Wednesday, June 29, 2005

Cryptography must overcome UI problems to be both useful and effective

A great paper to read up on, especially given that Phishing is showing us that the "Trusted Third Party" model as implemented in today's web browsers is horribly broken.

Don Davis' Cryptography Articles. Specifically, read "Compliance Defects in Public-Key Cryptography".

Public-key cryptography has low infrastructural overhead because public-key users bear a substantial but hidden administrative burden. A public-key security system trusts its users to validate each others' public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users' discipline. A "compliance defect" in a cryptosystem is such a rule of operation that is both difficult to follow and unenforceable. This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.

The slides (78 Kbytes) PDF (78 Kbytes) discuss a topic that the paper only touches upon: the complexity of thoroughly checking a certificate issuance-chain, to see whether any of the certs in the chain have been revoked recently. Even in the best case, this is a surprisingly messy procedure. See slides 12 & 13, and their annotations.

Best quote

Best quote:

"Whenever someone thinks that they can replace SSL/SSH with something
much better that they designed this morning over coffee, their computer
speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment."

-- Peter Gutman,[email protected]/msg00891.html

The rest of the post is great as well, with a "sound" warning about the CIPE VPN.

Wireless security can be funny

This is a true story!

The link to the story below is stale now, but this one still works:

Hackers tell man he's "too fat" to eat at Burger King -

Burger King customers told: 'You are too fat to have a Whopper'

Police believe teenage pranksters are hacking into the wireless frequency of a US Burger King drive-through speaker to tell potential customers they are too fat for fast food.

Policeman Gerry Scherlink said the pranksters told one customer who had just placed an order: "You don't need a couple of Whoppers. You are too fat. Pull ahead."

The offenders are reportedly tapping into the wireless frequency at the restaurant in Troy, Michigan. Police believe the culprits are watching and broadcasting from close range.

Officer Scherlinck said the men are telling customers who order a Coca-Cola that, "We don't have Coke." And when the customer asks what they do have, the hacker would say: "We don't have anything. Pull ahead."

But what has managers concerned is the profanity the hackers are using, according to police.

A drive-through customer has told police if he had children with him in the car and someone used profanity, he would have been upset.

Burger King franchise owner Tony Versace issued the following statement in response to the incidents: "We apologise to our customers who've been insulted by the use of this drive-through speaker."

Management at the fast-food restaurant are reportedly trying to change the radio frequency used for the speakers, reports Local 4.

Pigeons follow roads to navigate.

Telegraph | News

How do homing pigeons navigate? They follow roads
By Caroline Davies
(Filed: 05/02/2004)

Researchers have cracked the puzzle of how pigeons find their way home: they just follow the main roads.

Zoologists now believe the phrase "as the crow flies" no longer means the shortest most direct route between two points. They say it is likely that crows and other diurnal birds also choose AA-suggested routes, even though it makes their journeys longer.

Open letter to Jerry Falwell on his despicable comments

Meant to post this earlier, but I'm backlogged. Originally sent to him 11/23/2004:

I hope that this message may get you to think twice from displaying your vile, anti-christian vitriol such as calling, "Americans United for Separation of Church and State" an "anti-Christ" group. Secularizing _government_ should not be ignorantly equated with secularizing _society_, although that appears to be the way you spin it. There are very pragmatic reasons to not have our country be a theocracy, and many of those reasons date back to America's desire for independence from the religious tyranny of England at the dawn of our independence. Of course, those who forget history are doomed to repeat it and you seem to be leading the charge in that regard.

You might want to take heed of the concerns of the Americans United for the Separation of Church and State that they believe even undermine the very religion that you seek to bolster with your apparent pro church+state stance: "Government should refrain from endorsing religion even in a supposedly neutral manner. The state�s use of religion for ceremonial purposes often has the effect of draining religion of its meaning and power. This is not a healthy development for religion."

Your freedom to freely express your own brand of religion is threatened by the notion of a government that is not religion-neutral. You should reflect clearly on that.

What if the government were advocating Judaism? Or Islam? Would that be okay? If it is only okay because it is a Christian brand of religion, why would that make it okay? Do you think that the Islamic states in the Middle East are healthier and that the world is healthier for them being Islamic states? It is not just the brand of religion that makes the arrangement dangerous.



TSA abuse of power comes to a city near me

This story from my hometown of Seattle is further proof that the current airport security procedures are nothing more than window dressing and are leading to the loss of civil rights for innocent people.

When was the last time you heard about these security procedures actually catching a terrorist?

komo news | 'This Is Not Right'

DES MOINES - Cecilia Beaman is a 57-year-old grandmother, a principal at Pacific Middle School in Des Moines, and as of Sunday is also a suspected terrorist.

"This is not right," she told us. It's not right!"

During the stay she made sandwiches for the kids and was careful to pack the knives she used to prepare those sandwiches in her checked luggage. She says she even alerted security screeners that the knives were in her checked bags and they told her that was OK.

But Beaman says she couldn't find a third knife. It was a 5 1/2 inch bread knife with a rounded tip and a serrated edge. She thought she might have lost or misplaced it during the trip.

On the trip home, screeners with the Transportation Security Administration at Los Angeles International Airport found it deep in the outside pocket of a carry-on cooler. Beaman apologized and told them it was a mistake.

"You've committed a felony," Beaman says a security screener announced. "And you're considered a terrorist."

Beaman says she was told her name would go on a terrorist watch-list and that she would have to pay a $500 fine.

And to make it worse, you are guilty without the ability to confront your accuser and clear your name

She says screeners refused to give her paperwork or documentation of her violation, documentation of the pending fine, or a copy of the photograph of the knife.

"They said 'no' and they said it's a national security issue. And I said what about my constitutional rights? And they said 'not at this point ... you don't have any'."

AT&T plans security news channel

AT&T plans CNN-style security channel

Security experts at AT&T are about to take a page from CNN's playbook. Within the next year they plan to begin delivering a video streaming service that will carry Internet security news 24/7, according to the executive in charge of AT&T Labs.

The service, which currently goes by the codename Internet Security News Network, (ISN) is under development at AT&T Labs, but it will be offered as an additional service to the company's customers within the next nine to 12 months, according to Hossein Eslambolchi, president of AT&T�s Global Networking Technology Services and AT&T Labs

ISN will look very much like Time Warner's Cable News Network, except that it will be broadcast exclusively over the Internet, Eslambolchi said. "It's like CNN," he said. "When a new attack is spotted, we'll be able to offer constant updates, monitoring, and advice."

Given the kinds of horrible "sky is falling" coverage on mainstream media of security items in the past, perhaps this can help raise the bar?

Suspected Steganography lead to raising the terror alert in 2003

Bogus analysis led to terror alert in Dec. 2003 - Lisa Myers & the NBC Investigative Unit -

WASHINGTON - Christmas 2003 became a season of terror after the federal
government raised the terror alert level from yellow to orange, grimly
citing credible intelligence of another assault on the United States.

"These credible sources," announced then-Secretary of Homeland Security
Tom Ridge, "suggest the possibility of attacks against the homeland
around the holiday season and beyond."

For weeks, America was on edge as security operations went into high
gear. Almost 30 international flights were canceled, inconveniencing
passengers flying Air France, British Air, Continental and Aero Mexico.

But senior U.S. officials now tell NBC News that the key piece of
information that triggered the holiday alert was a bizarre CIA analysis,
which turned out to be all wrong.

CIA analysts mistakenly thought they'd discovered a mother lode of
secret al-Qaida messages. They thought they had found secret messages on
Al-Jazeera, the Arabic-language television news channel, hidden in the
moving text at the bottom of the screen, known as the "crawl,"
where news headlines are summarized.

And the critics come out:

"I'm astonished," says author and intelligence expert Jim Bamford, "that
they would put so much credibility in such a weak source of

Bamford says the CIA shouldn't be criticized for considering the theory,
but that analysts should have weighed how implausible it was.

"What you have to do is judge the intelligence versus what your actions
are going to be. And this is the equivalent, basically, of looking at
tea leaves," Bamford says.

I find it very interesting that steganography was the cause for raising the alert level. The article says the messages were supposedly found "in the moving text" in the "crawl", which would seem to implicate Al-Jazeera in communicating secret messages from terrorits since they control the crawl and would presumably have authored the content. The only way they wouldn't be implicated would be if they were to have been scrolling direct quotes from terrorists.

But is the "intelligence" applied to the "steganographic data" (flight numbers, etc.) that was "found" simply masking the fact that the CIA is resorting to numerology? Mining arbitrary data for significance where there is none, ala The Bible Code? The reference to reading "tea leaves" above is apropos...

What I'm also curious about is who leaked the information about why we raised the terror alert level? You would think that would be a national security secret--even now. Makes both the CIA and the decision makers in Homeland security look like idiots to put this information out there.

"It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt"
--Mark Twain

Debunking biometric assumptions

Chris Hill's biometrics thesis:

This is a very interesting development. It challenges a key assumption that people have made about biometrics:

"that stored biometrics pose no threat to their owner (if they are stolen by another party), because it is not possible to recreate the original biometric from the stored data."

So, attackers can potentially bypass biometric systems in a couple of ways if they can compromise digital representations of biometric data (from storage or by sniffing, e.g. USB sniffer or keyboard sniffer): They can recreate new physical biometrics that will have properties indistinguishable from the original.

"I demonstrated that it is possible to recreate a biometric artefact that is equivalent to the original biometric provided to the system. This means that while a third party will not be able to generate the original biometric, they will be able to generate something that is indistinguishable from it, as far as the biometric software is concerned."

Adam Shostack also had some additional comments on this today, pointing out the privacy implications of such a breach:

The answer is you can reconstruct fingerprints from common systems.

Daniel David Walker referred me to some work by Andy Adler, who pointed
out Ross, Shah and Jain, "Towards Reconstructing Fingerprints from
Minutiae Points."[1]


Some additional tidbits are on my blog at

Imagine lost biometric passports allowing the creation of counterfeit passports with "real" biometric data on them. And further imagine trying to prove that it wasn't you who bombed that plane in Lebanon. "But we logged you going through security...and biometrics are _unique_ and _unforgeable_". *Shiver*

Wednesday, June 8, 2005

Washington State Governor's Election Upheld!

The Seattle Times: Local News: Election trial dispatches

Some highlights:

  • Bridges: Overturning election would have meant "judicial egotism"
    Judge Bridges said Republicans did not meet the burden of showing "clear and convincing" proof.

  • "There is no evidence in this record that Ms. Gregoire received any illegal votes," he said.

  • There is no evidence that the problems in King County had anything to do with "intentional misconduct or someone's desire to manipulate the election" or "partisan bias," the phrase Republicans used to allege wrongdoing.

  • "No evidence exists as to which candidate may have received a vote from the provisional ballots not associated with a registered voter."

So, I wish I had heard what Dori Monson's comments were about this...

Thursday, June 2, 2005

A Pledge for Stem-Cell Research Foes

Pandagon: A compromise I can really stand behind

This is a great idea. A lot of adult stem cell treatments may now or in the future benefit from embryonic stem cell research so these foes better hope they or their family members never get Leukemia...

In-vitro fertilization generates hundreds of thousands of embryos that are simply stored or destroyed for no gain. It is ridiculous to not allow the use of these to further cures for diseases such as cancer and diabetes.

The majority of the country cares about science and progress and healing.