Tag: security

Privacy -vs- information conservation time

In my opinion privacy issues are a by-product of information conservation times reaching infinite.

For centuries and more humans were used to their own type of memory. When information reaches the brain, it is stored in short-term memory. When relevant and/or repeated, it is gradually consolidated into long-term memory (this is roughly the process).

Schematic memory consolidation process

The invention of oral transmission of knowledge, written transmission (incl. Gutenberg) and, to a certain extend, internet, all these successively increased the duration of retention of information shared with others. The switch from oral to written transmission of knowledge also sped up the dissemination of information as well as its fixed, un-(or less-) interpreted nature.

Duration of information over time

With the internet (“1.0” in order to put some buzzword) the duration of information is also extended but somehow limited ; it was merely a copy of printing (except speed of transmission). Take this blog, for instance: information stored here will stay as long as I maintain or keep the engine alive. The day I decide to delete it, information is gone. And the goal of internet was to be able to reach information where it is issued, even if there are troubles in communication pipes.

However on top of this internet came a serie of tools like search engines (“Google”) and centralized social networks (“Facebook”). Now this information is copied, duplicated, reproduced, either because of the digital nature of the medium that allows that with ease. But also because these services deliberately concentrate the information otherwise spread. Google concentrate (part of) the information in its own datacenters in order to extract other types of information and serves searches faster. Facebook (and other centralized social networks) asks users to voluntarily keep their (private) information in their own data repository. And apparently the NSA is also building its own database about us at its premises.

In my opinion, whenever we were sharing information before, privacy issues were already there (what do you share? to whom? in which context? …). But the duration of information is now becoming an issue.

OS need an immune system and not a CDC-like

In an IT World article, Tom Henderson gives many details about a US-government-led CDC-like organisation to fight malware. In summary, he states that companies and consultants providing security and prevention around operating systems don’t have any real motivation to eradicate malware. And in case of an “outbreak” of these malware, he added one needs a US government body to look after every computer “health”, coordinate the surveillance and the response. He even pushes the comparison with the human medical system by introducing a Hippocratic Oath for computer healthcare.

With all the respect I have for someone I’ve never heard of before, I think Tom Henderson misses one crucial point that make his flight of lyricism totally irrelevant. The missed point is that human beings (as well as every animal species and especially vertebrates) have a immune system. It’s our immune system that gives the first answer to any external “invasion”, it’s our immune system that can adapt to the diversity of threats out there, it’s our immune system that allow our body to recover.

Today computers have a nice body, nice mechanics. Operating systems are behaving like we tell them, not as separate entities. We constantly add foreign bodies (software) and they are constantly in contact with potential external aggressions (via file exchanges, media insertion, network connections). What we begin to give them are sentinels monitoring critical parts of the system, a kind of basic neural system. We invented the body-in-the-body (virtualization) to prevent one failing organ (software) to contaminate the remaining parts of the body (a.o.). We also give some vitamins (firewalls e.g.), strengthening  some defences. And finally we think that “anti-virus software” are enough while it’s only some kind of very basic, un-natural innate immune system.

Before thinking of a CDC-like body for our computers security, one should maybe think of adding a immune system to our computers. At least a basic one, where there is a response even to currently unknown threats. Then we might think of something more sophisticated, with memory and specific response. Look, there was no network, no communication outside: the body/computer can easily cope with the threat by itself. Research is already looking at such applications. And, yes, finally, if you insist, bring your CDC-like organism.

Belgian State Security report 2008

When I first opened the Belgian State Security Report 2008 (PDF in French or in Dutch), I had the a feeling of déjà vu: the cover picture is in fact a part of the Great Court of the British Museum in London, UK. Strange for a report on Belgian security and surveillance …

The British Museum as illustration for a Security report
Comparison between an actual photo of the British Museum Great Court (left, by Guillermo Viciano, under CC-by-sa) and the cover of the Belgian State Security Report 2008 (right)

Then I saw it’s only a light version for the web, not the full version. I had a look at the Justice website and the Security web page but I couldn’t find the original version (if you have the full version, I’m interested).

The report summarizes all the activities done by the Security in 2008, including the groups, countries and activities watched, a report on the cases where it was involved (Belliraj, Benali, Trabelsi cases, a.o.) and a broad view of what they did to check people background, protect some others and check various accreditations.

The most interesting part for me, however, was a short description of a bill about data collection methods by the Security. This bill was submitted to the Belgian Senate in December 2008 and was recently adopted (the full text is here, in French). It’s now submitted to the Belgian king for signature.

Briefly, this bill modifies an existing law from 1998 and, among other things, tells apart ordinary data collection methods from specific (articles 18/7 and 18/8) and exceptional ones (articles starting from 18/9). As expected, the bill allows the use of techniques to intercept and read private communications between persons. The bill also allows entering into computer systems, removing protections, installing spyware, decrypting and collecting data (but it does not allow their destruction).

All these methods are controlled post hoc by two different bodies, an ad hoc administrative commission composed of magistrates (renewed each year by the king following a suggestion by the government) and a permanent “R” committee. Specific and exceptional methods needs to be approved first by the administrative commission but there is always the possibility for the Security hierarchy to bypass this and send a written notice to the commission later on. How many times can this last step be forgotten?

Although it’s nice to have the reference to the bill and be able to look for it on the internet, I would have liked to see some statistics about how many times these specific and exceptional measures were applied, how many times they were refused by the administrative commission, how many times the hierarchy allowed a mission and informed the commission later on, etc. in the same way they proudly show graphs of the number of hours spent protecting VIPs. I know details are protected by secret but it would still have been nice to have an idea on how often these methods are used.

3DSecure not secure

You may have seen in various places that “3-D Secure” (aka “Verified by Visa” or “Mastercard Securecode”) is not as secure as it says. The original paper is here (PDF).

Unfortunately, having implemented the 3-D Secure system via a third-party somewhere in Europe, I have to agree with the authors. I will insist here on one aspect – the inline frame – but the authors are giving more aspects and some solutions worth considering in their paper.

The first issue is that most merchants or banks embed the 3-D Secure page in an inline frame: the 3-D Secure page appears as if it was served by the merchant website although it comes from another website. This is similar to the hypothetical case where that image in your newspaper comes from another newspaper. You wouldn’t notice the difference (unless/until the image is completely different from your newspaper content). And, back to our topic, if a fake 3-D Secure page is given inside the inline frame, it’s difficult to notice it, the most common way of noticing it (a different URL in the address bar) is indeed hidden by the inline frame. During the development and testing, I put in place an internal, fake but similar-looking payment page and we sometimes have to think twice before knowing if we were on the fake page or in the test environment. Webpages at a merchant or a bank website are of course supposed to be kept far from crackers and villains 😉 But a man-in-the-middle attack (replacing on the fly the real payment page by a fake one allowing to collect card details) is rather easy to implement (considering actual villains know-how) and wouldn’t be noticed until they collected a certain number of card details …

To illustrate the above, please insert your card details below.

Card number:
Expiry date:
Secure code:

Fake 3D Secure

Apart from the fact this form was done in 30 seconds and doesn’t really look like a real a real payment form (and does nothing), how can you tell the difference? So, be careful when using 3D secure (with Firefox you can always right-click to see the security information about the form you are about to fill in). And always try to check the URL if it’s possible.