May 14, 2024

Burn Notice, season 4, and the abuse of the MacGuffin

One of my favorite TV shows is Burn Notice. It’s something of a spy show, with its share of gadgets but generally no James Bond-esque Q to supply equipment that’s certainly beyond the reach of real-world spycraft. Burn Notice instead focuses on the value of teamwork, advance planning, and clever subterfuge to pull off its various operations, combined with a certain amount of humor and romance to keep the story compelling and engaging. You can generally watch along and agree with the feasibility of what they’re doing. Still, when they get closer to technology I actually know something about, I start to wonder.

One thing they recently got right, at least in some broad sense, was the ability to set up a femtocell (a small cell phone base station) as a way of doing a man-in-the-middle attack against a target’s cell phone. A friend of mine has one of these things, and he was able to set it up to service my old iPhone with nothing more than my phone number. Of course, it changed the service name (from “AT&T” to “AT&T Microcell” or something along those lines), but it’s easy to imagine, in a spy-vs-spy scenario, that this would be easy to fix. (The harder part, which the show skips entirely, is that a stock femtocell tunnels everything straight back to the carrier over an encrypted backhaul; to actually listen in, you have to compromise the box itself, not merely own it.) Burn Notice didn’t show the longer-range antenna or amplifier needed to reach their target, who was inside a building while our wiretapping heroes were out on the street, but I’m almost willing to let them get away with that, never mind having to worry about GSM versus CDMA. Too much detail would detract from the story.

(Real world analogy: Rop Gonggrijp, a Dutch computer scientist who had some tangential involvement with WikiLeaks, recently tweeted: “Foreign intel attention is nice: I finally have decent T-Mobile coverage in my office in the basement. Thanks guys…”)

What’s really bothered me about this season’s Burn Notice, though, was the central plot MacGuffin. Quoting Wikipedia: “the defining aspect of a MacGuffin is that the major players in the story are (at least initially) willing to do and sacrifice almost anything to obtain it, regardless of what the MacGuffin actually is.” MacGuffins are essential to many great works of drama, yet it seems that Hollywood fiction writers haven’t yet adapted the ideas of MacGuffins to dealing with data, and it really bugs me.

Without spoiling too much, Burn Notice‘s MacGuffin for the second half of season 4 was a USB memory stick which happened to have some particularly salacious information on it (a list of employee ID numbers corresponding to members of a government conspiracy), and which lots of people would (and did) kill to get their hands on. Initially we had the MacGuffin riding around on the back of a motorcycle courier; our heroes had to locate and intercept it. Our heroes then had to decide whether to use the information themselves or pass it on to a trusted insider in the government. Later, after various hijinks wherein our heroes lost the MacGuffin, the bad guy locked it in a fancy safe, which our heroes had to physically find and then remove from a cinderblock wall to later open with an industrial drill press.

When the MacGuffin was connected to a computer, our heroes could read it, but due to some sort of unspecified “cryptography” they were unable to make copies. Had that essential element been more realistic, the entire story would have changed. Never mind that no such “encryption” technology exists: cryptography can keep data unreadable to anyone without the key, but once the data is readable on a screen, nothing stops it from being copied. For a show that has our erstwhile heroes regularly use pocket digital cameras to photograph computer screens or other sensitive documents, you’d think they would do something similar here. Nope. The problem is that any realistic attempt to model how easy it is to copy data like this would have blown apart the MacGuffin-centric nature of the plot. Our protagonists could have copied the data, early on, and handed the memory stick over. They could then have handed over bogus data written to the same memory stick. They could have created thousands of webmail accounts, each holding copies of the data. They could have anonymously sent the incriminating data to any of a variety of third parties, perhaps borrowing some plot elements from the whole WikiLeaks fiasco. In short, there could still have been a compelling story, but it wouldn’t have followed the standard MacGuffin structure, and it would almost certainly have reached a very different conclusion.

All in all, it’s probably a good thing I don’t know too much about combat tactics, explosives, or actual spycraft, or I’d be completely unable to enjoy a show like this. I expect James Bond to do impossible things, but I appreciate Burn Notice for its plausibility. I can almost imagine it actually happening.

Smart electrical meters and their smart peripherals

When I was a college undergraduate, I lived in a 1920s duplex, and I recall my roommate and I trying to figure out where our electrical bill was going. He was standing outside by the electrical meter, I was turning things on and off, and we were yelling back and forth so we could sort out which gadgets were causing the wheel to spin faster. (The big power sinks? Our ancient 1950s refrigerator and my massive-for-the-day 20-inch computer monitor.) Needless to say, this was more difficult than it should have been.

More recently, I got myself a Kill-a-Watt inline power meter which you can use at any power outlet, but it’s a pain. You have to unplug something to measure its usage. People with the big bucks will spring for a Ted 5000 system, which an electrician installs in your breaker box. That’s fantastic, but it’s not cheap or easy.

Today, I’m the proud new owner of an LS Research “RateSaver”, which speaks ZigBee wireless to the “smart meter” that CenterPoint Energy installed on all the houses in our area. How did I get this thing? I went to a League of Women Voters “meet the candidates” event back in October and CenterPoint Energy had a display there. I asked the guy if I could get one of these things and he said he’d look into it for me. Fast forward two months, and a box arrived in the mail. New toy!

So what exactly is it? It’s a battery-powered light-weight box with a tolerably readable two-inch monochrome LCD display. As I’m sitting here typing, it’s updating my “current usage” every few seconds and is giving me a number that’s ostensibly accurate to the watt. In the last minute, after I pressed the proper button, it’s been alternating between reading 650-750 watts, and 1400-1500 watts. (Hmm… maybe my fridge consumes 700 watts.) If you leave it alone, the refresh rate slows down to maybe once a minute. Also, it’s sometimes reading “0.000 kW” which is clearly incorrect but it returns to the proper number when I press the button. Wireless range is quite good. I’m on the opposite side of the house as our electrical meter and it’s working fine.

The user interface is all kinds of terrible. In addition to slow button response, the button labels are incorrect. LS Research is apparently just rebranding a Honeywell Home Energy Display (for which the Honeywell manual was included). LS Research apparently rearranged the button labels without changing the corresponding software. Bravo! Thankfully, the Honeywell manuals have the proper labeling. Also amusing: there’s a message in the system saying that “non-peak price starts at 7:00 PM. Save Money by waiting” when in fact my electrical pricing deal is for a flat rate (which floats with market conditions and is presently $0.0631 per kWh).

Update: I’ve since learned that Honeywell acquired LS Research, so this is something of a transitional screw-up. Welcome to the world of beta products.

Since I’m a security guy, I assumed I’d have to go through some kind of protocol to get the thing activated, and the manual from inside the box describes an activation procedure where you make a phone call to your energy company, giving them the hardware ID numbers of the outdoor smart meter and the indoor display box. (In ZigBee Smart Energy deployments, that call is typically how the utility registers the display’s MAC address and per-device install code with the meter, so that only that one display can join the meter’s network.) Conflicting instructions were also included with my display, describing a setup as simple as “turn it on and hit the connect button,” so I went with the easy instructions. Time passed and the box started working without requiring any additional input from me. I hope that my display box was pre-provisioned to pair exclusively with my meter; the alternative, a meter that accepts joins from any nearby display, would leave each house’s consumption data readable from the street, and this does lead me to wonder whether they got the security right. (I experimentally turned lights on and off while watching the meter updates and validated that I am, in fact, looking at the usage of my own house.)

At the end of the day, I and everybody else here are now required to pay a $3.24 “advanced meter charge” in order to have all this functionality (which, incidentally, saves the electric company money, since it no longer needs human meter readers). Is it worth it? Presumably, at some point I’ll have some kind of variable-priced electricity, and I could then hack my refrigerator and air conditioning system to pay attention to the spot price. If electricity got extra cheap during a five-minute window of a hot summer day, the controller could crank the A/C and drop the house an extra few degrees. Of course, if everybody followed this same algorithm, you’d either have insane demand swings, with everybody jumping on to consume cheaper electricity the moment it’s available, or you’d have to carefully engineer the pricing system so that demand stays stable. Presumably, if you got somebody who understood control theory to design this properly, you could end up incentivizing both demand and pricing to be fairly stable across any given hour of the day.
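As an added illustration (this is not code from the post or from any utility’s system), here is a toy simulation of the scenario just described: 200 houses, each with an A/C that decides every five minutes whether to run based on the spot price. The house count, the 3.5 kW compressor draw and the one-hour price series are constructed. The “spread” controller stands in for the carefully engineered pricing the paragraph calls for by giving each house its own trigger price across a band, which is what a random per-house offset or a staggered tariff would achieve in practice.

```python
from typing import Callable, List

AC_KW = 3.5       # constructed: draw of one house's A/C compressor, kW
N_HOUSES = 200    # constructed feeder size

# Constructed 5-minute spot prices for one hour, $/kWh (a dip, then a spike).
PRICES = [0.063, 0.060, 0.058, 0.055, 0.052, 0.050,
          0.055, 0.061, 0.067, 0.070, 0.066, 0.062]

Controller = Callable[[int, float], bool]


def naive_controller(house: int, price: float) -> bool:
    """Every house runs the same rule: cool whenever price drops below $0.060/kWh."""
    return price < 0.060


def spread_controller(house: int, price: float) -> bool:
    """Each house has its own trigger price, spread evenly over $0.049..$0.071.
    A random per-house offset would do the same job; the deterministic spread
    just keeps the example reproducible."""
    low, high = 0.049, 0.071
    trigger = low + (high - low) * (house + 0.5) / N_HOUSES
    return price < trigger


def aggregate_demand(controller: Controller) -> List[float]:
    """Total A/C load on the feeder (kW) at each 5-minute price step."""
    return [AC_KW * sum(controller(h, p) for h in range(N_HOUSES)) for p in PRICES]


def max_ramp(controller: Controller) -> float:
    """Largest change in feeder load between consecutive steps (kW per 5 minutes);
    this, not the average load, is what stresses the grid."""
    d = aggregate_demand(controller)
    return max(abs(b - a) for a, b in zip(d, d[1:]))


if __name__ == "__main__":
    for name, ctl in (("naive", naive_controller), ("spread", spread_controller)):
        print(f"{name:6s} load per step (kW): {[round(x) for x in aggregate_demand(ctl)]}")
        print(f"{name:6s} worst 5-minute ramp: {max_ramp(ctl):.1f} kW")
```

With the naive rule the feeder load is either 0 kW or the full 700 kW and flips in a single five-minute step; with the spread of trigger prices the worst step is under 200 kW and the load tracks the price curve instead of chasing it.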

Probably the biggest benefit of these smart meters will come the next time a major hurricane comes through and knocks out power. Hurricane Ike left my house without power for ten days. At the time, CenterPoint Energy had a vague and useless web site that would give you an idea what neighborhoods were being repaired. Since it was too hot to stay in our house, we stayed instead with a friend who had power and drove by our place every day to see if it had power. This was very frustrating. (I unplugged all my computer equipment, since I didn’t want flaky power to nuke my equipment. Consequently, I couldn’t just do something simple like ping my home computer.) Today, I can log into CenterPoint Energy’s web site and see the power consumption of my house, in 15-minute intervals, and so can the people coordinating the repairs. If they integrated that with a mapping system, they’d have real-time blackout maps, which have obvious value to emergency planners and repair operations coordination.

I just hope they have somebody with a clue looking over the security of their system. (If somebody from CenterPoint reads this: people like me are more than happy to do private security evaluations, red-team exercises, and so forth.)

Future work: there’s a mini USB port on the side of the box. Now I just have to find some documentation. It’s probably bad form for me to go reverse-engineer it myself.

Paper vs. Electronic Voting in Today's Election in Houston

(Cross-posted at the Computing@Rice blog at the Houston Chronicle.)

Back in late August, Harris County (Houston)’s warehouse, with all 10,000 of our voting machines, burned to the ground. As I blogged at the time, our county decided to spend roughly $14 million of its $40 million insurance settlement on purchasing replacement electronic voting machines of the same type destroyed in the fire, and of the same type that I and my colleagues found to be unacceptably insecure in the 2007 California Top-to-Bottom Report. This emergency purchase was enough to cover our early voting locations and a smattering of extras for Election Day. We borrowed the rest from other counties, completely ignoring the viral security risks that come with this mixing and matching of equipment. (It’s all documented in the California report above. See Section 7.4 on page 77. Three years later, and the vendor has fixed none of these issues.)

Well, the county also spent the money to print optical-scan paper ballots (two sheets of 8.5″ x 17″, printed front and back), and when I went to vote this morning, I found my local elementary school had eight eSlate machines, all borrowed from Travis County (Austin), Texas. They also had exactly one booth set up for paper ballot voting.

After I signed in, the poll worker handed me the four-digit PIN code for using an eSlate before I could even ask to use paper. “I’d like to vote on paper.” “Really? Uh, okay.” Apparently I was only the second person that day to ask for paper and they were in no way making any attempt to give voters the option to vote on paper.

How did it work? They had a table with three blank ballots (each a stack of two sheets of paper), of which I could choose one. Both sheets shared a long serial number on the left column, which appears to serve two functions. First, it allows the two sheets to be kept together (notably, allowing the straight ticket voting option on the first sheet to apply to the second sheet). Also, these serial numbers, by virtue of being large and hopefully random, would act to prevent ballot stuffing (assuming the county kept records of which numbers were valid). Additionally, there was a signature from one of the poll workers at the bottom of the ballot, which I presume to be an additional anti-ballot-stuffing measure.

I was handed a Bic pen and pointed to a rickety standing table with a privacy partition. At the same time, my wife voted on a standard eSlate. I decided to ask a poll worker the question of how a straight ticket on the first sheet would apply to the second sheet. The first poll worker, who was operating the eSlates, said “sorry, I was only trained on the eSlates” and made me wait until the head guy came over. The head guy then proceeded to give me an extended tutorial in the ways of our straight ticket system, requiring me to interrupt him and say, “yeah, but all I want to know is how my tick of the straight ticket box on the first sheet is carried over to the second sheet.” We ultimately concluded that it must be due to the matching serial numbers.

Anyway, despite all this fun and excitement, I still managed to finish my ballot a solid minute faster than my wife. Also, by that time, a queue of maybe six people was waiting to vote while all the eSlates were busy. I asked the poll workers at the sign-in table if they were planning to offer paper ballots to anybody in line and they looked at me as if I was insane. I also mentioned that I finished voting faster than my wife and one poll worker went as far as to say “don’t tell anybody!” as if that might (gasp!) cause people to want to vote on paper.

What’s going on here? I blame our lame-duck election administrator, who has been urging voters to use the eSlate, and doing her best to ignore the paper ballot option that she was compelled to offer as a consequence of the warehouse fire. If there’s no emphasis on paper, from the leadership on top, one could hardly expect poll workers to behave any differently.

What’s happening next?

One way or another, Harris County will have a new elections administrator after our incumbent one retires, and the next one will be responsible for rebuilding our election systems. Curiously, Travis County recently announced that they’re retiring their eSlates after the 2012 election, replacing them with paper ballots that are scanned in the precinct. This gives Harris County the chance to buy their used gear at a fraction of the price of new equipment, should we choose to go that route, or we could instead follow Travis County’s lead and ditch our eSlates entirely (save for keeping one in each precinct for accessibility purposes). Either way, we would save literally millions of dollars, relative to the costs of purchasing new eSlates from scratch, and of course the new paper ballot systems are more secure and (gasp!) faster and easier to use.

Sidebar: Are these paper ballots really private?

The Texas Election Code actually has a requirement that ballots be “numbered”, which I understand is generally taken to mean that there must be mechanisms in place to prevent tampering and ballot stuffing. (You would require a very broad interpretation of that statute in order to have allowed traditional lever voting machines, used widely in Texas prior to 2000, where there is nothing approximating individual ballot numbers in the machine.) The sparse and hopefully unguessable serial numbers on our paper ballots appear to follow the letter of the law as well as offering the ability to have ballots larger than a single sheet of paper. That’s the good news, but let’s consider what it would mean in the case where somebody was attempting to bribe or coerce my vote and they had access to the output of the central ballot scanner, which presumably includes these ballot numbers.

Of course, the poll worker who puts out the blank ballots can track who gets which ballot. Furthermore, I could simply write down my own ballot number. Because these numbers are sparse, and thus hard to guess, somebody bribing or coercing me would have some serious leverage on me if I produced an invalid ballot number. If I sneakily remembered one of the other two ballot numbers from the table, I could present my coercer with one of those numbers instead, but then I would have no knowledge of how (or even if) that other ballot was cast, and could thus get in trouble with my coercer.

How can this coercion risk be mitigated? One simple option is to render the ballot numbers only as barcodes. Very few of us can visually read a barcode, much less the newer two-dimensional barcodes. So long as we ban smartphones or other cameras, we’re in good shape. Concerned voters or auditors, who want to ensure the same number exists on both ballot sheets could hold them up to a bright light, lining them up together, to make sure that they match up.
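As an added example serving both the description of the serial numbers above and this sidebar (it is not Harris County’s actual procedure, which the post only sees from the voter’s side), here is a sparse random ballot serial scheme of the kind the post infers, together with the anti-stuffing checks a central scanner could apply. The 12-digit serial width, the ballot counts and the scanned sample are assumptions; the post only says the numbers are “long”.

```python
import secrets
from typing import Dict, List, Set, Tuple

SERIAL_DIGITS = 12   # assumed width; the post only says the numbers are "long"


def issue_serials(count: int, digits: int = SERIAL_DIGITS) -> Set[str]:
    """Draw `count` distinct random serials from a 10**digits space.

    The returned set is the county's record of valid numbers; without such a
    record a sparse serial deters nothing, since the scanner could not tell an
    issued number from an invented one."""
    registry: Set[str] = set()
    while len(registry) < count:
        registry.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
    return registry


def forgery_success_probability(issued: int, digits: int = SERIAL_DIGITS) -> float:
    """Chance that one guessed serial happens to be a valid, issued one.
    This is what "sparse" buys: a million ballots in a 12-digit space gives
    a forger one chance in a million per guess."""
    return issued / 10 ** digits


def tally(scanned: List[Tuple[str, str, str]],
          registry: Set[str]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """scanned: (sheet-1 serial, sheet-2 serial, votes summary) per ballot.

    Accept a ballot only if both sheets carry the same registered serial and that
    serial has not already been counted. Rejections carry the reason so auditors
    can distinguish a misfed ballot from an attempted stuffing."""
    accepted: Dict[str, str] = {}
    rejected: List[Tuple[str, str]] = []
    for s1, s2, votes in scanned:
        if s1 != s2:
            rejected.append((s1, "sheet mismatch"))
        elif s1 not in registry:
            rejected.append((s1, "unregistered serial"))
        elif s1 in accepted:
            rejected.append((s1, "duplicate serial"))
        else:
            accepted[s1] = votes
    return accepted, rejected


def demo() -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Constructed registry and scanner input exercising each rejection rule."""
    registry = {"482913067215", "109384726510", "771102938465"}
    scanned = [
        ("482913067215", "482913067215", "straight ticket A"),
        ("109384726510", "109384726510", "split ticket"),
        ("109384726510", "109384726510", "split ticket"),      # photocopied ballot
        ("771102938465", "000000000001", "straight ticket B"),  # sheets from two ballots
        ("555555555555", "555555555555", "straight ticket B"),  # serial never issued
    ]
    return tally(scanned, registry)


if __name__ == "__main__":
    print(f"forgery odds per guess: {forgery_success_probability(1_000_000):.0e}")
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Note what the `accepted` table is: a map from serial number to how that ballot was voted. That is exactly the scanner output the sidebar worries about, and the scheme’s anti-stuffing strength (every serial unique and recorded) is the same property that makes the table a coercion tool for anyone who can read it and learn a voter’s number.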

Oh, and ballots aren’t private with the current eSlate either. See the California report, linked above, “issue 25” on page 58. See also Section 7.1 which starts on page 72.

On kids and social networking

Sunday’s New York Times has an article about cyber-bullying that’s currently #1 on their “most popular” list, so this is clearly a topic that many find close and interesting.

The NYT article focuses on schools’ central role in policing their students’ social behavior. While I’m all in favor of students being taught, particularly by older peer students, the importance of self-moderating their communications, schools face a fundamental quandary:

Nonetheless, administrators who decide they should help their cornered students often face daunting pragmatic and legal constraints.

“I have parents who thank me for getting involved,” said Mike Rafferty, the middle school principal in Old Saybrook, Conn., “and parents who say, ‘It didn’t happen on school property, stay out of my life.’ ”

Judges are flummoxed, too, as they wrestle with new questions about protections on student speech and school searches. Can a student be suspended for posting a video on YouTube that cruelly demeans another student? Can a principal search a cellphone, much like a locker or a backpack?

It’s unclear. These issues have begun their slow climb through state and federal courts, but so far, rulings have been contradictory, and much is still to be determined.

Here’s one example that really bothers me:

A few families have successfully sued schools for failing to protect their children from bullies. But when the Beverly Vista School in Beverly Hills, Calif., disciplined Evan S. Cohen’s eighth-grade daughter for cyberbullying, he took on the school district.

After school one day in May 2008, Mr. Cohen’s daughter, known in court papers as J. C., videotaped friends at a cafe, egging them on as they laughed and made mean-spirited, sexual comments about another eighth-grade girl, C. C., calling her “ugly,” “spoiled,” a “brat” and a “slut.”

J. C. posted the video on YouTube. The next day, the school suspended her for two days.

“What incensed me,” said Mr. Cohen, a music industry lawyer in Los Angeles, “was that these people were going to suspend my daughter for something that happened outside of school.” On behalf of his daughter, he sued.

If schools don’t have the authority to discipline J. C., as the court apparently ruled, and her father is more interested in defending her than disciplining her for clearly inappropriate behavior, then can we find some other solution?

Of course, there’s nothing new about bullying among the early-teenage set. I will refrain from dredging up such stories from my own pre-Internet, pre-SMS childhood, but there’s no question that these kids are at an important stage of their lives, where they’re still learning essential concepts, like how to relate to their peers and the importance (or lack thereof) of their peers’ approval, much less understanding where to draw boundaries between their public self and their private feelings. It’s certainly important for us, the responsible adults of the world, to recognize that nothing we can say or do will change the fundamental social awkwardness of this age. There will never be an ironclad solution that eliminates kids bullying, taunting, or otherwise hurting one another.

Given all that, the rise of electronic communications (whether SMS text messaging, Facebook, email, or whatever else) changes the game in one very important way. It increases the velocity of communications. Every kid now has a megaphone for reaching their peers, whether directly through a Facebook posting that can reach hundreds of friends at once or indirectly through the viral spread of embarrassing gossip from friend to friend, and that speed can cause salacious information to get around well before any traditional mechanisms (parental, school administrative, or otherwise) can clamp down and assert some measure of sanity. For possibly the ultimate example of this, see a possibly fictitious yet nonetheless illustrative girl’s written hookup list posted by her brother as a form of revenge against her ratting out his hidden stash of beer. Needless to say, in one fell swoop, this girl’s life got turned upside down with no obvious way to repair the social damage.

Alright, we invented this social networking mess. Can we fix it?

The only mechanism I feel is completely inappropriate is this:

But Deb Socia, the principal at Lilla G. Frederick Pilot Middle School in Dorchester, Mass., takes a no-nonsense approach. The school gives each student a laptop to work on. But the students’ expectation of privacy is greatly diminished.

“I regularly scan every computer in the building,” Ms. Socia said. “They know I’m watching. They’re using the cameras on their laptops to check their hair and I send them a message and say: ‘You look great! Now go back to work.’ It’s a powerful way to teach kids: ‘I’m paying attention, you need to do what’s right.’ ”

Not only do I object to the Big Brother aspect of this (do schools still have 1984 on their reading lists?), but turning every laptop into a surveillance device is a hugely tempting target for a variety of bad actors. Kids need and deserve some measure of privacy, at least to the extent that schools already give kids a measure of privacy against arbitrary and unjustified search and seizure.

Surveillance is widely considered to be more acceptable when it’s being done by parents, who might insist they have their kids’ passwords in order to monitor them. Of course, kids of this age will reasonably want or need to have privacy from their parents as well (e.g., we don’t want to create conditions where victims of child abuse can be easily locked down by their family).

We could try to invent technical means to slow down the velocity of kids’ communications, which could mean adding delays as a function of the fanout of a message, or even giving viewers of any given message a kill switch over it, that could reach back and nuke earlier, forwarded copies to other parties. Of course, such mechanisms could be easily abused. Furthermore, if Facebook were to voluntarily create such a mechanism, kids might well migrate to other services that lack the mechanism. If we legislate that children of a certain age must have technically-imposed communication limits across the board (e.g., limited numbers of SMS messages per day), then we could easily get into a world where a kid who hits a daily quota cannot communicate in an unexpectedly urgent situation (e.g., when stuck at an alcoholic party and needing a sober ride home).

Absent any reasonable technical solution, the proper answer is probably to restrict our kids’ access to social media until we think they’re mature enough to handle it, to make sure that we, the parents, educate them about the proper etiquette, and that we take responsibility for disciplining our kids when they misbehave.

Rebooting the CS Publication Process

The job of an academic is to conduct research, and that means publishing manuscripts for the world to read. Computer science is somewhat unusual, among the other disciplines in science and engineering, in that our primary research output goes to highly competitive conferences rather than journals. Acceptance rates at the “top” conferences are often 15% or lower, and the process of accepting those papers and rejecting the rest is famously problematic, particularly for the papers on the bubble.

Consequently, a number of computer scientists have been writing about making changes to the way we do what we do. Some changes may be fairly modest, like increasing acceptance rates by fiat, and eliminating printed paper proceedings to save costs. Other changes would be more invasive and require more coordination.

If we wanted to make a concerted effort to really overhaul the process, what would we do? If we can legitimately concern ourselves with “clean slate” redesign of the Internet as an academic discipline, why not look at our own processes in the same light? I raised this during the rump session of the last HotOS Workshop and it seemed to really get the room talking. The discipline of computer science is clearly ready to have this discussion.

Over the past few months, I’ve been working on and off to flesh out how a clean-slate publishing process might work, taking advantage of our ability to build sophisticated tools to manage the process, and including a story for how we might get from here to there. I’ve written this up as a manuscript and I’d like to invite our blog readers, academic or otherwise, to read it over and offer their feedback. At some point, I’ll probably compress this down to fit the tight word limit of a CACM article, but first things first.

Have a look. Post your feedback here on Freedom to Tinker or send me an email and I’ll follow up, no doubt with a newer draft of my manuscript.