Category: InfoSec

Collection of data is not the only problem

What the NSA has taught us is that mass surveillance is not as hard as people used to think. Other governments, and most commercial companies, do that, too. With the advent of smartphones we’ve learned to ignore most of that for the sake of convenience, and most of the time, it’s ok.

It’s true that the bulk surveillance from governments can spark enough false positives to make people worried, or that Google and Facebook are using your personal details to make a bucket load of money, and some others are selling those details, sometimes not even realising.

When you think of all the power that the government can wield with your data, or all the money that big corporations are making with your personal information, it’s not surprising to think: “where’s my share in this?”. Some people have even tried to evaluate how much you would get for selling different types of personal information to corporations. But is that the real question that we should be asking?

Should we be concerned with what data we leak and try to minimise it, or should we really be thinking about what they can actually do with that information? Of course, any answer will be a mix of both (since not all investigating parties are well intentioned or law abiding), but limits on the powers of governments and corporations can go a long way towards making the data useful but not harmful.

Privacy

I said this before and I still maintain my position that no one has ever had privacy. Parents have eavesdropped on their kids’ behaviour since the dawn of humanity as a way to raise them into responsible adults. The concept of “being responsible” has changed over the millennia, but parents have not.

Law making and enforcing bodies have eavesdropping as their primordial way of acquiring information. Since people normally only do bad stuff when no one is looking, expecting the police to only use highly visible enquiring methods (such as asking personally or patrolling an area) becomes impossibly expensive very quickly. It is true that random checkpoints, fake speed cameras and signs do help awareness, but that’s also not optimal from a monetary point of view.

Privacy also goes against any common sense in the outside world. If you take a bus, everyone on that bus knows you’re there, even if they don’t know who you are. If there is a picture of you on the bus saying “wanted, dead or alive”, they will see you and report you. There’s little you can do, besides hiding and never showing your face again. Famous people (actors, etc.) have the same problem and the solution is pretty much to hide.

Data

The data you “leak” is also the data that defines you. Where you have been, what you like, where you work and live, what food you eat and what you do on Saturdays. Collecting that data and providing a service on that is actually extremely beneficial to you. The problem is who has access to that information.

Tesco knows what I need to buy better than I do. They send me vouchers with discount on fresh mozzarella cheese, fresh basil and fresh tomato on the vine. They know I love Caprese salad, and I actually like Tesco knowing that, because I get a slightly cheaper Caprese salad once in a while.

Google Maps knows where I live and work, so that when I’m going home I can just say: “Ok Google, go home”, and it does the rest. If I don’t share that kind of information with Google, it would never be able to do what I want it to. Examples like that are everywhere, and each company must have access to a wide range of data from you (location, shopping habits, browsing habits) for them to be able to do so. It’s the unavoidable fact of information theory that you need enough entropy to find patterns.

Legality

The real problem here is what companies end up doing with your data, and how well they protect it from malicious outsiders. Even if the company is benign, once they get hacked, your bundle of personal data, which is enough to infer pretty accurate patterns about your personal life, is out there. Who knows what the attackers will do with that?

Another problem is blanket approvals to bypass any legal system and arrest, judge and execute individuals solely based on bulk surveillance patterns that are known to generate an immense amount of false positives, not only because the algorithms are inexact, but because the people filtering and creating the rules don’t possess enough knowledge to know what they’re looking for in the first place.

Finally, what happens if the benign company that provides you an invaluable service is suddenly acquired by an unscrupulous company? Can the reach of the service widen based on the parent company’s privacy policy? Or is the data protected like source code that is licensed as open source with, for example, the GNU license?

Solutions

So, a pragmatic view on surveillance should attack the problem of the legality of actions on data, not just the legality of acquiring data in the first place. The legal system can already cope with that, for instance when evidence is found via illegal means (unapproved wire or microphone), it cannot be used against the accused. The “Patriot Act” changed all that in the US, and in other countries, and that’s the first thing that has to be changed back to a sane standard. Governments should never have the ability to bypass the judicial and executive system based on *any* collected data, especially if it was done in bulk, with irrelevant patterns to match.

Another topic that needs addressing is licenses on data, especially data collected for the purposes of personal services. There are licenses that cover open data, such as Creative Commons, but these cannot be applied to private data that a company has access to for the sole purpose of providing a service. Each company has a different privacy policy and the EFF has great tools to monitor them all, but all of that is solely dependent on the company’s ethics.

A change of the board, or the managing directors, or even an acquisition, is enough to pervert the privacy policy and render the previous data they had on you (that you cannot ever delete any more) to their benefit. What we need is a data license that is not open (since it’s private data), but that is protected in the same way against future changes.

There may be cases for more or less stringent licenses (like GNU vs. BSD) for different uses, but once they’re standard licenses, we don’t need to read every single privacy policy of every company every time they change some minor wording, we’d know what kind of freedoms and guarantees we’re getting, and companies won’t have the right to subversively change it.

Finally, there should be a guarantee in the license that the company is required to store such data in a protected way, following a set of standard cryptographic techniques and solutions, and there should be a clause on how they would destroy the data on the minimal attempt of intrusion. To compensate the total loss of service for all users, they must store such data in different locations, using different techniques and keys, and distribute it across multiple locations.

It may seem daunting for small companies to provide small services, but so did cheap scalable storage and service providing until Amazon created AWS and all others followed suit. If there is a demand, someone will create the solution. That has been the human response to everything since we came down from the trees to conquer the planet and we won’t stop here.

Conclusion

It’s not the data, it’s what governments and corporations can do with the data, and how to protect it from malicious parties.

Acceptable

A long time ago I read an article about some dangerous psychological studies in the 70’s. It’s funny to think that, at that time, things that we wouldn’t even consider doing were acceptable.

Can you imagine yourself with a periscope counting the seconds some truck drivers take to piss in a public toilet? Or pretending to rape a girl and risk getting shot (especially in the US)? It’s not just ethically incorrect, it’s dangerous!

Recently, I read an article about some students monitoring 350 million mobile calls just to figure out if the callee would call you back. In the 70’s that would not only have been nonsense, but people would have exploded in rage, as it would have been just enough to prove all the conspiracy theories of that time (not to mention the Cold War).

This is not the first research using “unnamed” data from carriers or websites, nor will it be the last. I myself proposed something similar to Yahoo! when I worked there, to get the trends and act on the average (rather than tag individuals), and I see now that it’s becoming acceptable to allow research groups to openly read entire databases that were previously considered private.

I don’t particularly dislike this type of research, especially when it’s done by universities, but a slight feeling of paranoia creeps up my spine sometimes. I guess that’s one of the issues that is dividing people into two very distinct groups: those that completely ignore privacy for the sake of comfort, and those that ignore comfort for the sake of privacy.

I am in between the two groups, but I can’t say I’m exactly average. I think I’m an extremist on both sides. I don’t mind storing my private emails on Google but I disable all Facebook add-ons and restrict access to all my personal data. I pay everything on the internet with my credit-card but I’ll refuse to the end of my days to use the biometric passport or iris recognition at airports.

There is no logic, really, it’s just the kind of thing you stick with. It is true that governments have more power to dig your data when they want, while Amazon will probably only have my credit-card number. But it’s also true that no government in the world can dig everyone’s data all the time, so it’s pretty improbable that someone is monitoring how many times I cross the Heathrow border.

In the end, only one thing stands out as logical in the whole scene: in recent years, it was far more likely for the government to lose the banking details of everyone in the country than for some hacker to break into Amazon to get my credit-card. Maybe that’s what’s keeping me from accepting IDs and biometric passports… or maybe I never will…

Online gaming experience

Why is it so hard for the game industry to get the online experience? I understand the media industry being utterly ignorant about how to make sense of the internet, but gaming is about pure fun, isn’t it? The new survey done in the UK is more than proof of the obvious fact that people will use all the resources of the internet to get what they want, whether it’s illegal or not.

After all, who defines what’s legal and what’s not? The UK government already said that it’s OK to invade one’s privacy for the sake of general security, even when everybody knows that no government has a clue about what’s security and what’s not. Not to mention that the Orwellian attitudes of certain US companies seem not to raise an eyebrow from the local government or the general public…

That said, games are a different matter. Offline games still need to have some kind of protection, but online games should rely on online commerce, and that can only be complete if the user has a full online experience. So, what do I mean by full online experience?

You don’t always have access to your own computer. Sometimes you have just a remote connection, sometimes only your mobile phone or a web browser. Sometimes you have an old laptop with no decent graphic card, and then there are those golden times when you have a brand new game machine with four graphic cards. 10 years ago, mobile phones were not what they are today, but even though my current mobile has a 3D graphic card in it, it’s closer to the lower end when compared to desktops or even laptops.

So, what’s the catch? Imagine being able to play exactly the same game irrespective of where you play it.

There are lots of new online games, the so-called ORPG (online RPG) or their bigger brothers (MMORPG, massively-multi-player ORPG), but all of them rely on a Windows machine with OpenGL2 and DirectX 10 to play them, even though not half of them really need that kind of realism to be fun.

Moreover, when you’re at the toilet and you want to keep playing your battles, you could easily get your mobile and use a stripped down version with few graphic elements but with the same basic principles. When you’re at your parents’ and the only thing you have is dial-up, you can connect via SSH and play the console version. At least to manage your stuff, talk to your friends or plan future battles.

The hard part in all this, I understand, is to manage different players playing with different levels of graphic detail. Scripts in online games are normally prohibited because they make cheating too easy, and that would be the way of battling via an SSH connection… Players with better graphic cards would have the advantage of seeing more of the battlefield than their friends with a mobile phone, or even of using a much better mouse/joystick and a much bigger keyboard (short-cuts are *very* important in online gaming).

With the new mobiles and their motion sensor and GPS interfaces, that wouldn’t be such a big difference, as you could wave the mobile to have a quicker glance and even use voice-control for some features, which still lacks support on the desktop but is surprisingly popular on mobile devices. All in all, having at least three platforms: high-end and low-end graphics plus a mobile version, would be a major breakthrough in online gaming. I just wonder why game makers are not even hinting in that direction…

The console version is pushing a bit, I know, I just love the console… 😉

Net neutrality

Since the early days (millions of years ago), the human race has been watched. Not by any sort of god or alien race, but by itself.

During the cave age, human-apes lived in groups. Either in trees or in proper caves, they were all together. It was, then, pretty much impossible to do something and not be noticed. If you wanted to enjoy the sunset while all the others were working hard on protecting the cave, you’d be spotted. If you took someone else’s wife for a ride, people would know.

Empires came and went and the only thing they brought as a relief for that was the number of unknown people around you. People would know you in your neighbourhood, but you could go away a few blocks and you’d be a total stranger. Moving cities was even better, but that was nothing that you couldn’t do during the cave age.

Even with the ability to change homes, during your stay in a particular place, you are being watched. Not all vigilance is bad, though. Some might learn that you like football and invite you to the local team. Others could notice you left your door open and warn you, and even babysit your children.

Whenever you interact with people, you invariably leave a trace. If a policeman asks your neighbour where you have been, he’ll probably have a good hunch and that will probably help the police to find you. The only thing that matters, really, is whether you’re lost (and need finding) or running away.

The Internet is a much bigger place than any city or country, so it’s far easier to go on without being noticed. But, as with real life, people are watching. Sometimes for good, other times for bad, and that doesn’t make the Internet any different than the real world.

If you come to my house, I’ll remember. When you visit websites, your IP and the page you visited are logged on their servers. We eventually forget your visit, if you were not that important, or clear old logs from the server, but for a while, you are there.

Being logged in a server is no different than being remembered, and that’s hardly a bad thing. What is bad is what you do with that piece of information. And for that, it doesn’t matter if you’re on the net or at my house, it’s a violation of your freedom for me to use that information solely to my profit. Hiding behind proxies is not the way to go, because that is only pushing your freedom even further away.

So, what is neutrality?

Net neutrality is to give people the freedom to do whatever they want, whenever they want, and not cap their ability for profit or legal reasons. This may seem dangerous: if someone is trying to do any harm, the chance they’ll succeed is big, but that is also the case with real life. Suicide bombers, for instance, always manage to explode themselves and no one can do anything about it.

Well, they can, and that leads us to a much worse scenario: Guantanamo Bay. Capping everyone’s connections and inspecting everyone’s packets because some will abuse them is against human rights. The same goes for locking people in far away prisons without any charge just because there was a hunch that they would do something wrong at some point.

Society is complex and evil. Freedom comes with a high price: harm. If you start guessing who’ll do the wrong thing and punishing them before they do, you can surely save a lot of harm being done, but you’ll also harm lots of innocent people to a point of no return. Your society will be as bad as the quality of your guess.

So, judging people for the crimes they have committed won’t change the harm they have done, but will save the lives of people that didn’t commit any crime. Crime is part of nature. Not human nature, but life itself. It’s not possible to stop it once and for all, it’s not possible to accurately predict when it’s going to happen and the outcome of trying is far worse than not, so don’t even start.

Not only that, but these guess-works give permission to certain people (or groups) to deviate the logic for their own profit. That’s the case of recording companies and the fight against copying and borrowing. That’s the case of idea patents and the inherent inability to think. That’s the case of all major wars since the second world war (and probably many more before that).

Guessing on people’s freedom is evil, not even hideous crimes are that evil.

Spam is good for you

Spam is good for you, at least better than you may think. Spam accounts for three quarters of all emails sent worldwide and some have even attached a carbon footprint to it (and here is one of the reasons why it’s nonsense). But it’s good for you in ways that do not meet the eye very easily and very few people would even consider it as good in the first place.

Not only emails: think of how much of the regular mail you receive is really worthwhile and how much is spam; it’ll probably account for three quarters as well. How much of that is really mean? How much of it hurts you so badly that you’d put the sender in jail for it?

Sure spam is a nuisance, sure it gets in the way of the real work, but what cost are we, the society, willing to pay to eradicate such a problem? Well, let’s take a look at how spam really started…

Local business

You’re a window cleaner and recently moved to Shlobershire, to a very quiet little village. How would you let people know about your business? You can go around talking to each of the local residents, but that’s a nuisance, so you print some pamphlets and post them through everyone’s door.

Some will read and call you, some will be pissed off but most will just ignore you. You’ll figure out pretty quickly about those that got pissed off (if you live in a small village you know that already), but then you buy them a pint and everything is settled.

What’s the final cost? A few pamphlets, a couple pints and you got two great things: one or two windows to clean and the whole village knowing who you are. This is, by far, the cheapest marketing ever. The rest of us that can’t afford a real marketing campaign have to find ways to promote our business.

With all the fuss about global warming, organic farming and fair competition in business (if there is such a thing), we want to promote and use more local business than big brands. We’re losing creativity, diversity and quality if we don’t.

ROI

Just like the local business, some people can’t afford big marketing campaigns. Either because they’re poor or because their business is not so legal in every country.

So, why do people still send those stupid, ill-edited, loosely formatted emails, even when it’s obvious what they want? Who wants pills, fake degrees or to enlarge their penises? Well, apparently some do and they do reply and may well get what they want!

The return on investment is much, much better than most marketing campaigns. Take Microsoft’s campaign with Jerry Seinfeld or the “I’m a PC” thing. It was the most expensive piece of crap ever done. Seriously, I prefer spam to that!

The return rate is very low, one reply in millions of email, but if they send billions of emails, go figure.

But that’s clearly bad, isn’t it?

Well, illegal activities are bad, of course. Either on-line or off-line, drug dealing is bad, banking scams are bad, but not all spam is a scam or a drug selling point.

First, people receive so much spam from normal companies (even those that they have explicitly opted out of), including broadband providers, software, telephone and TV companies, etc.

The smaller companies are still sending physical spam and it’s probably working much better than the electronic spam, but that’s the deal: it works and it’s cheap.

Second, what’s really illegal? Is downloading music you haven’t paid for illegal? What if you will pay later? What if the author allowed you to? Is ripping your CDs to MP3 to listen to in your car illegal? You have paid for it already!

Google has become the target of many accusations of illegal behaviour because they host a number of websites, videos and personal profiles on social networks. If people started to massively upload child pornography to YouTube, would the Google guys be in jail? I bet my little finger they wouldn’t.

RIAA kills a kitten every time you download (or rip) a CD while governments detain people for years in maximum security prisons without a single charge, so what’s really legal?

Pirate Bay scam

I still don’t believe it happened, even though it was in all the major journals for a week, but the Pirate Bay guy actually got a jail sentence for owning a website that allowed people to share files. They’re not criminals, they’re not killing people or (more importantly) getting in the way of the course of business (after all, money is more important than people’s lives nowadays). They just set up a list of things.

File sharing is one of the biggest revolutions of the recent internet and more and more people are asking the industry to finally adopt the technique rather than fight it. Whether they like it or not, it will prevail.

What is worse, a few old ladies downloading very old music (unavailable from any shop in the world) or the fear that the recording industry instils in most governments today, which allowed such a scam to ever be turned into reality?

One mistake does not justify the other, but many (sane) people are already saying: Stop fighting reality, come back to it, be part of it.

You can’t fight them, help them!

I can’t imagine a world where we wait for people to deliver a pamphlet to handcuff them, or where someone is jailed for listening to music on his player’s speakers. Unfortunately, we’re not that far from it.

Why does spam work? Because there isn’t any other way for those people. Yellow pages? Who reads them? Journal advertisements? Banners? People got used to them and can ad-block automatically. Our brains are trained to ignore them, it’s just not effective any more.

Some companies say they can provide a much better ad experience for the users by spying on their lives more closely than their lovers. I would object to that approach…

There are many (free) systems for local business, but none of them seem to cut it. Maybe because people are always trying to get money in return (weird world, isn’t it?) and end up putting paid ads bigger, colourful and on the front page, and leaving the real local business somewhere between marriages and obituaries.

I have no idea how a system would get rid of spam once and for all and it’s not my cup of tea to think about it, but I’m sure there are many people that could tackle this problem, they just need a bit of money (from the government) and time. It’s not a matter of filtering emails, it’s a matter of removing the need to send them in the first place!

If governments are really worried about spam, let them be creative and help freedom, privacy and good relationships rather than the totalitarianism we’re seeing around the world.

A new world is rising, new machines are coming to life much faster than most governments would like and the digital handcuffs are showing that none of them understand a bit of what’s going on. All blind, living in their caves watching the shadows on the wall. Whoever cries wolf is right, for no one knows what the wolf really is and where it is. Technology is like children: the more oppressed they are, the more you lose control over them.

Einstein didn’t go to the US because he liked the land of freedom, he moved because he hoped (in vain) that they would know how to use wisely the technology he knew how to build. He knew that others would be able to build it and it was just a matter of time before any bomb was actually available. Holding it back was not the answer and he knew it.

I just hope people figure it out sooner rather than later, or 1984 will seem like a pretty boring fairy tale for our children…

Gates the Hutt


Bill Gates might not be heading Microsoft anymore but his legacy (through his stupid padawan, Ballmer) still remains.

Not only are they careless when writing bogus software, not fixing security holes and creating useless solutions to help you protect yourself, now they’re using the money you pay (if you do buy Windows, anyway) to set bounties to capture the creator of the new worm.

It might just work, of course. Worm writers are normally bounty hunters themselves. Like Greedo, they might end up capturing Han Solo. But, what the heck? Wasn’t there a better use for that money? Like fixing the bugs in the first place?

Recursive hacking law

According to the BBC, the new European strategy against cybercrime encourages the police to hack the hacker.

I just wonder if the European Union has any idea of what the word ‘hack’ really means or how grey the area between white hats and black hats is and, more importantly, that both types live on both sides of the fence! Ask a hacker to define hacking and you’ll need a comfy sofa and someone else to actually hear the whole story.

The only problem with that is that it’s recursive. Once the police (and the private sector) hack me, they become hackers themselves, allowing me to hack them, in the interest of security based on the same law. Right?

False security

False security is worse than no security. It’s that simple.

Bruce Schneier won’t stop saying how CCTV cameras are not only plain ineffective, but they bring a false sense of security even to police forces, which won’t patrol the streets as well as they would without cameras. People won’t worry as much as they would without cameras and become easy bait for common robbers.

The same applies to computer security, of course. Building up a firewall in your computer, running an updated version of the latest anti-virus / anti-rootkit / anti-malware / anti-whatever won’t protect you from the simplest of attacks: social engineering. One email or phone call done right to the right person is enough to render the whole network inoperative for hours or to pass sensitive information to black hats to do whatever they want or need in order to hack a system. Yours or any other.

As if that was not enough, as Bruce always points out, placing cameras will make robbers attack places without cameras. In the same line, placing personal firewalls will make viruses mutate and attack in more subtle ways. Placing proxies and snooping hardware on your network will only make the real offenders take more care when they’re accessing prohibited websites or protocols, for they will anyway.

The fact is simple: You can’t assure 100% of security.

Money is hardly the issue here. Think of the amount of money the US spends on securing their own classified data. Probably more than what they spend on wars around the world. But it wasn’t enough: Gary McKinnon could get into all of that to search for UFO information (yes, I do believe him). Apple spends a whole bunch on securing their devices and Brazilian hackers unlocked it only 3 days after the new iPhone 3G was released.

DRM is the other myth: I can’t understand how people with a bit (not much) of clarity and intelligence can ever think it’s worth the shot. All major locks imposed on consumers were broken immediately after they were released. Hackers (good and bad ones) can easily break into any security scheme but the normal public will have to use the digital handcuffs. It’s not only unfair, it’s utterly stupid and pointless.

There is no sensible choice other than to agree with Richard Stallman’s philosophy: ideas should be open and free. Competitive advantage must be in what you are doing rather than in what you’ve done. It’s impossible to secure the past, let it go, walk forward, invent!

What’s the value (worth of stealing) of your previous achievements if your future ones are much better? What could a hacker possibly want with old things? If they’re hacking, it means you’re not fast enough! Keep up!!

My first Linux virus?

Wandering around my Linux filesystem I found a weird directory in /home …


drwxr-xr-x 2 root root 4096 2007-08-19 12:03 eb588afc0325b12eeb074fd6

Ok, I thought, I didn’t create that. If it’s a virus, it’s the most stupid virus in existence, but, we never know… Then I went inside to see what files it had, and found this:


$ l eb588afc0325b12eeb074fd6/
total 956
-rw-r--r-- 1 root root 865822 2007-08-02 21:41 mrt.exe._p
-rw-r--r-- 1 root root 96216 2007-08-02 21:34 mrtstub.exe
-rw-r--r-- 1 root root 45057 2007-08-19 12:03 $shtdwn$.req

Mamma mia, if it really is a virus, it’s even more stupid trying to put .exe files in my Linux box! Anyway, The Oracle would know the answer… Searching for mrtstub, the first hit is this page, directly from the enemy’s site. Not too far I found the origin:

mrtstub is part of the Malicious Software Removal Tool. It is responsible
for copying mrt.exe to the correct location and launching it.

Long story short: I have dual boot (which I never use but my son plays sometimes) and my Linux home directory is mounted using an ext3 driver for Windows. Microsoft asked me to install this Malicious Software Removal Tool, which I denied 10 times, asking every bloody time NEVER TO INSTALL IT IN THE FUTURE, until the 11th time, when it was my son, who wasn’t even asked but turned it off as he always does, and Microsoft stealthily installed this piece of crap on my computer.

That’s enough, I’ll spend a fiver and buy a cross-over software to run my son’s games on Linux and remove this crap from my computer once and for all.