Protecting sources and methods

Rusty metal wall

By now, most people will have read about the Canadian pedophile from Maple Ridge who is being sought in Thailand. The story is a shocking and lamentable one, but I want to concentrate here on the technical aspect. INTERPOL released images of the man, claiming they had undone the Photoshop ‘twirl’ effect that had been used to disguise him initially in compromising photos. While this claim has been widely reported in the media, there is at least some reason to question it. It is also possible that INTERPOL is concealing the fact that it received unaltered photos from another source, which could have been anything from intercepted emails to files recovered from an improperly erased camera memory card. It could even have been recovered from the EXIF metadata thumbnails many cameras produce. It is also possible this particular effect is so easy to reverse (and that the technique is so widely known to exist) that INTERPOL saw no value in keeping their methods secret. A quick Google search suggests that the ‘twist’ effect is a plausible candidate for easy reversal.
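To see why a geometric effect like this can be undone, here is an added example of my own (nothing from INTERPOL or Adobe) that applies a simplified twirl, a rotation whose angle falls off linearly from the centre of the image to zero at its edge, to a constructed test image, then applies the same warp with the sign reversed. The falloff function, the test image and all the function names are my assumptions; Photoshop's exact formula is not something this post knows.

```python
"""Twirl warp and its inverse, in pure Python, to show why a reversible
distortion is not redaction. Constructed example: the falloff rule is a
simplified model of the Photoshop filter, not its actual implementation."""
import math


def _bilinear(img, x, y):
    """Sample a greyscale image (list of rows) at fractional (x, y)."""
    h, w = len(img), len(img[0])
    x = min(max(x, 0.0), w - 1.0)          # clamp to the image border
    y = min(max(y, 0.0), h - 1.0)
    x0, y0 = int(math.floor(x)), int(math.floor(y))
    x1, y1 = min(x0 + 1, w - 1), min(y0 + 1, h - 1)
    fx, fy = x - x0, y - y0
    top = img[y0][x0] * (1 - fx) + img[y0][x1] * fx
    bot = img[y1][x0] * (1 - fx) + img[y1][x1] * fx
    return top * (1 - fy) + bot * fy


def twirl(img, strength):
    """Rotate each pixel about the centre by strength*(1 - r/R) radians.

    Every output pixel samples exactly one input location, and the same
    mapping with -strength maps it straight back, so no information is
    destroyed: only interpolation rounding is lost.
    """
    h, w = len(img), len(img[0])
    cy, cx = (h - 1) / 2, (w - 1) / 2
    radius = min(cx, cy)
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            dx, dy = x - cx, y - cy
            r = math.hypot(dx, dy)
            theta = math.atan2(dy, dx)
            offset = strength * (1 - r / radius) if r < radius else 0.0
            row.append(_bilinear(img, cx + r * math.cos(theta + offset),
                                 cy + r * math.sin(theta + offset)))
        out.append(row)
    return out


def untwirl(img, strength):
    """Inverse warp: the same mapping with the angle offset negated."""
    return twirl(img, -strength)


def sample_image(n=64):
    """Constructed 64x64 test image: a gradient plus an off-centre blob."""
    return [[100.0 * x / (n - 1)
             + 100.0 * math.exp(-((x - 44) ** 2 + (y - 32) ** 2) / (2 * 6 ** 2))
             for x in range(n)] for y in range(n)]


def max_abs_diff(a, b):
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))


def mean_abs_diff(a, b):
    total = sum(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))
    return total / (len(a) * len(a[0]))


def round_trip(strength=math.pi):
    """Return (how much the twirl changed the image, mean error after undoing it)."""
    img = sample_image()
    scrambled = twirl(img, strength)
    recovered = untwirl(scrambled, strength)
    return max_abs_diff(img, scrambled), mean_abs_diff(img, recovered)


if __name__ == "__main__":
    changed, residual = round_trip()
    print(f"twirl moved pixel values by up to {changed:.1f} grey levels")
    print(f"after untwirl the mean error is {residual:.3f} grey levels")
```

Because the warp is a bijection on coordinates, the recovered image matches the original to a fraction of a grey level even though the twirled version looks nothing like it. That is the general lesson for anyone redacting an image: an effect that merely rearranges pixels (twirl, pinch, mirroring) can be undone by whoever works out the mapping, while only operations that actually destroy the information, such as painting the region over with a solid colour, protect it.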

Providing an alternative story to explain the source of information is an ancient intelligence tactic. For instance, during the Second World War an imaginary spy ring was created by the British and used to justify how they had some of the information that had actually been obtained through cracked ENIGMA transmissions at Bletchley Park. Some have argued that the Coventry Bombing was known about in advance by British intelligence due to deciphered messages, but they decided not to evacuate the city because they did not want to reveal to the enemy that their ciphers had been compromised. While this particular example may or may not be historically accurate, it illustrates the dilemma of somebody in possession of important intelligence acquired in a sensitive manner.

Cover stories can conceal sources and methods in other ways. A few years ago, it was claimed that Pervez Musharraf had escaped having his motorcade bombed, due to a radio jammer. While that is certainly possible, it seems unlikely that his guards would have reported the existence of the system if it had played such a crucial role. More likely, they got tipped off from an informant in the group responsible, an agent they had implanted in it, or some sort of communication intercept. Given how it is now widely known that email messages and phone calls worldwide are regularly intercepted by governments, I imagine a lot of spies and informants are being protected by false stories about communication intercepts.

In short, it is fair to say that any organization concerned with intelligence gathering will work diligently to protect their sources and methods. After all, these are what ensure their continued access to privileged information. While there is a slim chance INTERPOL intentionally revealed their ability to unscramble photographs as some sort of deterrent, it seems unlikely. This situation will simply encourage people to use more aggressive techniques to conceal their faces in the future. It is also possible that, in this case, they felt that getting the man’s image out was more important than protecting their methods. In my opinion, it seems most likely that ‘twist’ really is easy to unscramble and that they saw little value in not publicizing this fact. That said, it remains possible that a more complex collection of tactics and calculations has been applied.

Mac security tips

Gatineau Park, Quebec

During the past twelve months, 23.47% of visits to this blog have been from Mac users. Since there are so many of them out there, I thought I would share a few tips on Mac security. Out of the box, OS X does beat Windows XP on security – partly for design reasons and partly because it isn’t as worthwhile to come up with malware that attacks an operating system with a minority of users. Even so, taking some basic precautions is worthwhile. The number one tip is behavioural, rather than technical. Be cautious in the websites and emails you view, the files you download, and the software you install.

Here are more detailed guides from a company called Corsair (which I know nothing about) and from the American National Security Agency (who knew they used Macs?). The first link is specific to Tiger (10.4), while the latter is about the older Panther (10.3). I expect they will both remain largely valid for the upcoming Leopard (10.5).

Some more general advice I wrote earlier: Protecting your computer.

PS. I am curious about the one person in the last orbit who accessed this site using OS/2 Warp, back on February 17th. I hope it was one of the nuns from the ads.

A suggestion to Google

One cool feature of Google is that it performs unit conversions. It makes it easy to learn that 1000 rods is the same as 2750 fathoms. One useful addition would be the calculation of carbon dioxide equivalents: you could plunk in “250 tonnes of methane in CO2 equivalent” and have it generate the appropriate output, based on the methodology of the IPCC. The gases for which the calculator should work would also include nitrous oxide, SF6, HCFCs, HFCs, CFCs, and PFCs.

Sure, this feature would only be useful for less than one person in a million, but Google has often shown itself willing to cater to the needs of techie minorities.

The Storm Worm

The Storm Worm is scary for a number of good reasons. It acts patiently, slowly creating a massive network of drone machines and control systems, communicating through peer-to-peer protocols. It gives little evidence that a particular machine has been compromised. Finally, it creates a malicious network that is particularly hard (maybe impossible, at this time) to map or shut down.

This is no mere spam-spread annoyance. If it takes over very large numbers of computers and remains in the control of its creators, it could be quite a computational force. The only question is what they (or someone who rents the botnet) will choose to use it for, and whether such attacks can be foiled by technical or law-enforcement means. Hopefully, this code will prove a clever exception to the norm, rather than a preview of what the malware of the future will resemble.

Normally, I don’t worry too much about viruses. I use a Mac, run anti-virus software, use other protective programs, make frequent backups, and use the internet cautiously. While those things are likely to keep my own system free of malware, I naturally remain vulnerable to it. That’s where most spam comes from. Also, there is the danger that a network of malicious computers will crash or blackmail some website or service that I use. With distributed systems like Storm, the protection of an individual machine isn’t adequate to prevent harm.

Yorke asks you to name your price

In a publicity stunt / experiment in the changing climate of the music business, Radiohead is selling their new album “In Rainbows” online, for whatever the buyer wishes to pay. The website where this is done looks so ugly that it made me initially suspect that the thing is a scam (reading about it here doesn’t mean for certain that it isn’t). The mainstream media seem to have bought it, so it is probably genuine. No matter when you pay, they won’t send you the download link for the album until October 10th.

For my part, I paid the mean price of an Oxford pint. That is more than they would have gotten from me in the alternative, as I stopped buying their albums long ago, during the long slide from the brilliance of “OK Computer” into the mediocrity of their later work.

[Update: 10 October 2007] I received my copy of the album. It arrived in the form of ten DRM-free 160 kbps MP3 files. I will comment on the quality of the music once I have had more time to absorb it.

Dear Apple: please quit it with the sabotage

One of the worst things about Apple is how they sabotage their own products with software updates. The update for wrecking unlocked iPhones is a recent example, but there are plenty of others. I remember when they restricted iTunes so that only five people could access your library every time you booted up. That made sharing music on big local area networks (like university residences) a lot less effective. Also, I remember when they forced a volume limitation on my iPod Shuffle by means of an update. I don’t think there has been a useful feature added to iTunes for years, except maybe the automatic downloading of album art for songs in your existing libraries.

Now, I only install security updates on my Mac. Anything promising new features is just too risky.

Unlocking the iPhone

There is a lot of huffing and puffing going on about people ‘hacking’ the iPhone. At the heart of the matter are the twin definitions of the verb ‘hack’ that are not always well recognized. Many people take ‘hacking’ to mean malicious invasion of electronic systems, for instance in order to steal credit card numbers. An older definition of the word is simply to tinker with technology. In this sense, a ‘hack’ might be a clever modification of a bicycle or a mobile phone.

Apple has been exploiting all the hype about the iPhone to make highly preferential deals with individual carriers. This has happened in the US and UK already, doubtless with more to follow. These arrangements seem to benefit Apple and the carriers, but I doubt very much that they benefit the consumer. It is like Toyota building cars that can only be filled at Shell service stations, then trying to prosecute people who try to remove the restrictions, allowing them to be filled elsewhere. Just as people own their cars and should thus be free to modify them in ways that do not endanger others, people who own iPhones should be able to tinker with them. Likewise, just as the Toyota-Shell case would be clear-cut collusion of the kind governmental competition authorities police, so too is the Apple-cell carrier situation.

See also: Forbidden features and If you can’t open it, you don’t own it.

Liability and computer security

One of the major points of intersection between law and economics is liability. By setting the rules about who can sue brake manufacturers, in what circumstances, and to what extent, lawmakers help to set the incentives for quality control within that industry. By establishing what constitutes negligence in different areas, the law tries to balance efficiency (encouraging cost-effective mitigation on the part of whoever can do it most cheaply) with equity.

I wonder whether this could be used, to some extent, to combat the botnets that have helped to make the internet such a dangerous place. In brief, a botnet consists of ordinary computers that have been taken over by a virus. While they don’t seem to have been altered, from the perspective of users, they can be maliciously employed by remote control to send spam, attack websites, carry out illegal transactions, and so forth. There are millions of such computers, largely because so many unprotected PCs with incautious and ignorant users are connected constantly to broadband connections.

As it stands, there is some chance that an individual computer owner will face legal consequences if their machine is used maliciously in this way. What would be a lot more efficient would be to pass part of the responsibility to internet service providers. That is to say, Internet Service Providers (ISPs) whose networks transmit spam or viruses outwards could be sued by those harmed as a result. These firms have the staff, expertise, and network control. Given the right incentives, they could require users to use up-to-date antivirus software that they would provide. They could also screen incoming and outgoing network traffic for viruses and botnet control signals. They could, in short, become more like the IT department at an office. ISPs with such obligations would then lean on the makers of software and operating systems, forcing them to build more secure products.
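The screening an ISP could do is easier to picture with code. Here is an added example of my own (not from any ISP, anti-virus vendor or the Storm analyses above) that runs two simple heuristics over constructed outbound flow records: a host talking to an unusually large number of distinct peers on unprivileged ports, the fan-out pattern of the peer-to-peer command-and-control described in the Storm Worm post, and a host delivering SMTP directly to many different destinations, which is how an infected machine sends spam. The addresses, ports, thresholds and function names are all my assumptions.

```python
"""Constructed example: screening outbound flows at a network edge for
botnet-like fan-out. Every flow, address and threshold here is made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # internal host that opened the connection
    dst: str     # external peer it connected to
    dport: int   # destination port


def _constructed_flows():
    """Build a small synthetic flow log with one clean host and two infected ones."""
    flows = []
    # Ordinary client: a handful of web connections to a few sites, and mail
    # that goes out through the provider's relay, as a normal client does.
    for i in range(6):
        flows.append(Flow("10.0.0.5", f"203.0.113.{i}", 443))
    flows.append(Flow("10.0.0.5", "203.0.113.50", 80))
    flows.append(Flow("10.0.0.5", "198.51.100.25", 25))
    # Peer-to-peer style fan-out: many distinct peers on high, varying ports.
    for i in range(30):
        flows.append(Flow("10.0.0.7", f"192.0.2.{i}", 20000 + 37 * i))
    # Direct-to-MX spamming: port 25 to many different destinations.
    for i in range(15):
        flows.append(Flow("10.0.0.9", f"198.51.100.{100 + i}", 25))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def screen(flows, peer_threshold=20, smtp_threshold=10):
    """Return {host: [reasons]} for hosts whose outbound behaviour looks bot-like.

    p2p-fanout:  more than peer_threshold distinct peers on ports >= 1024
    smtp-fanout: SMTP delivered to more than smtp_threshold distinct hosts
    """
    high_port_peers = defaultdict(set)
    smtp_dests = defaultdict(set)
    for f in flows:
        if f.dport == 25:
            smtp_dests[f.src].add(f.dst)
        elif f.dport >= 1024:
            high_port_peers[f.src].add(f.dst)
    flagged = defaultdict(list)
    for host, peers in high_port_peers.items():
        if len(peers) > peer_threshold:
            flagged[host].append("p2p-fanout")
    for host, dests in smtp_dests.items():
        if len(dests) > smtp_threshold:
            flagged[host].append("smtp-fanout")
    return dict(flagged)


if __name__ == "__main__":
    for host, reasons in sorted(screen(SAMPLE_FLOWS).items()):
        print(host, ", ".join(reasons))
```

Both signals are triage hints rather than proof: a legitimate BitTorrent client produces the same peer fan-out, and a small business running its own mail server produces the same SMTP pattern. What makes them useful to an ISP is that it sees the aggregate and can compare a customer's behaviour with its own past and with its neighbours, which is exactly the vantage point no individual user has.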

As Bruce Schneier has repeatedly argued, hoping to educate users as a means of creating overall security is probably doomed. People don’t have the interest or the incentives to learn, and the technology and threats change too quickly. To do a better job of combating them, our strategies should change as well.

Geography and the web

While it certainly doesn’t have the best name, the concept behind heywhatsthat.com is a neat one. Using data from Google maps, it generates panoramas as seen from mountaintops and other high places. You can then identify the mountains that you see around you.

The interface definitely needs some work, but the site does suggest ways in which openly accessible storehouses of data – such as the position and altitude information available from Google – can be combined into novel tools.

exploreourpla.net is a similarly badly named but interesting site. It combines geographic data and images related to climate change. You can, for instance, view a satellite map of Western Europe overlaid with luminous dots showing the most significant greenhouse gas emitters.

Quantum computers and cryptography

Public key cryptography is probably the most significant cryptographic advance since the discovery of the monoalphabetic substitution cipher thousands of years ago. In short, it provides an elegant solution to the problem of key distribution. Normally, two people wishing to exchange encrypted messages must exchange both the message and the key to decrypt it. Sending both over an insecure connection is obviously unsafe and, if you have a safe connection, there is little need for encryption. Based on some fancy math, public key encryption systems let Person A encrypt messages for Person B using only information that Person B can make publicly available (a public key, like mine).

Now, quantum computers running Shor’s algorithm threaten to ruin the party. Two groups claim to have achieved some success. If they manage the trick, the consequences will be very significant, and not just for PGP-using privacy junkies. Public key encryption is also the basis for all the ‘https’ websites where we so happily shop with credit cards. If a fellow in a van outside can sniff the traffic from your wireless network and later decrypt it, buying stuff from eBay and Amazon suddenly becomes a lot less appealing.
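To show what Shor’s algorithm actually attacks, here is an added example of my own (not from Singh’s book, PGP or any real library) that builds a toy RSA keypair from the primes 61 and 53, my choice of values, and then recovers the private key from the public one. The `multiplicative_order` function brute-forces the period that a quantum computer would find with the quantum Fourier transform; every other step is ordinary number theory, which is why finding that period efficiently is enough to break the key.

```python
"""Toy RSA plus the classical half of Shor's algorithm. Constructed example:
the primes, exponent and message are illustrative and far too small for
real use; a real modulus has hundreds of digits."""
from math import gcd
import random


def toy_rsa_keypair(p=61, q=53, e=17):
    """Textbook RSA key generation with tiny, fixed primes (constructed values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent (Python 3.8+ modular inverse)
    return (n, e), (n, d)


def encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def multiplicative_order(a, n):
    """Smallest r > 0 with a**r == 1 (mod n).

    This brute-force loop stands in for quantum period finding. It is the
    only part of Shor's algorithm that needs a quantum computer, and the
    only part that takes exponential time classically.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_via_order(n, rng=None):
    """Shor's reduction: turn a period-finding oracle into a factoring routine."""
    rng = rng or random.Random(1)  # seeded so the demo is repeatable
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:
            return g, n // g       # lucky guess already shares a factor with n
        r = multiplicative_order(a, n)
        if r % 2 == 1:
            continue               # odd period: pick another base
        y = pow(a, r // 2, n)      # y*y == 1 (mod n) and y != 1 by minimality of r
        if y == n - 1:
            continue               # trivial square root of 1: try again
        p = gcd(y - 1, n)          # non-trivial square root of 1 splits n
        if 1 < p < n:
            return p, n // p


def recover_private_key(public_key, p, q):
    """With the factors known, the private exponent follows as in key generation."""
    n, e = public_key
    if p * q != n:
        raise ValueError("factors do not match the modulus")
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv = toy_rsa_keypair()
    c = encrypt(pub, 42)
    p, q = factor_via_order(pub[0])
    cracked = recover_private_key(pub, p, q)
    print("factors:", p, q, "| key recovered:", cracked == priv,
          "| plaintext:", decrypt(cracked, c))
```

Everything an eavesdropper needs is the public modulus, which by design is not secret, so a working period-finding machine would turn recorded ‘https’ traffic into plaintext after the fact. That is also why the ciphertext captured today matters: it can be stored until the machine exists.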

Thankfully, quantum computers continue to prove very difficult to build. Of course, some well-funded and sophisticated organization may have been quietly using them for years. After all, the critical WWII codebreaking work at Bletchley Park was only made known publicly 30 years after the war.

For those who want to learn more, I very much recommend Simon Singh’s The Code Book.