Tomorrow, July 13, is “Computer Ate My Vote Day”. Rallies will be held in many states across the U.S, to ask state officials to use safe and reliable voting technologies. I’ll be speaking at the New Jersey rally, at noon on the steps of the State House in Trenton.
Archives for July 2004
Security Theater
July 9, 2004 by
Lots of people are telling airport-security stories these days. Thus far I have refrained from doing so, even though I travel a lot, because I think the TSA security screeners generally do a good job. But last week I saw something so dumb that I just have to share it.
I’m in the security-checkpoint line at Boston’s Logan airport. In front of me is an All-American family of five, Mom, Dad, and three young children, obviously headed somewhere hot and sunny. They have the usual assortment of backpacks and carry-on bags.
When they get through the metal detector, they’re told that Mom and Dad had been pre-designated for the more intensive search, where they wand-scan you and go through your bags. This search is a classic example of what Bruce Schneier calls Security Theater, since it looks impressive but doesn’t do much good. The reason it doesn’t do much good is that it’s easy to tell in advance whether you’re going to be searched. At one major airport, for example, the check-in agent writes a large red “S” on your boarding pass if you’re designated for this search; you don’t have to be a rocket scientist to know what this means. So only clueless bad guys will be searched, and groups of bad guys will be able to transfer any contraband into the bags of group members who won’t be searched, with plenty of time after the security checkpoint to redistribute it as desired.
But back to my story. Mom and Dad have been designated for search, and the kids have not. So the security screener points to the family’s pile of bags and asks which of the bags belong to Mom and Dad, because those are the ones that he is going to search. That’s right: he asks the suspected bad guys (and they must be suspected, otherwise why search them) which of their bags they would like to have searched. Mom is stunned, wondering if the screener can possibly be asking what she thinks he’s asking. I can see her scheming, wondering whether to answer honestly and have some stranger paw through her purse, or to point instead to little Johnny’s bag of toys.
Eventually she answers, probably honestly, and the screener makes a great show of diligence in his search. Security theater, indeed.
WSJ Political Diary on INDUCE Act
July 7, 2004 by
Yesterday’s “Political Diary” at the Wall Street Journal’s online OpinionJournal had a nice little piece on Sen. Hatch’s IICA (a.k.a. INDUCE Act). (Access to subscribers only, unfortunately.)
The piece, written by David Robinson, notes that Sen. Hatch, who had previously urged vigorous action against music downloaders, even suggesting “destroying their machines,” has now changed his tune.
Now he’s returned to the issue, this time with a different message: Young downloaders are not crooks, but victims. They have been “tragically” manipulated, he explained on the floor of the Senate, by adults who “exploit the innocence of children.”
The IICA doesn’t seem to be the solution:
Mr. Hatch may have a point – software businesses like Grokster and others do seem to be engaged in trying to profit from their customers’ urge to commit piracy. But his solution seems likely to open a Pandora’s box of frivolous lawsuits, ranging far beyond music downloads. As much as we enjoy Mr. Hatch’s magic similes, “back to the drawing board” would be our advice.
Fancy DRM For Academy Screeners?
July 6, 2004 by
Movie studios are considering an elaborate DRM scheme to limit copying of promotional “screener” videos distributed to Academy Award voters, according to an AP story by Gary Gentile.
The article’s description of the scheme is a bit confusing, but I think I can reconstruct how it works. The studios would distribute a special new DVD player to each person receiving videos. Each copy of a video would be encrypted so that only a particular person’s DVD player could decrypt it. The videos would also contain some kind of watermark to identify each individual copy.
The technology vendor, Cinea, makes a carefully calibrated technical claim:
Cinea executives said that with enough time and money, a hacker could eventually circumvent the encryption technology hardwired in a single DVD player, but the watermarking will help authorities track down that player.
The discs, by themselves, cannot be hacked, [a Cinea executive] said.
Assuming that this claim is correct, the discs must not be using the lame CSS encryption scheme used by normal DVDs. (CSS is so weak that encryption keys can be recovered easily from a single encrypted disc.) If the designers are smart, they’re using a standard encryption method, in which case it’s probably true that a single disc is not enough to recover the encrypted plaintext. Of course, it’s easy to access the video given a disc and a player – that’s the whole point of having a player.
It’s not clear how sophisticated the watermark would be. Last year, a simple, weak watermark was sufficient to catch a guy who distributed copies of Academy screener videos on the net.
All of this expensive technology might be enough to keep screener videos from leaking onto the net. But this kind of technology won’t work for consumer DVDs. Tethering each disc to a single player would cause major headaches for consumers – imagine having to buy all new discs whenever you bought a new player.
Worse yet, anybody could capture and redistribute the analog output of one of these players. Even if the watermark scheme isn’t broken (and it probably would be, if it mattered), the best the watermark can do is to trace the redistributed copy back to a particular player device. If that device was stolen, or transported to an outlaw region, there is no plausible way to catch the actual perpetrator. This might not be a problem for a modest number of devices, used for a short period by known people, as in the case of screeners; but it would be a fatal flaw on devices that are distributed widely to ordinary people.
UPDATE (July 7): Ernest Miller has some interesting comments on this issue.
Monoculture Debate: Geer vs. Charney
July 1, 2004 by
Yesterday the USENIX Conference featured a debate between Dan Geer and Scott Charney about whether operating-system monoculture is a threat to computer security. (Dan Geer is a prominent security expert who co-wrote last year’s CCIA report on the monoculture program, and was famously fired by @Stake for doing so. Scott Charney was previously a cybercrime prosecutor, and is now Microsoft’s Chief Security Strategist.)
Geer went first, making his case for the dangers of monoculture. He relied heavily on an analogy to biology, arguing that just as genetic diversity helps a population resist predators and epidemics, diversity in operating systems would help the population of computers resist security attacks. The bio metaphor has some power, but I thought Geer relied on it too heavily, and that he would have been better off talking more about computers.
Charney went second, and he made two main arguments. First, he said that we already have more diversity than most people think, even within the world of Windows. Second, he said that the remedy that Geer suggests – adding a modest level of additional diversity, say adopting two major PC operating systems with a 50/50 market share split – would do little good. The bad guys would just learn how to carry out cross-platform attacks; or perhaps they wouldn’t even bother with that, since an attack can take the whole network offline without penetrating a large fraction of machines. (For example, the Slammer attack caused great dislocation despite affecting less than 0.2% of machines on the net.) The bottom line, Charney said, is that increasing diversity would be very expensive but would provide little benefit.
A Q&A session followed, in which the principals clarified their positions but no major points were scored. Closing statements recapped the main arguments.
The moderator, Avi Rubin, polled the audience both before and after the debate, asking how many people agreed with each party’s position. For this pupose, Avi asked both Geer and Charney to state their positions in a single sentence. Geer’s position was that monoculture is a danger to security. Charney’s position was that the remedy suggested by Geer and his allies would do little if anything to make us more secure.
Pre-debate, most people raised their hands to agree with Geer, and only a few hands went up for Charney. Post-debate, Geer got fewer hands than before and Charney got more; but Geer still had a very clear majority.
I would attribute the shift in views to two factors. First, though Geer is very eloquent for a computer scientist, Charney, as an ex-prosecutor, is more skilled at this kind of formalized debate. Second, the audience was more familiar with Geer’s arguments beforehand, while some may have been hearing Charney’s arguments for the first time; so Charney’s arguments had more impact.
Although I learned some things from the debate, my overall position didn’t change. I raised my hand for both propositions, both pre- and post-debate. Geer is right that monoculture raises security dangers. Charney is also right that the critics of monoculture don’t offer compelling remedies.
This is not to say that the current level of concentration in the OS market is optimal from a security standpoint. There is no doubt that we would be more secure if our systems were more diverse. The most important step toward diversity would be to ensure true competition in software markets. Consumers have an incentive to switch to less-prevalent technologies in order to avoid being attacked. (See, e.g., Paul Boutin’s endorsement in Slate of the Mozilla Firefox browser.) In a properly functioning market, I suspect that the diversity problem would take care of itself.
(See also my previous discussion of the monoculture issue.)
