Category Archives: Security

This Day in History: 1812 Luddites Attack to Save Society From Itself

“Luddites confined their attacks to manufacturers who used machines in what they called ‘a fraudulent and deceitful manner’ to get around standard labor practices. ‘They just wanted machines that made high-quality goods and they wanted these machines to be run by workers who had gone through an apprenticeship and got paid decent wages. Those were their only concerns.’ The British authorities responded by deploying armed soldiers to crush the protests.” Source: Smithsonian Magazine, 2011

People often incorrectly brand Luddites. The followers of a man named Ludd were very much in favor of proper and skilled (ethical) use of technology. But that’s not often what people mean when they invoke the Luddites.

Luddite advocacy was undermined by fraudulent counter-claims (their opponents framed any ethical regulation of technology at all as an outright ban on its use), which in turn was used to justify armed aggression by private and government forces.

So why exactly were Luddites protesting for safety in technology and why were they shamelessly murdered for it?

On this day in 1812 a group of a hundred or more (some say thousands) Luddites near Manchester attempted to enter Burton’s Mill as a peaceful protest. Armed guards of the mill as well as British soldiers fired live rounds into the crowd, killing up to a dozen people.

Hopefully someday soon this unfair chapter in history will stand corrected, and the Luddites’ cause cleared.

It is still a very common misconception, and it is easy to find people unfortunately saying Luddites were opposed to technology.

They were not.

Sites like the Smithsonian have tried to clarify, yet obviously more still needs to be said.

The label now has many meanings, but when the group protested 200 years ago, technology wasn’t really the enemy.

Technology was not the enemy of Luddites!

Perhaps it helps if I put it like this. To say Luddites were anti-technology is like saying Robin Hood was anti-technology. Could anyone say “Robin Hood really hated the bow and arrow”?

No. That makes no sense, yet Robin Hood in fact has a lot in common with the Luddites. His story is about a moralist’s use of the bow and arrow, the disruptive technology of his day (its decisive power was later proven at the 1415 Battle of Agincourt).

Robin Hood was a folk hero who popularly protested elites misusing technology to exploit the larger population.

Like the legend of Robin Hood, the populist character of Ned Ludd rose out of the very same Sherwood Forest area of Nottingham. He also represented the fight for morality in the use of technology; Luddites demanded that quality and expertise be valued in technology above exploitation.

“It has been said that more British soldiers were fighting the Luddites than were fighting Napoleon on the Iberian Peninsula.” Source: Working Class Movement Library

The Luddites therefore were latter-day Robin Hood adherents: experts in the technology who objected to machinery owners doing things known to increase the death and suffering of workers.

The Wailers wrote a more modern version of the lament into their 1970s lyrics:

Today they say that we are free
Only to be chained in poverty
Good God, I think it’s illiteracy
It’s only a machine that make money.

In some sense, you might say these protests made them hackers of their day, experts at machines while at the same time protesting misuse.

Texts were written about “machine breaking” that emphasized the need for improving safety and quality…

“Machine-Breaking, and the changes occasioned by it in the village of Turvey Down. A tale of the times,” November, 1830

Now think about their opposition. The heavily armed mill owners of the 1800s, targeted by Luddites, were like the Sheriff of Nottingham of Robin Hood’s Sherwood Forest, only 400 years later.

I find some people in tech, at first glance, don’t want to be associated with Luddites. Yet who really wants to be associated instead with a Sheriff of Robin Hood’s time, let alone four centuries afterward, let alone today?

The Sheriff of Nottingham, known for being “completely unsympathetic to the poverty of the town’s people, using immoral ways to collect taxes”

That is to say, in today’s terms, people in technology roles protesting immoral practices (e.g. the industrial dumpster fires of Zoom or Tesla) are… like the Luddites. Those (including myself) who have been calling for Zoom usage to be ended immediately are not rejecting technology — we’re holding it to a higher bar!

Luddites today would thus be the technical champions calling for an end to Zoom’s obviously deceitful and harmful business practices, and for technology made safer for everyone.

Those who have been taught that Luddites didn’t like technology thus have been misled; the entire point of the group was to righteously protest against immoral use of technology (wielded selfishly by owners towards obvious harms).

Even more tragically, people often leave out the fact that Luddites were ruthlessly murdered by factory gunmen and hanged for daring to defend society under a concept of greater good.

In truth, they inflicted less violence than they encountered. In one of the bloodiest incidents, in April 1812, some 2,000 protesters mobbed a mill near Manchester. The owner ordered his men to fire into the crowd, killing at least 3 and wounding 18. Soldiers killed at least 5 more the next day.

Earlier that month, a crowd of about 150 protesters had exchanged gunfire with the defenders of a mill in Yorkshire, and two Luddites died. Soon, Luddites there retaliated by killing a mill owner, who in the thick of the protests had supposedly boasted that he would ride up to his britches in Luddite blood. Three Luddites were hanged for the murder; other courts, often under political pressure, sent many more to the gallows or to exile in Australia before the last such disturbance, in 1816.

At least 8 killed in just one protest. Some estimates are double. But in all cases the government was using overwhelming force.

To be fair, Luddites reportedly also committed violent acts against people, even though that ran counter to their overall goal of social good.

Some claims were made that Luddites intimidated local populations into sheltering and feeding them, similar to charges against Robin Hood. That seems like dubious government propaganda, however, as Luddites were a populist movement and “melting away” was again a sign of popular support rather than violent intimidation tactics.

Indeed, more often there were accounts of Luddites sneaking into factories at night and cleverly taking soldiers’ guns away to destroy only the machines as a form of protest. People were set free and unharmed.

An exception was the case above, where a mill owner “boasted” of murdering Luddites, armed his guards and called in the military. Escalation unfortunately was set on a path where Luddites stepped up their defense and retaliation.

Don’t forget 1812 was a very violent time overall for the British, with tensions rising around inequality (food shortages) and protracted European war (1803–1815), including rising tangles with America over its relations with France.

Prime Minister Spencer Perceval, who was strongly opposed to the Luddites, was assassinated on May 11, 1812 by a merchant named John Bellingham.

Bellingham walked up and shot Perceval point-blank, then calmly sat down on a nearby bench to await his arrest. Conspiracy theories soon circulated, suggesting American merchants and British banks were conspiring to end trade blockades with France.

The War of 1812 with America began a month after the May assassination.

All that being said, if you want to ensure technology improves, and doesn’t just exploit unsuspecting consumers to benefit a privileged few, read more about the populist Luddite as well as Robin Hood stories from Nottingham.

These legends represent disadvantaged groups appealing for justice against a tyranny of elites.

Also, consider how “General Ludd” was, by design, another fiction out of Sherwood Forest.

Here’s a quick Ludd rhyme that was turned into a ticket of entry for meetings.

“This simple stamped ticket with its message showing support for General Ludd would have allowed entrance to one of the local meetings.” Source: Chethams

It was his (and Robin Hood’s) inauthenticity, as the face of a very real populist cause, that made them impossible to kill.

On a remote yet related note, the “Jayhawk” was a mythical Irish bird that became the mascot of abolitionist militias in Kansas (and today is still the mascot of Kansas University)

The legend of Ludd kept “his” cause of justice alive despite overwhelming oppositional military forces. Allegedly British authorities invoked “posse comitatus” (it’s a thing Sheriffs are known to do) and deployed more military soldiers domestically to stop Luddites than during war with Napoleon.

Nottingham took on the appearance of a wartime garrison… authorities estimated the number of rioters at 3,000, but at any one time, no more than 30 would gather…

In American history we have similar heroes, such as the inauthentic yet also real General Tubman. She fought plantation owners in the same sense that Ludd fought mill owners; targeting the immoral use of machinery. The cotton engine (cotton ‘gin) was a machine invented to end slavery (by Catherine Greene), yet its IP was stolen and turned into a reason to expand and perpetuate slavery.

Surely slave owners would have called Tubman an anti-technology radical at war with their manufacturing if they could have made such absurd accusations stick (instead of her being remembered rightly as an American patriot, veteran, abolitionist and human rights champion).

Anonymous Donates Rare Film to Bletchley Park

Codebreakers seen working at Bletchley Park in rare old film reel recently revealed.

Big news from the Park itself:

Dr. David Kenyon, Research Historian at Bletchley Park highlights the rarity of this find: “No other film footage of a site intimately connected with Bletchley Park exists. We don’t know who filmed it and the footage doesn’t give away any state secrets or any clues about the work the people in it are doing. If it fell into the wrong hands, it would have given little away, but for us today, it is an astonishing discovery and important record of one of the most secret and valuable aspects of Bletchley Park’s work.”

The reel of wartime footage, preserved in its original canister, has been donated to Bletchley Park by a donor who wishes to remain anonymous.

A five-minute documentary about the film has already been posted to YouTube.

White House Reveals Secret Head of COVID-19 Policy

In a breathtaking move of transparency, the White House has come forward to reveal the head of its COVID-19 policy and response coordination all along.

Behind the scenes, held as a tight secret until now, was the highly decorated and very well known General Buck Turgidson. The General formerly had led efforts to drive the world towards global cyber annihilation.

The American government’s plan to delay its COVID-19 response is now said to have been intentional, pushing the country to the highest death toll in the world within just one month.

Source: Johns Hopkins

Mass casualties were estimated to have the effect of positioning the US government as the most helpless victim, setting up vicious attack campaigns and angry missives against China and the WHO.

Proud of the delays and of the confusion of the American people that led so quickly to tens of thousands killed, the White House also posted the following example of detailed analysis from the General:

Mr. President. I’m not saying we wouldn’t get our hair mussed. But I do say no more than 10 to 20 million killed, tops.

General Buck Turgidson in mid-January, advising White House to wait on #covid19 response and then launch attack campaigns against China and WHO

Simple Illustration of Zoom Encryption Failure

Zoom engineering management practices have been exposed as far below industry standards of safety and product security. They have been doing a terrible job, and it is easy now to explain how and why. Just look at their encryption.

The Citizen Lab April 3rd, 2020 report broke the news on Zoom practicing deception with weak encryption and gave this top-level finding:

Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.

It’s a long report with excellent details, definitely worth reading if you have the time. It even includes the famous electronic codebook (ECB) mode penguin, which illustrates why ECB is considered so broken for confidentiality that nobody should be using it.

Tux

I say famous here because anyone thinking about writing software to use AES surely knows of or has seen this image. It’s from an early 2000s education campaign meant to prevent ECB mode selection.

There’s even an ECB Penguin bot on Twitter that encrypts images with AES-128-ECB that you send it so you can quickly visualize how it fails.

The problem is simply that ECB applies the block cipher to each 16-byte block independently under the same key, so identical plaintext blocks produce identical ciphertext blocks and recognizable patterns survive encryption. It also means that once you learn the plaintext of one block you know the contents of every block with the same ciphertext. So it is manifestly the wrong choice for a stream of data that is meant to be confidential.

However, while Citizen Lab included the core image to illustrate this failure, they left out the crucial third frame on the right: the same image encrypted in a mode that chains or randomizes blocks, which comes out as uniform noise. That frame drives home what the industry norm looks like compared to Zoom’s unfortunate decision.

The main reason this Linux penguin image became famous in encryption circles is because it shows huge weakness faster than trying to explain ECB cracking. It makes it obvious why Zoom really screwed up.

Now, just for fun, I’ll still try to explain here the old-fashioned way.

The Advanced Encryption Standard (AES) is the block cipher standardized by the U.S. National Institute of Standards and Technology (NIST) in FIPS 197. On its own it only transforms a single 128-bit block; a mode of operation (ECB, CBC, GCM and so on) defines how a longer message is handled, and that choice is where Zoom went wrong.

Here’s our confidential message that nobody should see:

zoom

Here’s our secret (passphrase/password) we will use to generate a key:

whywouldyouuseECB

Converting the passphrase from ASCII to hex is only a change of representation, not a key derivation, but it shows the sizes involved: the first 16 bytes (the passphrase is 17 characters, so the trailing B is dropped) make one 128-bit block, written as 32 hex characters:

77 68 79 77 6f 75 6c 64 79 6f 75 75 73 65 45 43

Instead we hash the passphrase with SHA-256 to get ourselves a “strong” key (used here as another example of a poor decision: an unsalted hash is cheap to precompute and gives every user of the same passphrase the same key, which is why PBKDF2 or a similar salted, iterated derivation is the far safer way to generate an AES key). The digest is 32 bytes, of which an AES-128 key uses only the first 16:

cbc406369f3d59ca1cc1115e726cac59d646f7fada1805db44dfc0a684b235c4
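The aside above says the unsalted hash is a poor decision and names PBKDF2 as the safer choice. Here is the difference as an added example (my code, not from the page or from Zoom): the naive shortcut next to a from-scratch PBKDF2-HMAC-SHA-256 (RFC 8018, section 5.2) that takes a per-key random salt, an iteration count and an explicit key length. The function names, the iteration count and the OWASP reference in the comments are assumptions of this example; a real project should call a vetted library rather than ship this.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// NaiveKey is the page's shortcut: an unsalted SHA-256 of the passphrase,
// cut to keyLen bytes. The same passphrase yields the same key for every
// user, every time, and costs an attacker exactly one hash per guess.
func NaiveKey(passphrase string, keyLen int) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:keyLen]
}

// PBKDF2SHA256 is PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA-256 as the
// PRF, written out to show the mechanics. In production call a vetted
// library (golang.org/x/crypto/pbkdf2, or argon2 for new designs) instead.
func PBKDF2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	nBlocks := (keyLen + hLen - 1) / hLen
	dk := make([]byte, 0, nBlocks*hLen)
	var idx [4]byte
	for i := 1; i <= nBlocks; i++ {
		// U_1 = PRF(P, S || INT_32_BE(i))
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(P, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// DeriveAESKey is the sane shape for this page's scenario: a fresh random
// salt per key (not secret; stored or sent next to the ciphertext), a work
// factor, and an explicit key length (16 bytes for AES-128, 32 for AES-256).
// The iteration count is an assumption taken from OWASP's 2023 guidance.
func DeriveAESKey(passphrase string, salt []byte, keyLen int) []byte {
	const iterations = 600_000
	return PBKDF2SHA256([]byte(passphrase), salt, iterations, keyLen)
}

func main() {
	const passphrase = "whywouldyouuseECB" // the page's passphrase
	salt := make([]byte, 16)
	rand.Read(salt)
	fmt.Println("naive SHA-256 key (AES-128):", hex.EncodeToString(NaiveKey(passphrase, 16)))
	fmt.Println("salt:                       ", hex.EncodeToString(salt))
	fmt.Println("PBKDF2 key (AES-256):       ", hex.EncodeToString(DeriveAESKey(passphrase, salt, 32)))
}
```

Run it twice: the naive key is identical both times, the PBKDF2 key changes with the salt, and an attacker who captured one ciphertext cannot reuse work done against another user with the same passphrase.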

We then take our plaintext “zoom” and use our key to generate the following ciphertext blocks (the AES block size is always 128 bits, 32 hex characters, regardless of key size; AES-256 just means a 256-bit key):

a53d9e8a03c9627d2f0e1c88922b7f3f
ad850495b0fc5e2f0c7b0bf06fdf5aad
ad850495b0fc5e2f0c7b0bf06fdf5aad

b3a9589b68698d4718236c4bf3658412

I’ve kept the 128-bit blocks separate above, with the middle two set apart, because you can see exactly how the repeated letter in “zoom” is reflected by two identical ciphertext blocks. (Each character was padded out to its own 16-byte block here so the repeat shows at this tiny size; in real traffic the same leak appears whenever any 16-byte block of plaintext repeats, for example in unchanging regions of raw video.)

It’s not as obvious as the penguin, but you still kind of see the point, right?

If we string these blocks together, as if sending over a network, to the human eye it is deceptively random-looking, like this:

a53d9e8a03c9627d2f0e1c88922b7f3fad850495b0fc5e2f0c7b0bf06fdf5aadad850495b0fc5e2f0c7b0bf06fdf5aadb3a9589b68698d4718236c4bf3658412

Using the key to decrypt the stream, we see our confidential content padded out into uniformly sized blocks:

z***************o***************o***************m

You probably also noticed at this point that if anyone grabs our string they can replay it: ECB has no per-message nonce and no integrity check. Worse, because every block stands alone, an attacker can also reorder, delete or substitute individual 16-byte blocks and the receiver will decrypt the result without complaint. Replay is a problem for any unauthenticated mode; the silent block cut-and-paste is ECB’s own speciality.
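The walk-through above as runnable code, added here as an example (not Zoom’s code and not from the Citizen Lab report): it derives the key the way the page does (SHA-256 of the passphrase, first 16 bytes for AES-128), pads each character of “zoom” to its own 16-byte block, encrypts with AES-128-ECB and counts the repeated blocks, shows the block cut-and-paste that ECB silently accepts, then does the same under AES-GCM, where the repeats vanish and any reordering is rejected. The passphrase, the “*” padding and the block layout are the page’s; the function names are mine. Whether the hex matches the page’s blocks depends on exactly how the page turned its digest into a key, which it does not say; the pattern is the point.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed input: the page's passphrase (the plaintext is built below).
const passphrase = "whywouldyouuseECB"

// keyFromPassphrase copies the page's shortcut (SHA-256 of the passphrase,
// first 16 bytes = AES-128 key); an unsalted hash is not a sound KDF.
func keyFromPassphrase(p string) []byte {
	sum := sha256.Sum256([]byte(p))
	return sum[:16]
}

// demoPlaintext returns "z", "o", "o", "m", each padded with '*' to 16 bytes,
// the page's trick for making the repeated "o" a repeated block.
func demoPlaintext() []byte {
	var out []byte
	for _, c := range "zoom" {
		out = append(out, byte(c))
		for len(out)%aes.BlockSize != 0 {
			out = append(out, '*')
		}
	}
	return out
}

// ecb IS ECB mode: the raw block cipher applied to each block on its own,
// with no IV, no chaining and no integrity check.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("input length %d is not block aligned", len(in))
	}
	op := block.Encrypt
	if decrypt {
		op = block.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out, nil
}

// duplicateBlocks counts 16-byte blocks that repeat an earlier one: the penguin leak as a number.
func duplicateBlocks(data []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		k := string(data[i : i+aes.BlockSize])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

// swapBlocks returns a copy of ct with blocks a and b exchanged: the cut-and-paste an ECB receiver cannot detect.
func swapBlocks(ct []byte, a, b int) []byte {
	out := append([]byte(nil), ct...)
	copy(out[a*aes.BlockSize:], ct[b*aes.BlockSize:(b+1)*aes.BlockSize])
	copy(out[b*aes.BlockSize:], ct[a*aes.BlockSize:(a+1)*aes.BlockSize])
	return out
}

// gcm returns AES-GCM for the key: a per-message nonce hides repeats and the
// authentication tag rejects reordered, edited or truncated ciphertext.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, pt := keyFromPassphrase(passphrase), demoPlaintext()
	ct, _ := ecb(key, pt, false)
	for i := 0; i < len(ct); i += aes.BlockSize {
		fmt.Printf("ECB block: %x\n", ct[i:i+aes.BlockSize])
	}
	swapped, _ := ecb(key, swapBlocks(ct, 0, 3), true)
	fmt.Printf("ECB: %d repeated block(s); swapped blocks decrypt to %q\n", duplicateBlocks(ct), swapped)
	g, _ := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // never reuse a nonce with the same key
	gct := g.Seal(nil, nonce, pt, nil)
	_, err := g.Open(nil, nonce, swapBlocks(gct, 0, 3), nil)
	fmt.Printf("GCM: %d repeated block(s); swapped blocks rejected: %v\n", duplicateBlocks(gct[:len(pt)]), err != nil)
}
```

The ECB run prints four blocks with the second and third identical and decrypts the swapped stream to “m…o…o…z…” without any error; the GCM run prints zero repeated blocks and refuses the swapped stream. The only code difference between the two halves is the mode, which is the whole argument against Zoom’s choice.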

A key takeaway, pun intended of course, is that Zoom used known weak and undesirable protection by choosing AES-128 ECB. That’s bad.

It is made worse because they told customers it was AES-256; they were not disclosing their actual protection level and were calling it something it is not. That misleads customers, who might run away when they hear AES-128 ECB (as they probably should).

Maybe “run away” is too strong, but I can tell you the cloud providers treat AES-256 as the minimum target (I’ve spent decades eliminating weak cryptography from platforms, and nobody today wants to hear AES-128). At least two “academic” results have been published against AES-128: “key leak and retrieval in cache” and “finding the key four times faster”. A practitioner should keep the two apart: the cache result is a side channel against implementations and applies to any key length, while the speed-up is against the cipher itself and still leaves the key far out of reach. Neither comes close to the damage done by choosing ECB.

And the NSA’s 2015 Commercial National Security Algorithm (CNSA) Suite guidance lists AES-256 as the recommended key size for everything up to top secret information.

On top of all that, Citizen Lab observed Zoom meeting keys being generated by and delivered from servers in China, even for meetings whose participants were all in America and not communicating with anyone in China.

Insert conspiracy theory here: AES-128 was dropped from the NSA’s recommended suite in 2015, ECB has been deemed unsafe for streams by everyone since forever… and then Zoom just oops “accidentally” generates AES-128 ECB keys on Chinese servers for American meetings? Uhhhh.

It’s all a huge mess and part of a larger mismanagement pattern, pun intended of course. Weak confidentiality protections are pervasive in Zoom engineering.

Here are some more examples to round out why I consider it pervasive mismanagement.

Zoom’s “record to cloud” feature put no authentication on recordings by default, so customers were unwittingly posting private videos to a publicly reachable service with no password. Zoom also named recordings with a predictable default scheme, so recordings that users had stored in open Amazon S3 “buckets” could be discovered by searching for that pattern.

Do you know what encrypted video that needs no password is called? Decrypted.

If someone chose to add a password to protect a recorded video, the Zoom cloud allowed only a 10-character password (protip: NIST SP 800-63B says users must be allowed at least 64 characters; 10 is short) and Zoom had no brute-force protection on these short passwords.

They also used no randomness in their meeting IDs, kept them short numbers, and left them exposed permanently on the user interface.

Again, all of this means Zoom fundamentally did not put in the basic work to keep secrets safe and did not apply well-known, industry-standard methods that are decades old. Or to put it another way, it hardly matters that Zoom chose broken, unsafe encryption, routed keys through China and lied about it, when it also basically defaulted to public access for the encrypted content.

Zoom sold you an unsafe barn AND forgot to put doors on. Any reasonable person should be very surprised to find horses inside.

It would be very nice, preferred really, if there were some way to say these engineering decisions were naive or even accidental.

However, there are now two major factors prohibiting that comfortable conclusion.

  1. The first is set in stone: the Zoom CEO was formerly VP of engineering at WebEx after it was acquired by Cisco, and later tried to publicly shame Cisco for still using his “buggy code“. He was well aware of both safe coding practices and the reputational damage from bugs, since he tried to use that as a competitive weapon in direct competition with his former employer.
  2. The second is an entirely new development that validates why and how Zoom ended up where they are today: the CEO announced he will bring on board the ex-CSO of Facebook (now working at Stanford, arguably still for Facebook) to lead a group of CSOs. The last thing Zoom needs (or anyone, for that matter) is twelve CSOs doing steak dinners and golf trips while chatting at the 30,000-foot level about being safe (basically a government lobby group). The CEO needs expert product security managers with their ears to the ground, digging through tickets and seeing detailed customer complaints, integrated deep into the engineering organization. Instead he has announced an appeal-to-authority fallacy (a list of names and associations) with a very political agenda, just like when tobacco companies hired Stanford doctors to tell everyone smoking was safe.

Here’s the garbage post that Zoom made about their future of security, which is little more than boasting about political circles, authority and accolades.

…Chief Security Officer of Facebook, where he led a team charged with understanding and mitigating information security risks for the company’s 2.5 billion users… a contributor to Harvard’s Defending Digital Democracy Project and an advisor to Stanford’s Cybersecurity Policy Program and UC Berkeley’s Center for Long-Term Cybersecurity. He is also a member of the Aspen Institute’s Cyber Security Task Force, the Bay Area CSO Council, and the Council on Foreign Relations. And, he serves on the advisory board to NATO’s Collective Cybersecurity Center of Excellence.

We are thrilled to have Alex on board. He is a fan of our platform…

None of that, not one sentence is a positive sign for customers. It’s no different, as I said above in point two, from tobacco companies laying out a PR campaign that they’ve brought on board a Stanford or Harvard doctor to be on a payroll to tell kids to smoke.

Even worse is that the CEO admits he can’t be advised on privacy or security by anyone below C-level.

…we are establishing an Advisory Board that will include a subset of CISOs who will act as advisors to me personally. This group will enable me to be a more effective and thoughtful leader…

If that doesn’t say he doesn’t know how to manage security at all, I’m not sure what does. He’s neither announcing promotion of anyone inside the organization, nor is he announcing a hire of someone to lead engineering who he will entrust with day-to-day transformation… the PR is all about him improving his own skills and reputation and armoring against critics by buying a herd to hide inside.

This is not about patching or a quick fix. It really is about organizational culture and management theory. Who would choose ECB mode for encryption, would so poorly manage the weak secrets making bad encryption worse, and after all that… be thrilled to bring on board the least successful CSO in history? Their new security advisor infamously pre-announced big projects (e.g. encryption at Yahoo in 2014) that went absolutely nowhere (never even launched a prototype) is accused of facilitating atrocities and facing government prosecution for crimes, and who demonstrably failed to protect customers from massive harms.

Zoom just hired the ECB of CSOs, so I’m just wondering how and when everyone will see that fact as clearly as with the penguin image. Perhaps it might look something like this.


Update April 12: Jitsi has posted a nice blog entry called “This is what end-to-end encryption should look like!” These guys really get it, so if you ask me for better solutions, they’re giving a great example. Superb transparency, low key modest approach. Don’t be surprised instead when Zoom rolls out some basic config change like AES-256-GCM by default and wants to throw itself a ticker-tape parade for mission accomplished. Again, the issue isn’t a single flaw or a config, it’s the culture.

Update April 13: a third-party (cyber-itl.org) security assessment of the Zoom linux client finds many serious and fundamental flaws, once again showing how terrible general Zoom engineering management practices have been, willfully violating industry standards of safety and product security.

It lacks so many baseline security mitigations (the compiler and linker hardening any 2020 release is expected to ship with: position-independent code for ASLR, stack protectors, a non-executable stack, RELRO) that it would not be allowed as a target in many Capture The Flag contests; Linux Zoom would be considered too easy to exploit. Building with a development environment five years out of date (2015 vintage) probably does not help. It is not hard to find vulnerable coding in the product either; there are plenty of secure-coding-101 flaws.

These are really rudimentary, 101-level flaws that any reasonable engineering management organization would have dealt with years ago. It is easy to predict how this form of negligence turns out, and the CEO himself attacked his former employer for using his buggy code, so ask why Zoom believed it could get away with it.

Update November 11: The FTC calls out Zoom for being a fraud, yet neither penalizes them nor compensates their victims.

…’increased users risk of remote video surveillance by strangers and remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app—without any user action—in certain circumstances,’ the FTC said. The FTC alleged that Zoom’s deployment of the software without adequate notice or user consent violated US law banning unfair and deceptive business practices.

And they basically lied for years and years about security.

…Zoom claimed it offers end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides… also claimed it offered end-to-end encryption in a January 2019 white paper, in an April 2017 blog post, and in direct responses to inquiries from customers and potential customers… In fact, Zoom did not provide end-to-end encryption for any Zoom Meeting…

Since June 2016 Zoom lied repeatedly about its encryption practices in order to juice sales in American healthcare while diverting traffic through China. Think hard about that.