network security


A colleague sent me a link to a fascinating discussion of Iranian internet traffic patterns surrounding the election and what they say about what methods of access to and distribution of media the Iranian regime cut off to control information.

They’re using something called, amongst other things, “traffic shaping.” Basically it allows different types of traffic – web browsing vs. SSH vs. file-sharing vs. WoW vs. whatever – to be throttled or shut down without affecting other applications. As they note, WoW traffic went undisturbed but access to Flash video was all but eradicated. (I choose to forgive their mangling of WoW cosmology – Azeroth is a continent and the planet on which it is found, not an island – in light of their clever off-hand suggestion that WoW be a meeting place to organize protests in the real world.)

Looking at the final graph, here’s what they most blocked in descending order:

  • SSH, normally used for encrypted command-line access but also very useful as a sneaky way to proxy web traffic. If you have a co-worker who can always get to anything online no matter what your IT staff does, and SSH is allowed, that co-worker is almost certainly tunneling through SSH: dynamic port forwarding (the -D option) turns any reachable SSH server into a local SOCKS proxy, and the browsing rides inside the encrypted session where a port-based filter can’t see it. (For purposes of full disclosure, guess who’s shite at getting that to work? Moi. I’ve just never cared that much.) Other possible transgressive uses of SSH: terminal session to an external host that has a command-line IRC client installed; encrypted file transfer; etc. If the chart listing percentage dropped is also a rough guide to their list of concerns then they are quite right to consider SSH the most subtle threat to their attempted smothering of information access.
  • Flash, used by basically every video site, including YouTube and many news sites, to embed video.
  • Bittorrent, which of course would make an excellent way to distribute, say, video of the militia murdering someone in the street without it being localized or necessarily traceable to the original person who held the camera.
  • POP, because you don’t want just anyone receiving email from their international friends and relatives, do you?
  • Alternative web ports and HTTP proxies are always a popular target for IT staff who want to control access to porn or, you know, news. I’m going to guess they’re just taking a stab at random ports that are likely candidates for alternate web traffic (say, TCP 8080 or 8181) but maybe they’re packing the serious web filtering heat on that scale. If so then I have to wonder if there are some embargoes being broken.
  • Web cam = citizen journalist/potential YouTube star/access to international friends and family who’ve pointed a web cam at their HDTV tuned to CNN. Verboten!
  • SMB: surprise, Microsoft is super-chatty in Farsi, too. Also file-sharing, though gods help the poor bastard who’s down to trying to share drives across international lines. Any modern ISP that is at all conscious of what it’s doing will be blocking this at its own borders anyway.
  • Then, waaaaaaaaaaaaaaaay down the list: normal old web traffic, email (I’m assuming they mean SMTP and IMAP only, since they list POP separately) and FTP.

So, related to my web filtering comment above, I don’t know a damned thing about what embargoes are in place. Ever since I got yelled at by a corporate VP in 1994 for calling up the Commerce Dept. on my own initiative to ask them about regulations related to international shipping of books that discuss encryption I’ve kind of let the lawyers worry about that stuff. That said, the ability to do this kind of traffic shaping on this scale suggests access to equipment that I would expect is embargoed. I don’t know, though. Maybe they can just buy all their Networking Company X equipment directly from X’s contracted manufacturer in China, y’know? I sure don’t. (Know, that is.) Maybe they’ve got enough people sitting around that they can just write up manual access-lists and try to filter everything by port on whatever devices they’ve got that can take ACLs and that’s why they’re only blocking some of this. I don’t know. In some ways the article raises more questions than it answers, for me, since it makes me want to know the specific techniques and technologies being applied.
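Here is the difference between the two approaches the paragraph above is guessing at, as an added illustration that is not from the original post or from any vendor: a hand-written port ACL versus a shaping appliance that fingerprints the first bytes of each flow. The flows, the port map and the per-application policy are all constructed for the example; the protocol fingerprints (SSH identification string, TLS handshake record, BitTorrent handshake, HTTP method, first POP3 command, SMB magic) are the real ones. SSH tunneled over TCP 443 sails past the ACL and is dropped by the payload classifier; plain HTTP on 8080 is throttled by the ACL but treated as ordinary web traffic by the classifier.

```python
"""Port-based ACL versus payload-based flow classification.

Constructed example (not from the original post): each Flow carries the
destination port and the first bytes the client sent. A hand-written ACL can
only look at the port; a traffic-shaping appliance looks at the payload, which
is why SSH tunnelled over TCP 443 beats the ACL but not the appliance.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client (constructed sample data)


# What a port-only ACL assumes each port carries.
PORT_MAP = {22: "ssh", 80: "http", 110: "pop3", 443: "tls",
            445: "smb", 6881: "bittorrent", 8080: "http-alt"}

# Per-application action; "throttle" stands in for a shaping bucket.
# Assumed policy, loosely modelled on the ordering in the post.
POLICY = {"ssh": "drop", "bittorrent": "drop", "pop3": "drop",
          "http-alt": "throttle", "smb": "drop"}
DEFAULT_ACTION = "allow"

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_by_port(flow):
    """The ACL view: destination port decides the application."""
    return PORT_MAP.get(flow.dst_port, "unknown")


def classify_by_payload(flow):
    """The appliance view: protocol fingerprints in the first client bytes."""
    p = flow.payload
    if p.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"                       # SSH identification string (RFC 4253)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"                       # TLS handshake record carrying a ClientHello
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"                # peer-wire handshake
    if p.startswith(HTTP_METHODS):
        return "http"                      # plain HTTP, whatever the port
    if p.startswith((b"USER ", b"CAPA", b"APOP ")):
        return "pop3"                      # client's first POP3 command
    if len(p) >= 8 and p[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"                       # NetBIOS session header + SMB magic
    return "unknown"


def action_for(flow, classifier):
    """Look the classified application up in the policy."""
    return POLICY.get(classifier(flow), DEFAULT_ACTION)


def compare(flows):
    """Return (application, action) under each view for every flow."""
    out = []
    for f in flows:
        out.append({
            "port": (classify_by_port(f), action_for(f, classify_by_port)),
            "payload": (classify_by_payload(f), action_for(f, classify_by_payload)),
        })
    return out


# Constructed flows: SSH tunnelled over 443, real TLS on 443, HTTP on 8080,
# and a BitTorrent handshake on its usual port.
SAMPLE_FLOWS = [
    Flow(443, b"SSH-2.0-OpenSSH_5.1\r\n"),
    Flow(443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    Flow(8080, b"GET /video.flv HTTP/1.1\r\nHost: example.net\r\n"),
    Flow(6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, compare(SAMPLE_FLOWS)):
        print(flow.dst_port, verdict)
```

The two views disagree in both directions, which is the practical point: a pile of ACLs can only block what it can name by port, and an appliance that classifies by payload has to be bought, which is where the embargo question comes from.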

All that aside, doesn’t it just kind of stab the ghost of my freshman self through the heart with an icicle to see the internet used to limit information and mask access to the truth? Yes it does. Why it still surprises me I’ll never know.

Random half-considered theory: the use within the information security field of the term “sensitive data” as a catch-all for anything worth protecting subtly guides us to be evasive, tentative, even secretive about the mere existence of such information and unwilling to discuss openly the risk management strategies appropriate to a given set of data because of the way we interpret, use and think of the word “sensitive” in other contexts. It’s too easy to make the leap from “sensitive data” to “sensitive people” and we are trained to tiptoe around sensitive people. If we switched to using the term “valuable data” we would more easily discuss it in a matter-of-fact manner.

Yesterday evening the FTC had ISP and data-center service to Pricewert LLC, aka 3FN (amongst other names), shut down. It is – or was – a major distribution channel for spam along with even less savory internetalia including child pr0n, and it acted as a haven for botnets:

The FTC also alleges that the defendant engaged in the deployment and operation of botnets – large networks of computers that have been compromised and enslaved by the originator of the botnet, known as a “bot herder.” […] According to the FTC, the defendant recruited bot herders and hosted the command-and-control servers – the computers that relay commands from the bot herders to the compromised computers known as “zombie drones.” Transcripts of instant-message logs filed with the district court show the defendants’ senior employees discussing the configuration of botnets with bot herders. And, in filings with the district court, the FTC alleges that more than 4,500 malicious software programs are controlled by command-and-control servers hosted by 3FN. This malware includes programs capable of keystroke logging, password stealing, and data stealing, programs with hidden backdoor remote control activity, and programs involved in spam distribution.

Since they were running botnets and keyloggers it’s safe to say that a major part of their business plan was identity theft, the fucks. If this is true then we are all better off with these people off the internet for at least a little while.

Late last year there was a similar shutdown of McColo, another major haven for this type of thing, and at the company where I then worked we saw a significant drop in spam traffic that corresponded almost to the minute with the shutdown. Now I’m very curious to track what happens in my various spam folders today and over the weekend. We might be about to enjoy a very pleasant few days. Given that it looks like Pricewert were caught as red-handed as can be, maybe even a little longer.

However, even if everyone involved in running Pricewert itself were to go to jail and never have the chance to run this sort of operation again, their bot herders and the criminal clients who sought out Pricewert’s services will just go somewhere else and set up shop again. They don’t even necessarily have to wait for things to cool off first… and I don’t think there’s a solution to that. Security tools such as intrusion prevention have issues that make some fantasy of in-the-cloud security across all ISPs or all major upstream providers just that: fantasy. While the 40 and 100 Gbps standards are on the horizon, 10 Gbps security devices are still prohibitively expensive for almost all potential customers. If individual organizations can’t afford that kind of inspected speed in their own data centers then there’s no way an ISP could hope to do the same. On top of that, intrusion prevention has too much potential for a false positive taking out something important. As for firewalls, they’re for premises and individual organizations, not entire classes of customer.

There are things that can be done – basic ACLs on border routers, policies that block specific known bad traffic at the outermost edges of ISP networks – but the internet is simply always going to be, to some degree, the frontier. That’s kind of the point of the internet, actually. By the time some technology or standard or service is understood sufficiently to have vulnerabilities identified and those risks mitigated, there are ten more completely new technologies or standards or services coming down the pipe. The only way to protect a given network from malicious traffic originating outside of that network is to disconnect from the outside world.

ISPs and especially their upstream providers are in the business of providing as much bandwidth as possible as reliably as possible. Just as at the user level there is the potential for tension between convenience and risk management, there is tension between risk management and the level of availability demanded by a hosting center. Any ISP or upstream provider that started policing the traffic of its large, high-bandwidth, highly available clients would be asking to go out of business and that’s just the legit providers. Even if tomorrow someone were to wave their magic wand so that inspection took no more resources than routing there would still be people who see the criminal elements of the internet as little more than an under-served market, especially in times like these.

Through a short but unexpected chain of relationships I was asked yesterday to appear this morning in a brief interview on Scott Fitzgerald’s show on WPTF 680 AM. To be honest, whether or not to say yes was something of a quandary. On the one hand, I couldn’t turn up anything specifically negative about the host and the chain of relationships involves a much-loved former boss; on the other, this is a right-wing AM talk radio station that plays Sean Hannity, for gods’ sakes.

After some thought and a discussion with The Boyf I decided that, given that the topic itself – securing credit card data and protecting personal information – is fairly apolitical and the tone of the thing seemed to be educational rather than advocating a particular point of view, well, what the hell, right? I did a little reading up on the big TJX breach, as that was apparently going to be the topic that morning, and wrote down a few thoughts in case my brain was fuzzy at 7:10am.

The experience itself was nice enough. The host was polite, the interview was brief, I didn’t say ‘um’ every other word and I got to say the thing that made me ultimately decide to do this: that there is no such thing as “security.” As I said to the host (after trying it out a couple of times on KJ, bascha and The Boyf last night), our society has become convinced that “security” is some attainable state of the absence of risk but in truth “security” is the ongoing process of trying to find a balance between risk and convenience.

It’s childish and silly of me but I really relished saying that to an audience of security-obsessed wingnuts.

The only thing I don’t understand is why the host asked me how 9/11 had changed network security. It hasn’t. I didn’t get a chance to bring this up but the truth is that 9/11 didn’t change a damned thing about network security – at least not in the markets where I’ve worked – because 9/11 was a physical attack, not an electronic one. The big engines of change have been government regulation, the very market interventions that free market righty types find so abhorrent. I’ve seen more clients make positive changes to their networks and their policies as a result of SarbOx, HIPAA and the FFIEC than anything else.

The host asked how a person can protect their credit card data and I said, in all honesty, that we can’t. The truth is that once your financial data is in a store’s hands it is out of yours. Period. If that data is compromised then they have to notify you but they don’t have to tell you how or by whom or anything else. In fact, there is a disincentive to inform. TJX’s (eventual) openness about how the theft was done led to lawsuit upon lawsuit. During the time span that the big, multi-store heist in question was being executed my bank sent me three (3) new copies of my credit card and I’ve never known exactly why. Was my information in that data? Probably so; I’ve shopped at Barnes & Noble plenty of times.

The example I gave them was that if one wants to make sure one’s credit or debit card data is never stolen from, say the grocery store, then one had better always pay in cash. It’s not that simple, though. Paying in cash means remembering to go to the cash machine and knowing exactly how much one will spend at the store. That also requires protecting one’s PIN from prying eyes at the ATM, keeping one’s wallet from ever getting stolen and then, even then, if one’s data is stolen directly from the bank, well… so much for all that effort.

The payment card industry has a set of requirements it imposes called the PCI DSS (Payment Card Industry Data Security Standard). It’s a good start but it is only that: a start. It covers some basic common sense benchmarks but these are as basic as making sure default passwords aren’t left on vendor-provided cash registers and other equipment. It’s bare-bones at best. The truth is that payment data theft is a problem for which the market is not ever going to correct. The use of cards is way too profitable for everyone involved. Stores, the banks that issue the cards, the payment card providers themselves, payment processors, everyone involved makes way too much money off cards to ever give them up or to make them too inconvenient to use. No store is going to react warmly to someone walking in off the street and asking how that store protects credit card data. No store ever advertises that customer data is more secure with them than with their competitors.

So what do we do? There isn’t much we can do without accepting a high level of inconvenience. Sure, there are options – get prepaid cards to use for online shopping, but read up on the fraud protection for those cards first just in case it’s not as good as your normal credit card. Get a secured credit card. Get a credit card with your picture on it. Keep tabs on your account activity online – weekly, not monthly. Request a copy of your credit report once per year if not once per quarter. Write a check instead of using the card; check data can also be stolen but it’s harder to get at one’s cash with check data. Better yet, use cash. There are ways in which the TJX heist was very clever – they combined elements of physical theft (geographical proximity and physical access to the store) with an electronic intrusion (computer security is often contemplated only as a means of preventing distant attacks) – but ultimately war-driving and cracking WEP aren’t exactly innovations and the theft overall follows the same pattern used in all such cases: the thieves cast the widest possible net and took the easiest pickings. The only thing to do is to make oneself a less attractive target surrounded by lower-hanging fruit.

None of these make the stores protect our data any better, though, and nothing ever will. Most of these ideas are only useful to protect against identity theft which could be much more easily and thoroughly protected by a couple of basic regulatory changes – require photos be included in credit reports and require automated notification if one’s credit report is accessed for any reason, two things that would cost the credit bureaus some money and save everyone else a lot of headache. Even regulation will at best discourage such carelessness in the retail sector. Ultimately the only option we have is to stare into the abyss and decide for ourselves how much we want that TV or that t-shirt.

So what do I do?

I use my card all the time. I hardly ever have more than a couple of dollars on me in cash. It’s just too convenient. I make up for it by monitoring my account and my credit record and trusting that I’ll be able to get refunds for any fraudulent activity. So far, so good. That’s “security” for me: the amount of risk I’m willing to tolerate balanced against the convenience I desire. Anyone who tells you “security” is anything else believes they can make a buck off it if they tell you enough times.

So, I’m the on-call this week. I hate being the on-call. I hate everyone who calls and I hate everyone at the helpdesk who forwards those calls to me. If I could kill with my mind, my every on-call would have a body count. I would be the greatest murderer of all time. Jim Jones would look like a Care Bear next to me.

At any rate, I have two stories to tell:

First: Friday I’m talking to a client about some work he wants to do on Saturday. We’re trying to schedule a time. I grit my teeth and tell him that whenever is good for him is good for me. He picks a time that means it will be impossible for me to go to brunch and finally meet a friend’s girlfriend – whom I failed to meet last time she was in town because I was on-call. Then he says, and I quote, “Well, really, just as long as we can be done early in the afternoon, any time works. I’ve got plans to get shit-faced at 3, so we have to be done by then.”

Ah, yes, I told him. In that case, we needed to do it around 1 because I had brunch plans. Fair’s fair.

That day, once we were on the call, things went well and truly south. I was trying to figure out why The Thing We Were Doing wasn’t working when it occurred to me that The Thing We Were Doing didn’t make much sense in the first place. I very casually asked him why we were doing this and he said, “Because my boss is a fucking manager and doesn’t know what the fuck he’s doing, that’s why.”

My response was the only word I could produce in that moment: “…Okay!”

Second story: we have a ticketing system that is based largely around email. When a ticket gets created, it automatically emails a copy of itself to the client involved. They can reply to that email and update the ticket themselves if need be. When we update the ticket it emails a new copy of the ticket log to the client. So on and so forth. It’s quite the clever little ticketing system in that it will spot quoted text from itself in a reply email and excise that so that a ticket log remains a fairly continuous conversation without a lot of quoted text from earlier entries.
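For anyone who has to build or fix one of these, here is the excision step together with the loop guard the story below is crying out for, as an added illustration rather than the ticketing system from the post. The marker line, the header checks (Auto-Submitted per RFC 3834 plus the usual vendor headers) and the rule that the same sender adding the same words to the same ticket does not trigger a second notification are all my assumptions; the sample message is constructed.

```python
"""Quoted-text excision and reply-loop guard for an e-mail driven ticket queue.

Added illustration, not the ticketing system from the post. The marker line,
the header checks and the per-ticket duplicate rule are assumptions.
"""
from email import policy
from email.parser import BytesParser

MARKER = "---- reply above this line ----"   # assumed: placed in every outbound mail

AUTO_SUBJECTS = ("auto-reply", "automatic reply", "out of office",
                 "undeliverable", "delivery status notification")


def excise_quoted(body):
    """Keep what the sender typed; drop our marker, everything below it, and '>' quotes."""
    head = body.split(MARKER, 1)[0]
    kept = [ln for ln in head.splitlines() if not ln.lstrip().startswith(">")]
    return "\n".join(kept).strip()


def is_auto_generated(msg):
    """RFC 3834 and common vendor headers that mark machine-generated mail."""
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return True
    if msg.get("Precedence", "").lower() in ("bulk", "junk", "auto_reply"):
        return True
    if msg.get("X-Autoreply") or msg.get("X-Auto-Response-Suppress"):
        return True
    return msg.get("Subject", "").lower().startswith(AUTO_SUBJECTS)


class Ticket:
    def __init__(self):
        self.log = []          # text appended to the ticket, in order
        self.seen = set()      # (sender, text) pairs already applied

    def process(self, raw):
        """Return (appended_text, notify_sender) for one inbound message."""
        msg = BytesParser(policy=policy.default).parsebytes(raw)
        sender = msg.get("From", "").lower()
        body = msg.get_body(preferencelist=("plain",))
        text = excise_quoted(body.get_content()) if body else ""
        if is_auto_generated(msg) or not text:
            return ("", False)              # never answer a robot or an empty reply
        if (sender, text) in self.seen:
            return ("", False)              # same person, same words: do not echo again
        self.seen.add((sender, text))
        self.log.append(text)
        return (text, True)


# Constructed sample: a human reply with our marker and a quoted ticket log below it.
SAMPLE_REPLY = (
    b"From: client@example.org\r\n"
    b"To: help@example.com\r\n"
    b"Subject: Re: [Ticket #1] message rejected\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Do not sand me any email\r\n"
    b"\r\n"
    b"---- reply above this line ----\r\n"
    b"> Ticket #1 was created from your message.\r\n"
)

# Constructed sample: a bounce-style auto-reply that must never be answered.
SAMPLE_AUTO = (
    b"From: mailer-daemon@example.org\r\n"
    b"To: help@example.com\r\n"
    b"Subject: Undeliverable: [Ticket #1] message rejected\r\n"
    b"Auto-Submitted: auto-replied\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Your message could not be delivered.\r\n"
)

if __name__ == "__main__":
    t = Ticket()
    print(t.process(SAMPLE_REPLY))   # ("Do not sand me any email", True)
    print(t.process(SAMPLE_REPLY))   # ("", False): the second identical plea is logged once
    print(t.process(SAMPLE_AUTO))    # ("", False): no reply to the mailer
```

The first identical reply still goes into the log; it is the automatic echo back to the same person that is suppressed, which is what turns an infinite exchange into a single ticket update.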

Today a client emails us an error message they had received about an email they had sent that had been tagged as disallowed by the standards of their firewall. They sent the email with the following text at the top:

Do not sand me any email

So, a ticket gets cut. What does it do? Send that very email right back to the client. So they reply:

Do not sand me any email

…which causes them to get an email copy of the ticket log. Again. Several rotations of this later we get one last email response from them:

DO NOT SAND ME ANY EMAIL I AM NOT INTRSTED

I laughed until I cried. I could just picture them sitting there sending us an email and immediately getting a reply back that simply quoted what they’d just sent and them, in turn, picturing us sitting there with an evil gleam in our collective eye and shooting them a response as quickly as possible, rubbing our hands together at the thought of their annoyance.

What was the very next ticket in the queue? That same client had tried to send their email again, gotten the rejection message again and forwarded it to us – generating another ticket and another automated response right back to them. This time their plea for silence read:

do not sand me any email do not

I laughed so hard I had to go outside. I still don’t know what we did with those tickets. I don’t care. Whatever it was, if we didn’t print and frame them to go on a wall then what we did was wrong.

In case you’ve ever wondered, yes, you can install Checkpoint NG R55 for RHEL 3.0 on CentOS 3.9. Christ alive, it’s a good day.

I almost never discuss my work on this site for any number of reasons. However, this tidbit is too strange not to pass on and will, I hope, fail utterly to identify anyone involved.

One of the services my employers offer is URL filtering. Clients can be set up so that they can’t view websites that fall into certain pre-defined categories (adult, guns, politics, whatever) but there is also an overriding “allow” list and “deny” list, free-form lists where we can add a given URL to grant or block access to a given site regardless of whether or how it’s classified in the third-party database of URLs we use for category filters. This is all pretty standard, yes, I’m just trying to explain it for people who may not be familiar with the “Net Nanny” approach to web monitoring.
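The precedence and the hostname matching are where these filters go wrong in practice, so here is the decision logic as an added example that is not the product the post describes. The category database, the list contents and the precedence rule are assumptions: a match on either override list beats the category verdict, the more specific override wins when both lists match, and deny wins a tie. Matching is on the hostname proper, so a userinfo trick like http://myspace.com@news.example.net/ is judged by the real host, and a pattern for myspace.com matches www.myspace.com but not notmyspace.com.

```python
"""Category filter with overriding allow and deny lists.

Added example, not the filtering product the post describes. The category
database, the list contents and the precedence rule (a more specific match
wins; deny wins a tie) are assumptions.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the third-party category database.
CATEGORY_DB = {
    "news.example.net": "news",
    "example.com": "games",
    "beer.example.org": "alcohol",
}


def host_of(url):
    """Hostname of a URL, lower-cased, without port, userinfo or trailing dot."""
    if "//" not in url:
        url = "//" + url          # bare 'www.example.com/path'
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no host in %r" % url)
    return host.rstrip(".")


def domain_matches(host, pattern):
    """pattern matches itself and its subdomains, never 'notmyspace.com'."""
    return host == pattern or host.endswith("." + pattern)


class UrlFilter:
    def __init__(self, category_db, blocked_categories, allow_list, deny_list):
        self.db = category_db
        self.blocked = set(blocked_categories)
        self.allow_list = [p.lower() for p in allow_list]
        self.deny_list = [p.lower() for p in deny_list]

    @staticmethod
    def best_match(host, patterns):
        """Longest pattern that covers the host, or None."""
        hits = [p for p in patterns if domain_matches(host, p)]
        return max(hits, key=len) if hits else None

    def category(self, host):
        """Walk from the host up through its parent domains (never the bare TLD)."""
        labels = host.split(".")
        for i in range(len(labels) - 1):
            cat = self.db.get(".".join(labels[i:]))
            if cat:
                return cat
        return None

    def decide(self, url):
        """Return (verdict, reason) for a URL."""
        host = host_of(url)
        allow = self.best_match(host, self.allow_list)
        deny = self.best_match(host, self.deny_list)
        if allow or deny:
            if allow and (deny is None or len(allow) > len(deny)):
                return ("allow", "allow-list:" + allow)
            return ("deny", "deny-list:" + deny)
        cat = self.category(host)
        if cat in self.blocked:
            return ("deny", "category:" + cat)
        return ("allow", "category:" + (cat or "uncategorized"))


# Constructed client configuration.
FILTER = UrlFilter(
    CATEGORY_DB,
    blocked_categories={"games", "alcohol", "adult"},
    allow_list=["example.com"],
    deny_list=["myspace.com", "forums.example.com"],
)

if __name__ == "__main__":
    for u in ("http://www.myspace.com/profile", "http://notmyspace.com/",
              "http://forums.example.com/t/1", "https://example.com/",
              "http://myspace.com@news.example.net/"):
        print(u, FILTER.decide(u))
```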

Most clients add big, obvious sites to their universal “deny” lists: myspace, Ebay, that kind of thing. Occasionally I get one that makes me die a little on the inside, like the time I was interrupted from reading the World of Warcraft user forums in order to block said forums for a client, a moment of terrible irony and a faint aftertaste of guilt. In one very amusing instance, I got a request around 3pm on a Friday afternoon from a client who wanted to unblock the Adult, Alcohol and Firearms categories and then have them re-enabled at the end of the day. Someone was, I could only conclude, getting ready for one heck of a weekend.

On even more rare occasions, however, we get a real glimpse into the inner workings of our clients’ offices and the personal obsessions that plague them. One had a string of radio station websites they wanted blocked; they had a colleague who was an incorrigible user of streaming broadcasts, the devil’s own bandwidth vacuum. Once we had a client who had to block, individually, a specific list of professional sports teams’ websites and, the next day, a collection of specific sports gambling sites. One had a pretty seriously MMO-addicted user and we had to block the forums.example.com domain for about half a dozen massively multiplayer games. Very rarely, a client will actually explain the situation to us, conversationally sharing private personnel matters in a way that makes us deeply uncomfortable; more often, we are left to invent our own explanatory scenarios.

Today, though? Today takes the cake. I just got asked by a client to block a specific list – half a dozen or more entries in length – of websites devoted to the personal and professional lives of the Olsen twins.

Some people don’t just need a hobby, they need a different hobby.

Ever wanted a thorough but largely non-technical discussion of the risks and problems inherent to electronic voting machines? Read this article from Ars Technica. He makes some fantastic points. I will quote only one sentence from it, because that one sentence is, itself, a beautifully brief and very thoughtful point:

Bits and bytes are made to be manipulated; by turning votes into bits and bytes, we’ve made them orders of magnitude easier to manipulate during and after an election.

Monday afternoon I changed my password for the first time in ten years.

That’s a terrible thing to admit, especially given that I’ve made my career in network security, but it’s true. Ten years ago I set my password on the server where I still send and receive what I think of as my “real” email, and I hadn’t changed it since. It was many characters long, a sensible mix of letters and symbols and numbers. In all those ten years, my account was never cracked, my password never guessed, my login never abused.

Then I logged in on Monday afternoon, and I saw an email from Ebay telling me I’d successfully created a listing for 1,000 gold from World of Warcraft. Only, I hadn’t. I figured it was phishing spam, but it mentioned my specific Ebay login. So, I checked my account on Ebay, rarely used, and saw that, whoops, there were over 1,500 fake listings for WoW gold in my name. They were identical, and each listing page included Paypal buttons for the ordering of gold and leveling in WoW – it didn’t matter that they listed them using my account, because the goods weren’t actually bought at auction. It was just a convenient way for them to advertise their product and offer a direct-purchase Paypal link so many times that they could flood the listings one would get were they to search Ebay for World of Warcraft gold.

Long story short, the Ebay rep who talked to me (they call you after initially working with you online, which really sealed the deal for me in terms of coming away viewing it as a positive customer service experience – that, and it took them all of fifteen minutes to have the situation entirely fixed) told me two things: that it was the most fake listings he had ever seen, so many it crashed his administrative interface to the site when he tried to cancel them en masse, and that I should change the password on my email account.

Now, realize that the account in question is an old account. I’ve had it for over a decade. It’s an actual shell account on an actual server where I use Pine to read my email. It is not some Hotmail junk. I remember when I worked there, there was a terminal set up in one corner and whenever someone mistyped a password for an account on our system, an alert would pop up on that monitor.

But I work in network security, and I couldn’t very well just cross my fingers and hope for the best, could I? I’d already cancelled my Paypal account entirely in a fit of paranoid track-covering. I was already in slash-and-burn mode regarding anything related to my Ebay account. It occurred to me that if they had logged in as me then they knew my street address, they knew my email address, they knew my phone number, everything. Even if they couldn’t do much with my street address, it still drove me bat-shit just knowing they knew that. Anything I could do to improve the chances of not having my life dug further into, well, it had to be a pretty good idea, right? And so I sucked it up and typed something I hadn’t in a very long time:

passwd

Now I have to remember a new one. The old one is so programmed into my fingers that I still type it every time I log in. I felt oddly invaded, oddly stripped bare by the experience, but nothing about it is as bad, frankly, as my annoyance at having to remember a new password.

If I could wrap my hands around the necks of those bastards, that’s the last thing they’d hear as the light dimmed: You made me remember a new password, you fuckers.

What’s funniest to me is that I change all my other passwords all the time. Ebay password? Totally changed. I don’t buy or sell on Ebay that often, but I log in fairly frequently just to glance around. I change that password a lot. I just didn’t get lucky on this one.

It’s just that one password, on my “real” email, that I’d let stay the same. Eventually it was like a quiet point of shameful pride, like a monk with a prodigious collection of skin mags. But now even I, perverse as I am, will change it often as well. Just one more thing to go in the calendar appointments, one more account to remind myself to change every so often.

I would wring those bastards’ necks in two seconds, given half a chance.

In 2000, as I was standing in line to vote, a woman in front of me addressed those of us standing around her with this: “Why can’t I just do this online?” I should have kept my mouth shut, but I didn’t. “Because,” I said, “It would be too easy to hack.” After finding out I worked in network security, she went on to decide that it was somehow my fault that this hadn’t been figured out yet. While I certainly didn’t have the answer, I shared her frustration. A part of me relishes the civic camaraderie of standing in line to vote – how else would I have met that lady in ’04 who told me her kids played soccer with the Bush twins in Texas years ago, and said “Laura is the biggest bitch you’ll ever meet,” without that experience? Still, online voting would make some things much easier.

And so, with that in mind, pretend for a moment that you and I are sitting in a bar. There is a large plate of cheese fries between us, with ample supplies of both ranch and honey mustard dressings. I have a Diet Coke (it counteracts the cheese fries, right?) and you have the beverage of your choice. You have just pulled out a pen and one of the bar napkins and said, “So how could it work and be safe?”

This is not a circumstance in which we are going to solve the problem from start to finish, but I do have a few ideas. I don’t know how feasible they are. I don’t even know if they’re truly secure, because encryption and authentication are not my specialties. I do network perimeters, though, so I do touch on authentication and encryption. I am not, however, a genius. I am a guy who is good enough at his job to keep doing it. Keep this in mind. I say this in part to excuse any gaffes and in part to make clear that criticism or other suggestions will not offend me. I am aware of my limitations! Anything we can come up with to improve on the following scenario is a good thing. I do not believe that in a day or a month or a decade the whole world will look back on this post as The Answer That Worked, but neither have I found much of anywhere that this is being discussed in a serious but casual and open way. So, we begin here, and see what happens.

The biggest issue with online voting is, how do we know your vote was cast by you? Online voting would, if dissected into an order of operations, look a great deal like voting in person, in part because that’s already the model that works, and in part because this can be translated into a friendly, tech-free presentation to the user that will make them comfortable with a new process by making it feel like the old process wherever possible. That means the first thing we have to do is check in at the front desk. So, we need to authenticate you. However, managing a national database of logins and passwords is impossible and, just as importantly, neither would it be anonymous. Confidential is not the same as anonymous (let’s hear it from the HIV-testing activists from ten years ago, people), and what we’re gearing for is authenticated anonymity. (I don’t even know if that’s a real term, but we’re too busy eating cheese fries to care. This is all just kicking the ball around.) You want to check in at the front desk but, after that, you do NOT want your vote in any way tied to your name. Remember, you don’t sign your ballot before you stick it in the box.

The second big question is going to be ensuring that your vote is not tampered with. In real life we do this by being alone in the voting booth and then putting the ballot in the box ourselves. Polling place workers do not take the ballots from our hands after they’re filled out. Instead, they are tucked away in the big, brown boxes for security’s sake. After that, we have to trust that the authorities are honest with their counting, but hey, we already do that. So far, so good. How to duplicate this online is going to be to use extra-strength encryption. I am not talking about 128-bit encryption you use to check your bank balance. Yes, that’s great, and the kid down the street sniffing your wireless link is not going to be able to crack that in a hurry, but we know someone can: the government. Rumor has had it for years that 128-bit is the industry standard because the average cracker can’t break it but the NSA can and in real time. Perhaps it is true that Uncle Frank is simply not going to care about that, but the geeks sure as heck will. If we’re going to sell online voting to anyone, we have to win over the geeks first. Then they can sell their Uncle Frank on it on their own time. Thus, I’m going to go out there and suggest 1024-bit encryption. It’s overkill, yes, but it is very, very safe, and all the nerds out there with GnuPG are going to like seeing that big number.

The third question is, how do we deliver it? The bottom line is that, like any question of voting equipment and processes, it’s going to be decided at the state and local-elections-board levels. Your town or county or city or whatever is going to have to keep a server where the votes are tallied. This is not hard, because the process of tallying votes is now largely computerized anyway. Butterfly ballots excluded, do you really think that here, in NC, when we complete the little arrow to the candidate’s name that someone is going through and checking those by hand? Those things are scanned and the results stored on a computer. We will store our results on the same computer. Voila.

“That’s a lot of nice talking,” you say to me around a mouthful of Beverage(tm), “But we already know all that.”

Too true! Here’s the tech part of it, and it’s very simple: one-time crypto keys.

Let’s say we have our system in place. I want to vote online because I am lazy and I could be sitting at home stuffing myself with my own plate of cheese fries rather than out standing in line. Thus, I appear at my local polling place and skip the line and go straight to the front table that’s next to the other front table. There is no line. I tell them who I am, and they check me off in the big book because I’m now saying that I have voted and I am not going to vote in person. The other front table checks me off, too. The nice people behind the table hand me a CD with the voting client software on it (a cosmetically modified VPN client that is light and simple and will uninstall the day after the election and a link to the page where I will vote, using a private IP address for which I’ll only have a route after the VPN client has bound to my network interface). Then, they reach into a big box next to them and pull out an envelope. It looks like a paystub – perforated edges on each end – and they open it. They toss the carbon-copy sheet in the middle, hand me one of the two pieces of paper inside, and take the other piece and stick it into a ballot box.

I have now, for the purpose of validating that as many votes were cast as voters showed up to vote, voted.

I go home. I start warming up the cheese fries.

While that’s happening, I pop the CD in and install the VPN client. It is quick and painless, and requires minimal user interaction. When it launches, I am asked for one thing: the string of letters and numbers printed on the otherwise blank sheet of paper I was handed at the polling place. That string is my key. I should note here that I don’t mean the actual encryption key, I mean something like a pre-shared secret – it’s not 1024 bits of characters, it’s just a random jumble of characters (let’s say 8 to 12 characters in length) that can be compared on the far side of my connection to verify that this is legit. Once I put that in, my browser launches and I am taken to a page that has the appropriate offices and candidates for my precinct/district/etc. I vote by clicking a few radio buttons. I click submit, which takes me to a listing of the votes I just cast. I am asked to review these votes and confirm them. Because this is just a simple page, my enhanced accessibility software for any disabilities I might have has no problem handling it – the page is read out loud, the text is enlarged, whatever. I click that I have verified this information, and tah-dah, I have voted.

The server on the far side marks my key as having been used. It can never be used again, not even next election.

I eat my cheese fries.

That night, one candidate in a race asks for a recount. The number of votes cast is compared to the number of voters having shown up to vote, voted early or listed as voting online. The tallies are run again. There is no problem with online votes because they are, ultimately, every bit as secure as the output of a touch-screen machine that has no paper trail. So, OK, there are potential problems of the tallies having been tampered with, but these problems exist already in our system, so they are separate questions entirely.
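Here is a small model of the one-time keys, the check-in count and the recount comparison sketched above, written as an added example for this post (it is not the author’s design spelled out in code, nor any real election system). The class and method names, the status strings and the server-side secret “pepper” are my assumptions; the server keeps only keyed hashes of the printed keys, and nothing that ties a key to a name or a ballot.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
KEY_LENGTH = 10  # the post suggests a random jumble of 8 to 12 characters


def generate_key(length=KEY_LENGTH):
    """One key for one envelope, drawn from the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalize(key):
    """Uncle Frank may type lowercase or stray spaces; it is the same key."""
    return "".join(key.split()).upper()


class KeyServer:
    """Constructed model of the county tally server. It stores keyed hashes
    of the printed keys, never the plaintext, and never a key-to-voter or
    key-to-ballot link, which is the 'authenticated anonymity' the post wants."""

    def __init__(self, pepper):
        self._pepper = pepper   # constructed secret known only to the server
        self._valid = set()     # fingerprints of keys printed into envelopes
        self._used = set()      # fingerprints that have already cast a vote
        self.checked_in = 0     # voters ticked off in the big book as "online"
        self.ballots = []       # ballots only; no key and no name stored here
        self.closed = False

    def _fp(self, key):
        # HMAC with a server-held pepper: a leaked table cannot be used to vote
        return hmac.new(self._pepper, normalize(key).encode(),
                        hashlib.sha256).hexdigest()

    def print_batch(self, count):
        """Generate keys for the envelopes; plaintext goes to the printer only."""
        keys = [generate_key() for _ in range(count)]
        self._valid.update(self._fp(k) for k in keys)
        return keys

    def check_in(self, voters=1):
        """Poll workers report how many voters took an envelope."""
        self.checked_in += voters

    def redeem(self, key, ballot):
        """Cast one ballot with one key; returns a status string."""
        if self.closed:
            return "closed"
        fp = self._fp(key)
        if fp not in self._valid:
            return "unknown_key"
        if fp in self._used:
            return "already_used"  # the key can never be used again
        self._used.add(fp)
        self.ballots.append(dict(ballot))  # stored apart from the key
        return "accepted"

    def reconcile(self):
        """The recount check: (votes cast online, voters who checked in)."""
        return len(self.ballots), self.checked_in

    def tallies_agree(self):
        """More online ballots than online check-ins means something is wrong."""
        cast, checked_in = self.reconcile()
        return cast <= checked_in

    def close_election(self):
        """Unused keys are thrown away: only spent fingerprints survive, so
        nothing in the box can be redeemed later, not even next election."""
        self._valid = set(self._used)
        self.closed = True
```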

Now, of course, there are problems with this. What about all those unused keys sitting in that box? They are thrown away. But what if someone decides to start opening them and checking off random no-shows in the voter roll and just voting for them? Well, that could already happen with blank paper ballots at any polling station. If we distrust the people running our elections, that is a separate question entirely and not of import to the technical matter of allowing secure, online voting.

But what, then, of Uncle Frank? He’s so bad with computers he tried to install iTunes and wiped his hard drive! He didn’t even know what iTunes was!

That, my friend, is Uncle Frank’s problem. Perhaps his geek niece will help him. Perhaps his geek niece will be so civically minded that she sets up a local volunteer tech-support line for her precinct to help folks who aren’t sure what to do – staffed by both Democrats and Republicans, and endorsed by the local elections board after receiving election-staffing training. Perhaps she is supported entirely by one party or the other, like the many other programs the parties run on election day to assist voters by giving them rides to the polls, ringing doorbells to remind them it’s election day, all sorts of things.

But they could trick them into voting the wrong way! Yes, and so can phone-jamming schemes in New Hampshire prevent them from getting to the polls in the first place; the thing is, if it’s found out, it can be punished just as surely as any other form of election fraud.

Fine, Mr. Smarty Pants, what about spyware? Hackers? Key-stroke loggers? What about a virus that changes the local host file on Uncle Frank’s computer so that he gets redirected to a false website and his vote is stolen and he gives away his key to someone else to use? That? That I’m not so sure about. That’s partly a function of making sure your computer is safe in the first place and partly a function of threatening such voter fraud with the same punishments as any other form of voter fraud. It is, ultimately, a matter of law enforcement. I’m here to answer the technical matter of making the online voting happen as securely as possible, though, so I simply don’t have the technical answers other than to say that we all risk this every time we check our online banking or pay a bill. As such, Uncle Frank (or his geek niece) are going to have to take the same precautions they take every day, cross their fingers and hope for the best just like the rest of us.

So who’s going to pay for this? We are. We’re the taxpayers. The same budgets that pay for touch-screen voting machines will pay for the VPN equipment, and connections, and the perimeter security around the machines that handle tallying and the VPN concentrator itself, and on and on and on. Will it be expensive? Oh, you bet it will. It’ll be worth it, though, and heck, what we’re spending now on touch-screen devices is already pretty outrageous.

And yet, there are other problems, and other questions, and probably a whole slew of technical issues and hitches and hiccups that I just haven’t thought of. So what are they? It’s time to get cracking on this issue, because it’s going to happen one day, sooner or later, safe or not. We might as well start kicking around the best-case scenarios – not the worst-case, but the best-case – so that we can push for them early.

Now please, stop bogarting the honey mustard.

A movie destined to make me slightly embarrassed to tell people what I do for a living: FIREWALL.

C’mon, Harrison, suck it up and make Indiana Jones 4 or something so we can love you again, OK?

Fresh from MSNBC.com:

RALEIGH, N.C. – One of the nation’s leading suppliers of electronic voting machines may decide against selling new equipment in North Carolina after a judge declined Monday to protect it from criminal prosecution should it fail to disclose software code as required by state law.

Diebold Inc., which makes automated teller machines and security and voting equipment, is worried it could be charged with a felony if officials determine the company failed to make all of its code —some of which is owned by third-party software firms, including Microsoft Corp. —available for examination by election officials in case of a voting mishap.

The requirement is part of the minimum voting equipment standards approved by state lawmakers earlier this year following the loss of more than 4,400 electronic ballots in Carteret County during the November 2004 election. The lost votes threw at least one close statewide race into uncertainty for more than two months.

Diebold can bitch and moan all they want, but this is a good thing.  Black-box voting machines do not do democracy any favors.  The rules surrounding voting machines should be very simple:

  • The code must be available for inspection by the state.
  • The box must provide an easily readable receipt for voters to verify.
  • The votes counted should be the verified receipts, not mysterious entries in a local file on the voting machine itself.

Sounds to me like, by my own personal test of what makes a "good" voting machine, Diebold fails before they get past the first hurdle.  Claiming that they can’t be held responsible because the boxes use other companies’ code that they can’t reveal simply should not hold water – and didn’t, thankfully, when it went to a court of law.  If they want to sell a product, they should be willing to stand behind their product.  If they can’t speak for third parties but they do want to sell a product that enables (or disables) something as important as voting, if they really want to be serious about being in that business at all, they should be willing to build the boxes from the ground up so that they can continue to stand behind their product.

Is there anything about that a company could seriously find unfair?  Hell, North Carolina’s law is considerably more generous to the sellers than I would be – after all, they’re just requiring that the code be held in escrow for examination after any questions are raised.  Me, I’d want the code in my hands and positive assessments from as many impartial experts as I could round up before one of these was ever unveiled in a polling place.

Ah, but we all remember that Diebold is headed by a Republican fundraiser who, last year, swore he was "committed to delivering Ohio’s electoral votes to President Bush."  Now, that’s the sort of statement any enthusiastic volunteer or donor would say.  The problem is, it was said by a guy who makes fucking voting machines.  It’s a relatively young conspiracy theory, but it’s one with some meat on its bones:  the head of Diebold, Wally O’Dell, was on the list of "Pioneers & Rangers," ruggedly doughy white guys who promised to raise $100,000 or more for Bush’s reelection campaign last year.  So when Diebold balks that they can’t comply if they have to open their code to inspection in the case of "irregularities," then frankly I think our state benefits from having lost a vendor whose commitment to transparency and vote security is at best questionable and who is, in my not-at-all-humble opinion, irrationally fidgety around questions of accountability both political and technical.

The state has plenty of other choices.  Diebold makes it sound like we won’t have any voting machines at all if we ask them to accept responsibility for the ones they provide us – even after a Diebold machine’s malfunction was what threw the Secretary of Agriculture race into the courts last year – but that’s simply false.  What we won’t have is any of their machines screwing up a race with no way to determine whether elections using them were actually fair.  If you ask me, that’s not a loss, it’s a gain.


So, a dude in Florida has been charged with a felony for using someone else’s wireless network:

Police say Benjamin Smith III, 41, used his Acer brand laptop to hack into [emphasis mine – RMcMP] Dinon’s wireless Internet network. The April 20 arrest is considered the first of its kind in Tampa Bay and among only a few so far nationwide.

Don’t you just love that “hack into” up there?  Lordy.  Sensationalize much?

Now, lest you take me wrong, by no means am I endorsing driving around suburban neighborhoods and making use of the Wi-Fi of a stranger.  (What a great title for a trashy techno-romance:  The Wi-Fi of a Stranger.  Must remember it for the Plot Dare forum on NaNo this year.)  I decline to endorse it not because it’s some great evil, however.  Rather, I think it’s just kind of tacky.  It’s like letting your dog drop a huge steamer in your neighbor’s lawn and failing to clean it up because it’s more convenient than walking the dog your damn self.

See, here’s the thing:  the concept of “stealing” Wi-Fi is not unlike the concept of “stealing” air.  Am I stealing something when I stand in my yard and breathe oxygen that might otherwise have meandered across the invisible line that marks the border of my neighbor’s property?  If I stand too close to that invisible line and breathe for all I’m worth, am I taking something from them?  The wireless signal that extends beyond those golden, holy boxes with labels like Linksys and D-Link is effectively unlimited.  Yes, there are constraints – LAN speeds and the bandwidth available via a given means of accessing the interwebulons beyond that – but c’mon, who is ever, and I mean ever, pushing 100 Mb/s across their wireless LAN?  Seriously.  Get real, people.  I don’t care how many substitute electronic cocks someone’s got strapped to his geek belt and how many TiVos are on the network and how many computers they have in the basement, the bottom line is that it takes a whole lot of users before one more makes the difference.  So get real with the metaphors and the similes and the whatevers.  It is not theft, because it is impossible to steal that of which there is an effectively infinite supply.

This tweaks me so bad, first of all, because the “real” threat – and it’s not much of one, frankly – is not the theft of a signal but its pollution.  Second, it gives me an opportunity to point out needless corporate greed draped in the cloak of self-righteous indignation.

So, what’s the real threat?  The article (and the “victim”) get it quite right:  that someone could use your network for activities you don’t want carried out on your network:

The technology has made life easier for high-tech criminals because it provides near anonymity. Each online connection generates an Internet Protocol Address, a unique set of numbers that can be traced back to a house or business.

That’s still the case with Wi-Fi but if a criminal taps into a network, his actions would lead to the owner of that network. By the time authorities show up to investigate, the hacker would be gone.

“Anything they do traces back to your house and chances are we’re going to knock on your door,” [Special Agent Bob] Breeden [head of the Florida Department of Law Enforcement’s computer crime division] said.

That’s true.  If you have an unsecured wireless network, anybody can use it to do anything they can do with any network, including whatever bad things you can imagine.  The interwebs are a dark and dangerous alley, kids, and every bum has a knife up his sleeve, etc., etc.  I mean, yes, the risk is there – if I were a child pornographer, I could think of few safer(-ish) ways to get a fix than by driving around the corner and sitting outside the home of the nice old lady with the wireless network her granddaughter set up for her last Christmas.  So yeah, that danger is there, I guess, but I’m pretty sure it ranks right up there with being hit twice by lightning while under a rain of frogs.

But you know what?  Were I a child pornographer I could also simply sneak into your house and plant porno tapes in it.  I could tuck them away at the backs of long-forgotten closets and you’d never be the wiser.  If only there were a way to keep strangers from entering your home.  Something – maybe something built into the door – that could be used to make sure (within a reasonable margin of failure) that only those who should have access to your home actually enter it.  Something simple, preferably…. Gosh, I’m just not sure I can think of anything.

Oh yeah, they’re called LOCKS and KEYS.  Even this article points that out:

For as worrisome as it seems, wireless mooching is easily preventable by turning on encryption or requiring passwords. The problem, security experts say, is many people do not take the time or are unsure how to secure their wireless access from intruders. Dinon knew what to do. “But I never did it because my neighbors are older.”

And whose fault is that, again?

What really bothers me about this whole thing, though, is the attitude presented by at least one source for the article:  that even if you do it with their permission you’ve still committed a crime:

“It’s no different if I went out and bought a Microsoft program and started sharing it with everyone in my apartment. It’s theft,” said Kena Lewis, spokeswoman for Bright House Networks in Orlando. “Just because a crime may be undetectable doesn’t make it right.”

Um, actually, no it is not theft to borrow a neighbor’s network with permission.  That’s kind of what permission is.  The article is a bit murky as to whether they’ve asked her whether it’s wrong to use a neighbor’s connection without permission or whether it’s wrong to use a neighbor’s connection with permission, but it certainly seems, from context, that the situation she’s discussing is one of sharing a wireless connection with permission.  No, sorry, survey says: XXX.  If I let my neighbor borrow my wireless signal, it’s no different than letting him borrow the lawn mower.  If her point is that I paid for the right to use the cable modem and no one else can do so, then I guess I’d better stop letting Bascha and Katastrophes fire up their machines when they’re DM’ing over here for a night of D&D, right?  I guess they’re not allowed to borrow my computer to check their email, either.  And what are they doing in my chairs?  Did I get permission from my Chair Service Provider to let them sit their asses down?

Sorry, Ms. Lewis, but you don’t get to put me in a panic over the scary, scary war-drivers and tell me what to do with my network in my own home.  Just fuck right off.  It’s absurd to think that they can tell us what to do with our own networks, but there you go.  They’re pissed at the idea the neighbors might skip getting a cable modem altogether if they know that whenever their grandkids are over to visit they can borrow my signal, or that I might tell Mr. Saturday he should feel free to stop by with a laptop whenever he’s out looking at houses in my neighborhood.  That’s just plain fucked up.

Ultimately, that’s really what gets my goat.  This jackass who thought it would be smart to set up shop in front of someone else’s house and use his wireless signal is just that:  a jackass.  That’s tacky.  That’s just so lame.  This is 2005, buddy, get a coffeeshop.  I mean, puh-leze.  But to arrest him on felony charges is equally absurd, and to turn it into an opportunity for some mouthpiece for an ISP to claim that borrowing a neighbor’s network with their permission is outright theft borders on the insane.

OK, I’m done now.  It just really put a burr under my saddle.

So, last night I’m driving home from the awesome Tarot class I’m in, and I’m listening to Future Tense on NPR.  One of their segments is an interview with Kevin Mitnick – you know, the guy who ended up in prison after a dick-waving incident.  Not cool, despite his Mumia-like status by the time it was all over.

Anyway, Mitnick is being interviewed about his own computer getting jacked recently.  Apparently aerosmith.com – yes, that Aerosmith, the band – had been compromised, and Mitnick went there while it was compromised in order to check their concert schedule.  A few minutes later his computer starts “acting funny,” and he realizes an executable has been dropped onto his machine and he has been, as the kids like to call it, pwned.  Then he remembers, oh yes, he turned off his firewall while doing some testing on his home network, and he forgot to turn it back on before getting back online.  And now he’s hosed.  Whoops.  So he has to reinstall his OS and all its patches.

Turns out the OS is Windows.  Turns out the browser he was using, with a known vulnerability – how his machine was jacked by aerosmith.com in the first place – was Internet Explorer.

The Boyf was behind me on the drive home, listening to the same show.  We get back to our abode and he says, “Were you listening to NPR?”  I say that yes, I was, and he says, “Oh, so that was you I could hear laughing all the way home.”

Hee!

And in other geek news, UC-San Diego is going to run a study/experiment in which they attempt to track the spread of computer virii using the same methods used to track the spread of human epidemics.  Their stated goal is to develop a model for a self-defending network that fights off attacks in the same way as the human body.

I’m going to go out on a limb here and say, Duh.  We haven’t been calling them virii for years for no reason.

Snarkiness aside, very cool.  I won’t bore you with my opinions on the technical side of things, but suffice to say, I think the day will come when we have to have automated defenses – more automated than we currently have, anyway – because human defenders already fail to notice almost everything that happens.  Computer security is not a field in which intrusions and attacks are prevented or eradicated, it’s an industry in which, at best, risk is managed and responses are made more efficient, not obsolete.

