
commoditizing the shaft

Lorenzo Franceschi Bicchierai wrote about BitLocker and our conversations with government agencies. Excerpt below:

“Fuck, you guys are giving us the shaft,” the agent said, according to Biddle and the Microsoft engineer, who were both present at the meeting. (Though Biddle insisted he didn’t remember which agency he spoke with, he said he remembered this particular exchange.)

Biddle wasn’t intimidated. “No, we’re not giving you the shaft, we’re merely commoditizing the shaft,” he responded.

Biddle, a believer in what he refers to as “neutral technology,” never agreed to put a backdoor in BitLocker. And other Microsoft engineers, when rumors spread that there was one, later denied that was ever a possibility.

Full article:
Did the FBI Lean On Microsoft for Access to Its Encryption Software?


Code Identity and the Android Master Key Bug

Android invasion, Sydney, Australia (Photo credit: Pranav Bhatt)

I was part of the effort to drag MSFT security into the modern era. It was extremely painful. I assumed (perhaps stupidly) that our highly-public lessons would mean other late-comers to the security party would look at our wrecked living room, burned furniture and bad tattoos and then not make the same mistakes we made in our irresponsible youth.

But perhaps no. This Android bug could prove to be extraordinarily bad.

Blowing hash and signing functions so that the underlying code can be changed without the hash and sigs changing is horrifyingly atrocious. This is the code equivalent of impersonating a person with a mask so good nobody, not even the real person themselves, can tell the difference.

The entire value of a chain of trust is that you are limiting the surface area of vulnerability to the code-signing and hashing itself. This bug, if it’s as described, destroys the chain. All bets are off. You’d be better off without the assertions and chain at all: Treat everyone as adversarial and move all critical operations off-device and into something you know you can trust.
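An added illustration of the chain-of-trust point above (example code, not the post's or Android's own): a toy signed archive in which the verifier hashes one copy of a file while the loader hands out another, so the code changes without the signature changing. The duplicate-zip-entry mechanism shown is the one publicly reported for this bug and is not described in the post; the HMAC-signed manifest, the key and the file contents are constructed stand-ins for the real signing scheme.

```python
"""Toy signed-archive verifier showing a verify/use mismatch (constructed example)."""
import hashlib
import hmac
import io
import json
import warnings
import zipfile

# Constructed key: an HMAC over the manifest stands in for the real code signature.
SIGNING_KEY = b"constructed-demo-signing-key"
MANIFEST = "META/MANIFEST.json"
SIGNATURE = "META/MANIFEST.sig"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _zip_entries(entries) -> bytes:
    """Write (name, bytes) pairs into a STORED zip; duplicate names are permitted."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile only warns on a duplicate name
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def build_signed_package(files: dict) -> bytes:
    """Sign a package: the manifest maps each name to its digest, the HMAC covers the manifest."""
    manifest = json.dumps({n: sha256_hex(d) for n, d in files.items()}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, manifest, hashlib.sha256).hexdigest().encode()
    return _zip_entries(list(files.items()) + [(MANIFEST, manifest), (SIGNATURE, sig)])


def add_duplicate_entry(pkg: bytes, name: str, data: bytes) -> bytes:
    """Constructed tampering: append a second entry reusing an already-signed name.
    Manifest and signature are untouched, so the signature itself still verifies."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        entries = [(i.filename, zf.read(i)) for i in zf.infolist()]
    return _zip_entries(entries + [(name, data)])


def _signed_digests(zf: zipfile.ZipFile) -> dict:
    """Check the manifest's signature and return its name -> digest map."""
    manifest = zf.read(MANIFEST)
    expected = hmac.new(SIGNING_KEY, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(zf.read(SIGNATURE).decode(), expected):
        raise ValueError("manifest signature does not verify")
    return json.loads(manifest)


def naive_verify(pkg: bytes) -> bool:
    """Verifier that walks the central directory and hashes the FIRST entry per name."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        digests = _signed_digests(zf)
        seen = {}
        for info in zf.infolist():
            if info.filename in digests and info.filename not in seen:
                seen[info.filename] = sha256_hex(zf.read(info))
        return seen == digests


def load_code(pkg: bytes, name: str) -> bytes:
    """Installer-side read. zipfile resolves a name to the LAST entry carrying it,
    so these may not be the bytes naive_verify() hashed."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        return zf.read(name)


def strict_verify(pkg: bytes) -> bool:
    """Hardened verifier: reject ambiguous archives outright, then hash exactly the
    bytes load_code() would return for every signed name, via the same accessor."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        names = [i.filename for i in zf.infolist()]
        if len(names) != len(set(names)):
            return False  # two entries share a name: verifier and loader could disagree
        try:
            digests = _signed_digests(zf)
            return all(sha256_hex(zf.read(n)) == d for n, d in digests.items())
        except (KeyError, ValueError):
            return False


if __name__ == "__main__":
    good = build_signed_package({"classes.dex": b"original app code"})
    bad = add_duplicate_entry(good, "classes.dex", b"replaced app code")
    print("naive verify, tampered:", naive_verify(bad))     # True: it hashed the first copy
    print("loader returns:", load_code(bad, "classes.dex"))  # b'replaced app code'
    print("strict verify, tampered:", strict_verify(bad))   # False
```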

I am not saying this automagically makes Android phones infinitely vulnerable to horrible deeds. It doesn’t. As of July 4th 2013 there are no known exploits in the wild that make use of this attack. To really hit something out of the park based on this bug the bad guys are going to need a way to get an offending app onto a phone. This means getting it through a heretofore unknown exploit in Google Play or onto the phone via side-loading or another distribution method.

So we’re all okay, right? Well, no. Not necessarily. Perimeter security – which is what Google uses to keep bad apps off of phones in the first place – is notoriously bad. It’s so bad that Google (and Apple, MSFT, and everybody else) use techniques like sandboxing (perimeters within perimeters), privilege, code signing and code validation to make up for its deficiencies.

Malicious software has an annoying habit of finding its way onto devices with considerably stronger perimeters than Android, so validation of the code that is already on the system is critically important.

Unfortunately it’s not just the exploit that is distressing. One of the things we eventually got good at, at MSFT, back when we routinely had our pants around our ankles on security was our responses. There’s no way you can survive forever in an environment of constant adversarial attack if you don’t get much better at defending yourself technically AND much better at working with the public about what you’re doing.

In this blog post, Google advocates that companies “should fix critical vulnerabilities within 60 days” and that “after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves”.

Google espouses 60 days to fix exploitable bugs and going public one week after private notification. According to Bluebox, they told Google about this via bug 8219321 in February 2013. That’s a little bit more than 60 days ago. Seeing as it’s now July, I think (and I’m not very good at math, so bear with me here) that’s at least twice as many. It’s especially more than 7 days. I’m not sure how Google is following its own disclosure policy.

Let me speak from personal experience (again): you need to be really good at dealing with the public on security stuff. If you are going to make clear and solid statements that have numbers in them (e.g. 60, 7) then you really REALLY need to make sure you are always on the right side of those numbers.

I am also not saying this automagically makes Google evil. As I said at the beginning of this post – I’ve been there when it was bad. Sometimes you are trying your hardest to be good but you’re tripping and falling down. People see you fucking up and assume it means you are evil when really you’re just trying to stay alive long enough to fix your broken shit and learn so you can be better.

I don’t wish anyone at Google any ill will over this. I’ve been there, it’s no fun.


Thing 3

“Fasten your seatbelts, it’s going to be a bumpy night.”

A multi-part series…

Thing Three

Do you believe in ley lines?

Me neither.

However I can observe that, for whatever reason, some places have proven to be “stickier” for me than others. When I say sticky, I mean that these places have a statistically aberrant presence in my life. They stick to me, or I stick to them, I don’t know which… In some cases the reasons for this are quite obvious, but in others the reasons remain a mystery. I have a few places like this. (If Google Maps wasn’t such an absolute piece of shit, and I hadn’t spent the past hour trying to create something to share with you, well, then I’d share all of them with you… as it is, you will have to settle for just one place…)

That one place is, nearly exactly, right here. I’ve had 5 memorable experiences within streaking distance of this spot so far in my life. 3 of those events are the basis for stories which I tell now, and which I will likely be telling the day before I die. These stories are, in chronological order, “The Kegger on the Freeway”, “Strip Penny”, “Stranded”, “The Frogmen”, and “The Giant Dude with the Rake”. (I don’t tell “Kegger” and “Stranded” often because they aren’t really in the same class as the others. Pretty normal high school OMFGLOL.)

All of these stories – in fact nearly all of my stories – have particulars that I include or exclude, depending on the audience, to make them “age appropriate”, to protect people who haven’t given me permission to talk about their roles, or to try to keep from giving anyone any smart ideas. So if you know any of these stories, you may notice some slight changes or omissions, that’s why: The interwebz are forever.

This is the story of “Giant Dude with the Rake”.

It was a pleasant evening, about 10 PM, sometime in 2000 or 2001. I was driving from Broadmoor, out the back gate and heading to the Big White House on Capitol Hill. As I approached the intersection of Foster Island and Lake Washington, my internal alarm bells started going off. There was a small line of cars in front of me, and they didn’t seem to be going anywhere. Not the right time for a traffic jam… Beyond them, there seemed to be cars moving very slowly along Lake Washington Blvd. Hmmm. I thought “Accident?”, but there were no flashing lights, no aid cars, no cops.

Back up a little bit: I lean towards the “get involved” side of the engagement continuum. Okay, not just lean, kind of veer. I do like to be a hero, but I also know that there’s nothing more annoying than heroes looking for problems to solve. As it happens, at this exact time in my life I was trying to push the needle on my knight-in-shining-armor gauge more towards the “normal people” end of the spectrum. I was actively working on not stepping in…

Back up even more: I have lots of weird but, to me at least, interesting training and real world experience. I was involved with the Seattle chapter of Q-Patrol in the early 90’s, first as a recruit and later as a trainer. It was there that I learned, in some very hard-core and indispensable training as well as on patrol, how to be a good witness. I know what details to look for, to note when they happened sequentially as well as in relation to an unfolding series of events, so that I can recount them for anyone, including the police or in court.

In Q-Patrol we frequently role-played dozens, probably hundreds, of scenarios. A few people would be “mutants” (our code word for all bad guys), some victims, others just participants. The rest was patrol. Mutants would come up with a real-world based scenario together, something we’d seen in real life, and then they’d start acting it out. If it was a guy beating up his girlfriend, that’s what the mutant role players would start to do. There would be screaming, hair pulling, slapping. Bloody lips, noses, bruises, scratches, scrapes, all par for the course.

This sometimes (but not always) got very physical. It was always extremely intense. The goal was to make it so real that when someone vastly bigger than you gets in your face and says “fuck you, you fucking faggot”, you’ve done that before and you neither punch the guy nor do you start to cry.

This training is called “Force on Force” training now (to be clear, we don’t think we invented it!) and if you want to be good at dealing with real-world problems, I strongly suggest you find a way to do it. Seeing Q-Patrol train this way is what got me interested in the first place – I ran into them training in Volunteer Park, and I was soon hooked.

Once we were training in Volunteer Park and a rookie cop, fresh out of the military with his hair still cut very short, drove up on the grass and drew on us because he thought he was interrupting a real gay bashing. About a dozen cop cars and lots of talking later, I heard him say “I just got out of the Marine Corps, and we never trained that hard! You guys are crazy!”

In addition to Q-Patrol, at that point in my life I’d studied, in some cases seriously, in others less so, a bunch of martial arts, including, but not limited to, fencing, medieval sword fighting and weapons, at least 3 flavors of jits (some seminars, some belted) and Cuong Nhu. I’ve done a bunch more stuff since rake-night, including adding guns to my repertoire and airsoft-based Force On Force (FoFAST).

Back to the Arboretum! (I think my old writing teacher Rick Mar would call that “foreshadowing”.) My immediate instinct, sitting in the car, stopped, a length or so behind this small traffic jam, was “something weird is going on, I should jump out and help!”, but I caught that before I acted on it. Remember, I was trying to be Less Involved.

To the right of the traffic and headlights and concentrated energy of “something” was the shoulder, and so I decided to pull onto the shoulder, skirt the backed-up cars, and skip whatever was going on… to just head home. So I pulled over, and slowly drove along the shoulder, heading for the Montlake cut. As I pulled through, to my right there were about a half dozen people on the grass, at least one on a cell phone, others talking to each other or just staring. (For you young whelps, this was before cell phones had cameras. I wish someone had video running, it would have been really fun to watch later!) They were all staring, looking or pointing into the center of the traffic conflagration.

As I drove past them I could now see what they were looking at. I have a vivid memory of it, but I also know that we sometimes make terrible witnesses. On the flip side, I’ve actually studied being a good witness, and I’m kinda OCD about recording things in my head. Here’s what I vividly remember from that moment, as seen through my car window and then, as I got back onto the road driving away very slowly, out of the rearview mirror:

A man, very large. Probably 6 foot 5, 300 pounds. He was wearing a tank top or a t-shirt and shorts. Maybe flip flops on his feet? I want to say his shorts were red, but I’m not sure. He was holding a large landscaping rake, the kind that only the pros seem to have. The pic isn’t exactly right, but close.

He alternated holding onto the rake like a bat or a wand (like a conductor). Like a bat, he would pound on the hood of a stopped car he was nearly on top of, and as a conductor he’d wave traffic along past the stopped car with the rake. The ushering part was very poetic, actually, nearly graceful, even, especially as it was contrasted with the pounding. He had one leg braced against the stopped car, as if he was holding it back. He would pound on the car, then usher cars past with the rake, then maybe take a swing at one of the passing cars, then hit the stopped car again.

Okay, so. As I am occasionally prone to holler in paintball: “wudda we got?”

  1. Giant guy pounding on cars with a landscaper’s rake.
  2. Stopped car, which presumably could drive over him at any time, but which hasn’t yet.
  3. People watching, at least one of whom has a cell phone, presumably having called the cops.
  4. Lots of cars.
  5. No sign of cops.

I drove on. End of story! Ha ha ha.

Yeah right… I made it a little ways down the road, then I stopped and turned around. (It was easier to turn back then – they keep making it harder and harder to whip a youee around there.)

The stopped car was what bugged me – everything else was pretty much okay. No one was in visible jeopardy, they were just driving away, and the bystanders were young and fit looking and far enough away to run from the dude, and really, they chose to stop and watch… It did piss me off that they seemed so willing to look, but not do. That bothered me.

But that car? Why was it stopped? Maybe it was broken down? So I drove back and pulled over on the shoulder of the road beside the mutant with the rake and the stopped car. I was maybe about 30 or 40 feet away now.

I could now see the driver of the car, she was a little old lady, I swear to god, white hair, blue rinse, the works. Aunt May.

Okay, so, this guy is Aunt May’s grandson, and he’s throwing a tantrum. That would make sense and explain why she didn’t just run him over. My window was already rolled down, so I kind of leaned out and yelled to her, and she rolled down her window.

Me: “Do you know this guy?” (Smash, rake hits car.)

Aunt May: “NOOO! HELP ME! HE’S GOING TO KILL ME!!!!!!!!!”

Okay, so. Really, up to this point, I was totally rational about what I was doing. If she’d said “he’s my grandson!” I might have just been, okay, your family, you get to solve the problem. One thing Q-Patrol had drilled into my head is that you don’t get involved in family disputes if you can possibly avoid it.

Really, I swear, that’s what I was intending. This was a new me, a no-lycra-wearing normal guy, driving home.


I came up with a rule for what happened in this moment. It’s Peter Biddle’s “little old lady clause”. Most of us have things inside us that can cause us to do something that we wouldn’t otherwise do, events or circumstances that significantly alter our behaviors. Taking a look at the chart from the last “Thing” post, these things are manipulations which push us away from “do nothing” towards “do something”.

In this case, it wasn’t just the little old lady.

  • I have a predisposition to heroic action and even specific training for it.
  • In the immediate moment, I had bystanders standing around doing nothing (WTF????).
  • A crazy mutant bad guy who is so bizarre he wouldn’t be believable in anything but real life.
  • A little old white-haired lady pleading for her life.

Yeah, I was pretty much fucked. I was going to Do Something. <sigh> I can’t remember my own circumstance of 911 and the cops. Maybe I called them, maybe my battery was dead (that would be nothing new!) or maybe I forgot my cell? Don’t know. Help other than me didn’t seem to be immediately forthcoming, and in the means, opportunity, motive equation, he:

  • clearly had the means (the dude could have torn her in half with his bare hands)
  • opportunity, well, yeah, she’s just sitting there like 10 feet from him
  • motivation? No clue, but clearly whatever it is, it’s getting him past the general inhibitions that keep the rest of us from beating on cars with a rake.

Okay, so:

  1. Make sure that if you die, they can find your ID. So, out comes the wallet; it goes onto the passenger seat.
  2. Then you want to make sure you can drive away later if you aren’t dead or in an ambulance, so the car keys go on the dashboard.
  3. Keep the window rolled down so you don’t wind up locked out of your own car when it’s all done.
  4. Turn off the headlights so your battery doesn’t die.
  5. Empty your pockets of everything: change, money, pet frog, 3 loose bolts, stray business cards from Japanese executives… the usual stuff you are carrying in your pockets.

You’ll note I didn’t have a knife, pepper spray, nor a gun. I did carry a knife back then but I started losing them to airport security a lot (they had savvied onto all my tricks!) and so there would be times I didn’t have them. Very annoying. Pepper spray and guns I didn’t ever have with me back then, that was when I was just a latent gun nut. Pepper spray might have been really nice.


Get out of the car. Put your hands up in front of you, palms outward, in a highly defensible, but also non-threatening manner, arms bent, appearing relaxed but alert. Smile confidently!

Start walking slowly. Say, and in your Voice of Command Authority: “HEY! WHAT’S GOING ON!” You do this to get his attention, to divert him from everything else. You want to see his eyes, to see if you can talk him out of this activity. This is something that most martial arts and self defense training miss – sometimes you can talk your way out of it. In fact, most times you can.

Your whole attitude is now that you two are having a relationship (whether he likes it or not) and in this relationship, it simply isn’t acceptable to be hitting cars with rakes and holding poor little old ladies hostage. It’s just not done.

He looked at me, and I saw his eyes, and there wasn’t really a person there. Pupils the size of plates, he couldn’t even focus on my face, just sort of scanned past me, looking for whatever that annoying noise was. I think I actually snapped my fingers at that point, like you do when you are trying to take a picture of a fidgety toddler or a dog, and said “HEY! OVER HERE!”.

Nothing. Okay, he’s a particularly stupid dog. Not even a toddler. Not much to reason with. Crap!

Well, as I said, you’ve already decided that rake-assault is not an appropriate behavior in this new relationship. You’ve given him a chance to talk things through, he’s, erm, declined… So if you can’t talk to him, then you need to get him away from the things he clearly wants to damage (cars) and the things he might decide to damage (little old ladies, damn them and their blue-rinse manipulations!). Then maybe you can sort things out, have a cup of tea.

Keep walking, keep talking with your Voice of Command Authority.

What is this magic voice? It’s the voice you use, if you are a dog owner, to make your dog sit. If you are a mom it’s the voice you save for when you use their entire name, including the middle names, in full. “MICHAEL PHILLIP SAMUEL SMITH! Come here RIGHT NOW.” If you are a dad it’s the voice you use when your kid is running towards the street… It’s NOT JUST YELLING!!!!!!! In fact, it may even be somewhat quiet. It will usually be lower in tone, and always steady. It is your projection of power. I once watched a 110 pound young woman make a drunk and violently brawling guy at least twice her size sit on the sidewalk by pointing at him and saying “SIT!” and then pointing at the ground. (Julia, you rock!) He just sat.

For this to work, you have to really mean it, and you have to believe it yourself.

If you have kids, this voice is one of the most important first steps you can take to teach them to take care of themselves. It’s extremely important. Dogs can really help with this. If the dog sits when you say “Sit!”, but not when the kid says “uhm, please sit?”, you need to teach your kid how to compel the dog to obey with her voice. Kids need to earn respect from dogs; dogs will naturally consider them to be part of the pack. If the dog only obeys them because of you, then the dog may still think they are second in command, rather than last, which is where they should be, behind you and all your kids. Your kids should be able to make the dog do anything you can make it do, even when you are 100 miles away.

As you approach the mutant, formulate a general plan. Mine went something like this:

  • Avoid getting hit by the rake, punched by those ham-sized fists, or grabbed. (Later I had to add “bitten“. Those were situational tactics, rather than an over-arching strategy.)
  • Control the mutant so you can keep him from hurting you too badly and so you can compel him to go away from the scene and towards somewhere else.
  • Choose somewhere that won’t hurt as much when you fall down, possibly with 300 pounds of drugged out and/or insane whack-job on top of you. Real fights are sloppy and ugly, and it seemed quite possible that this might now be a real fight.

Note that I’m not saying take him out where he stands. I control this relationship; if we are going to conflict, I make it happen where I want it to. He picked this place, so my next step in asserting my dominance over him will be to compel him to go somewhere else. Also, he’s Very Big, I am Not So Big, and pavement and cars are very hard and have sharp edges that will hurt if you hit them. So, those are bad.

Grass is nice and soft comparatively speaking. So grass is good! Fortunately, there was grass just beyond the mutant, pretty much in a straight line. The grass currently occupied by the Innocent Bystanders.

Well, they are just going to have to move off of your grass, because that’s what it is now. Yours.

First things first: negate the rake. As I got to him, I shot my hand out and put it over one of the hands he had on the rake. He hadn’t decided to smack me yet, that was nice. As soon as I grabbed the rake, he tried to smash me in the face with it, but that didn’t work, because I was on the rake too. It’s now our rake! We share, so nice. So the rake’s negated for the moment.

Now, I want him on the grass, that’s behind him. He was just too big to actually carry there on my own, so I want him to want to head towards the grass, or away from me, and based on his total lack of humanity, I needed to rely on lizard-brain-stem responses. Choking should be good. Lizards will try to get away from choking. I took my other forearm, the one not attached to the hand attached to the rake, and I shoved it, hard, against his windpipe, which was as high as my forearm would go. He was tall.

Then, you lean forward and shove as you walk. He’s choking, it’s unpleasant, so he pulls his head back. Now, if he doesn’t take some steps backwards, he’ll fall down on his ass, so he’ll take the steps. You, you just keep walking.

All this shoving and choking and controlling behavior will start to annoy him. He was having a perfectly fine time doing the rake thing, and here you are, RUINING EVERYTHING! Sooner or later he may decide that he’s not having anymore of it. He decided this in my case by trying to punch me in the face with his right fist right about when we got to the grass, and the Innocent Bystanders were moving out of the way.

It’s a big roundhouse, head under the punch, then head back up when it passes, now the back and side of my head are against his tricep and I push on him with the rake hand so he spins around. This actually works! So he’s now standing with his back to me. I want to choke him out, but there’s no way I can get an arm around his neck from behind him, so I need to be higher or he needs to be lower.

I take lower, so I reach around his face to find his nose so I can use that to tilt his head back, then I can drag him backwards onto his ass, but now he’s all riled up, and I barely have any control of him. He drops the rake, and is turning, when one of the Innocent Bystanders – one whose little old lady clause has now gone off and standing around is no longer an option for him – sees what I’m doing, so he runs up, bends down, grabs the guy’s ankles, and pulls. So I’m pulling back on the face, but his feet, while planted, aren’t moving anywhere.

I’m pulling back on the bridge of his nose, +1 dude is pulling in the opposite direction on his ankles, and down he goes. We are scrambling around on him now, me and the +1, when two more +1’s jump on. We now have a guy on each leg, one on his chest, and I’m on his right arm, and now he starts trying to bite me, I’m trying and failing to get an armbar while I’m avoiding his foaming mouth and his biting, and now he’s yelling, he actually speaks now, in English!

He yells “get off of me!” The guy on his chest, bless his heart, actually says “stop struggling and we’ll let you go!” I look at him and say something like “are you fucking crazy? we’re not letting this guy go until the cops get here!” At which point the dude on his chest, who seems to want to actually strangle the guy until I tell him to knock that off too, says “okay! we aren’t letting you go!” <sigh> Giant dude then tries to bite me more, and do stuff with his left, but we’ve pretty much got him pinned, all 4 of us.

Finally – and it was minutes on the ground, it felt like hours but I think the total elapsed time of the entire event was about an hour – a cop car shows up. We cheer. Yay, cops, woo hoo! FINALLY! Out of the cop car steps a single, 100 pound female cop. No partner. She shines her mag lite at us, shines it in the guy’s eyes, they don’t dilate. She steps back. The mutant now speaks: “Get these guys off of me!!!!!!!!!”. She says something into her radio, something like “please send about 20 really big guys to the arboretum” and then says to us “you guys doing okay?” We say sure. She says “Then I think we’ll wait for backup.”

A few minutes later, all of the SPD shows up. After some brief talking amongst themselves, one of them walks over and shines his light in the mutant’s eyes. Still no dilation. He says, in his Voice of Command Authority, and I swear to god he had this great NY accent: “Okay, here’s how this is going to work. On the count of three, these guys are going to let you go, and you are going to WALK over to that police car. If you do anything else, I’m going to have these guys kick your ass some more.”

Recall that there were many cops present now. He repeats these instructions, and as he does, like magic, the mutant starts to calm down. It’s amazing, he’s like a horse whisperer, a drugged-out-mutant-with-a-rake whisperer, and when he says three, we step away, and a small crowd of cops walks with him over to the car. It’s like he’s in a trance. But the trance breaks when he puts his hands on the hood of the car. He takes a swing at one of the cops, and then, of course, it’s all over for him. He goes down in a pig pile of blue.

We give our statements. The head cop, NY accent dude, says that calls to 911 about “someone running around the arboretum with a rake” aren’t given top priority. Calling back and saying the same thing doesn’t get their attention any faster. Calls that say something like “there’s a guy trying to kill an old lady with a rake” get more attention.

I drive away. No one ever calls me back, I don’t even know the names of the guys who were involved.

I really do think, if it hadn’t been for these things, I never would have gotten out of that car:

  • The car just sitting there.
  • Those do-nothing, just watching losers on the grass.
  • The old lady’s cry for help, which by itself might well have done me in.

The thing that I really appreciate from all this, is that I now know that I HAVE a little old lady clause.

It’s not just little old ladies, it’s more than that. But I know a lot more about it now than I used to, and that means that when I find myself about to do things that I haven’t fully thought through, things that aren’t clearly in my own best interest, I have more tools to examine myself and the situation, and I think that makes me at least more intentional and less prone to any manipulation that seeks to take advantage of my good nature.

Remember those 419s? They are all about finding our little old lady clauses. It turns out that some of them we all have – we are all at least a little bit greedy, for example.

But the personalization of them – e.g. making some of them Evangelical Christian-flavored – is all about trying to boost the chances of sinking a hook in, in exchange for a smaller audience. The more personalized a scam, the better the chances it will work, because it can be tailored to target very specific LOLCs.

If it is targeting ones that I, Peter N. Biddle, have, or better yet combinations of ones that are known to push me from a do-nothing to a do-something place, then the chances of it working are much higher.

A combination of things not making sense (car not moving), people not doing anything (The Innocent Bystanders) and real jeopardy (thanks little old lady!) were enough to get me involved in a situation that could have gotten me really badly hurt, or even killed. If mutant dude had gotten the better of me, and the Innocent Bystanders didn’t step in (they only got involved in force when it was clear the danger to themselves was substantially reduced, AND when my actions had shrunk their balls to the size of peas), he could have put a world of hurt on me before the cops finally got there.

This is Really Important. In the next posting, I will try to make it All Make Sense.


thing one

“Fasten your seatbelts, it’s going to be a bumpy night.”

A multi-part series… 

Thing One

I remember my very first 419.

I had the (mis?)fortune of having posted on Usenet before any but the most incredibly prescient, experienced, or paranoid of us had figured out that we shouldn’t use our real email addresses. My earliest postings date to around early 1991, although the earliest ones you can still find in google groups were from 1992 (and what a cornucopia of geekdom they are! I really liked the early 90’s…).

One of the places my MSFT email address was listed was one of the early rec.martial-arts FAQs, and after that FAQ got broad distribution, I simultaneously heard about “daemons” and “spiders” and I got my first spam from a FL martial-arts gear distributor.

I switched most social postings to a non-work address, and changed my .sig to disguise my email address, figuring, incorrectly as it turns out, that most people who would want to reach me would be able to figure that out, because usenet had been invaded by hordes of AOLers who Just Didn’t Get It.

All of this meant that my official MSFT address became part of the fabric of the interwebz, where it lives to this day, along with some of my posts. I’ve been on the bleeding edge of spam management (solely as a user), as I was getting spam before many people knew what it was, actually since well before most of us associated the word “spam” with “unsolicited broadcast email”, although the term has been in use since well before then.

Because my work email addy was so easy to find, eventually I was inundated with waves of spam that were then thwarted by the mighty engineering forces deep inside the bowels of the MSFT email system. It was interesting watching this war. The waves would hit, I’d get 100s of spam in just a few minutes, and I would read some of them to try to figure out what counter-measures they were using to get around the MSFT filters. Fairly quickly (props to whomever was doing that work!) the spam would be stopped again, with the cycle to be waged anew days or weeks later.

My first 419 came after I started getting spam but before anyone I knew personally had ever gotten one. I remember calling people into my office and showing it to them. Someone wanted me to actually email them, and give them my bank account information…

I printed it and put it on the wall outside my office. Why? I had never done that with spam before. 419s felt interesting and different somehow from spam… I’m not sure I really understood why then. I realize now that it’s because they attempt to lead me down a road that ultimately has a very intimate connection with an adversary who wants to take things from me, ideally wants to take everything I possess, everything I own, doesn’t care if it destroys me or not, just wants wants wants. 

All 419s are variants on “The Spanish Prisoner”, which dates back to at least 1910; however, I personally believe that, as a scam, it must date back to cavemen.

“I is Thag! I make for my tribe 1000 flint spear heads, but I no like dem no more! Chieftain is total wanker! But I not able to carry 1000 spear heads! How ’bout you loan me some beasts can carry 1000, I bring them back here, you take 25%?”

“What 25% mean?”  

“It mean you be loaded in spear heads!” 

“Sound like good deal to me!”

So, why did 419s feel so different from spam? Why did those go up on a wall outside my office, where spam never had? For a 419 to work, someone needs for me to believe that they are someone they aren’t, and they need to use my belief to string me along a path, interact with me, talk to me… 

I think it’s because 419s are personal and deceptive, whereas most spam is impersonal and transparent.

To be continued… 

Trust, Uncategorized


Dan Gillmor is guest blogging over on BoingBoing. He posted something here about civilization failing, which has an interesting comment thread… this line of thinking and the ensuing debate are becoming more and more frequent on Boing Boing… and really, who doesn’t like a little apocalypse fantasy meme now and then? 

People get all up in arms about this stuff, and when they do, here’s something I’m noticing:

The people who are most passionate about society not failing are usually the ones who are most screwed if it does. (E.g. they tend to be city folk, bankers, etc.) The ones who keep saying it WILL happen are the ones who at least think that they are least screwed if it does. (These people are sometimes well ready; other times they are kidding themselves. Some wouldn’t last a second, they probably can’t even walk very far on their own.)

Both sides love to argue about whether or not it’s going to happen. It being TEOTWAWKI, of course (shorthand for The End Of The World As We Know It).

Societies are poorly understood complex man-made systems, and if there’s one thing we know about those kinds of structures, it’s that eventually they fail.

Denying the possibility of TEOTWAWKI happening is, quite simply, dumb. OF COURSE IT CAN HAPPEN. No math in the world that anyone should rely on can prove that it can’t happen, because it can. If there’s one thing we know about societies, it’s that they crumble. ALWAYS. 

Der. It’s just a question of when, not if. JUST ASK THE MAYANS. 

Now, do I think society will collapse tomorrow? Next month? This summer? No. Seriously, predicting when society will fail is just straight up crazy talk. Apocalyptic fantasies. End of Days BS! Fear mongering! Profiteering? It’s not science. 

This brings us to my next rule of trust: Complex man-made systems can fail and they will fail eventually, but we don’t know when. 

You really shouldn’t trust anyone who says that they know exactly when a complex system will fail, and equally you shouldn’t trust anyone who says that a complex system can’t fail.  

No one actually knows when we will crash. NO ONE.

Okay, there may be one person out there right now who does, but he looks, acts and sounds like every other compelling nutter who was wrong before him. You can’t tell the difference until it’s too late; there’s no way to tell the difference, between now and TEOTWAWKI, between the one right guy and every other crazy whack job.

Every prediction of total societal failure we’ve heard in our lifetimes has been wrong. If someone says we should do or don’t do something because they know WHEN society will crash, they are crazy or wrong. Don’t listen to these people!

But conversely, if someone says do or don’t do something because they know society WON’T crash, they are also crazy, or wrong.  

So we must assume two things: Society will eventually fail (because societies always do), and we won’t know before it fails when it will. It could happen next month, it could happen in 200 years…

So us practical folks should take the middle road… Be ready, but not TOO ready. You should have a plan, think through the scenarios, have the knowledge you need.

Don’t plan for it to happen, just plan that it can happen. 

If it were to happen today, right now, somehow we’ve gone from my typing this to looters in the streets and no electricity, I have a plan, both specific and general. I know who I’m getting, I have a place to go. I’ve had some skills that will come in handy since I was a lad (I grew up in the country, I’m no farmer but I’ve eaten food I’ve grown and animals I’ve killed) and I’ve picked up lots since then that are also potentially handy. I like to be better at stuff, it’s fun, so I do things, like get my ham radio license, or learn to build houses, or wire electricity, or run plumbing. It’s fun and geeky, and it might turn out to be really handy… but really I do it all mostly because I think it’s fun and lots of it is useful here and now, not just there and then.

Sometimes I say it’s for the zombie apocalypse, but that’s just me being dramatic. Do I really think it is going to happen, like, tomorrow? Zombies? This summer? Next year? No! We both know that’s total crazy talk. I have no idea when our society will crash, it probably won’t happen in my lifetime, and I hope it doesn’t! I like TV and my car and the interwebz and cel phones and modern medicine and all those stuphs. 

But all complex systems will eventually fail, so will I be shocked to find that this one has failed? No, I don’t think I will.  

Will you?

BitLocker, Development, Encryption, Security, Trust

The Thames River Scenario and XKCD

This is a great comic, and I love XKCD. Love it! However, the attack referred to in this comic is one that good crypto systems understand and counter.

I refer to it as “the Thames river scenario”, and BitLocker (Windows Vista) will actually mitigate it if you want it to.

Let’s back up for a second, and consider the scenario. I’ll simplify it. There’s a key – called a password – that is needed to get at some information. Passwords (PW) are handy as a “thing you know” factor in authentication because we carry them around in our brains, but that is also the problem with them. Because they are in our brains they wind up being easy to remember, and anything easy to remember is easy to guess. Or to extract from someone’s brain…

Most of us will never be tortured because someone wants the information off of our laptops. That’s because most of us don’t have the stuff on our laptops which people who feel the urge to torture want. However, there are people out there with things on their laptops that people want really really badly…

Meet Kumar. (Kumar isn’t a real person. I just made him up. However there are people like Kumar.)

Kumar works in domestic intelligence in his central European country. He has been working very hard to crack a terrorist group in his country, a group which he knows is responsible for at least 14 deaths and which has aspirations for many, many more. We’ll call this group “El Patriots”, or EP for short. EP is thought to be funded by at least one foreign government, possibly more, because it seems better organized and more effective than it ought to be.

EP is also famous amongst the intelligence community for being cagey and extraordinarily secretive and very violent. They kill people. 

Kumar’s agency tracks EP in a variety of ways – cel phone data, GPS, data mining, and good old informants. Kumar is an affable and thoughtful man and thus he’s particularly effective at “humint” – human intel, aka informants. The people he works with are often directly or indirectly involved in EP and usually speak to him because they think EP are evil and must be stopped, but also because they want money, or revenge, or like the excitement of being involved.

Because Kumar is also organized, he keeps notes and lists about his network of informants – over 100 of them. He has spreadsheets, photos, files, extensive background checks, family trees, social networks… he knows a lot about these people and he keeps detailed notes about them because that’s his job. You never know if a trifling little fact – a mention that a suspected EP supplier stops at a certain coffee shop every Thursday after dropping his kids off at school – will turn out to be incredibly important. 

Kumar stores all of this information on his laptop. He uses data synching to keep as little of it as he can on the laptop, but there’s still quite a bit. If EP were to get the information on his laptop, people would die in a matter of days, perhaps even hours. Families living in other countries would be killed or kidnapped and tortured. It would be really bad.

When Kumar’s infosec team considered what security he needed on his laptop, they included Kumar in their threat model. They assumed they had a very skilled adversary with an essentially unlimited amount of money (foreign intelligence), and they assumed that this adversary actually knows that Kumar is an intelligence agent, so they and EP will be targeting Kumar’s laptop specifically because they are pretty sure that what’s on there is really worth stealing. Possibly worth killing for, possibly worth torturing for.

So how do they protect that data? There are a variety of architectures to do this, but presuming that there’s data that Kumar needs on his laptop to SAVE lives, and at the same time that same data in the wrong hands will LOSE lives, then he’s going to need either access to the data locally or to actually possess the data locally to do the job of SAVING while minimizing the risk of LOSING. 

First off, encrypt the entire laptop. That’s a no brainer.

Then never rely on a single factor of authentication which is easy for Kumar to remember. PW = bad. It would be really lame if EP snatched the laptop and the PW turned out to be something they can brute-force in a few hours. 

If the hard drive is always encrypted, then the attacks shift to getting at the laptop in a state where it is cheerfully giving up unencrypted data – e.g. when Kumar is logged in.

Aha! Kumar is now part of the threat model!

This has to happen sometimes, so you use policy enforcement to make sure that the system hibernates whenever the lid closes or it isn’t used for more than just a few minutes. That ensures that the keys used to manage the system aren’t in memory, where they are vulnerable. Reduce moments of “logged in” to when Kumar wants them to happen, like in a secure location.

Okay, so what about Kumar? If they get Kumar along with the laptop, what happens then? Let’s say that Kumar is crossing a bridge in a foreign country and a van rolls up, out jump 3 armed men, they drag Kumar into the van and away they go… The best security system would mean that Kumar wouldn’t have to do ANYTHING and yet the laptop would be invulnerable. The hard part about this is that it implies the laptop is smarter than Kumar – it knows that Kumar has been snatched and so now it refuses to unlock even though Kumar is begging, pleading with it to open…

…this is hard. There are some really neat ideas for pulling this off, but as yet they tend to be so error prone that you might as well just not let Kumar carry the data (or access it) around. Dumb terminals on encrypted air-gapped copper networks in physically secure locations make SAVING lives too hard.

Okay, so you are going to want to require multiple forms of authentication – one-time passwords, smart cards, or biometrics are all examples… You want something that isn’t on the machine itself (it needs to be separate, otherwise he can’t lock it if he’s, say, running away from the laptop which is now snatched). It needs to be small and portable, and it has to be impossible for Kumar to recreate, even under duress or subpoena.

You also want something that Kumar CAN’T give up. Thumb prints are terrible solutions for this – Kumar can’t stop someone from cutting his thumb off his dead body.  

I call this “the Thames river scenario” because it’s easy shorthand to encapsulate the situation. Kumar is on a bridge on the Thames and has a few seconds to render both himself and his laptop secure. In BitLocker the solution to this is to use a USB dongle containing a Very Large Key as an additional factor of authentication to the TPM and the PIN. Toss the USB dongle into the Thames and now there’s NO WAY that the system, which is in hibernation so there are no keys in memory (so no freon attacks), can be unlocked. Kumar can’t unlock it, even if he wants to. Beat the crap out of him, it won’t matter. The key is huge and he couldn’t remember it even if he wanted to try.

Smart crypto architects will note that there may be another key which can unlock it – a recovery key. But that is never with Kumar and Kumar doesn’t know it, can’t know it, has never even seen it. It’s printed on a piece of paper locked up in a very secure place inside Kumar’s intelligence agency and they won’t let it out, not even to save Kumar’s life.

So Kumar gets tortured, which is horrible and awful and bad. The only thing he can give up is what he remembers, and the torturers now have to try and break him to get the data that he has in his head – e.g. names, addresses – out. It’s much harder. More people may die, but then some evil-doers might die too, as Kumar gives up names he knows of suspected EP members who aren’t his informants… Kumar is brave and dedicated and he knows if he talks then people die, so he feeds EP the wrong names, gives them false trails… in the end he coughs up everything he can remember, but by then it’s less than it might otherwise be, because the torturers are too violent and by the time Kumar is talking he’s so muddle-headed and woozy he’s very compromised. EP has far less than they would have if they had the laptop.

Note that in the less dramatic scenario where Kumar has his dongle in his pocket and the laptop in the briefcase and EP snatches the briefcase, they still can’t get in because he has the dongle.

If they get the dongle and laptop but no Kumar they still don’t have the PIN, which means, again, that they aren’t getting the data.

They need Kumar, conscious and compliant (to get the PIN out of his head), the laptop, and the dongle. Not impossible, but now much, much harder to pull off. Nearly as hard as we can make it.

For us normal folks, BitLocker with TPM+USB+PIN is a bit much, but TPM+PIN w/hibernate is a good compromise.
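As an added example (not from the original post), here is the configuration the scenario above calls for, written against the BitLocker PowerShell module and powercfg found in later Windows releases rather than the Vista-era tooling the post describes: TPM + PIN + startup key on the dongle, a recovery password that is escrowed offline and never travels with the user, and hibernate (not sleep) on lid close and idle so no keys stay in memory. The drive letters, the idle timeout, and the registry mapping of the startup-authentication policy are assumptions; in a managed fleet that policy would be delivered by Group Policy instead.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's or Microsoft's own script. Assumes the OS volume
# is C: and the USB dongle that will carry the startup key is mounted as E:.
$OsVolume   = "C:"
$DongleRoot = "E:\"   # removable media; receives the 256-bit startup key file

# 1. Startup authentication policy. Assumed to mirror the "Require additional
#    authentication at startup" GPO under HKLM\SOFTWARE\Policies\Microsoft\FVE
#    (0 = do not allow, 1 = require, 2 = allow). Require all three factors and
#    block every weaker combination so a TPM-only protector cannot be added.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 0 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 0 -Type DWord

# 2. A logged-in machine holds the volume key in RAM, so lid close and idle must
#    hibernate (RAM powered off), never sleep (RAM kept warm). LIDACTION 2 is
#    hibernate; HIBERNATEIDLE is in seconds (5 minutes here, an assumption).
powercfg /hibernate on
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 300
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 300
powercfg /setactive SCHEME_CURRENT

# 3. Protect the OS volume with TPM + PIN + startup key. The PIN is the only
#    factor that lives in the user's head; the startup key exists only on the
#    dongle, so losing the dongle makes the PIN useless to an attacker.
$pin = Read-Host -AsSecureString -Prompt "BitLocker PIN"
Enable-BitLocker -MountPoint $OsVolume `
                 -TpmAndPinAndStartupKeyProtector `
                 -StartupKeyPath $DongleRoot `
                 -Pin $pin `
                 -EncryptionMethod XtsAes256 `
                 -UsedSpaceOnly:$false

# 4. Recovery password: an independent 48-digit unlock path. Print it for
#    offline escrow (the locked cabinet in the post) and do not store it on the
#    machine or anywhere the user can reach under duress.
$vol = Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector
$rp  = ($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).RecoveryPassword
Write-Host "Escrow offline, then clear this console: $rp"

# 5. Verify: expect exactly one TpmPinStartupKey and one RecoveryPassword
#    protector. Any bare Tpm or TpmPin entry here would silently reintroduce
#    the "PIN alone unlocks it" weakness the scenario is built to remove.
(Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

For the "normal folks" compromise in the post, replace step 3's protector with `-TpmAndPinProtector -Pin $pin` and set `UseTPMPIN` to 1 in step 1; step 2 stays the same, since hibernate is what keeps keys out of memory in both configurations.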

Good laptop encryption systems are capable of treating the possessor of the laptop as an adversary and are also capable of treating the rightful user of the laptop as no longer trustworthy. 

Be happy there are people like Kumar out there fighting the good fight against terrorist organizations who want to kill us, and be happy that there are good technologies out there which can help them.

Microsoft, Palladium, Security, Trust

Perception (or, Linus gets away with being honest again)

The more I learn about Linus Torvalds, the more I like. I like that he’s “just” an engineer (and near as I can tell a very good one).

As he is just an engineer, he is prone to clear, logical thinking, and thus also prone to clear, logical statements. Here is an oldie but a goodie, where Linus essentially tweaks the noses of an entire generation of wankers, erm, make that “opinionated people who have no place making real engineering decisions”, by essentially declaring that DRM is a perfectly reasonable security model and as such by itself it can’t be evil. (Clearly my interpretation; you are welcome to interpret it yourself.)

People who aren’t engineers, or at least aren’t very good ones, often try to argue with these kinds of statements as if they are religious issues. This approach doesn’t work so well with engineers or logicians. It’s kinda like trying to convince an engineer he should build a truck bridge out of wet sand instead of steel because “ironz is teh evel!”.

Yeah, not such a good argument. But sometimes these arguments actually work! And when they do, the world isn’t a better place. This brings us to my Third Law of Trust: The Perception of Trustworthiness Can Be as Important as The Reality of Trust Itself.

A great case study in the phenomenon of perception is a recent post from Linus, here. Imagine, for just a second, that this statement came not from Linus, but instead from either Steve Jobs or BillG.

If Steve Jobs had said this, people would say “well der, Jobs is all about the user experience”. It might not even make headlines.

If Bill said it, even though he’s now retired from his role at MSFT and so it shouldn’t matter, there may well be massive coverage, the gist of which would be “see! MSFT doesn’t give a crap about security! I knew it! M$ is teh evel!”.

This is perception. The notion that this is true should come as no surprise to anyone. But if we dig a little deeper we find that this perception issue has significant implications.

Implication 1: Perception allows mediocre or even bad ideas to be treated as if they are good.

Example: The public seems to believe that the security precautions which are currently in place in major airports in places like America and Europe are good and make sense. We can assume this because they continue to fly. Do I think for a second that if 50% of the planet stopped flying tomorrow to protest the stupid fluids ban that the ban would last even a week? Of course not.

But people think that the people in charge must know what they are doing. That’s their perception. And so they tolerate it when someone won’t let them fly with an extra ounce of toothpaste, or when they are told they must drink their own breast milk to prove it’s not pure hydrogen peroxide.

This is in spite of the fact that not a single competent security engineer has ever come forward and made the claim that the fluids ban actually works. (Not that I am aware of, at least.)

Perception, rather than reality, is ruling the day and letting a bad idea continue on.

Implication 2: Perfectly reasonable ideas which are offered up by people or groups who are perceived as being un-trustworthy may be lost in the ensuing maelstrom of idiotic public wankery and flagellation.

Example: Something called Palladium (even when it was named NGSCB “it’s pronounced Palladium”). The general perception of Palladium was, well, bad. Very bad. It was very bad for a variety of reasons, but the biggest perception was that it was very very evil because some people thought that MSFT was very very evil.

Linus posted his bit about DRM in April of 2003. In September of 2002 I posted this, which you can see is part of a larger thread. Re-reading my posts, I can’t find any major faults anywhere.

But clearly that wasn’t enough. The perception of MSFT was that it was evil, and if MSFT was evil, that made Palladium the hellmouth from which pure, unadulterated evil would pour forth.

Here’s an interesting quote from this page: “XenSE is designed to allow desktop users to create securely separated compartments to run applications that contain highly confidential information. The system would prevent such data from overflowing from one compartment to another.”

Replace XenSE with “Palladium” and you have, well, Palladium. Note the lack of public outcry about XenSE, however. Clearly NOT Palladium in that sense. Of all the things that “killed” Palladium, negative perception was the most important factor.

When I look around I find lots of examples of things we were doing in Palladium being done in the open source community. Linux has TPM drivers, people are looking at secure boot, there are complete Palladium near-clones in a number of universities.

This makes me happy, actually. I still believe in the principles of Palladium and I think that they are required to make the world a better and safer place. If it takes smart people in the OSS community to make it happen, well, you go.

If you are right and you have time on your side (like Linus does) then sooner or later people will come round to your way of thinking, and that will, over time, significantly improve perception.

It takes a community with both the best technical expertise AND good public perception to best make the world a significantly better place. If I have to choose between the two I know that I will always place my bets with the former, but I really appreciate just how important the latter is.

In the case of Trustworthy Computing at least this stuff is happening. Maybe that’s the most important thing.