Thursday, November 5, 2009

Can Windows Be Any More Intuitive?

Now here's a prime example of how intuitive Windows is: in an Explorer window, I selected some MPEG files - videos I'd recorded and watched - and pressed the Delete key. To free up some space, you know? And a few seconds later, I was confronted by this:

Right... You can't delete a file because there isn't enough disk space. And your suggested fix for this is to delete a file?

OK, I totally get that when you delete a file, Windows doesn't delete it because you are too stupid to know whether you really wanted to delete it or not and will probably cry when you later discover that delete actually means delete. But, for the love of all that is logical, why does Windows go through the motions of actually copying the file, rather than just relinking it into a hidden directory somewhere for the "Recycle Bin" (just a fancy way of saying "Trash Can", anyway)? This would not require any additional space anywhere and files could be deleted in a fraction of a second instead of the minutes it sometimes takes. And it certainly wouldn't give rise to incredibly stupid and counterintuitive error messages like this one.
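To make the point concrete, here is an added Python example (mine, not from the original post) that trashes a constructed sample file both ways on one volume and reports the peak bytes occupied and whether the file's inode survived; it assumes the trash directory lives on the same filesystem as the file, which is what makes a rename possible.

```python
import os
import shutil
import tempfile

def _live_bytes(*paths):
    """Sum the sizes of whichever of the given paths currently exist."""
    return sum(os.stat(p).st_size for p in paths if os.path.exists(p))

def trash_by_rename(path, trash_dir):
    """Move a file into a hidden trash directory on the same volume with a
    rename: only the directory entry changes, the data blocks stay put."""
    os.makedirs(trash_dir, exist_ok=True)
    dest = os.path.join(trash_dir, os.path.basename(path))
    os.rename(path, dest)
    return dest, _live_bytes(path, dest)

def trash_by_copy(path, trash_dir):
    """Copy-then-delete: every byte is written a second time and both copies
    exist at the peak, so it needs free space equal to the file's size."""
    os.makedirs(trash_dir, exist_ok=True)
    dest = os.path.join(trash_dir, os.path.basename(path))
    shutil.copy2(path, dest)
    peak = _live_bytes(path, dest)   # original and copy both present here
    os.remove(path)
    return dest, peak

def compare_trash_strategies(size_bytes=1 << 20):
    """Trash a constructed sample file each way and report whether the data
    stayed in place (same inode) and the peak bytes occupied on disk."""
    results = {}
    with tempfile.TemporaryDirectory() as base:   # assumed: a single volume
        for name, strategy in (("rename", trash_by_rename), ("copy", trash_by_copy)):
            src = os.path.join(base, f"recording_{name}.mpg")
            with open(src, "wb") as f:
                f.write(os.urandom(size_bytes))    # constructed "video" data
            inode_before = os.stat(src).st_ino
            dest, peak = strategy(src, os.path.join(base, ".trash"))
            results[name] = {
                "same_inode": os.stat(dest).st_ino == inode_before,
                "peak_bytes": peak,
            }
    return results

if __name__ == "__main__":
    print(compare_trash_strategies())
```

A rename across volumes is not possible, which is the one case where a copy is genuinely unavoidable.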

Thank $DEITY for the command line, where you can get the computer to do what you want, rather than what some UI genius thinks an idiot user ought to get.

Monday, September 7, 2009

Privacy Isn't Just Confidentiality

I've been following some discussion, in a private security-related mailing list, on the topic of what constitutes sensitive information. What's interesting is that many participants seem to have completely missed the point about privacy, as opposed to security.

The whole thing started with a query as to whether a person's date of birth could be considered sensitive or confidential if combined with other personally identifiable information. The thread then meandered around various topics including privacy, identity theft and authentication. It pretty much ended with various contributors suggesting that any security professional worth his (or her) salt should not need to ask this question, and in particular, the last person to ask it of should be a lawyer. One contributor - who had better remain nameless - stated outright, "No slight intended on lawyers, but if anybody who considers themselves to be an information security professional needs to rely on lawyers to tell them what sensitive information is and how they are to protect it then we are all doomed!".

Bzzt! Thank you for playing, Anonymous! Please bring on the next contestant.

Infosec professionals need to be aware of the law in this area, as in many others. And, the law being what it is, the best approach is to consult a lawyer. Certainly, one should have some degree of familiarity with the relevant local law; for me, here in Australia, this is the Privacy Act (C'wealth) (1988) [1] which defines personal information that is subject to the Act, as well as "sensitive information" which is subject to additional safeguards.

The Act defines personal information as "information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."

It further defines "sensitive information", which requires specific treatment under the Act as:

"(a) information or an opinion about an individual's:

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) membership of a professional or trade association; or

(vii) membership of a trade union; or

(viii) sexual preferences or practices; or

(ix) criminal record;

that is also personal information; or

(b) health information about an individual; or

(c) genetic information about an individual that is not otherwise health information."

If you're like me when I first read that list, you are probably surprised at some of the items on it, but upon mature reflection you'll probably come to agree and perhaps think of additional elements that should be added. All of which suggests that our intuitive understanding of privacy is often incomplete.

Notions of privacy vary enormously around the world; furthermore there is often a considerable gap between what an enterprise thinks it ought to know about its customers/clients/employees and what those individuals would like the enterprise to know and do with what it knows.

The essential difference between security/confidentiality and privacy is who has control; for security in general, the owner of the information has control, but for privacy, the subject of the information has control. As an individual, the subject clearly has little influence and especially not authority over what an enterprise information owner does; hence the mechanism by which subjects collectively exert that control is legislation.

Security professionals tend to focus on how to assure the confidentiality, integrity and availability of the information in the systems in their care. We put a lot of effort into making sure the bad guys can't get access to our information. But privacy legislation is written to make sure that we aren't the bad guys - that we don't collect information we shouldn't, and that we don't use information in ways we shouldn't. Sometimes that poses ethical conflicts, when our employers think it would be a good idea to collect or aggregate personal information contrary to legislation; in that case, we have to advise against this and require compliance with the law.

For the individual, the decision to disclose personal information is a trust decision. In some cases - when dealing with other individuals, for example - we are able to rely on their benevolence. But massive corporations, by and large, are not benevolent and not possessed of individual free will. We have to rely much more on their competence, their integrity in the sense of willingness to be bound to privacy compliance, and their ability to resist security breaches. Individuals are therefore forced to rely on what is sometimes called deterrence-based trust - the existence of legal sanctions which ensure that penalties for breach of trust will exceed any potential benefits from opportunistic behaviour.

An excellent example, the Icelandic use of population genomics databases [2], illustrates the deeper complexities: most individuals have given virtually no thought to the privacy implications of releasing their DNA for research purposes, but fortunately medical and legal ethicists have been thinking about it and proposing additional safeguards. (Thanks to Graciela Pataro for this example.)

So to say that security professionals don't need to consult a lawyer is disingenuous. Winging it, and assuming that defending our systems against external threats is all that's required, simply isn't enough.

References:

[1] Privacy Act, 1988, as amended, Commonwealth Government of Australia. Available online at http://www.comlaw.gov.au/comlaw/management.nsf/lookupindexpagesbyid/IP200401860

[2] Herman T. Tavani, "The Case of DeCODE Genetics, Inc" in Chapter 1, "Ethics at the Intersection of Computing and Genomics" in Herman T. Tavani (ed.), "Ethics, Computing and Genomics", Jones & Bartlett Publishers, 2005. ISBN 0763736201, 9780763736200. Available online at http://books.google.com.au/books?id=wlrPaPRshesC&pg=PA15&dq=the+case+of+DECODE+Genetics+Inc#v=onepage&q=the%20case%20of%20DECODE%20Genetics%20Inc&f=false

Sunday, August 16, 2009

You've Got to Love TCP

You've got to love the robustness of the TCP protocol. I have a 'client' for whom I set up a Linux box with a specialised Perl/MySQL application which pretty much runs their business. This was back in 2000, and the box is still going, although at the back of my mind, I realise that the inevitable disaster can't be far off. Anyway, when we set it up, we also installed a modem on one of their phone lines and every Sunday I run a script which dials into their system, does a backup of their database and scp's it down to my main office server, from where it will be backed up as part of our regular cycle.

Now that the database has grown, the backup gzip file is around 3.5 MB in size, and takes a while to download. I don't care; it generally runs in the background while I'm doing other stuff and the phone line is only used for inbound faxes, which are mostly spam these days, anyway. But today, the line dropped and pppd died, about 20% of the way into the download. So I had it redial, the other end picked up the line, pppd did its thing, and we were connected again - and a few seconds later, the scp file transfer started ticking over again.

This happened twice more - must be some line problems somewhere. But each time, I just kicked off another pppd, and scp picked up where it left off. The pauses were sometimes a couple of minutes long, but that still wasn't a problem. In this particular case, the IP addresses remained the same, being pre-allocated at both ends, but I suspect that even if one of them had changed, it wouldn't have made much difference - a lot of TCP implementations rely on the sequence numbers, rather than IP addresses and port numbers, to distinguish sessions and so it would probably have still kept going.

You've got to love technology that is resilient enough to keep going in the face of line dropouts.

And yes, an ADSL modem would be faster, plus they could probably eliminate a monthly line rental so that it would pay for itself pretty quickly (assuming a really cheap ADSL plan). But I'd have to update their ancient Linux installation, and that would probably mean a major memory or even machine upgrade, so that can wait until the inevitable disaster I mentioned above.

Monday, August 3, 2009

Infosec Darwin Award Nomination

There ought to be a special category in the Darwin Awards for people who do stupid things with computers - in fact, this category alone could probably swamp all the others, were it not for the Darwin Awards' somewhat onerous requirement for the nominee to have removed themselves from the gene pool.

However, today's news brings word of someone - probably more than one, in fact - who looks likely to remove themselves from society at large in a spectacularly dumb way. This genius planted a fake ATM in a hotel lobby, in order to skim data from the cards of unsuspecting users. Only, they didn't choose just any old hotel. Oh, no.

They chose the Riviera, in Las Vegas.

Just before it was to host the DEFCON hacker convention, this last weekend.

Not many unsuspecting users at DEFCON, I'd say. In fact, the place was probably full of professional paranoids. Not surprisingly, one of the organisers spotted the bogus machine and it was hauled away by local law enforcement.

If the perps weren't awesomely dumb, but actually knew what they were doing, then you have to admire their chutzpah. Naw, on second thoughts, they had to have been dumb as a post.

More details at http://www.computerworld.com/s/article/9136179/Fake_ATM_doesn_t_last_long_at_hacker_meet

Saturday, February 28, 2009

Sharing Your Stuff with the World (or Bits of It)

Someone recently pointed me to the SheevaPlug computer - an ingenious little plug computer that essentially consists of a low-power computer built into a wall-wart - and a consumer appliance based on it, the Pogoplug (http://pogoplug.com/). There's a nice write-up on the SheevaPlug at http://linuxdevices.com/news/NS9634061300.html and their development info is at http://www.marvell.com/products/embedded_processors/developer/kirkwood/sheevaplug.jsp.

The Pogoplug is a small server appliance which shares the contents of a USB hard drive (or flash drive) attached to it. It does this by setting up an SSL connection back to the company's servers, where a browser-based interface lets you administer your account and generate links which you can email to others so that they can access the shared files on your device. Devilishly ingenious.

The company's home page trumpets the device's ease-of-use: "Just connect Pogoplug to your home network and attach any external drive or memory stick. That's it, no need to call your office networking guy".

In my cynical fashion, I'd rephrase that: "Please, please don't call your office networking guy because once he hears what you're planning, he'll slap you upside the head and we won't make the sale!".

In other words, if the nasty, restrictive network admins at work won't let you connect remotely because It's A Bad Idea, then this thing is An Even Worse Idea.

The last thing any enterprise firewall admin wants to come across is a device he didn't know about that sits on the inside network and pokes holes through the firewall. In this case, I'm betting (the device is in early beta) that it connects back to port 443 on Pogoplug's servers, since many firewalls don't block or proxy SSL connections. So, expect the firewall admins to black-list pogoplug.com, thereby stopping this device in its tracks.
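As an added example of the check a firewall admin could run (not part of the original post), this Python snippet scans a constructed connection log for internal hosts making repeated outbound port-443 connections to a block-listed domain; the log format, the IP addresses and the service.pogoplug.com hostname are all assumed.

```python
import re
from collections import defaultdict

# Constructed sample of a perimeter firewall's connection log (not real
# traffic): "<epoch> <src_ip> <dst_host> <dst_port> <action>".
SAMPLE_LOG = """\
1235800000 10.0.5.23 www.example.com 443 ALLOW
1235800012 10.0.5.77 service.pogoplug.com 443 ALLOW
1235800070 10.0.5.77 service.pogoplug.com 443 ALLOW
1235800131 10.0.5.77 service.pogoplug.com 443 ALLOW
1235800140 10.0.5.23 mail.example.com 443 ALLOW
1235800200 10.0.5.31 my.pogoplug.com 443 ALLOW
garbage line that should be skipped
"""

# Domains to block; matched by suffix so every subdomain is covered.
DENYLIST = {"pogoplug.com"}

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")

def domain_denied(host, denylist=DENYLIST):
    """True if host is a denylisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in denylist)

def find_tunnelling_hosts(log_text, denylist=DENYLIST, port=443):
    """Return {src_ip: [epochs]} of internal hosts whose outbound `port`
    connections reached a denylisted domain. Several hits from one source,
    minutes apart, look like an appliance re-establishing its tunnel."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # tolerate malformed lines
        ts, src, host, dport, action = m.groups()
        if action == "ALLOW" and int(dport) == port and domain_denied(host, denylist):
            hits[src].append(int(ts))
    return dict(hits)

def reconnect_interval_seconds(epochs):
    """Mean gap between successive hits, or None for a single connection."""
    if len(epochs) < 2:
        return None
    gaps = [b - a for a, b in zip(epochs, epochs[1:])]
    return sum(gaps) / len(gaps)
```

Once the domain is on the block list the same lines turn into DENY entries, and the persistent retry pattern from one source address is what identifies the device to go and find.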

Once you've shared your stuff, other users can log in at the Pogoplug site via their web browser - this solves the problem of locating a Pogoplug hidden behind a modem with a DHCP-allocated IP address that might change. Of course, this suggests various easy attacks: a keystroke logger, spyware or even XSS attack on a user's browser could capture the user's credentials. In fact, if I was an Evil Criminal Mastermind banging out spyware to capture banking, eBay and email credentials, I'd add my.pogoplug.com to the list of pages to monitor, just to see what might turn up - most Pogoplugs will contain shared photos, videos, etc. but there's bound to be more than a few users who let their guards drop and use it to transfer more sensitive information.

Of course, if our Evil Criminal Mastermind was to compromise the Pogoplug servers, he would own every Pogoplug in the world. I do hope that their software isn't written in PHP by a summer intern.

Access control concerns me, too. If the access checking is done at the Pogoplug servers, that means they have access to the entire contents of the USB drive. People are quite likely to use a single drive for backup, carrying documents around and also plugging into the Pogoplug, and would be trusting the company to protect all of that.

Of course, Pogoplug isn't the only company offering boxes like this; LaCie, Axentra and probably others have them, too, in many cases based on the Marvell OEM SheevaPlug.

Here's a way it could be done better (and a free design innovation for router manufacturers like Netgear and Linksys):

Put the USB connector on the router itself. Many ADSL modem/routers already have a feature to nominate a machine on one of their internal IP addresses as a "DMZ machine" and do port forwarding of common services to that machine, letting you run things like web servers on an internal machine. And the router already has the ability to register with dyndns.org, so that you can register a domain name and that lets people find the external IP address of the modem. I don't like the port forwarding approach, because if an attacker is able to compromise a service on an internal machine, then he's on the inside and can see other machines as well.

Those modem/routers are based on a Linux kernel anyway, so it would be easy to add support for a simple web server that can serve just static data (there used to be such an animal in the 2.6 kernel, but I think Linus took it out again). Add a USB port to the router, with a predefined mount point that is the web server HTML root. Add a simple management interface to let the user manage .htaccess files, and hey presto! Now there's a web server that can be accessed by outside users and uses a dynamic DNS service, rather than a centralized management scheme. There's no central web page for login credentials, making it harder for spyware, etc. to grab credentials.

The access control is entirely in the user's hands; nobody else gets open access to everything on the inserted drive (as would be the scheme for Pogoplug, where the access control is at my.pogoplug.com). And there's a switch in user perceptions, too - if you plug a drive into the router, you're clearly doing that to put it On The Internet, while plugging a drive into a wall-wart inside your house, well, people are a bit more vague about that.
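An added Python sketch of the static-only server proposed above (my own illustration, not the post's or any router vendor's code): the part that matters is resolve_under_root, which keeps every request inside the mount point and refuses to serve the .htaccess files that hold the access rules; the demo directory tree and the port are assumed.

```python
import os
import tempfile
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import unquote, urlsplit

def resolve_under_root(root, url_path):
    """Map a request path to a regular file below `root`, else None. Refuses
    '..' traversal, symlinks leaving the mount, directory listings and any
    dot-file: .htaccess/.htpasswd hold the access rules, never serve them."""
    root = os.path.realpath(root)
    rel = unquote(urlsplit(url_path).path)
    if any(p.startswith(".") for p in rel.split("/") if p):
        return None
    target = os.path.realpath(os.path.join(root, rel.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        return None                                    # escaped the USB mount
    if os.path.isdir(target):
        target = os.path.join(target, "index.html")    # never list a directory
    return target if os.path.isfile(target) else None

class StaticOnlyHandler(SimpleHTTPRequestHandler):
    """GET/HEAD of static files only: no CGI, uploads or listings."""
    def send_head(self):                # used by both do_GET and do_HEAD
        target = resolve_under_root(self.directory, self.path)
        if target is None:
            self.send_error(404)
            return None
        rel = os.path.relpath(target, os.path.realpath(self.directory))
        self.path = "/" + rel.replace(os.sep, "/")
        return super().send_head()
    def do_POST(self):
        self.send_error(405)

def make_demo_root():
    """Constructed stand-in for the USB drive's mount point."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "photos"))
    files = {"index.html": "<h1>shared</h1>", "photos/trip.txt": "holiday",
             ".htaccess": "Require valid-user"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    return root

def serve(root, port=8080):
    handler = partial(StaticOnlyHandler, directory=root)
    ThreadingHTTPServer(("", port), handler).serve_forever()
```

Running serve(make_demo_root()) answers /photos/trip.txt and / but returns 404 for /.htaccess, /photos/ (no index) and any path that resolves outside the root.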

So, what about it, Netgear and Linksys?

Back to the Pogoplug: Neat device, but don't trust it too much. Only use it for semi-public material; don't put personal, private or embarrassing material on there, and make sure you choose good passwords and are careful not to use them from public computers. I'd also put a big "PUBLIC" sticker on the drive to make sure that you never relax and accidentally put something sensitive on there. And don't take one into the office!