Emergent Chaos

In the eight months that I was the head of security under the Andolino administration, the commissioner of the busiest airport of the world, depending on who’s taking the survey, the busiest airport in the world, never once had a meeting with the head of security for the busiest airport in the world. Never once.

Mayor Richard Daley, who appointed the former security boss, says the man is just “disgruntled.”

Daley’s comment is a fascinating confirmation. Maurer, the head of security, ought to be disgruntled if he was completely blocked from getting anything done.

And good for him for speaking out.

Audio at WBEZ and comments (quoted) from Consumerist.

In related news, “TSA told airport to issue badge to convicted robber.”

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.”

After RSA, I’ll have more to say about how it came about, how it helps you and how it helps more chaos emerge. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

Or, Security and Privacy are Complimentary, Part MCVII:

Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash the ID and credit card in front of the camera. That way, he could sell the credit card number and address of someone who had no reason to report their card as stolen. Presumably they could then use it on the internet as many sites require the billing address when using a credit card. The corporation decided that there was too much liability in a restaurant employee having access to someone’s drivers license and began specifically requesting servers to not do so except to verify that the person was of legal drinking age. (“How I Learned To Start Worrying And Hate Showing My ID“, Consumerist)

I hadn’t thought about this particular aspect of stealing credit cards. It seems pretty helpful to have address and date of birth. When I think about this, the chaotic nature of how those around us accumulate and use information is hard to predict or track. There’s a value of minimal disclosure here. It’s yet another example of how protecting privacy protects security as well. Asking people to be aware of what emerges from the chaotic swirl of information is expensive.

Historically, the card brands have demanded that their cards be honored based only on the card system. They used to back you if a store asked for ID. As the system has come under attack, they’ve backed away from that, but the current state is hard to discern.

Consistency is an important part of how people form mental models. The whole world is making different demands about what’s secret (is your address a security string? Your frequent flyer number? The first street you lived on?) The demands banks and merchants are changing rapidly from a consumer perspective. (Quick, do you know what the CARD act changes?) When the rules for consumers are chaotic, what emerges is misconceptions, superstition and best practices.

In the world of security, we’re going to have to work hard to provide a comprehensible set of workable and effective advice for people to follow.

When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars.

When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars.”

So if you’re not familiar with Saltzer and Schroeder:

Let me start by explaining who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schoeder wrote a paper “The Protection of Information in Computer Systems.” That paper has been referred to as one of the most cited, least read works in computer security history. And look! I’m citing it, never having read it.

If you want to read it, the PDF version (484k) may be a good choice for printing. The bit that everyone knows about is the eight principles of design that they put forth. And it is these that I’ll illustrate using Star Wars. Because lets face it, illustrating statements like “This kind of arrangement is accomplished by providing, at the higher level, a list-oriented guard whose only purpose is to hand out temporary tickets which the lower level (ticket-oriented) guards will honor” using Star Wars is a tricky proposition. (I’d use the escape from the Millennium Falcon with Storm Trooper uniforms as tickets as a starting point, but its a bit of a stretch.)

Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency.

In this occasional series, we present ways in which they compliment each other. In this issue, the Financial Times reports that “Hackers target friends of Google workers:”

Personal friends of employees at Google, Adobe and other companies were targeted by hackers in a string of recently disclosed cyberattacks…The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.

If friends lists were not being aggregated, this attack would have been harder to execute. How much harder is tricky to judge without more information about possible attack vectors.

Also, this is a nice example of the sort of externality that Facebook imposes on the networks of their users. Because Facebook exposes the fact that we’re friends, I have to treat communications from my friends with more suspicion.

Orr Dunkelman, Nathan Keller, and Adi Shamir have released a paper showing that they’ve broken KASUMI, the cipher used in encrypting 3G GSM communications. KASUMI is also known as A5/3, which is confusing because it’s only been a week since breaks on A5/1, a completely different cipher, were publicized. So if you’re wondering if this is last week’s news, it isn’t. It’s next week’s news.

The paper isn’t up on IACR’s Eprint archive yet, but copies of it are circulating around privately. I’m writing about it with Adi Shamir’s permission.

KASUMI is a modified version of the MISTY cipher. The KASUMI designers made MISTY faster and more hardware friendly by changing the key schedule and modifying some internal parameters. However, they also made it vulnerable to related key attacks.

Of all the weaknesses that a cipher can have, related key attacks are the ones to worry about least. Operationally, crypto engineers know that they should never reuse keys and when in doubt just pull another one off of the random number generator. Consequently, this doesn’t mean that the guys at Weizmann Institute of Science are listening to 3G calls.

Nonetheless, related key attacks are bad to have because implementers do screw up, and related key attacks indicate that the cipher designers didn’t have as tight a handle on things as they thought they did. It is no cause for panic, but it is no cause for either warmness or fuzziness (particularly since the DKS team point out that the KASUMI designers wrote that they’d taken care of related-key issues when they simplified MISTY into KASUMI).

Moreover, the attack here is completely practical. Here is a quote from the abstract:

In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^?14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 2²⁶ data, 2³⁰ bytes of memory, and 2³² time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the 2¹²⁸ complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem.

It will be interesting to see the response from the GSM Association. They have the opportunity to show leadership. If they recognize that this is a real problem, reassure us that it’s not a catastrophe, and show that they’re taking it seriously, then this can be an all-around good thing for them and us.

We’re all adults (well, okay, most of us are adults and act like adults some of the time), and if we know that there will be an upgrade in a few years, then that’s great. We lived through the WEP issues. We are living through the SSL evil proxy issues. This is less acute than either of those. But we need to have some assurance that in a few years, we’ll just get wireless devices with a safety net. Their challenge is to have a response before this news metastasizes into a common perception that 3G crypto is worthless.

Photo “bag_contents” courtesy of openfly. Selected because it looked good and it was the only photo that came back on a search of “3g crypto.”

The paper is here.

The very sane opening paragraph is:

On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve (NFS, [19]). The number RSA-768 was taken from the now obsolete RSA Challenge list [37] as a representative 768-bit RSA modulus (cf. [36]). This result is a record for factoring general integers. Factoring a 1024-bit RSA modulus would be about a thousand times harder, and a 768-bit RSA modulus is several thousands times harder to factor than a 512-bit one. Because the first factorization of a 512-bit RSA modulus was reported only a decade ago (cf. [7]) it is not unreasonable to expect that 1024-bit RSA moduli can be factored well within the next decade by an academic effort such as ours or the one in [7]. Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years.

It’s an interesting read if factoring fascinates you.

As I simmer with anger over how TSA is subpoening bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways:

• Failures are rare
• Partial failures are generally secret
• Actual failures are analyzed in secret
• Procedures are secret
• Procedures seem bizarre and arbitrary
• External analysis seems to show that the procedures are fundamentally flawed
• Those charged with doing the work appear to develop a bunker mentality

In this situation, anyone can offer up their opinions, and most of us do.

It’s hard to figure out which analysis are better than others, because the data about partial failures is harder to get than opinions. And so most opinions are created and appear equal. Recommendations in airline security are all ‘best practices’ which are hard to evaluate.

Now, as Peter Swire has pointed out, the disclosure debate pivots on if an attacker needs to expose themselves in order to test a hypothesis. If the attacker needs to show up and risk arrest or being shot to understand if a device will make it through a magnometer, that’s very different than if an attacker needs to send packets over the internet.

I believe much of this swivels on the fact that most of the security layers have been innocently exposed in many ways. The outline of how the intelligence agencies and their databases work is public. The identity checking is similarly public. It’s easy to discover at home or at the airport that you’re on a list. The primary and secondary physical screening layers are well and publicly described. The limits of tertiary screening are easily discovered, as an unlucky friend discovered when he threw a nazi salute at a particularly nosy screener in Amsterdam’s Schiphol airport. And then some of it comes out when government agencies accidentally expose it. All of this boils down to partial and unstructured disclosure in three ways:

1. Laws or public inquiries require it
2. The public is exposed to it or can “innocently” test it
3. Accidents

In light of all of this, the job of a terrorist mastermind is straightforward: figure out a plan that bypasses the known defenses, then find someone to carry it out. Defending the confidentiality of approaches is hard. Randomization is an effort to change attacker’s risk profiles.

But here’s the thing: between appropriate and important legal controls and that the public goes through the system, there are large parts of it which cannot be kept secret for any length of time. We need to acknowledge that and design for it.

So here’s my simple proposal:

1. Publish as much of the process as can be published, in accordance with the intent of Executive Order on Classified National Security Information:
   

   “Agency heads shall complete on a periodic basis a comprehensive review of the agency’s classification guidance, particularly classification guides, to ensure the guidance reflects current circumstances and to identify classified information that no longer requires protection and can be declassified,”

   That order lays out a new balance between openness and national security, including terrorism. TSA’s current approach does not meet that new balance.

2. Publish information about failed attempts and the costs of the system
3. Stop harassing and intimidating those like Chris Soghoian, Steven Frischling or Christopher Elliott who discuss details of the system.
4. Encourage and engage in a fuller debate with facts, rather than speculation.

There you have it. We will get better security through a broad set of approaches being brought to the problems. We will get easier travel because we will understand what we’re being asked to do and why. Everyone understand we need some level of security for air travel. Without an acrimonious, ill-informed firestorm, we’ll get more security with less pain and distraction.

Since there’s been so much discussion about the Chrismas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground.

This is a failure for the terrorists. A big one. Think about it; put yourself on the other side of the chessboard and read this movie-plot description. Yemeni Al Qaeda has a newly-radicalized, rich engineering student who wants to strike a blow against the evilness of George Clooney and Vera Farmiga. Despite being ratted out by his father, the student gets a visa, likely because he’s “wealthy, quiet, unassuming.” Using the very clever tactic of getting on a plane in Africa and transferring onto an American flight, he has one of the most powerful high explosives known sewn into his pants. Before landing in MoTown, he — fails to detonate it. Think about that again. An engineering student from one of the best universities in the world fails to set off a bomb in his lap. Worse, he ended up with a fire in his pants, leading to many humiliating jokes.

Fail, fail, fail. Epic fail. Face-palm-worthy epic fail. Worse, the US is sending counter-terrorism folks to Yemen to help find the people who planned this epic failure. For them, this is just bad, and about as bad as it gets. Supposedly, recruit these guys with promises of a half-gross of virgins, not with burning their nuts off. Ridicule is one of the most powerful forces there is, and this is deserved.

On top of this, now that the would-be bomber has been captured, he is singing like the proverbial canary. So that means that the planners really should be looking for new places to stay, because even their allies will want to purge losers from their ranks, or at least not take the fall for them.

Yet, all is not lost for the forces of terrorism. The world’s security services have panicked and instituted to security procedures that will actually make it easier for the next person by setting up rules that everyone’s supposed to stay in their seats in the last hour of flight. But that’s pretty slim pickings for them. It’s not even as good as the one-last-shocker in the traditional horror film.

Defense-in-Depth Works. The major problem in fighting terrorism is that the fraction of figure to ground is between six and nine orders of magnitude. If you look at it as a signal processing issue, that’s -60 to -90 decibels of signal in noise.

Any detection system has to deal with false positives and false negatives. In the counter-terrorism biz, that means you have to deal with the inevitability that for every terrorist, you’ll be stopping tens if not hundreds of thousands of innocents. And remember as well, the times that the terrorist is not actually on a terror mission, they’re innocents.

So yeah, the guy was on a watch list. So are a million other people. (And yes, this is a reason why we need to trim the watch list, but that’s a different issue and has a different set of problems.) (And yes, yes, those million other people are only the US citizens on the list.) This still leaves the problem of what they’re supposed to do when some rich guy complains that his son has fallen in with the wrong crowd.

Here are some hard questions: Do we search every kid who pissed off a relative? Do we search everyone who ever went to Yemen? Damascus? How about people who change planes? Travel in carry-on? Have funny underwear?

The answer is that we can’t do that, and even if we do, we merely teach the bad guys how to adapt. The point of defense-in-depth is that you stack a series of defenses, each of which is only a partial solution and the constellation of them works, not any given one. Airport screening worked some — he didn’t get in a good detonator. Passenger resistance worked some — once there was a firecracker-like explosion and a fire, they saved the plane. Defense-in-depth in toto worked.

This is not the reason to disband DHS. This is not the reason to sack Napolitano. Note that I did not say that DHS shouldn’t be disbanded. Nor did I say that Napolitano shouldn’t be sacked, merely that if you’re looking for a reason, this isn’t it.

If we look at what happened and think about what we could do better, DHS isn’t involved. The visa issue is the one to examine and DHS doesn’t give out visas, State does.

My criticism of DHS is that they flinched. They’ve put up these brain-dead stupid policies that are going to annoy travelers and are as likely to make us less safe, not more safe. They should have said that the system worked and there will be no changes so have a happy new year and stay calm.

I am willing to cut them a bit of slack, but if they don’t change their tune to “Keep Calm and Carry On,” then there will be a reason to start demanding heads. Sending people to Yemen was the right response. No headphones on the plane is the wrong one.

If DHS and TSA want to give people reason to call for firings and disbandings, they should keep doing what they’re doing now, not then.

Life is Risk. Keep calm and carry on is good advice for the rest of us, too. The vast majority of us are more likely to be struck by lightning while being eaten by a shark than we are to be a victim of a terrorist. Nonetheless, there are bad, crazy people out there. Sooner or later, no matter what we do, somethings’s going to happen. A plane will go down, a ship will have a bomb on it, a train will be attacked, or something will happen.

The actual risk of terrorism is so low that most adaptations are worse than the threat. More people died in traffic accidents as a result of shunning airplanes after 9/11 than in the actual attacks. After those attacks, the best terrorist second punch would have been a simple suicide bomber in the airport security lines.

When we wring our hands because we think that risk should be zero, we’re part of the problem, too. Schneier is right: we need more investigation and counter-terrorism and less security. Kudos to CNN and Maddow for airing a bit of reason.

So we should all thank our lucky stars that PETN isn’t as easy to detonate as we’re told. We should thank the same stars for passenger resistance. And we should breathe a sigh of relief for an incident that was botched so badly it’ll make others think twice or three times or more. And while you’re at it, don’t play with sharks in a thunderstorm.

For some time, I’ve watched the War on Bottled Water with amusement. I don’t disagree with figuring out how to reduce waste, and so on and so forth, but the railing against bottled water per se struck me as not thought out very well.

The major reason for my thinking is that I never heard any of the venomous railing against water extending to any other drinks that come in bottles. To my mind, it seemed that a Coke, hey, that’s okay, but if you start with one and take out the sugar, the caffeine, the artificial flavors, and CO₂ you end up with water. Coke okay, water evil.

Me, sometimes all I want is a cool drink of water. More often, I want something a little more. I’m very fond of those fizzy waters with a bit of essential oils in them, as well as iced tea. But I don’t want the sugar. I want an artificial sweetener even less, and often when faced with decisions, water is what’s available. When I’m traveling nearly anywhere, I think I’d rather have it in a bottle, thanks.

The prejudice against water comes from thinking that it’s just water. Rarely is there such a thing as just water. The only just water there is is distilled (or in a pinch deionized) water, and that is itself special because it is unusual for something to be just water.

And now, I can’t help but think, “Uh huh” as I read, “Millions in U.S. Drink Dirty Water, Records Show.”

The summary is that more than 20% of US water treatment systems have violated key provisions of the Safe Drinking Water Act over the last five years. The violations include sewage bacteria, known poisons and carcinogens, parasites, and so on. Mid-level EPA investigators say that the government has been interested in other things and just not enforcing things, and they don’t think change will happen.

Security isn’t just going after terrorists, it’s basic thing. Like water.