Policy proportionality

Amnesty International display at Blackwell's

I know it’s a theme I have raised many times, but it remains puzzling to me: why are democratic societies so uniquely incapable of accepting the costs associated with terrorism? If you try to circumscribe any kind of dangerous activity, from smoking to extreme sports, you will find plenty of people ready to wave the banner of liberty and claim that the deaths and injuries are worth the costs of the freedom.

If you add up the casualties of all the terrorist attacks worldwide since the end of the Cold War, you arrive at a number that is a small fraction of the number of deaths from alcohol poisoning, from AIDS, from obesity related illness, or from automobile accidents. Heart disease killed 696,947 Americans in 2002, while cancer killed 557,271. About 400,000 died from tobacco usage, while alcohol killed 100,000. And yet there is no call to reorganize society to deal with these horrific threats. We make that choice not because societal re-organization could not eliminate these problems, but because the costs of doing so (or trying to do so) exceed those we are collectively willing to bear to achieve these ends.

In response to a failed two-man terrorist plot in Germany, The Economist claimed that Germany is “immune no more” and that terrorism is sure to “leap up the list” of people’s concerns. Even if the attack had succeeded, it would still be only a blip in the passing into and out of life of the mass of people who we describe as Germany. The same is true of every terrorist plot in history. Yet they have, by contrast, generated shifts in law and power out of all proportion to their lethality or the amount of harm they cause.

Just as terrorists are adept at exploiting the physical infrastructure of modernity to generate and amplify their attacks – coordinating attacks on aircraft over the internet – they exploit the psychology of modernity to generate an emotional impact out of all proportion to the harm caused. The sane response, it seems, is to accept the hundreds or thousands of deaths as a cost we may have to pay in order to continue to live in a free society – just as we accept the deaths from automobile accidents or fatty foods. The point isn’t that we cannot or shouldn’t take precautions (whether we are discussing terrorism or car crashes), but that we should consider them sensibly and in keeping with the actual seriousness and scope of both the threats that exist, and the entities that we may choose to create or empower to deal with them.

Major vulnerability of mechanical locks

Open pin and tumbler lock, from Wikimedia

To those who retain faith in mechanical pin and tumbler locks, a bit of information on the bump key as a means of picking them may unsettle you. It’s a hot topic on many of the news aggregation sites online at the moment (Metafilter and Engadget 1 and 2, for instance), but those who don’t frequent such sites may find it helpful to know. Perhaps the biggest issue is that this technique does not produce signs of forced entry, which may cause problems when making insurance claims.

This Dutch television segment shows how absurdly easy it is to open even quite expensive locks using a key cut in a particular way, an object to whack it with, and no skill whatsoever. Definitely enough to make a person fearful for their laptop, music equipment, etc. That is especially true in an area that has as high a burglary rate as North Oxford. Just last night, Emily saw someone trying to get into her flat. Thankfully, the front door of our flat uses horizontally-oriented “dimple” keys (Mul-T-Lock brand), which are somewhat less vulnerable to this attack (see the last PDF linked at the bottom of this post). Even so, our internal doors, as well as basically all the ones in Wadham College, use the pin and tumbler design vulnerable to bumping. Here is another video on how to make and use a bump-key. Apparently, anyone with a file, a reasonably steady hand, and a bit of time can make their own.

The alternatives generally advanced to get around such vulnerabilities are other sorts of mechanical locks, electronic access control systems, or systems that use both mechanical and electronic elements (a system used increasingly often in cars). While they do have problems of their own, electronic access control systems do have many appealing features. In particular, if one were to use low-cost RFID tags or simple swipe-cards with a pre-set code as an authentication token, it would be easy to maintain a database of allowed and disallowed keys. If you lost your keys, you could disable that one and issue yourself a new one. Likewise, temporary keys could be issued to people, and restrictions could be placed upon the hours at which certain keys could be used. Features like these are what make keycard based systems so appealing, as well as common in commercial settings.

The first downside of such conversion is cost: replacing locks is expensive. Secondly, such systems are open to other kinds of attacks that people may not understand as easily. Thirdly, if an electronic lock fails in a profound way (no longer responds to authentication tokens), you have little choice but to break down the door or saw through the frame and bolt. Once again, the nature of security as a perpetual trade-off is demonstrated.

More detailed information (PDF) on key bumping is available from Security.org. Also, from The Open Organization of Lockpickers (TOOOL) (PDF).

On risk and decision making

In a complex world, understanding risk and responding to it properly is an essential human skill. Every kind of important decision involves it: from making choices about where to get electrical power to deciding whether to walk home through a dark city or let your children use the internet.

The manipulation of risk-related thinking is an increasingly obvious trend, with two major facets. The first is manipulation of the data upon which people base their decisions. The media, for instance, grossly exaggerates many risks. Rare phenomena, by definition, are news. Things that happen all the time (car crashes, domestic abuse) are not. As such, we worry about serial killers and terrorist attacks, when there is a vanishingly small chance either will ever harm us. Even worse, some campaigns actively deceive so as to try and achieve political ends; one particularly harmful example is education systems that misrepresent the effectiveness of contraceptives in hopes of encouraging teenagers to refrain from sex. Such campaigns are both unacceptably patronizing and quite obviously harmful. Another obvious example is the cultivation and exploitation of fear, on the part of governments, as a mechanism for securing increased power and freedom from oversight and criticism.

Such campaigns blend into the second trend: a denial that risk-related decisions must be made at the level of individuals. A natural trend of those in charge is to strip people of their ability to choose, for any of a number of reasons. There are times at which it is reasonable to force people to take certain precautions. Requiring people to have car insurance is a good example. Such cases, however, must be evaluated through public legal and political scrutiny, and justified on the basis of arguments that are critiqued and data that are legitimate and verified.

The intelligent solution is to teach good risk-related thinking. That means learning how to identify the agendas of those providing information. It means having tools to make reasonable assessments of logical arguments, as well as supporting data. That means not keeping people ignorant or keeping essential information secret. And it means teaching a perspective of individual empowerment, where the reality of trade-offs between different risks is acknowledged. Alas, it seems unlikely that such an approach will be widely adopted.

More security, less freedom

While we can all be very glad this alleged plot was foiled, the new rules on carry-on baggage are going to make travelling long distances by plane truly hellish. Without more information, it is impossible to evaluate how justified they are, but they certainly appear to be quite onerous. No water; no books, magazines, or newspapers; no portable electronics of any kind. Of course, either the restrictions or all duty-free shopping will eventually have to go.

It also seems that all EasyJet flights out of all London airports are cancelled. With my EasyJet flight to Dublin in six days, I wonder what is going to happen. They seem to be offering refunds on tickets. Maybe I should take it, then pay the cancellation fee from the hostel.

Such is the power of terrorism: even when we win, we lose.

[Update: 6:52pm] Both of my current roommates have had to re-schedule flights over this: one to Austria and one to Barcelona. It seems likely that another friend’s trip to Madrid will not be happening, and that yet another friend’s flight to Canada tomorrow will be boring and uncomfortable.

[Update: 11 August] Flights from London to Dublin are back on schedule, according to EasyJet. My friend also made it to Madrid today, after all.

Something to try over the weekend: cryptography by hand

For about three and a half hours tonight, I awaited essays from next month’s tutorial students in the MCR. Having exhausted what scraps of newspaper were available, I fell back to reading a copy of Dan Brown’s Da Vinci Code, abandoned by some departed grad student.

Two hundred and sixty pages in, and unlikely to proceed enormously further, I note somewhat pedantically that there have been no codes presented. At best, there have been a series of riddles. The book would be interesting for its historical asides, if I could consider them credible.

Rather than go on about that, I thought I would write an incredibly brief primer on how to actually encrypt a message:

Crypto by hand

In the next few paragraphs, I will show you how to use a simple cryptographic device called a transposition cipher. If you really want to learn it, follow along with a pen and paper. As ciphers go, it is very weak – but it is easy to understand and learn. For starters, we need a secret message. The following is hardly secret, but it will do for a demonstration:

“DAN BROWN IS A DUBIOUS HISTORIAN”

Next, we need an encryption key. For this type of cipher, we need two or more English words that do not use any letter more than once. It is quicker if they have the same number of letters, but I will use two with different numbers of letters to demonstrate the process:

“DUBLIN PINT”

Write the first word of the key onto a piece of paper, with a bit of space between each letter and plenty of space below:

“D U B L I N”

Now, add numbers above the letters, corresponding to their order in the alphabet:

“2 6 1 4 3 5
D U B L I N”

Now, add your message (hereafter called the plaintext) in a block under. If necessary, fill out the box with garble or the alphabet in order:

“2 6 1 4 3 5
D U B L I N
D A N B R O
W N I S A D
U B I O U S
H I S T O R
I A N A B C”

Note how each letter of the first keyword now has a column of text underneath it. Starting with the first column in the alphabetical ordering (B, in this case) copy out the column, starting at the top, as a string of text. Make sure you understand what is happening here before you go on. The first column, read downwards is:

NIISN

Now, add to that string the other columns, read from top to bottom, in alphabetical order. You can leave spaces to make it easier to check:

NIISN DWUHI RAUOB BSOTA ODSRC ANBIA

Clearly, each column section should have the same number of letters in it. Make sure you’ve got the transcription right before going on. Note that the string above is the same letters as are in the original message, just jumbled. As such, this system isn’t smart to use for very short messages. People will realize fairly quickly that “MKLLINAIL” could mean “KILL MILAN.”

Moving right along…

Take the string you generated a moment ago, and put it into a block just like the one you made with the first keyword, except with the second keyword. This time, if you need letters to fill out the rectangle, make sure to use the alphabet in order. You will need to remove the excess letters when working backwards to decrypt, so you may as well make it easier.

“3 1 2 4
P I N T
N I I S
N D W U
H I R A
U O B B
S O T A
O D S R
C A N B
I A A B”

Now we have the message even more jumbled. The final encryption step is simply to copy each column in that grid out, from top to bottom, in alphabetical order according to the second keyword:

IDIOODAA IWRBTSNA NNHUSOCI SUABARBB

Note: the shorter the key, the longer each column will be. The above string is your encrypted text (called ciphertext). This final version is a jumble of the letters in the original message. Remove the spaces to make it harder to work out how long the last keyword is. If you like, you can put that string through a grid with another word. Each time you do that, you make the message somewhat harder to crack, though it obviously takes longer to either encode or decode.

To pass on the message, you need to give someone both the ciphertext and the key. This should be done by separate means, because anyone who has both can work out what kind of cipher you used and break your code. The mechanisms of key exchange and key security are critical parts of designing cryptographic systems – the weakest components of which are rarely the algorithms used to encrypt and decrypt.

To decode it, just make grids based on your keywords and fill them in by reversing the transcription process described above. I am not going to go through it step by step, because it is exactly the same, only backwards.
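The whole procedure above, written out as a small program, is added here as an example; it is not part of the original post. It reproduces the two grids exactly (DUBLIN, then PINT), pads each grid with the alphabet in order as the post suggests, and also carries out the reverse transcription that the post leaves as an exercise. The one detail a program has to make explicit is how many filler letters to strip between the two reverse steps: the code assumes each keyword is no longer than the one before it (true of DUBLIN/PINT and SCOTLAND/HIKE), in which case the length of the previous grid is uniquely determined.

```python
import string


def column_order(key: str) -> list[int]:
    """Column indices of `key` taken in alphabetical order of its letters.
    For DUBLIN this is [2, 0, 4, 3, 5, 1]: B first, then D, I, L, N, U,
    which is the 2 6 1 4 3 5 row of numbers in the post. Repeated
    letters would make the order ambiguous, so they are rejected."""
    if len(set(key)) != len(key):
        raise ValueError(f"keyword {key!r} uses a letter more than once")
    return sorted(range(len(key)), key=lambda i: key[i])


def pad(text: str, width: int) -> str:
    """Fill out the last row of a `width`-column grid with A, B, C, ..."""
    missing = (-len(text)) % width
    return text + string.ascii_uppercase[:missing]


def transpose(text: str, key: str) -> str:
    """One grid: write `text` in rows under `key`, read the columns out
    top to bottom in alphabetical order of the key letters."""
    width = len(key)
    text = pad(text, width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join("".join(row[c] for row in rows) for c in column_order(key))


def untranspose(cipher: str, key: str) -> str:
    """Reverse of transpose(): put the column strings back under their
    key letters and read the grid row by row."""
    width = len(key)
    if len(cipher) % width:
        raise ValueError("ciphertext length is not a multiple of the key length")
    height = len(cipher) // width
    cols = [""] * width
    pos = 0
    for c in column_order(key):
        cols[c] = cipher[pos:pos + height]
        pos += height
    return "".join(cols[c][r] for r in range(height) for c in range(width))


def encrypt(plaintext: str, keys: list[str]) -> str:
    """Apply one grid per keyword, in order; spaces and punctuation are dropped."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    for key in keys:
        text = transpose(text, key.upper())
    return text


def decrypt(ciphertext: str, keys: list[str]) -> str:
    """Undo the grids in reverse order. The filler added before each grid
    is stripped by length: the previous grid held a multiple of its own
    width, and the filler is shorter than this grid's width, so the
    previous length is unique as long as keywords do not get longer."""
    text = "".join(ch for ch in ciphertext.upper() if ch.isalpha())
    keys = [k.upper() for k in keys]
    for i in range(len(keys) - 1, -1, -1):
        if i > 0 and len(keys[i - 1]) < len(keys[i]):
            raise ValueError("a keyword longer than its predecessor makes the "
                             "filler length ambiguous")
        text = untranspose(text, keys[i])
        if i > 0:
            text = text[:len(text) - len(text) % len(keys[i - 1])]
    return text  # still carries the filler added under the first keyword


if __name__ == "__main__":
    c = encrypt("DAN BROWN IS A DUBIOUS HISTORIAN", ["DUBLIN", "PINT"])
    print(c)                                   # IDIOODAAIWRBTSNANNHUSOCISUABARBB
    print(decrypt(c, ["DUBLIN", "PINT"]))      # DANBROWNISADUBIOUSHISTORIANABC
```

The intermediate string after the first grid is exactly the NIISN DWUHI RAUOB BSOTA ODSRC ANBIA of the post, and the final output matches the four groups above. Decryption returns the plaintext with the ABC filler from the first grid still attached, since nothing in the ciphertext says where the real message ended; that is the same judgement the human decoder has to make.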

If anyone finds out about the credibility of Mr. Brown’s historical credentials, it won’t be my fault.

One word of warning: this system will not keep your secrets secure from the CIA, Mossad, or even Audrey Tautou. This cipher is more about teaching the basics of cryptography. If you want something enormously more durable that can still be done by hand, have a look at the Vigenère Cipher.

PS. It is rumored that this very blog may contain a tool that automates one form of Vigenère encryption and decryption. Not that it is linked in the sidebar or anything…

[Update: 27 July] Those who think they have learned the above cipher can try decrypting the following message:

BNTAFREEHOOI-LTOSIRISOTWD-FTNWAOEYSOXT-ERASEAAAKGVE

The segment breaks should make it a bit easier. The key is:

SCOTLAND HIKE

Good luck, and please don’t post the plaintext as a comment. Let others who want to figure it out do so.

On password security

I was talking with Kelly today about passwords, and how they are a fundamentally weak form of security. Supposedly, we are all meant to have different passwords for every site, so that one database being compromised by an external hacker or malicious insider won’t lead to our email and other sites being at risk. Also, we are supposed to use long and complex passwords with case-changes, numbers, punctuation, etc. (Think ‘e4!Xy59NoI2’) Together, these two requirements far exceed the capability of most human beings.

The real solution is to back up passwords with something else, so that they don’t need to be so strong. This is called two-factor authentication, and it could include something like a smart card that people carry and slot into computers along with a password so as to authenticate themselves. This is already used in cars. Inside the key of newer cars is a little chip with a radio antenna. When you try to use the key to start the car, a radio message is broadcast by the car. The chip detects it, does a bit of thinking to generate a response that authenticates the key, and re-broadcasts it. Using both the physical profile of the key and the radio challenge-response authentication system, attacks based on picking locks or freezing and cracking the cylinder inside them can be circumvented. The system obviously isn’t impossible to foil, but it is substantially more difficult in relation to the additional cost.

In the computer context, such two-factor authentication could take other forms: for instance, a little card that listens to a series of tones from an external source (over the phone, or from a computer), passes them through an algorithm and emits a series of tones in response to authenticate. This is just doing with audio what a smart card does with electricity. Ideally, the second factor would be like a credit card, in that you could have it cancelled and re-issued in the event that it is lost or stolen, immediately disabling the missing unit.
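The “bit of thinking” in the car key, and the tone-based card described just above, are both the same exchange: the verifier sends a fresh random challenge, the token answers with a function of that challenge and a secret only the two of them share, and the verifier checks the answer. The following is an added example of that exchange, not code from the original post, and it assumes a keyed hash (HMAC-SHA256) as the token’s function; the post does not say what real car immobilisers compute. The class and method names are invented for the illustration.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """The car (or server) side: holds the shared secret, issues a fresh
    random challenge each time, and accepts at most one answer per challenge."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._outstanding = None  # the challenge currently awaiting an answer

    def challenge(self) -> bytes:
        self._outstanding = secrets.token_bytes(16)  # unpredictable, single use
        return self._outstanding

    def verify(self, response: bytes) -> bool:
        if self._outstanding is None:
            return False
        expected = hmac.new(self._secret, self._outstanding, hashlib.sha256).digest()
        self._outstanding = None  # a recorded answer cannot be reused later
        return hmac.compare_digest(expected, response)


class Token:
    """The key-fob / card side: never reveals the secret, only answers challenges."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def run_exchange() -> dict:
    """Three attempts against one verifier: the genuine token, a replay of an
    earlier (overheard) answer, and a token provisioned with a different secret.
    The secrets are generated here for the demonstration."""
    secret = secrets.token_bytes(32)
    car = Verifier(secret)
    genuine = Token(secret)
    other = Token(secrets.token_bytes(32))  # e.g. a cancelled or foreign fob

    c1 = car.challenge()
    r1 = genuine.respond(c1)
    accepted = car.verify(r1)

    car.challenge()                    # new challenge, old answer replayed
    replay_accepted = car.verify(r1)

    c3 = car.challenge()
    other_accepted = car.verify(other.respond(c3))

    return {"genuine": accepted, "replay": replay_accepted, "wrong_secret": other_accepted}


if __name__ == "__main__":
    print(run_exchange())  # {'genuine': True, 'replay': False, 'wrong_secret': False}
```

Two properties carry the weight here: the challenge is random and used once, so an answer overheard on the radio (or the phone line, in the audio variant) is useless a moment later; and the secret itself never travels, so the token can be revoked simply by the verifier forgetting its secret, which is the “cancel and re-issue” behaviour the paragraph asks for.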

Until such a system emerges, it seems sensible to have tiers of passwords. I have two really weak passwords for things that I sometimes share with close friends. Then, I have a password for low-risk sites where there is no real harm that can come from my account being compromised. Then, I have a cascade of ever-stronger passwords. Something like LiveJournal has a pretty strong password, because it would be a pain if somebody took it over. The general vulnerabilities of passwords are:

  1. Someone could guess it (either manually or with a brute force attack)
  2. Someone could watch you type it in
  3. Someone could install a hardware or software keystroke logger on a machine where you enter it
  4. Someone could break into a database that contains it, then try using it on other sites you use
  5. Someone could extract it from a program on your computer that stores them in an insecure way (like Windows screen-saver passwords, which can be learned using a simple program)

Most of these require physical access to a machine that you use. I would guess that the most common of these is number four. Given that most people use the same password for everything, some underhanded employee at your ISP or webmail provider could probably grab it pretty easily, as well as information on other sites you use. (Hashing algorithms are one way this risk can be mitigated, on the server side, but that’s a discussion for another day).

At the top level, there are things that demand a really strong password: for instance, webmaster control accounts or anything connected to money. For these, I use random alphanumeric strings of the maximum permitted length, never re-using one and changing them every month or so.

Obviously, I cannot remember these for several banks and websites. As such, I write them down and guard them. I am much better at guarding little bits of paper than at remembering random strings of data. I regularly carry around little bits of paper worth tens of Pounds, and little bits of plastic worth thousands of Pounds, if only until disabled. Indeed, I have been guarding bits of paper for well over a decade.

Lecture in the Taylorian

Graffiti near the Oxford Canal

The lecture today on Canada-US security and defence cooperation went well; it could even be a solid demonstration of the preferability of lecturing over research. I did talk overly quickly, burning through my forty-five minute presentation in just over half an hour, but the questions were good and I think I fielded them pretty well. The fear of going overtime can generate unwanted haste. I did manage to avoid a frequent error I’ve made in the past, namely that of getting lost in my own notes. It’s easier to avoid when you really know the material you’re covering, and the notes are for structure, rather than content.

A presentation on a topic like this is always a political act. On that basis, I think I struck the right note. I took the more truthful bits of the ‘staunch and eternal allies’ premise sometimes hammered upon by Canadian politicians under fire from the US and mixed it with some of the more essential elements of the ‘importance of legitimacy and international law’ scolding with which we tend to fire back. All in all, I think it was reasonably balanced and candid. Wearing my NORAD pin – with Canadian and American flags on it – probably contributed positively to my ability to represent myself as someone who genuinely wants a friendly and constructive relationship between the two countries, and has considerable respect for both.

Lecturing itself was quite enjoyable, despite the associated anxiety. With a bit more practice and confidence, I think that I could get very good at this, indeed.

Privacy and power

Canada’s Privacy Commissioner has released an excellent report, highlighting some of the disturbing trends that he sees as ongoing. Rather than paraphrase, I will quote one of the best sections extensively:

It is my duty, in this Annual Report, to present a solemn and urgent warning to every Member of Parliament and Senator, and indeed to every Canadian:

The fundamental human right of privacy in Canada is under assault as never before. Unless the Government of Canada is quickly dissuaded from its present course by Parliamentary action and public insistence, we are on a path that may well lead to the permanent loss not only of privacy rights that we take for granted but also of important elements of freedom as we now know it.

We face this risk because of the implications, both individual and cumulative, of a series of initiatives that the Government has mounted or is actively moving toward. These initiatives are set against the backdrop of September 11, and anti-terrorism is their purported rationale. But the aspects that present the greatest threat to privacy either have nothing at all to do with anti-terrorism, or they present no credible promise of effectively enhancing security.

The Government is, quite simply, using September 11 as an excuse for new collections and uses of personal information about all of us Canadians that cannot be justified by the requirements of anti-terrorism and that, indeed, have no place in a free and democratic society.

I applaud both the Commissioner’s comments and his willingness to take such a firm and public stance. As I’ve said dozens of times now: terrorists are dangerous, but governments fundamentally much more so. They can cloak themselves in secrecy and are imbued with a level of power that permits them to do enormous harm, whether by accident or by design. Compared with the excesses and abuses committed by governments – Western democratic governments included – terrorism is a minor problem.

I recommend that all Canadians read the report in its entirety. I found the link via Bruce Schneier’s excellent security blog.

Media idiocy

One of the BBC top stories right now: “Mobile phone risk during storms.” I am not going to link it, because they don’t deserve traffic for publishing something so asinine. The crux of the article is that people who get struck by lightning while using a metal mobile phone are more likely to be injured than people just standing there. The article doesn’t indicate that your chances of getting struck by lightning while talking on the phone are any higher. Indeed, I would posit that you would be less likely to be standing around outside in a thunderstorm if you had your expensive and almost certainly non-waterproof mobile phone pressed against your ear. And whose mobile phone is made of metal anyhow?

According to scientist Paul Taylor: “I would treat a mobile phone as yet another piece of metal that people tend to carry on their persons like coins and rings.” Do they advise not wearing rings or carrying change during thunderstorms? Of course not. That would be absurd.

Sometimes, the enthusiasm of the media to scare people on the basis of incredibly improbable events is so frustrating I don’t know what to do. They would have you believe that strangers will poison your child’s Halloween candy (all known cases of poisoning by this route were committed by the parents of the child). Everything from shark attacks to terrorist incidents gets presented as far more common than they really are, in a world of six billion with a media likely to report every incident of each. A really brilliant essay by Jack Gordon on this kind of fear-mongering can be found here. The best paragraph reads:

It is fashionable to remark that America “lost its innocence” on September 11th. This is balderdash. Our innocence is too deep and intractable for that. The thing we’ve really lost doesn’t even deserve the name of bravery. We’ve lost the ability to come to grips with the simple fact that life is not a safe proposition—that life will kill us all by and by, regardless. And as a society, we’ve just about lost the sense that until life does kill us, there are values aside from brute longevity that can shape the way we choose to live.

This essay won a contest by Shell and The Economist on the topic “How much liberty should we trade for security.” It is well worth a look; it’s enormously more deserving, I would say, than the BBC article of comparable length. The basic point: we need to acknowledge the existence of risk and deal with it intelligently. We can never be perfectly safe, and we shouldn’t try to be. We can never do otherwise than balance risks against benefits.

Government and secrecy

With increasingly credible revelations about illegal surveillance within the United States, the general concern I’ve felt for years about the present administration is becoming progressively more acute. To be fiscally reckless and socially crusading is one thing. To authorize actions that blatantly violate international law (in the case of torture, rendition, and the indefinite detention of noncombatants) as well as domestic law (by disregarding constitutional safeguards and checks on power) an administration shifts from being simply unappealing to actually being criminal. You can’t just throw away the presumption of innocence and probable cause while maintaining the fiction that the foundational rules upon which a lawful society is based are not being discarded.

Perhaps the most worrisome of all the recent developments are the actions and statements being made against the press. I don’t know if there is any truth to the claim that the phones of ABC reporters are being tapped in hopes of identifying confidential sources, but the general argument that wide-ranging governmental activities must be kept secret for the sake of security is terrifying. If history and the examination of the contemporary world reveal anything, it is that protection from government is at least as important as protection from outside threats. As I wrote in the NASCA report (PDF):

Protection of the individual from unreasonable or arbitrary power – in the hands of government and its agents – is a crucial part of the individual security of all citizens in democratic states. While terrorists have shown themselves to be capable of causing enormous harm with modest resources, the very enormity of state power means that it can do great harm through errors or by failing to create and maintain proper checks on authority.

Harm to citizens needn’t occur as the result of malice; the combination of intense secrecy and the inevitability of mistakes ensure that such harm will result. Anyone who doubts the capability of the American government and administration to make mistakes need only think of their own explanations for the Hurricane Katrina response, Abu Ghraib, weapons of mass destruction in Iraq, and all the rest.

Three of the NASCA report’s recommendations speak to the issue of secrecy and accountability specifically:

  • Security measures that are put in place should, wherever possible, require public justification and debate.
  • The perspective of security as a trade-off should be pro-actively presented to the public through outreach that emphasizes transparency.
  • With regards to domestic defence planning, military practice reliant upon secrecy should always be subsidiary to civil and legal oversight.

People both inside and outside the United States would be safer if such guidelines were followed. When even Fox News is opening articles with statements such as the one that follows, something has gone badly wrong.

The government has abruptly ended an inquiry into the warrantless eavesdropping program because the National Security Agency refused to grant Justice Department lawyers the necessary security clearance to probe the matter.

A legitimate government cannot operate under a general principle of secrecy. While there are certainly cases where secrecy serves a justifiable purpose – such as concealing the identity of the victim of some forms of crime, or the exact location of certain kinds of military facilities – a democratic government cannot retreat from accountability by its citizens by claiming that oversight creates vulnerability. The lack of oversight creates a much more worrisome vulnerability: worrisome for America, and worrisome for everyone who has faith in the fundamental values of democracy and justice upon which it is ostensibly founded.