NSA spies on us: what a surprise!

I will start this new year (for which I wish you all the best) with some ranting. Since the Snowden story started, I have never commented. Now I will, a little bit, as I am starting to be upset by all this hypocrisy. Snowden shed some light on the behavior and skill set of the NSA. This is interesting. But what is not acceptable is that the media seem to be surprised. WE KNEW IT FOR YEARS.

The NSA spies on our personal electronic communications! We knew it for years. Echelon was known in the 90s. The new systems are just a natural evolution toward new means of communication and enhanced computing capacities. It was even known that the scope was larger than military/political actions. The NSA published patents about semantic analysis of natural speech. The purpose was obvious. I remember an initiative that asked people to generate random mails with gibberish inside but also some alleged keywords (such as terrorism, NSA,…) that should trigger the scrutiny of the NSA. The aim was to try to flood the system.

The NSA is studying advanced techniques such as quantum computing to crack ciphers! I would expect any serious government to have its black cabinet studying this topic. Once more, it is known that the NSA may have some advance over the academic/public domain in this field. In 1974, the US banking industry asked IBM to design a commercial cipher to protect electronic banking transactions. With the help of the NIST, IBM designed the famous DES. At the end of the 80s, the academic world discovered a new devastating technique: differential cryptanalysis. In 1991, Eli BIHAM and Adi SHAMIR demonstrated that, surprisingly, DES was immune to this “unknown” attack (which was not the case for many other ciphers). In 1994, Don COPPERSMITH, who was part of the DES design team, revealed that DES had been designed to resist differential cryptanalysis. In 1974, the NSA already knew differential cryptanalysis but kept this knowledge secret as it gave a competitive edge to US secret agencies.

Secret services do not play fair democratic games! This is why they are called secret services. Hollywood has told us about that so often, as has John LE CARRE.

So please, let us stop this hypocritical surprise: we knew about it (but not the details).

E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” Journal of Cryptology, vol. 4, Jan. 1991, pp. 3–72, available at http://link.springer.com/article/10.1007/BF00630563.

D. Coppersmith, “The Data Encryption Standard (DES) and its strength against attacks,” IBM Journal of Research and Development, vol. 38, 1994, pp. 243–250.

Mega is running: does it hold its promises?

King Dot Com, the owner of the previous MegaUpload, is back. And he is making the headlines of the Internet and other media. His new baby is the sharing site Mega. It has been online since Monday. Where is the difference with MegaUpload? You have noted “the privacy company”.

The uploaded data are encrypted before being sent to the server. Encryption uses 128-bit AES and the encryption key is protected by a personal 2048-bit RSA key. All crypto calculations are done in your browser. Therefore, Mega does not know what is uploaded. This is safe harbor for Mega, at least in theory.

Furthermore, the Terms of Service are very clear.

Protection against copyright holders.

17. You can’t:

17.3 infringe anyone else’s intellectual property (including but not limited to copyright) or other rights in any material.

Good faith and will with copyright holders

19. We respect the copyright of others and require that users of our services comply with the laws of copyright. You are strictly prohibited from using our services to infringe copyright. You may not upload, download, store, share, display, stream, distribute, e-mail, link to, transmit or otherwise make available any files, data, or content that infringes any copyright or other proprietary rights of any person or entity.

We will respond to notices of alleged copyright infringement that comply with applicable law and are properly provided to us…

It will be interesting to see how Mega handles cease-and-desist notices from content owners. Mega is not supposed to know if the claim is legitimate or not. Blind obedience or nitpicking? The future will tell.

Furthermore, Mega protects itself from its users.

5. If you allow others to access your data (e.g. by, amongst other things, giving them a link to, and a key to decrypt, that data), in addition to them accepting these terms, you are responsible for their actions and omissions while they are using the website and services and you agree to fully indemnify us for any claim, loss, damage, fine, costs (including our legal fees) and other liability if they breach any of these terms.

Of course, with its claims of security, Mega got a lot of attention from the security community. It already seems possible to get somebody's master key if you intercept her confirmation email. Steve Thomas has published a first hack (MegaCracker). Some other weaknesses seem to be around.

The blogosphere is now claiming that Mega did a bad job. Is it really true? I am not sure. Of course, if you believe that Mega’s purpose is to securely store your data, then it may be true. I would not recommend using it if confidentiality is at stake. If you believe that encryption is just a way to claim safe harbor for Mega and build a new MegaUpload (without taking the infringing risk), then it is another story. Then Mega does not care about being hacked (by the way, the TOS do not guarantee confidentiality of your data).

In any case, weak security or not, Mega has already done an extremely good job of public relations. The news of Mega's launch is all around the world.

Facebook, privacy protection and civil lawsuit

Is Facebook a privacy harbor in case of a civil lawsuit? Can your Facebook posts be used against you even if they are tagged as private? This is the question that the court of Franklin County, Pennsylvania (USA) answered last November.

Following an accident, the plaintiff claimed serious injury. She testified that she suffered from chronic physical and mental pain, and used a cane to walk. The defendant claimed that on the plaintiff’s Facebook account, the plaintiff announced that she went to the gym and posted family pictures that contradicted the allegations. The plaintiff claimed that it could not be used in front of the court.

The judge ruled differently and detailed his objections in a 14-page opinion document. The rationales:

  • Discoverability: the court made it clear that material on social networks was discoverable in civil cases.
  • Privacy: the court made it clear that there was no expectation of privacy on social networks because their purpose was to share with others.

Almost all information on Facebook is shared with third parties, and there is no reasonable privacy expectation in such information…   even “private” Facebook posts are shared with others.

  • Embarrassment; The judge estimated that contrary to  personal sure that may create embarrassment, it is not the case for Facebook posts and posted pictures as their purpose is to be shared with others.

This is an interesting statement that highlights that privacy in social networks is more related to access control than to actual privacy, at least under US law. An interesting read that shows all the complexity of privacy in front of the law.

PS: I was not able to find out if the use of these posts helped the defendant to win or not.

Notes of PST2012: Day 2

As with yesterday, these notes reflect what piqued my interest and do not attempt to be unbiased, exhaustive reporting of the presentations.

Co-utility: rational cooperation for privacy, security and functionality in the information society (J. Domingo Ferrer, University of Tarragona)

He started with an environmental analogy: privacy preservation is essential and should be sustainable for the survival of the information society. To limit privacy “pollution”, he proposes reducing identifiable information, reusing data to reduce utility,

He uses game theory to define co-utility: co-utility means that the two players have the best strategy when they cooperate. Using different equilibria, he defines Nash, mixed Nash, or Stackelberg (when one player can impose his strategy on the rest of the players) co-utility.

Application to PIR applications

Currently, PIR assumes the cooperation of the database, which is not always true. (Not true if using zero-knowledge such as Micali.) Potential solutions:

  • Standalone approach: TrackMeNot generates fake queries or adds fake keywords.
  • P2P: reuse queries submitted by other users. He explores this avenue: each player collaborates by submitting queries of the other players to flatten his profile (Nash equilibrium).

Trust session

Building robust reputation systems for travel-related services (H. DUAN, Heidelberg)

How to stop manipulation that injects fake reviews (promoting, demoting, system destructor)?

The idea was to use review helpfulness as a reputation measurement. They did not use textual analysis. It was OK for one set (New York City) and not for another town.

They were challenged on how they distinguished promoters and demoters from innocent reviewers.

Collaborative Trust Evaluation for Wiki Security

The issue is that malicious or incompetent contributors may modify documents. (An estimated 4-6% of contributions to Wikipedia are vandalism.)

The Security Wiki Model is a layered model in which authors are promoted based on the quality of their contributions. A document has an integrity level (IL) and only authors with a higher quality level can contribute. The author assigns the first IL (necessarily less than or equal to his own level).

An author increases his reputation through reviews that are validated by other reviewers.

Very conservative approach.

The theory of creating trust with untrusty principals (J. Viehmann, Fraunhofer)

State of the art: Vote, democratic vote (majority), centralized Trusted Third Party

Using game theory  with peer monitoring to detect manipulation in different cases:

  • plain
  • Law enforced
  • using mistrust (by testing through fake requests to see if somebody is trustworthy)

Theoretical, no real experiment to test the reaction of users.

Security Session

Effects of displaying access control information near the item it controls (K. Vaniea, Carnegie Mellon)

They tried it on a gallery, distinguishing between everybody, co-workers, friends and family.

When the icon is near the picture, it has a better effect than in the sidebar. It has no better impact on memory retention.

Detecting JavaScript-based attacks in pdf file (Schmitt F., University of Bonn)

Static detection is not sufficient if the code itself builds the malicious code.

The typical attack uses heap spraying, then calls a vulnerable API method so that the return address is overwritten.

They use PDF Scrutinizer, which has a JavaScript emulator and a reader emulator without actual rendering.

An interesting detector: the heap spray detector watches for identical strings being added to an array too often.
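
The heap spray heuristic noted above, as an added sketch (not PDF Scrutinizer's code): an emulator hook counts how often the same long string is stored into one array and raises an alert once a threshold is crossed. The class name, the hook name, the thresholds and the two sample traces are assumptions constructed for illustration.

```javascript
// Added illustration of the heuristic; not PDF Scrutinizer's code.
// Class name, hook name, thresholds and sample traces are assumptions.
class HeapSprayDetector {
  constructor({ minLength = 1024, maxRepeats = 50 } = {}) {
    this.minLength = minLength;   // shorter strings are ignored
    this.maxRepeats = maxRepeats; // identical stores tolerated per array
    this.counts = new Map();      // arrayId -> Map(string -> store count)
    this.alerts = [];
  }

  // Hook an emulator would call whenever a script stores `value` into an array.
  onArrayStore(arrayId, value) {
    if (typeof value !== 'string' || value.length < this.minLength) return;
    let perArray = this.counts.get(arrayId);
    if (!perArray) {
      perArray = new Map();
      this.counts.set(arrayId, perArray);
    }
    const n = (perArray.get(value) || 0) + 1;
    perArray.set(value, n);
    // Alert once, at the moment the threshold is crossed.
    if (n === this.maxRepeats + 1) {
      this.alerts.push({ arrayId, length: value.length, repeats: n });
    }
  }
}

// Replay a trace of [arrayId, value] store events and return the alerts.
function scanTrace(trace, options) {
  const detector = new HeapSprayDetector(options);
  for (const [arrayId, value] of trace) detector.onArrayStore(arrayId, value);
  return detector.alerts;
}

// Constructed sample: a form script caching 300 distinct long strings.
const benignTrace = Array.from({ length: 300 }, (_, i) =>
  ['cache', 'row-' + i + '-' + 'x'.repeat(2048)]);

// Constructed sample: one 4 KiB filler string stored 500 times in one array.
const filler = 'A'.repeat(4096);
const sprayLikeTrace = Array.from({ length: 500 }, () => ['blocks', filler]);

console.log(scanTrace(benignTrace).length);    // 0
console.log(scanTrace(sprayLikeTrace).length); // 1
```
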

Automatic Detection of Session Management Vulnerabilities in Web Applications (Y. Takamatsu, Japan)

Typical attacks: session fixation and cross-site request forgery (CSRF).

They implemented a plug-in for Amberate to detect these vulnerabilities. Not convincing, as it created false positives on PHP-Nuke.

Linksys and the cloud snafu

A new trend in the management of gateways and routers is to use the cloud. Currently, gateways and routers are locally managed by the user, and often remotely managed by the operator through protocols such as TR-069. The new trend moves device management to the cloud. In other words, to modify the router/gateway, you have to use a remote service. Most manufacturers, if not all, are following this path.

Last month, Cisco launched its Cisco Cloud Connect service, which offers this capability. For that purpose, Cisco has to install new firmware on deployed Linksys routers. Cisco launched such an update. Thus, many customers who had opted in to automatic firmware upgrades (which, by the way, is usually a smart decision) were automatically upgraded, losing the local ability to manage their device. This automatic upgrade started a huge rumpus on the forums, many people feeling that losing local management was equivalent to losing ownership of their router. This was the first issue. Many people believed that this upgrade would be systematic for every Linksys router.

Unfortunately, the Terms of Service (TOS) of Cisco Cloud Connect mentioned that Cisco might keep track of a variety of information, including Internet history, and might share “aggregated and anonymous user experience information” with service providers and other third parties. This second issue was even more devastating for Cisco.

Cisco quickly reacted and took a set of appropriate actions:

  • Explaining that the upgrade was done only if the customer requested it or had opted in to automatic upgrades.  Cisco provided a method to revert to local management,
  • Modifying the TOS to remove the section related to collection of data such as Internet history,
  • And highlighting that Cisco does not use the routers to collect information about Internet usage.

Lessons:

  • Full remote management of a user-owned device may be adversely perceived. Hardware ownership carries a strong connotation of control.
  • Privacy is important for some people, and not necessarily rational. The perception of privacy is complex. How many of the people who complained regularly use Google (or whatever search engine) and click on the proposed link, leaving a trace of their Internet usage to Google? It would be an interesting sociological study to do. Privacy is a touchy, complex topic.
  • There are some people who carefully read TOS!!!

Thanks to RG for the initial pointer.

The older, the more security concerned

This is the conclusion of a study performed by Dimensional Research for ZoneAlarm (a division of Check Point). As a reminder, ZoneAlarm offers a free antivirus and firewall, as well as two paid security suites.

The result is not surprising. One of the questions asked respondents to rate the relative importance of computer-related activities among Community, Entertainment, Information, Productivity, and Security. The following picture summarizes the rating.

Unsurprisingly, for younger generations, the computer is mainly used for entertainment and community (40% compared to the 8% of the baby boomers). Security and privacy will be sacrificed if they interfere with access to the community. This is normal in view of the addictive behavior related to social networking. I would guess that this trend will move up the age pyramid as more and more people enroll in social networking (Facebook has more than 1 billion accounts, whereas Twitter has more than 500 million).

Interestingly, Gen Y (18-25 years) believes itself to be more knowledgeable about security than baby boomers (63% versus 59%) but suffered more security incidents in the last two years. This most probably comes from different activities and greater exposure to risk through riskier sites.

And unsurprisingly, the cost of security is one excuse for not implementing security solutions, which highlights that some vendors such as ZoneAlarm or Avast are not doing a good job of communication, as they all offer free versions of their tools. Across generations, half of the respondents estimated that security should be free.

Lessons:

  • Ideal security should be transparent for users (price, and ease of use).  It must not impair the user experience.
  • Expect many more attacks on social networks in the future.  Many people will not sacrifice their community for a more secure environment.   This is usual for addiction.