Interesting Windows Security Issue

Note that I didn’t say security hole nor security flaw, that was intentional. The nerd part of my brain has been working in overdrive as of late which means I’ve been looking into geeky things. One thing that always intrigues me is the field of security. Well I found the following story on Wired that talks about a security issue in SSL/TLS (The security mechanisms used prominently by web browsers to secure web pages). The article leads to a “no duh” paper that shows how government entities can use their power to subvert SSL/TLS security by coercing certificate authorities into issuing valid certificates (Anybody who knows how SSL/TLS works already knew this was a possibility).

The part that interested me most was an excerpt from one of the cited sources in the paper. See back in the day there was some kerfuffle over the fact that Microsoft included a couple hundred trusted root certificates in their operating system. Root certificates are what ultimately get used to validate a certificate issued to a website. Thus root certificates are the ultimate “authority” in determining if a website you are visiting is valid or not. The more root certificates you have the larger the possibility of a malicious certificate being certified as trusted (Statistically speaking of course. This assumes that with more root certificates the possibility of one of those root certificate “authorities” being corruptible increases). Anyways Microsoft eventually trimmed down the number of root certificates included in their operating system. But they didn’t actually cut down the number of certificates because according to their own developer documentation:

Root certificates are updated on Windows Vista automatically. When a user visits a secure Web site (by using HTTPS SSL), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate, the Windows certificate chain verification software checks the appropriate Microsoft Update location for the root certificate. If it finds it, it downloads it to the system. To the user, the experience is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically, behind the scenes.

Microsoft just pulled a security theater here. They didn’t cut down the number of trusted certificates, they just moved them somewhere people wouldn’t see them. If you connect to a web page that has a certificate that can’t be validated against a root certificate Windows will automatically go out to Microsoft’s servers and see if a root certificate there will validate the web site’s certificate. If one of those root certificates will validate the web site certificate it is downloaded onto your machine automatically and the site is listed as trusted. In essence Windows trusts more root certificates than it lets on.
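To see the gap described above on a real machine, this added PowerShell example (not from the original post or from Microsoft) compares the roots installed locally with the roots Microsoft distributes through Windows Update. It assumes a Windows host with certutil.exe and network access to Windows Update; the output file name is an arbitrary choice.

```powershell
# Added example: audit the difference between the roots visible in the local
# store and the roots Windows can pull in on demand from Windows Update.
$ErrorActionPreference = 'Stop'

# 1. Check whether automatic root update is disabled by policy.
#    DisableRootAutoUpdate = 1 means Windows will NOT fetch roots on demand.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyKey -Name 'DisableRootAutoUpdate' `
    -ErrorAction SilentlyContinue
$autoUpdateDisabled = ($null -ne $policy) -and ($policy.DisableRootAutoUpdate -eq 1)

# 2. Collect thumbprints of the roots already installed on this machine.
$localRoots = Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot' |
    Select-Object -ExpandProperty Thumbprint -Unique

# 3. Ask certutil to download the Microsoft-distributed roots into a
#    serialized store (.sst) file. The file name here is an assumption.
$sstPath = Join-Path $env:TEMP 'wu-roots.sst'
& certutil.exe -generateSSTFromWU $sstPath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed with exit code $LASTEXITCODE"
}

# 4. Load the .sst file into memory without installing anything.
$remoteRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$remoteRoots.Import($sstPath)

# 5. Roots that would be trusted on demand but are not installed locally.
$onDemandOnly = @($remoteRoots | Where-Object { $localRoots -notcontains $_.Thumbprint })

# Summary: how large is the trust set compared with what the store shows?
[pscustomobject]@{
    AutoRootUpdateDisabled = $autoUpdateDisabled
    InstalledRoots         = @($localRoots).Count
    DistributedRoots       = $remoteRoots.Count
    TrustedOnDemandOnly    = $onDemandOnly.Count
} | Format-List

# Detail: the roots a user would never see until they are silently installed.
$onDemandOnly |
    Sort-Object -Property Subject |
    Select-Object -Property Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize

if ($autoUpdateDisabled) {
    Write-Output 'Automatic root update is disabled: only the installed roots are trusted.'
} else {
    Write-Output 'Automatic root update is enabled: the on-demand roots above are also trusted.'
}
```

With automatic root update enabled, the trust decision is made against the installed roots plus every root in the "on demand only" list, which is the larger set the post is talking about.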

So what does this mean? Well it means the window for having corrupted root certificate authorities is larger. With the exception of Firefox all major web browsers depend on the underlying operating system’s root certificate store to validate web pages (Firefox actually ships with its trusted root certificates and uses its own store as opposed to the underlying operating system’s). This also gives two potential locations to place a malicious root certificate. If an attacker was able to gain access to Microsoft’s online root certificate store and upload their own root certificate any SSL/TLS page they created using that root certificate for validation would show as trusted in all versions of Windows (Firefox still would show the site as untrusted). Granted the window for this attack would be small as Microsoft would most likely find it almost immediately and remove it. Likewise the likelihood of such an attack occurring is very small considering the short time frame it would be valid for. But it’s an interesting thing to ponder regardless. Additionally the same attacker could create a binary of Firefox with the same malicious root certificate included and make it available for download causing the same problem for Firefox users.

No matter what operating system or browser you use the validity of SSL/TLS connections eventually requires that you trust somebody (Which goes against the trust no one security motto). The question here is who are you willing to trust. Only you can determine that but knowing how a security system works and how it’s implemented are important in making that decision. Anyways I just thought that was interesting.

The Weak Link in Computer Security

People often talk about the inherent lack of security in Microsoft Windows and Internet Explorer. Very seldom does anybody talk about the weakest link in computer security, the users. In the latest Pwn2Own contest, a contest where participants attempt to break into various computers to win them, 64-bit Windows 7, Mac OS X, and even the iPhone all fell. But there was a common theme running here, none of the systems fell to a direct attack.

All the hacked systems were broken into via exploits in their web browsers. Internet Explorer 8 and Firefox 3.6.2 were used to break into the 64-bit Windows 7 systems while Safari was used to break into both Mac OS X and the iPhone. Each browser was broken into by crafting a malicious web page and having the users of the system navigate to it.

But once again none of the systems at this contest were broken into without the need for human interaction. This brings up the fact that human beings are now the main component being attacked (Granted it’s been like this since the dawn of computers). The only way to protect yourself is through education. Do not click on random links that people send you regardless of whether you know them or not. It’s a simple thing to learn really but the motto in security is trust no one and you should follow that slogan when on a computer.

And People Want This Stuff in Their Cars

One thing people seem to clamor for more and more are methods of tracking and disabling cars remotely. Usually people talk about wanting to be able to track their car and disable it if it gets stolen. There are various methods of implementing such a device allowing for these things to be done via SMS or a web page. Of course companies that make these devices promote them as enhanced security and peace of mind. Parents love the idea of being able to track their teenager’s every move. The problem made apparent by Bruce Schneier is such devices are double-edged swords:

More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.

Oh yeah and the part to concern yourself with:

Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.

Any device that you can use to remotely disable your vehicle can be used by somebody else as well. In this case the devices were put into place by banks since the people buying the cars had been delinquent on payments. But after the WAY over-blown Toyota fiasco there is a lot of talk by government officials about requiring automobiles to be equipped with black boxes. If the government does that you can bet money they will also put in a remote kill switch.

Web Scam From Formerly Honest Commerce Sites

Further proof people are out there trying to scam you out of your money. I heard about this little fiasco a while ago but never knew which sites were helping in it.

This article on CNet does a good job covering the actual scam. But to sum it up in a small bit of information it’s this. When you go to a website signed up with a company called WebLoyalty a pop-up appears asking you if you want to receive a coupon for your next purchase. All they ask you to input is your e-mail address.

Well when you do that they begin charging your credit card every month. See the companies listed on the previous link give your credit card information to WebLoyalty who give that said company a cut of the monthly charge. The surprising thing is the names of the companies on this list. It’s not just a series of no-name retailers. Here is a list from the article linked:

Partners Paid Over $10 Million

1-800-Flowers.com
Buy.com
Classmates.com
Columbia House
Confi-Check
Expedia/Hotels.com
Fandango
FTD
Hotwire
InQ
Intelius
MovieTickets.com
Orbitz
Priceline
Redcats USA
Shutterfly
Travelocity
US Airways
VistaPrint

Partners Paid Between $1 and 10 Million

1-800 PetMeds
Adteractiv
Airtran Airways
Allegiant Air
Allposters.com
American Greetings
Auto Parts
Avon
Barnes & Noble
Bizrate.com
Bookspan
Boston Apparel Group
BuySeasons/Celebrate Express
Campusfood.com
Cendant Intercompany Agreements
Channel Advisor
Cheap Tickets
Choice Hotels
CollectionsEtc.com
Continental Airlines
Currents USA (123 Prints)
Custom Direct
Digital River
Dr. Leonard’s
Drugstore
eHarmony
eTix
eToys
Fareportal
FragranceNet
From You Flowers
FTD Florists Online
Gamestop/EBgames
Gevalia
Haband
Half.com
Hanover Direct
Hertz
HiSpeed Media
Infinity Resources
J.C. Whitney
Joann.com
Lillian Vernon
Live Nation
Marketworks
Miles Kimball
Musicnotes
MyLife.com
MyPoints
Pizza Hut
Potpourri
Restaurants.com
Riverdeep
Shoebuy
Simplexity
Spirit Airlines
Suresource/Americart
Thompson Group
Tiger Direct
TimeLife
True.com
True Credit (True Link)
Upsellit.com
US Search
Victoria’s Secret
Vitacost
WayPort
West
Yahoo

You may ask why this scam works since the charges appear on your credit card statement every month. It works because nobody checks those. This scam here is a good lesson to always check EVERY item on your credit card bill.

Of course now there’s talk of legislative action yadda yadda. Really it’s another pony show by legislators to make people think they’re doing something. In all honesty if you aren’t checking your credit card bill every month and disputing things you didn’t buy this is on your hands.

AES Encryption Explained with Stick Figures

As most of you guys have figured out by now I like security. Being I like security I find the AES encryption scheme to be very useful as it’s a scheme that, as of yet, doesn’t have a practical attack against it. This is rather funny considering how simple the implementation of AES is (the algorithm itself, implementing it in code correctly isn’t quite so easy due to unforeseen attack vectors being introduced by poor implementation).

So how simple is it? Simple enough where the entire algorithm can be explained with a stick figure comic strip. A hat tip goes to Bruce Schneier’s blog for this one.

Quantum Computers Aren’t Magic Either

Let it be shown that “super intelligent” talk does occur on gun forums. And by “super intelligent” I mean buzz word laden talk about theoretical topics that really have no bearing on modern society yet. In the computer science world quantum computers are the big next thing buzz word. They are based on a technology few have any understanding of (quantum theory) and therefore are perfect devices to make insane claims. One of these insane claims is that quantum computers will instantly destroy all modern cryptography methods and instantly make the entire security structure of the universe collapse causing the world to end.

Case in point Secure Socket Layer (SSL) is a security scheme used by most financial institutions to prevent prying eyes from seeing what you’re doing while on your bank’s web site. More or less it just sends normal Hyper Text Transfer Protocol (HTTP) data through an encrypted tunnel which should be impossible for an outside person to see. In actuality this isn’t the case and there are functional attacks against SSL but they involve vulnerabilities in the protocol itself not the encryption being used. The previously mentioned end of the world claims would be direct attacks against the encryption itself.

Well like most over the top fear mongering done about poorly understood theoretical technology, the fear that quantum computers will make modern encryption schemes useless is far from factual. An article I found via Bruce Schneier’s blog does the math for us and shows that quantum computers aren’t anything to fear.

Quantum computers could in fact speed up the time it takes to decrypt modern encryption schemes but there are two major things to note. First of all quantum computers are in their pre-infancy, meaning they are still in the extremely experimental stages. The post I linked to in Schneier’s blog is about how they were able to finally factor the number 15 using a quantum computer. Note the number 15 was chosen because it is a special case and can be represented by a specific form (discussed in the Emergent Chaos article I linked to). Factoring the primes of any number is not currently feasible with quantum computers.

The second thing to note about quantum computers is that they will start out slow and have to build up speed so to speak. The first quantum computers will be extraordinarily slow at performing the tasks given to them just like modern semi-conductor computers once were. They will have to be developed over time to make them faster and better suited to perform the tasks put before them.

Currently RSA keys of 4096-bits in length are the largest supported by most software programs. According to the linked Emergent Chaos article if everything advanced as quickly in the quantum computer field as it has in the semi-conductor field 4096-bit RSA keys wouldn’t be broken until 2053. Assuming quantum computers advanced much quicker these keys would still be viable for 25 years.

Likewise with current computing technology 4096-bit RSA keys are calculated to be safe until 2060. That means if quantum computers advance as quickly as current computers they would be able to break 4096-bit RSA keys only 7 years ahead of modern computers. This demonstrates that getting our knickers all in a bunch over emerging technologies is once again premature at best. Computers are not magical machines capable of any feat put before them, they are machines based on the reality they have been built in meaning they can only do tasks in the realm of their capabilities. The sooner people realize this the better.

Movement to Get Britain to Apologize for Persecution of Turing

If you’re in the computer science circle you will know the name Alan Turing. Mr. Turing is considered by many to be the father of computer science. His claims to fame are laying the ground work for computing in general, helping defeat the Nazi Enigma cipher scheme, and coming up with a scientific method to determine if machines can think (called the Turing test).

But he was gay and back in the era of World War II that wasn’t considered acceptable. After helping win World War II this is how he was treated:

In 1952 Turing was prosecuted under the gross indecency act after admitting to a sexual relationship with a man. Two years later he killed himself.

Of course when there is prosecution there is punishment:

Alan Turing was given experimental chemical castration as a “treatment” and his security privileges were removed, meaning he could not continue work for the UK Government Communications Headquarters (GCHQ).

Well there is now a movement to get the British government to apologize for their persecution. I don’t know if it will go through but I’d like to see those British royals have to apologize for treating a war hero this way.

And yes I call him a war hero even though he didn’t fight on the front lines. He was paramount in breaking the Nazi communication cipher scheme. Breaking this scheme ultimately helped us win the war since we were able to decipher and read their communications. An apology by the British government for persecuting somebody who helped save their little island is the least they could bestow upon Mr. Turing.

The Blame Game Episode 1, Blaming the Cat

Ah yes the blame game, one of America’s favorite games to play. The rules are simple: screw up and find somebody or something besides yourself to blame it on. The screw up is called as such and the object of blame is called the excuse. The more idiotic the excuse the more points you receive. But here is the trick: you need to pass the excuse and have other people believe you, if you fail to make something believable you lose instantly.

Today’s contestant is Keith Griffin. He is 48 years old and hails from Jensen Beach, Florida. His screw up is downloading child pornography, approximately 1,000 images worth. At stake is possible life in prison, registry as a sex offender, and being anally raped in prison by a guy named Bubba. He is currently being held on $250,000 bail. So what’s his excuse?

His excuse is he often leaves his computer running and unattended. While the computer is unguarded his cat will walk across the keyboard causing the computer to download strange stuff.

That’s it. As far as points go he nabs a great many for the stupidity of his excuse. It’s crazy and off the wall as can be while certainly stretching the truth past its limits. The only problem is it’s completely unbelievable and there is no way in Hell he’s going to convince a jury of this unless the entire jury is stacked with total idiots meaning he’s automatically lost the game.

Sorry Keith you just weren’t meant to win. Next time try doing something believable such as blaming some hacker or malware for breaking into your system and downloading those images. Join us next time on the Blame Game.

Outrage and Lies

I saw a video posted on John C. Dvorak’s site entitled “Log into Cars.gov and Turn Your Computer Over to Obama” yesterday. I didn’t think much of it but I see it’s making the rounds now so I thought I’d comment.

In the video Glenn Beck says that when you visit the cars.gov web site it provides a disclaimer stating that once on the site your computer becomes federal property. Once I saw this I headed over to the site to check it out and couldn’t find the said disclaimer. I figured the site owners probably removed it once this aired due to public outcry but I’ve since discovered it only applies to the dealer’s site. Here is the text of the disclaimer:

This application provides access to the DoT CARS system. When logged on to the CARS system, your computer is considered a Federal computer system and is the property of the United States Government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized CARS, DoT, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion CARS or the DoT personnel.

That is a pretty severe disclaimer. In essence it states that certain people have unrestricted access to your system and its files. I agree that this in itself is outrageous but further in the video is where the lies come in.

Mr. Beck goes on a tirade about the government having all sorts of evil software that can infect your system and turn it over to government control. Further he implies that if you go to that website the government will probably upload this software onto your system (at least that’s how I understood what he was saying). This of course is after a series of hysterical disclaimers saying people shouldn’t go to the website on their computer.

This is pure lies and hysteria. Let me sum it up in three words: computers aren’t magic. A properly secured computer system will not allow remote entities to place software on the said system. The only way to place software on a system remotely is either through administrator tools which restrict access to system administrators (if properly set up) or through security holes. Many malicious software engineers use the latter to upload things like worms, which are self replicating software packages that use vulnerabilities found in operating systems to install themselves on un-patched systems. The key word there is un-patched. Once a security hole is discovered the operating system manufacturers are usually very quick to get out a patch which fixes the vulnerability. This is what Windows Update does and why Microsoft is so insistent that people either run it or set it to run and install patches automatically.

Furthermore most worms don’t come out until the patch has been released. This is because of two reasons. First most people don’t know about the vulnerabilities as security advisors who find them usually keep quiet until the patch is released. The second reason is most malicious hackers (there are good hackers too, hence I’m designating the bad ones as malicious) take the patch and reverse engineer it to understand the exploit and then write their worm based off of that newly learned understanding.

But we’re dealing with the government which plays by different rules. Some people believe the government has backdoors in every operating system on the planet or at least in corporate backed operating systems such as Microsoft Windows and Apple Mac OS. Here again we have two points. The first is if they already have these back doors why the Hell would they tell you that your computer is federal property when visiting their dealer site as that would potentially tip people off that they have access to the machine’s files? But the second point is why would any corporation be willing to place those back doors in their systems?

First off people will say money. Their understanding is the companies will put in back doors for the government because the government is willing to pay them for it. This argument doesn’t hold water because no operating system is totally autonomous. There are security experts combing through modern operating systems, especially Microsoft Windows, looking for previously unknown means of compromising the system’s security. We are not talking about a couple experts but thousands. These people are paid by finding these vulnerabilities and reporting them to the operating system manufacturers and generally will release the details of the discovered exploit after a patch is released to increase their portfolio.

See a security expert who hasn’t discovered anything isn’t much of an expert while one who has published exploits has some clout and hence is more likely to get a job. Now here is where money for the operating system producers comes in. With each security hole likely being published and certainly being eventually patched people get a feel for the number of security exploits that have been found in each operating system. People don’t want to trust a system they don’t feel is secure, which is why Microsoft has had such an issue getting more people to adopt or at least not dump Windows for secure systems. To this effect operating system producers have been putting tons of time and money into making their systems more secure and have done quite a good job of it.

Now with how little people trust Windows to be secure just imagine if people found out they placed a back door for the federal government in their system? This applies to all operating system producers but since Microsoft is the largest I’m using them as an example. I can guarantee that within minutes of this being discovered and announced (which it would be either via discovery or through a whistle blower at Microsoft) major companies would be hauling in their entire IT staff for an emergency meeting on how to deal with this security threat. The only conceivable outcome of that meeting would be to dump Windows for something more secure and probably not corporately controlled such as Linux or FreeBSD. Microsoft would in essence lose thousands if not millions of Windows licensees within the period of time required to move critical systems over to another operating system. Hence it’s not in Microsoft’s, or any other company who produces an operating system’s, best interest to create a back door for anybody in their system.

I’m sorry for the extent of this post but people need to realize that computers aren’t magic. They are designed systems created for human use by mostly paranoid developers.

Now this doesn’t mean don’t be paranoid when using a computer and visiting a web site. There are plenty of exploits out there that can take control of systems, although fully patched systems are generally pretty safe. But don’t let people like Mr. Beck make you believe that your system is going to be fully exploited and taken over by the federal government because you visited a website. Honestly the government wouldn’t gain enough to justify the risk of it being revealed that they are breaking into citizens’ computers without any warrant or due process.

Further Research


A good write up about the disclaimer only applying to dealers and the ramifications of that.