Thursday, February 28, 2008

Ross Anderson's attacks on Chip and PIN

One of the risks of security research is that some people will read the paper by Ross Anderson and others on PIN Entry Device (PED) vulnerabilities and conclude that Chip and PIN is utterly broken and a complete waste of time.

The attack is certainly serious in that it allows a criminal to profit. But it does not return us to square one. The attack exploits the fact that the standard Chip and PIN protocol does not require the PIN to be encrypted between the PED and the card and the fact that the cards are designed to work with legacy payment devices and ATMs that only use the PIN and magnetic stripe.

This is certainly a vulnerability, but not a fatal one. The best way to close the loophole would be to deploy Chip and PIN in every country and withdraw use of the magnetic stripe. This would require considerable political commitment, particularly in the US where the anti-trust laws and the structure of the banking industry make deployment unlikely to occur without pressure from a strong administration.

Encrypting the communication between the PED and the card is another countermeasure, highly desirable in its own right. Unfortunately as the paper explains, it would be necessary to sign the statement of card capabilities that advertises support for encrypting this communication or the system would remain vulnerable to a downgrade attack.

I am far from convinced that PIN capture represents a significant vulnerability even when dealing with legacy systems, here in the states it is not necessary to use a PIN for a credit card transaction. The only transaction type for which the PIN is required is a cash advance or ATM cash withdrawal. If the banks find that fraud due to this particular attack rises to the point where it is comparable to the cost of deploying encryption capable cards they should certainly do so.

It is quite likely that the EMV specification designers anticipated this particular set of circumstances, did a security evaluation and decided that it was an allowable first generation risk. The problem is that if there is a statement to that effect it has been lost in the thousands of pages of documentation on EMV. As the authors point out, there should be a single compact security guide that brings such considerations together in one place.

The lack of adequate documentation is not just a cost for administrators and implementors, it is frequently an indicator of the quality of the result. It is likely that the usability of UNIX would have been rather better if the original development team had included one member tasked to writing documentation for eventual end users.

The authors are also justified in their skepticism as to the effectiveness of a certification process where the vendors choose the certification lab. The incentive for the laboratory is to allow the vendor to acquire certification at the lowest cost.

GCHQ have recognized this problem and requires the results of testing to be made public in order for common criteria certification to be granted. This is an important distinction because it means that the testing laboratory can be held accountable should researches subsequently discover a vulnerability that they should have detected. The devices in question are merely 'evaluated', not 'certified', a distinction that does not appear to have been widely appreciated outside GCHQ.

Monday, February 25, 2008

Is the Secret Service plotting to help assasinate Obama?

Security around Obama events has raised blogosphere concerns. Is the Secret Service under orders to give Obama lax security? Are they incompetent? Or is there another explanation?

The observed facts are that the Secret Service only checked the first people to arrive at a number of Obama events. With long lines at the screening points shortly before the event the Secret Service suddenly let the rest of the audience in unchecked.

Before we cry conspiracy its worth remembering a couple of issues. First the likelihood that the Secret Service would allow itself to be complicit in an assassination plot. That would be entirely counter to the whole service ethos. Guarding the President is the task the Secret Service takes most seriously. These are people with unique access to high ranking politicians. It would only take one member of the Secret Service to voice concerns to Pelosi, or Reid, or Carter or Clinton or any of the other senior politicians that receive regular secret service protection for a plot to be utterly blown.

The other factor that counts against it being a plot is that no assassination attempt was made. An attempt to deprive Obama of adequate security makes no sense at all unless there was a plot to make use of that weakness.

More likely by far is that this is exactly what the Secret Service claims, an intentional part of the security plan. The principal security concern at a large event like these would be a short range attack by a suicide bomber or someone with a pistol. A person standing at the back of the crowd is going to find it rather difficult to assemble a sniper rifle and take aim. Any areas where a sniper could work undisturbed should be guarded.

The history of political assassinations since the murder of JFK has been the close range attack - the assassinations of JFK and Bhutto being typical examples. An assassin wanting to attack Obama would be looking to get in close. That would almost certainly require them to arrive early.

The question then is how the Secret Service was managing the audience. Was it possible for someone who arrived late to reach the areas closest to the candidate? Was there an explicit separation?

Friday, February 22, 2008

The causes of rising Internet Crime

This is an excerpt from the book in CSO magazine. It describes how we got into the situation we have. (warning, I did not write the biography at the end of the piece, nor did I approve it, while it is technically true it somewhat overemphasizes my role).Early on in the development of the Web there was a lot of concern about the risks of credit card fraud, we didn't worry so much about online banking because the idea was considered preposterous. At the time I was unable to persuade Dreamworks that they should start putting up Web pages for movies. At the time we had a million users and the number was rising rapidly so it was clearly a big opportunity for the studios. But they were not interested.The tipping point came when the White House site went online. Before that nobody would give us time of day. Afterwards every CEO seemed to have the idea that their company should have a Web site. Nobody credited the White House of course, but it was our IBM PC moment. Before the IBM PC the MIS world looked down on the micro-computer. After IBM endorsed the PC they were suddenly kosher.So I don't think it was unreasonable to not think about online banking in 1994. The big mistake I made then that I regret is that I always thought that businesses would care rather more about security before exposing their businesses to the Internet. The banking infrastructure developed in a pre-Internet age and fraud was a significant issue (but not as significant as credit risk). Suddenly the banking infrastructure was dumped onto the Internet using a technology that had only been designed to secure the transport of credit card numbers.

read more | digg story

Thursday, February 21, 2008

OK so I bought a Mac...

After a few months of looking at the problem of Security Usability seriously I discovered that I had to get a Mac.

There was no real choice, you have to get a Mac to do usability. Otherwise the punchline to every conversation is 'well you should get a Mac'.

So I got one, a MacBook Air.

Hardware wise the Air beats the Windows machines on the market, there really is no comparison. Despite the constrained form factor it feels like a solid machine and the keyboard is better than the one on my Thinkpad.

The machine is not the fastest notebook on the market, but it is more than fast enough for Web browsing and running Microsoft Office. I would not want to write code on the machine, but I wouldn't want to write code on any laptop. The only serious hardware limitations are the battery life and the disk space. And the only reason the disk is an issue is that I don't have enough to dual boot.

Both limitations could be removed with a killer accessory - an external module with a 250Gb hard drive and a LiIon battery. The only problem being that thanks to the use of the MagSafe power connector, owners will have to wait for Apple to deliver.

I actually think that Apple have got it right with the non-replaceable battery - fill in the otherwise void spots with battery. But the built in battery should not preclude the ability to make use of supplemental power on a flight.

The items I would fix in the next version are:

  • Make the front edge of the machine less sharp, it cuts into my hand when I hold the machine and use the trackpad. The edge should be rounded to a 1/16th or 1/8th. The look of the machine closed should be secondary to the feel in use.
  • Use a graphics chip that can drive a 30" monitor at full 2560x1600 resolution. I don't much care about speed so long as it is 'enough'. Pixels are another issue entirely, I want as many as possible.
  • Switch to USB 3.0 with the optical and make it possible to drive a DVI/DVI2 monitor over it via an adapter.

Software wise, Leopard is, well like using Vista. Once you get it running there are some nice features that are better than Vista and some Vista features that I miss. At this point the main difference in the window model is that in Vista the menu bar sticks to the Window where the work is going on and on. The Apple model works better on a small screen such as a laptop. The Windows model works better on really big monitors like my 30" HP LP3065.

The real difference between Vista and Apple is the setup process. The Mac automatically connected to my network printers without fuss. It even connected to my Windows Home Server without any problem.

The only configuration problem is that Time Machine will only work with a disk hosted on an OS/X server or a Time Vault. The Mac can store bits on the Home Server box but not use it as a back up device. This is something that Apple should seriously consider fixing as otherwise the fact that I have a Home Server would lock me into buying Windows machines going forward. Its not the cost of the machine thats the issue, its the associated management issues.

When OS/X works, it works well, the problem is that I have absolutely no idea where the applications I am loading onto the machine are going, how much of my disk they are eating up, whether the installation packages have been cleaned up etc. I don't even know if the machine is using power in 'sleep' mode or if that is equivalent to the Windows Hibernate function.

Security, this is the first machine I have had that has asked me if I want to turn on disk encryption. The level of security is much the same as Windows XP professional or Vista Business or Ultimate provide, but its rather easier to be confident that all user data is being encrypted correctly. What is less clear is whether the confidence is justified.

Now the bad part, Mac allows me to set up in minutes the security measures that take rather longer to achieve on Vista but that is as far as it goes. When it comes to the Vista security measures that I am pretty sure nobody except for the developers would ever use the tendency appears to be to omit them entirely rather than work out ways to make the functionality usable.

Tuesday, February 19, 2008

Don't make it too secure

Everyone is agreed that securing the Internet is hard. So why do we have to spend so much time worrying about the complaints of people who say 'don't make it too secure'?

This question was raised during the cryptowars. During the 1990s there was a determined campaign led by Louis Freeh to make non-government use of strong cryptography illegal in the US. As a direct result, more time tended to be spent making cryptographic protocols 'Freeh-proof' than making them usable by ordinary people. We still live with the consequences today.

We risk repeating this mistake today as some people assert that making technology RIAA-proof is more important than making it secure.

Deployment of cryptography increases the power of the deployer at the expense of the attacker. But certain types of attack may be socially desirable, possibly even sanctioned in the case of a whistleblower revealing criminal behavior.

Sometimes its the bad guys who deploy security to enhance their power at the expense of the good. The technology is no better at distinguishing good intent from bad than people are.

Deployment of perfectly secure trustworthy computing could well tip the balance of power in favor of copyright holders, allowing them to effectively create perpetual copyrights through technical means, eliminating provisions for fair use and reversion to the public domain. Whether this goal is or is not desirable it is unreachable. In order to make profis, copyright holders must be able to reach an audience of millions and copyright enforcement is a 'break once run anywhere' problem. We simply do not have the technology available to enforce controls on content that may be accessed from a billion plus endpoints. Nor is this ever likely to be the case.

Nor should trustworthy computing be considered the principal concern for covert whistleblowers. The technology that is most likely to affect them are not technical measures such as trustworthy computing that might be employed to enforce effective access control but fingerprinting and watermarking technologies that might be used to identify the source of a leak and thus strengthen accountability controls.

If we are going to get a handle on the current epidemic of data breaches we are going to have to change the way we secure sensitive information to make the accidental leak less likely to occur.

To date I have received five breach notifications, in each case the cause of the leak was a lost or stolen laptop containing confidential data. Whole disk encryption is currently the most easily deployed fix but its a blunt instrument and one that solves the measurable problem rather than the actual one. Laptops are relatively valuable, the loss of one typically stops the employee working, as a result losses are typically reported. The same is not true of USB thumb drives which are frequently purchased by the employee rather than the company, typically provide no built in encryption system (or at least none the user is likely to use) and are rather more easily lost.

If we are going to start getting a handle on the problem of lost client confidential data we need to move the protection to the data. If we are going to protect the whole data lifecycle we are going to have to deal with the problem of ensuring that the operating system running on the machine is the one the owner actually intends to run on the machine. In order to do that we need to have a trustworthy boot process that guarantees that the right O/S is loaded and a trustworthy means of certifying that the right O/S is actually running. And those are by defintion trustworthy computing technologies.

Friday, February 15, 2008

The catalogue of UK Entrances to Hell

Very handy to know, I guess.

Gunman Slays 6 at N. Illinois University - New York Times

A hint for US citizens confused about the cause (Tune from Dora the Explorer)

With four shootings in a row
there is someting you should know:
It's the guns
It's the guns
It's the guns

When there's twenty people dead,
they were all shot in the head:
It's the guns
It's the guns
It's the guns
It's the guns

It's the guns
It's the guns
It's the guns
It's the guns

It's the guns
It's the guns
It's the guns
It's the guns

Tuesday, February 12, 2008


"The Ribbon, which is part of the Microsoft Office Fluent user interface, is designed to help you quickly find the commands that you need to complete a task. Commands are organized in logical groups that are collected together under tabs. Because each tab relates to a type of activity, such as writing or laying out a page, it is not possible to customize the Ribbon without using XML and programming code."

Translation: you can't customize this feature because we understand what you are trying to do and you obviously cannot.

So despite the fact that I have a 2560x1600 pixel display I cannot add the superscript and subscript buttons to the formatting ribbon.

The security state

An obnoxious company in Wales has been marketting a device that emits a high pitched screech that only children can hear. The device is marketed as an anti-gang device but the noise it makes is indiscriminate.

Not suprisingly there are now calls to ban the device. I am surprised that it would be considered legal in the first place. The fact that a noise can only be heard by people under 25 does not make it any less of a noise and the UK has pretty strict noise abatement laws.

Nor does it make much sense as an 'anti-gang' device. Any shop that used a device of that type against a real gang would quickly find that bricks and much worse were comming through their windows. If the kids aren't lawless enough to chuck a brick at a window after dark they can't be considered much of a threat.

This type of security measure creates a problem where none existed before.

Now try to cash out

The theives who stole art worth $164 million in Zurich will have a much harder time finding a buyer. Unless the art has been stolen to order for a collector they are unlikely to find a buyer at all. The resale value of easily recognized stolen art is negligible.

Art galleries know this which is why the typical gallery holding millions of dollars worth of art has far less security than a local bank branch that never keeps more than a few tens of thousands of dollars on hand in cash.

The same effect is seen in Internet crime. Stealing credit card numbers is easy, cashing them out is the hard part. The Internet criminals that make most of the money are the ones that can do this without being caught. Making it harder to cash out is one of the most effective means of stopping Internet Crime.

Sunday, February 10, 2008

Romney wins Maine

CNN reports that Romney has won the Maine primary with 52% of the vote, this despite the fact he has quit the race.

McCain meanwhile managed only 21% and has failed to win any of the primary races since he became the presumtive nominee last Tuesday - or at least the ones where they actually count the votes. The Washington state GOP having stopped counting the ballots and declared McCain the winner after only 87% of the precincts reported. This despite the fact that a mere 245 votes - 1.4% of the total separated the two.

Any hope of persuading Huckabee to stand aside for the good of the party must surely have been lost as a result of this maneuver.

Saturday, February 09, 2008

Lessons from compact flourescents

One of the examples I use to illustrate the standards effect in The dotCrime Manifesto is the choice of Edison screw vs. Swan bayonet light bulb mounts in Europe and the US. The superiority of the Swan design was acknowledged even when the US adopted the Edison screw as the standard. But the Edison screw had a larger deployed base in the US and more importantly was unencumbered by patent rights. So for almost a century US households have had to deal with the Edison screw fixture which is less reliable (the bulbs work loose over time) and less safe (a loose bulb can spark).

So I was interested in this article forwarded to me by Mrs dFM on compact flourescent bulbs.

The cost savings of compact flourescents are significant - switching to flourescents can cut the electricity bill in half. And there are many incentive schemes to persuade consumers to switch, a pack of six compact flourescents costs $1.99 after rebate in CostCo. The problem is that after the incentive period ends there is a tendency for consumers to 'snapback' to using 'cheaper' incandescent bulbs.

This has in turn led to the search for a way to 'lock in' the consumers to using fluorescents and this in turn has led to the promotion of a new 'pin based' socket which only accepts a fluorescent bulb.

But despite the obvious advantage of CFLs they must surely be a transitional technology which will itself be displaced as LED technology becomes cheaper. LEDs are more efficient than CFLs, offer better light quality, do not need replacement (11 years of constant operation) and do not contain mercury.

We know how to make semiconductors cheaply, why is it taking so long to make cheap LED lights? And why are the LED replacement bulbs fashioned from a collection of discrete LEDs rather than manufactured as an ensemble in the manner of VLSI?

Friday, February 08, 2008

Why does Microsoft ship unsigned code?

I just installed some service packs on Windows XP. Why do I keep seeing warning notices telling me that the software Microsoft has provided has not passed Windows certification?

If the certification is going to have any value at all Microsoft MUST insist that every single piece of code they provide passes. Otherwise they are simply teaching users to ignore their own warnings.

Answering machines

Why are telephone answering machines so lame? Why do they only come with about 60 minutes of record time? Why is the default action to stop accepting new messages when the system is full rather than to discard messages that are months old? And why do they s-p-e-a-k s-o s-l--o--w---l-----l------y?

Vonage VOIP mail is much better for single person use, but not if you have more than one person who uses the line.

Tuesday, February 05, 2008

The new 64Gb big screen iPod

What is suprising about the new 64Gb iPod with the 12" screen is that Apple don't seem to have got arround to thinking about it yet.

Forget the MacBook Air, it is a niche product that falls between two stools. It is not quite a desktop replacement and its not quite an ultra-portable. It is fine for Web browsing and possibly for word processing but gamers, programmers and many others are going to find it limiting.

Why not go one stage better? Forget the word processing, just give me a dedicated Web browsing and video playback device. The new 32Gb iPod Touch is almost there, just give me a bigger screen. I am 40, my eyes are not quite up to reading from a 3.5" screen over extended periods.

A 12" screen is probably an optimal compromise between readability and portability for me but I would settle for anything in the 8" to 15" range. At the smaller end of the range the device looks like a Kindle killer. At the larger end its a true portable entertainment device.

The reason I think Apple would do better to develop this than the iPod touch is that there is very little reason to buy a touch if you either have an iPhone or expect to buy one. But I would certainly buy a 12" iTablet if it cost in the region of $800.

Sunday, February 03, 2008

Daft Michael Bloomberg

Last week various bloggers noted that the Draft Michael Bloomberg count stood at a modest 3,000. Well at the close of the dotFuture Manifesto poll 100% of voters were opposed to a Bloomberg run and the total at Draft Michael Bloomberg stands at only 5130 - and that is after liberal bloggers drew attention to the poll.

If there is any deep seated desire to see a Bloomberg presidency it is pretty well hidden. Another explanation is that Bloomberg never intended to run but was intent on doing whatever he could to wreck the prospects of a Giuliani matchup.

Citation manager in Word 2007

Well it only took twenty years but Word 2007 provides a citation management feature. This might well be the single biggest reason to upgrade to Office 2007. Unfortunately the citation management is not quite what it should be.

The biggest problem is that the only way I have found to import citations from papers is to enter them into the tedious Microsoft provided form. This despite the fact that the whole point of standardized citation formats is that they create a regular expression that can be parsed automatically. Nor does Word 2007 appear to support the standard citation formats (Bibtex/Scribe, Endnote). This means entering the data is unnecessary makework.

A related problem is that Word 2007 does not support a personal citation service either. I have two machines I use frequently, one is currently broken so I am using a third. I would like to be able to hook up to my personal citation library from whatever machine I am on. It should be possible to import citations into the library easily.

Another problem is the restrictive formats offered for citations. I know all about ISO citation format. Frankly the people who put it together were snobs. The only format for which URIs are supported is a 'web document'. This despite the fact that academic papers are increasingly published online. I don't care what the ossiffied gnomes of ISO think, I have a URI and that for me is critical information I want to provide the reader with regardless of what the for-profit academic publishing racket thinks about the Web.

Nor do I think much of the 'accessed on' nonsense. I can't think why the reader would be interested in the date I accessed a document unless the 1) the document was likely to change over time and 2) there was some means of calling up a particular version. If the latter the appropriate way to deal with the situation would be for Word to automatically cache the document or better enter the document into some sort of shared cache repository.

There are copyright issues in caching to be sure. But in most cases the cached data is intended to be public. When a document is for sale the URL is more likely to be stable in any case.

Friday, February 01, 2008

HD DVD losing the High-Def War vs Blu Ray

Hacker skills needed to bring down a bank

The Telegraph posted Kerviel's CV.

Seems like the only programming language known by the 'master hacker' described in the French Press was Visual Basic for Applications. More on this at The Register.