An interesting way to look at DRM

From “The Big DRM Mistake?”:

Fundamentally, DRM is about persistent access control – it is a term for a set of technologies that allow for data to be protected beyond the file system of the original machine. Thus, for example, the read/write/execute access control on most *nix file systems will not only be applicable to the original machine but to all machines.

Stated in these terms, I agree with the aims of DRM. However, it is the ways in which large media and software businesses have mis-applied DRM that have ruined the associations most users have with the technology.

Better technical security increases personal risks

From The New York Times’ “They Stole $92 Million, but Now What?”:

Just one week ago, Colin Dixon, the manager of a depot where bank notes are stored, was driving home on a quiet Tuesday evening when what he thought was a police car with flashing blue lights pulled him over.

It was the beginning, as it turned out, of Britain’s biggest ever cash caper. Seven days later, a staggering $92 million — around twice the previous record in a country that seems to specialize in mind-boggling robberies — seems simply to have disappeared.

The men who ordered Mr. Dixon, 51, to pull over were not police officers but hoodlums who bundled him into their Volvo and handcuffed him. According to police accounts, he was told that his wife, Lynn, 45, and son Craig, 8, would be shot if he did not cooperate.

Less than two hours later, more bogus police officers called at Mr. Dixon’s home in Herne Bay and told his wife that he had been in an accident. She and her son believed their story and walked into captivity. The family was reunited at a farmhouse, then driven to the depot at Tonbridge, in the county of Kent southeast of London, according to police accounts. Then their ordeal really began. …

The haul was enormous even by the standards of a land that likes to express its criminal landmarks through thefts of industrial proportions — more than twice the $45 million taken in a caper at Northern Bank in Belfast, Northern Ireland, in December 2004, at that time the biggest cash robbery on record. The Irish Republican Army was blamed for that robbery.

But one similarity between the robberies has raised worrisome questions about the way money is protected.

In both cases, employees and families were taken hostage, forcing managers to help the thieves. And so the most vulnerable point in guarding the cash has become the people who know the codes and procedures to bypass sophisticated security systems.

Such tactics “are part and parcel of the shift towards the technologized management of money,” said Tim Newburn, a professor of criminology at the London School of Economics.

According to the BBC, such abductions are known as tiger kidnappings, because the victims are stalked before they are seized. “Tiger kidnapping requires a detailed knowledge of staff — their journeys, their responsibilities and their families — which often comes with the help of a current or former employee.”

In other words, an inside job.

Why people don’t use firewalls

From the Windows OneCare Team Blog’s “Windows OneCare Firewall – Keepin’ it Green, Part I”:

Through a combination of surveys, emails and customer communication, we maintain a close watch on the “health” status indicators, such as, percent of users with anti-virus out of date, or the ratio of customers that are regularly backing up files.

… Recently, we have noticed a slight increase in the number of people turning off their firewall, with a corresponding decrease in the number of green machines.

Based on our investigation, there are four primary reasons people are turning off their firewall.

1. Do not think a software firewall is necessary
2. Do not like the (sometimes incessant) pop-up dialogs
3. An application failed to install with firewall turned on
4. An application fails to work with firewall turned on

Risk management

From Glenn Fleishman’s post to the Interesting People mailing list:

I heard the strangely frank head of TSA on NPR this morning–perhaps he forgot he was speaking to the public?–talk quite honestly about what I would describe as “yield management for risk.”


* The pilots are now protected, so the plane won’t be weaponized even if many passengers were to die on board.
* Passengers will overwhelm someone armed with relatively minor weapons, even if some passengers die. That’s acceptable risk.
* A lot of stuff on planes can be used as weapons already (he didn’t elaborate).
* The evaluated risk of smaller knives is low in their testing — meaning whatever air marshals wear for protection will resist punctures from smaller knives.

He said the focus is now on explosive detection.

How to know if you should worry

From Bruce Schneier’s “Should Terrorism be Reported in the News?” in Crypto-Gram (15 May 2005):

One of the things I routinely tell people is that if it’s in the news, don’t worry about it. By definition, “news” means that it hardly ever happens. If a risk is in the news, then it’s probably not worth worrying about. When something is no longer reported — automobile deaths, domestic violence — when it’s so common that it’s not news, then you should start worrying.

Shoehorning drivers licenses

From Bruce Schneier’s “REAL ID” in Crypto-Gram (15 May 2005):

REAL ID also prohibits states from issuing driver’s licenses to illegal aliens. This makes no sense, and will only result in these illegal aliens driving without licenses — which isn’t going to help anyone’s security. (This is an interesting insecurity, and is a direct result of trying to take a document that is a specific permission to drive an automobile, and turning it into a general identification device.)

Confidential, Secret, Top Secret … and SSI

From Bruce Schneier’s “Sensitive Security Information (SSI)” in Crypto-Gram (15 March 2005):

For decades, the U.S. government has had systems in place for dealing with military secrets. Information is classified as either Confidential, Secret, Top Secret, or one of many “compartments” of information above Top Secret. Procedures for dealing with classified information were rigid: classified topics could not be discussed on unencrypted phone lines, classified information could not be processed on insecure computers, classified documents had to be stored in locked safes, and so on. The procedures were extreme because the assumed adversary was highly motivated, well-funded, and technically adept: the Soviet Union. …

In 1993, the U.S. government created a new classification of information — Sensitive Security Information. The information under this category, as defined by a D.C. court, was limited to information related to the safety of air passengers. This was greatly expanded in 2002, when Congress deleted two words, “air” and “passengers,” and changed “safety” to “security.” Currently, there’s a lot of information covered under this umbrella. …

The rules for SSI information are much more relaxed than the rules for traditional classified information. Before someone can have access to classified information, he must get a government clearance. Before someone can have access to SSI, he simply must sign an NDA. If someone discloses classified information, he faces criminal penalties. If someone discloses SSI, he faces civil penalties.

SSI can be sent unencrypted in e-mail; a simple password-protected attachment is enough. A person can take SSI home with him, read it on an airplane, and talk about it in public places. People entrusted with SSI information shouldn’t disclose it to those unauthorized to know it, but it’s really up to the individual to make sure that doesn’t happen. It’s really more like confidential corporate information than government military secrets. …

The U.S. government really had no choice but to establish this classification level, given the kind of information they needed to work with. For example, the terrorist “watch” list is SSI. If the list falls into the wrong hands, it would be bad for national security. But think about the number of people who need access to the list. Every airline needs a copy, so they can determine if any of their passengers are on the list. That’s not just domestic airlines, but foreign airlines as well — including foreign airlines that may not agree with American foreign policy. Police departments, both within this country and abroad, need access to the list.

A brief history of backdoors

From Network Magazine:

Ken Thompson, a designer of the Unix OS, explained his magic password, a password that once allowed him to log in as any user on any Unix system, during his award acceptance speech at the Association for Computing Machinery (ACM) meeting in 1984. Thompson had included a backdoor in the password checking function that gets included in the login program. The backdoor would get installed in new versions of the Unix system because the compiler had Trojan Horse code that propagated the backdoor code to new versions of the compiler. Thompson’s magic password is the best known, and most complex in distribution, backdoor code.

DRM ratchets up, but never quite works

From Edward Felten’s "DRM and the Regulatory Ratchet":

Regular readers know that one of my running themes is the harm caused when policy makers don’t engage with technical realities. One of the most striking examples of this has to do with DRM (or copy-restriction) technologies. Independent technical experts agree almost universally that DRM is utterly unable to prevent the leakage of copyrighted material onto file sharing networks. And yet many policy-makers act as if DRM is the solution to the file-sharing problem.

The result is a kind of regulatory ratchet effect. When DRM seems not to be working, perhaps it can be rescued by imposing a few regulations on technology (think: DMCA). When somehow, despite the new regulations, DRM still isn’t working, perhaps what is needed is a few more regulations to backstop it further (think: broadcast flag). When even these expanded regulations prove insufficient, the answer is yet another layer of regulations (think: consensus watermark). The level of regulation ratchets up higher and higher – but DRM still doesn’t work.

The advocates of regulation argue at each point that just one more level of regulation will solve the problem. In a rational world, the fact that they were wrong last time would be reason to doubt them this time. But if you simply take on faith that DRM can prevent infringement, the failure of each step becomes, perversely, evidence that the next step is needed. And so the ratchet clicks along, restricting technical progress more and more, while copyright infringement goes on unabated.

Painter of kitsch … and security

From "Art for Everybody" in the 15 October 2001 issue of The New Yorker, an article about the immensely popular, incredibly kitschy painter Thomas Kinkade:

… ten million people own some product featuring his name, and most editions are signed with ink containing DNA from his hair or blood, to prevent fakes. 

Feral cities of the future

From Richard J. Norton’s “Feral cities – The New Strategic Environment” (Naval War College Review: Autumn, 2003):

Imagine a great metropolis covering hundreds of square miles. Once a vital component in a national economy, this sprawling urban environment is now a vast collection of blighted buildings, an immense petri dish of both ancient and new diseases, a territory where the rule of law has long been replaced by near anarchy in which the only security available is that which is attained through brute power. Such cities have been routinely imagined in apocalyptic movies and in certain science-fiction genres, where they are often portrayed as gigantic versions of T. S. Eliot’s Rat’s Alley. Yet this city would still be globally connected. It would possess at least a modicum of commercial linkages, and some of its inhabitants would have access to the world’s most modern communication and computing technologies. It would, in effect, be a feral city.

The putative “feral city” is (or would be) a metropolis with a population of more than a million people in a state the government of which has lost the ability to maintain the rule of law within the city’s boundaries yet remains a functioning actor in the greater international system.

In a feral city social services are all but nonexistent, and the vast majority of the city’s occupants have no access to even the most basic health or security assistance. There is no social safety net. Human security is for the most part a matter of individual initiative. Yet a feral city does not descend into complete, random chaos. Some elements, be they criminals, armed resistance groups, clans, tribes, or neighborhood associations, exert various degrees of control over portions of the city. Intercity, city-state, and even international commercial transactions occur, but corruption, avarice, and violence are their hallmarks. A feral city experiences massive levels of disease and creates enough pollution to qualify as an international environmental disaster zone. Most feral cities would suffer from massive urban hypertrophy, covering vast expanses of land. The city’s structures range from once-great buildings symbolic of state power to the meanest shantytowns and slums. Yet even under these conditions, these cities continue to grow, and the majority of occupants do not voluntarily leave.

Feral cities would exert an almost magnetic influence on terrorist organizations. Such megalopolises will provide exceptionally safe havens for armed resistance groups, especially those having cultural affinity with at least one sizable segment of the city’s population. The efficacy and portability of the most modern computing and communication systems allow the activities of a worldwide terrorist, criminal, or predatory and corrupt commercial network to be coordinated and directed with equipment easily obtained on the open market and packed into a minivan. The vast size of a feral city, with its buildings, other structures, and subterranean spaces, would offer nearly perfect protection from overhead sensors, whether satellites or unmanned aerial vehicles. The city’s population represents for such entities a ready source of recruits and a built-in intelligence network. Collecting human intelligence against them in this environment is likely to be a daunting task. Should the city contain airport or seaport facilities, such an organization would be able to import and export a variety of items. The feral city environment will actually make it easier for an armed resistance group that does not already have connections with criminal organizations to make them. The linkage between such groups, once thought to be rather unlikely, is now so commonplace as to elicit no comment.

Zombies! 100s of 1000s of zombies!

From The New York Times’ “An Army of Soulless 1’s and 0’s”:

Officials at the F.B.I. and the Justice Department say their inquiries on the zombie networks are exposing serious vulnerabilities in the Internet that could be exploited more widely by saboteurs to bring down Web sites or online messaging systems. One case under investigation, officials say, may involve as many as 300,000 zombie computers …

In one recent case, a small British online payment processing company, Protx, was shut down after being bombarded in a zombie attack and warned that problems would continue unless a $10,000 payment was made, the company said. It is not known whether the authorities ever arrested anyone in that case. …

More than 170,000 computers every day are being added to the ranks of zombies, according to Dmitri Alperovitch, a research engineer at CipherTrust, a company based in Georgia that sells products to make e-mail and messaging safer. …

Mr. Alperovitch said that CipherTrust had detected a sharp rise in zombie computers in recent months, from a daily average of 143,000 newly commandeered computers in March to 157,000 in April to 172,000 last month.

He said that the increase was attributable to two trends: the rising number of computers in Asia, particularly China, which do not use software to protect against zombies and the worldwide proliferation of high-speed Internet connections.

Social engineering via celebrities

From PC World’s “Britney Spears Ranked Top Virus Celebrity”:

Researchers combed through the seven years of virus-laden messages stored in Panda’s malware database to determine which celebrities most often had their names involuntarily used in association with malicious spam. …

The top ten list of celebrity virus rankings (in descending order) is: Britney Spears, Bill Gates, Jennifer Lopez, Shakira, Osama Bin Laden, Michael Jackson, Bill Clinton, Anna Kournikova, Paris Hilton, and Pamela Anderson.

My first book – Don’t Click on the Blue E! – is out!

For all those surfers who have slowly grown disenchanted with Microsoft’s Internet Explorer web browser, Don’t Click on the Blue E! from O’Reilly is here to help. It offers non-technical users a convenient roadmap for switching to a better web browser – Firefox.

The only book that covers the switch to Firefox, Don’t Click on the Blue E! is a must for anyone who wants to browse faster, more securely, and more efficiently. It takes readers through the process step-by-step, so it’s easy to understand. Schools, non-profits, businesses, and individuals can all benefit from this how-to guide.

Firefox includes most of the features that browser users are familiar with, along with several new features other browsers don’t have, such as a bookmarks toolbar and window tabs that allow users to quickly switch among several web sites. There is also the likelihood of better security with Firefox.

All indications say that Firefox is more than just a passing fad. With USA Today and Forbes Magazine hailing it as superior to Internet Explorer, Firefox is clearly the web browser of the future. In fact, as it stands today, already 22% of the market currently employs Firefox for their browsing purposes.

Don’t Click on the Blue E! has been written exclusively for this growing audience. With its straightforward approach, it helps people harness this emerging technology so they can enjoy a superior – and safer – browsing experience.

Read two sample excerpts: Counteracting Web Annoyances (651 kb PDF) & Safety and Security (252 kb PDF).

Translated into Japanese!

Buy Don’t Click on the Blue E! from Amazon!

SSL in depth

I host Web sites, but we’ve only recently [2004] had to start implementing SSL, the Secure Sockets Layer, which turns http into https. I’ve been on the lookout for a good overview of SSL that explains why it is implemented as it is, and I think I’ve finally found one: Chris Shiflett: HTTP Developer’s Handbook: 18. Secure Sockets Layer is a chapter from Shiflett’s book posted on his web site, and boy it is good.

SSL has dramatically changed the way people use the Web, and it provides a very good solution to many of the Web’s shortcomings, most importantly:

  • Data integrity – SSL can help ensure that data (HTTP messages) cannot be changed while in transit.
  • Data confidentiality – SSL provides strong cryptographic techniques used to encrypt HTTP messages.
  • Identification – SSL can offer reasonable assurance as to the identity of a Web server. It can also be used to validate the identity of a client, but this is less common.

Shiflett is a clear technical writer, and if this chapter is any indication, the rest of his book may be worth buying.
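To make the three properties listed above concrete, here is an added example (not from Shiflett's chapter or this post) that audits a Python `ssl` client context and shows how switching off certificate checks quietly removes identification, leaving confidentiality and integrity good only against a passive eavesdropper. The function names and the "careless" configuration are illustrative assumptions.

```python
import ssl

def hardened_client_context():
    """Client context that asks for all three properties in the list above."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 and early TLS
    return ctx

def careless_client_context():
    """The common 'make the certificate error go away' configuration."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # has to be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from anyone, is now accepted
    return ctx

def audit(ctx):
    """Map a context's settings onto identification, confidentiality and integrity."""
    identified = ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    # NULL cipher suites authenticate records but do not encrypt them.
    encrypted = not any("NULL" in c["name"] for c in ctx.get_ciphers())
    # Encryption and record MACs are keyed with whoever completed the handshake,
    # so without identification they hold only against a passive eavesdropper.
    scope = "end-to-end" if identified else "passive-attacker-only"
    return {
        "identification": identified,
        "confidentiality": scope if encrypted else "none",
        "integrity": scope,
    }

if __name__ == "__main__":
    for name, make in [("hardened", hardened_client_context),
                       ("careless", careless_client_context)]:
        print(name, audit(make()))
```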

Crack Windows passwords in seconds

This is an oldie but still a goodie – or a baddie, if you use or depend on Windows. Back in 2003, researchers released tools that enable the cracking of Windows passwords in an average of 13.6 seconds. Not bad, not bad at all. CNET has a nice writeup titled Cracking Windows passwords in seconds, which explains that the best way to guard against the attack is to create passwords that use more than just alphanumeric items. In other words, read my SecurityFocus column from May 2004, Pass the Chocolate, which contains this advice: “… you should use a mix of at least three of these four things: small letters, capital letters, numbers, and symbols. If you can use all four, great, but at least use three of them.”

If you want to download and test the security of your Windows passwords, you can grab the software at Ophcrack. You can get source, as well as binaries for Windows and Linux. There’s even an online demo of the software, in which you can paste a hash of the password you’d like to crack and get back the actual password. Nice!
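The password advice above can be checked mechanically. This added example (not from the post, CNET, or Ophcrack) tests a password against the three-of-four rule and against coverage by a table precomputed over letters and digits. The LM hashing behaviour it models (upper-casing, a 14-character limit, two independently hashed 7-character halves) is background the post does not state, and the sample passwords are constructed.

```python
import string

LM_MAX = 14  # LM hashing looks at no more than 14 characters (background, not from the post)
ALNUM_UPPER = set(string.ascii_uppercase + string.digits)

def char_classes(password):
    """Which of the four classes from the quoted advice appear in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("small")
        elif ch.isupper():
            classes.add("capital")
        elif ch.isdigit():
            classes.add("number")
        else:
            classes.add("symbol")
    return classes

def meets_three_of_four(password):
    return len(char_classes(password)) >= 3

def lm_halves(password):
    """Upper-case, pad to 14 characters, split into the two halves hashed separately."""
    padded = password.upper()[:LM_MAX].ljust(LM_MAX, "\0")
    return padded[:7], padded[7:]

def alnum_table_covers(password):
    """True if a table built over A-Z and 0-9 would contain both LM halves."""
    if len(password) > LM_MAX:
        return False  # no usable LM hash is stored for passwords longer than 14 characters
    return all(ch in ALNUM_UPPER
               for half in lm_halves(password)
               for ch in half.rstrip("\0"))

def review(password):
    return {
        "three_of_four": meets_three_of_four(password),
        "covered_by_alnum_table": alnum_table_covers(password),
    }

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ["password", "Passw0rd", "Pass-w0rd", "correct horse battery"]:
        print(repr(pw), lm_halves(pw), review(pw))
```

Note that `Passw0rd` satisfies three of the four classes yet is still purely alphanumeric once upper-cased, so it is the symbol class (or a length above 14) that takes a password outside such a table.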

Mozilla fixes a bug … fast

One of the arguments anti-open sourcers often try to advance is that open source has just as many security holes as closed source software. On top of that one, the anti-OSS folks then go on to say that once open source software is as widely used as their closed source equivalents, they’ll suffer just as many attacks. Now, I’ve argued before that this is a wrong-headed attitude, at least as far as email viruses are concerned, and I think the fact that Apache is the most widely used Web server in the world, yet sees only a fraction of the constant stream of security disasters that IIS does, pretty much belies the argument.

Now a blogger named sacarny has created a timeline detailing a vulnerability that was found in Mozilla and the time it took to fix it. It starts on July 7, at 13:46 GMT, and ends on July 8, at 21:57 GMT – in other words, it took a little over 24 hours for the Mozilla developers to fix a serious hole. And best of all, the whole process was open and documented. Sure, open source has bugs – all software does – but it tends to get fixed. Fast.