Observations Along The Road... at Dreamwidth

Saturday, and time to clear out the news links before a busy weekend. Hopefully, you’ll find something of interest in these:

• “Whiskey is for drinking but water is worth fighting over”. Four interesting articles related to the drought in California. Anyone who has used an automated toilet has run across the first waste of water: Phantom Flushing. Here’s an op-ed that opines that we should go back to non-automatic flushes, which will save water. The next scourge: unmetered households. Here’s an article about how a few communities are using a loophole in the law to fight water meters and keep their flat rate. The third scourge: bottled water. Want that Crystal Geyser that is advertised so heavily? Siskiyou County Water. But here in LA? We’re conserving so well we don’t need additional restrictions (for now).
• Death of an Icon. Two articles related to the death of the Riviera.  The first is a really nice piece about the last days of the Riv. The second is an opinion by Penn Jillette (who is doing his part for Vegas history by selling “The Slammer”) about how what is built in Vegas blows up in Vegas.
• Art is Revolting. No, not in that sense. I mean standing up for their rights and fighting back. At first, it was the intimate theatre community. Now, the entire USC First-Year MFA class has quit. They say it best: “We are a group of seven artists who made the decision to attend USC Roski School of Art and Design’s MFA program based on the faculty, curriculum, program structure, and funding packages. We are a group of seven artists who have been forced by the school’s dismantling of each of these elements to dissolve our MFA candidacies. In short, due to the university’s unethical treatment of its students, we, the entire incoming class of 2014, are dropping out of school and dropping back into our expanded communities at large”
• Death is Complicated. Here’s another complication: How do you keep up your websites after you’re dead? After all, you can’t pay the bills, you can’t update the registration, you can’t update the site. But they might be a vital piece of web history.
• Coffee May Be Bad For Your (Financial) Health. Do you drink coffee? Do you drink Starbuck coffee? Do you use the Starbuck app? If you said yes to all three, disable auto payments immediately.
• Coloring Your View. The infamous dress is back. More specifically, there’s an interesting science report about how the environment we work in colors our view of how we color the dress.

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

(Click Here to Comment)

As I sit here eating my lunch, I’m thinking about all the articles I’ve read over the last week concerning the Sony cybersecurity attack, the movie “The Interview”, and the reaction thereto. Thoughts are starting to gel together, so I thought I’d share them:

• How Could America Give In Like This? This is a question I’ve seen throughout Facebook, with an appropriate share blaming Obama for all these troubles. The response, however, shows a lack of critical thinking — for it is asking the wrong question. America — at least the government — has no connection to the capitulation to the hacker’s threats. That’s squarely on Sony’s shoulders. Further, Sony isn’t necessarily completely wrong. Put yourself in Sony’s shoes. A hacking group — which you believe to be connected to an unstable government — makes threats intimating mass casualties at theatres showing this movie. Further, a number of your exhibitors are publicly deciding not to show the film.  So which is better: Show the film, and if god forfend an attack occurs, deal with all the lawsuits… or take the economic hit for pulling it now (and possibly have insurance cover the loss). Sony made the correct business decision. Where they erred was stating the film would never be released, in any form. That’s stupid. Release it on video-on-demand across multiple platforms — there’s no way the adversary can attack all those individual homes, or all the individual servers serving the media (ETA: of course, after Obama’s statement, now Sony says they may do that). Put CDs in every Target and Walmart and Costco. Pulling it 100% is giving in to FUD (Fear, Uncertainty, and Doubt). I’m not only looking at Sony here — Paramount pulling Team America has given into the same FUD. Want another perspective? Read Ken Davenport. Oh, and by the way, Obama says Sony shouldn’t have pulled it.
• But this permits (name your county) to censor our movies! Oh, and you think your movies aren’t censored now? The government may not censor them, but studio executives do every day when they decide which projects to green light and which to stop. The MPAA does it when they rate movies and amp violence over sex. What happened here will not stop such movies from being made. What it will curtail is major studio distribution of such movies, making them harder to find. That, by the way, is where studios really “censor” — in what they agree to distribute or not. There are many movies that remain unseen for lack of a distribution partner.
• But how could this happen? Isn’t the government supposed to protect us? The government’s job is to protect government systems. There have been repeated attempts to strengthen overall cybersecurity, but they have never made it through Congress as they would involve private corporations working closer with government, and sharing information. This also appears not to be the result of a simple cracker; this seems to be a targeted attack by a determined nation state. Bruce Schneier has a good analysis of this. He also has some very good conclusions:

For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.

The time to start is before the attack hits: Sony would have fared much better if its executives simply hadn’t made racist jokes about Mr. Obama or insulted its stars­or if their response systems had been agile enough to kick the hackers out before they grabbed everything.

My second piece of advice is for individuals. The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations­, gossip, medical conditions, love lives­ exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now.

This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.

So be smart: Understand the risks. Know that your data are vulnerable. Opt out when you can. And agitate for government intervention to ensure that organizations protect your data as well as you would. Like many areas of our hyper-technical world, this isn’t something markets can fix.

• But why would they do this? A good question. This isn’t just because the movie makes fun of the leader of North Korea. That’s been done before. Vox has a good analysis of the reasons behind this. The short summary is: To show they can. North Korea gains much of its power through its military, and by presenting the appearance of that power outwardly and inwardly. Outwardly it does it through threats and intimidation; inwardly it does it to justify spending on military rather than the people. Vox summarizes it thusly:

This is belligerence meant to deter the much stronger South Korea and US, and to draw international attention that North Korea can use to bolster domestic propaganda portraying Kim Jong Un as a fearless leader showing up the evil foreign imperialists. It is meant to foment the isolation and tension that has allowed the Kim family to hold onto rule, impossibly, for decades. It has nothing to do with Sony’s film, however offensive it may be, with the film’s portrayal of Kim, or with free speech in America. In believing North Korea’s rhetoric strongly implying a connection, we are buying into the country’s strategy and helping Kim succeed.

[…]

This strategy of portraying itself as crazy is remarkably effective at securing North Korea’s strategic goals. But it is also quite dangerous. By design, the risk of escalation is high, so as to make the situation just dangerous enough that foreign leaders will want to deescalate. And it puts pressure on American, South Korean, and Japanese leaders to decide how to respond — knowing that any punishment will only serve to bolster North Korean propaganda and encourage further belligerence. In this sense, the attacks are calibrated to be just severe enough to demand our attention, but not so bad as to lead to all-out war.

Over on the Kapersky blog, they put it this way:

“It’s not about a movie or even Sony, at all,” wrote Immunity CEO and former NSA scientist Dave Aitel on the Daily Dave mailing list. “When you build a nuclear program, you have to explode at least one warhead so that other countries see that you can do it. The same is true with Cyber.”

• So what is the long term impact? As with anything, I believe there will be both good and bad impacts. On the bad side, we may see artists reluctant to tackle hard subjects in major films, knowing they will have difficulty getting them through the studio system. We may also see studios much more reluctant to distribute controversial films (for example, film studio New Regency has cancelled its planned movie adaptation of acclaimed graphic novel Pyongyang). This may end up being a boon for Science Fiction films, as they can often make the same point using metaphors without naming real countries and real people. More significantly, on the bad side, is the message this sends: For the controversial stuff that gets through, are we going to see more threats and intimidation? If some fundamentalist group doesn’t like the subject of a movie, can they just threaten a 9/11-type attack and have it pulled? This is bad, very bad — and it might even lead to the death of large-screen cinema (as you can’t attack video-on-demand with such threats — only large groups of people). On the good side, it may make corporations much more aware of the need for Cybersecurity, and it may help government efforts related to cybersecurity. In fact, the senate and house just passed a new cybersecurity bill that will bolster cyber research and development, the cyber workforce through training and education and technical standards for cybersecurity through NIST. It’s a start. It may also move controversial subjects back onto the live stage, as such performances often attract much less attention.

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

(Click Here to Comment)

Today’s weekly news chum stew leads off with a few items related to radio and items on the radio…. and goes rapidly downhill from there:

• Living By The Clock. This is an article from a few weeks ago, but it’s still interesting: On November 18th, NPR changed their news magazine clocks. Now you probably have no idea what this means. The clocks are the second-by-second scheduling of what happens when during the newsmagazines, including newscasts, music beds and funding credits. They also affect when stations can insert their own local content. In announcing the date for implementing the clocks, NPR also said that it will not impose limits on stations’ ability to replace newsmagazine segments with programming from other producers. That proposal had prompted criticism from station programmers, who argued for control over programming choices, and producers, whose programs would be excluded under the rule. This directly relates to the next article: some of those producers are podcast producers, whose segments are often included in NPR news magazines (and thus, it brings them in money).
• The Podcast Is The In-Thing. If you listen to podcasts (as I do), you know we’re in a new era of podcasts. The “This American Life” podcast has spun off a new #1 podcast, “Serial“. Roman Mars, of 99% Invisible (who was very concerned about the above clock change) used his Kickstarter success to create Radiotopia, and expanded it with this year’s Kickstarter to add new shows. Producer Alex Bloomberg left Planet Money to found a new podcast company, Gimlet Media, and is documenting the process in a new podcast. The Verge has an interesting article on this phenomena: “The New Radio Star: Welcome to the Podcast Age“. Never mind the fact that the “pod” has been discontinued, and no one really “casts” anymore. That’s like saying television is confined to networks over the air.
• You Can Get Anything You Want. Traditions are funny thing. Who would think a TV show would span a tradition that revolves around a pole? Here’s another one for you: A tradition of listening to a particular song on Thanksgiving, simply because the event described in the song happened on Thanksgiving. This latter one, of course, is referring to Arlo Guthrie’s song “Alice’s Restaurant”. Here’s an interesting article about Arlo looking back on the song, which turned 50 this year.
• Shaming and Discrimination is Never Acceptable. The events in Ferguson and in New York have finally started to make people aware about White Privilege, and being aware is the first step to doing something about the problem. But there’s another type of privilege people aren’t talking about: Thin Privilege. Our society is biased towards the thin — all it takes is one airplane ride or sitting at a booth in a restaurant to realize that. Thin Privilege can also be life threatening. Here’s an interesting article that explores that aspect of fat hatred: the particular fact that the auto industry refuses to make large-sized crash dummies, and so crashes are more likely to be fatal to the obese than the thin.
• Fighting Antisemitism. Here’s an interesting Indiegogo project: Yaakov Kirschen of Dry Bones is fundraising to turn Dry Bones into an antisemitism fighting engine. If you’re not familiar with Dry Bones, look here. I haven’t yet decided if this is an effect tool in the fight, or an attempt by Yaakov to obtain steady funding (after the success of his Dry Bones Haggadah). Still, anything that fights is a good thing.
• Your Username is Invalid. We’ve all been taught in security that you shouldn’t give away information in the login error message, and so you don’t indicate whether it was the user name or the password is bad. But here’s an article that points out that such care doesn’t buy you anything. It’s an interesting point of view.
• Should I Upgrade? For years, I’ve been using Paint Shop Pro. I’m currently on the last JASC version, Paint Shop Pro 9. PCWorld has a very interesting review of the current Corel Paint Shop Pro X7,  and I’m debating upgrading. Thoughts?

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

(Click Here to Comment)

All this week, I’ve been following the news of the Heartbleed Flaw. If you haven’t heard if it — or if you have heard and don’t understand it — XKCD gives a good explanation. Basically, the flaw was an “old-school” programming error: someone allocated a buffer without clearing it first. In Orange Book terms, this was an “Object Reuse” error; the Common Criteria called it “Residual Information Protection”. Problems like this were common in old MS-DOS, where you could create a file, move the file pointer to some far out place, write a single character, and close the file. What would be left in the middle was whatever was lying on the disk. Heartbleed was the same thing:

When Heartbleed was first reported, panic ensued. You probably remembered this. This was the “Death of Commerce on the Internet!!!” Bruce Schneier (who I normally respect) said, “”Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.” I, however, felt that panic wasn’t warranted. I’m pleased to see that, as time goes on, others are realizing that as well.

Does that mean this isn’t a serious problem? Au Contraire! Rather, it is a problem on the system owners end, who need to change all potentially exposed certificates. It is a problem for all the hardware devices that embedded OpenSSL in firmware in an unchangable and un-updatable way. All those devices have to be trashed and replaced. It’s a problem for all those who depend on others to maintain their web site. For example, I’m on Westhost. Here are their instructions to site owners regarding Heartbleed.

Why was this problem so great? OpenSSL was free code, so everyone thought it was good and used it. Forbes thinks this is indicative of a big problem with open source and its funding — there were about 4 people who were charged with maintaining this, all volunteer. Again, I disagree. The problem is not the funding or the maintenance, but the fact that the authors were not thinking about security from the get-go. They hadn’t been inculcated with secure programming practices that would have eliminated any object reuse issue. Being aware of how to write secure code eliminates many problems: boundary errors, object reuse errors, mishandling of input errors. All showed up here, and all are techniques any secure programmer worth their salt would know.

So, again, should you worry about this? You certainly shouldn’t panic. If you have an account on an affected site, then you might change your password if you are really worried about your data (e.g., I don’t care about Yahoo; my mail account there is only for spam) or you use that password elsewhere. If, by rare chance, you have exposure on a financial website or a government website, then do change your password.

Most importantly, get a little perspective. Although this is a lot of work for site owners, this isn’t anywhere near the headache of a Target breach, or the breaches we hear about every day where this database or that database of credit card numbers is exposed, or major medical databases are exposed. Worry about those. Most importantly, continue to consciously think about cybersecurity in whatever you do, and whenever you authorized information. For example, does the Facebook android app really need all those permissions it asks for?

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

(Click Here to Comment)

Yesterday, my RSS feeds highlighted a provocative article: “STEM Stinks for Cybersecurity” (Forbes Magazine). In this article, the author argues that we don’t need more people with university degrees in science, technology, engineering, or mathematics — what we need is more people with Vocational Training (he calls it VoTech) who are familiar with the security tools and know how to run the security tools. I think this position misunderstands both STEM and Cybersecurity.

Let’s start with STEM. The author seems to believe that the emphasis on STEM is at the university level — that we only want STEM degrees. That’s wrong and misguided. Emphasizing STEM is important much earlier — from the first days of education to the end of high school. We need to be raising students that are unafraid — who perhaps even love — science, engineering, math, and technology. The ability to understand these disciplines is key to having adults who think critically, and who can recognize pseudo-science when they see it (and thus, believe neither the creationists nor the climate-change-denouncers). Being familiar with these disciplines is also key if you are going to exist in the modern world, where technology is everywhere (and technical terms are everywhere). They are particularly important even if you are going into VoTech — just because you are working with tools doesn’t mean you don’t apply scientific principles or use mathematics. In fact, most CNC tool programmers use mathematics regularly. Familiarity with technology is required in almost every field today — even the soft fields are making extensive use of technology.

Let’s now turn to the question of whether VoTech is sufficient for Cybersecurity. I’ll start by saying that I have no problem with encouraging vocational technology — I think it was a disaster when shop classes were removed from schools, and I’ll support vocational training. Having trained machinists and technicians and repair support is vital to the success of most operations (and it should go without saying that all need to be familiar with STEM). But with respect to Cybersecurity, my opinion differs.

Technicians trained in using tools are only as good as the tools they use. While this is fine in manufacturing, it’s not in Cybersecurity. Cybersecurity tools can only find what they are programmed to find — which are signatures of yesterday’s attack. VoTech Cybersecurity experts, as a result, can typically only find what the best of their tools find. Perhaps, as they gain lots of experience, they will be able to go outside of that box and identify additional attacks. The basic trainee won’t; our systems won’t have time to wait.

Cybersecurity requires individuals who are familiar with technology, systems, mathematics, engineering… and can think critically, and can present their thoughts and findings (which is where the arts come in, and why you see a movement from STEM to STEAM). Successful cybersecurity is much more than running vulnerability scans. It is getting in with the engineering team from day 0 — identifying the security requirements and how they trade off other engineering and mission requirements. These are skills you learn in engineering courses and software and system design courses, not vocational training. It is being able to recognize results and findings that just seem off, and having the ability to track down the root cause (and not just the symptom of the day). The ability to recognize that “this doesn’t smell right” is a critical thinking skill; I don’t believe a VoTech trainee will have that without significant experience. Successful cybersecurity is being able to assess your findings in the context of the larger system, mission, and business picture — a perspective that someone who is only familiar with tools will not have. Successful cybersecurity is looking at all aspects of the system from the low hardware up through the design layers, from operational procedures and processes to suppliers. An emphasis on tools alone does not give that ability. Lastly, cybersecurity requires individuals that can think out of the box, because that’s what the adversaries do. Stopping the script kiddies is easy; VoTech can easily catch the low-lying fruit. The real threat comes from the determined adversary, and they don’t do what you (or your tools) expect.

Don’t get me wrong — technicians are important. If that is the highest level of skill you can obtain, and you’ve had that K-12 STEM/STEAM education, go for it. Some people work best with their hands. But if you can go on and get that STEM/STEAM degree, you will be much more successful and much more useful in the field (plus, you’ll earn significantly more over your lifetime — enough, perhaps, to pay off your student loans :-)).

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

(Click Here to Comment)

Whereas last week’s stew was thin and barely filling, this week’s is quite hearty. Although I had trouble finding groups of three articles to link with a theme, I had bunches of groupatwos with interesting subjects. So in this week’s stew you’ll find mini-themes on milk, money, connections, bones, security, plus some other random stuff for flavoring. Shall we begin?

• Milking It. This is a groupatwo having to deal with milk and diet. (1) The first deals with the diet aspects — much as we think we know the foods that make us fat and the foods that don’t, we keep learning things that turn that understanding on its ear. For the longest time we thought it was simply calories, and low-cal food was in. We saw that didn’t necessarily solve the problem. Next we looked at low-fat and low-carb, and getting rid of animal fat. Here’s a survey that confounds that: it appears that full-fat dairy products help you lose weight better than low-fat dairy products. (2) The second item deals with milk itself — particularly breast milk. It appears that the chemical composition of breast milk differs based on whether the child is a boy or a girl. This actually dovetails with a segment that was on a recent Quirks and Quarks that cows produce more milk for daughters than for sons. This emphasizes the notion that breast is best — and more importantly, your mom’s breast is best for you.  Producing a one-size fits all formula just doesn’t work.
• Where The Money Is. This is a groupatwo that looks at where the money is. (1) The first item looks at Las Vegas casinos and where they make their money on table games. What’s interesting here is that they make a lot of money on table games — more than would be expected by just looking at the odds on the games. That’s because the odds are calculated on people playing the games in a perfect manner, and people rarely do. Translation: Not only does the house have an advantage, but unless you’re perfect, they have a greater advantage than you think. (2) The second item looks at the changing market for collectable American cars from the 50s and 60s. It appears that such cars are going down in value — boomers are less interested and millenials couldn’t care less. The translation here is not to depend on things you collect for your retirement nest egg (ask anyone who collected Beanie Babies). I’ve seen this with stamp collecting — once a popular hobby, you now don’t see it anywhere, and most collections aren’t worth all that much (I know mine isn’t, and there’s not much interest in my dad’s first day covers).
• Everything is Connected. This is a groupatwo dealing with connections. (1) The first item looks at the weird weather this year, and showing that it is all connected to the ridge of high pressure off the California coast, which has started changes in the jet stream that has created snow in the south, rain in Britain, and warmth in Sochi. (2) The second looks at the impact of all the chemicals we use, and how many we thought were safe may be leading to the growth in autism. Yup, it’s not vaccines at all; it is plastics and pesticides. Humans often get risk identification wrong, as this shows. So perhaps GMOs are safe?
• Great Bones. This last groupatwo looks at the underpinnings of some things here in LA. (1) The first item looks at a massive concrete pour here in Los Angeles — a continuous 20 hour pour with more than 2,000 truckloads of concrete, each of which must be delivered freshly made. This is all to build the foundation of the new Wilshire Grand, which will end up as the tallest building W of the Mississippi. Fascinating pour, especially when you look at the cooling issues. (2) The second item is a look at the Burbank Studios, and their history as the NBC Color City complex. I’ve actually been to the studios — I was there to see a taping of Flip Wilson, as well as the 2nd incarnation of Laugh-In. I’ve also been to CBS to see Cher filming. In any case, I love history like this.
• Security. I’ve grown more and more impressed with the work Brian Krebs does — and he’s the source for the last groupatwo. In the first article, Brian continues his in-depth study of the Target Breach — this time looking at how email was involved. What’s interesting here is how the metadata on innocuous files provided information that was later used on the attack. The second article is a bit more intriguing — it explores how some denial of service attacks are created by exploiting a flaw in the Network Time Protocol.
• Looking for Love. And a last singlet for flavoring. For Valentines Day, LA Metro introduced speed dating on the Red Line. So how did it go? Pretty good, according to the LA Times.  I wonder what this says about our city?

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

(Click Here to Comment)

The news is reporting yet another problem with Target security: this time, the headline is screaming “Target says hackers took encrypted PIN data but can’t crack it“.

I can’t resist that headline, so I had to see how Target was doing an unbreakable encryption. Before I dive in, remember your encryption basics: Alice wants to talk to Bob, and they have a shared secret that they use to encrypt the data (called the plain text) using some algorithm. This shared secret can either be shared out of band, pre-installed, or via some secret-sharing protocol.

So, what is Target saying this time:

The PIN data is encrypted as it’s entered by a customer at a keypad at checkout, protected with what’s known as Triple DES encryption, according to Target.

The PIN information stays encrypted within Target’s system and “remained encrypted when it was removed,” the Minneapolis-based company said.

The code can only be cracked when the data is received by Target’s external, independent payment processor, according to the retailer.

“What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident,” the company said Friday.

First, let’s look at this shared secret. It must be known by both sides, meaning it has to be available to the independent payment processor and the keypad at checkout. There are three ways to do that: they could create a new secret each time and share it using a key exchange protocol (good, but expensive network-wise), they could store the secret on the Debit card (easy and flexible, and unique for each user, but vulnerable to readers, plus you need to send the card number in plaintext to retrieve the key), or they could store the secret in the device. Target doesn’t say which they were doing, but I’m guessing it is the same for every keypad device. This means: capture a keypad device, capture the key.

Next, they are using 3DES. While this is better than DES, it isn’t as good as AES. They also don’t state the key length they are using, and this is a big factor in the ability to break the key.

Next, think about the data itself. There is the card number and the pin likely being encrypted. If the badguys are capturing data, it is easy to get encryption of a number of known plaintexts, with a fixed key. You’ve now got a known plaintext attack.

In short: I wouldn’t trust Target’s platitudes here. If I had a debit card, I’d contact my bank to cancel it and get a new one. Yes, that will cost the bank, but they may convince Target to go to chip and pin. You simply don’t have any protection with a debit card.

Am I worried about Target and credit cards? Surprisingly, no. Target is no better or worse than any other American retailer, and you are still at greater risk giving your card to a strange waitcritter in a restaurant or over the phone when you order a pizza. Check your charges regularly, dispute any that aren’t valid, and if there is more than one disputed charge, cancel and get the card reissued. Enough of these problems, and the banks will move to chip and pin because it will be cheaper.

I’d welcome the thoughts of other cryptography folks on this one. Was my (admittedly limited) cryptographic analysis correct?

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

(Click Here to Comment)

Last night, I wrote on Facebook that I had been invited to talk at ACSAC about the legacy of the “Orange Book” (TCSEC), as 2013 marks 30 years since it was first published. I was fishing for opinions from a number of people whom I respect (but I’d take them from folks I don’t respect as well ), but got few response. So let me expand on my current thoughts… perhaps this will get folks thinking.

The TCSEC was a seminal publication in security … one of the first security criteria out there. It defined preset grouping of functionality and assurance requirements (what today we would call a package or a profile) that were well thought out. This was a strength, but it was also a problem as the pre-defined packages didn’t work well for anything other than monolithic operating systems. The assurance paradigm that it had was based on in-depth design analysis — increasing the level of design details and analysis, as well as testing, to ensure all problems were found.

How well did this all work out? Well, there was the mantra of “C2 by ’92″, which admittedly got more and more systems to have discretionary access control, object reuse, auditing, and I&A. This was one of the factors that led to Windows having more security — NT had to have stronger security to meet C2 by ’92, and Windows NT is the basis of today’s Windows systems. Could one argue that the TCSEC beat up Windows 98 in an alley fight? Perhaps.

However, the assurance paradigm was in some sense flawed, and may have gone down the wrong path. There was a naive assumption that if we could get commercial vendors to follow that path, we would have more secure systems. Did that work? Those working with evaluated systems can answer that question — we never saw higher assurance take off, because it went against commercial practice.

The chafing against the pre-set packages of the digraphs also led to an unbundling of functionality of assurance, eventually leading to the Common Criteria of today. I’d argue that this eventually gave us the “control” notion we now see in 800-53: pick the functional and assurance requirements you need to meet your threats. This is a good thing, but it is also a loss of the forethought that went into the bundling. We are seeing a return to bundling in some sense with the move to standard protection profiles and  CNSS 1253 baselines and controlled ways to modify things. Did the TCSEC show the value of these bundles?

The TCSEC, just like 800-53 and the CC, is a catalog of requirements; it is not an evaluation process. Yet the evaluation process that grew up around the TCSEC also has a legacy. That process established a very in-depth process that took far too long. The legacy of that process — and the analysis the TCSEC required — affected how the process is viewed today. We’re still seeing fights against a process that takes too long, and we still haven’t found the balance between better / faster / cheaper that is satisfactory for both the vendors and users of evaluated products.

I’d like to think that the TCSEC has a greater legacy than just perl. Hopefully, my preliminary thoughts above have gotten you thinking, and you’ll share your thoughts in the comments. I’m going to keep thinking on this so that I can work all of this together into a coherent presentation.

======

Additional musings added a few days later:

Thinking more about the TCSEC, I’m seeing a number of dimensions of impact (think like a tag cloud), other than (of course) perl. Here are some thoughts on each in alphabetic order — feel free to add more in the comments:

• Assumptions. Familiarity with the TCSEC led to assumptions about functionality that didn’t propagate through to newer criteria. One can see this in the Common Criteria. Notions that were present in the TCSEC — such as protecting authentication data or having process separation — are no longer explicit in the CC. People assume they are there, but they are not. Are they tested for? 
• Assurance. The TCSEC codified the notion of design assurance, but most people didn’t see design assurance because they didn’t see above C2. Although the design assurance transferred to the Common Criteria (CC), there it was more of a failure — precisely because it never became commercial practice for the vendors. Instead, documentation was developed after the fact, which doesn’t improve assurance. Today, is there more thought given to making the design small, simple, and minimized… or are things large and complex with multiple failure paths? Did the TCSEC avenues to assurance survive?
• Awareness. Did the TCSEC make people more aware of security? Certainly, those working on the government side know what C2 security is — if only in terms of the functional requirements. But people in general? Most people probably don’t understand access control or audit — they never use the DAC mechanisms in Windows or Apple, and they’ve probably never looked at the event log. To most people, security is Passwords.
• Bundling. One characteristic of the TCSEC is it bundled functions with assurance. This was also its downfall, as the bundling was designed for a monolithic world and assumed MLS was a need. Yes, MLS needs high assurance, but high assurance doesn’t demand MLS. That was a failure, and that notion led to the unbundled CC. But bundling is returning with the new standard Protection Profiles, the -53 baselines, and overlays. There is thought being given to what requirements belong together. This is good. The problem is there’s often no thought about what these requirements need in terms of assurance. Assurance is typically “best possible” (the standard PP approach), which doesn’t necessarily correspond to what the functions need in their environment. We’re still faced with the eternal problem: people don’t pay for invisible assurance.
• Commercial Products. In my earlier part of this post, I argued that the TCSEC improved the security of some commercial products. Certainly it influenced Windows NT, and arguably influenced a number of Unixes, although whether any of those made it into the Unix base of today is a different question. But many products still think about security after the fact, or don’t incorporate it into the design process.
• Confidentiality. The TCSEC’s focus was confidentiality — access controls to prevent disclosure. This focus remained for many years, and might have hurt trying to grow the focus to integrity and availability.
• Controls. Did the TCSEC come up with the “control” paradigm, or did that exist in the financial world before 1983? Certainly the TCSEC began the Federal Criteria which begat the CC, and TCSEC requirements and CC requirements influenced the controls in NIST SP 800-53.
• Developmental Assurance. The TCSEC had the notion that a well-thought out design would lead to a higher assurance product. Has that been borne out, or is it like FDA studies of marijuana? Is there empirical evidence of what design approaches do best, and did that agree with the TCSEC? Did commercial vendors ever actually follow the TCSEC processes?
• Formal Methods. The TCSEC pushed the notion of formal methods at the higher levels. Yet we rarely see formal methods these days.
• Government Development. Here the TCSEC had more influence. The notion of C2 by 92 led to pushes to use C2 functionality, and this was captured in the 8500.2 controls and 800-53 controls. Many of the security requirements for systems today come from C2. However, the focus on functionality led to a loss of focus on assurance, and that’s only lately being recovered. There was also the assumption problem above.
• Multilevel Security. The TCSEC envisioned a world where MLS was everywhere. Yet MLS as a concept disappeared, reappeared under different names, and nowadays is present mostly in specialized guarding devices. Its become a dirty word — is that because of the TCSEC?
• Product Evaluation. The TCSEC showed the value that could come from product evaluation in the overall accreditation process. Countless dollars were saved because operating systems and other products did not need to be reexamined in depth. Yet the original process in the US (TPEP) was very expensive for the government and took a lot of time. Think “Better / Faster / Cheaper”. We moved to a cheaper process of having labs do the work. People still complained it wasn’t faster. The CC came in, and we’ve been tinkering with the process to make it faster and faster because of Internet time scales. Have we made it better than we had it during the TCSEC? Are the requirements as well understood today? How did the legacy of the TCSEC process color today’s process.

These are just some areas. Perhaps as we explore the legacy, there should be an additional question asked: For those areas where the legacy shows a form of failure, are there places were we can learn lessons and perhaps improve where we are today. Given I’m dealing with the TL;DR generation, perhaps that should be a topic for a future post … or ACSAC talk.

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

(Click Here to Comment)

After my wonderful plumbing experience yesterday, my mind cannot make sense — or find a theme — in this collection of news articles. I’ll leave it to you to find the theme, or determine whether these items need to be tossed into the garbage disposal and washed away. Let’s just hope they don’t clog your pipes…

• Survivor – My Guilty Pleasure. One of my guilty TV pleasures is the TV show Survivor. I’ve never been able to describe why this show is still head and shoulders above other reality shows. This article presents one analysis of why Survivor is successful. For me, its success comes from (a) the shifting alliance aspects of it –  the show is very much like the game Diplomacy with negotiation, trust, and bluffing at its heart; (b) the skillful editing used to craft a story and create characters; and (c) the quality shown in the casting to find a group with strong personalities that draw one to watch.
• This American Life. This week, TAL reaches a milestone – episode #500. To commemorate this, BuzzFeed presents the story of how TAL got started, and how it reached episode #500. Related to this, FlavorWire presents their take on their 15 favorite episodes to date.
• Hidden Environmental Impacts. Earlier this week, I wrote about how copper mining — required to move to a green environment — really isn’t so green. Another thing that isn’t green are music festivals. This article from LA Weekly is a great exploration on the trash problem created by many festivals.
• Autopsy Results. OK, here’s a real weird one. Some people decided, for the hell of it, to do an autopsy of a “Baby So Soft” doll. Here are the grisley results. You’ll never look at a child’s doll the same.
• Looking at Things Differently. Speaking of looking at things differently, here are 11 classic works of art reimagined with people of color.
• NSA and the CIA. On the grounds of the CIA is a sculpture with an encrypted message. The CIA recently believed they had solved the message. However, the NSA really solved it first.
• Places to Go in The San Fernando Valley. Here’s a nice article commemorating Universal City Walk reaching 20 years. City Walk was a trendsetter — it led to Downtown Disney and other integrated shopping areas that are regional draws at theme parks. Don’t like that? How about an old-fashioned soda shop in Canoga Park?
• Bringing Up The Rear. Bringing up the rear are a few totally pointless things. First, a gun that uses salt to shoot flies. I have no idea how effective it is. Secondly, a list from the good folks at Vanity Fair point out 40 signs that you’re a BuzzFeed list maker who has run out of ideas. Thirdly, there’s a Wesley Crusher Beer. Lastly, somebody put dummy names for the pilots of the Asiana 214 crash on a recent news report on KTVU. Alas, they made it onto the air. Yup. Today, your flight is commanded by “Sum Ting Wong”, assisted by “Wi Tu Lo”, “Ho Lee Fuk”, and “Bang Ding Ow”. I can only shake my head. Someone has likely been handed their walking papers. Naturally, the station has apologized.

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

(Click Here to Comment)

Well, it’s Saturday and you know what that means… it is time once again to clear out the links that didn’t form into a coherent theme over the last week:

• Some Things Never Die. For all the work being done in newer programming languages such as Java, it is either comforting… or scary… to realize that the old languages never die. I don’t know if ALGOL or APL are still in heavy use, but I know FORTRAN is (and in fact, it was recently updated, and has supported object-oriented programming since 2003). Also recently updated is COBOL for mainframes, which can now support  cloud and mobile platforms. Here’s a hint for those going into programming — everyone knows the new languages. Become an expert in the older languages (FORTRAN, COBOL), and you’ll be a rarer commodity.
• Some Things Do. Santa Monica is looking to tear down the Santa Monica Civic Auditorium and replace it with… hell, not even they know. The Santa Monica Civic is a 1960s box structure that is essentially a large multipurpose room. No one wants to do concerts there anymore, and it has been reduced to the level of hosting table-top craft shows.
• Some Things I Don’t Want To Do. The Rio Hotel in Las Vegas is planning a new thrill ride: a zip-line ride running from the top of the tall Rio towers to the main Rio building. The attraction, dubbed the VooDoo Skyline, is expected to open in Summer 2013. Rides will start from the VooDoo Lounge, atop the Rio’s 50-story Masquerade Tower. Via the zip-line (which is 450′ in the air), guests will travel down 845 feet to the top of the 20-story Ipanema tower, reaching speeds of up to 33 mph. Riders will then make a return trip — upward through a motorized pulley system while traveling backward at 25 mph — to the starting point. The total ride covers nearly one-third of a mile and takes 1 minute and 10 seconds from start to finish. Cost is expected to be $25.
• Some Things I Do. The LA Times has a really interesting article on a new course at UCLA: Physiological Sciences 7 – Food and Science — that looks at the chemical interactions that make our food what it is. The goal of the recent class was to do experimentation on the science behind apple pies to create an even better apple pie.
• Some Things Technology Doesn’t Affect. An article from Kapersky on Credit Card security provides a nice discussion on the non-technology risks of credit cards. I’ve always said that people don’t understand risk — they are scared to use the Internet for a credit card, but willingly give it to a server they don’t know who takes it away for a while. This article explains some of those concerns pretty well. As for me, as long as I’m using a reputable site, I have no problem using a credit card on the net. But never a debit card.
• Some Things Technology Does Affect. USA Today recently had an article on the tan losing its luster in Hollywood. However, one thing in the article caught my eye: “In Hollywood, technology gets some credit. When women like Blanchett started out in the industry, “it was tough,” Dougherty says. Studio lights washed out light faces and limbs, losing texture and depth — hence the desire for “everyone on set to be these neutral honey colors,” a la Jennifer Aniston. But “technology has come a long way,” Dougherty says. “Now, they can really light for these skin tones.”" In other words, tans for actresses are not out for health reasons or artificiality, but because they are no longer necessary to have faces show up on film. Those who are sufficiently old may remember odd makeup and color choices for actors specifically designed to pop on black and white film. Technology marches on.

Hmmm, maybe they did form a theme after all

This entry was originally posted on Observations Along The Road (on cahighways.org) as this entry by cahwyguy. Although you can comment on DW, please make comments on original post at the Wordpress blog using the link below; you can sign in with your LJ, FB, or a myriad of other accounts. There are currently comments on the Wordpress blog. PS: If you see share buttons above, note that they do not work outside of the Wordpress blog.

(Click Here to Comment)