Identification of more risks can lead to increased optimism

Posted on August 12, 2009 by wunderbarb

I am more and more strolling around the psychological sides of security and risks. Magne Jorgensen (Simula research lab, Norway) published a paper which result is counter-intuitive. Its title is Identification of more risks can lead to increased over-optimism of and over-confidence in software development effort estimates.

Through four experiments, he highlights that when people are going more in depth in risk analysis, it most often ends up with a lower effort estimation and higher success estimation than when people make a fast risk analysis!!

He proposes some potential explanations. Once more we end up with judgment-based (the Guts) versus reasoning-based (the Brain) (See Gardner’s book) Among the explanations:

illusion of control; people are more confident when they believe to be in control. Seeing more risks may give an illusion of control. Identifying a risk is already a little bit controlling it.
Availability heuristics: the more vivid in the memory, the higher the importance for the Guts. When analyzing risks, it is more probable that the most important ones will be find quickly whereas the last discovered ones will have the lesser probability. Unfortunately, the Guts will be biased by the last analyzed one for the overall risk. In other words, it will lower the global risk.

Jorgensen proposes a method to limit this bias. Analyze each risk and their impact together. Then sum the expected impacts.

May that study have some impacts in the way we make threat analysis? I am not sure. Threat analysis is a long process where the availability heuristic will probably be watered by time.

Nevertheless, it may impact the way we wrap up a threat analysis. Personally, I describe the threats in decreasing order of importance. In other words, the audience’s guts, when leaving the room, will remember the less important threats 🙁 I should present them in the increasing order. This would have two advantages: some thrill / suspense and the more dangerous threats in the Guts’ memory.

Storm on The Pirate Bay

Posted on August 10, 2009 by wunderbarb

In April, The Pirate Bay (TPB) was sentenced by a Swedish court. In the last months, the storm grew strong on the bay.

End of June, A company, Global Gaming Factory, announced that it would purchase TPB for 5.5 M€. The announced objective is to turn TPB into a legal distribution platform (using P2P) but for paid contents. The Global Gaming Factory owns a large network of cybercafes and develops cybercafe dedicated applications.

End of July,two gusts:

The US movie majors file in order to have the site shut down, citing the downloading of 100 TV shows and films download.
A Dutch court requires TPB to block access to their sites to all Dutch citizen. For each day the site remains accessible from Netherlands, the fine will grow by 30,000€. Funnily, it was probably the first time that a court sent a subpoena by Twitter.

4th August, one of the founders, Peter Sunde announced that he leaves the boat.

Meanwhile, many rumors circulated that Global Gaming Factory had not the money to purchase TPB. But, the company has just announced that it will officially acquire TPB on 27th August after its extraordinary shareholders meeting.

The Pirate Bay is still operating!

A password strength checker

Posted on August 7, 2009 by wunderbarb

I recently stumbled across a useful site for increasing security awareness. The Password Strength Checker evaluates the submitted password. The use is intuitive.

Sure, when a password is declared as strong, then it is strong. I played a little bit with. I discovered that my Firefox master key was 74%, my account password was 70%, and my password for this blog was only 30%!

When examining the poor result of this last password (rather long), I find that I was not in total agreement with the rationales of the penalties. Consecutive upper case letters, lower case letters or numbers are “penalized”. Intuitively, I would think that systematically you recommend to avoid consecutive upper case, lower case or numbers would give an advantage in brute force. If I select a upper case, then in brute forcing next character, I would avoid to use an upper case. It reduces (slightly) the space of passwords.

Nevertheless, a nice useful tool.

Is SSL still secure?

Posted on August 5, 2009 by wunderbarb

I know that the title is somewhat provocative. Nevertheless, the current system of certificates and more precisely the way the browsers handle them presents some weaknesses.

In security newsletter N°12, Mohamed Karroumi explained the latest attacks using forged MD5 certificates for mounting a man in the middle attack. The designers of the attack were Alexander SOTIROV and Mike ZUSMAN. At that time, the countermeasure seemed simple: do not use anymore MD5 certificates.

At last Black Hat 2009, the same researchers have disclosed a new attack that bypassed this protection. The Extended Validation (EV)certificates standard has been designed to have more secure certificate attribution (no simple online application…) and also banned RSA1024 and MD5. Thus, we could believe that a site using EV certificate should be safe against the MD5 based man in the middle. They demonstrated that it was wrong. In fact most browsers accept to start a session with an EV certificate and continue with a non EV certificate. Game over. SOTIROV and ZUSMAN showed the actual attack at the conference.

The countermeasure seems not simple if a smooth deployment is expected unless it is possible to ban ALL MD5 certificates. May be some news in our next newsletter.

Of the need to back up root CA

Posted on August 3, 2009 by wunderbarb

Germany is planning to roll out a system of electronic health care smart cards, as already deployed in France (Carte Vitale). The deployment is currently in a first phase of tests.

As usual, this type of system is using a PKI (Public Key Infrastructure). And every PKI is based on the use of a root key pair that signs the certificates and the revocation lists. Thus, the private key of the root Certificate Authority (root CA) is one of the most important secret of the system. Generally, this private key is stored in a Hardware Secure Module (HSM) that makes all the operations of certificate signatures, revocation list signature, … A HSM is a enhanced tamper resistant module that will stop to work when it detects an attempt to tamper.

The German system of course used such a HSM. Unfortunately, a voltage drop was interpreted by the HSM as an attack. It thus erased the private key. The normal procedure is to take the back up HSM, duplicate it and start again. HSM have special strict procedure to make back up of the secret keys on another HSM. Unfortunately, there was no such back up. The consequence is that the trial cannot anymore generate a new smart card.

Fortunately, this is only the test phase. For sure, there will be a backup for real deployment phase.

Root CA management, storage , and handling is an extremely complex task. Some companies (such as Entrust, Verisign…) have made a living of this activity. So if ever you use a root CA, either make a backup (and store ii somewhere in high security) or use a proven operator.

For more details, read here.

SF: L’agent des ombres (2)

Posted on August 1, 2009 by wunderbarb

Saturday, August 1, 2009

During this holidays, I decided to give a second chance to this saga. The second book is less basic. The hero takes some more roughness. He looks more and more like Elric The Menilbonean. He starts to have some pleasure in killing. He becomes less Manichean.

Funnily, I found in the following books references to another author: Roger Zelazny. One of the 6 free towns has the name of Amber. And even more explicitly, the hero announces that he has a passion for Zelaznian literature. So do I.

Zelazny is of of my favorite SciFi authors. The Amber chronicles are great. I am always surprised that Hollywood did not adapt this saga to screens. My second favorite author is Ursula K Le Guin (Earth Sea cycle, The dispossessed, The left hand of darkness…)

Big Brother is watching you(r Kindle)

Posted on July 29, 2009 by wunderbarb

On July 17th, some Kindle’s users had the surprise to see the following message.

We recently discovered a problem with a Kindle book that you have purchased. We have processed a refund to the payment method used to acquire this book. The next time the wireless is activated on your device, the problematic item will be removed. If you are not in a wireless coverage area, please connect your device to a computer using your USB cable and delete the file from the documents folder.

In fact, Amazon removed two George Orwell titles: 1984 and Animal farm. Amazon refunded the customers of the price of the erased eBooks. As expected, this immediately raised the fury of medias.

It is interesting to remind some real facts:

– Amazon erased only the versions from publisher Mobile Reference.
– Mobile Reference is specialized to distribute eBooks from titles that are in the public domain for the modest price of 1$
– Unfortunately, these books are not yet in the public domain (at least not in every countries)
-The same titles are available in digital format from other publishers but at higher price (around 10$)

Thus, the action of Amazon was legitimate. A publisher sold illegal content through Amazon. Amazon solved the issue by erasing the illegal books and redeeming the customers. What may be more questionable is the cryptic message. Jeff Bezos, Amazon’s CEO, later issued personal apologies.

This is an apology for the way we previously handled illegally sold copies of 1984 and other novels on Kindle. Our “solution” to the problem was stupid, thoughtless, and painfully out of line with our principles. It is wholly self-inflicted, and we deserve the criticism we’ve received. We will use the scar tissue from this painful mistake to help make better decisions going forward, ones that match our mission.

This is not the first time that Amazon removed a title. Recently, a version of Harry Potter was illegally available for a few hours.

What can we learn?

– e-sell through, ie. selling the right to access content for ever, is a complex task
– People have the same expectations of usage from digital content than from physical content. I’m still reading paper books I purchased twenty years ago. (I want to soon read again Zelazny’s Chronicles of Amber )
– Copyright issue is a complex problem. Not all countries have teh same laws. Thus, we end up with Ubuesque situations like here. 1984 is in public domain in Australia, but other visitors have to apply this notice.

Under Australian copyright laws, copyright in literary works of authors, who died before 1955, has expired. These works are now within the ‘public domain’ in Australia and this is why the University is able to reproduce such works on this site. HOWEVER, works may remain copyrighted in other countries. If copyright in the work still subsists in the country from which you are accessing this website, it will be illegal for you to download the work. It is your responsibility to check the applicable copyright laws in your country.
– When you are a digital store, it is your responsibility to check all copyright/infringement issues. This may be tricky if the store is large.

In any case, it was “funny” that the incriminated book was 1984. By the way, if you have not yet read it, read it

The blog of content protection

A site managed by Eric Diehl

Author Archives: wunderbarb