October 30, 2024

Cheap CAPTCHA Solving Changes the Security Game

ZDNet’s “Zero Day” blog has an interesting post on the gray-market economy in solving CAPTCHAs.

CAPTCHAs are those online tests that ask you to type in a sequence of characters from a hard-to-read image. By doing this, you prove that you’re a real person and not an automated bot – the assumption being that bots cannot decipher the CAPTCHA images reliably. The goal of CAPTCHAs is to raise the price of access to a resource, by requiring a small quantum of human attention, in the hope that legitimate human users will be willing to expend a little attention but spammers, password guessers, and other unwanted users will not.

It’s no surprise, then, that a gray market in CAPTCHA-solving has developed, and that that market uses technology to deliver CAPTCHAs efficiently to low-wage workers who solve many CAPTCHAs per hour. It’s no surprise, either, that there is vigorous competition between CAPTCHA-solving firms in India and elsewhere. The going rate, for high-volume buyers, seems to be about $0.002 per CAPTCHA solved.

I would happily pay that rate to have somebody else solve the CAPTCHAs I encounter. I see two or three CAPTCHAs a week, so this would cost me about twenty-five cents a year. I assume most of you, and most people in the developed world, would happily pay that much to never see CAPTCHAs. There’s an obvious business opportunity here, to provide a browser plugin that recognizes CAPTCHAs and outsources them to low-wage solvers – if some entrepreneur can overcome transaction costs and any legal issues.

Of course, the fact that CAPTCHAs can be solved for a small fee, and even that most users are willing to pay that fee, does not make CAPTCHAs useless. They still do raise the cost of spamming and other undesired behavior. The key question is whether imposing a $0.002 fee on certain kinds of accesses deters enough bad behavior. That’s an empirical question that is answerable in principle. We might not have the data to answer it in practice, at least not yet.

Another interesting question is whether it’s good public policy to try to stop CAPTCHA-solving services. It’s not clear whether governments can actually hinder CAPTCHA-solving services enough to raise the price (or risk) of using them. But even assuming that governments can raise the price of CAPTCHA-solving, the price increase will deter some bad behavior but will also prevent some beneficial transactions such as outsourcing by legitimate customers. Whether the bad behavior deterred outweighs the good behavior deterred is another empirical question we probably can’t answer yet.

On the first question – the impact of cheap CAPTCHA-solving – we’re starting a real-world experiment, like it or not.

Counterfeits, Trojan Horses, and shady distributors

Last Friday, the New York Times published an article about counterfeit Cisco products that have been sold as if they were genuine and are widely used throughout the U.S. government.  The article also raised the concern that these counterfeits could well be engineered with malicious intent, but that this appears not to have been the case. There was an immediate Slashdot thread as well, but a number of issues are still worth commenting on.

First things first: the facts, as best we understand them.  The New York Times reports that approximately 3500 counterfeit Cisco components (worth $3.5M) have been discovered as a result of a two-year FBI investigation.  A Cisco spokesman is quoted saying that they found “no evidence of re-engineering.”  In other words, we’re talking about faithful knock-offs of legitimate products.

If you go to the FBI’s unclassified PowerPoint presentation (dated January 11, 2008), you’ll see all the actual information.  This is a fascinating read.  For starters, let’s talk about the cost.  The slides claim you can get a counterfeit router for approximately 1/6 the cost of a genuine router.  (You can do similarly well buying used gear on eBay.)  The counterfeit gear looks an awful lot like the genuine article.  Detecting differences here is as difficult as detecting counterfeit money, counterfeit Rolex watches, or counterfeit signatures from sports stars.  Given the apparent discrepancy between component cost and street value, we should be no more surprised to find knock-off Cisco gear than we are to find knock-off everything else.

Counterfeit vs. Original Cisco line card

It’s claimed that these counterfeits are built to lower manufacturing standards than the original equipment, causing higher failure rates. One even caught fire due to a faulty power supply.  Likewise, the fakers are making stupid errors, like building multiple components with the same MAC address.  (MAC addresses, by design, are meant to be unique – no two ever the same.)

The really interesting story is all about the supply chain. Consider how you might buy yourself a new Mac.  You could go to your local Apple store.  Or you could get it from any of a variety of other stores, who in turn may have gotten it from Apple directly or may have gone through a distributor.  Apparently, for Cisco gear, it’s much more complicated than that.  The U.S. government buys from “approved” vendors, who might then buy from multiple tiers of sub-contractors.  In one case, one person bought shady gear from eBay and resold it to the government, moving a total of $1M in gear before he was caught.  In a more complicated case, Lockheed Martin won a bid for a U.S. Navy project.  They contracted with an unauthorized Cisco reseller who in turn contracted with somebody else, who used a sub-contractor, who then directly shipped the counterfeit gear to the Navy. (The slides say that $250K worth of counterfeit gear was sold; duplicate serial numbers were discovered.)
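The duplicate MAC addresses mentioned above and the duplicate serial numbers found in the Navy case are exactly the kind of signal an inventory audit can catch before gear is racked. The following is an added example, not code from the article or from Cisco or the FBI: it parses a constructed inventory export (the `site,model,serial,mac` layout, the serials and the MACs are all invented placeholders), normalises MAC notation so the same address written three different ways still collides, and reports any serial or MAC seen on more than one unit.

```python
"""Flag duplicate MAC addresses and serial numbers in a hardware inventory.

Constructed example: an inventory export where each row is
"site,model,serial,mac". MACs are normalised so that the same address
written in different notations (colon, dash, Cisco dotted) still collides.
"""
import re
from collections import defaultdict

# Constructed sample inventory; serials, MACs and model names are placeholders.
SAMPLE_INVENTORY = """\
site,model,serial,mac
navy-a,linecard-model-X,SN0001,00:1A:2B:3C:4D:5E
navy-b,linecard-model-X,SN0002,00-1a-2b-3c-4d-5e
hq-1,linecard-model-X,SN0003,001a.2b3c.4d60
hq-2,linecard-model-X,SN0003,00:1A:2B:3C:4D:61
lab-1,linecard-model-X,SN0004,00:1A:2B:3C:4D:62
"""


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits regardless of separator style.

    Accepts 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e and 001a.2b3c.4d5e.
    Raises ValueError for anything that is not 48 bits of hex.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits.lower()


def parse_inventory(text: str) -> list[dict]:
    """Parse the CSV-style export into a list of row dicts keyed by the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    rows = []
    for ln in lines[1:]:
        fields = ln.split(",")
        if len(fields) != len(header):
            raise ValueError(f"bad row: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def find_duplicates(rows: list[dict]) -> dict[str, dict[str, list[str]]]:
    """Group sites by serial and by normalised MAC; keep values seen twice or more.

    Returns {"serial": {value: [sites...]}, "mac": {value: [sites...]}}.
    A duplicate in either field is a strong indicator of counterfeit or
    re-labelled gear and should trigger a physical inspection before deploy.
    """
    by_serial, by_mac = defaultdict(list), defaultdict(list)
    for r in rows:
        by_serial[r["serial"].strip().upper()].append(r["site"])
        by_mac[normalize_mac(r["mac"])].append(r["site"])
    return {
        "serial": {k: v for k, v in by_serial.items() if len(v) > 1},
        "mac": {k: v for k, v in by_mac.items() if len(v) > 1},
    }


def audit(text: str = SAMPLE_INVENTORY) -> dict[str, dict[str, list[str]]]:
    """Parse an export and return the duplicate report."""
    return find_duplicates(parse_inventory(text))


if __name__ == "__main__":
    for field, dups in audit().items():
        for value, sites in dups.items():
            print(f"DUPLICATE {field} {value}: seen at {', '.join(sites)}")
```

On the sample data the report flags serial SN0003 at hq-1 and hq-2 and MAC 001a2b3c4d5e at navy-a and navy-b, the latter only because of the normalisation step.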

Why is this happening?  The Government wants to save money, so they look for contractors who can give them the best price, and their contracts allow for subcontracts, direct third-party shipping, and so forth.  There is no serious vetting of this supply chain by either Cisco or the government. Apparently, Cisco doesn’t do direct sales except for high-end, specialized gear.  You’d think Cisco would follow the lead of the airline industry, among others, and cut out the distributors to keep the profit for themselves.

Okay, on to the speculation.  Both the New York Times and the FBI presentation concern themselves with Trojan Horses.  Even though there’s no evidence that any of this counterfeit gear was actually malicious, the weak controls in the supply chain make it awfully easy for such compromised gear to be sold into sensitive parts of the government, raising all the obvious concerns.

Consider a recent paper by U. Illinois’s Sam King et al. where they built a “malicious processor”.  The idea is pretty clever.  You send along a “secret knock” (e.g., a network packet with a particular header) which triggers a sensor that enables “shadow code” to start running alongside the real operating system.  The Illinois team built shadow code that compromised the Linux login program, adding a backdoor password.  After the backdoor was tripped, it would disable the shadow code, thus going back to “normal” operation.

The military is awfully worried about this sort of threat, as well they should be.  For that matter, so are voting machine critics. It’s awfully easy for “stealth” malicious behavior to exist in legitimate systems, regardless of how carefully you might analyze or test it. Ken Thompson’s classic paper, Reflections on Trusting Trust, shows how he designed a clever Trojan Horse for Unix.  [Edit: it’s unclear that it ever got released into the wild.]

Okay everybody, let’s put on our evil hats.  If your goal was to get a Trojan Horse router into a sensitive military environment, how would you do it and how would it behave?  Clearly, the weak supply chain is an excellent vector for getting the gear into place.  Given the resources of a nation-state intelligence agency, you could afford to buy genuine Cisco parts and modify them, rather than using low-cost, counterfeit gear.  Nobody would detect you; you wouldn’t screw up and ship multiple boxes with the same serial number.

How will you implement your Trojan Horse logic?  Pretty much any gear you’ll ever find of any modest complexity will have software running inside it.  Even line cards have embedded processors of some sort.  For all that hardware, there’s software, and that’s what you’d go to install your logic bomb.  The increasing use of FPGAs in industrial designs means you could also “rewire” those parts to behave arbitrarily, much like the Illinois hack; you’d really want to get a hold of the original VHDL “source code”, leveraging your aforementioned spying prowess, to simplify the design and implementation of your malicious behavior.  Hacking the raw netlists (the FPGA-equivalent of machine code) would be possible, but would be far more painful. [See Sidebar.]

What sort of behavior would you build in?  The New York Times raises the idea of a kill switch.  I send your router a magic packet and it dies.  That’s too easy.  How about I send your router a magic packet, it then forwards it on to all of its peers, repeatedly, and then they all die a few seconds later?  That’s a pretty good denial of service attack (never mind a plot device that was the basis of a popular science fiction television series). Alternatively, following the Illinois idea, we could imagine that the magic packet turns on a monitoring feature, allowing our intelligence agency to gather all kinds of information, reconfigure the router, and so forth.  If they don’t want to generate extra traffic, which might be detected, they could instead weaken the encryption of a VPN tunnel, perhaps publishing the session key through a subliminal channel of some sort, acquiring the ciphertext through “other” means.

In summary, it’s probably a good thing, from the perspective of the U.S. military, to discover that their supply chain is allowing counterfeit gear into production.  This will help them clean up the supply chain, and will also provide an extra push to consider just how much they trust the sources of their equipment to ship clean software and hardware.

[Sidebar: Xilinx supports a notion of “encrypting” a netlist.  Broadly speaking, the idea behind the technology is to encrypt the description of your FPGA configuration with a crypto key, such that anybody who reads the file out of your board gets encrypted garbage.  However, the FPGA has the key material to decrypt the configuration and then initialize itself normally.  This sort of technology is meant to serve an anti-piracy / anti-reverse-engineering purpose.  It could ostensibly also serve an anti-Trojan Horse purpose, although at that point it’s really no more or less secure, semantically, than Microsoft’s Authenticode.  This technology, more broadly, is also an active research area (see, for example, Roy et al.’s EPIC: Ending Piracy of Integrated Circuits).  Again, if we’ve got a nation-state intelligence service tampering with the system, none of this is going to provide meaningful protection for the end-user against Trojan Horses.]

One Laptop Per Child (New Version), Reviewed by 12-Year-Old

[Today we welcome back SG, a twelve-year-old who previously reviewed the B2 version of the One Laptop Per Child computer. SG had a chance to examine the latest (B4) version of the OLPC machine and write a new review. As before, the review is unedited, just as SG wrote it. – Ed]

After my first review, the administrators at OLPC were kind enough to send Mr. Felten the newer model of the computer, the B4, for me to review. The difference between the two models was quite dramatic. Between new games, new applications, design changes, and a few touch ups for the system, the B4 clearly outshines the B2. I didn’t even know about a bunch of problems in the B2 until they got fixed in the B4!

The minute I picked the new computer up, I saw the physical differences. There are bumps on the handle of the B4. The B2 has none. The flip-up antenna on the B2 was encased in hard plastic, and on the B4, it’s just thick rubber. The keyboards are pretty much the same, apart from a few minor differences along the top. Once I opened it up and started it, I noted how much quicker it booted up than the B2. Then I saw the icons. The B2 has fewer than half as many icons as the B4, which has 13!

As for games, entertainment, and the internet, this computer has bountiful resources. There were many new and fun programs. One of them, called “Block party”, is just plain old Tetris with a different name. As I am not really gifted in Tetris, I had a lot of fun losing repeatedly. The internet was a lot better on this newer laptop. In my last review, I complained about how slow it was and how the connection was so-so. In the B4, both of those problems have been fixed. It is quick, always connects, and is really very nice. If you don’t want to go on the web to read the new Freedom to Tinker article, “News Reader” lets you subscribe to websites’ feeds. In the games category, “Connect” is a game which can only be played on two separate OLPC laptops. The game is a little like tic-tac-toe. If you’ve ever played “Connect 4”, that’s the same game. If you want to watch some video clip from the web, “watch and listen”, OLPC’s media player, has you covered. Want some music? Use “tamtam”. This application is similar to Garageband, but not quite the same. Last but not least is “Record”. On the B2, “record” just took pictures with an okay camera. On the B4, you can take pictures with a pretty good camera AND record video with no time limit (as far as I can tell). I was surprised and overjoyed to discover I could take video with the new one.

One of the coolest applications is called simply “Chat”. It is basically an IM-ish kind of thing that works between all OLPC laptops. Since I got two laptops from OLPC, I could test out the chat application with my friends and family. I spent a lot of time having silent conversations with the friend sitting across the room, so that was fun. Etoys is another cool application, and it is definitely the program of a genius technologist. Although it is difficult to understand and use, once you get into the swing of things, it’s awesome. To use Etoys you make a “sketch” on the computer, then save it, and that’s where the fun begins. You can write “scripts” that make the sketch move around the screen in the way that you want. You can put it in “books” that have multiple pages for a flip book or make animations with it (i.e., a bouncing ball, flying bird, eating kid, etc.). In Turtle Art, you get a chance to write a simple program that makes the turtle in the middle of the screen move. It’s very cool.

Last review, I said that my main problem with the computer was its slow speed and its battery charge. And I am happy to say that both of those problems have been fixed in the new version. It has more applications, a higher-quality camera, more games, a few design changes for the better, and much more. I tested how long it would stay alive by opening it and leaving it open. Surprisingly, it stayed awake for more than four hours! And some other testing revealed that the B4 does, in fact, auto-save your documents and stuff if it runs out of battery while an unsaved document is on it. I like that feature, because there were many times with the B2 that I was typing and it just died, leaving me rather stunned for a couple of seconds until I came to my senses and wearily plugged it in. Then it would take hours to charge up again. But in the B4, it charges up really quickly. Another minor turn for the better is the plug. Now they are greener, more round, easier to hold, and they have the XO sign on them.

I thought that this version was way better than the last one. It was just easier to figure out, more fun to spend time on, just better. It’s going to be hard to send it back to OLPC, but I’m going to have to. It’s great that they’re going to start selling them to the public. (You have to buy two, and you send one to a needy kid in a third world country and keep one for yourself. Read about it in the New York Times… …) I hope I can get one!

For a regular laptop, this would be the paragraph about its problems, its deficiencies. But the thing is, there aren’t any problems with this computer! Congratulations, OLPC. You’ve done it. Or will you come out with yet better laptops? Is that even possible? We’ll have to see…

OLPC Review Followup

Last week’s review of the One Laptop Per Child (OLPC) machine by twelve-year-old “SG” was one of our most-commented-upon posts ever. Today I want to follow up on a few items.

First, the machine I got for SG was the B2 (Beta 2) version of the OLPC system, which is not the latest. Folks from the OLPC project suggest that some of the problems SG found are fixed in the latest version. They have graciously offered to send an up to date OLPC machine for SG to review. SG has agreed to try out the new machine and review it here on Freedom to Tinker.

Second, I was intrigued by the back-and-forth in the comments over SG’s gender. I had originally planned to give SG a pseudonym that revealed SG’s gender, but a colleague suggested that I switch to a gender-neutral pseudonym. Most commenters didn’t seem to assume one gender or the other. A few assumed that SG is a boy, which generated some pushback from others who found that assumption sexist. My favorite comment in this series was from “Chris,” who wrote:

Why are you assuming the review was written by a boy?
At 12 we’re only two years from 8th grade level, the rumored grail (or natural default) of our national publications. SG, you’re clearly capable of writing for most any publication in this country, you go girl! (even if you are a boy)

Third, readers seem to be as impressed as I was by the quality of SG’s writing. Some found it hard to believe that a twelve-year-old could have written the post. But it was indeed SG’s work. I am assured that SG’s parents did not edit the post but only suggested in general terms the addition of a paragraph about what SG did with the machine. I suggested only one minor edit to preserve SG’s anonymity. Otherwise what you read is what SG wrote.

Though sentences like “My expectations for this computer were, I must admit, not very high.” seem unusual for a twelve-year-old, others show a kid’s point of view. One example: “Every time you hit a key, it provides a certain amount of satisfaction of how squishy and effortless it is. I just can’t get over that keyboard.”

SG is welcome to guest blog here in the future. Kids can do a lot, if we let them.

One Laptop Per Child, Reviewed by 12-Year-Old

[I recently got my hands on one of the One Laptop Per Child machines. I found the perfect person to review the machine. Today’s guest blogger, SG, is twelve years old and is the child of a close friend. I lent the laptop to SG and asked SG to write a review, which appears here just as SG wrote it, without any editing. –Ed]

I’ve spent all of my life around computers and laptops. I’m only 12 years old though, so I’m not about to go off and start programming a computer to do my homework for me or anything. My parents use computers a lot, so I know about HTML and motherboards and stuff, but still I’m not exactly what you would call an expert. I just use the computer for essays, surfing the web, etc.

Over the last few days, I spent a lot of time on this laptop. I went on the program for typing documents, took silly pictures with the camera, went on the web, played the matching game, recorded my voice on the music-making application, and longed for someone to join me on the laptop-to-laptop messaging system. Here is what I discovered about the OLPC laptops:

My expectations for this computer were, I must admit, not very high. But it completely took me by surprise. It was cleverly designed, imaginative, straightforward, easy to understand (I was given no instructions on how to use it. It was just, “Here. Figure it out yourself.”), useful and simple, entertaining, dependable, really a “stick to the basics” kind of computer. It’s the perfect laptop for the job. Great for first-time users, it sets the mood by offering a bunch of entertaining and easy games and a camera. It also has an application that allows you to type things. The space is a little limited, but the actual thing was great. It doesn’t have one of those impossible-to-read fonts but it was still nice. When the so-so connection allows you to get on, the internet is one of the best features of the whole computer. With a clever and space-saving toolbar, it is compact, well designed, accessible, and fast.

But, unfortunately, the internet is the only fast element of the computer. My main problem with this laptop is how very slow it is. It’s true that I am used to faster computers, but that’s not the problem. It’s just really slow. I had to wait two minutes to get onto one application. That’s just a little longer than I can accept. Also, it got slower and slower and slower the longer I went without rebooting it. I had to reboot it all the time. We’re talking once every two or three hours of use! And one of the most frustrating things about the system was that it gave no warning when it was out of power (as it often was, because it lost charge very quickly) but just shut down. It doesn’t matter if you’re working on your autobiography and you had gotten all the way to the day before yesterday and forgotten to save it, it just shuts off and devours the whole thing.

This laptop is definitely designed for harsh conditions. Covered in a green and white hard plastic casing, it is designed not to break if dropped. It has a very nice handle for easy transportation and two antennas in plastic that can be easily put up. Once you open it, you see the screen (pretty high resolution) and my favorite part of the computer: the keyboard. It’s green rubber so that dust and water won’t get in under the keys, and this makes the keyboard an awesome thing to type on. Every time you hit a key, it provides a certain amount of satisfaction of how squishy and effortless it is. I just can’t get over that keyboard. There is also a button that changes the brightness of the screen. The other cool thing is that the screen is on a swiveling base, so you can turn it backwards then close it. This makes the laptop into just a screen with a handle.

All in all, this laptop is great for its price, its job, and its value. It is almost perfect. Just speed it up, give it a little more battery charge hold, and you have yourself the perfect laptop. I’m sure kids around the world will really love, enjoy, and cherish these laptops. They will be so useful. This program is truly amazing.