Weak Crypto Contest

The 2007 Underhanded C Contest has a marvelous theme — weak crypto.

The object of this year’s contest: write a short, simple C program that encrypts/decrypts a file, given a password on the command line. Don’t implement your own cipher, but use a bog-standard strong cipher from a widely available library.


Your challenge: write the code so that some small fraction of the time (between 1% and 0.01% of files, on average) the encrypted file is weak and can be cracked by an adversary without the password. The poorly encrypted file must still decrypt properly by your own software.

Other great comments:

Short programs are innocent, and more impressive. If your source file is over 200 lines, you are not likely to win. You can hide a semi truck in 300 lines of C.


Of course, there are other factors: we award points for humor value and irony. I have always been impressed with the winner of the 2004 Obfuscated V contest, who concealed an error in a vote-counting program by adding a voter-verifiable paper trail function that overflowed a buffer. That’s evil with style.

What a great idea.
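The contest asks entrants to hide an intermittent weakness behind a standard cipher, so the interesting defensive question is how a reviewer would catch one without reading the source. The following added example (my own code, not from the contest or this post) is a black-box audit: it encrypts the same input many times under one password and counts the symptoms an intermittently weak output leaves behind, such as an all-zero or repeated salt/nonce header, identical ciphertexts for identical inputs, the plaintext appearing verbatim, or a low-entropy body. Everything in it is an assumption for the demo: the `salt || nonce || body` blob layout, the HMAC-SHA256 counter-mode keystream standing in for a library cipher so the block runs with the Python standard library alone, the `good_encrypt`, `decrypt`, `WeakEncryptor` and `audit_encryptor` names, and the fixture whose randomness source returns zeros on every fiftieth call (a blatant version of the kind of flaw the contest wants hidden, included only so the audit has something to flag).

```python
import hashlib
import hmac
import math
import secrets
from collections import Counter

SALT_LEN = 16
NONCE_LEN = 16
HEADER_LEN = SALT_LEN + NONCE_LEN
PBKDF2_ITERS = 10_000  # kept low so the 200-trial audit loop stays fast; real tools use far more


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for the library cipher the contest calls for, constructed so the
    example runs offline with the standard library; not a recommended cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _encrypt_with(random_bytes, password: str, plaintext: bytes) -> bytes:
    """Assumed blob layout: salt || nonce || body. random_bytes(n) supplies the header."""
    header = random_bytes(HEADER_LEN)
    salt, nonce = header[:SALT_LEN], header[SALT_LEN:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return header + _keystream_xor(key, nonce, plaintext)


def good_encrypt(password: str, plaintext: bytes) -> bytes:
    """Fresh random salt and nonce on every call."""
    return _encrypt_with(secrets.token_bytes, password, plaintext)


def decrypt(password: str, blob: bytes) -> bytes:
    """Decrypts blobs from either encryptor below: the weak one still round-trips,
    which is exactly what the contest requires of a hidden weakness."""
    salt, nonce, body = blob[:SALT_LEN], blob[SALT_LEN:HEADER_LEN], blob[HEADER_LEN:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return _keystream_xor(key, nonce, body)


class WeakEncryptor:
    """Constructed fixture: every `period`-th call its randomness source returns
    zeros, so salt and nonce are all-zero and the output for a given password
    and plaintext repeats. Deliberately blatant; only here to exercise the audit."""

    def __init__(self, period: int = 50):
        self.period = period
        self.calls = 0

    def _random_bytes(self, n: int) -> bytes:
        self.calls += 1
        if self.calls % self.period == 0:
            return bytes(n)
        return secrets.token_bytes(n)

    def __call__(self, password: str, plaintext: bytes) -> bytes:
        return _encrypt_with(self._random_bytes, password, plaintext)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 for an empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit_encryptor(encrypt, password: str, plaintext: bytes,
                    trials: int = 200, min_entropy: float = 6.0) -> dict:
    """Black-box audit: encrypt the same input repeatedly and count the symptoms
    of an intermittently weak output. Any non-zero count marks the tool suspicious."""
    headers, bodies, roundtrip_failures = [], [], 0
    for _ in range(trials):
        blob = encrypt(password, plaintext)
        if decrypt(password, blob) != plaintext:
            roundtrip_failures += 1
        headers.append(blob[:HEADER_LEN])
        bodies.append(blob[HEADER_LEN:])
    header_counts, body_counts = Counter(headers), Counter(bodies)
    report = {
        "trials": trials,
        "roundtrip_failures": roundtrip_failures,
        "zero_headers": sum(1 for h in headers if h == bytes(HEADER_LEN)),
        "repeated_headers": sum(c - 1 for c in header_counts.values() if c > 1),
        "duplicate_ciphertexts": sum(c - 1 for c in body_counts.values() if c > 1),
        "plaintext_leaks": sum(1 for b in bodies if plaintext in b),
        "low_entropy_bodies": sum(1 for b in bodies if shannon_entropy(b) < min_entropy),
    }
    report["suspicious"] = any(v for k, v in report.items() if k != "trials")
    return report


if __name__ == "__main__":
    sample = b"ATTACK AT DAWN. " * 32  # constructed low-entropy plaintext
    print("good:", audit_encryptor(good_encrypt, "hunter2", sample))
    print("weak:", audit_encryptor(WeakEncryptor(period=50), "hunter2", sample))
```

The audit is statistical, not a proof: a flaw that fires on 0.01% of files needs tens of thousands of trials before a single repeated header is likely, and a weakness in the key derivation rather than the header would not show up at all. It is still the cheapest first check to put in a release pipeline for any encrypt-a-file tool, because it catches the broken-RNG and reused-nonce family of bugs with no knowledge of the source.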

Credentica White Paper & Presentation

The title of Stefan Brands’ blog post, “New Credentica white paper and other materials,” pretty much says it all. If you think about identity management, you should go check these out.

Our white paper discusses all of the features of the U-Prove SDK without going into technical detail. The basic features are: transient ID Tokens; long-lived ID Tokens; protection against forgery, modification, eavesdropping, and phishing; universally unique token identifiers; encoding of token attribute information; user-authenticated presentation transcripts; digital signing with ID Tokens; and, user-driven and verifier-driven revocation. The advanced features include: untraceability; unlinkability; hiding attribute information from verifiers; removing attribute information from presentation transcripts; hiding attribute information from issuers; protecting against transferring and discarding of ID Tokens (software-only); issuer-driven revocation; limiting reuse of ID Tokens; and a range of device-based security measures that can protect against any imaginable unauthorized actions with ID Tokens (without contravening their privacy properties). The white paper also explains how to use the U-Prove SDK to protect identity-related assertions in frameworks such as SAML, Liberty ID-WSF, and Windows CardSpace.

Frontiers of Data Disclosure

Howard Schmidt made a glib suggestion that made me laugh, but he has a point. He asked why don’t we just take names, social security numbers, and everyone’s mother’s maiden name and put it in a huge searchable database, so everyone knows that it’s not security information and we can once and for all stop using SSNs for anything.
I’m still chuckling over it, but you know — it’s not a bad idea.

More on Crappy Credit Reports

In October, 2006, I commented on the story of a man in Arcata, California whose credit report bizarrely includes a claim he’s the son of Saddam Hussein (“The Crap in Credit Reports”). Now, via Educated Guesswork, “If OBL can buy a used car, the terrorists have won,” we learn of a fellow who can’t buy a car in northern California:

Tom Kubbany is neither a terrorist nor a drug trafficker, has average credit and has owned homes in the past, so the Northern California mental-health worker was baffled when his mortgage broker said lenders were not interested in him. Reviewing his loan file, he discovered something shocking. At the top of his credit report was an OFAC alert provided by credit bureau TransUnion that showed that his middle name, Hassan, is an alias for Ali Saddam Hussein, purportedly a “son of Saddam Hussein.”

Sounds like the same guy, unable to solve his problem. From Free Internet Press, “Private Businesses Flag Ordinary Customers As Terrorists.” Different first and last names. Different years and days of birth. Different countries of birth. Should TransUnion be held accountable for inserting that OFAC alert? When?

Month of Owned Corporations

Richard Bejtlich points to a very dangerous trend in his TaoSecurity blog, the “Month of Owned Corporations”:

Thanks to Gadi Evron for pointing me towards the 30 Days of Bots project happening at Support Intelligence. SI monitors various data sources to identify systems conducting attacks and other malicious activity. Last fall they introduced their Digest of Abuse (DOA) report which lists autonomous system numbers of networks hosting those systems.

SI published the latest DOA report Monday and they are now using that data to illustrate individual companies hosting compromised systems. They started with 3M, then moved to Thomson Financial, AIG, and now Aflac. For these examples SI cites corporate machines sending spam, among other activities. Brian Krebs reported on other companies exhibiting the same behavior based on his conversations with SI.

He irresponsibly spreads… Oh, heck. I can’t do it. This is great stuff. Let’s actually look at what networks are spreading junk. I like this as a start, and the weekly Digest of Abuse claims to look at:

We analyzed over 22,000 ASNs for every kind of eCrime including DDoS, Scanning, hosting Malware, sending Spam, hosting a phish, or transmitting viruses.

Hmmm, so while I’m glad that they’re collecting and sharing data, what does it mean to be scanning? How do they define “hosting malware?” I really like the idea, and would suggest that Support Intelligence share more about what their data gathering methods look like, how they define each term, and how many of the incidents they see are of each type. (I’ve looked in their FAQ, how it works page, and product tour.)

Photo: The Exxon Valdez, courtesy of the Alaska Fisheries Science Center. Why? Because talking about breaches helps get them noticed and cleaned up.

Micropayments Company Bought or is that Sold?

Micropayments company Peppercoin, started with technology by Rivest and Shamir, has been bought by Chockstone, a company doing loyalty programs. Supposedly, they bought Peppercoin because it will “increase consumer ‘stickiness’ and brand affinity” and “increase average ticket price more than 12%.” Okay…. I thought that the reason for bearer-level micropayments was the opposite. Right here on the label that the payment-punks have been pushing, it says that you get increased market efficiencies, lower costs, and liberty for the end user. We’ll have to see how this one turns out. I suppose if this lets you buy books with airline miles, or something like that, you could get both.

Psychology & Security & Breaches (Oh My!?)

I’ve been talking about disclosure, and how it has the potential to change the way we work. Before it does that, it needs to change the way we think. Change is hard. There’s a decent argument that many things are the way they are because they’ve emerged that way. There existed a froth of competing ideas or ways of doing things, and the best one(s) won. Some may have hitched themselves to a winning idea. They may be bad ideas. But on both a design and a psychological level, change is hard.

On the design side, there are arguments that I haven’t heard. Some of which may be good. Someone may think that our situation isn’t really so bad, and so we don’t need change. I think that they are wrong, but I have to overcome that argument. I’ll set aside the origin of our situation and the argument from conservativeness, and turn to the psychological.

At a human level, change involves loss and the new. When we lose something, we go through a process, which often includes shock, anger, denial, bargaining and acceptance. The new often involves questions of trying to understand it, understanding how we fit into it, whether our skills and habits will adapt well or poorly, and whether we will profit or lose from it.

These are the sorts of issues which confront managers as a company goes through changes, and they are difficult and challenging. Companies change because the market changes when new competitors or new products emerge, or old ones go away. Often times, it is easier to ignore these changes and keep doing what you have been doing, rather than to change.

Many American companies chose to react this way. They created a rust belt.

The world in which we work as security professionals has gone through upheavals in the past. Things changed when UIUC released the Mosaic web browser, things changed when Aleph1 released ‘Smashing the Stack for Fun and Profit,’ and things changed when Canter and Siegel sent their email. Things will change again.

Preventing the effective flow of information is one way to avoid change. If we can claim everything is the same as it has been, or if we can sweep things under the rug, we can keep doing what we’ve been doing. We can avoid change because change is hard, and the consequences long term. We’re supposed to be good at thinking about such things here in security.

Sometimes, in security, when we talk about psychology, it’s interpreted as an attack. This is not intended as an attack on anyone. I’m trying to draw out all of the reasons why people are opposed to change in disclosure habits, so we can overcome them.

Sometimes true things are uncomfortable. Sometimes going to the dentist is uncomfortable. Being in denial about the state of things is often worse.

Bejtlich gets it: It’s about empiricism

When he mentioned my post he cited a new paper titled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006 by Phil Howard and Kris Erickson. Adam highlighted this excerpt

60 percent of the incidents involved organizational mismanagement

as a way to question my assertion that insiders account for fewer intrusions than outsiders.

At the outset let me repeat how my favorite Kennedy School of Government professor, Phil Zelikow, would address this issue. He would say, “That’s an empirical question.” Exactly — if we had the right data we could know if insiders or outsiders cause more intrusions. I would argue that projects like the Month of 0wned Corporations give plenty of data supporting my external hypothesis, but let’s take a look at what the Howard/Erickson paper actually says.

I think Richard’s analysis (“Exaggerated Insider Threats”) is spot on, and I admit to slightly twisting Howard and Erickson’s words to make a point. Security is all about the empirical questions. Answering them involves having data, having collection methodologies, and having conversations and debates about their validity. As I say in the PDF version of the talk:

We can use data to answer questions, like what fraction of incidents are
caused by insiders? This has long been contentious, but if we can agree
on what an incident is, what an insider is, and what cause is, we can
learn something.

One question for Richard. You write:

In brief, this report defends the insider threat hypothesis only in name, and really only when you cloak it in “organizational ineptitude” rather than dedicated insiders out to do the company intentional harm.

Why should I care about motives? Shouldn’t I be first focused on the insider/outsider question, then on the methodology, and only then on the motives?

Bad Advice on Tax Shelter Patents


Techdirt carries marvelous coverage of the increasing devolution of our intellectual property system. However there is some bad advice in “Be Careful Not To Use Any Patented Tax Shelters This Tax Season.”

The bad advice is in the last sentence:

So as we get to tax day, besides going over all your tax forms and deductions carefully, you may need to spend an extra day poring over patents to make sure you’re not infringing.

This is bad advice because of the way that intellectual property, especially patents, works. It is the responsibility of the intellectual property holder to police their property. In other words, it’s not up to me to see what patents I might be infringing; it’s the patent holder’s job.

There are lots of good reasons for this, including that it’s hard to know exactly what infringes and what doesn’t, especially as patents get more complex and ubiquitous. Many patent holders aren’t vigorous in their enforcement. I recommend that in most cases, it’s best to use patents defensively, rather than offensively. If I am using a patent defensively, that means I don’t really care if you’re infringing, as long as you’re not trying to get me to pay you for your patents. (And in such a case, the more infringers, the better.) So if you patent breathing oxygen, I pull out my patent on picking one’s nose and say, “Let’s cross-license!”

That’s just the start however. Patent law has a provision in it that there are triple damages for knowing infringement. Consequently, if you are in a situation where you might stumble over some stupid patent or other, don’t check to see if you might be infringing. If you don’t know you’re infringing, you might be surprised and have to pay some royalties. If you know you’re infringing, you’ll have to pay triple damages. We technologists have been lectured by our attorneys about this issue. You may think it stupid, but ignorance is a defense in intellectual property.

As a practical matter here, if you have taken some deduction that might be patented, it’s up to the patent holder to find you and shake you down. Given that tax records are considered private, that puts them at a disadvantage. If you know you’re infringing, you could get triple damages. The patent holder will probably be shaking down accountants, makers of tax preparation software, and others. They aren’t going to be shaking you down, and even if they do, a reasonable royalty on a license would be about 1%. That’s another reason they will go after the other folks.

So as stupid as tax deduction patents are, and as much as I agree with Techdirt on the rest of the article, trust me, it’s better for you to never read a patent than to read lots of them.

Photo “TaxMan” courtesy of pixieclipx.

How Long To Be Identified?

Today I spent nine (9) (no, that’s not a typo) hours in line to apply for a passport.

What happened was, since the U.S. changed the rules to say everyone’s gotta have a passport, a lot of Americans and Canadians who were used to going back and forth between the countries suddenly needed passports, and the systems are buckling under the strain. (Hmm… I wonder if Mexico’s is as well?)

My passport’s good till July, but I’m traveling a whole bunch and don’t have much time here in Vancouver. Last Monday, April 3rd, was the start of two no-international-travel weeks. I’d heard about the line-ups but had no idea, so I went down there after lunch and got in front of a human being by 3:30. She sent me away because I was applying for an expedited passport but hadn’t brought documents to prove I was traveling. When I told people this story they were astounded, saying the only way to be sure of getting in on any given day was to be waiting at 6AM when the building doors opened.

So writes Tim Bray in “Passport Hell.” I figure that if a day’s time is worth $100, and every Canadian needs to get a passport to enter the US, this will cost the 30 million people of Canada $3 billion. That’s ignoring the roughly $100 cost of each passport (total, $6 billion), and the $100 is just about minimum wage for a day. Still, it seems an awful lot to pay to make Canadians all have more bits of identification.

The photo is of Japanese Americans waiting in line, courtesy of the US government. It’s from “Camp Harmony” exhibit at UW Libraries.

[Update: clarified writing around estimates.]

[Update 2: Yoshi, in comments, calls my use of the original photo here insensitive and offensive. See the comments for my thinking; I’ve moved the photo out of the post so as not to be offensive. Apologies to those who were offended.]

Investment Opportunity of the Year

El Reg reports that Microsoft claims to be sticking to its timetable for shutting down XP.

No fewer than three people told me yesterday, “This means I have to buy that Mac Book Pro this year.” They can’t be alone. I have several co-workers running Vista on laptops, and even without the overhead of a VM, it’s slow.

Thus, an investing opportunity presents itself — buy a number of copies of XP this year, and then resell them at a profit. There are, of course, many risks in this strategy too obvious to name, but hey, money is risk.

If during the holiday shopping season, you see a run on copies of XP, take note.

Your Bribe, Should You Choose to Accept It

In the secret language of corruption in India, an official expecting a bribe will ask for Mahatma Gandhi to “smile” at him. The revered leader of the independence movement is on all denominations of rupee notes.

With rampant dishonesty ingrained in the bureaucratic culture, an anticorruption group has decided to interpret the euphemism literally by issuing a zero-rupee note.

From the Times Online, “Can this note stamp out corruption in a land where it’s the norm?” Image from India Watch. I forget who sent me the link, sorry!