November 26, 2024

Insecurity Features

An “insecurity feature” is a product feature that looks like it provides security, but really doesn’t. Insecurity features can make you less secure, because they trick you into trusting something of value to a product that can’t properly protect it.

A classic example is the “Password to Modify” feature of Microsoft Word, as revealed recently on BugTraq by Thorsten Delbrouck-Konetzko. This feature allows a document’s author to establish a password that must be entered before the document can be modified. That would be a pretty useful feature – if Word actually provided it. But as Mr. Delbrouck-Konetzko revealed, it is easy for anybody to modify such a file without knowing the password. In other words, Password to Modify is an insecurity feature.

The flaw that caused this is pretty easy to understand. Word implemented the Password to Modify feature by storing the hash of the password at a special place in the Word document file. The problem was that there was nothing to connect the stored password-hash with the rest of the file, so there was nothing to stop somebody from moving a hashed password from one Word file to another. So suppose Alice created a file and put the password “A” on it. Bob could create his own file with password “B” and then copy his password into Alice’s file; then Bob could modify Alice’s file (since it contained his password, which he knew). For extra style points, when Bob was done he could copy Alice’s password back into the modified file.
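A toy model of the flaw described above, added here as an illustration and not taken from Word or from the BugTraq report: the dictionary layout, field names and hash functions are assumptions, not Word's real file format. It shows the swap succeeding when the stored hash is independent of the content, and failing when the stored value is an HMAC over the content, keyed from the password.

```python
import hashlib, hmac, os

def pw_hash(password):
    # Toy stand-in for the stored "password to modify" hash (not Word's algorithm).
    return hashlib.sha256(password.encode()).digest()

# Unbound design: the hash sits beside the body and nothing ties the two together.
def make_unbound(body, password):
    return {"body": body, "modify_hash": pw_hash(password)}

def edit_unbound(doc, password, new_body):
    if not hmac.compare_digest(doc["modify_hash"], pw_hash(password)):
        return False
    doc["body"] = new_body
    return True

# Bound design: the stored value is a MAC over the body, keyed from the password.
def _tag(body, password, salt):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(key, body.encode(), hashlib.sha256).digest()

def make_bound(body, password):
    salt = os.urandom(16)
    return {"body": body, "salt": salt, "tag": _tag(body, password, salt)}
def verify_bound(doc, password):
    return hmac.compare_digest(doc["tag"], _tag(doc["body"], password, doc["salt"]))

def edit_bound(doc, password, new_body):
    if not verify_bound(doc, password):
        return False
    doc["body"] = new_body
    doc["tag"] = _tag(new_body, password, doc["salt"])
    return True

def swap_fields(src, dst, fields):
    old = {f: dst[f] for f in fields}  # dst's previous values, handed back to the caller
    dst.update({f: src[f] for f in fields})
    return old

def run_scenario():
    # Constructed sample documents: Alice uses password "A", Bob uses "B".
    alice, bob = make_unbound("Alice's text", "A"), make_unbound("scratch", "B")
    saved = swap_fields(bob, alice, ["modify_hash"])
    unbound_edit = edit_unbound(alice, "B", "Bob's text")
    alice.update(saved)  # Alice's hash goes back; the file still carries her password
    alice2, bob2 = make_bound("Alice's text", "A"), make_bound("scratch", "B")
    swap_fields(bob2, alice2, ["salt", "tag"])
    bound_edit = edit_bound(alice2, "B", "Bob's text")
    return unbound_edit, alice, bound_edit, alice2["body"]
```

The MAC only makes a transplanted or edited file fail verification for someone who knows the password; it cannot stop raw byte edits to the file itself.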

Microsoft responded to this report by issuing a bulletin helpfully explaining that the feature was never really meant to provide security. The bulletin contains such statements as this:

Not all features that are found on the Security tab are designed to help make your documents and files more secure.

Unfortunately, Word’s user interface doesn’t do much of anything to help users distinguish insecurity features from real security features. For example, here is the relevant dialog box from my copy of Word 2000:



I’ve outlined the relevant area in red. The box on the left lets you establish a password to open the file; that’s a real security feature. The box on the right lets you establish a password to modify the file; that’s an insecurity feature. Nothing in the user interface tells you that the features provide very different levels of protection.

There’s another lesson here, in the fact that such an obvious problem exists in a popular Microsoft product, despite Microsoft’s recent focus on security, and despite all of the genuine security experts who work there. This flaw reflects a bad decision made by some non-expert programmer or manager a long time ago, a decision that has persisted for so long, one assumes, through sheer inattention and inertia. And it’s not only Microsoft who failed to notice this for so long. Any good cryptographer, on hearing a description of what the Password to Modify feature supposedly did, should have been very suspicious. The problem was there to see for a long time; but apparently nobody looked.

Panel on Copyright and Free Speech

Lawrence Solum reports on a panel discussion at the American Association of Law Schools conference. It’s an interesting discussion, and everybody seems to agree that there are significant and increasing conflicts between copyright and free speech.

In her presentation, Jessica Litman used my experience as an example of the chilling effect of the DMCA. Somehow this reminded me of the caption (but not necessarily the title!) on this classic despair.com poster: “It could be that the purpose of your life is only to serve as a warning to others.”

Radio Revolution

Smart radios are a sleeper technology. They’re being developed right now; they’ll have a huge impact; but they’re not getting anywhere near the attention they deserve.

Smart radios rely on computer processing power, rather than simple analog circuits, to extract information from the electromagnetic spectrum. This simple idea has profound implications for wireless communication, implications that we are only just beginning to understand.

“Radio Revolution” is a new paper by Kevin Werbach, published by the New America Foundation and Public Knowledge. It’s the best introduction I’ve seen, for a nontechnical or semitechnical audience, to smart radios and their implications.

So far, this area is one of the real success stories for the U.S. government’s technology policy. The FCC seems to “get it” and is moving in the right direction, although cautiously.

Predictions for 2004

Happy New Year! This time of year, journalistic convention requires even micro-pundits like me to make predictions for the upcoming year. This goes for the rest of you bloggers too – let’s see your predictions!

Like everybody else’s predictions, some of my predictions are obvious, some will be hilariously wrong, and all of them will be conveniently forgotten later. Also like everyone else, I’ll look back at the end of 2004 and wonder how I left out the year’s biggest story. But here goes anyway.

(1) Some public figure will be severely embarrassed by an image taken by somebody else’s picture-phone or an audio stream captured by somebody else’s pocket audio recorder. This will trigger a public debate about the privacy implications of personal surveillance devices.

(2) The credibility of e-voting technologies will continue to leak away as more irregularities come to light. The Holt e-voting bill will get traction in Congress, posing a minor political dilemma for the president who will be caught between the bill’s supporters on one side and campaign contributors with e-voting ties on the other.

(3) A new generation of P2P tools that resist the recording industry’s technical countermeasures will grow in popularity. The recording industry will respond by devising new tactics to monitor and unmask P2P infringers.

(4) Before the ink is dry on the FCC’s broadcast flag order, the studios will declare it insufficient and ask for a further mandate requiring watermark detectors in all analog-to-digital converters. The FCC will balk at the obvious technical and economic flaws in this proposal.

(5) DRM technology will still be ineffective and inflexible. A few people in the movie industry will wake up to the hopelessness of DRM, and will push the industry to try another approach. But they won’t be able to overcome the industry’s inertia – at least not in 2004.

(6) Increasingly, WiFi will be provided as a free amenity rather than a paid service. This will catch on first in hotels and cafes, but by the end of the year free WiFi will be available in at least one major U.S. airport.

(7) Voice over IP (VoIP) companies like Vonage will be the darlings of the business press, but the most talked-about VoIP-related media stories will be contrarian pieces raising doubt about the security and reliability implications of relying on the Internet for phone service.

Spammers Concerned by CAN-SPAM?

Alan Ralsky, one of the biggest spammers, thinks the new CAN-SPAM act will hinder his spamming business, according to Saul Hansell’s story in today’s New York Times. Naturally, everything this guy says should be viewed skeptically, but the article is interesting nonetheless.

Mr. Ralsky talks a lot about himself in the article, and a revealing picture emerges. He has constructed a (rationalized) view of himself as a legitimate businessman who has been forced by those nasty antispam technologies to resort to practices like operating underground, forging mail headers, using open relays, and so on. Now the CAN-SPAM Act will ban some of those practices – and he wants us to feel sorry for him!

Mr. Ralsky also claims that he has been inactive (i.e., not spamming) for the past few weeks. I’ve been remarking to people for the last couple of weeks that there seems to be less spam than there was before. I almost wrote a blog entry asking all of you whether you had seen the same thing. Is it just the holiday season? Or is this one guy sending lots of my incoming spam?

Mr. Ralsky says he will soldier on, continuing to spam while complying with the new law. But he worries that his compliance will make it easier for people to filter out his messages. Let’s hope so.