Security
The Price of Freedom
“Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.”
-Benjamin Franklin
I often wrestled with the above statement, re-quoted so many times by so many people in the face of any security argument. In the urge to “connect the dots” after 9/11, I often wondered what Ben Franklin would have thought of his now famous statement. Would he still agree? Is it too much to ask to purchase a little safety?
The world we live in today is much different from that 234 years ago to the day. We live in a time of magic and awe. Six billion people inhabit this planet, many of them able to share their thoughts and ideas with millions of others instantly regardless of distance or location. We are able to send anyone or anything anywhere on the globe within 24 hours. A butterfly flapping its wings in Africa may be able to eventually spawn a hurricane in the north Atlantic, but that’s nothing compared to the speed of an email or Twitter wave.
Never before has the world been so open and interconnected, and every day the lives of thousands everywhere get incrementally better as the walls that held back human progress in the remote locations of the world come crumbling down. Yet the same mechanisms that whisk thoughts and goods and people from place to place also send threats and malcontent over the same channels. Some are terrified at the rapid changes in people’s lives, and are driven to violence. Others believe that the rest of the world should stay as it is, that we should build the walls again, and leave the rest to its machinations.
To the latter group, it is a fool’s wish. The world will never close up again. And it is here we find ourselves today.
I wondered what Ben Franklin would have said. If we were not to give up liberty for security, then were we to give up security? Would it be inevitable that people would be bossed and shoved around? Terrorized? Harmed? Killed? Who would advocate this? No, I thought, people were being too thin-skinned. It doesn’t matter if the FBI or so is reading your email, they’re not out to get you anyway. An extra security line here or there to check for bombs is fine. The nation got its fill of seeing people jump out of skyscrapers to their deaths to avoid being burned alive, and we would all toughen up to avoid having to go through that ordeal again.
I thought this for a while, until I passed a New Hampshire license plate.
It’s been said so much from such an early time that the words became meaningless to me, and yet one day, driving down the interstate, it clicked. There was a time when people didn’t have a say in how their affairs were run. They were forced to pledge loyalty to some guy an ocean away, who didn’t give a shit about them unless the taxes weren’t being paid. People were tried and convicted in mock courts, under laws that were suspended at will, and where death by hanging could be the penalty for a trivial offense.
The people who endured this chose not to fall in line, but rather, they declared war.
The statements “Live Free or Die”, “Give Me Liberty, or Give Me Death!” are quotes that are referred to often. They were spoken by ordinary men who were fully willing to embrace the threat of harm to ensure the right to live as they pleased. A terrible conflict ensued, and thousands perished.
We honor this day and others during the year and speak to those days when those citizens before us decided enough was enough and they would be terrorized no longer. We celebrate, rightfully, what was a monumental occasion.
It has been over two centuries since that conflict. But these days I feel that sentiment, the lessons from that struggle, are more relevant than ever. Our world holds untold promise and prosperity, but also new threats and dangers. We face risks and read about horrors that the founding fathers never would have imagined.
Many in this country think we should do everything we can to protect our citizens from every conceivable threat and attack. This is a laudable, if unrealistic, aim. Nevertheless, we try. But in doing so we often erode those liberties the founding fathers spoke of. We read email, install full body scanners, take off our shoes at airports. You can no longer photograph some buildings or officials, for fear of undertaking reconnaissance. Some declare that the constitution should no longer apply to those accused of terrorism, U.S. citizen or not.
Those in the security business would tell you that these measures work to a marginal extent. A determined attacker will get through eventually. However, many would argue that any measurable increase in security is worth the price.
The founding fathers would disagree.
No one would argue the need for practical measures, for vigilance, for a strong military and law enforcement. But the day will arrive, occasionally, where harm is done or lives are lost. And it is we, the ordinary U.S. citizen, who must remember that it is the price we pay for enjoying such little interference in our affairs, for the right to do as we please while upholding the rights of others, for the right to choose, to speak out, to condone and complain.
We are not defenseless. Bravery, ingenuity, cleverness, and tenacity continue to protect this nation of 300 million every day. We are not on the verge of being annihilated, and we were wise to structure our government in such a way that we rely on no one man or family for continuity. Our military, our intelligence agencies, federal and local police, all of our lines of defense filter and stop so much. But there is a threshold at which point security begins to trump liberty, and it is there where we must accept that residual risk and bear the burden ourselves, as the revolutionaries once promised to do, and did.
Have a happy 4th of July everyone. =)
Cyber Command
I was reading over Schneier’s blog on the recent hearings for Lt. Gen. Alexander’s nomination to head the US Cyber Command, which would be a new unified DoD command to address IA issues, both offensive and defensive. Reading through Schneier’s comments and those who replied to his post, I was a bit taken aback.
I didn’t find anything in his remarks that was particularly alarming (the comment that DHS and the FBI would be the primary agencies to address domestic IA issues spoke volumes to his views on his command’s AOR), but lots of snide comments from the peanut gallery that somehow the military is wasting its time and that the threat to DoD information assurance is somehow a myth.
Granted, DoD, just like a private organization, is loath to acknowledge when they’ve been compromised, but most readers here, I’m sure, would recognize that it’s occurred many times in the past. So I’m a bit puzzled that when DoD starts discussing a unified command to deal with these issues, they’re met with ridicule.
There are justifiable and wholly appropriate questions being asked on just how DoD intends to defend its networks, and they and outside individuals correctly recognize that the nature of the internet means that threats will originate from inside and out, across a myriad of state lines, sovereignties, various agencies and organizations. People have a right to know how DoD will respond in these cases, but don’t be surprised or offended if they come knocking.
Government agencies, which control VAST networks handling everything from taxes to health care and military communications, are finally starting to get serious about network security, and they need our help. (They can start by dropping the “cyber” part of their name. =P ) But the cries of “BULLSHIT”, “Buy American!” and “wahhh! Wiretapping!!!” echo Tea Party-like cries of bogeymen and conspiracies that are not there.
Be concerned. Question, critique. But please, don’t expect them to sit back and do nothing while they’re getting lambasted online and off. The Government moves much slower than we’d all like them to, but at least we’re starting somewhere. The Cybersecurity Act and this command are at least a starting point. The former got lots of good input and revision before it was done. We can do the same here.
P.S. Everyone knows what a probe is. (Hint, it’s not just a ping sweep.) No, he didn’t spell it out for the congressmen in the room, and he didn’t need to. Remember, these people interviewing him send “internets” to one another. =P
Pwn2Miss the point.
There’s been a lot of coverage on the Pwn2Own event, in which various browsers are hacked in seemingly under 3 seconds.
My friend Ken had a really excellent analogy.
“that would be like saying someone ran the new york marathon in 12 hours, implying anyone can do it that quickly. But forgetting the years of training it would take to build up that endurance. ”
The media never assumes that someone just wanders up to the starting line on a whim and cranks out a record time. So why is it always misreported that these researchers cracked a browser in so many seconds? They didn’t hack the browser in 3 seconds; the 3 seconds was the time it took to execute the script they spent the previous year creating. =P
Trusting SSL
New School has a recap and a commentary on the disclosure of an internet appliance that can be used to eavesdrop on HTTPS communications. That is, web applications such as banking, e-mail, commerce, and the like.
Before anyone panics, it’s not a hack, exploit, or otherwise. Actually the box itself doesn’t do much at all. The device relies on a certificate authority to forge a certificate of a legitimate website (The CA having assigned the certificate in the first place) so that the box will appear, for all intents and purposes, to be the actual site. Man in the middle.
What New School does a good job of pointing out is that this is not, as stated above, an exploit or hack, but a breakdown in trust. The company that markets the device does so to law enforcement and intelligence agencies, and I have no reason to suspect that they have not been able to convince a CA to forge a certificate for them on request. The fault lies solely with the CA that created the forged certificate that allowed the appliance to appear as the legitimate site (something digital certificates were designed to protect against). It is, essentially, the ultimate irony. The groups asked to be the most trustworthy could easily destroy that trust, and undermine the system in the process.
There’s no evidence that any of this is taking place on a wide scale, or by which CAs, if any more than one or two at all. But as the author points out, browsers come preloaded with the certificates of hundreds of CAs, any of which can then be used to validate most certificates on the net. I can only guess at a future where users would be recommended to be more selective in the CAs they trust, based on a history of those shown to abuse that trust or not.
Security Questions
You’ve seen them. The Security Question. Sign up for an account, pick a password, then fill in the answers for a few questions so that the system can identify you in case you lose your password.
The problem with these is that the answers to the questions are weaker alternatives to the passwords themselves. Both require the user to identify themselves via a string that only they should know. The questions, however, have two flaws:
1. The answers to the questions are generally not considered confidential. “Your mother’s maiden name” is a piece of information that may not be commonly known, but is not exactly often considered secret either. Same for the names of the schools you attended. With the rise of social networks and the vast amounts of personal data individuals fill out in these, it’s become easier than ever for someone else to answer these questions correctly.
2. The answers are not random character strings. Think of all of the times you were told that a good password must contain symbols and numbers or what have you. This is a good practice, and it’s to help ensure that (to some degree) the password is as random as possible. Security questions often prompt for a word however, and this greatly lessens the amount of possible correct answers. An eight character password, using just lowercase letters, numbers, and ten different symbols, gives a possibility of over 20 trillion combinations, a steep hill for a brute force attack. Yet the English language has, at the high end of estimates, barely a million words. Quite a lot, but far less daunting. (This is a very simplistic example, but I believe the point stands.)
There’s been a lot of talk on the first point, but Light Blue Touchpaper has a really neat post focusing on the second. They reference a recently published paper that goes into the details on how successful drive-by brute forcing of accounts via the security questionnaire is, and it’s surprisingly high.
So what does one do about it?
1. Refuse to play along. One of the best pieces of advice I received from one of my infosec professors: If you have a security question, answer it with something else entirely. If it asks for say, your mother’s maiden name, put in the name of your school. Make it something hilarious, and you’ll be better able to remember it. Even if someone does find out your mother’s maiden name, an attacker will be puzzled as to why it doesn’t work.
2. According to the paper though, even that may not be enough. While the paper focuses on single names, (and the above, I think, will give you a reasonable level of security) the use of an actual word is still relatively weak for the reasons I outlined above. So use a password. Make it the same as the one you use for the account, or a different one. Both the question and the actual password challenge (and you do use a strong password, right?) will be protected at the same level.
But what if you do actually forget your password? Isn’t that what this was supposed to fix? The first suggestion would be to use a password escrow manager, such as KeePass, so that you only have to remember one password, and can then access all of the others. The other suggestion? Write it down. Seriously. Write it on a pad of paper, and protect that paper. If you’re in a work environment, then this does not apply. Your office is not private. (No, really, it’s not. You don’t own or control the building.) But for home, it’s more than sufficient. Keep it hidden in a desk or so, and pull it out when you need to. You’ll lessen the number of passwords you need to remember and make it easier to create more complex ones.
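To make the keyspace comparison in the two flaws above concrete, and to show why answering a question with a password-grade string (suggestion 2) matters, here is a small strength estimator. It is an added example, not code from the original post; the alphabet sizes and the one-million-word vocabulary are the figures quoted in the post, and `answer_search_space` is a hypothetical helper that scores a plain word as one dictionary entry rather than as a character string.

```python
import math
import re
import string

# Figures from the post: eight characters drawn from lowercase letters,
# digits and ten symbols, versus a high-end estimate of English vocabulary.
PASSWORD_POOL = len(string.ascii_lowercase) + len(string.digits) + 10  # 46
PASSWORD_LENGTH = 8
ENGLISH_WORDS = 1_000_000


def keyspace(pool_size: int, length: int) -> int:
    """Number of distinct strings of `length` over an alphabet of `pool_size`."""
    return pool_size ** length


def entropy_bits(space: int) -> float:
    """Search space expressed as bits; an empty space contributes nothing."""
    return math.log2(space) if space > 0 else 0.0


def answer_search_space(answer: str, wordlist_size: int = ENGLISH_WORDS) -> int:
    """Upper bound on guesses needed to hit a recovery-question answer.

    Hypothetical scoring rule based on the post's argument: if the answer is
    one or more plain words, an attacker works from a dictionary, so the space
    is (wordlist size) ** (number of words), never more than brute-forcing the
    letters themselves. Anything else is scored like a password: the size of
    the character classes present, raised to the length.
    """
    a = answer.strip()
    if not a:
        return 0
    words = re.split(r"[\s\-]+", a)
    if all(w.isalpha() for w in words):
        letters = sum(len(w) for w in words)
        return min(wordlist_size ** len(words), keyspace(26, letters))
    pool = 0
    if any(c.islower() for c in a):
        pool += len(string.ascii_lowercase)
    if any(c.isupper() for c in a):
        pool += len(string.ascii_uppercase)
    if any(c.isdigit() for c in a):
        pool += len(string.digits)
    if any(c in string.punctuation for c in a):
        pool += len(string.punctuation)
    if any(c.isspace() for c in a):
        pool += 1
    return keyspace(pool, len(a))


def effective_bits(password: str, answer: str) -> float:
    """The recovery question is an alternative login, so the account is only
    as strong as the weaker of the two secrets."""
    return min(entropy_bits(answer_search_space(password)),
               entropy_bits(answer_search_space(answer)))


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample secrets; "Smith" stands in for a maiden-name answer.
    print(f"password space (post's figures): {keyspace(PASSWORD_POOL, PASSWORD_LENGTH):,}")
    print(f"single-word answer space:        {answer_search_space('Smith'):,}")
    for pw, ans in [("k3$pq!7m", "Smith"), ("k3$pq!7m", "k3$pq!7m")]:
        print(f"{pw!r} + answer {ans!r}: effective {effective_bits(pw, ans):.1f} bits")
    # Throttling the recovery form changes the picture: 1e6 words at ten
    # guesses an hour per account, versus an unthrottled 1000 guesses a second.
    print(f"throttled: {years_to_exhaust(ENGLISH_WORDS, 10 / 3600):.1f} years")
    print(f"unthrottled: {years_to_exhaust(ENGLISH_WORDS, 1000) * 365 * 24 * 3600:.0f} seconds")
```

The throttled figure is the defender's side of the post's point: when the answer is a dictionary word, per-account rate limiting on the recovery form is what keeps the million-word space out of reach.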
The Dislike Button
Over the past months/year, Facebook users have been clamoring for a “Dislike” button in addition to the “Like” button that exists. Imagine my surprise when I saw a page claiming to be “THE DISLIKE BUTTON***OFFICIAL APPLICATION”
I wanted to see just what was here, so I fired up VMware with a sandboxed machine, and created a dummy Facebook account.
The first thing there was a giant image map made to look like Facebook. This ran under its own tab on the Dislike Button wall page.

The button it points to isn’t actually a button at all, but an image map that consumes the whole right side of the page. Clicking it expands a window asking the user to fill out a survey in order to download the app. The window was actually loaded from “the-dislike-button.com”. Loading the app in Firefox with Adblock installed prompted me with a message asking me to disable the adblock software before I could view the page. Interesting.
So I did. Then I got this:

See that text at the very top? Just what it says. $9.99 a month. The fine print below was even better:
“Summary terms: This is an auto renewing subscription service that will continue until canceled anytime by texting STOP to short code 70438. Available to users over 18 for $9.99 per month charged on your wireless account or deducted from your prepaid balance”
The survey was a 10 question quiz which then prompted the user to enter their telephone number to get the results. I entered a bogus 555 number and clicked through.
At that point, I got a number of other ads, a “mywebsearch” toolbar installer, followed by a few other popups.
Meanwhile, the Dislike Button app page was still waiting for me to complete my surveys. After clicking through whatever I could, I still didn’t manage to install the app. I can only imagine what would have happened then. (At the very least, this organization would now have whatever Facebook private info I had posted.)
The strategy behind this isn’t new: Something is offered, which will be given after a free survey or the like, which collects the user’s contact info as well as inadvertently signing them up for purchases they didn’t intend to make. First time I’ve seen it on Facebook however.
What surprised me was the number of fans. Over 300k as of this evening.
So! Lessons learned? Be wary of disingenuous apps. My thoughts on Farmville or anything else aside, no app will ask you for anything other than a “install” button through the actual Facebook site. No surveys or anything required. Also, read the fine print.
For those of you who do have third-party apps installed, consider how they’re configured and what data you’re sharing with them. For a good guide on how to limit or remove apps, I recommend the excellent Ars Technica Facebook Privacy Guide.
When it comes to free apps or amazing offers, it helps to remember that “there is no such thing as a free lunch”. No one, (except for maybe the most diehard open source geeks =P ) sits and codes for days and then releases their app for free. Everyone has an angle, or something they’re getting out of it. Read the fine print, and ask yourself what the motive is. You’ll usually find the price soon after.
That’s not to say the price is never worth it, but when it’s your personal info or security at stake, it never hurts to ask.
Is this the Droid you are looking for?
I’ve been on a bit of a social media kick as of late, starting up a Twitter account and launching a new website. I place a lot of blame for that on my smartphone. Having slowly gotten hooked on the concept of mobile e-mail by my work Blackberry (gateway drug?), I planned on getting a Storm2 soon after its release. Reviews for the device were mediocre, but many were glowing in praise for Motorola’s Droid, the Google Android powered device also being offered on Verizon’s network.
“Why didn’t you jump on the iPhone?” you ask. Variety of reasons. For one, I’m not a big early adopter of personal electronics and social apps. Not sure why. My PCs are cutting edge, but I didn’t get an iPod till the 4th generation. The Droid represented my first foray into smartphones (aside from my work Blackberry, and that was slow in coming). In some cases it’s a lack of device maturity; in others, I fail to get taken in by the hype. It’s probably a personality issue; the more everyone jumps on something, the more unlikely I am to do so myself, an irrational thought that what’s suddenly good for everyone is, for that reason, not good enough for me or something. But I usually come around eventually, and that has its own rewards, in that I’m usually introduced to a more polished product.
So life has been different with a smartphone in my pocket. And with it has come the desire to use more and more of the “web 2.0” everyone talked about so much, because now it suddenly makes sense. It’s far from a phone in your pocket; it’s a computer in your pocket, and with the cellular network, it’s having the world with you at all times.
I can share trivial things, quickly and with little interruption. “I saw this, and it’s cool.” Is it important? Probably not. But quick text and “status” updating apps such as Facebook and Twitter have made it easy to share the odds and ends we run into every day. The key to this though is not only the ability to share these things quickly and with little effort, but to read and absorb them with little effort as well. I think this last point is the more important of the two, and it finally clicked for me the other day that this is the reason Twitter is so popular. I can get very brief, simple updates from many people, and it all but takes a few seconds. This seamlessness is what makes it so much more convenient and appealing over a direct e-mail or phone call.
The result of this also is that we can rack up social points and time with people without having to establish a dedicated conversation over the phone or so, which isn’t always convenient. And it enables interaction with many people at once, instead of overly focusing on one.
That’s not to say that face-to-face time has suddenly fallen by the wayside. But for the times when you want to have trivial conversations with someone throughout the day, it’s a welcome development.
The information at one’s fingertips astounds me. I get traffic info on my phone. My fiancee e-mails me grocery lists. I have my full calendar with me in my pocket, which syncs to the cloud, and to my friends’ calendars as well if I wish it to. (Which is awesome when you’re planning for a group.) Ask a question, and I can wiki it on the spot.
On the techie side of things, the fact that 3G and cellular networks in general are becoming more and more like a general internet service is evident in the phone’s networking capabilities. I can tether a computer network to my phone, forward all of the traffic over an SSH tunnel to a proxy server at home, or any other number of things. (The ability to do this and establish a Remote Desktop connection on my phone still awes me.)
Of course, many of these things are not unique to the Droid. iPhone will do it, Windows 7 Mobile will do it, other Android devices will do it, as will Palm. Pick your poison. Eventually though, just as we saw with camera phones and color screens, we’ll all have one of these. I do find that rather cool.
There are, of course, changes and consequences of any great technological change. Here’s a few I can think of just off the top of my head:
- The current regulatory climate is ill-prepared for these sorts of services. Cable networks, phone networks, cellular, and internet are all regulated differently. But these services all ceased to be different a long time ago. All of these networks run on Internet Protocol now, and all of them deliver some if not all of the services the others provide. The only differing mechanism is the physical medium each service uses. Rules need to be drawn up for “Information Services” (since that’s what all of these are) and placed under that framework.
- Some commentators have been warning of security issues on the phone in the past. If they were early then, they aren’t now. This is a full-blown computer in your pocket, and has all of the same attack surface as your PC at home. As these are becoming more ubiquitous (and they are), this will become more and more of an issue. Smartphones (which again, are really pocket computers) are not thought of as devices in the same class as a desktop or laptop. This will need to change quickly.
- Many privacy issues exist. I’m not necessarily talking about wiretapping. One of the key differences between your smartphone and your PC is that you control your PC. You have physical access to it, you can build your own, wipe it, load your own software, etc. It is your device, and so long as it understands Internet Protocol, you are free to control it as you wish. This is not true of your phone. With the exception of the few out there hacking apart Android, your phone company controls your handset. Its features and functionality are ultimately delegated to you by your service provider. We’ve seen the dangers of network operators who abuse this control. It will need to be something that’s carefully looked at. Google’s Nexus One concept is promising in that it removes the provider from the handset, but it is by no means a total cure.
- We’ve seen these people: persons talking on the phone in their car, persons furiously typing away at their Blackberries in a meeting, elevator, or even while you’re talking to them. Extraordinary convenience creates extraordinary temptation to “check” on things every few minutes. I’m totally guilty of this. This is not a technological problem, but a human one. Self control. The recipient of a phone call or e-mail does not owe an automatic response. People cannot expect an immediate response from you where you provide no expectation of one. This is an option I think people don’t exercise often enough.
That’s enough out of me for now. Do you have a smart phone? What do you use it for? What are you hoping to use it for? If you’re pressuring friends to get one (like I am =), what are you hoping they’ll use it for? Post below!