Fake Fish and Security

fish on a dish.jpg
There was a very interesting article in the New York Times, “Fish Tale has DNA Hook,” in which two high school students used DNA testing to discover that nearly 1/4 of the sushi they tested and identified was mis-labeled. The article only identifies one of the vendors:

Dr. Stoeckle was willing to divulge the name of one fish market whose products were accurately labeled in the test: Leonards’ Seafood and Prime Meats on Third Avenue. John Leonard, the owner, said he was not surprised to find that his products passed the bar code test. “We go down and pick the fish out ourselves,” he said. “We know what we’re doing.” As for the technology, Mr. Leonard said, “it’s good for the public,” since “it would probably keep restaurateurs and owners of markets more on their toes.”

I was amused by this, but Robin Hanson had an interesting comment:

This is a huge fraud rate. Will diners continue to tolerate it? Probably, yes – I suspect diners care more about affiliating with impressive cooks and fellow diners than they do that fish is correctly labeled.

I think that there’s a related phenomenon in software security. It’s hard to accurately identify secure or insecure software. It’s usually easier to look at other elements of what makes a program useful. Which makes for a very fishy market.

Photo: “Dinner at Masa: O! Fishy fishy fishy fish” by mobil’homme.

“Secure Flight” now part of the Bush Administrations Legacy

We welcome the Bush administration’s continuing dedication to excellence and security in developing clear and appropriate rules to prevent terrorists from flying:

In this respect, there are major discrepancies between the (nonbinding) description at the start of the regulatory notice issued today, and the actual regulations that follow it (the last 20 pages of the notice).

The essence of the Secure Flight final rule would be to (1) impose a new, two-stage, requirement for all would-be air travelers to obtain government permisison to fly, first in the form of a discretionary government decision to issue an acceptable form of identification credential and second in the form of a discretionary decision to send the airline a “cleared” message authorizing a specific person to board a specific flight, and (2) require all would-be air travelers to provide identifying information to the airline and the government prior to each flight.

We applaud the government’s long-lasting impact on Americans. The Bush presidency, from the price of gasoline to the permission to fly system announced today, to license plate scanners on the Seattle ferries, has left a mark on the Republic like few presidencies in history.

Canadian Privacy and Private Action

In reading Arthur’s post on “Canadian PM FAIL,” I was thinking of the odds that this would be investigated and dealt with under Canadian privacy law. Now, I’m not an expert on that, but my recollection is that the main private sector law, PIPED complements a Federal Privacy Act which would likely be the relevant law for the office of the Prime Minister. I also recall that neither law contains any sort of right of private action.

So, will the Privacy Commissioner investigate? She has limited resources, and perhaps she doesn’t see this the way that Arthur does, “there are few groups who care less for this sort of tracking than Jews.” Perhaps she has other priorities. (Does anyone know if a formal complaint has been filed?)

Regardless of if the Commissioner investigates, I think there’s value to society in allowing citizens to balance government, rather than having to act as supplicants, asking one department to investigate another. The ability to act as a party in a case can be a powerful balancing factor.

Buffer Overflows and History: a request

overflow.jpg

One of my long-term interests in security is the ongoing cost of secrecy. My current favorite example is the stack smashing buffer overflow. These were known and understood no later than 1972, and clearly documented in the Computer Security Technology Planning Study:

The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine. (Page 61)

I believe that more open discussion of the technique by Aleph One led to a variety of defensive techniques getting baked into compilers and operating systems. Those defenses are now widespread, and it’s getting hard to find a stack smashing attack 10 or so years later. Had we not let the problem fester in secret, we’d be better off.

I’ve been told that the Bendix G-20 and the Burroughs B5500 had hardware level protection against buffer overflows as an intentional security mechanism. That is, there was an understanding that user supplied data could alter the flow of control.

I’m wondering if this is documented as clearly as the statement in the Security Technology Planning Study. It is very clear what the attack is and what the impact is. I’ve spent some time looking for a similarly clear published statement about one or the other of those machines. (Or heck, even a clear statement of the stack smashing attacks, rather than fuzzy statements about problems.)

Can you help me find such a thing?

Photo: Overflowing Glass 3, by nosheep on Stock.xchng.
[Update: We’ve got very interesting debate flowing in the comments.]

Discipline and Art

Stephan Bugaj has a fascinating article up, “Steve Kurtz: Tactical Art.” I wanted to tie this to my post “The Discipline of ‘think like an attacker’

Kurtz only briefly mentioned his four year ordeal with the Department of Justice (this is also a good article about it), and only as a single exemplar of his overall thesis that the role of art is to push back against the social mechanisms of what he’s termed “expression management.”

In staging this mock bioweapon release in front of the U.S. Embassy, what Kurtz found was that his own internal microfascisms were causing him to attempt to derail his own project by listing things he was sure they wouldn’t be allowed to do: march and then assemble in front of the embassy, then use a city tower to release the smoke with the (harmless) biological sample in it, and then bring skin samples from the participants to a lab for testing.

What he found instead was that the Leipzigers, despite Germany’s decades longer ordeal with terrorism (from not just Islamists, but also neo-Nazis and Communists), were quite willing to support the project. When the sponsoring Leipzig arts institution asked, the city gave them use of the tower, and permission to march to and in-front of the embassy, with no fuss. The biological laboratory in the city was equally obliging.

It’s a very interesting post about the intersection of art with ‘the policeman within.’ The lecturer in question has certainly had enough encounters with the policemen to have developed an interesting orientation towards their relationship with society.

In security engineering work, we often have to overcome internal filters, such as “why would anyone do that?” I think that powerful art, like that of Banksy or Wendy Richmond has an ability to transform the way we see the world for the better. It’s a shame when our artists need to contend with arrest for doing things which are not illegal, but merely confusing to our armed public servants.

Previously on Emergent Chaos: Banksy on anonymity, England, and Disneyland.

Buffett Vs Paulson

I was listening to Joseph Stiglitz on NPR this morning, and he had a very interesting comparison. (Quoting from an op-ed in the Guardian):

For all the show of toughness, the details suggest the US taxpayer got a raw deal. There is no comparison with the terms that Warren Buffett secured when he provided capital to Goldman Sachs. Buffett got a warrant – the right to buy in the future at a price that was even below the depressed price at the time. Paulson got for the US a warrant to buy in the future – at whatever the prevailing price at the time. The whole point of the warrant is so we participate in some of the upside, as the economy recovers from the crisis, and as the financial system starts to work.

The Paulson plan responded to Congress’s demand to have something like a warrant, but as a matter of form, not substance. Buffett got warrants equal to 100% of the value of what he put in. America’s taxpayers got just 15%. Moreover, as George Soros has pointed out, in a few years time, when the economy is recovered, the banks shouldn’t need to turn to the government for capital. The government should have issued convertible shares that gave the right to the government to automatically share in the gain in share price.

He also mentioned (as I recall) that Buffett got an end to dividend payments during the crisis and a higher deferred payment than Paulson imposed.

Interesting listening.

The Costs of Secrecy

Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge.


Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” In it, they look at how phishing sites are taken down, and estimate how much faster it would be if there were better sharing of data. From their blogpost:

Since extended lifetimes equate to more unsuspecting visitors handing over their credentials and having their bank accounts cleaned out, these delays can also be expressed in monetary terms. Using the rough and ready model we developed last year, we estimate that an extra $326 million per annum is currently being put at risk by the lack of data sharing. This figure is from our analysis of just two companies’ feeds, and there are several more such companies in this business.

I haven’t had time to read the paper in depth, but I have a lot of respect for both Richard and Tyler. Have you read the paper? Impressions? (Here or on their blog.)

Investing in the finance crisis

The Wall Street domino has toppled just about everything in sight: U.S. stocks large and small, within the financial industry and outside of it; foreign stocks; oil and other commodities; real-estate investment trusts; formerly booming emerging markets like India and China. Even gold, although it has inched up lately, has lost 10% from its highs earlier this year. Not even cash seems entirely safe, as money-market funds barely averted a “run on the bank.”

So reads the Wall St Journal’s “Intelligent Investor” for September 30th. Me, I’ve paid off my car loan–I figure JPMorganChaseLehmanWashigtonMutual could really use some more cash, and it’s a guaranteed 6% for me.

But that was my last debt, which means that I have no other safe returns. As I think about the crisis, one element that jumps out is how poorly the financial sector has matched money to risk. But I figure I might be able to do better. So I started looking at the well-publicized Kiva, to make loans, but it seems that these loans are all of the ‘feel-good’ variety, which is to say there’s no premium or return. And while I might place some money through Kiva for feel-goodness, I don’t want my best outcome for investing to be “and I don’t lose money.” So I’m looking at organizations like Prosper or Zopa (personal loans) or Fynanz (student loans).

I like the dis-intermediation aspects of these services and their chaotic and libertarian nature. Do any of our readers have experience with these, or services like them? Should I instead look to loan to people I know?

It seems that as the entire financial system of the US is consolidated into three institutions, there’s room and demand for some interesting and new structures to emerge from the chaos.

Elections Are Done For Me

I Think I Voted

Forty Percent of California voters are “permanent absentee” voters. Oregon runs entirely by mail-in votes. Other US states have some sort of mail-in or absentee status that people can assign themselves to.

For those people, including me, elections are a slice of time that ends on election day. This isn’t new, until relatively recently, it all worked that way. You couldn’t expect everyone to all be in town on that one day. It is only urbanization that allows us to have elections be an event rather than a process. I sat down last night and waded through the whole mass of offices, measures, and initiatives. I have now completed my civic duty.

This is probably a good idea, as many of the issues with voting and counting votes and securing them have in their model that it has to be done on one day, and as quickly as possible after the polls close. It improves security and accountability to allow and encourage people to vote over an interval of a few weeks.