Category Archives: Security

The Psychology of “Talking Paper”

Sometime in the late 1980s I managed to push a fake “bomb” screen to Macintosh users in networked computer labs. It looked something like this:

There wasn’t anything wrong with the system. I simply wanted the users in a remote room to restart because I had pushed an “extension” to their system that allowed me remote control of their speaker (and microphone). They always pushed the restart button. Why wouldn’t they?

Once they restarted I was able to speak to them from my microphone. In those days it was mostly burps and jokes, mischievous stuff, because it was fun to surprise users and listen to their reactions.

A few years later, as I was burrowing around in the dusty archives of the University of London (a room which sadly no longer exists because it was replaced by computer labs, but Duke University has a huge collection), I found vivid color leaflets that had been dropped by the RAF into occupied Ethiopia during WWII.

There in my hand was the actual leaflet credited with psychological operations “101”, and so a color copy soon became a page in my graduate degree thesis. In my mind these two experiences were never far apart.

For years afterwards when I would receive a greeting card with a tiny speaker and silly voice or song, of course I would take it apart and look for ways to re-purpose or modify its message. Eventually I had a drawer full of these tiny “talking paper” devices, ready to deploy, and sometimes they would end up in a friend’s book or bag as a surprise.

One of my favorite “talking” devices had a tiny plastic box that upon sensing light would yodel “YAHOOOOOO!” I tended to leave it near my bed so I could be awakened by yodeling, to set the tone of the new day. Of course when anyone else walked into the room and turned on the light their eyes would grow wide and I’d hear the invariable “WTF WAS THAT?”

Fast forward to today and I’m pleased to hear that “talking paper” has become a real security market and is getting thinner, lighter and more durable. In areas of the world where Facebook doesn’t reach, military researchers still believe psychological manipulation requires deploying their own small remote platforms. Thus talking paper is as much a thing as it was in the 1940s or before, and we’re seeing cool mergers of physical and digital formats, which I tried to suggest in my presentation slides from recent years:

While some tell us the market shift from printed leaflets to devices that speak is a matter of literacy, we all can see clearly in this DefenseOne story how sounds can be worth a thousand words.

Over time, the operation had the desired effect, culminating in the defection of Michael Omono, Kony’s radio telephone operator and a key intelligence source. Army Col. Bethany C. Aragon described the operation from the perspective of Omono.

“You are working for a leader who is clearly unhinged and not inspired by the original motivations that people join the Lord’s Resistance Army for. [Omono] is susceptible. Then, as he’s walking through the jungle, he hears [a recording of] his mother’s voice and her message begging him to come home. He sees leaflets with his daughter’s picture begging him to come home, from his uncle that raised him and was a father to him.”

Is anyone else wondering if Omono had been a typewriter operator instead of radio telephone whether the US Army could have convinced him via print alone?

Much of the story about the “new” talking paper technology is speculative about the market, like allowing recipients to be targeted by biometrics. Of course if you want a message to spread widely and quickly via sound (as he’s walking through the jungle), using biometric authenticators to prevent it from spreading at all makes basically no sense.

On the other hand (pun not intended) if a written page will speak only when a targeted person touches it, that sounds like a great way to evolve the envelope/letter boundary concepts. On the paper is the address of the recipient, which everyone and anyone can see, much like how an email address or phone number sits exposed on encrypted messaging. Only when the recipient touches it or looks at it, and their biometrics are verified, does it let out the secret “YAHOOOO!”

RSA Conference 2018: Tuesday Keynotes

Keynotes streamed to the public on a 30-second delay

RSA Announcements

Women in tech

Message of diversity

Microsoft Announcements

Call for a digital Geneva convention (https://twitter.com/BradSmi/status/831553031422386176)
– No targeting
– Assist private sector
– Limit offensive ops
– Restrict cyber weapons
– Non-proliferation
– Report vulns

Shipping a secure Linux kernel because “Microsoft now is a Linux company”

Tech Sector Accord
– protect all users and customers everywhere
– oppose all cyberattacks on innocent citizens and enterprises
– provide tools and info to help community protect self
– deepen co-operation & information sharing between companies

Five Eyes are collaborating on blaming the attack on North Korea

Message of unity: “It’s about trust…we need the world to come together”

Message of diversity. Bring different kinds of people together: “learn, change and grow” to “build a safer world”

Award Stuxnet: Michael Assante
Award Public Policy: Admiral Michael Rogers
Award Math: Ran Canetti, Rafail Ostrovsky
Award Humanitarian (created by yours truly): Tim Jenkin

McAfee

An ode to the Skyjacking Threatscape security evolution
1961 became a crime after Cuban revolution
1972 peak of hijacking, nuclear threat
1973 passenger and bag screening
2001 post-September 11: slow and long lines
2006 3-1-1
2009 underwear scans

Use the airline model: “if you look to the air travel industry, obsessive about safety and security”

“Think about what you can take back from this to our offices…try to drive a culture where security gets prioritization it deserves.”

Cryptographer Panel

Moxie
Paul
Whit
Adi
Ron

Interesting year

Ron
– elections interest. central to democracy. crit infra.
– spectre attack

Adi
– lack of precision in research. crypto has theorems/proofs. no cyber equivalent. need quantitative

Whit
– memory of wife, elder of cryptography, partner enthusiasm. everyone loved Mary. Marty’s fondness
– Mayland Doyle. most influential cryptographer at RSA (SIGSALY pivotal to development of cryptography). worked on KI-1. designed crypto for KY-3 used for 30 years. KG-30 designed, long-cycle decrypters.

Paul
– performance security tradeoffs. security gains have equalized with performance

Moxie
– shift in perception of technology. connecting the world no longer utopian. cyber now seen as weapons not connecting

Bitcoin

Adi
– pronounce differently

Whit
– spell differently

Ron
– hashing for crypto far greater than for security

Whit
– space heaters based on crypto, amortized cost of hashing

Blockchains

Ron
– not pixie dust. interesting decentralized, public, immutable. fail at scale, throughput and latency
– really bad for voting because centralized and secretive. electronic database doesn’t allow verification by voters. paper is better choice

Adi
– overhyped. post-quantum world ensure security of digital signatures. 50 years valid guarantee of digital signatures. generated today before quantum computers available. doesn’t matter if new tech comes, show early generation of signature

Whit
– when you don’t have to have secrets you shouldn’t

Paul
– commercial applications

Moxie
– distributed nature is valuable, not many applications of that in real world. consumers see as zero value. distributed systems tend not to work. like P2P craze of 2000s

Quantum compute

Adi
– Microsoft talk, prediction of his boss. first qubit by end of year. computer in five years. distanced self from prediction.
– 82 proposals, 64 remain. three main groups. 26 proposals based on lattice. 19 based on coding theory. 9 based on multivariate. 3 based on hash-based. all schemes had to be nailed-down, fully specified. surprised by speed. most few milliseconds. some hundreds of microseconds. key sizes 1 and 10 kbytes.

Ron
– how many came from proofs?

Adi
– proofs were fairly weak. NIST will have hard time within three years professing a winner. took 15 years for RSA to be accepted. took 15 years for elliptic (1985 to 2000s). hard to design and tricky. fortunately one suggestion time-tested. post-quantum RSA

Whit and Adi get into a fight

Paul
– don’t omit looking for hash-based solutions for digital signatures

Adi
– NIST will choose one of the hash-based because evaluated a long time
– only incremental progress on computers, long away from something that will break crypto

Adi
– would accept improvement in any area. instead, silence

System level bypass

Paul
– found old presentation and noticed the exploit. noticed google had done same. found twice within a few months.
– who can fix hardware in process, who can notify? press leaks ended up in panic end to embargo. decision was made to release early. failed twice with embargo. need ethicists to create a roadmap

Adi
– worried we get to point massive amount of processors would be bricked. huge disaster

Paul
– we have a huge mess. guidance is instructions on all your paths. slow and tools don’t exist. lots of work to be done.
– in context lots of bugs. hardware bug doesn’t change aggregate issues

Ron
– hard to avoid leakage on shared systems

Paul
– we have to start bifurcating and dedicating hardware
– build systems with primary security objective

Apple iCloud hosting in China, with keys there

Adi
– not exceptional when everyone has access

Paul
– China in for surprise when their data gets hacked. won’t end well

Ron
– EU commission report in favor of strong encryption. back doors bad for security, as well as privacy

Moxie
– it’s easier to say i can’t instead of i won’t. hard to resist

Broader implications beyond China

Ron
– FBI wants access, but they didn’t try very hard to get into SB phones

Paul
– idea that you suck up all the data to make sense of it. these kinds of processes create risk by putting tools/data in one place. corporate level trade-offs easy to see. nation-wide scary

Adi
– telegram told give keys to russia. refused. telegram became illegal. banning schemes they don’t have master key for

Moxie
– easier to say i can’t than i won’t. if design without key, then can’t give

Facebook

Paul
– wasn’t in their interest to protect our data. risks we incur are not us. facebook made decision to hurt users. didn’t build system to protect users. companies that benefit won’t help

Whit
– economics. more money means weaker processors. same for databases

Paul
– Bain conclusions on cost to society

Moxie
– Facebook is the Exxon of our time. indispensable tool everyone despises. as much as everyone hates Exxon, dumps oil in ocean. Exxon is civilization and Facebook is the Internet. Facebook going through Exxon moment and people thinking better tech investment time

Adi
– EU fines for GDPR huge (4%). plan B of EU to tax american companies (couldn’t get it one way, so get it other way).
– interesting issues there. look into it because can impact

Moxie
– GDPR can entrench monopoly. good for them because refuse service if don’t consent, but they’re the internet

Adi
– goes beyond. privacy by design, default, mandatory encryption, right to erasure

Silver Linings in Cloud of Security

Ron
– we’re in era we feel attackers are winning. where are they focusing, what will we defend. 2/3 people on paper ballots. voting the hard way is the silver lining

Adi
– moving at high velocity. didn’t mention forward or backward. silver lining is our job security guaranteed

Whit
– don’t have to find new job

Paul
– band on the titanic is small silver lining. complexity growth will lose us the battle. better hardware is optimistic. more things than just crypto being robust. make a chip of low-chance of buggy

Moxie
– privacy and crypto tech less about shards of info, more like infrastructure for the world we want

To Cyber or Not to Cyber…That is the RSAC Talk Analysis

I don’t know where you are, but the data analysis of the RSA Conference by the prestigious Cyentia Institute is amazing. They wrote algorithms to tell us what the “most important” talks are each year from 25 years of security conference data, and illustrate our industry’s trend over time. Who can forget “A top 10 topic in 2009 was PDAs”?

This is the slide that made everyone laugh, of course:

Trends going up? GDPR, Ransomware, Financial Gain and Extortion. Big Data exploded upward and then trended down over the last five years.

Trends going down? BYOD, SOX, GRC, Hacktivism, Targeted Attack, Endpoint, Mobile Device, Audit, PCI-DSS, APT, Spam…

Endpoint going down is fascinating, given how a current ex-McAfee Marketing Executive war is going full-bore. RSAC 2018 Expo Protip: people working inside Crowdstrike and Cylance are hinting on the show floor how unhappy they are with noise made about a high-bar of attribution to threat actors given their actual product low-bar performance and value.

That’s just a pro doing qualitative sampling, though. Who knows how reliable sources are, so consider as well the implication of qualitative analysis.

Some cyber companies talk threat actor in the way that Lockheed Martin talks when they want to sell you their latest bomb technology. Is that bomb effective? Depends how and what we measure. Ask me about 1968 OP IGLOO WHITE spending $1B/year on technology based on threat actor discussions almost exactly like those we see in the ex-McAfee Marketing Executive company booths…

RSA Conference 2018: Fun Telco History in SF

Welcome to SF everyone! As the RSA Conference week begins, which really is a cluster of hundreds of security conferences running simultaneously for over 40,000 people converging from around the world, I sometimes get asked for local curiosities.

As a historian I feel the pull towards the past, and this year is no exception. Here are three fine examples from hundreds of interesting security landmarks in SF.

Chinese Telephone Exchange

During a period of rampant xenophobia in America, as European immigrants were committing acts of mass murder (e.g. Deep Creek, Rock Springs) against Asian immigrants, a Chinese switchboard in 1887 came to life in SF (just before the Scott Act). By 1901 it moved into a 3-tier building at 743 Washington Street. Here’s a little context for how and why the Chinese Telephone Exchange was separated from other telephone services:

Today when you visit Chinatown in SF you may notice free tea tastings are all around. This is a distant reminder of life 100 years ago, even for visitors to the Chinese Telephone Exchange, as a San Francisco Examiner report describes in 1901:

Tea and tobacco are always served to visitors, a compliment of hospitality without which no Chinese business transaction is complete

At its peak of operation about 40 women memorized the names and switching algorithms for 1,500 lines in five dialects of Chinese, as well as English of course. Rather than use numbers, callers would ask to be connected to a person by name.

The service switched over 13,000 connections per day until it closed in 1949. Initially only men were hired, although after the 1906 earthquake only women were. Any guesses as to why? An Examiner reporter in 1901 again gives context, explaining that men used anti-competitive practices to make women too expensive to hire:

The Chinese telephone company was to put in girl operators when the exchange was refitted, and doubtless it will be done eventually. The company prefers women operators for many reasons, chiefly on account of good temper.

But when the company found that girls would be unobtainable unless they were purchased outright, and that it would be necessary to keep a platoon of armed men to guard them, to say nothing of an official chaperon to look after the proprieties, the idea of girl operators was abandoned.

“They come too high,” remarks the facetious general manager, “but in the next century we’ll be able to afford them, for girls will be cheaper then.”

Pacific Telephone Building

One of the first really tall developments in SF, which towered above the skyline (so tall it was used to fly weather warning flags and lights) for the next 40 years, was the Pacific Telephone office. At 140 Montgomery Street, PacTel poured $4 million into their flagship office building for 2,000 women to handle the explosive growth of telephone switching services (a far cry from the 40 mentioned above at 743 Washington Street).

By 1928, the year after 140 New Montgomery was completed, the San Francisco Examiner declared “with clay from a hole in the ground in Lincoln, California, the modern city of San Francisco has come.”

It was modeled after a Gottlieb Eliel Saarinen design that lost a Chicago competition, and came to life because of the infamous local architect Timothy Pflueger. Pflueger never went to college yet left us a number of iconic buildings such as Olympic Club, Castro Theater, Alhambra Theater, and perhaps most notably for locals, a series of beautiful cocktail lounges created in the prohibition years.

AT&T Wiretap

Fast-forward to today and there are several windowless tall buildings scattered about the city, filled with automated switches connecting the city’s copper and fiber. One of particular note is 611 Folsom Street, near the latest boom in startups.

Unlike the many years of American history where telco staff would regularly moonlight by working for the police, this building gained attention for a retired member of staff who disclosed his surprise and disgust that President Bush had set up surreptitious multi-gigabit taps on telco peering links.

“What the heck is the NSA doing here?” Mark Klein, a former AT&T technician, said he asked himself.

A year or so later, he stumbled upon documents that, he said, nearly caused him to fall out of his chair. The documents, he said, show that the NSA gained access to massive amounts of e-mail and search and other Internet records of more than a dozen global and regional telecommunications providers. AT&T allowed the agency to hook into its network at a facility in San Francisco and, according to Klein, many of the other telecom companies probably knew nothing about it.

[…]

The job entailed building a “secret room” in an AT&T office 10 blocks away, he said. By coincidence, in October 2003, Klein was transferred to that office and assigned to the Internet room. He asked a technician there about the secret room on the 6th floor, and the technician told him it was connected to the Internet room a floor above. The technician, who was about to retire, handed him some wiring diagrams.

“That was my ‘aha!’ moment,” Klein said. “They’re sending the entire Internet to the secret room.”

[…]

Klein was last in Washington in 1969, to take part in an antiwar protest. Now, he said with a chuckle, he’s here in a gray suit as a lobbyist.

In some sense we’ve come a long way since 1887, tempting us to look at how different things are from technological change, and yet in other ways things haven’t moved very far at all.