If you tell enough stories, perhaps the moral will show up.

2006-10-20

Criminalise Your Enemies.

Is it strange that so much WAN traffic is unencrypted? That became a live issue for me when we were setting up a new recovery facility. Part of the project includes links between the machine rooms, and the service provider offered us a significant cost saving by using their network to replace a hop that would cost tens of thousands ordered from COLT. Everyone was happy except me. I saw it as a tap risk.

I hate taps. A network tap is one of the points where the balance tips in favour of the attacker. They are totally stealthy and very reliable. They can be serviced by a leave-behind -- a laptop running Ethereal or TCPdump with USB disks exchanged whenever the access can be had. The only real problem the attacker faces is getting access to a good network segment -- plugging in to a workstation LAN and risking an ARP spoof is going to get some user passwords, and that's not bad, but it's not the key to the domain.

But a trunk between machine rooms is another thing entirely. Modern domain traffic ought to be harmless if overheard, but console sessions on to the DCs, SNMP strings, enable passwords on switches ... One way or another, it's the place to be if you want passwords, not to mention seeing what the fileservers see.

So, OK, taps are bad. But is it any more risky to run our traffic over a service provider's network? The contract gives them a duty to keep our data confidential, and you won't find that in a service agreement from BT or COLT.

The short answer is the criminal law. Between the termination points of section 8 licensed telecoms providers like Colt and BT, special law applies: I think it's the Interception of Communications Act 1985, but anyway there are criminal penalties for tapping their systems without a warrant. They can't even do it themselves, and that's why there's no confidentiality in the contract.

The point here is not so much the penalties but the criminal liability. Evidence of a crime -- and an unexpected laptop stuffed with traffic logs is evidence -- lets the police investigate. Serious industrial spies always seek to operate below the radar of Babylon, and that makes for real protection.

IoCA is protection, but it's limited. It doesn't stretch beyond the endpoints. If we found a tap on the service provider's network, we could remove it, but no crime has been committed. To get any recourse we would have to mount our own surveillance and investigation, and that is a place I don't want to go.

We're sticking with the service provider's network, but some of the savings are going on hooking it through our firewalls with the encryption turned on.

2006-10-12

Fingered by the Make-up Girl

It appears that Italian MPs have been tricked by a TV show into submitting sweat samples. The samples were analysed to show that a large minority had been taking what local law treats as drugs of abuse. The gimmick is that the swabs were taken as the dupes were being made up to quote opinions on camera for a fake documentary about the budget.

It would have been more fun to ask them their opinions on drug abuse. It doesn't take much insight into the political mind to speculate that those opinions would be pretty uniformly negative, regardless of the blood THC level.

If you live with integrity -- some degree of consonance between words and actions -- it's easy to laugh at those poor mugs. They must be sweating more than ever now. The trouble is that the effort that goes into keeping us honest drains the fun out. We're prigs and bores. There's no help for it. Each one of those men will be better company than me, and his children will love him more. We should protect them, not laugh.

And the question has to be, whether anybody other than the police has the right to gather that sort of history, the evidence that we are all scattering more widely and more unconsciously: DNA on the laundry, web browsing at the ISP, fibres on the trousers, drug abuse at the barber's, traffic histories and mast use on the mobile, spending on the card .... What will trip you up? Is being too dull to notice the only possible defence?

2006-10-11

Commuter

Coming home yesterday evening I watched in the twilight as the mist off the river poured through gaps in the grown-out hedge and evaporated in the warm meadow. But now heading back the other way, everything is cool and there is a deep silvery blanket shining in the bright moonlight.

2006-10-05

H. Sapiens

On Tuesday I was working with the owner of information risk on the information security policy. She's Jewish and we were talking about her reflection on the Day of Atonement just gone. I was, and am still, upset by the stupid emails I've been reading as part of this current investigation. Jewish spirituality has that ancient focus on the ethical value of mindful compliance with God's law, and she compares that with the chaotic response of colleagues to our sane and reasonable policy, or even the idea of policy: "Everyone would be much happier if we just obeyed the rules and got on with the fun stuff ....."

I know she's right, or at least I agree, but there's something else too, and as I groped for the words to express it, I looked around the open plan office and for a moment my vision changed. What I saw then was a colony of great apes, that third chimpanzee species, created by language and bipedalism on the journey from forest to office, but still the same animal: obsessed with rank and sexual display, endlessly inquisitive, endlessly communicating and endlessly systematising. And utterly unconcerned about rules that try to stop us being what we are.

When we accept law, we defy our own natures. Against resistance like that, the policy of the IT security ape is so much desert wind.

2006-10-02

Chain, chain chain

I've been collecting MTA logs from one of our Exchange servers. They're one of my favourite logs -- a little forbidding at first, but yielding mountains of information if you put in the time. I forgive them for breaking the mapping between text line and event. Browse them on the tracking.log share, and view in a decent text editor with word wrap off.

Now these logs are valuable, at the moment. That's why I'm collecting them -- they may be required to prove a point in court. So I want to copy them off the share and put them in a safe place. But that's not enough. What's to stop me editing them after the fact to show anything I want to show? Enough care with dates and formatting would make it the devil's own job to prove that I'd fabricated the record, and it's that capacity to make a perfect forgery that lies at the heart of the problem with computer evidence.

What courts want is swearing, and plenty of it. Each step of the chain needs a claim that can be fairly made, on oath, that the data passed on is the data received.

The traditional method would be to print out the file and sign and date every page. That signature isn't the oath that would be made in court, but it's the basis on which you could swear that oath: "yes -- I signed it that day, so that must be the printout I had on that day." If you didn't sign it, how could you be confident enough to swear? After all, one printout looks much like another. Computer people laugh at this as a defence against forgery -- if you were planning to fake it, surely you can lie about the date too? But in fact courts are using an important tool here. It's consistency that makes lying difficult and it's inconsistency that lawyers concerned about the quality of opposing evidence seek to expose. By signing and dating, you are offering up a hostage to fortune, secure in the knowledge that no inconsistency can arise because this is actually what did happen.

Now these log files are a hundred thousand events long and I am not printing them out a) because it would be nonsensical and b) because it wouldn't help anyone. Whoever's going to check?

This is what cryptographically secure hashes are for. If I can vouch not for the file, but for the hash value, the chance of a subsequent modification being meaningful and preserving the hash value is negligible. So, every day I use Microsoft File Checksum Integrity Verifier -- FCIV. In a command shell, I run:

FCIV -sha1 \\EX1\tracking.log
(this prints a line of hash for every archive)
copy \\EX1\tracking.log\*.* h:\myarchive
FCIV -sha1 h:\myarchive
(will give the same values above)

Then I print off the transcript and sign and date it, transforming a bunch of editable files into a record that is set as if in stone. Anyone who cares can take my copy of the data and check it against the printout themselves in a minute or so. All the colossal contingencies boil down to a single question: did I fake my signature? And if so, how is that to be shown? Since I didn't fake it, I should be OK, and so will my evidence.
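The same routine as a script, as an added example rather than anything from the post: build a manifest of digests over the share, copy the files to the archive, verify the copy against the printed manifest, and then show that a one-character edit to an archived file (or a file added later) is caught. Paths, file names and log lines are all constructed for the demo. It uses SHA-256 by default, where the post's FCIV run uses SHA-1; pass algorithm="sha1" to match that output, bearing in mind SHA-1 is no longer considered collision-resistant.

```python
"""Hash manifest for archived log files: the FCIV routine from the post, in Python.

Added example, not the author's own tooling. Builds a manifest of digests for every
file on a share, copies the files to an archive, verifies the copy against the
manifest, and shows that a later edit is detected. Paths and log lines are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Constructed sample content, shaped loosely like message-tracking log lines;
# not real Exchange output.
SAMPLE_LOGS = {
    "20061002.log": (
        "2006-10-02\t09:14:03\tEX1\tSMTP\tReceive\tmailbox1@example.invalid\tInvoice\n"
        "2006-10-02\t09:14:05\tEX1\tSMTP\tDeliver\tmailbox1@example.invalid\tInvoice\n"
    ),
    "20061003.log": (
        "2006-10-03\t17:41:22\tEX1\tSMTP\tReceive\tmailbox2@example.invalid\tRe: budget\n"
        "2006-10-03\t17:41:23\tEX1\tSMTP\tDeliver\tmailbox2@example.invalid\tRe: budget\n"
    ),
}


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Digest a file in chunks so a hundred-thousand-event log need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(directory: Path, algorithm: str = "sha256") -> Dict[str, str]:
    """Equivalent of running FCIV over the share: one digest per regular file."""
    return {
        entry.name: hash_file(entry, algorithm)
        for entry in sorted(directory.iterdir())
        if entry.is_file()
    }


def render_manifest(manifest: Dict[str, str]) -> str:
    """The transcript to print, sign and date: one 'digest  filename' line per file."""
    return "".join(f"{digest}  {name}\n" for name, digest in manifest.items())


def parse_manifest(text: str) -> Dict[str, str]:
    """Read a rendered manifest back so a third party can check the archive."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split("  ", 1)
            manifest[name] = digest
    return manifest


def verify_manifest(directory: Path, manifest: Dict[str, str],
                    algorithm: str = "sha256") -> Dict[str, str]:
    """Compare an archive against a manifest: ok / modified / missing / unexpected per file."""
    current = build_manifest(directory, algorithm)
    report = {}
    for name, expected in manifest.items():
        actual = current.get(name)
        if actual is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if actual == expected else "modified"
    for name in current:
        if name not in manifest:
            report[name] = "unexpected"
    return report


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Run the routine on constructed files; returns (report before, report after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "tracking.log"   # stands in for \\EX1\tracking.log
        archive = Path(tmp) / "myarchive"    # stands in for h:\myarchive
        share.mkdir()
        for name, body in SAMPLE_LOGS.items():
            (share / name).write_text(body)

        manifest = build_manifest(share)              # FCIV -sha1 \\EX1\tracking.log
        shutil.copytree(share, archive)               # copy \\EX1\tracking.log\*.* h:\myarchive
        signed_copy = render_manifest(manifest)       # the page that gets printed and signed
        before = verify_manifest(archive, parse_manifest(signed_copy))

        # Edit one character of an archived log after the fact, as the post worries about,
        # and drop in a file the manifest never saw.
        tampered = archive / "20061003.log"
        tampered.write_text(tampered.read_text().replace("17:41:22", "17:41:21", 1))
        (archive / "notes.txt").write_text("added later\n")
        after = verify_manifest(archive, parse_manifest(signed_copy))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh copy:", before)
    print("after edit:", after)
```

The printed manifest, not the archive, is the thing you sign: anyone re-running verify_manifest against your copy of the files and the signed sheet gets the same ok/modified verdict without needing to trust you.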

2006-09-11

Business Continuity (Because it does continue)

It seemed appropriate to spend the day looking over the new DR site. Unlike the current site, it's a long way out of town and the reason for that is five years old.

No particular agenda. Joined in one of the project meetings, nosed about the machine hall, asked about the physicals. Really, all I need is for the team to know that I care, that I'm interested, and to hear me praise what I can.

Because I haven't been praising it all. I've been in this role two years, and still people offer me solutions which are absolutely barking. This lot wanted to run plaintext ethernet through the switched infrastructure of the DR supplier and install our servers and network in cabinets in the shared machine hall. We're getting a cage, screed to screed, and the supplier's LAN is a red network.

2006-09-09

What Security Angle?

We're just starting a weekly reward scheme for the less mad son -- he gets a trip to the pool or the pictures, guaranteed, if the week's Kumon has been done without too much pain. So we went to see Cars.

It's good. Better than Nemo or The Incredibles. As good as Monsters Inc. or Toy Story II though less dense than either, and perhaps that's just total confidence peeping through after fifteen or twenty years.

I'm a simple person, and I loved the jokes -- the scenery, the governor of California (was that a cameo?), casting Jeremy Clarkson as the odious Harv, and I suspect I missed a bunch of stuff in race organisation and commentary. And the story was heartwarming if somewhat daft -- my heart is perennially cold and I like it warmed up.

One thing that struck me was that the animators are just showing off now. There's a logical next step coming, though I don't know if Pixar will take it. Somebody's going to make a movie where animation is a detail of the production -- not chosen to create a fantasy world or to let the characters do impossible things, but simply because they can't be arsed to deal with real actors and locations, and the audience won't notice the difference. I wonder what it'll be? (Hope it's not porn -- that would be sad.)

2006-09-06

The Cost of Secrecy

I've been keeping a secret for a few months now, but it's not a secret any more. All very banal -- just the sale of a division that needed a separation of computer systems before the announcement day.

That day has come, and suddenly:

  • I can talk to the technical staff instead of asking their bosses to guess.
  • I don't have to figure out compromises between approval policies and the need to keep the authorised approver in the dark.
  • The helpdesk don't think I've gone mad.
  • I don't find myself as the only person with the rights, skill and clearance to carry out a whole bunch of mundane tasks.

I know that there are sometimes good reasons for secrecy. And despite there being fifty-odd people on the list at the end, it didn't get into the press, so it was a success. But it was not cheap.

I'm guessing now, but I think that the human budget for a task that has to be carried out in an organisation that can't know what's going on needs something like a 50% uplift to cover confusion, error and unskilled staff. Try justifying that.

2006-09-02

The UK is a Nest of Hardened Criminals

I'm not sure how many times I broke the law last week. It must be hundreds -- I did it eleven times just now.

I've bought a music player and I'm ripping my albums. (It's a Samsung -- Ogg Vorbis is definitely smaller than MP3.) The law in the UK specifically provides for sound recordings, a CD is universally acknowledged to be a copyright work, an OGG (or an MP3, or WMA) ripped from it is obviously a copy, and copying infringes the Chapter II rights of the copyright holder. None of the Chapter III permissions applies, and it looks like I'm bang to rights -- up to two years in the chowkey. I have checked and there's definitely nothing in the act about "unless everyone is doing it, in which case it's OK."

I could call the police but I'm afraid they'll laugh at me. I could call the BPI, but I don't think they'll care either.

There are two ways to look at this. We can go with the BPI and say that it's an anomaly that needs to be cleared up. Or we can face the fact that intellectual property, so called, is so different from property that concepts like theft just don't work, and change the law accordingly.

In the meantime, it's fun to watch Samsung, Microsoft, Dell and all the others keeping mousy quiet and hoping the whole issue will go away.

2006-08-19

A Use for Security Theatre

Just lately in the UK we've had Red Mercury, Forest Gate, Ricin and the Liquid Explosive plane bombers. But red mercury is a con, home-made binary explosives are hard to believe (as a weaponised, deliverable threat -- and so is ricin), and Forest Gate saw 250 Babylon fail to find the cyanide bomb they knew was there...

It looks worrying:

Or really worrying: Happily, there's at least a third possibility, and it's this: The activity is security theatre designed to send a message to radicalised Muslims that loose talk costs careers and long periods on remand in gaol.

A lot of lightly-educated male Muslims in the UK are flaming away to each other about the war against Islam, the punishment that the West deserves, and the luscious fantasy glamour targets that can be conjured up by someone who doesn't actually have to plan and execute a terrorist attack.

These men are on a continuum. Some just blether. Some go a stage further and do something really dorky like buying a tonne of fertiliser -- ending up incriminated as can be, but no nearer the ANFO bomb they seek. And some have the capability, intention and a target.... and since speech is free, it's only these last who really matter. And, in the nature of things, they're rare -- colossally outnumbered by the tens and hundreds of thousands who agree, but won't go beyond ugly talk. So why arrest and prosecute people who were unlikely to achieve substantial acts? The answer is the source of the "intelligence" which is identifying these nutters: communication intercepts. If GCHQ isn't automatically scanning at least some emails, IMs and blogs for dodgy words and links, I'll eat my hat. And if these automatic scanners can distinguish between real threats and radical show-offs, I'll eat my knickers.

Here's the problem -- a real, valuable source of hard intelligence is being undermined by noise. Too many hits to use. What's needed is a way to ensure that the only people sending incriminating communications are those prepared to risk arrest. And here's the solution: arrest, and prosecute, to send a message:

MI5 to loudmouth radical Muslims: "Shut the fuck up so we can listen to the good stuff. Or we will wreck your life."

2006-07-31

The Man in the Middle for All Purposes

I love simple ingenuity, and FormSpy is ingenious. From the McAfee writeup:

... a malware that is installed as a Mozilla/Firefox component extension.

Upon execution, it registers Mozilla event listeners to the malware and sends information submitted by the victim in the web browser to a malicious website. This information can include, but is not limited to, credit numbers, passwords, e-banking pin numbers etc. The main executable is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.

This malware was modified from the "NumberedLinks 0.9" which is an open source Mozilla component available off the Internet. To the victim, he or she would only notice the "NumberedLinks 0.9" extension being installed.

Minimum effort, maximum effect. Nice.

2006-07-29

Saving the Appearances

News like this is a bit puzzling. The basic story is straightforward: nasty Chinese government wants to keep its people in ignorance to preserve the despotism, and nasty western (in this story, given the source, read American) firms are way too ready to help.

Except. Except.... I don't believe there's the slightest hope of it working. I can't see that anybody can believe it'll work. It's just bollocks. For certain Skype can censor keywords like "Falun Gong" and "Dalai Lama" and those words won't get through. But unless they are using something a lot better than our spam filters (among the best that money can buy), "F4lun G0ng" and "Da1ai L4ma" will work just fine. Is this just quaint? And for sure google.cn can slant its results (but not that much). The great firewall (it must actually be a transparent proxy) can even put up polite panels explaining that such and such a site conflicts with government policy and is therefore blocked. But it doesn't matter.

The effect of the Internet is not to link poor confused foreigners to proper liberal western thought. I wish it was sometimes, but it's not. And I'm sure that there are plenty of people in the middle and upper levels of provincial and national PRC Party and government who imagine that a nice Middle Kingdom Internet without alien pollution and troublemaking would give all of the benefits and none of the trouble. They're wrong too. The Internet puts people in touch -- terrorists, racists, grey-haired security bores and the rest. It's such powerful communication that you can cut and hack away at it, and unless you shut it off entirely it'll pass ideas, rumour, gossip and news better than the world ever saw before.

The last twenty years of the Soviet Union were run in a state of hysterical denial. Everyone from factory foreman all the way up to the all-union politburo was aware of the choice between muffled giggles and bare-faced lies. The self-confidence of the national intelligentsia had been undone in the sixties by a few hundred dissidents writing and circulating hand-copied and roneoed samizdat publications. Pretty much everyone in that key group went to prison and all that did was keep the lid on for a while.

Agile Deng, the octogenarian contortionist, dodged the fate of the USSR. The focus on economic development, dropping socialism while retaining the central position for the party, has diverted, as it was intended to, the art and skill of the whole nation. And a cultural entity as big as Han+Mandarin doesn't need to look outside much. Nonetheless, the basic battle has been lost. There is a middle class with weak or absent Party affiliations. Those people know they're smart, they know they've done something amazing, and they know the Party needs them more than they need it. And their communications are slicker than rubber stencils and biros.

They hardly need outside thought -- their own is dangerous enough. The corrosive, indelible idea: people like them should choose their own rulers, is there already. The rest, as they VoIP, email and blog, will emerge from their side of the great firewall, not ours. They may act this year. It may have to wait for a big shock: the coming bank failures, a corruption & incompetence scandal like SARS, too big to hush up, or even a failed military adventure. It may be a polite handover, stage by stage. It'll be Chinese, but the end result will be a multi-party state and a bigger and more frightening democracy than India.

And the Chinese network perimeter? It's just saving appearances. I doubt if anyone who works on it really believes that they can freeze or channel political thought. Sure sells a lot of firewalls though.

2006-07-23

The Scent of 1995


2006-07-21

How Security Policies Fail (5)

Policy: No plain text password storage.

Failure: The real failure here is my failing to find words able to describe this. Maybe I should have written: "no encryption technology more than a thousand years old...."

Private Function Encrypt(strPlain As String) As String
    Dim i As Integer, j As Integer, n As Integer
    n = Len(strPlain)
    Encrypt = ""
    For i = 1 To n
        j = Asc(Mid$(strPlain, i, 1))
        j = (j + 33) Mod 256
        Encrypt = Encrypt & Chr$(j)
    Next i
End Function

Public Function Decrypt(strCode As String) As String
    Dim i As Integer, j As Integer, n As Integer
    n = Len(strCode)
    Decrypt = ""
    For i = 1 To n
        j = Asc(Mid$(strCode, i, 1))
        j = (j - 33) Mod 256
        Decrypt = Decrypt & Chr$(j)
    Next i
End Function
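To make the failure concrete, here is the same transform reproduced in Python beside what the "no plain text password storage" policy is actually asking for. This is an added example, not part of the post or of the application the VB code came from: shift_encrypt and shift_decrypt mirror Encrypt and Decrypt above (a Caesar shift by 33 over single-byte character codes, with the constant 33 being the entire "key"), and hash_password and verify_password use a salted, iterated PBKDF2-HMAC-SHA256 hash from the standard library. The iteration count and the sample passwords are constructed for the demo.

```python
"""The shift 'cipher' from the post reproduced, beside a password hash that meets
the 'no plain text password storage' policy.

Added example, not the VB code's own project. shift_* mirror the VB Encrypt/Decrypt;
hash_password/verify_password show a salted one-way hash. Sample inputs are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

SHIFT = 33  # the constant baked into the VB Encrypt function: the whole "key"


def shift_encrypt(plain: str) -> str:
    """Same transform as the VB Encrypt: each character code moved up by 33, mod 256.
    Assumes single-byte character codes, as the VB Asc/Chr$ pair does."""
    return "".join(chr((ord(c) + SHIFT) % 256) for c in plain)


def shift_decrypt(code: str) -> str:
    """Inverse of shift_encrypt. Python's % never goes negative, so this also copes
    with codes below 33, where the VB Decrypt's Mod would yield a negative value."""
    return "".join(chr((ord(c) - SHIFT) % 256) for c in code)


# --- what the policy actually wants: a salted, slow, one-way hash -------------

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # a starting point for this demo; raise it as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per password means equal passwords do not store equal."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time.
    Nothing here can be run backwards to recover the password."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(password: str) -> Dict[str, bool]:
    """Show the difference on one password: the shift output is reversible by anyone
    with the source, identical for identical inputs and the same length as the
    input; the hash is none of those, and still verifies the right password."""
    shifted = shift_encrypt(password)
    hashed = hash_password(password)
    return {
        "shift_reversible": shift_decrypt(shifted) == password,
        "shift_deterministic": shift_encrypt(password) == shifted,
        "shift_leaks_length": len(shifted) == len(password),
        "hash_deterministic": hash_password(password) == hashed,
        "hash_verifies": verify_password(password, hashed),
        "hash_rejects_wrong": verify_password(password + "x", hashed),
    }


if __name__ == "__main__":
    for key, value in compare_schemes("Tr0ub4dor&3").items():   # constructed sample
        print(f"{key}: {value}")
```

The stored string carries its own algorithm name, iteration count and salt, so the parameters can be raised later without invalidating old records, and the comparison goes through hmac.compare_digest rather than == to avoid leaking timing.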

2006-07-01

Why Perl?

It looks like line noise, and if it was ever in fashion it's dropped out now. But Perl suits me, and I think this is why:

  • Some people see the world as tables or XML -- I see it as text files with easy to parse lines
  • Security does a lot of work with "fairly regular" data. (It doesn't seem possible to get the admins to stick to strict group naming conventions.) Putting regular expressions at the heart of the language acknowledges that the data are a bit dodgy.
  • Security has many command line utilities that do roughly what you want. Perl runs external code, gathers output, skips the irrelevant bits and tidies up the good lines, all without too much pain.
  • I've never written a right-first-time program in any other language. (I don't think I've ever written a right-at-all program in any language where I have to do my own garbage collection.)
  • Languages that let me say what I want get my vote:
        $a++ unless ($its_time);
        foreach ( <STDIN> ) {reformat($_)};

Perhaps I'll grow out of it. Perhaps I'll just get frustrated with weak Windows integration. Perhaps I'll write that integration the way it should be done. Perhaps the Active State port will blow up once too often. We'll see.