Showing posts with label security. Show all posts

20 April 2008

Oyster Is...Toast

As Ben Laurie so eloquently puts it:

The MiFare stream cipher, as used in Oyster cards, has been comprehensively cracked. The researchers claim they can recover the key in well under 5 minutes after observing a single transaction.

17 April 2008

Tricky Things, Ecosystems

A decade ago, I and others started wittering on about the Microsoft monoculture - the fact that practically everyone was using the same OS, the same browser, the same office suite. This made crafting attacks much easier, because certain assumptions about what was on a given machine were almost certainly true.

Nowadays, with the rise of Firefox and, to a lesser extent, OpenOffice.org, you might think we've moved on. Apparently not:

We have different versions of the OS, and we have Mac users. But we’ve only got one Flash vendor, and everyone has Flash installed. Why do you care about Flash exploits? Because in the field, any one of them wins a commanding majority of browser installs for an attacker.

Moreover:

Although this document deals specifically with the Win32/intel platform, similar attacks can most likely be carried out on the many other platforms flash is available for. In particular, some of the methodology discussed might be useful for constructing a robust exploit on Unix platforms as well as several embedded platforms.

In other words, ecosystems need to be heterogeneous everywhere: as soon as you have a monoculture in some area, that becomes a weakness for the entire system to be attacked.

10 February 2008

Asus Eeek PC?

I'm a big fan of the Asus Eee PC, but it seems that someone was a smidge careless with the software that runs by default:

Easy to learn, Easy to work, Easy to root.

07 February 2008

Time to Get Incensed about the 2011 Census?

US authorities will not be able to see data covering all UK households even if a US defence giant wins the contract to run the 2011 census, a minister says.

The US Patriot Act allows personal data held by companies in the US to be made available to intelligence agencies.

But Treasury Minister Angela Eagle told MPs the government had received legal assurances this would not happen if Lockheed Martin wins the census bid.

Oh, that's alright then - if they really gave "legal assurances".

The fact that the US telecom companies have been spying on US citizens illegally because they were told to do so by the US government doesn't have any bearing here, does it? I mean, if Lockheed Martin were *ordered* by the US government to hand over all the census data, they'd just refuse, wouldn't they? They'd have to: after all, they have given those legal assurances.

And if by any chance you were still a teensy-weensy bit nervous about the security of all that intimate information about yourself and your family - because, well, you know, the UK government has had one or two little mishaps with data recently - Angela Eagle has some reassuring words:

she was "pretty confident" there would be robust safeguards on the security of data.


Update: ORG's Becky Hogge points out a useful site called Census Alert that tells you what you can do to thwart this gross insult to the national intelligence.

29 January 2008

Schneier on the False Dichotomy

Once more, Brucie tells it as it is:


Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

When are they going to make this man President of the USA?

17 December 2007

Google Profile Keeps a Low Profile

Google Profile is with us, just about:

A Google Profile is simply how you represent yourself on Google products — it lets you tell others a bit more about who you are and what you're all about. You control what goes into your Google Profile, sharing as much (or as little) as you'd like.

And here's the sting in the tail:

Use multiple Google products? Soon your Google Profile will link up with these as well.

In other words, despite its ultra low-profile launch, Google Profile will be the nexus of everything you do on Google.

Eeek.

05 December 2007

What's the Opposite of Openness?

Not simply being closed, but something like this:


If I make a computer security mistake — in a book, for a consulting client, at BT — it’s a mistake. It might be expensive, but I learn from it and move on. As a criminal, a mistake likely means jail time — time I can’t spend earning my criminal living. For this reason, it’s hard to improve as a criminal. And this is why there are more criminal masterminds in the movies than in real life.

BTW, this interview with security god Bruce Schneier is just amazing - not least because it goes on for ever. Luckily, you just can't have too much of Brucie.

03 December 2007

Will Microsoft Ever Learn This Trick Doesn't Work?

When you read this:

Perhaps more important than the overall numbers is the positive impact IE7 has made for our users. As you know, we focused a lot on improving security in IE7. We believe IE 7 is the safest Microsoft browser released to date. According to a vulnerability report published today, IE7 has fewer vulnerabilities than previous versions of IE over the same time period. What’s more, the report showed that IE7 had both fewer fixed and unfixed vulnerabilities in the first year than the other browsers we compared.

...you might not notice that the "vulnerability report" published at the imposing-sounding CSO site is written by a certain Jeff Jones, who, by an amazing coincidence:

is a Security Strategy Director in Microsoft’s Trustworthy Computing group.

So, Microsoft refers to a report that just happens to be written by one of its employees, but without mentioning that fact. Amazing how these things can just slip the mind, eh? (Via Mike Shaver.)

20 November 2007

UK Government Loses 15 Million Bank Details

This has to be about the most stupid security lapse in the history of computing:

Confidential details of 15 million child benefit recipients are on a computer disc lost by HM Revenue and Customs, the BBC understands.

Insult is added to injury:

Revenue and Customs says it does not believe the records - names, addresses and bank accounts - have fallen into the wrong hands.

Yeah? And they know that precisely how - because they're psychic, perhaps?

And then the UK government wants us to trust them with our IDs, too? If we did, how long before the odd 60 million IDs get "lost"? At least you can change your bank details - you don't have that option with your identity.

Update 1: What's really heartening is that a surprisingly large proportion of those commenting here on the BBC story spot the ID card connection....

Update 2: Better make that 25 million bank details, plus key data on all children in the UK.

10 August 2007

The Liability of Closed Source Software

It's a pity that reports from the House of Lord's Science and Technology Committee are so long, because they contain buckets of good stuff - not least because they draw on top experts. A case in point is the most recent, looking at personal Internet security, which includes luminaries such as Bruce Schneier and Alan Cox.

The recommendations are a bit of a mixed bag, but one thing that caught my eye was in the context of making suppliers liable for their software. As Bruce puts it:

“We are paying, as individuals, as corporations, for bad security of products”—by which payment he meant not only the cost of losing data, but the costs of additional security products such as firewalls, anti-virus software and so on, which have to be purchased because of the likely insecurity of the original product. For the vendors, he said, software insecurity was an “externality … the cost is borne by us users.” Only if liability were to be placed upon vendors would they have “a bigger impetus to fix their products”

Of course, product liability might be a bit problematic for free software, but again Schneier has a solution:

Any imposition of liability upon vendors would also have to take account of the diversity of the market for software, in particular of the importance of the open source community. As open source software is both supplied free to customers, and can be analysed and tested for flaws by the entire IT community, it is both difficult and, arguably, inappropriate, to establish contractual obligations or to identify a single “vendor”. Bruce Schneier drew an analogy with “Good Samaritan” laws, which, in the United States and Canada, protect those attempting to help people who are sick or injured from possible litigation. On the other hand, he saw no reason why companies which took open source software, aggregated it and sold it along with support packages—he gave the example of Red Hat, which markets a version of the open source Linux operating system—should not be liable like other vendors.

11 April 2007

Security in Numbers (105, to be Precise)

One of the oldest canards is that open source can't be secure, because crackers are able to see the source code and exploit it. Good to see a journal dedicated to security doesn't buy it:

Open source applications make their source code publicly available for any user to download, compile and execute. This makes it possible for developers to modify different aspects of the program to their needs. However, it also makes it extremely easy for malicious coders to find and use exploits in the software against unsuspecting users.

To prevent this from happening, open source software employs some of the highest forms of security around, and when it comes to open source security applications, that bar is set even higher. After all what good would a network firewall or intrusion detection system be if a user were able to penetrate the system because of an exploit in the source code?

It follows this up with a handy list of 105 open source security apps (although I'm not quite sure if all are pure free software, or whether some just run on things like GNU/Linux). Anyway, a useful starting point.

21 March 2007

Fresh Thoughts on DRM

One of the problems with the DRM battle is that it tends to get into a rut: the same old arguments for and against are trotted out. For those of us who care, it's a necessary price to pay for telling it as it is, but for onlookers, it's just plain boring.

That's what makes this piece, which reports on the recent conference "Copyright, DRM Technologies, and Consumer Protection", at UC Berkeley, quite simply the most interesting writing on DRM that I've come across for ages: as well as explaining the old arguments well, it includes a couple of new thoughts:

One good point a few panelists made is that successful DRM is likely to weaken the user's privacy. All DRM prevents computers and media devices from sharing files freely with each other. But in order to merely curb freedom, rather than end it entirely, DRM must identify which files can be shared and which can't, and which methods of sharing are permissible. The more sophisticated this process of determination becomes, the more it is necessary for devices to analyze information about the files in complex ways. The burden of this analysis will often be too great to implement in typical consumer electronics — so instead the data will be sent to an online server, which will figure out your rights and tell the client device what to do. But step back and consider where this is going: devices all over your house, sending information about your viewing and listening habits to a central server. Is this data certain to be subpoena-able someday? You bet. It probably already is.

Another point (made by Peter Swire among others) was the computer security implications of running DRM. The code in a DRM system must be a black box: it cannot be open source, because if the user could understand and change it, she could disable it and copy her files without restriction. But if the code is opaque, it cannot be examined for security flaws — and in fact, the Digital Millennium Copyright Act makes it illegal to even attempt such an examination in most circumstances. Basically, you have to run this code, for even if you are technically capable of modifying it, doing so would be illegal. (In response to this situation, Jim Blandy proposed a new slogan: "It's my computer, damn it!")

I believe that now is a critical moment in the fight against DRM: if we don't scotch the snake soon, it will turn into a hydra. To win, we need to convince "ordinary" people that DRM is mad, bad and dangerous to use; the points raised above could well prove important additions to the anti-DRM armoury.

13 March 2007

Opening Our Eyes to OpenID

Sign-ons can be a real pain, as you are forced to create ever more accounts at sites. A single sign-on is the obvious solution, but getting everyone to agree on a standard is hard. So it's particularly good to see that OpenID is not only taking off, but an open standard to boot.

Here's one of the best introductions to OpenID that I've come across:

At the most basic level, your OpenID identity is a unique URL. It can be a URL that you directly control (such as that of your personal Web page or blog) or one provided to you by a third-party service, such as an OpenID provider. In that sense, a site's use of OpenID identities is no different than using email addresses as identifiers: they are unique to each user and are verifiable. But you can publicly display an OpenID identity without attracting spam.

Going Qwaqqers About Qwaq

Even though Second Life gets the lion's share of the attention, there are several other virtual world systems out there, including some that are fully open source. One such is Croquet:

Croquet is a powerful open source software development environment for the creation and large-scale distributed deployment of multi-user virtual 3D applications and metaverses that are (1) persistent (2) deeply collaborative, (3) interconnected and (4) interoperable. The Croquet architecture supports synchronous communication, collaboration, resource sharing and computation among large numbers of users on multiple platforms and multiple devices.

The ideas behind Croquet are undeniably powerful, but it's always looked a little clunky when I've investigated it, more like a research project than anything that you might use. In other words, a solution in search of a problem.

Well, the problem has just turned up, and involves creating a secure virtual workspace for distributed teams. In the corporate context, the Second Life gew-gaws are less important than functionality like security and the ability to collaborate on any application. A new company called Qwaq, which includes many of the key people from the Croquet project, has been set up to meet that need.

It adopts a hybrid approach for its licensing: the core code is Croquet, and hence open source, but Qwaq adds proprietary elements on top. Obviously, I'd prefer it if everything were free code from the start, but it's understandable if new companies are cautious when dabbling with this tricky open source stuff. The existence of Qwaq, which obviously has a vested interest in the survival and development of Croquet, is already good news for the latter, but I predict that in time the company will gradually open up more of its code in order to tap into the community that will grow around it.

Its business model could certainly cope with that: it offers two versions of its product - one as a hosted service, the other run on an intranet. Although it is true that other companies could also host and support the product in this case, Qwaq has a unique strength that comes from the people working for it (rather like the advantage that Red Hat's roster of kernel hackers confers).

One of the benefits of using Croquet as the basis of its products is that the protocols are open, and this allows Croquet-compatible products to interoperate with Qwaq's. This means that the dynamics of the Croquet ecosystem are similar to that of the Web, which is never a bad thing.

At the time of writing, there's not much to see on Qwaq's site, but I imagine that will change soon, and I'll update this post to reflect that (and also be writing elsewhere about the technology and its applications). In the meantime, Qwaq's arrival is certainly welcome, since it signals a new phase in the roll-out and commercialisation of standards-based virtual spaces. I'm sure we'll see many more in the future.

Update: The Qwaq site has now gone live, with some info and a screenshot of the Qwaq Forums product, as well as a link to a datasheet. There is also a short press release available.

23 February 2007

The Biter Bit - by Bits

Now that the flow of highly-personal "security" information between the US and other countries is a two-way thing, I predict people in the former are going to become as unenthusiastic about it as those in the latter:

Welcome to the new world of border security. Unsuspecting Americans are turning up at the Canadian border expecting clear sailing, only to find that their past -- sometimes their distant past -- is suddenly an issue.

While Canada officially has barred travelers convicted of criminal offenses for years, attorneys say post-9/11 information-gathering, combined with a sweeping agreement between Canada and the United States to share data, has resulted in a spike in phone calls from concerned travelers.

...

Oh, and by the way, if you don't need to travel to Canada, don't think you won't need to clear your record. Lesperance says it is just a matter of time before agreements are signed with governments in destinations like Japan, Indonesia and Europe.

"This," Lesperance says, "is just the edge of the wedge."

Oh, yes, indeedy.... (Via Slashdot.)

08 January 2007

Second Life Opens up the Client

Fantastic news: Linden Lab has released the source code for the Second Life client under the GNU GPL v2. Nice historical context, too:

In 1993, NCSA released their liberally licensed, but proprietary, Mosaic 2.0 browser with support for inline images, arguably heralding the start of the web as we know it today. In an act of either acceptance of the inevitable or simple desperation, Netscape Communications released the bulk of the Netscape Communicator code base to form the foundation of projects such as Mozilla, Firefox, and Thunderbird.

We are not desperate, and we welcome the inevitable with open arms.

Stepping up the development of the Second Life Grid to everyone interested, I am proud to announce the availability of the Second Life client source code for you to download, inspect, compile, modify, and use within the guidelines of the GNU GPL version 2.

This is a great move by the Lindens, and a major step towards an open, standards-based virtual world. It will be interesting to see what comes of this. Sad, though, to see the deeply ignorant comments on the Linden Lab blog post lamenting this move because of the increased griefing they claim it will cause - as if security by obscurity ever worked.

Coders of the (virtual) world, unite!

17 November 2006

ID Cards: Cracked in All Senses

And talking of ID cards, here's more bad news.

Update: And how could I leave out the inimitable Mr. Lettice's wise words on the subject?

21 September 2006

Of Google and China

An interesting coupling of Google with China - but not for the usual reasons.

Dr. Kai-Fu Lee, the head of Google in China said:

Open source software affords Google the flexibility it needs to be able to respond to market demands. Since Google can redesign its software anytime, it can follow market changes quickly.

Open source also gives Google better control over sensitive business information. "If we buy software from other companies, they can tell how many servers we have from how many we pay. Now, that's only our own business," Lee said.

Meanwhile, Ni Guangnan, an academician at the Chinese Academy of Engineering, spoke of

"taking our fate into our own hands." Ni says that China is promoting open source as part of its strategy of being an innovative country, for national information security, and to solve the software pirate problem. He estimates China's open source industry will boom in upcoming years.