Wednesday, 19 July 2017

Evil Thoughts: be the fox in your own hen house lot of people feel that we only really wake up to security when we’re stung by an attack. I’m not sure this is true. For example, we might learn less about security when our house is burgled than we do when we lock ourselves out. We always manage to get back in eventually, after all. We might find inventive ways to gain entry or call a locksmith who will have the door open in about five seconds. Either way, we learn something about our house’s vulnerabilities and how secure it really is.

We might remember that one slightly dodgy window latch we’ve been meaning to fix and wonder if we might be able to wiggle it open from outside. We might use an improvised device to see if we can open a door from the inside through the letterbox. We wonder whether we could use that rock in the garden to smash a window. We worry about setting off the alarm, but then remember that nobody takes any notice of alarms anyway.

Whatever – and regardless of whether we succeed – we’ve suddenly thought a lot more about home security than we ever have before. In contrast, when we’re burgled we tend to assume that the burglars have secret knowledge or skills because, well, that’s what burglars do. We expect burglars to be able to gain entry if they try long and hard enough, but we assume this is because of their ninja skills, not because our houses are all fundamentally insecure.

It’s only when we try to break in ourselves that we realise the truth.

This is why penetration testing (aka pen testing) exists. A pen test is an authorised attack on a system designed to expose its vulnerabilities so that they can be fixed. It’s the equivalent of the desperate householder trying to break in to their own home. There are many pen testing specialists out there and the field seems to be growing. This is because to take security seriously, you must see the system from outside and tech companies are increasingly recognising this.

This is also true of our own personal systems: our networks of computers, tablets, phones, ebook readers, digital assistants, smart devices, connected lightbulbs, software, services (such as social networking, online purchasing etc) and – importantly – our friends and family. We need to think about those things as if we were trying to gain elicit access to our own stuff if we are to protect our privacy and safety.

A trivial example: we might not feel a need to lock our computers when we leave the house, because the house itself is locked and anyway, it’s annoying to have to type in passwords every time the screen locks. But we’ve just seen how easy it is to break into a house. It’s not unreasonable to expect that – increasingly – burglars will enter our homes to gain access to our devices for the information they contain as much as for the value of the hardware. Leaving aside for now the standard (and incorrect) defence that “there’s nothing interesting on my devices anyway” (which I’ll talk about a lot more in weeks to come), our devices are very useful to people with ill intent. They might not have any particular grudge against us, but might use the data on our devices to steal our identities, creating new credit accounts in our name, spending the contents and saddling us with the debt and the damage to our credit ratings.

We need to think about the things a bad guy might do if they had physical access to our devices and implement safeguards which will stop them doing harm or at least make it too difficult to bother. We need to think like the burglar rather than like the complacent homeowner.

A more complicated example: a security setup is only as good as its weakest link. Sometimes the weakest link is a person or our relationship with that person. Our friends and family might be leaking information about us that could be useful to an attacker. Which means, of course, that we are probably doing the same to them. Here is one way we can weaken other people’s security without necessarily knowing it:

When we use Amazon to buy a gift for someone (to be sent to them directly), we’re telling Amazon an awful lot about that person. We’re telling Amazon that they are associated with us in some way, that perhaps it is their birthday or anniversary, the kind of things they like (or at least the things we think they like) and so on. If our friend also has an Amazon account – which is very likely – then Amazon will know even more. It will know about the people they buy gifts for, the other people you buy gifts for and might be able to track which of these other people also buy gifts for each other. They’ll be able to infer how good we all are at gift buying, based on the differences between what we buy for other people and what they buy for themselves. They can infer the strength or quality of relationships based on the money we all spend on each other and even on how late we leave it before ordering something, whether we look at their wish lists and so on. We’ve given away a lot of potentially exploitable information about people who didn’t give us permission to do so and probably don’t know that it has happened. And chances are they’re doing the same to us.

All this information could be available to criminals whenever Amazon is hacked, which will certainly happen quite often.

This is why we need to think like burglars rather than householders. We need to act like we’re locked out and have to find interesting ways to get back in through improvised means. We need to be the fox in our own hen-houses.

But while I think this is sound advice, it isn’t very practical yet. I’ll get around to more practical advice in the coming weeks. In the meantime, here is an example to get you thinking about the criminal mindset you’ll need to keep you and your friends safe.

When you last changed a password because you forgot the old one, did you do something like open a new message in your email client to temporarily store it before you could memorise it or store it somewhere more secure (I’ve seen people do this)? Do you know whether the email client saved that message as a draft? Draft emails are often a rich source of useful information, partly because we all tend to forget they exist.

Be sneaky! Tell me about your sneaky ideas in the comments.

Tuesday, 18 July 2017

DRM needs to protect people other than the rights holders

I'm all for people being able to protect the content they've created from being abused, but DRM
(Digital Rights Management) is frequently used for less noble purposes.  I'll go into this in this week's Wednesday post.

The World Wide Web Consortium (W3C) and partcularly its director Tim Berners-Lee (yes, that Tim Berners-Lee) recently decided to ignore numerous objections by W3C members and the internet-using public in general to go ahead with its plan to incorporate DRM into the web's body of standards.

There are numerous problems which I'll talk about tomorrow (or you can read the text of the EFF's apppeal against the decision here).  For now, read the EFF's appeal to get a sense of who and what we're fighting.

Creators deserve protection but publishers shouldn't get to decide how consumers use the content they've bought or how resarchers investigate the security of DRM systems or which innovations are allowed to succeed. This is the battleground. I'll write more about it tomorrow.

Breaking encryption

Breaking encryption is a really bad idea. There's no such thing as a back door that 'good' people (such as governments) can use and bad people such as criminals can not. This doesn't prevent virtually every government from pledging to force technology companies to implement encryption back doors in the false name of security against terrorist attacks. This won't work because terrorists do not have much incentive to obey the law. This rather reminds me of the little green visa forms you had to fill in when flying to the US. You had to tick a box to say you hadn't committed any genocides as though lying on the visa form was the greater offense.

Australia's government is the latest to adopt this pre-beaten dead horse of a stupid idea. They're copying the UK, which makes me feel guilty. I feel I must apologise for the conduct of our nation. Sorry, Australia.

The article I quoted goes over the usual stuff but I found the following amusing (emphasis mine):
But some experts, as well as Facebook, warned that weakening end-to-end encryption services so that police could eavesdrop would leave communications vulnerable to hackers.
The quote from Australian Prime Minister Malcolm Turnbull is exactly as terrifying as it is hilarious:
The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia.
I look forward to the anti-gravity bill. 

Absolutely not what this blog was named after.
Welcome to the relaunched evilwednesday. There will be a few changes around here.

The biggest change is that I'll be posting more often and more briefly. I'll try to limit myself to a few sentences on each post unless I don't. It is my blog :) I'll also write some commentary every Wednesday about various topical things. That's generally where I'll be more expansive.

As always the topics will relate to privacy and open rights. Other topics I'm interested in such as human rights, social justice, atheism, skepticism, cats will appear on another blog (URL to follow when I've decided where to put it) and those posts will be cross-linked here without comment so you can more easily ignore them.

Finally, I'll be trying to publicise this content more widely and generate some interest in privacy/open rights activism.

If you have anything to contribute, the comments are your playground.