Hard Math CAPTCHAs – Easy As Pie

I mean Pi. Funny example of security control failure:

It seems these scientists want to ward off ruffians who can’t do advanced math. After all, the service they’re offering is access to truly random numbers — a difficult computer science feat on its own, and one that only responsible adults should have access to.

The scientists thought it would be a good idea to give their visitors a math challenge: solve a basic calculus problem to prove they are human. An equation version of the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is posted on their sign-up page. Would this be called a CAPECHA?

Solve Me

But these math elitists may have a problem on their hands. As calculus teachers around the world are discovering, the Internet will now do your math homework for you. Just go to WolframAlpha and pop in the problem, and boom, you’ll have access to all the random numbers your heart could desire.
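To make the control failure concrete, here is an added example (not code from the original post or from the site it describes): a small bot that parses and solves calculus challenges of the kind the sign-up page poses. The challenge grammar (`d/dx (...) at x = n`, `integral from a to b of (...) dx`, `evaluate (...) at x = n`) and the sample challenges are constructed assumptions for illustration; the real page's format is not on record here. The bot needs no WolframAlpha, only exact polynomial arithmetic, which is the point: a challenge whose answer is a deterministic computation is solved by that computation, so it tests computation rather than humanity.

```python
"""
Added example, not from the original post: a bot that solves a
"calculus CAPTCHA". The challenge grammar below is an assumption
made for illustration. Any challenge whose answer is a deterministic
computation is solved by the same computation, so it cannot tell
computers and humans apart; at best it tells them apart the wrong way.
"""
import re
from fractions import Fraction

# A polynomial in x is a dict {degree: coefficient}. Coefficients are
# Fractions so that antiderivatives of integer polynomials stay exact.
_TERM_RE = re.compile(r"([+-]?)(\d+(?:\.\d+)?)?(?:(x)(?:\^(\d+))?)?")


def parse_poly(text):
    """Parse '3x^2 + 2x - 1' into {2: 3, 1: 2, 0: -1}."""
    compact = text.replace(" ", "").replace("**", "^")
    terms = re.findall(r"[+-]?[^+-]+", compact)
    if not terms or "".join(terms) != compact:
        raise ValueError("cannot parse polynomial: %r" % text)
    poly = {}
    for term in terms:
        m = _TERM_RE.fullmatch(term)
        if not m or (m.group(2) is None and m.group(3) is None):
            raise ValueError("bad term %r in %r" % (term, text))
        sign, coef, var, power = m.groups()
        value = Fraction(coef) if coef is not None else Fraction(1)
        if sign == "-":
            value = -value
        degree = 0 if var is None else (int(power) if power else 1)
        poly[degree] = poly.get(degree, Fraction(0)) + value
    return poly


def derivative(poly):
    """d/dx of a polynomial (constants vanish)."""
    return {d - 1: c * d for d, c in poly.items() if d > 0}


def antiderivative(poly):
    """Indefinite integral with the constant of integration set to 0."""
    return {d + 1: c / (d + 1) for d, c in poly.items()}


def evaluate(poly, x):
    """Evaluate the polynomial at x using exact rational arithmetic."""
    x = Fraction(x)
    return sum((c * x ** d for d, c in poly.items()), Fraction(0))


# Assumed challenge grammar; the real sign-up page's format is not known here.
_NUM = r"(-?\d+(?:\.\d+)?)"
_DERIV_RE = re.compile(r"d/dx\s*\((.+)\)\s*at\s*x\s*=\s*" + _NUM)
_INTEG_RE = re.compile(r"integral\s+from\s+" + _NUM + r"\s+to\s+" + _NUM
                       + r"\s+of\s*\((.+)\)\s*dx")
_EVAL_RE = re.compile(r"evaluate\s*\((.+)\)\s*at\s*x\s*=\s*" + _NUM)


def solve_challenge(challenge):
    """Return the exact answer (a Fraction) to one challenge string."""
    text = challenge.strip().lower()
    m = _DERIV_RE.fullmatch(text)
    if m:
        return evaluate(derivative(parse_poly(m.group(1))), m.group(2))
    m = _INTEG_RE.fullmatch(text)
    if m:
        lo, hi, body = m.group(1), m.group(2), m.group(3)
        big_f = antiderivative(parse_poly(body))
        return evaluate(big_f, hi) - evaluate(big_f, lo)
    m = _EVAL_RE.fullmatch(text)
    if m:
        return evaluate(parse_poly(m.group(1)), m.group(2))
    raise ValueError("unrecognised challenge: %r" % challenge)


# Constructed sample challenges with the answers a form would expect.
SAMPLE_CHALLENGES = {
    "d/dx (3x^2 + 2x + 1) at x = 2": 14,               # 6x + 2 at x = 2
    "integral from 1 to 2 of (3x^2 + 2x + 1) dx": 11,  # (8+4+2) - (1+1+1)
    "evaluate (x^2 - 4x + 4) at x = 5": 9,
    "d/dx (x^3) at x = -1": 3,                         # 3x^2 at x = -1
}


def pass_rate(challenges=SAMPLE_CHALLENGES):
    """Share of challenges the bot answers correctly; 1.0 means the
    control adds no friction at all to an automated sign-up."""
    correct = sum(1 for c, want in challenges.items()
                  if solve_challenge(c) == want)
    return correct / len(challenges)


if __name__ == "__main__":
    for c, want in SAMPLE_CHALLENGES.items():
        print("%-45s -> %s (expected %s)" % (c, solve_challenge(c), want))
    print("bot pass rate:", pass_rate())
```

The solver is exact, so it never fails on rounding, and it is cheaper to run than the challenge is to render; the "hardness" of the math adds cost only for the humans. What actually raises the price of automated sign-ups is something the bot cannot compute its way out of: rate limits per source, a per-attempt cost (proof of work, account age, reputation), or a challenge that is genuinely hard for machines and easy for people, which a well-formed calculus problem is not.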

Perhaps they did it for the publicity, or just for the humor. Or maybe they did it to drive up the market price for hired CAPTCHA-solution labor. I wonder if the next Craigslist ad for “easy money, work from home” will include basic calculus as a required skill.

It’s China! It’s Israel! It’s…

Pick your favorite bogeyman. The latest outsider attack is probably their fault…

My presentation at BSidesSF this year tried to make the argument that attribution is harder than ever online. Attackers make extensive use of proxies and remote control, so it can be very difficult to trace all the points back to an actual person, and even if you do, that person may be only one of a thousand mules following instructions. It was gratifying to hear General Alexander, in the RSA keynote on February 17th after my presentation, admit to his audience: “We don’t have situational awareness.”

I could go into the complicated philosophy of why attribution is a double-edged sword (e.g. users on the Internet do not want to sacrifice their privacy) or go into the long history of technical issues with attribution (e.g. smurfing), but instead I just want to point out the two most recent spectacular attribution failures.

First, WordPress suffered a denial of service attack that came from systems in China. I asked my audience at BSidesSF “how many people in the audience use products made in China” and the entire room raised their hands. Granted, there were only three people in the room (jk), but my point is that “it came from China” should be immediately discounted as a strong attribution link. If a weapon found after an attack has “from China” stamped on it, investigators should not jump to the conclusion that the attacker therefore must also be from China. Even worse is to superimpose Chinese state motives onto a suspected Chinese attacker, all because the weapon is “from China”.

WordPress said last week the attacks might have been politically motivated and aimed at an unnamed Chinese-language blog, but it no longer has that view.

“Don’t think it’s politically motivated anymore,” WordPress Founder Matt Mullenweg said in an e-mail to IDG News Service. “However the attacks did originate in China.”

Mullenweg did not elaborate on the change in view or offer details on the source of the attacks.

I had tried to warn against this in my Operation Sloppy Night Dragon post.

Second, I have a lot of respect for Ralph Langner, who has been credited with exposing the details of the Stuxnet attack. In his recent interview he made points such as: Stuxnet was very basic because it did not need to be complex, and Stuxnet was directed at Natanz, never at Bushehr. Why did he say at first that it was probably directed at Bushehr? In the interview he said it was because he assumed that would be a target of Mossad. In other words, his bias on international politics overshadowed his analysis of the facts. He recently reiterated that it was the Mossad.

“My opinion is that the Mossad is involved,” Ralph Langner said while discussing his in-depth Stuxnet analysis at a prestigious TED conference in the Southern California city of Long Beach.

We should not lose sight of the fact that he has already admitted he made one serious mistake because he believed Mossad was to blame before his investigation started. The Mossad certainly has a lot of people spooked, but not every suspicious bird and rock is their handiwork.

Every piece of dog poop you see, on the other hand, should in fact be attributed to the CIA.

I appreciate Langner’s honest, clear and open style; yet it seems when he switches to geopolitical analysis he overlooks important data points like the significance of Pakistan and German intelligence operations.

Note the recent mass exodus of US special forces and operatives from Pakistan after the arrest of Davis. The US denies he was anything more than a diplomat, but let’s face the fact that a fight with Afghans and Iranians makes Pakistan a really good proxy. The British certainly made this point when they told the CIA under Tenet that Iran was stealing nuclear secrets from Pakistan. Without the Davis incident (he killed two motorcyclists who probably were trying to assassinate him) we would have far less data on how Pakistani operations might be attributed back to American objectives. Instead, some now suggest the exodus of US operatives is related to the drop in US drone attacks in Afghanistan (e.g. disruption of intelligence channels); it probably also is impacting other Pakistan-originated operations that could affect Iran (e.g. Stuxnet).

While there is a case to be made that Pakistan has been a proxy to US and Israeli objectives, that is far from achieving attribution. Maybe Britain was acting on its own, with the support of Germany, on behalf of the US. Time will tell and probably reveal a more complicated picture than we might believe today; and that is just for the physical world. Take for example the overthrow of Iran’s Mossadegh in 1953. It served British objectives, but today we know it was an American-led operation masked to look like an insider revolt against nationalism, despite the fact that the prior year Iran’s nationalist movement fit American interests. Attribution of crowd events was hard. Attribution of Internet crowd events is even harder.

How the US Fell Behind in Broadband

The CEO of Sonic.net, a broadband provider, has a blog post with some interesting details. Here is his argument for why the US has such slow broadband.

In 1996, the US Congress kicked off the broadband revolution when it passed the Telecom Act. The 1996 Act created a level playing field for competitive carriers, and brought about widespread deployment of DSL and other broadband technologies.

Then in 2003 and 2004, the then Republican-led FCC reversed course, removing shared access to essential fiber infrastructure for competitive carriers and codifying instead a policy of exclusive use and “multi-modal competition”.

[…]

Elsewhere in the world, regulatory bodies followed the lead of the US Congress and separated essential copper and fiber infrastructure from the services and providers who used them, and the result has been amazing. In Asia and Europe, Gigabit services are becoming common, and the price paid by consumers per megabit is a tiny fraction of what we pay here at home.

The bottom line seems to be a failure of politicians to fight for better management of shared (collective) resources. The US needs a national broadband policy that aggressively promotes true competition, based upon the separation of retail network services from wholesale network transport. Greater freedom and innovation clearly can come from shared roads, shared electric lines, shared stoplights, shared fire hydrants. Why not shared fiber?

We must build new fiber all the way to your home, passing by along the way the idle fiber infrastructure that the FCC set aside nearly a decade ago.

The American government and phone companies in 1992 said they were working to put fiber to homes.

“The phone companies painted a bright picture of the wonders of fiber optics and the Information Age — the latest movies available at the flick of a remote control, the Library of Congress via a personal computer and picture phones out of ‘2001: A Space Odyssey.’”

It was a good start under President Clinton, but serious impediments stood in the way. The Brookings Institution in 2002 tried to get the Bush Administration to turn up the heat and put the focus on improving broadband speeds:

The principal source of the problem is monopolistic structure, entrenched management, and political power of the ILEC and CATV sectors, worsened by major deficiencies in the policy and regulatory systems covering these industries.

The Sonic.net CEO explained above how that all turned out, as the US watches the world pass it by. One might think the following sentence would have received more attention, even from a President busy starting two wars:

Failure to improve broadband performance could reduce U.S. productivity growth by 1% per year or more, as well as reducing public safety, military preparedness, and energy security.

Alas, while the US rapidly increased domestic broadband subscribers from 9% to 63.5% between 2001 and 2009, it has actually been in decline relative to the rest of the world. Today it does not even make the top ten; it sits behind fifteen or more other countries.

US Broadband in 16th Place

Even European mobile broadband penetration (e.g. smartphones) is twice that of the Americas.

German Drivers Reject Ethanol

Deutsche Welle reports that Germans are afraid of ethanol and refuse to use it.

E10 is safe for 93 percent of all cars registered in Germany and 99 percent of all German-made cars. But that has apparently done little to reassure drivers, 70 percent of whom are sticking to what they know.

Apart from concerns over the 10 percent ethanol, E10 is also less efficient, somewhat negating the price advantage.

Blame for resistance in Germany has been put on the industry that produces and sells E10 there.

Germany’s Environment Minister Norbert Röttgen heavily criticized the fuel industry for not properly advertising E10 at gas stations. “The confusion that the petroleum industry has created is unacceptable,” he fumed.

Haha, he fumed. For what it’s worth Deutsche Welle often has the best puns in the news; who says Germans have no sense of humor?

The German automobile association ADAC has thrown its support behind the minister. “The petroleum industry alone is responsible for the chaos that followed the introduction of E10,” said ADAC spokesman Maxi Hartung. “For there to be absolutely no information available on a newly-introduced product is the wrong approach.”

There is a lot of confidence in Maxi’s statement. Calling the petroleum industry “alone” with “absolutely no information” is a bit extreme, but it is easy to see why the ADAC is so upset.

Educating drivers would be a boon to the automobile industry. It increases the likelihood of engine upgrades or vehicle replacement. The problem, however, is that this also could lead directly to a shift into efficient engines (and a trade-in for diesel). That lowers consumption of fuel and moves more Germans away from petroleum. While this is the goal of government regulation (reducing dependence on petroleum), the petroleum industry is hardly an eager proponent of this scheme; it is not likely to want to push demand for its primary product (gasoline) down any further unless forced by regulations.

All of that speculation aside, I thought this was the most interesting statement in the article:

Many drivers prefer the old gas, even though it costs up to eight euro cents (11 US cents) more per liter, for fear…

Aha! Drivers prefer more expensive fuel at the pump, despite the option to spend less, because they are worried about long-term costs!

Surprised?

What would they decide if offered more expensive fuel that has a lower long-term collective cost (e.g. clean, domestic, renewable)…?

Studies of biodiesel, by comparison, suggest that Germans have adopted it rapidly and worry only that it may come from unethical sources. Ironic, when you consider where and how petroleum historically has been sourced.

Germans switched to biodiesel so quickly, in fact, that the government feared a loss of tax revenue. It added laws expected to dampen biodiesel enthusiasm and protect petroleum demand while introducing ethanol, but it apparently did not plan for a lack of support from the petroleum industry, or for resistance from drivers.

Biofuel Revenue Loss in Germany

The dark green bars above represent the extremely rapid adoption of biodiesel by German drivers and the plateau expected from taxation.

A smarter plan for the German government would have been to regulate ethical sourcing for fuels (to address consumer concerns) and then encourage consumers to move away from gasoline to diesel. Skip the ethanol phase.

Ethanol has become too small a step at a steep cost — high risk with little or no reward at all. The resistance from gasoline drivers makes it an even less attractive option. Biodiesel, meanwhile, has shown solid demand with far more supply options — low risk with high reward.