April 28, 2015

Ed Felten

avatar

FREAK Attack: The Chickens of ‘90s Crypto Restriction Come Home to Roost

Today researchers disclosed a new security flaw in TLS/SSL, the protocol used to secure web connections. The flaw is significant in itself, but it is also a good example of what can go wrong when government asks to build weaknesses into security systems.

Back in the early 1990s, it was illegal to export most products from the U.S. if they had strong cryptography. To be exportable, a system had to use small keys that could be defeated by a brute-force search over the (reduced) key space. Because of this, the secure web protocol, SSL, was designed to allow either party to a communication to ask to use a special export mode. [Note for crypto geeks: “export mode” refers to certain cipher suites whose names start with “EXP”.] When it became legal to export strong crypto, the export mode feature was not removed from the protocol because some software still depended on it. Export mode is still an option today.

This creates the possibility that a network “man in the middle” (MITM) can downgrade the security of a connection. If Alice and Bob are setting up a connection, the MITM can tell Alice that Bob is asking for export mode, and vice versa. This kind of “downgrade attack” is well known, and the TLS/SSL protocol has features designed to detect it. In this case, for complicated reasons beyond the scope of this post, the anti-downgrade protections could be evaded by a clever MITM.

Having tricked Alice and Bob into using export mode, an adversary could then crack the 512-bit RSA keys used in this mode. Back in the ‘90s that would have required a heavy-duty computation, but today it takes about 7 hours on Amazon EC2 and costs about $100.

Many web sites are vulnerable to this attack, allowing an adversary in the network to spoof or spy on traffic to vulnerable sites. About 12% of popular sites appear to be vulnerable, including americanexpress.com, groupon.com, bloomberg.com, kohls.com, marriott.com, and usajobs.gov.

Even the National Security Agency’s own site is vulnerable. That’s not a big national security problem in itself because NSA doesn’t distribute state secrets from its public site. But there is an important lesson here about the consequences of crypto policy decisions: the NSA’s actions in the ‘90s to weaken exportable cryptography boomeranged on the agency, undermining the security of its own site twenty years later.

Next time you hear a government official ask to modify a security system to protect their own access to data, ask yourself: What are the side effects? How do we know we won’t regret this later?

avatar

Lenovo Pays For Careless Product Decisions

The discovery last week that Lenovo laptops had been shipping with preinstalled adware that left users wide open to security exploitation triggered a lot of righteous anger in the tech community. David Auerbach at Slate wrote that Lenovo had “betrayed its customers and sold out their security”. Whenever a big company does something so monumentally foolish, it’s worth stepping back and asking how this could have happened.
[Read more…]

avatar

In Partial Defense of the Seahawks’ Play Calling

The conventional wisdom about last night’s Super Bowl is that the Seahawks made a game-losing mistake by running a passing play from the Patriots’ one yard line in the closing seconds. Some are calling it the worst Super Bowl play call ever.

I disagree. I won’t claim it was the right call, but I do think it was reasonable. Let me explain why.

To analyze the decision we have to put ourselves in the shoes of the Seahawks’ coaches at the time. They did not know that an opposing defender would make a spectacular interception. They knew that was possible—and needed to take it into account—but a fair analysis of the decision can’t use the hindsight knowledge we have now.

With that established, let’s make a simple model of the Seahawks’ strategic choices. They needed a touchdown to win. It was second down, so they could run three plays. The clock was running down, so let’s assume that if they run two running plays, the clock will expire before they can get a third play off; but an incomplete pass on the first or second play will stop the clock and give them time to run a third play. There are three play sequences they can use: run-run, pass-run-run, run-pass-run. (Passing more than once is bad strategy.)

Suppose that a run play with Marshawn Lynch scores 85% of the time, and gets stuffed at the line 15% of the time. If you run twice, there is a 2.25% chance you’ll get stuffed twice, so you win the game with 97.75% probability.

Suppose that passing on second down has these results: score: 50%, incomplete: 49%, interception: 1%. So if you call the pass-run-run sequence, the game outcome probabilities are: score: 97.90%, stopped short: 1.10%, interception: 1%. The odds of winning are a tiny bit better than if you just ran twice.

It’s counterintuitive that passing might be the right choice even though a running play is more likely to score. The reason it comes out this way is that you’re not passing instead of running, you’re passing because passing gets you an extra play and you can still try to run twice, absent a spectacular interception play by the opponent.

Now you can quibble with these probability estimates; and you can argue that the Seahawks might have had time to do three run plays. Change these assumptions, and the strategic calculations are different. But the argument so far should establish that the Seahawks weren’t crazy to pass.

The real kicker comes, though, when we consider the remaining option of run-pass-run. If the outcomes of a pass are still 50/49/1 on third down, then run-pass-run is a clear winner. But maybe a pass comes as less of a surprise on third down, so the outcomes of a pass might be worse. Even so, run-pass-run turns out to be the best strategy. For example, if the outcomes of a third-down pass are score: 25%, incomplete: 73%, interception: 2%, the run-pass-run strategy still scores 98.06% of the time, which is better than either of the other options.

The conclusion that run-pass-run is the best sequence is fairly robust against changes in the probability assumptions. If it’s wrong, it’s probably because of the assumption that run-run-run isn’t an option.

The Seahawks’ decision to pass on second down wasn’t crazy, but a better choice would have been to pass on third down. Announcers who said “just run twice” were giving bad advice. The Seahawks didn’t make a terrible play call; they made a reasonable choice but were defeated by a great defensive play.

avatar

On the Sony Pictures Security Breach

The recent security breach at Sony Pictures is one of the most embarrassing breaches ever, though not the most technically sophisticated. The incident raises lots of interesting questions about the current state of security and public policy.
[Read more…]

avatar

“Information Sharing” Should Include the Public

The FBI recently issued a warning to U.S. businesses about the possibility of foreign-based malware attacks. According to a Reuters story by Jim Finkle:

The five-page, confidential “flash” FBI warning issued to businesses late on Monday provided some technical details about the malicious software used in the attack. It provided advice on how to respond to the malware and asked businesses to contact the FBI if they identified similar malware.

The report said the malware overrides all data on hard drives of computers, including the master boot record, which prevents them from booting up.

“The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods,” the report said.

The document was sent to security staff at some U.S. companies in an email that asked them not to share the information.

The information found its way to the press, as one would expect of widely-shared information that is of public interest.

My question is this: Why didn’t they inform the public?
[Read more…]

avatar

PCLOB testimony on “Defining Privacy”

This morning I’m testifying at a hearing of the Privacy and Civil Liberties Oversight Board, on the topic of “Defining Privacy”. Here is the text of my oral testimony. (This is the text as prepared; there might be minor deviations when I deliver it.) [Update (Nov. 16): video stream of my panel is now available.]
[Read more…]

avatar

On the value of encrypting your phone

This is a true story.

Yesterday my phone crashed, and it wouldn’t reboot. Actually it would do nothing but reboot, over and over, with a seemingly different error message every time. I tried all of the tricks available to a technically handy person, and nothing worked—I couldn’t get it out of the crash-reboot cycle.

So I need to send my phone in for service. The problem is: the phone is full of my data, and I don’t want a random service guy to get his hands on that data. Nor do I want a random service guy to be able to resume whatever logged-in sessions I had on apps and sites when the phone started crashing.

What I want is to have the data on my phone encrypted. Strongly encrypted. Without a backdoor, because the service guy has no need to see my data and no right to get it. I would have wiped the phone’s memory before sending it in for service, but that would have required the phone to stay functional long enough to wipe itself.

What I don’t want is for the service guy to have access to a “secure golden key” that gives him access to my data.

avatar

Airport Scanners: How Privacy Risk Leads to Security Risk

Debates about privacy and security tend to assume that the two are in opposition, so that improving privacy tends to degrade security, and vice versa. But often the two go hand in hand so that privacy enhances security. A good example comes from the airport scanner study I wrote about yesterday.
[Read more…]

avatar

Researchers Show Flaws in Airport Scanner

Today at the Usenix Security Symposium a group of researchers from UC San Diego and the University of Michigan will present a paper demonstrating flaws in a full-body scaning machine that was used at many U.S. airports. In this post I’ll summarize their findings and discuss the security and policy implications.
[Read more…]

avatar

Princeton likely to rescind grade deflation policy

A Princeton faculty committee recommended yesterday that the university rescind its ten-year-old grading guideline that advises faculty to assign grades in the A range to at most 35% of students. The committee issued a report explaining its rationale. The recommendation will probably be accepted and implemented.

It’s a good report, and I agree with its recommendation. Princeton would be better off without its grading quota.
[Read more…]