to create a shield against being struck by lightning.’ ”</p><p>She said that people ask her how she would feel if one of those terrible and rare events happened to her son. &#8220;It would be horrible,” she said. “But you can’t live your life that way; you could slip in the shower.”</p></blockquote><p>When faced by <em>extremely low risks</em>, the rational response is sometimes to <em>disregard them</em>.  Sometimes the response to fear of something is, in aggregate, worse than the thing itself.  We of course do the same thing with terrorism, and these same biases cause us to misallocate security dollars in industry, too (how many companies have tens of thousands of dollars in firewall and IDS hardware, but no disaster recovery plan?)</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2008/04/03/mom-lets-9-year-old-take-subway-home-alone/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Broadband Steps Backwards</title><link>http://perimetergrid.com/wp/2008/01/23/broadband-steps-backwards/</link> <comments>http://perimetergrid.com/wp/2008/01/23/broadband-steps-backwards/#comments</comments> <pubDate>Wed, 23 Jan 2008 17:49:15 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[legal]]></category> <category><![CDATA[networks]]></category> <category><![CDATA[piracy]]></category> <category><![CDATA[society]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/2008/01/23/broadband-steps-backwards/</guid> <description><![CDATA[The recent news from broadband providers seems to be all about how to make their product less appealing to customers. First of all, the AP reports that AT&#38;T is still considering filtering backbone traffic. They say they&#8217;ve noticed the massive amount of copyrighted data being shared over P2P networks, and feel a need to do [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>The recent news from broadband providers seems to be all about how to make their product less appealing to customers.</p><p>First of all, the AP reports that <a
href="http://ap.google.com/article/ALeqM5g0ySrafwZ3OnGSnsi1-fHB7OMhfwD8UBLMK80">AT&amp;T is still considering filtering backbone traffic</a>.  They say they&#8217;ve noticed the massive amount of copyrighted data being shared over P2P networks, and feel a need to do something about it &#8212; &#8220;It&#8217;s like being in a store and watching someone steal a DVD. Do you act?&#8221;  However, I think it&#8217;s likely that this is not just AT&amp;T having an attack of conscience (not exactly something Ma Bell is known for), but rather AT&amp;T being pressured by the usual suspects, the MPAA and RIAA.</p><p>They&#8217;re looking at this as a security problem &#8212; how do we stop unauthorized traffic (piracy) while allowing authorized traffic?  From this perspective, it&#8217;s tractable &#8212; the technology exists to do it, albeit clumsily (you either miss a lot of piracy or you throw out a lot of legitimate traffic.)  However, this is more than a security problem &#8212; there are legal and business problems here that in my opinion should overwhelm the security concern.</p><p>I&#8217;m surprised that AT&amp;T is actually considering it.  Currently, AT&amp;T is shielded from lawsuits over content carried over their network by having &#8220;common carrier&#8221; status &#8212; they do not discriminate based on content.  If they begin discriminating based on content, they may cut down on music and movie piracy &#8212; <em>but they also render themselves vulnerable to being held liable for what music and movie piracy does occur</em>.  Perhaps the MPAA and RIAA have offered to indemnify AT&amp;T in exchange for its help with the filtering.  There is another problem with filtering, though &#8212; AT&amp;T&#8217;s Internet backbone lines carry a staggering amount of traffic, so any kind of filtering would of necessity have to be very rudimentary or the processing power requirements would be enormous.  
Essentially, they would have to do something like what Comcast did with the Sandvine system &#8212; just interfere with all BitTorrent (or other P2P) traffic, without making any attempt to differentiate between legal and illegal content.</p><p>Perhaps AT&amp;T has another ulterior motive, though &#8212; P2P traffic represents an increasing proportion of all Internet traffic, at this point more than half.  If killing P2P would drop AT&amp;T&#8217;s bandwidth requirements by 60% while not affecting their revenue, this would have to be tempting for the corporation.</p><p>The increasing amount of P2P traffic is causing another major Internet company to consider sabotaging their own business &#8212; Time-Warner Cable. <a
href="http://arstechnica.com/news.ars/post/20080122-shooting-yourself-in-the-foot-time-warners-usage-caps.html">Ars Technica reports</a> that Time-Warner is considering switching to metered rates, where users pay different amounts based on how much bandwidth they are using.  They&#8217;re undoubtedly considering this due to the public&#8217;s reaction to Comcast&#8217;s filtering of P2P traffic (outrage and lawsuits.)  Cable companies are in a bind &#8212; they built their networks under the assumption that traffic is extremely asymmetric &#8212; many users send small amounts of traffic (requests, acknowledgments) to centralized servers which respond with large amounts of traffic.  This made sense when almost all Internet traffic consisted of web pages, but P2P networks destroy this assumption, with each user uploading as much as, or more than, they download.  Essentially, with P2P everyone is a server, and the cable companies simply can&#8217;t handle this without massive, expensive upgrades to their entire infrastructure.  Their problem is one of failure to plan &#8212; they didn&#8217;t see this coming, and spent billions of dollars in capital building the wrong network.  Even without piracy, P2P would be an increasing proportion of Internet traffic today &#8212; the world has changed, and it won&#8217;t be changed back again.</p><p>On one hand, metered pricing is fair.  Right now, the people who use P2P are getting their Internet connections below-cost &#8212; we&#8217;re unprofitable for the ISPs, who can only support us because the masses of people who do nothing but occasional web-surfing are so profitable that they subsidize P2P users and result in an overall profit for the ISP.  ISPs can afford to offer &#8220;unlimited&#8221; broadband only so long as they can be sure almost no one will use it.  With metered pricing, heavy users pay for their heavy use, and light users can pay less since they don&#8217;t have to subsidize the heavy users.  
On the other hand, there&#8217;s a problem &#8212; customers despise metered pricing, especially when they&#8217;re used to flat-rate.  In the 90&#8242;s, phone companies experimented with metered local service, and it was outrageously unpopular even with people whose phone bills <em>decreased </em>as a result.  Sure, they were paying less, but now they felt <em>limited</em>.</p><p>Switching to metered pricing will indeed save money.  However, it will do so by driving away customers, starting with the unprofitable heavy users.  Perhaps this is intentional &#8212; banks set up their fee structures to drive away unprofitable customers, too, so it&#8217;s not unprecedented.  But in the long run, P2P use is increasing, and the old usage patterns are decreasing &#8212; if the networks don&#8217;t adapt to this, eventually they&#8217;ll have no customers left.  Competitors like Verizon FiOS, which (due to a fiber-optic last mile) don&#8217;t need to limit upstream bandwidth and have been built in the modern P2P world will kill off any network that tries to live in the past.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2008/01/23/broadband-steps-backwards/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>The Resilient Society, and How Not To Build It</title><link>http://perimetergrid.com/wp/2008/01/16/the-resilient-society-and-how-not-to-build-it/</link> <comments>http://perimetergrid.com/wp/2008/01/16/the-resilient-society-and-how-not-to-build-it/#comments</comments> <pubDate>Wed, 16 Jan 2008 23:44:15 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[legal]]></category> <category><![CDATA[risk]]></category> <category><![CDATA[society]]></category> <category><![CDATA[terrorism]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/2008/01/16/the-resilient-society-and-how-not-to-build-it/</guid> <description><![CDATA[Today I found a link to an article by my least-favorite current presidential candidate, Rudy Giuliani. I was expecting a cavalcade of fear-mongering &#8212; his usual stock in trade &#8212; but discovered to my surprise an article entitled &#8220;The Resilient Society.&#8221; This gave me pause, as resilience is precisely what I believe must be the [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>Today I found a link to an article by my least-favorite current presidential candidate, Rudy Giuliani.  I was expecting a cavalcade of fear-mongering &#8212; his usual stock in trade &#8212; but discovered to my surprise an article entitled <a
href="http://www.city-journal.org/2008/18_1_homeland_security.html">&#8220;The Resilient Society.&#8221;</a> This gave me pause, as <em>resilience</em> is precisely what I believe must be the necessary societal response to the distributed threat of terrorism.  Security must be divided into prevention, detection, response, and recovery &#8212; resilience is the ability to quickly recover from attack at as low a cost as possible.  Resilience is the difference between a society changing its entire way of life in response to a terrorist attack vs. society being able to return quickly to normalcy, thus making itself impossible to terrorize.  I was not expecting to hear about resilience from Rudy Giuliani &#8212; after all, this is the one aspect of national security that cannot be centralized around an all-powerful government (Giuliani&#8217;s obvious goal), but rather relies on the distributed strength of every citizen.  Was I about to actually <em>agree </em>with an article by Giuliani?</p><p>It turns out that I had nothing to worry about.  Despite its title, there are only four paragraphs about resilience in the 41-paragraph article, and even those are wrong.</p><p>So what does Giuliani think must be done to defend a society from terrorism?  Primarily a command-and-control response process combined with offensive attacks on the sources of terrorism.</p><p>With regard to prevention, Giuliani favors deployment of massive detection nets to fight against the attacks we&#8217;ve already faced &#8212; radiation and biohazard detectors at every port and point of entry.  The cost-benefit ratio of this would be astronomically poor; as a free society with mostly open borders, there are a phenomenal number of entry points to the United States, and only very rarely (possibly never, so far, though the government would not be likely to tell us if it <em>did </em>happen) does anyone try to smuggle weapons-grade nuclear material or biological weapons through it.   
This isn&#8217;t to say that these measures would do <em>no </em>good, but they protect only against specific attacks and are obvious.  They signal to terrorists &#8220;you can&#8217;t bring a nuclear or biological weapon through a shipping container in a port,&#8221; thus letting them know they should instead a.) use conventional weapons, b.) acquire nuclear/biological materials already inside the United States, or c.) enter via uncontrolled border space.  If I, in three minutes, can think of three easy ways around a measure that will take billions of dollars to implement, it&#8217;s not very cost-effective.</p><p>He discusses the difficulties in information sharing between law enforcement and military agencies, clearly seeing these as an unalloyed negative.  He&#8217;s right that there have been clear communications breakdowns, where these organizations had information that they were legally free to share, but chose not to out of myopia or the desire to preserve the institutional sovereignty of their silo.  Despite the Central Intelligence Agency being founded to ensure all military and civilian intelligence agencies share information, it has in many cases become the most isolated hoarder of information of them all, and this is a problem.  However, in other cases the obstacles to information-sharing are the civil liberties guaranteed by the Constitution.  Giuliani has no issue with sweeping these away &#8212; this is, after all, the person who claims &#8220;Freedom is about authority. Freedom is about the willingness of every single human being to cede to lawful authority a great deal of discretion about what you do. You have free speech so I can be heard.&#8221;  (<a
href="http://query.nytimes.com/gst/fullpage.html?res=9A01E2D9173CF933A15750C0A962958260">That quote is not taken out of context in any way.</a> He did not, however, go on to add &#8220;War is Peace.  Freedom is Slavery.  Ignorance is Strength.&#8221;)</p><p>Judicial oversight is not inimical to detecting and stopping international terrorism.  Judges do not want terrorist attacks to happen, either; these protections exist to ensure that normal people are able to live their lives without constant monitoring. <em>Surveillance is not unintrusive</em>.  Command-and-control executives like Giuliani think that it does not matter if people are being watched, as only the &#8220;bad guys&#8221; will be prosecuted, but this simply isn&#8217;t true.  First of all, <em>people change their behavior when they know they&#8217;re being watched</em>.  It has a chilling effect not just on actual criminal behavior, but also on any behavior that people consider &#8220;socially unacceptable.&#8221;  Surveillance drives everyone toward the mainstream center of society, homogenizing them; it creates the very opposite of a free society.  (For a chilling illustration of this, I highly recommend Charles Stross&#8217;s sci-fi novel <a
href="http://www.amazon.com/Glasshouse-Charles-Stross/dp/B000X1P48E/ref=pd_bbs_sr_1?ie=UTF8&amp;s=books&amp;qid=1200523974&amp;sr=8-1"><em>Glasshouse</em></a>, one of the best and most terrifying books I&#8217;ve ever read, though it requires a high tolerance for transhumanist concepts.)  Second, who watches the watchers?  Even if Giuliani&#8217;s motives are pure (they&#8217;re not), and he wants to use these tools of warrantless surveillance, imprisonment without trial, etc. only against international terrorists, no one can possibly believe the entire law enforcement apparatus of a 300-million-person nation is entirely free of corruption and petty tyranny. <em>Security has a cost</em> &#8212; Giuliani looks only at how these measures benefit security, ignoring their unintended consequences.  Security is of limited value &#8212; a terrorist attack is tragic but it does not end the world.  We must not embrace &#8220;security at any cost&#8221; &#8212; instead we must consider security at a cost that we can bear, and most importantly, not allow the cost of security to exceed the cost of terrorism.</p><p>Giuliani also wants a &#8220;good Samaritan&#8221; law for people who report suspicious activity, protecting them from lawsuits.  This is a terrible idea.  Lawsuits are there to provide a cost for making a false or frivolous report &#8212; people will still report the man walking down the street with a pile of dynamite, but they&#8217;ll think twice about reporting possibly-suspicious but almost certainly innocuous activity, like speaking Arabic in an airport, or loitering in a parking lot.  Making reporting costless means you&#8217;ll get an inevitable excess of it, resulting in both the chilling effect of universal surveillance and a waste of law enforcement&#8217;s time.  When people are encouraged to report everything unusual, you drown in reports and make people paranoid.  
This teaches people to react to the unknown with fear &#8212; that is, it accomplishes precisely what terrorists aim to accomplish.  People reporting suspected terrorist activities should not be <em>immune </em>from lawsuits; rather, courts should decide whether the report was reasonable and take appropriate action.  Often the reporters should be held blameless, having had a reasonable reaction that turned out to be incorrect, but doing so <em>automatically </em>makes filing false reports a simple way for private citizens to use the nation&#8217;s law enforcement apparatus as a means for private revenge.</p><p>Giuliani also calls for &#8220;tamper-proof biometric ID cards&#8221; for all non-citizens.  As a security professional I can&#8217;t help but chuckle when anyone uses the word &#8220;tamper-proof.&#8221; But there&#8217;s nothing terribly <em>wrong </em>with this&#8230; except that it doesn&#8217;t do any good.  We already know when people enter the country legally, and we identify them then; if they sneak in, they&#8217;re not going to have a &#8220;tamper-proof biometric ID card&#8221; any more than they have a regular ID card now.  In addition, identity alone does not provide security.  The fact that you know who someone <em>is </em> does you little to no good if he does not have a background in committing terrorist acts.  And if he has a background in committing terrorist acts, why would you hand him a &#8220;tamper-proof biometric ID card?&#8221; Just deport him!</p><p>Giuliani supports fences around borders and stepping up guards, but claims to want to avoid turning the nation into a &#8220;fortress&#8221; in order to &#8220;deepen the connections between America and the Islamic world that will prove essential in prevailing over radical Islamic extremism.&#8221;  On one hand, he&#8217;s on to something there &#8212; the only way to truly prevent terrorism is to eliminate the <em>motivation </em>for terrorism.  
Otherwise, 100% prevention is impossible &#8212; total prevention requires that you succeed <em>every </em>time, while the villains only have to succeed once.   On the other hand, he simultaneously advocates precisely the foreign policy that creates that motivation &#8212; worldwide interventionism and American control and support of often-corrupt foreign governments.  Now, the fact that a given policy makes people want to kill you doesn&#8217;t necessarily mean that that policy is <em>wrong </em>&#8211; but it is a <em>cost </em>of that policy that must be taken into account, and to claim that it will not have this effect is disingenuous.</p><p>Stepping up epidemiological surveillance and data gathering is the one good idea Giuliani has.  Not only would it be helpful to detect bioterror attacks, but more importantly, it can help detect and contain natural pandemics.  The emergence of a serious disease threat at some point in the future is a certainty, and unlike surveillance of people&#8217;s activities, this sort of surveillance has very little civil liberties cost.</p><p>Giuliani is obviously very proud of New York&#8217;s CompStat method of crime detection and prevention, given his desire to apply the same methodology to everything.  For terrorism and border control, it makes some sense, as these are essentially law enforcement problems with a lot of parallels.  However, for emergency preparedness it does not.  Dividing up funding based on &#8220;need&#8221; determined by a statistical formula is absolutely certain to result in &#8220;gaming the system.&#8221;  Emergency preparedness must be decentralized; there is no way for the Federal government to take care of it on a nationwide basis, or even to effectively coordinate and monitor it.  Fundamentally, preparedness requires having appropriate materials on site and appropriate plans made, and no one can make those plans from afar.</p><p>Finally, Giuliani gets to the putative subject of the essay, resilience.  
He says, rightly, &#8220;Government should harness the inherent strength of the American people and the private sector in order to build a society that may bend—but not break—if catastrophe does strike.&#8221;  It is somewhat ironic to hear this from Giuliani, who has just spent the preceding 30 paragraphs calling for increased central control of everything.  His entire resilience proposal is as follows:</p><ul><li>Create government-organized response teams of private citizens who have been trained and equipped by government to respond to disaster,</li><li>Pass a law shielding people from lawsuits if they are trying to help in disaster response, and</li><li>Set government standards for how businesses, citizens, and charitable organizations should respond to disasters.</li></ul><p>Ah, for every problem a government solution.  This is precisely what resilience <em>isn&#8217;t</em>.  A resilient society is one that responds to and recovers from disaster <em>on its own</em> &#8212; one that is not broken by disaster but continues to function mostly unchanged.  The model of a resilient society is England during the IRA period: terrorist attacks happened, and <em>life went on largely unchanged</em>.</p><p>Western society is still phenomenally resilient, but not as much as it once was. You cannot build a resilient society using only government.  A resilient society comes from a variety of factors, and these can do more to protect against the impact of terrorism than any technological or centralized security measure.  They include:</p><ul><li>A culture of hope.  People have to believe that every terrorist attack is an aberration, and that life will return to normal.  This is what prevents a localized disaster from having repercussions on an entire nation for years to come; without this, with a culture of fear instead, the damage of a terrorist attack is multiplied a hundredfold.</li><li> A citizenry that trusts itself.  
People must believe they are competent to solve their own problems, so the first reaction to a disaster is not &#8220;how will I get help,&#8221; but rather &#8220;what do <em>I </em>need to do?&#8221;  Government cannot save everyone; if the able-bodied and passably intelligent people save <em>themselves, </em>government is freed up to help those who genuinely need it, and not simply those who abrogated their responsibility to plan.</li><li>A populace that cares for others while still expecting them to take care of themselves.  When disasters like Hurricane Katrina or 9/11 occur, there is an outpouring of charity from the populace to help.  It doesn&#8217;t take government to solicit this; general benevolence will do, the desire to help <em>anyone </em>hurt by a disaster rather than using disaster as an impetus to hoard more for yourself and your tribe.  However, people also must recognize the limits of charity, and be willing to go back to their own lives as time passes.</li></ul><p>All of these are cultural shifts; we can&#8217;t impose them, and as Giuliani is running for head of government, it makes sense for him to talk about government actions.  However, the statements he&#8217;s making are precisely what <em>damages </em>resilience.  When all we hear from government is how they are expecting impending doom, and how government will save us when it happens, it does not teach us to have hope, trust ourselves, and help others!  It teaches us to always anticipate disaster, do nothing and wait for help when it happens, and expect the government to do all the helping.  
Regardless of what the government <em>does, </em>this rhetoric from our politicians itself reduces the resilience of our society.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2008/01/16/the-resilient-society-and-how-not-to-build-it/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>New Legislation: SAFE and PRO IP</title><link>http://perimetergrid.com/wp/2007/12/07/new-legislation-safe-and-pro-ip/</link> <comments>http://perimetergrid.com/wp/2007/12/07/new-legislation-safe-and-pro-ip/#comments</comments> <pubDate>Fri, 07 Dec 2007 22:47:40 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[dmca]]></category> <category><![CDATA[legal]]></category> <category><![CDATA[piracy]]></category> <category><![CDATA[society]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/2007/12/07/new-legislation-safe-and-pro-ip/</guid> <description><![CDATA[There has been some controversy over two new security-related bills in the United States Congress right now: the SAFE Act and PRO IP. The SAFE Act (Secure Adolescents From Exploitation Online; another case where the acronym almost certainly came first) aims to protect children and teenagers from exploitation by increasing enforcement of child pornography laws.  [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>There has been some controversy over two new security-related bills in the United States Congress right now: the SAFE Act and PRO IP.</p><p>The SAFE Act (Secure Adolescents From Exploitation Online; another case where the acronym almost certainly came first) aims to protect children and teenagers from exploitation by increasing enforcement of child pornography laws.  Not, on the surface of it, a bad thing.  The controversy comes from its means: it requires anyone operating an internet service to report not just actual child pornography, but also fully-clothed minors in &#8220;lascivious poses&#8221; (whatever that means) and any &#8220;drawing, cartoon, sculpture, or painting&#8221; consisting of an obscene depiction of minors.  This troubles people for two reasons: first of all, due to the vagueness of what is prohibited (can you tell if a drawing, cartoon, sculpture, or painting is of a 17-year-old or an 18-year-old?), and second, because of the apparent requirement that providers monitor all their traffic in order to make these reports.</p><p>According to <a
href="http://www.news.com/8301-13578_3-9829759-38.html">C|Net News</a>, the monitoring requirement would apply to anyone providing an open Wi-Fi node, such as coffee shops, restaurants, and even homes that simply don&#8217;t choose to encrypt their Wi-Fi, in addition to social networking sites, web-based email providers, domain name registrars, etc.  Were the bill interpreted in this way, this would place an impossible burden on any provider of connectivity &#8212; there is no automated way to scan the traffic of all your subscribers for vaguely-defined unlawful depictions of fictional minors; you would need to have a person manually inspect all the traffic, which is obviously impossible at any scale (not to mention a terrible privacy invasion.)</p><p>However, I think that this is an overly alarmist reading of the bill.  It&#8217;s certainly not the author&#8217;s intent (indeed, <a
href="http://www.news.com/8301-13578_3-9830648-38.html">Rep. Rick Lampson&#8217;s office has responded</a> to the C|Net article) for the bill to apply to every small Wi-Fi provider, though author&#8217;s intent is often beside the point once a law is passed.  More importantly, though, the bill does not mandate surveillance or detection at all &#8212; it mandates reporting <em>if </em>child pornography (or something that kind of sort of looks like it) is detected.  In other words, it forbids finding out about illegal activity and looking the other way; it does not mandate actually looking for it.  I think that Ars Technica has a <a
href="http://arstechnica.com/news.ars/post/20071206-safe-act-wont-turn-mom-and-pop-shops-into-wifi-cops.html">much more balanced article</a> about the bill.  Overall, I think it&#8217;s feel-good &#8220;for the children&#8221; legislation that won&#8217;t accomplish much (ISP&#8217;s are already required by law to report child pornography if they detect it, this just raises the penalties and expands the definition), and that prohibiting fictional depictions of children where no actual children are involved is a poor idea from a legal standpoint (since it is very open to abuse by subjective interpretations of judges, prosecutors, and jurors), but that this bill, if it passes &#8212; which is likely &#8212; will not impose a serious technical burden on service providers.</p><p>Meanwhile, the <a
href="http://www.eff.org/deeplinks/2007/12/pro-ip-act-increase-infringement-penalties-and-drastically-expand-government-enfor">Electronic Frontier Foundation</a> reports on the <a
href="http://judiciary.house.gov/newscenter.aspx?A=887">PRO IP Act</a> (&#8220;Prioritizing Resources and Organization for Intellectual Property (PRO IP) Act of 2007&#8221; &#8212; doesn&#8217;t anyone ever just name a bill and <em>then </em>come up with the acronym anymore?), which aims to fight copyright infringement in the typical ineffective way, presumably to shore up the music industry&#8217;s failing business model.  It increases penalties for peer-to-peer file sharing from their current ridiculous levels (which build animosity toward the recording industry via outlandish million-dollar damages levied against ordinary university students) to new even more ridiculous levels, while also creating a new $25 million federal bureaucracy to step up copyright enforcement.</p><p>Having a copyright system is important.  However, you would think that by now the music industry would realize that if suing customers for $250,000 does not stop piracy, the problem is not that they&#8217;re not suing them for enough money, and stepping up the penalties will have no effect.  People believe either a.) that they&#8217;re not doing anything wrong or illegal, or b.) that they&#8217;re extremely unlikely to get caught (this latter belief being true.)   In order to change this, they&#8217;ll need to either offer a legal alternative that at least approaches the convenience and usability of illegal downloading (which you would think would not be a high bar &#8212; BitTorrent is not very convenient) and is affordable for broad categories of consumers, or they&#8217;ll need to <em>decrease </em>the penalties while <em>increasing </em>the percentage of people who get caught.</p><p>With regard to the former, coming up with a pricing model seems to be their stumbling block.  Some customers buy several CDs a month, spending $100 or more on music.  These customers would love a monthly-fee option, and would pay a substantial amount for unlimited downloads.  
Other customers buy one CD in a great while, and a subscription model is terrible for them &#8212; and thus they prefer individual song downloads like iTunes.  All customers hate DRM, as it prevents them from using music in ways we now take for granted (e.g. playing on multiple devices.)  What the music industry is doing now is akin to the government trying to win the War on Drugs by dropping defoliant in Colombia while doing nothing to reduce local demand &#8212; if the demand for illegal material exists, an infrastructure will spring up to fill it.</p><p>With regard to the latter, the recording industry faces a backlash when they impose penalties that vastly outstrip the perceived seriousness of the crime.  People have an idea of what fair use entails, and anything you could do with a tape recorder in the 1980s pretty much fits in that category.  Thus, multi-million-dollar prosecutions of parents and students seem grossly unfair.  However, people also know that &#8220;everyone&#8221; shares files, yet we only occasionally hear about these huge lawsuits, and thus people assume it won&#8217;t happen to them.  The only people who <em>believe </em>they&#8217;ll get caught for file-sharing are those that <em>already have</em>.  However, if being caught file-sharing leads to financial ruin, this must of necessity be only a very small percentage.  If university students got caught by the thousand file-sharing and got fined $100 for it, they might consider legal alternatives a better option after a fine or two.</p><p>All this said, I think the future will eventually be in DRM-free downloads, and that that future will result in less profit both for recording companies (which may die entirely) and for hit artists (though it will result in substantially <em>more </em>profit for well-known local and regional acts, or less-popular national acts, which currently get almost nothing from the &#8220;star&#8221; system of the recording industry.)  
It&#8217;s understandable that the recording industry and the most-successful recording artists want to fight this future, but I don&#8217;t see any way that continuously stepping up penalties for actions taken by half the American population is going to do it.</p><p>As for creating a new federal bureaucracy to fight copyright infringement, having law enforcement involved in what is essentially a civil matter (as copyright should be) is always dangerous, because it eliminates risk and return from the equation.  When something is a civil matter, the injured party must decide that it&#8217;s <em>worth its while</em> to pursue a given enforcement action.  Industrial-scale piracy would certainly be worth a lawsuit; a university student running Kazaa probably isn&#8217;t.  However, when the injured party can simply ask the government to use taxpayer dollars to go after infringers, then why not go after everyone?  It doesn&#8217;t cost <em>them</em> anything; instead <em>we</em> get to pay for it.</p><p>DRM is a dead end; as a trusted-client problem, it is unsolvable.  I think this &#8220;get tough&#8221; legislative approach is a dead end as well.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2007/12/07/new-legislation-safe-and-pro-ip/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Backdoored PRNGs from the NSA</title><link>http://perimetergrid.com/wp/2007/11/16/backdoored-pnrgs-from-the-nsa/</link> <comments>http://perimetergrid.com/wp/2007/11/16/backdoored-pnrgs-from-the-nsa/#comments</comments> <pubDate>Fri, 16 Nov 2007 17:37:50 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[crypto]]></category> <category><![CDATA[legal]]></category> <category><![CDATA[privacy]]></category> <category><![CDATA[society]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/2007/11/16/backdoored-pnrgs-from-the-nsa/</guid> <description><![CDATA[Bruce Schneier has an article at wired.com about the new government-sponsored official standards for random number generators in NIST Special Publication 800-90.&#160; Apparently, it&#8217;s possible that one of them contains a back-door for the NSA; depending on how the constants in the algorithm were chosen, the NSA may have another set of constants that let [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>Bruce Schneier has <a
href="http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115">an article at wired.com</a> about the new government-sponsored official standards for random number generators in <a
href="http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf">NIST Special Publication 800-90</a>.&nbsp; Apparently, it&#8217;s possible that one of them contains a back-door for the NSA; depending on how the constants in the algorithm were chosen, the NSA may have another set of constants that let them predict the &#8220;random&#8221; numbers generated by the algorithm.</p><p>To people not very familiar with cryptography, it may seem odd that random number generators are very significant.&nbsp; However, all modern key-based cryptography is based on having a source of entropy (true randomness) &#8212; somewhere it can get a key that is unlikely to be guessed or otherwise determined.&nbsp; When we talk about &#8220;40-bit&#8221; or &#8220;128-bit&#8221; encryption, we&#8217;re really talking about the key length, which provides an upper bound on available entropy.&nbsp; Ideally, cryptography would be based on true random numbers, for which every bit of number is a bit of entropy.&nbsp; However, true random numbers have to be generated physically &#8212; we have devices that do it based on radioactive decay, but you can also get it by asking a human to move a mouse around or bang on a keyboard, as PGP does when generating keys.&nbsp; Thus, for most applications, we settle for pseudo-random number generators &#8212; programs which generate a stream of numbers that are unrelated to each other, have a uniform distribution, and are for most purposes entirely random.</p><p>However, a pseudo-random number generator usually needs a seed &#8212; a starting point for the generator.&nbsp; If you use the same seed, you&#8217;ll get the same stream of &#8220;random&#8221; numbers.&nbsp; Thus, the seeds chosen are usually very large numbers.&nbsp; Cryptographic pseudo-random number generators are considerably more processor-intensive than the regular &#8220;random&#8221; number generators used in non-security applications, as they&#8217;re usually based 
on multiple iterations of a hashing algorithm.</p><p>What happens if your pseudo-random number generator isn&#8217;t very good?&nbsp; Well, in the early 2000s, an online casino in the Caribbean (I wish I could remember the name of it to provide a link to the news coverage) lost several million dollars.&nbsp; Apparently, a player realized that to shuffle the decks of cards, they used a standard, non-cryptographic random number generator &#8212; the sort of thing that&#8217;s built into Windows and Linux and such.&nbsp; A shuffled deck of cards is very random &#8212; there are 8&#215;10<sup>67</sup> ways to shuffle a deck, which is about 225 bits of entropy.  However, the random number generator used only a 32-bit seed!&nbsp; There are only 4&#215;10<sup>9</sup> 32-bit numbers.&nbsp; This is still a lot, but with modern computer aids, it&#8217;s a manageable number.&nbsp; So what did this player do?&nbsp; He had his computer generate shuffled decks for each of the four billion 32-bit seeds.&nbsp; He then wrote a program that let him enter specific cards that were drawn (e.g. 
&#8220;fourth card was a queen of spades, fifth card was a 9 of diamonds&#8230;&#8221;) based on the draws he could see (such as his own cards in poker, or the up cards in blackjack) and it would pare down the four billion decks to the ones that could have potentially produced those draws.</p><p>It turns out that when you know that almost all decks are invalid (not able to be generated by the random number generator in use), there aren&#8217;t many decks that can produce a given set of cards.&nbsp; Thus, within 3-5 known cards, his program would spit out the entire deck, and that player could now predict the future.&nbsp; He would know exactly what cards would be coming out, and what ones already had.&nbsp; Thus, poker and blackjack were trivial, and he won a ton of money.</p><p>Many things in cryptography operate similarly.&nbsp; If you can predict the random numbers being used, you drastically simplify cracking the code.&nbsp; It is generally still not what a layman would call <em>simple</em> &#8212; but it brings a message from &#8220;even the National Security Agency with its thousand acres of supercomputers couldn&#8217;t crack it in our lifetime&#8221; to &#8220;it&#8217;s still out of reach for you and I, but, well, the NSA could probably crack it in a day or two.&#8221;&nbsp; Well-funded, skilled adversaries can use any small defect in a cryptosystem that lowers entropy to shorten the time to break codes.</p><p>And that&#8217;s why the NSA would be interested in putting a back-door in a pseudo-random number generator.&nbsp; Did they actually do this?&nbsp; In my opinion, the evidence Schneier presents is pretty convincing, and while Schneier is today best known as a popularizer of security rather than a technical expert, one would do well to remember that he also wrote <a
href="http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115">Applied Cryptography</a>, a very technical book that sits on the bookshelf of basically every security developer, including mine.&nbsp; The NIST publication presents four random number generators, based on different algorithms, and then recommends the use of one, Dual_EC_DRBG, that is about 1,000 times slower than the other three.&nbsp; Unlike the others (Hash_DRBG, HMAC_DRBG, and CTR_DRBG), however, with this particular algorithm it would be possible to craft a set of input constants that are defective in a specific way &#8212; such that someone armed with a corresponding set of constants could predict the output of the generator.</p><p>Now, we don&#8217;t have proof that the NSA actually <em>did </em>this.&nbsp; It&#8217;s possible that the input constants in the NIST publication are truly random, chosen arbitrarily, and the NSA does not have a matching key that will break the generator.&nbsp; But the NSA is pretty smart, and almost certainly knew about the flaw in the algorithm &#8212; in general, people in the cryptographic industry assume that the NSA is a few years ahead of them and just hasn&#8217;t said so.&nbsp; The old adage about not attributing to malice what simple incompetence will explain usually applies to government pretty well, but not to the NSA.</p><p>Really, this is a rather ingenious way to backdoor a crypto algorithm.&nbsp; The normal method &#8212; just make a cryptosystem with a mathematical flaw or known backdoor key &#8212; has a serious issue: if you can figure out the mathematical flaw, so can someone else.&nbsp; The NSA wants to be able to listen to our phone calls &#8212; it doesn&#8217;t also want <em>every other country</em> to be able to do so.&nbsp; To backdoor a cryptosystem requires making it so you can read messages without also weakening it for everyone else.&nbsp; This method does exactly that &#8212; without the specific 
numbers that match the provided input constants, the system isn&#8217;t flawed at all.&nbsp; The NSA has the key (if, indeed, they do), and no one else does.&nbsp; Putting it in the random number generator rather than the cryptosystem itself is a good way to draw attention away from it, too.</p><p>And if the NSA didn&#8217;t choose the constants to have a backdoor, why recommend an elliptic-curve based generator that&#8217;s three orders of magnitude slower than several other generators, all believed to be just as secure, that are based on much more easily understood mathematics like hashing?&nbsp; It just doesn&#8217;t seem to make much sense.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2007/11/16/backdoored-pnrgs-from-the-nsa/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>The War on the Unexpected</title><link>http://perimetergrid.com/wp/2007/11/01/the-war-on-the-unexpected/</link> <comments>http://perimetergrid.com/wp/2007/11/01/the-war-on-the-unexpected/#comments</comments> <pubDate>Thu, 01 Nov 2007 18:31:23 +0000</pubDate> <dc:creator>Grant Bugher</dc:creator> <category><![CDATA[risk]]></category> <category><![CDATA[society]]></category> <category><![CDATA[terrorism]]></category><guid
isPermaLink="false">http://perimetergrid.com/wp/2007/11/01/the-war-on-the-unexpected/</guid> <description><![CDATA[Bruce Schneier has a good post today called &#8220;The War on the Unexpected,&#8221; about the unintended results of asking the general population to report anything suspicious.  Even discounting deliberate malfeasance (reporting the neighbor you don&#8217;t like as &#8220;suspicious&#8221;), people find a lot of things suspicious, and the gatekeepers have no motivation to apply intelligent filtering [...]<p></p> ]]></description> <content:encoded><![CDATA[<p>Bruce Schneier has a good post today called &#8220;<a
href="http://www.schneier.com/blog/archives/2007/11/the_war_on_the.html">The War on the Unexpected</a>,&#8221; about the unintended results of asking the general population to report anything suspicious.  Even discounting deliberate malfeasance (reporting the neighbor you don&#8217;t like as &#8220;suspicious&#8221;), people find a lot of things suspicious, and the gatekeepers have no motivation to apply intelligent filtering to public reports.  When someone makes a specious report and the police overreact, they&#8217;re praised for their vigilance, while the real victim in the situation is lucky to escape without prison time.  The result is a paranoid society where merely being unusual can get you into trouble &#8212; the very opposite of a free society where your actions are none of anyone else&#8217;s business unless you&#8217;re directly harming them.</p><p>Of course, there&#8217;s not much motivation for government to reduce these overzealous &#8220;awareness&#8221; programs, either.  A paranoid populace is always supportive of more government intervention to &#8220;protect&#8221; them, and making everyone into a criminal makes social control quite easy, since there is no one not subject to arrest, only the people you haven&#8217;t chosen to arrest <em>yet</em>.</p><p>Terrorism can never be absolutely prevented because terrorism is easy &#8212; it is a sad fact of chemistry that many things explode, and there are many ways of being dead.  A free society can only prevent crime because criminals have something to lose &#8212; people acting in self-interest do not want to die or go to prison, and a free society must fight crime via punishing criminals <em>after the crime has been committed</em>.  Since terrorists of the current radical Islamic model aren&#8217;t deterred in this way, we are deprived of our normal security responses and forced to try to fight with <em>prevention only</em>, rather than the standard responses of detection &amp; punishment.  
To truly eliminate this sort of terrorism requires changing the culture from which it emerges &#8212; removing the &#8220;feed stock&#8221; of terrorist organizations by giving people something to live for.  This is not a short-term project.<br
/> The proper response of a free society to terrorism is not &#8220;prevention at all costs,&#8221; but rather prevention where the cost is justified and <em>resilience </em>where it is not.  Western society is distributed, and has a phenomenal depth of resources that is absent in many other societies &#8212; our culture is, in short, extremely hard to destroy.  As catastrophic as the September 11th attacks were, your chances of dying in a terrorist attack remain smaller than your chances of dying of heatstroke, inhalation of a foreign object, or drowning in a swimming pool; our society is threatened not by the direct damage of terrorist attacks but by the response those attacks cause in us.  Some threats are direct and obvious enough that mitigating them makes sense, but for many threats the rational response is to <em>accept the risk</em>; that is, recognize that the risk is there, understand that the chances of it affecting you, personally, are nearly nil, and that absolute safety does not exist.  We need to go on about our lives, and work to recover from attacks in the same way that we recover from natural disasters.  When a disaster happens, we mourn, we help the people affected, we rebuild the damage &#8212; but we do not change our way of life because of them.  Somehow, we think that <em>human-caused </em>disasters should be entirely different, but this is not necessarily the case.</p><p></p> ]]></content:encoded> <wfw:commentRss>http://perimetergrid.com/wp/2007/11/01/the-war-on-the-unexpected/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
