Documentation of the Red Terror

Official records of the Derg in Ethiopia now are being archived at the Ethiopian Red Terror Documentation and Research Center (ERTDRC) by the University of North Dakota (UND) Center for Human Rights and Genocide Studies (CHRGS).

The BBC explains the significance of the archive.

Ethiopia’s obsessive bureaucracy meant that everything was documented. Every arrest, every execution, every act of torture was authorised, signed for and rubber-stamped – and every piece of paper was filed away and kept.

At the time it meant that the officials “covered their backs”.

If any of their acts was queried, they could prove someone else had authorised them to do it.

But in the last days of the military regime, when it was threatened by rebels advancing on the capital, no-one seems to have made any attempt to destroy these incriminating papers.

Parental Computing

I love reading the Atlantic. I have a vivid memory of it from 1987 when I was glued to Robert Kaplan’s in-depth report on the seeds of the Eritrean fight for independence from Ethiopia (I think it was called Surrender or Starve: the Wars Behind the Famine). His words were a major factor in my decision to focus undergraduate and graduate work on the security of the Horn of Africa. Here’s an excerpt from his 1988 report called The African Killing Fields, published in the Washington Monthly:

…disturbing was the ambivalence of President Reagan on this important issue. What communists were doing in Ethiopia was far more horrible than what communists were doing in Angola or Nicaragua. But while other administration officials frequently criticized the regime in the strongest possible terms, President Reagan himself was practically silent.

A communist regime brutally uprooted its own citizens against their will, forcibly separating hundreds of thousands from their families and killing tens of thousands through deliberate mistreatment. But the impact of this cataclysm on the media, a conservative White House, and the American public was minimal.

Rather than a catastrophe, the famine was a godsend for this regime.

Castro and Mengistu
An AFP photo of Fidel Castro and Mengistu Haile Mariam, from the BBC

It still amazes me to this day how few people realize that it was an army of 300,000 active troops on the high plains backed by Soviet and Cuban advisors and technology that failed to defeat the EPRDF rebels (associated with the EPLF, TPLF, EPDM and OPDO). Even fewer realize almost half the EPLF troops (in a conservative, patriarchal Islamic area) were women.

Now when the US military, current advisors to the Ethiopian Army, watch venerable Soviet T-55 tanks roll into Somalia it makes me curious all over again about the role of authority in the region. Anyway, the Atlantic reporters have delivered some fantastic analysis and been a great source of inspiration.

With that in mind I found a recent technology post by a senior editor amusing but sorely lacking in analysis. He titled it “The Cloud’s My-Mom-Cleaned-My-Room Problem”:

…the freedom of usage that defined personal computing does not extend to the world of parental computing. This isn’t a bug in the way that cloud services work. It is a feature. What we lose in freedom we gain in convenience. Maybe the tradeoff is worth it. Or maybe it’s something that just happened to us, which we’ll regret when we realize the privacy, security, and autonomy we’ve given up to sync our documents and correspondence across computers.

I don’t see the same conclusion at all.

The author settles with one extremely narrow, perhaps even rare, ideal of parental authority and stretches it into a simile for cloud computing. Authority is an element of any relationship; but what is the probability that all cloud providers will choose to be like a parent who cleans your room? The author fails to assert why this is the only outcome or definition of parental computing.

This is not to say parental computing is a bad simile as far as authority goes (it’s bad for other reasons), but simply to state the obvious that parental styles are diverse — not all parents are authoritarian or even authoritative. It seems entirely possible for cloud computing to be based on a permissive parent computing or uninvolved parent computing model. The freedom of personal computing therefore easily could extend into a world we would call parental computing.

Water-bottles as light source

There seems to be some kind of buzz around a story on water-bottles as a light source. The past couple of days it’s been mentioned numerous times. The story I heard first was from Brazil. This video was posted in May 2008:

Then in 2009 or 2010 I heard about it in Africa. Apparently the new story is from Indonesia, in an advertisement.

It’s a great story of finding efficiencies on several levels. It reminds me of the large tubes of water in some high-end solar homes that connect to the roof and not only light a room but heat it as well. They are more than just sun tunnels but actual vertical columns of water that run floor to ceiling in a room and radiate energy. Of course I can’t find any images of one right now…need some buzz to get them to appear again. Maybe the water-bottles will help.

Clean Water Using Banana Peels

Impressive work by Brazilian scientists. They first noted that banana peels have elements useful in water filtration systems. So they made a filter from minced peel and measured the effect on river water, which showed a local solution from an abundant waste product can significantly reduce the risks from lead and copper.

Minced banana peel was applied in the preconcentration system and showed approximately 20-fold enrichment factor and the column was reused for 11 cycles without loss in the percentage of recovery. The proposed method was applied in the determination of Cu(II) and Pb(II) in a sample of raw river water and was validated by comparison with a standard reference material.

This reminds me of how an Ethiopian figured out how to wipe out the Rinderpest virus. The most successful controls are adaptable to human and environmental variation, not to mention inexpensive.

The method used to test and eliminate the virus had to be administered locally, which meant under uncontrolled environmental conditions by non-professionals.

CBC Attack on TLS 1.0

Nice summary by Adam Langley:

Thai Duong and Juliano Rizzo today demoed an attack against TLS 1.0’s use of cipher block chaining (CBC) in a browser environment. The authors contacted browser vendors several months ago about this and so, in order not to preempt their demo, I haven’t discussed any details until now.

Contrary to several press reports, Duong and Rizzo have not found, nor do they claim, any new flaws in TLS. They have shown a concrete proof of concept for a flaw in CBC that, sadly, has a long history. Early reports of the problem date back nearly ten years ago and Bard published two papers detailing the problem.

The problem has been fixed in TLS 1.1 and a workaround for SSL 3.0 and TLS 1.0 is known, so why is this still an issue?

Bottom line: the researchers have demonstrated elements of a long-known theoretical flaw in block ciphers used in CBC mode (stream ciphers like RC4 are not affected), but their method is still harder to mount than other, more common attacks.
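As an added illustration, not code from Langley’s post or from the researchers: a toy model of the TLS 1.0 record layer showing why the IV of the next record is predictable when it is chained from the previous ciphertext block, and how the known 1/n-1 record-splitting workaround denies that predictability. The Feistel block function is a constructed stand-in for AES.

```python
import hashlib

BLOCK = 16  # block length in bytes, as for AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    # Constructed 4-round Feistel permutation standing in for AES; CBC
    # chaining only needs an invertible 16-byte block function here.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def tls_pad(data):
    # TLS-style padding: n bytes of value n followed by the length byte n.
    n = BLOCK - (len(data) + 1) % BLOCK
    return data + bytes([n]) * (n + 1)

class Tls10Sender:
    """TLS 1.0 record layer: the IV of every record is the last ciphertext
    block of the previous record, so it is already visible on the wire
    before the next plaintext is chosen (fixed in TLS 1.1 by an explicit
    random IV per record)."""

    def __init__(self, key, iv, split=False):
        self.key, self.next_iv, self.split = key, iv, split

    def send(self, app_data):
        # 1/n-1 workaround: a one-byte record goes out first, and its
        # ciphertext becomes the IV of the real record; that IV cannot be
        # known until the one-byte record has actually been encrypted.
        parts = [app_data[:1], app_data[1:]] if self.split else [app_data]
        records = []
        for part in parts:
            ct = cbc_encrypt(self.key, self.next_iv, tls_pad(part))
            self.next_iv = ct[-BLOCK:]
            records.append(ct)
        return records
```

Without the split, `next_iv` after each `send` is simply the tail of the ciphertext just observed; with it, the IV under which the real data is encrypted only comes into existence once the one-byte record has been committed.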

FreshBooks to customers: “probably don’t want to use us”

You may remember the huge kerfuffle that Rackspace caused among the security community last year. Alison Gianotto, also known for cranky haikus, captured the essence of the problems in an open letter to Rackspace Hosting.

And thanks to your logfiles not being able to be viewed in real time (as they are owned by root), this leaves web developers that actually have a clue very few options for forensically backtracking the vector.

I would like to know what Rackspace is doing to help developers isolate these issues? Are logfiles being programmatically reviewed for malicious traffic? Without SSH access and the ability to tail apache logs, we cannot do this ourselves within any kind of timeframe that will be useful in preventing or mitigating an attack. If I am going to continue hosting with Rackspace, I want to be assured that Rackspace is actually doing something to help us protect ourselves other than send emails that overstate the obvious.

Your support staff, at least most of the level 1 techs, are completely and utterly incapable of handling anything relating to hacks. They are slow and under-educated, regardless of how well meaning they might be.

Lack of transparency and lack of talent. Harsh words, but they come straight to the point: trust in a provider will only get you so far before you need to step in and verify that it has the security capabilities you need.

I bring this up as FreshBooks recently spammed me with a “we’re secure” message, which created the following thread with a comical ending. First, here’s the excerpt from their message that caught my attention.

We want you to save time every month by using FreshBooks so you can focus on what you love to do. […] If you…need a nudge, here are some nuggets:

If you’re thinking: “I don’t know if my data is safe on the cloud”

We’d suggest: FreshBooks takes extra steps to ensure your data is kept secure. Having your data in the cloud makes sure it’s always safe and accessible (from anywhere).

Ok, well done. I’m paying attention to a message I would have otherwise tossed into the spam bucket. I wrote a quick reply.

My concern is with security/compliance. What are the extra steps?

I received a response from someone with this signature:

xxxxxx from FreshBooks
(very) Small Business Consultant

I suspect the “(very)” is supposed to be humorous. It would be much more humorous if they put “non-VIP”, “n00b” or perhaps even “peasant” in their sig to reinforce a lack of support I should expect. Howdy, I have been assigned to your really tiny and unimportant issues. Now, how may I be of (very little) help? Hilarious.

Here is the actual response they sent me:

I’m not sure I understand. Extra steps to what, exactly? Are you talking about PCI compliance, or the security we have on our servers, or?

Yes, I actually was talking about or. What are the extra steps to or? But that is not what I responded. Instead I simply wrote the following reply to try to get back to their original statement in the email they sent me:

Hi, I was just quoting your email message. I don’t know what steps you meant.

That seemed to help, as they then sent back the following response with URLs:

Ah, I understand. You can see our security measures here: http://www.freshbooks.com/security-safeguards.php

We also use RackSpace for our server hosting, and you can see their info here: http://www.rackspace.com/

I hope this helps! Let me know if there is anything else I can help with :)

The Rackspace URL is the generic front page. Not a good sign, per the start of this post. I asked about extra steps. So I dug into the FreshBooks security page, and it raised far more questions than answers. Here are some examples:

Any unusual behaviour is analyzed by AlertLogic’s CISSP-certified security experts, and responses are coordinated between them, Rackspace, and our system administration team.

Odd. They hold up the CISSP as a qualification for monitoring network traffic? I find that discouraging — indicates a lack of understanding about both the CISSP certification and network monitoring. Responses are coordinated by their system administration team, which suggests no security team. That would explain why they have to delegate. Still looking for the extra steps.

Particularly sensitive information – credit card numbers, bank account information, and your payment gateway account details – are encrypted in our database using AES.

Who gets the keys? How are keys set up and managed? Nothing extra here either. So little information on such a critical issue reads like a Dropbox catastrophe just waiting to happen. Speaking of lessons learned, I then read this section:

FreshBooks has chosen Rackspace for our hosting needs. With clients like General Electric, Hershey, Cisco, Pfizer, EMI Music, Scott’s, Hilton, Sony Music, Columbia House and the US Marines, we know Rackspace provides the hardware, service and expertise you expect.

What are the chances that FreshBooks is going to be able to get good customer support/service while stuck behind a list of giants like Sony who are probably taking up every minute of Rackspace support time during their breaches?

And what are the chances that FreshBooks will be adequately protected from a mess like Sony? Have they verified segmentation? Transparency comes directly to mind. So, of course, I had to ask for clarification again but by this point I confess I was losing patience in finding any extra steps, which their original spam promised me.

your page does not mention compliance standards or third party assessments. are there any? CISSP-certification does not mean anything for analysis of vulnerabilities or threats. it is a general knowledge test, like a bachelor degree does not mean you are qualified to be a doctor.

rackspace disallows physical audits of their datacenter. how do you verify their security? the list of their clients only means you are all going to be competing for lifeboats when that ship sinks, not that it is well run. have you had any audits of your equipment there?

Then came the reply, short and to the point, which confirmed to me that there are no extra steps. I could even make the case that their security page is lacking important details and so they are in fact missing steps. They delegate their security and they simply hope that you will too. Here is their reply:

I spoke to my IT team about your questions, and I’ll quote a response: “If they don’t trust RackSpace, then they probably don’t want to use us”.

Doesn’t look like we’ll be the right fit for you. Better to find out earlier than later :)

Good thing I asked. Thought others might want to know. And with a nod to Alison Gianotto, here is my cranky haiku:

Freshbooks to Davi;
Security extra steps
can’t be verified

Update: An old video has surfaced that shows a trivial exploit of FreshBooks. The attacker logs in as a client who received an invoice and then deletes the invoice simply by changing the SetAction “print” command to “delete” in their browser.

L’envol

A new poetic video, filmed at the door of the desert, is called “L’envol” or “The Flight”. An advertisement for Air France, it prompts the viewer to reflect on trust and risk.

Suchablog gives credit to French choreographer Angelin Preljocaj, of the ballet “Le Parc” (“inspired by the story of a woman’s resistance to love”). The dancers on a 400 sq meter mirror in the cold are Benjamin Millepied and Virginie Caussin. Stéphane Fontaine was the photographer. The music is an adagio of the concerto No. 23 for piano by Mozart, performed by “Les Siècles” Symphony Orchestra featuring pianist Vanessa Wagner, conducted by François-Xavier Roth.

PCI DSS drops ATM fraud 90% in Nigeria

At the RSA Conference in 2009 I presented “Top Threats to Personally Identifiable Information” for SafeNet, where I attempted to prove from breach data that PCI DSS was having a tangible positive effect. My charts illustrated that despite an overall rise in breaches, a filter for PCI DSS revealed a decline for industries adopting prescriptive compliance controls.

It was a tough illustration because of so many moving parts and the quality of data. My prediction that overall breaches would go down, because they already were going down in specific areas, was fun to try and prove. Yet everyone seemed to ask for more data on the biggest breaches instead of analysis of the overall trends. That is how my following presentations turned into the popular series called “Top 10 Breaches“.

Well, that’s not entirely the case. Each time I ran into Robert Hansen (RSnake) he asked for updates on the overall breach trend analysis. He kept reminding me that more people needed to see my contrariness. So credit goes to him for encouraging me to update the analysis and data for a presentation called “Message in a Bottle” for MetriCon. Unfortunately the MetriCon presentation did not happen. It feels like it might be time to dust it off. This week I ran into an interesting update from Nigeria.

The Central Bank of Nigeria (CBN) announced six months ago that it was increasing compliance controls based on PCI DSS to combat financial fraud:

…due to the failure of the nation’s banks to obey the CBN’s ATM regulatory framework and ensure compliance with these rules the apex bank rolled out penalties for non compliance with Payment Card Industry Data Security Standards (PCIDSS)

Modest fines were linked to the presence of audit trails and timeliness of response:

…an ATM deployer would be made to refund the full amount involved in any fraud perpetrated on its ATM for failure to provide video recordings on the disputed transaction when required.

It pointed out that failure to respond to the customer or to the CBN on ATM complaints within 72 hours would attract a fine of N50, 000 [USD$300] per day for each complaint after the 72 hours until the response is received, adding that failure to resolve any ATM dispute with evidence of resolution within 14 days, would result in the deployer refunding the total amount involved in the fraud.

Similarly, the CBN stated that non-compliance with migration to EMV after September 30, 2010, will attract a fine of N50, 000 and the issuer will bear full liability for any fraud perpetrated with the magnetic-stripe card, adding that failure to provide audit trails and journals for ATM transactions would attract a fine of N50, 000 per week.

It further stated that for non-compliance with Payment Card Industry Data Security Standards (PCIDSS), a fine of N50, 000 per week will apply to the defaulter until compliance is established. It, however, said that non-compliance of ATM terminals with EMV levels 1 and 2, would attract a fine of N50, 000 and temporary suspension of the affected terminal unit until compliance is established.

Then, just this past week, the CBN reported that its compliance program has had a dramatic effect on ATM fraud:

The Central Bank of Nigeria has said that the banking sector was on the way to recovery as banks’ Automated Teller Machine (ATM) frauds reduced by 90 per cent.

The governor of the apex bank and chairman, Steering Committee on Financial System Strategy 2020(FSS2020), Mallam Sanusi Lamido Sanusi, made this known on Wednesday in Abuja at the opening of the Strategy Execution Master Class of the FSS 2020.

In the banking sector, he said there had been a drastic drop in the level of non-performing loans adding that there had been structured growth of banks in the areas of capitalisation, capital adequacy and liquidity ratio.

They have not yet released data points to support this news. I am a skeptical believer and wonder how such a profound change can be extrapolated to the future from such a short time. It was announced with a suspicious amount of confidence. There must be more to the story than meets the eye. I can’t wait to see the numbers and roll them into the global data I collect for analysis of the trends and effects of compliance.
