Databasepunkbuster

CHAPTER23TheBleedingEdgeWhatinformationconsumesisratherobvious:itconsumestheattentionofitsrecipients.
Henceawealthofinformationcreatesapovertyofattention,andaneedtoallocatethatattentionefcientlyamongtheoverabundanceofinformationsourcesthatmightconsumeit.
—HerbSimonVotingmachinesoftwareisaspecialcasebecausethebiggestdangertosecuritycomesfromthepeoplewhoaresupposedtoberesponsibleforit.
—RichardStallman23.
1IntroductionOursecuritygroupatCambridgerunsablog,www.
lightbluetouchpaper.
org,wherewediscussthelatesthacksandcracks.
Weevenfoundsomevulner-abilitiesintheWordpressblogsoftwareweuseandreportedthemtothemaintainers.
Butweweren'taloneinndingaws,andinOctober2007,theblogitselfwascompromisedbyaRussianscriptkiddiewhotriedtoputonsomedrugads.
Theattackitselfwasonlyaninconvenience,aswespotteditquicklyandrecoveredfrombackup,butitbroughthomehowdependentwe'veallbecomeonavastrangeofapplicationsthatwejustdon'thavetimetoevaluate.
Andtheblogpoststhemselvesshowthatmanyoftheattacks,andmuchofthecutting-edgeworkinsecurityresearch,hingeonspecicapplica-tions.
TherewillstillbeexploitsagainstplatformslikeWindowsandSymbian,buttherearemanymorevulnerabilitiesoutthereinapps.
AsMicrosoftcleansupitsact,andassearchenginesmakeiteasiertondmachinesrunningspecicapps,that'swheretheactionmaywellshift.
727728Chapter23TheBleedingEdgeInthecaseofblogsoftware,theWordpresssecurityengineeringwasnotveryimpressive,butitscompetitorsareevenworse;andthisoneapplicationaloneexposesthousandsofmachinestocompromise.
Therearemany,manyapplications,andtheirdevelopersusuallydon'tcareaboutsecurityuntiltheygethacked.
ThesamelearningprocessthatMicrosoft'sgonethroughsince2000willberepeatedinonedomainafteranother.
Butnotallapplicationsarethesame;whilesome(likeblogsoftware)simplyopenupPCstobotnetrecruitment,thereareothersfromwhichmoneycanbeextracteddirectly,othersthatpeoplerelyonforprivacy,andothersthatmediatepower.
I'vealreadydiscussedanumberofmoreorless'embedded'apps,frombankingthroughalarmstoprepaymentmeters.
InthischapterI'mgoingtobrieydescribefourtypesofapplicationthatmakeupthebleedingedgeofsecurityresearch.
Theyarewherewendinnovativeattacks,novelprotectionproblems,andthornypolicyissues.
Theyare:onlinegames;webapplicationssuchasauction,socialnetworkingandsearch;privacytechnologiessuchasanonymizingproxies;and,nally,electronicelections.
GamesandWeb2.
0highlightthefactthatthereal'killerapplication'oftheInternetisotherpeople.
Asmorepeoplecomeonlineinevermorecontexts,we'recreatingcomplexsocio-technicalsystemsofakindthatneverexistedbefore.
Thatmeansquitenovelattacks,exploits,tusslesanddisputes.
We'vealreadyseenseveralexamples,suchasclickfraudandimpressionspam,aswellasnewvariantsonoldscams.
Anonymitysystemsfollownaturally:ifyouwanttoreapsomeofthebenetsofwebapplicationsbutnotendupexposingyourprivacytothem,youmaywishtoplayunderapseudonym.
Mechanismstodothishavebeendiscussedfordecadesandrealsystemshaveemerged;butasyou'dexpectfromourdiscussionofinferencecontrolinChapter9,anonymityismuchharderthanitlooks.
Finally,electionsareaclassicexampleofanapplicationwhereanonymityisrequired,butcoupledwithaccountability:youwantvotersinanelectiontobeabletosatisfythemselvesthattheirvotewascounted,yetnottobeabletoprovetoanyoneelsewhotheyvotedfor(sotheycan'tbebribedorbullied).
Electionsarealsothekeyinterfacebetweensocialcomputingandpower.
23.
2ComputerGamesGameswereoneoftherstapplicationsofall—prettywellassoonastheworld'srstpropercomputer,theEDSAC,wasoperational,researchstudentswerewritinggamesforit.
TheearlyAIresearchersstartedwritingchessprograms,believingthatwhenthisproblemwassolved,computerswouldbeabletofunctionmoreorlessaspeople.
Andinmyownspottyyouth,therst23.
2ComputerGames729cryptanalysisprogramIwrotewastoletmepeekaheadintotheroomsofadungeongame.
Therearelimitedopportunitiesforcheatingatgamesofperfectinformationlikechess,especiallywhenplayingagainstacomputer.
Buttherearemanywaystocheatinothergames,andthey'rebecomingabigdeal.
Millionsofpeopleplayonlinegames,manyofthembrightandalotofthempoor;thelargeonlineworldshaveaturnoverlargerthansomesmallcountries;andthousandsofpeoplemakealivingfromonlinegames,fromthedeveloperswhocreateandmaintainthemtoChinesegoldfarmers.
Sothemotivesforcheatingexist;andasgamesaresoftware,andsoftwarehasbugs,themeansforcheatingexisttoo.
Yetifcheatingbecomespervasiveitspoilsthefun.
Peopledon'tenjoyanunfairght—andinthelongrunevensuccessfulcheatersgetbored(unlesscheatingandcounter-cheatingbecomethenewgame).
Eventheperceptionofcheatingdestroysplayers'enjoyment,sotheygoelsewhereandthegamevendorlosesatonofmoney.
Sovendorsmakeaseriousefforttostopit.
Alltold,onlinegamesprovidearst-classsociallaboratoryforthestudyofhacking,andgamesecurityhasbecomethesubjectofseriousstudy.
Computergamesarealsobigbusiness,astheyhavebeenfordecades.
Theydrovethehome-computerboomofthe1970sthatinturnspawnedthePCindustry;gamesconsoleshavebeenahugemarketformicroprocessorsandmemorychips;andgaming—whetheronconsolesorPCs—haslargelydriventhedevelopmentofcomputergraphics[1367].
By2001,gamesalesintheUSAhit$9.
4billion,outperformingmoviebox-ofcesalesof$8.
35billion.
Comparingthetwoindustriesisn'tstraightforward,asmoviestarshaveothersourcesofincometoo,andtheindustriesaregettingentangledwithmoreandmoremoviesbeingmadewithcomputergraphicseffects.
Butinorder-of-magnitudeterms,computergamesareprobablyofcomparableeconomicimportancetomovies.
Certainlyablockbusteronlinegamegrossesmuchmorenowadaysthanablockbustermovie;asgamesgoonline,you'resellingsubscriptions,notjustone-offtickets[203].
'Security'ingameshasmeantdifferentthingsdownthroughtheyears.
Theearlyarcadegamesofthe1970sconcentratedonprotectingthecoinboxagainstrobbers.
WhenNintendomovedconsolegamesintothehome,theysubsidisedtheconsolesfromlatersalesofsoftwarecartridgesandotheradd-ons,soalotofeffortwasputintocontrollingwhichaccessoriescouldbeused,asIdiscussedinsection22.
6;theirlatercompetitorsfromSegatoSonyandMicrosoftendedupghtingbothlegalandtechnicalbattlesagainstreverse-engineers.
Copy-protectionofgamesoftwareforPCshasalsobeenabigdeal,andtherehavebeenpre-releaseleaksofstandalonegames,justlikeprereleaseleaksofmovies.
Howeverthemovetoonlinecomputergameshastrimmedtheconcerns.
Asacriticalpartofthegamelogicrunsonaserver,theclientsoftwarecanbegivenaway,andtheresidualissueiswhetherplayerscangetanunfairadvantage.
That'swhatI'llfocusonnow.
730Chapter23TheBleedingEdge23.
2.
1TypesofCheatingTherearebasicallythreetypesofcheating.
Therstiswheretheoriginalgamehasaknownvulnerabilitythatgoesacrossintotheonlineworldandmaybemadeworse.
Forexample,ahandofcontractbridgestartswithplayerstakingturnstobidhowmanytrickstheythinktheycantake.
Eachhandhasfourplayers,intwoteams,andduringthebiddingno-onemaycommunicateanyinformationaboutthecardsintheirhandtotheirpartnerotherthantheirpublicbids.
Incompetitiveplay,ascreenisplaceddiagonallyacrossthetableduringbiddingsothatno-onecanseetheirpartner.
Yettherearestilloccasionalsuspicionsthatsomecovertcommunicationhastakenplace,forexampleintheplayers'toneofvoice.
Intherealworld,allegationsofcheatingareheardbyajuryofexperiencedplayers,whotakeaviewonwhethertheoutcomewasbetterthancouldhavebeenexpectedinhonestplay.
Evenso,somedecisionsremaincontroversialforyears:playersmaybeexceptionallyskilful,orlucky,andpartnerswho'veplayedtogetherforyearsmaycommunicatesubconsciouslywithouttryingto.
Bridgeisanexampleoftwomuchmoregeneralproblems,namelyexploitinggamerules,andcheatingbycollusion,bothofwhichexistedlongbeforecomputers.
Movingtoonlineplaycreatesbothanopportunityandaproblem.
Theopportunityisthatifplayersarehonest,allthebidscanbemediatedthroughthesystem:there'snotoneofvoicetogiverisetoadispute.
Theproblemisthatiffourpeopleareplayingonlinebridgetogetherfromtheirownhomes,thenthere'snothingtostopapairsettingupaseparatecommunicationschannel—asingletextmessageofthecardsinahandisallittakes.
CantechnologyhelpWell,onlinebridgemeansonlinerecords,soyoucanminetherecordsoflargenumbersofgamestodeterminewhetherasuspectpairdobetteroverthelongrunthantheyshould.
Italsomakesiteasiertoruntournamentswhereeachmatchisplayedsimultaneouslybymanyplayersusingthesamedealofcards—whichmakesacheateasiertospot.
Finally,itfacilitatesnewwaysoforganisingplay:ifyouhaveanonlinegameserveravailable24by7,peoplecanturnupsinglytoplayandstartagamewheneverfourhavearrived.
Sopeopleplaywithmanypartnersratherthanjustone;boththemotivetocheatandthemeansarereduced,whiletherisksareincreased.
Where'sthere'sasingleforum,suchasasingledominantserver,youcanalsoconstructglobalcontrols.
Forexample,aprobleminsomegamesisescaping,wheresomeonewho'slosingsimplydropstheconnection.
Withaglobalservice,youcanremovetheincentiveforthisbyrecordinganescapeasaloss(butonlysolongasyourserviceisreliable—somegameserversendaquarterofsessionsincrashes,andthisstrategywouldn'tbepopularthere).
Otherexploitsthatarealsofoundinreal-worldgamesincludepretendingtobelessskilledthanyouare,losingafewgames,butthenwinningoncetheotherplayergetscondentandplaysformoremoney;pool-roomandpoker23.
2ComputerGames731sharkshaveusedsuchstrategiesforages,andtherearemanyteamvariantstoo.
Insomegames,youcangetanadvantagebyhavingmultipleplayers,andgetsometokilloffotherstoaccumulatepoints.
Thesusceptibilityofonlinegamestothissortofriggingdependstoagreatextentonwhetheridentityisdurable.
Ifpeoplecaneasilycreate,orcheaplybuy,newidentities,thenrigginggamesusingmultiplefrontidentitiesbecomessimpler.
(ThisisknownasaSybilattackandisalsoaprobleminpeer-to-peersystems[396].
)Onewaytodealwiththisisareputationsystem—atopictowhichI'llreturnwhenwediscussauctions.
Inothers,ratherthanhavingmanycharactersoperatedbyonehumanplayer,youusethereversetrickofhavingonecharacteroperatedbyshiftsofsuccessivehumanoperators;thisistypicallydoneinonlinemulitplayergameswherethegoalistoaccumulateonlinetimeandpoints.
Thesecondtypeofcheatingiswhereknowncomputer-securityissuesapplystraightofftotheworldofgaming.
FivepercentofthebadwaremeasuredbySymantecinthersthalfof2007wasaimedatonlinegames,withthetwomostcommonitemsbeingTrojansdesignedtostealaccountinformationfromplayersofGampassandLineage[1239].
There'sagreatvarietyofotherattacks,fromstraightforwardphishingtodenial-of-serviceattacksthatpushupthenetworklatencyofyouropponentsoyoucanbeathimatblitzchess.
Alotofthematerialinthisbookappliesonewayoranothertogaming:cheatershackservers,eavesdroponcommunications,andtamperwithclientmemorytomakewallsinvisible(there'sasurveyandtaxonomyat[1368]).
Policyissuessuchasprivacyturnouttomatterheretoo:alotofpeopleinSecondLifewereannoyedwhenanenterprisingcompanybuiltasearchenginethatwentthroughtheirhomesandindexedtheirstuff.
Andjustasinotherapplications,alotofexploitsarisebecauseofthechancediscoveryofbugs—suchasinonegamewhereyoucoulddriveuptoawallinajeep,hitthe'disembark'button,andappearinstantlyontheothersideofthewall[203].
Manygameshaveglitchesofthiskind,andknowledgeofthemspreadsquickly.
Thethirdtypearethenewcheatingtacticsthatemergebecauseofthenatureofcomputergames,andtheonlinevarietyinparticular.
Intacticalshooters,forexample,successshoulddependontheplayer'stacticsandshootingskill,notonthegamemechanics.
Yettherearealwaysshortcomingsinthegame'sphysicsmodel,oftenintroducedbynetworklatencyandbytheoptimisationsgamedesignersusetodealwithit.
Ineffect,thedeveloperstrytodeceiveyouintobelievingthattheirworldisconsistentwithitselfandwithNewton'slaws,whenitisn'treally.
Forexample,you'dnormallyexpectthatinashootingduel,you'dhaveanadvantageifyouhavethelowestnetworklatency,orifyoumoverst.
Yetthepredictionalgorithmsusedinmanygameclientscantwistthisorintoanexclusive-or:ahigh-latencyplayerhasanadvantageifhemovesrst.
Thisisbecauseclientscacheinformationaboutnearbyplayers,soifyouleaproundacorner,seeyourenemyandshoot,thentheslower732Chapter23TheBleedingEdgeyournetworkconnectionis,thelongeritwilltakebeforehecanseeyouandrespond.
(There'sawiderangeofsuchtactics:see[203]foradiscussion.
)Therearemanyinterestingborderlinecaseswhereanactivitycanbeskillorcheatingdependingonthecircumstances.
MikeBondcoinedtheterm'neo-tactic'torefertoplayerssubliminallyexploitingnetworkeffects,suchasthelatencyadvantageforrstmovers.
Areneotacticsgenius,orcheatingAsinBridge,theonecaneasilybemistakenfortheother.
Butmostpeoplewouldsayit'sdenitelycheatingifyouusemechanicalassistance,suchasaproxyserverthatslowsdownyourpacketstreamjustbeforeyoulaunchanattack.
23.
2.
2AimbotsandOtherUnauthorizedSoftwareThatbringsusontooneoftheclassicgamecheats,namelybots.
Oneofthepersistentcheatingstrategiesistohavecodeofyourowntoprovideyouwithautomationandsupport.
Peoplehavewrittenahugevarietyoftools,fromsimpleroutinesthatrepeatedlyclickarebutton(tohackthegameswheretherateatwhichyoucanphysicallyreisafactor)throughproxiesthatintercepttheincomingnetworkpackets,identifythebadguys,examineyouroutgoingshots,andoptimisetheiraim.
Theseaimbotscomewithdifferentlevelsofsophistication,fromcodethatdoesallthetargetacquisitionandshooting,tohuman-controlledversionsthatmerelyimproveyouraim.
Theycanhookintothepacketstreamasproxies,intothegraphicscard,orevenintotheclientcode.
Anothervariantonthesamethemeisthewallhack,whereaplayermodieshissoftwaretoseethroughwalls—forexample,bychangingthegraphicssoftwaretomakethemtranslucentratherthanopaque.
Gamecompanieswhosellrst-personshootersreckonthataimbotsseri-ouslyspoilotherplayers'fun,sotheyuseencryptionandauthenticationmechanismstoprotectthepacketstream.
(Theseareusuallyproprietaryandhackablebutthatwillnodoubtgetxedintime.
)Theyalsouseguardsoftware,suchasPunkbuster,thatusesanti-virustechniquestodetectattemptstohookintogamecodeorthedriversonwhichitrelies.
Arecentinnovation,foundinCallofDuty4,istoofferactionreplaysofkills,seenfromtheviewpointoftheplayerwhomakesthekill:thisenablesthekilledplayertoseewhetherhewaskilled'fairly'ornot.
Thismaynotonlyreducecheating,butalsotheperceptionofcheating—whichisalmostasdamagingtothegameoperator[204].
Inappropriatesoftwarecanalsoberunongameservers.
Acommonhackistogetanobjectsuchasaguntorunmultiplecopiesofascriptinparallel—atrickthatcouldhavebeenpreventedbyproperresourceaccountingattheserver.
However,serversfacecriticalreal-timedemandsandtheirdesignerstrytokeepthemassimpleaspossible.
Self-replicatingobjectsareusedtorunservice-denialattacks,ortocreatetemporarybuildingsthatescapetheresourcecontrolsonpermanentstructures.
Andpeopleprogrammagicswordstodounexpectedtricks.
23.
2ComputerGames733Itmustbesaid,though,thattherelativelyuncontrolledgamescriptinglanguageswhichmakethispossiblehavealsobeenturnedtocreativeuse.
Peoplehaverealisedthatgameenginescanbeusedtorenderwholemoviesin3-d;thequalitymaynotbeasgoodasonPixar'srenderingfarms,butitworks,andit'sessentiallyfree.
Thishasledtothegrowthofawholenewartformofmachinima(machinecinema).
Astheysay,it'sararewindthatblowsnobodyanygood.
23.
2.
3VirtualWorlds,VirtualEconomiesBotsarealsousedinfarming,whereentrepreneursdotheboringlegworkofaccumulatinggameobjectssuchasgoldcoinsormagicswordsforsaletoimpatientplayers.
However,mostofthefarmingisdonebyrealpeopleinlow-wagecountriesfromRomaniatoChina.
'Goldfarming'isnowasignicantexportthat'screatingneweconomicopportunitiesforyoungpeopleinremotevillagesthathavefewotheremployers[384].
Theeconomyofalargeonlinecommunity,suchasWorldofWarcraft—with8millionsubscribers,ofwhomhalfamillionareonlineatanytime—islargerthatthatofsomecountries.
Thismeansinturnthatmacroeconomiceffects,suchasexchangeratesandrents,starttomatter.
SecondLife,forexample,isessentiallya3-dchatroomrunbyLindenLabs,whichrentsoutspacetothirdparties,whocanthencus-tomisetheirpropertyastheywant.
IthasalocalcurrencyofLindendollars,thatcanbeboughtforU.
S.
dollarsusingacreditcard,eitherthroughLindenLabsorviathird-partybrokers.
Thecurrencyenablesin-gameentrepreneurstosellvalue-addeditemssuchasclothes,artwork,pornographyandservices.
AftertheFBIcrackeddownononlinecasinos,therewasasurgeofinterestingamblinginSecondLife;soinApril2007theFedsvisitedLindenLabs[1006].
Justbeforethevisit,26%ofannouncementswereaboutgambling;afterit,commercialrentsfell.
Andtheworldofanti-money-launderingcontrolsmadeitsappearancewhenLindenLabsstarteddiscriminatingbetween'veried'and'unveried'accounts(theformerbeingthosewheretheplayerhadusedacreditcardtosubscribe)1.
Marketsforgamegoodsarealsogettingbetterorganised.
Forseveralyears,magicswordsandgoldcoinsweretradedingreymarketsoneBay,butstartingwithSony's'StationExchange'in2005,gameoperatorsbeganrunningproperauctionsiteswhereplayerscantradegamegoodsforrealmoney.
In2006,wehadreportsoftherstseriousfraud:crooksusedstolenidentitiestosetuphundredsofthousandsofaccountsontheSouthKoreangameLineage,with1TheFinancialActionTaskForce—aninternationalbodythatbulliescountriesintoask-ingpeoplewhoopenbankaccountstoprovidegovernment-issuephoto-IDandtwoutilitybills—wantspaymentsystemsthatdon'tparticipateintheir'identitycircus'toimposelimitsonpaymentamountsandvelocity.
That'swhyaccountsatPayPalorevenAfricanmobile-phonepaymentsystemsrestrictwhatyoucandoifyou'reunveried.
734Chapter23TheBleedingEdgeallegedlysomeinsidehelp,andcashedoutbysellingsome$15mingamegoods[758].
Thisallhelpstoraisethestakesingaming,andtomakestabilitymoreimportant.
ItalsobringsusnaturallytoeBayandtoother'real-world'webapplications.
23.
3WebApplicationsWhileonlinecomputergamesarepartlyimplementedinserversandpartlyinclientsoftware,anincreasingnumberofservicesareentirelyonlineandaccessedviaastandardwebbrowser.
TheyrangefromauctionserviceslikeeBaythroughsearchenginessuchasGoogleandYahoo,onlinemailserviceslikeHotmailandAOL,onlinewordprocessorssuchasGoogledocuments,ande-commercesitessellingallkindsofgoodthings(andbadthings).
Someindustries—travel,entertainment,insuranceandbookselling—havemovedmuchoftheirsalesonline.
Andtherecenttrendtosocialnetworkingbringsinallsortsofnewangles.
Therearemanyproblemscommontoallmannerofwebsites.
Oneisthatwebserversareofteninsufcientlycarefulabouttheinputtheyacceptfromusers,leadingforexampletotheSQLinsertionattacksIdiscussedinsection4.
4.
2.
Anotherincreasinglycommonvulnerabilityiscross-sitescripting(XSS).
Scriptinglanguagessuchasjavascriptaresupposedtoobserveasameoriginpolicyinthatscriptswillonlyactondatafromthesamedomain;youdon'twantascriptfromaMaa-runpornsiteactingonyourelectronicbankingdata.
Butthispolicyhasbeenrepeatedlycircumvented,exploitingeverythingfromcarelessly-writtenwebservicesthatletusersuploadhtmlcontainingscriptsthatotheruserscanthenreadandexecute,toerrorsinthedesignofvirtualmachines—suchastheFirefoxjavascriptbugdiscussedinChapter18.
WebservicesasdiverseasHotmail,Orkut,MyspaceandevenPayPalhavebeenhackedusingXSSexploits,andremovingthemcompletelyfromyoursiteinvolvesverycarefulprocessingofalluser-suppliedhtmlcode.
However,evenifyourownsiteisclean,yourcustomersmaystillbevulnerable.
Thelatesttricksinvolveusingwebservicestolaunderorigin:forexample,theattackermakesamash-upofthetargetsiteplussomeevilscriptsofhisown,andthengetsthevictimtoviewitthroughaproxysuchasGoogleTranslate[1239].
Theproblemsarecompoundedwhenasinglermprovidesawiderangeofservices.
Google,forexample,offerseverythingfromsearchthroughmapstomailandword-processing,andotherlargeservicecompaniesalsohavebroadofferings.
Wheremanyservicesliveatthesamedomain,thesameoriginpolicydoesn'tdomuchwork,andtherehaveindeedbeenanumberofXSS-typevulnerabilitiesbetweenapplicationsatGoogleandelsewhere.
Therearealsoprivacyconsequencesofserviceaggregation,whichI'llcometolater.
23.
3WebApplications735Afurtherbundleofproblemswithwebservicesisthattheirstructureisusuallyatleastpartiallyopentoinspection.
Auserispassedfromonepagetoanotherashegoesthroughaprocesssuchasbrowsing,search,productselectionandpayment;theattackercanreadthehtmlandjavascriptsource,observehowparametersarepassed,andlookfornuggetssuchasSQLqueriesthatcanbemanipulated[78].
Hecanalsolooktoseewhetherinputchoicesarescreenedbyjavascript,andtrybypassingthistoseeifinterestingthingscanbedone(thisneedn'tmeanbufferoverows,butevenjustsuchsimplehacksasorderingstuffatadiscount).
Hecanalsomonkeywithhiddeneldstoseeifthey'reusedtopassinterestingdata.
Aprudentdeveloperwillassumethatclientsaremalicious—butmostdevelopersdon't;therushonlinebymillionsofbusinesseshastotallyoutpacedtheavailablesecurityskills(andtools).
Asaresult,manyservicesarenotonlybuggybutopentomanipulation.
Somuchpersonalinformationisnowstoredonweb-basedapplicationsthatasuccessfulattackercanmakeoffwithlargeamountsofexploitabledata.
InNovember2007,Salesforce.
comadmittedthatithadlostthecontactlistsofanumberofitscustomersafteranemployeegotphished;forexample,itscustomerSunTrusthad40,000ofitsowncustomerscompromisedofwhom500complainedofbademailsthatseemedtocomefromSunTrust[743].
Theseemailstriedtoinstallmalwareontheirmachines.
Inanearlierincident,Monster.
com'sresumedatabasewasbreached,compromising1.
3millionjobseekers.
(Theseincidentsraiseaquestionabouttheadequacyofcurrentbreachdisclosurelaws,manyofwhichdon'tconsidersomeone'semailaddressandthenameofoneoftheirbusinesscontactstobe'personalinformation'whoselossisnotiable—butclearlysuchlossesshouldbenotied.
)Somuchforgeneralvulnerabilities.
Let'snowlookatthespecicproblemsofsomecommonwebservices.
23.
3.
1eBayTheleadingauctionsite,togetherwithitspaymentservicecompanyPayPal,aresignicanttothesecurityengineerforquiteanumberofreasons.
Forstarters,they'rethephishermens'largesttargetbyfar,aswellasbeingtheplatformforlotsofold-fashionedfraud.
PhishingattacksagainstPayPaldirectlyarenotmuchdifferentfromtheattacksagainstbanksthatIdiscussedinChapter2(exceptinthatasPayPalisn'tabank,itscustomersdon'thavetheprotectionofbankinglaw,suchastheU.
S.
RegulationE,andrelyonPayPal'sgoodwilltomakegoodtheirlosses).
Manyotherfraudsarevariantsofoldcommercialscams.
Forexample,huckstersemailtheunderbiddersinanauction,offeringgoodsimilartothosethatwereonsale—butwhichturnouttobeshoddyornonexistent.
AndoneofthebiggestscamsoneBaywasrunbyatraderinSaltLakeCitywhosoldlaptopsonline.
Firsthetradedhonestly,selling750laptopslegitimatelyandaccumulatingagoodreputation;thenhe736Chapter23TheBleedingEdgetookmoneyfor1000morethathedidn'tdeliver.
Thatsortoftradingstrategyhasbeenaroundaslongascommercehas.
Buttheauctionsiteaddsanothertwist.
Itprovidesareputationservicewherebyhonesttradersaccumulategoodreferencesfromtheirtradingpart-ners,andmanysmall-timeoccasionalsellershaveacquiredhightrustratings.
Soanincreasinglycommonattackistohijackoneoftheiraccounts—whetherbypasswordguessing,phishingorsomethingmoretechnical—andusethisforfraud.
Accounttakeovershavebeenreportedtobegrowingrapidlyfromthestartof2007[542].
Theeasywaytoexploitahijackedaccountistosellnonexistentgoods,takethemoneyandrun,buttherearemanyvariants.
Atrickthat'sgrowinginpopularityin2007isthefakeescrowsite.
Thebadguyoffersacarforsale;youwintheauction;hethensuggeststhatyouuseanescrowservicetowhichhe'llshipthecarandyou'llpaythemoney.
Realescrowservicesdoactuallyexist,suchasescrow.
com,butsodomanydodgyservicessetupbyfraudgangs[57];ifyouwirethemthemoneythat'sthelastyou'llseeofit.
Escrowscamsareanexampleofreputationtheft,whichbringsustoGoogle.
23.
3.
2GoogleGoogle'ssecuritymanagerlookssettohaveoneofthemostinterestingjobsinthebusinessoverthenextveyears,justashercounterpartsatMicrosofthavehadoverthelastve.
ThesheerscaleofGoogle'sactivitiesmakeitbothatargetandaconduitforallsortsofwickedness.
Again,someofit'sasoldassin,butotherattacksarequitenovel.
AgoodexampleisGooglehacking,wherepeopleuseasearchenginetolookforvulnerablemachines.
TheonlineGoogleHackingDatabasehashundredsofexamplesofsearchstringsthatturnupeverythingfromunpatchedserverstolescontainingpasswords[810].
Suitablesearchescanalsobeusedagainsthumantargets:thesecanbesearchesforanyonewho'sexposedthemselvesinsomespecicway,suchasbyleavingtheirsocialsecuritynumbervisibleonline,orsearchesforusabledataonsomespecicperson.
Ifyou'reapossibletarget,it'sagoodideatodothesearchrst.
Forexample,Iwasatargetforawhileofananimal-rightsterrorgroup2,soIusedthemainsearchenginestondoutwheremyhomeaddresscouldbefound.
Companiesandgovernmentsregularlysearchfortheirownsecretstoo.
SearchhassimplychangedtheworldsinceAltavistaburstontheworldalittleoveradecadeago;inquiriesthatpreviouslywouldhavetakentheresourcesofamajorgovernmentcannowbeconductedfromanyone'slaptopormobilephoneinseconds.
Andalthoughthebenetsofthisrevolutiongreatlyoutweighthecosts,thecostsaren'tzero.
2IwasanelectedmemberofthegoverningbodyofCambridgeUniversity,whichwasthinkingofbuildingamonkeyhouse.
23.
3WebApplications737ThetwomaininnovationsthatenabledGoogletopullawayfromtheothersearchengineswerethePagerankalgorithm,whichranksapagebasedonthenumberofotherpagesthatlinktoit,andtheideaoflinkingsearchtotargetedadvertising,ratherthanthebanneradsusedbyearlierengineslikeAltavista.
Anumberofsmalltextadsareplacedonthesearchresultpage,andadvertisersbidagainsteachotherforspecicsearchtermsinacontinuousauction.
Advertisersarechargedwhenauserclicksononeoftheirads.
Googlealsoletspublishersputlinksontheirwebpagesinwhichitservesadsrelevanttothepagecontent,andpaysthemapercentageoftheclick-throughrevenue.
Thishasturnedouttobehugelypopularandprotable,andhasrevolutionisedclassiedadvertising.
Yetit'sbroughtwaveafterwaveofattacks.
Thebigproblemin2006wasclick-fraud;yourrm'scompetitorsclickrepeatedlyonyourads,therebyburningupyouradbudget.
Click-fraudcanalsobedonebypublisherswhowanttomaximisetheircommissions.
Googleaddedvariousalgorithmstotrytodetectclickfraud:repeatedclicksfromoneIPaddress,forexample,arediscountedwhenitcomestobilling.
Attackersthenguredoutthattheorderinwhichadsappeareddependsontheclick-throughrate,asGoogleoptimisesitsownrevenuebyrankingpopularadshigher.
Thisledtoafurtherservice-denialattack,impressionspam,inwhichyourcompetitorrepeatedlycallsuptheresultspagesinwhichyouradsappearbutdoesn'tclickonthem.
Thiscausesyourclick-throughratetoplummet,soyouradsgetdowngraded.
In2007,oneofthebigproblemswasGooglearbitrage.
Apublisherbuyscheapadstodrivetrafctohissite,wherehewritesabouttopicsthatattractmoreexpensiveads.
Ifcustomerswhoarriveathissitecheaplyleaveviaamoreexpensiveroute,hemakesaprot.
Attitudestothisaremixed.
Buyingadsinordertoselladshasalongenoughhistory;yourlocalpaperprobablylivesfromclassiedadvertising,andmayalsohavepostersallovertown.
Someadvertisersthinkit'sfraud:theypayforclicksfrompeoplefreshoffsearches,andinsteadgetsecond-handtrafcfrompeopleescapingboringwebpagesthattheydidn'treallywanttogoto.
Googleactsfromtimetotimeagainstthearbitrageurs,whoseprotsweredwindlingbyyearend.
Butthisisjustasmallpartofalargerproblem,namely'MadeforAdsense'(MFA)sites.
Onepatternwe'vedetectedisthefakeinstitution:thescamstercopiesanexistingcharitableoreducationalwebsitewithonlyminorchangestothecontentandusestheknock-offtohostsomethingwithahighcost-per-clicksuchasjobads.
Theideaisthatwherewebsitesarehighlyranked,copiesofthemwillbetoo:andsomeoftheboguscharitiesevensetouttoexchangelinkswithrealonestofurtherconfusetheissue3.
3That'showwestumbledacrossthenetwork,whentheyofferedanadexchangewiththeFoundationforInformationPolicyResearch,whichIchair.
738Chapter23TheBleedingEdgeAnotherseriesofsitesisrunbyarmthatbuysupabandoneddomainnames,writesrelevanteditorialcontent,andllsthemwithads.
(Thecontentiswrittenforfreebyjournalismstudentswholookforplacesatwhichto'intern'aspartoftheircourse).
WhenIpresentedananalysisofsuchsitesatGoogle,thereactionwasmixed.
There'saseriouspolicyquestionhere:althoughonemightnotthinkverymuchofthecontent,thisisinsomesenseanewliterarygenrethat'semergedonthebackoftheAdsensemodel,justassoapoperasemergedonceTVstationsstartedbeingfundedbyadvertsforfast-movingconsumergoods.
Googlers'viewonbalancewasthatsuchsitesshouldbelefttomarketforces.
Butthereareclearlysomeclosejudgmentcallsbetweenwhat'sabuseandwhat'smerelytiresome.
Therearemanyinterestingresearchproblemshere,suchashowonegoesaboutidentifyingandmappingboguscommunities,wherelinkshavebeenmanufacturedtocreateasemblanceofrealsocialoreconomicactivityinordertofoolthePagerankalgorithm,andhiddencommunities,suchasthenetworkofsitesbasedonabandoneddomainnames.
Thelatter,atleast,issimilartotheproblemsfacedbypoliceandintelligenceagenciessearchingforinsurgentgroups,whiledistinguishingboguscommunitiesfromgenuineonesmayalsocometodependonincreasinglysophisticatedtrafcanalysisandsocial-networkanalysisofthesortdiscussedinsections19.
3.
1,21.
5and24.
3.
2.
ThisbringsusinevitablytotheissuethatmostobserversconsidertobeGoogle'sAchillesheel:privacy.
Privacyconcernsoperateatmanylevels.
First,there'sunauthorizedaccesstodata.
Whenarmwithtensofthou-sandsofemployeesholdspersonaldataonhundredsofmillionsofpeople,there'saclearriskthatinformationwillleak—perhapsviaadisgruntledinsider,orperhapsviaanexploitofsomekind.
ThesearebasicallytheissuesIdiscussedinChapter9,althoughonamuchlargerscalethaneverbefore.
Second,there'sprivacylaw.
Forexample,theEuropeanCommissionisindisputeabouthowlongclickstreamdatashouldbekept:Google'sagreedto'de-identify'clickstreamsafter18months,butthisdoesn'treallysatisfytheCommission.
Insection9.
3.
1IdiscussedhowAOLreleasedanonymisedsearchhistoriesfor'research',andsomeuserswerepromptlyidentiedfromtheirsearchpatterns;fromthetechnicalpointofview,achievingprivacyviaanonymityrequiresfrequentchangesofpseudonym.
(I'llreturntoprivacylaterwhenIdealwithpolicy.
)Third,there'slawfulaccesstoauthoriseddata,aswhentheFBI(oradivorcelawyer)turnsupinMountainViewwithasubpoena.
Variouspeople,forvariousreasons,willwanttolimitthepossibledamageresultingfromoneofmoreofthesepossibletypesofprivacyexposure.
23.
3WebApplications739Andthetensionslooksettobecomesteadilymoreseriousasmoreinformationaboutusbecomesavailableandsearchable.
Butbeforewegoontoexamineprivacytechnology,there'sathirdtypeofwebservicethatcancollectevenmoreintimateandpervasiveinformation:thesocial-networkingsite.
23.
3.
3SocialNetworkingSitesSocialnetworkingsitessuchasMySpaceandFacebookhavetakenoffrapidlysinceabout2004,andarenowusedbylargenumbersofyoungpeopletoorganisetheirsociallives.
Othersitesaimatorganisingprofessionals.
Theeldisdevelopingrapidly,butasIwriteinJanuary2008,themainusersarestilltheyoung,andthetypicalsiteoffersnotjustaplacetostoreahomepagebutwaystolinktoyourfriends'pagestoo.
Thekeyideaisthatthesitemirrorstheunderlyingsocialnetwork:theaddedvalueisthatitenhancesyoursocialnetworkbyhelpingyoucommunicatewithfriendsmoreconve-nientlyandbymakingnewfriends.
Theaccess-controlmechanismstypicallyletyourfriendsseemoreofyourstuff;therearemessagingservicessuchasforums,chatroomsandinstantmessenger,tosupportsocialinteraction;andtherearevariousstructuredmethodsofgettingtoknowpeople.
Onsomesites,youhavetobeintroducedbymutualacquaintances;onothers,youcansearchforpeoplewhomeetgivencriteriasuchasage,location,musicaltastes,hobbies,sexandsexualorientation.
Societyalwayshadsuchmechanisms,ofcourse,intheformofclubs,andsomepeopleseesocialnetworkingmerelyasakindofonlinecocktailparty.
However,thesocial-networkingrevolutionenablesrapidinnovationofthemechanismsthatpeopleusetoformfriendships,lookforpartnersandsetupprofessionalandbusinessrelationships.
Theputativebusinessmodelis,rst,thatthehugeamountofinformationsubscribersmakeavailabletotheoperatorsofthesesiteswillenableevenbettertargetedadvertisementthanonGoogle;andsecond,thatfriendshipnetworkscancreatemassivelockin,whichisthesourceofvalueintheinformationindustries.
It'shardnottohaveapageonFacebookifallyourfriendsdo,andhavingahundredmillionpeoplekeepingtheiraddressbooksandmessagearchivesonyourserversratherthanontheirownPCsmayseemlikealicensetoprintmoney4.
Sowhatproblemsshouldyouanticipatewhendesigningasocial-networkingsiteMuchgovernmentadvicecentresonthefearmongeringaspects:youngpeoplerevealalotaboutthemselvesonsocialsites,andcanattractsexpreda-tors.
It'scertainlytruethattheInternethashadaneffectonsexcrimes,while4Don'tforgetfashionthough:inEnglandeveryoneseemstohavehadaMySpacepagein2006,andmostpeoplehaveaFacebookpagenowin2007—butBraziliansuseOrkut,andwhocantellwhatwillbecoolin2012740Chapter23TheBleedingEdgenosignicantimpacthasbeendetectedonanyothercategoryofoffense.
ItsuptakeacrossU.
S.
statesandothercountrieswasassociatedwithasmallrisein'runaways',thatis,under-18sleavinghomewithouttheirparents'permis-sion.
Somerunawayswerenodoubtkidsescapingunsatisfactoryhomesorsimplyheadingofftoseektheirfortunes;thekeyquestionishowmanyofthemwereabused.
TheguresshowthatInternetuptakewascorrelatedwithadropinreportedcasesofrape,andthattherewasnoincreaseinthemurderrate[709].
Onemightworryaboutwhetherrunawayteensturntosexwork,butprostitutionalsofellastheInternetspread.
Itmightstillbearguedthatasmallincreaseinsexualabuseofrunawayteenswasmaskedbyalargerfallinsexcrimesoverall,causedinturnbythegreateravailabilityofpornography;butthedropinsexcrimeswassignicantonlyamongmaleoffendersaged15–24andtherewasnocorrespondingincreaseofolderoffenders.
AndyoungpeopleI'vetalkedtotaketheviewthatfendingoffunwantedadvancesfromoldermenisjustpartoflifeanyway,whetherofineoronline.
Theviewyoutakeofallthis,ifyou'rebuildingsuchasystem,maydependonwhetheryoursiteisaimedatdistancenetworking—aswithphotographersfromdifferentcontinentstradingpicturesandtipsonFlickr—oratnetworksinvolvingphysicalrelationships.
Inthesecondcase,thenextquestioniswhetheryourestrictmembershiptoteensandabove,asFacebookdoes,orletanyonejoin,asMySpacedoes.
There'sareasonablediscussionofthepolicyandtechnicalissuesfromENISA[615].
Asforyoungerchildren,it'sclearlyprudentforparentstokeepaneyeononlineactivities;thejuniormembersofourfamilygettousethecomputerinthekitchen,whichalsohelpsgetacrossthemessagethattheInternetispublicspaceratherthanprivatespace.
ENISAalsorecommendsthatschoolsshouldencourageratherthanprohibitsocialnetworkuse,sothatbullyingcanbereportedanddealtwith.
Bullyinghasalwaysbeenalow-gradeproblemforschools,eruptingintoveryoccasionaltragedywithsuicidesorkillings.
BeforetheInternet,bulliedchildrencouldescapeforlongperiodsoftimeathomeandwithfriends;nowadaysthetauntingcanfollowthemtotheirbedrooms.
ThiscanmakeitallthemoremiserableiftheirInternetuseissecretandfurtive.
Thecureistobringthingsintotheopen.
Theseare,ofcourse,broadissuesthatapplytoInternetusegenerally,notjusttosocialnetworkingsites.
Andonthefaceofit,youmightexpectsocialnetworkingsitestobelessdangerousthanrandomonlinechatrooms,astheserviceoperatorhasanincentivetolimitegregiousabusebecauseoftheasso-ciatedreputationrisk.
ButwhataretheinterestingsecurityengineeringissuesOneemergingpropertyofsocialnetworkingsystemsisthesheercomplexityofsecuritypolicy.
InChapter4,Idiscussedhowaccesscontrolsaresimpleclosetothehardware,butgetmorecomplexasyoumoveupthestackthroughtheoperatingsystemandmiddlewaretotheapplication.
Socialnetworkingapplicationsattempttoencapsulateasignicantsubsetofhumanbehaviour23.
3WebApplications741ingroups;theresultisever-morecomplicatedsetsofrules,whichareverydifcultforuserstomanage.
Forexample,settingprivacypolicyonFacebookinOctober2007meanswadingthroughnolessthansixscreensofaccessoptions—essentiallyasetofaccesscontrolliststodifferentpartsofyourprole.
Andthecontrolsaren'tlinear;photos,forexample,haveapolicyofopt-inandopt-out.
IfIrecogniseyouinaphotoonsomeone'spage,Icantagthatphotowithyourname,butthetagwon'tbepubliclyvisibleuntilthephotoowneragrees(theopt-in).
Ifyou'reaFacebookmemberyou'llbenotied,andyoucanremovethetagifyouwant(theopt-out)[450].
Howeveryoumightnotnoticethetag,andthiscouldhaveconsequencesifthephotowereembarrassing—say,adrunkenparty.
Forexample,onNewYear'sday2008,followingtheassassinationofBenazirBhuttoinPakistan,theUKpresspublishedaphotoofhersonandpoliticalheirBilawalBhutto,dressedupinadevil'scostumewithredhornsforaHalloweenparty,whichwasfoundontheFacebooksiteofoneofhisstudentfriends.
Manypeoplejustdon'tunderstandwhatthetermsusedintheaccesscon-trolsmean.
Forexample,ifyoumakephotosavailabletothe'community',thatmeansbydefaultanyonewithanemailaddresswithinyourinstitu-tion—whichhasledtocampuspolicehavingdiscussionswithpeoplewho'veuploadedphotosofassortedkindsofrulebreakingactivities[463].
Facebookalsodoesn'tdealwithmultiplepersonae;forexample,I'mRossthecomputerscientist,Rossthetechnology-policyguy,Rossthemusician,Rossthefamilyman,andsoon—andasIcan'tseparatethem,I've'friended'onlypeopleIknowfromthersttwocommunitiesonFacebook.
Therearealsosomequitesubtlepolicyissues:forexample,you'dthinkitwasalrighttopublishinformationthatwasalreadypublicWrong!
TherewasahugerowwhenFacebookaddedanewsfeedfeaturethatnotiedallyourstatuschangestoallyourfriends.
Previously,ifyou'dbrokenupwithyourgirlfriend,thiswouldbepubliclyvisibleanyway(assumingyoumadepartnershipdatapublic).
Suddenly,suchachangewasautomaticallyandinstantlybroadcasttoyourentiresocialcircle—whichupsetalotofpeople.
It'snotjustthatthesitehadautomatedsomeofthesocialaspectsofgossip;itsuddenlymadesocialfauxpasveryvisible[216].
Thisfeaturecannowbeturnedoff,buttheextracomplexityjustmakesitevenharderforpeopletomanagetheirprivacy.
Anotherexampleissearch.
Mostwebservicesrmsaretemptedtouseprivatedatainpublicsearchesinordertomakethemmoreprecise.
Backintheearlydays(2004),itturnedoutthatsearchonFriendsterleakedprivatedata:achainofsuitably-chosensearchescouldinferauser'ssurnameandzipcodeevenwherethisdatahadbeensetasprivate[902].
Themoralwasthatpublicsearchesshouldneverbeallowedtoreturnresultsbasedonprivatedata.
Anotherlessonthatshouldhavebeenmorewidelylearnedisthatoncethesocialnetworkisknown,inferencecontrolbecomesmuchharder.
Friendster742Chapter23TheBleedingEdgedulyxeditssystems.
YetthebugwasrediscoveredinFacebookin2007:Facebookhadsimplyleftittouserstodecidewhethertheywantedtoturnoffsearchonprivateterms,andessentiallynoneofthemhaddoneso[1197].
That'snowxed,buttheissuearoseyetagainwhenFacebookmadeavailablestripped-downversionsofuserprolestoGoogle.
Oncemore,ithadbeenlefttouserstobecomeawareofthisriskandturnofftherelevantfeature;oncemore,almostnobodydidso[694].
Facebookappearstohaveastrategyofdumpingallthereallyhardsecuritydecisionsontheusers—sotheycanrespondtocriticismbyblamingusersfornotturningofffeaturesXandY.
Searchabilitybydefaultmaybeintheirshort-termnancialinterest,buttheendresultcantooeasilybeunusablesecurityplusunsafedefaults.
Anothertensionbetweencorporategrowthandsecurityusabilitywasarecentdecisiontoallowthird-partyapplicationdevelopersaccesstoproledata.
Whensomeonebuildsanappthatallowspeopletoexportphotos(say)fromFlickrtoFacebook,thenhowoneartharewetoevaluatethatEvenifthetwosystemsaresecureinisolation,there'snoguaranteethatthiswillcompose—especiallywheresystemshavecomplexandever-changingAPIs,andcomplexhard-to-useprivacypolicies.
Then,inlate2007,Facebookfacedarevoltofitsusersafteritintroduced'Beacon',anadvertisingsystemthattoldusers'friendsaboutwhatthey'djustpurchasedonotherwebsites,andmadethefeatureopt-outratherthanopt-in.
MarkZuckerberg,founderandchiefexecutive,apologizedtothesite'susersforhandlingthematterbadly.
(Itremainstobeseenwhetherfuturemarketingideaswillbeopt-in.
)Thereareboth'soft'and'hard'issuesbundleduphere.
Atthesoftend,peoplepresentdifferentpersonaeatdifferentsites;forexample,byplacingdifferentkindsofphotosonFlickrandFacebook[1276].
Atthenastierend,notallapplicationsarewrittenbylarge,respectablecompanies.
Yetonceyouauthoriseathird-partyapplicationtoaccessyourprole,itcandomostanythingyoucan—includingspammingyourfriendsandsellingtheirpersonalinformationtothirdparties.
There'sasenseinwhichmakinga'friend'onFacebookisthedigitalequivalentofunprotectedsex—you'reexposedtoeverythingthey'vegot.
Alltheusualtusslesbetweenfreespeechandcensorshippopuptoo.
Forexample,inFlickr,you'renotsupposedtouploadphotosyouwouldn'tshowyourmumunlessyoutagthemas'restricted'(i.
e.
adult).
You'renotallowedtoviewsuchmaterialifyou'reinGermany,orsearchforitinSingapore.
Yetacolleaguewhouploadedartnudeshadhisaccountblacklistedas'unsafe',eventhoughhe'squitehappytoshowhismumhiswork.
Andasfarasdataprotectionlawisconcerned,Facebooktendstorevealthedatasubject'srace,sexlife,health,religion,politicalbeliefsandwhetherhebelongstoatradeunion—preciselythose'sensitive'typesofdatathatgetspecialprotec-tionunderEuropeanprivacylaw[235].
23.
3WebApplications743There'safurtherbunchofproblemsattheinterfacebetweentechnicalandsocialmechanisms.
Forexample,youmakecondentialinformationavailabletoyourfriends,oneofwhomgetshisaccountcompromised,andyourdataendsuppublic.
Whenthiswasrstreported(in2003),pioneersexpectedthatsocialpressureswouldmakeusersmorecareful[961],butthishasn'thappened.
Theunderlyingreasonsmaybefamiliar:inaworldofstrongnetworkexternalities,systemsstartoffinsecureinordertogrowasquicklyaspossible.
ButwhileWindowsandSymbianwereinsecureinordertoappealtocomplementerswhilebuildingadominantpositioninatwo-sidedmarket,social-networksiteoperatorsbiastheiralgorithmsandtheirpresentationtogetpeopletoenrolasmanyfriendsaspossible.
Thisunderminesanypossiblesocialdiscipline.
Othersocio-technicalattacksincludecross-sitescriptingvulnerabilities,ofwhichtherehavebeenplenty[902].
Spamisrisingfast,andaparticularlyominousproblemmaybephishing.
ArecentexperimentatIndianaUniversitysentphishtoasampleofstudents,askingthemtocheckoutanoff-campuswebsitethatsolicitedentryoftheiruniversitypassword.
Thesuccessratewiththecontrolgroupwas16%butagrouptargetedusingdataharvestedfromsocialnetworksweremuchmorevulnerable—72%ofthemwerehookedbythephish[653].
Alreadythere'sasignicantamountofphishingbeingreportedonMySpace[796].
I'llnishupthissectionbymakingtwomoregeneralpoints.
Therstisthat,asthesocial-networkingsiteslearnrapidlyfromexperienceandcleanuptheiract,thelargestmedium-termproblemsmaywellbe,rst,themigrationonlineofreal-worldsocialproblemssuchasbullying;andsecond,thatmanyteensputstuffonlinethatthey'lllaterregret,suchasboastsofexperimentswithdrink,drugsandsexthatgetdugupwhentheyapplyforjobs.
InSeoul,agirlwasaskedtopickupsomepooleftbyherdog,andrefused;abystanderlmedthis,shebecameknownas'dogpoogirl',andshewashoundedfromuniversity[1201].
Althoughthat'sanextremecase,theprincipleisnotreallynew:peoplewhopostedimmoderatelyontheoldnetworknewssystemsometimesfoundthemselveshauntedby'theGhostofUsenetPostingsPast'[507];andtheretalesgoingbackcenturiesofsocialfauxpasthatruinedlives,familiesandfortunes.
Butwhileinoldentimesitwouldmostlikelybealapseofmannersatcourtthatgotyouinbadtrouble,nowitcanbealapseofmannersonthesubway.
Theworldissteadilybecomingmoredocumented—morelikethevillagesmostofuslivedinuntiltheeighteenthcentury,whereeveryone'sdoingswereknown.
Backthen,thevillagegossipswouldserveupam`elangeofassortedfactoidsaboutanyonelocal—sometrue,andsomefalse—whichpeoplewouldusewhenformingopinions.
Nowadays,Googlehastakenoverthatrole,andit'smuchlesssusceptibletosocialpressuretocorrecterrors,744Chapter23TheBleedingEdgeorforgivetheoccasionalblundersofotherwisedecentpeople.
Also,muchoftheanonymitythatpeoplegotfrommovingintotownsduringtheindustrialrevolutionisbeinglost.
Theeffectofpersistentsocialmemoryonsocialproblemswillbemixed.
Bullyingmaybemitigatedbecauseoftherecordleftbehind,whiletheembarrassmentproblemmayberesolvedbysomecombinationofamorerelaxedattitudetoyouthfulindiscretions,plusgreaterdiscretiononthepartofyouth.
We'llhavetowaitandseewhichdominates,butearlysignsarethatpeoplearebecomingmorerelaxed:thePewInternet&AmericanLifeProjectfoundthat60%ofAmericansareunconcernedin2007aboutthe'digitalfootprint'theyleavebehind,whileinasurveyin2000,84%wereworried.
Sowe'relearningtocope'[1229].
(Discretionispartofcoping,andthatmayinvolvetheuseofapseudonymornicknamethatisn'ttooeasyforoutsiderstolinktoyourrealperson,butI'lldiscussallthatinthenextsection.
)Second,socialnetworksystemshavethepotentialtodoanawfullotofgood.
TheHarvardsociologistRobertPutnamdocumented,inhisinuentialbook'BowlingAlone',howsocialnetworksinAmericaandelsewhereweredamagedbytheadventoftelevision,themovetothesuburbsandeventhemovebywomenintowork(thoughTVdidbyfarthemostdamage)[1052].
Thebaby-boomgeneration,whowerethersttoberaisedwithTV,aremuchlesslikelytojoinclubs,knowourneighbours,meetfrequentlywithfriendsorparticipateinteamsportsthanourparentsdid,andthesucceeding'generationX'arelesslikelystill.
Nowitseemsthatsociabilityistickingupwardsoncemore.
WhatTVandmassconsumerculturetookaway,thePCandthemobilephonemaybegivingback.
Easiercommunicationnotonlymakespeoplecommunicatemorebutindifferentways;theoldcommunitiesbasedongeographyarebeingsupplementedbycommunitiesofsharedinterest.
Weacademicswereamongthersttobenet;thecommunitiesofpeopleinterestedincryptography,orprotocols,ornumbertheory,havebeenheldtogetherasmuchbytheInternetasbytheconferencecircuitformanyyears.
Nowthesebenetsarespreadingtoeverybody,andthat'sgreat.
Social-networkingsitesalsoprovideaplatformforrapidexperimentationandinnovationinnewwaysofmakingandmaintainingfriendships.
Andtheymaybebrilliantforthegeeky,theshy,theugly,andpeoplewithborderlineAsperger's.
Buttotheextentthattheytrytoencapsulatemoreandmoreofthecomplexityofrealsociallife,theirpolicieswillbecomeevermorecomplex.
Andjustaswe'relimitedinourabilitytobuildlargesoftwaresystemsbytechnicalcomplexity,sosocial-networkingsystemsmayexploreanewspaceinwhichpolicycomplexity—securityusability,inanewguise—mayprovideoneoftheultimatelimitstogrowth.
Itwillbeinterestingtowatch.
23.
4PrivacyTechnology74523.
4PrivacyTechnologyAsbusinessmovesonline,vastamountsofinformationstarttogetcollected.
Intheolddays,youwalkedintoarecordstoreandboughtanalbumforcash;nowyoudownloadatrackfromaserver,whichdownloadsalicensetoyourPC.
Thecentrallicenseserverknowsexactlywhoboughtaccesstowhat,andwhen.
Marketersthinkthisismagnicent;privacyadvocatesareappalled[410].
Themovetopervasivecomputingisalsogreatlyincreasingtheamountofinformationheldonusbyothers—forexample,ifpeoplestartusingapplicationsintheirmobilephonestotracktheirsocialnetworksandhelpthemmanagetheirtimebetter[407].
Therewillnodoubtbeallsortsof'musthave'applicationsinthefuturethatcollectdataaboutus,whichmeansgrowinguncertaintyaboutwhatwillbeavailabletowhom.
Technologyisalreadyputtingsomesocialconventionsunderstrain.
Inpre-technologicalsocieties,twopeoplecouldwalkashortdistanceawayfromeveryoneelseandhaveaconversationthatleftnohardevidenceofwhatwassaid.
IfAliceclaimedthatBobhadtriedtorecruitherforaninsurrection,thenBobcouldalwaysclaimtheconverse—thatitwasAlicewho'dproposedtooverthrowthekingandhewho'drefusedoutofloyalty.
Inotherwords,manycommunicationsweredeniable.
Plausibledeniabilityremainsanimportantfeatureofsomecommunicationstoday,fromeverydaylifeuptothehighestreachesofintelligenceanddiplomacy.
Itcansometimesbexedbyconvention:forexample,alitigantinEnglandcanwritealettermarked'withoutprejudice'toanotherproposingasettlement,andthislettercannotbeusedinevidence.
Butmostcircumstanceslacksuchclearandconvenientrules,andtheelectronicnatureofcommunicationoftenmeansthat'juststeppingoutsideforaminute'isn'tanoption.
WhatthenAnotherissueisanonymity.
Untiltheindustrialrevolution,mostpeoplelivedinsmallvillages,anditwasarelief—infactarevolution—tomoveintoatown.
Youcouldchangeyourreligion,orvoteforaland-reformcandidate,withoutyourlandlordthrowingyouoffyourfarm.
Nowadays,thephrase'electronicvillage'notonlycapturesthewayinwhichelectroniccommunicationshaveshrunkdistance,butalsothefearthattheywillshrinkourfreedomtoo.
CantechnologydoanythingtohelpLet'sconsidersome'users'—somepeoplewithspecicprivacyproblems.
1.
AndrewisamissionaryinTexaswhosewebsitehasattractedanum-berofconvertsinSaudiArabia.
Thatcountryexecutescitizenswhochangetheirreligion.
Hesuspectsthatsomeofthepeoplewho've746Chapter23TheBleedingEdgecontactedhimaren'trealconverts,butreligiouspolicemenhuntingforapostates.
Hecan'ttellpolicemenapartfromrealconverts.
Whatsortoftechnologyshouldheusetocommunicateprivatelywiththem2.
Bettyisyourten-year-olddaughter,who'sbeenwarnedbyherteachertoremainanonymousonline.
Whatsortoftrainingandtoolsshouldyougivehertohelphermanagethis3.
CharlesisanengineerataSiliconValleystartupthat'sstillinstealthmode,andhe'srunningablog—incontraventionofhiscompany'srules.
Howcanheavoidgettingcaughtandred4.
Daiisahuman-rightsworkerinVietnam,incontactwithpeopletry-ingtosetupindependenttradeunions,micronancecooperativesandthelike.
Thepoliceharassherfrequently.
Howshouldshecommu-nicatewithco-workers5.
Elizabethworksasananalystforaninvestmentbankthat'sadvisingonamerger.
Shewantswaysofinvestigatingatakeovertargetwith-outlettingthetargetgetwindofherinterest—orevenlearnthatanybodyatallisinterested.
6.
FirozisagaymanwholivesinTeheran,wherebeinggayisacapitaloffence.
He'dlikesomewaytodownloadpornwithoutgettinghanged.
7.
GrazianoisamagistrateinPalermosettingupahotlinetoletpeopletipofftheauthoritiesaboutMaaactivity.
HeknowsthatsomeofthecopswhostafftheofceinfuturewillbeintheMaa'spay—andthatpotentialinformantsknowthistoo.
HowdoeshelimitthedamagethatfuturecorruptcopscandoThishelpstoillustratethatprivacyisn'tjustaboutencryptingphonecallsorwebtrafc.
Forexample,ifAndrewtellshisconvertstodownloadanduseaparticularcryptographyprogram,thensowillthepolicespies;andthenationalrewallwillbesettodetectanyonewhosendsorreceivesmessagesusingthatprogram.
Andrewhastomakehistrafclookinnocuous—sothatthereligiouspolicecan'tspotconvertsevenwhentheyhavefullknowledgeofwhatapostatetrafclookslike.
AndwhilesuitabletechnicalmeasuresmaysolvepartofAndrew'sproblem,theywon'tbemuchusewithBetty's.
Therisktoherislargelythatshewillgiveoutinformationcarelesslythatmightcomebacktohaunther.
Filteringsoftwarecanhelp—ifshe'snotallowedtogiveoutherhomeaddressovertheInternet,altercanlookforit,andbeepifshegetscareless—butmostoftheeffortwillhavetogointotrainingher.
There'salsowidevariationinthelevelatwhichtheprotectionisprovided.
Betty'sprotectionhastobeprovidedmostlyattheapplicationlayer,asthemainproblemisunintentionalleaksviacontent;thesameappliestoCharles.
23.
4PrivacyTechnology747However,Charlesmightfacemoresophisticatedanalysis,perhapsatthehandsofsomeonelikeElizabeth:shemighttrawlthroughhispostingslookingformetadatafromcameraserialnumbersintheimagestonamesofworkgroupsorevenprintersembeddedindocuments,sothatshecangureoutwhohe'sworkingwithonhissecretproject.
Theintensityofattackswillalsovary.
CharlesandFirozmightfaceonlysporadicinterest,whileDaiissubjectedtoconstantsurveillance.
She'lluseanonymouscommunicationsnotsomuchtoprotectherself,buttoprotectotherswhohaven'tyetcometothepolice'sattention.
Therearehugediffer-encesinprotectionincentives:Andrewmaygotoalotoftroubletomakehiswebsiteasharmlessaspossibletoitsvisitors(forexample,byhostingitonthesamemachineasmanyinnocuousservices),whilethesitesinwhichFirozisinteresteddon'tcaremuchabouthissafety.
Andrew,DaiandGrazianoallhavetothinkhardaboutdishonestinsiders.
Differentprobabilitythresholdsmarkthedifferencebetweensuccessandfailure;plausibledeniabilityofanassociationmightbeenoughtogetCharlesoffthehook,whilemeresuspicionwouldfrustrateElizabeth'splans.
Andtherearedifferentcostsoffailure:Elizabethmaylosesomemoneyifshe'scaught,whileFirozcouldlosehislife.
We'vecomeacrossanonymitymechanismsbefore,whenwediscussedhowpeoplewhodon'twanttheirphonecallstracedbuyprepaidmobilephones,usethemforawhile,andthrowthemaway.
Eventhat'shard;andevenAl-Qaidacouldn'tdoitright.
Sowhataretheprospectsforhardprivacyonline23.
4.
1AnonymousEmail–TheDiningCryptographersandMixesAsweremarkedinseveralcontexts,theopponentoftengetsmostofhisinformationfromtrafcanalysis.
EvenifthecommunicationsbetweenAliceandBobareencryptedandtheciphertexthiddeninMP3les,andevenifoninspectionneitherAlice'slaptopnorBob'scontainsanysuspiciousmaterial,themerefactthatAlicecommunicatedwithBobmaygivethegameaway.
Thisiswhycriminalssetmuchmorestorebyanonymouscommunication(suchasusingprepaidmobilephones)thanbyencryption.
Therearemanylegitimateusestoo,fromthefolksonourlistabovethroughanonymoushelplinesforabusevictims;corporatewhisteblowers;protestgroupswhowishtodiganelephanttrapforthegovernment;anonymousstudentfeedbackonprofessors;anonymousrefereeingofconferencepapersubmissions,andanonymousHIVtestswhereyougettheresultsonlineusingaone-timepasswordthatcamewithatestkityouboughtforcash.
Youmaywanttoapplyforajobwithoutyourcurrentemployerndingout,toexchangeprivateemailwithpeoplewhodon'tuseencryption,orghtaharmfulandvengefulcult.
Therearetwobasicmechanisms,bothinventedbyDavidChauminthe1980's.
Therstisthediningcryptographersproblem,inspiredbythe'dining748Chapter23TheBleedingEdgephilosophers'problemdiscussedinsection6.
2.
4.
Severalcryptographersaregatheredaroundatablefordinner,andthewaiterinformsthemthatthemealhasalreadybeenpaidforbyananonymousbenefactor,whocouldbeoneoftheparticipantsortheNSA.
Thecryptographerswouldliketoknowwhich.
Sopairsofprincipalsshareonetimepads,afterwhicheachprincipaloutputsafunctionofher'Ipaid/Ididn'tpay'bitandeveryonecanlaterworkoutthetotalparityofallsuchbits.
Aslongasnotmorethanoneofthecryptogra-pherssays'Ipaid',evenparitymeansthattheNSApaid,whileoddparitymeansthatoneofthedinerspaid,evenifnobodycangureoutwho[286].
Thismechanismcanbeconsideredtheanonymityequivalentoftheone-timepad;itgives'unconditionalanonymity',albeitatthecostofalaboriousprotocolandalotofkeymaterial.
Variousextensionshavebeenproposed,includingoneinwhich'diningdrugdealers'canauctionaconsignmentofcocainewithoutthebidders'identitiesrevealedtotheotherbiddersortotheseller.
Nobodyexceptbuyerandsellerknowwhowontheauction;andeventhesellerisnotabletondouttheidentityofthehighestbidderbeforecommittingtothesale[1219].
However,forpracticalanonymityapplications,thepioneeringinnovationwasanotherideaofChaum's,themixoranonymousremailer[284].
Thisacceptsencryptedmessages,stripsofftheencryption,andthenremailsthemtotheaddressthatitndsinside.
Initssimplestform,ifAlicewantstosendanonymousemailtoBobviaCharlieandDavid,shesendsthemthemessage:A→C:{D,{B,{M}KB}KD}KCCharlienowstripsofftheouterwrapper,ndsDavid'saddressplusacipher-text,andsendstheciphertexttoDavid.
DaviddecryptsitandndsBob'saddressplusaciphertext,sohesendstheciphertexttoBob.
BobdecryptsthisandgetsthemessageM.
Anonymousremailerscameintouseinthe1990s.
Tostartoffwith,peopleusedsingleremailers,but,asImentionedinsection22.
3.
3,anearlyremailerwascloseddownfollowingcourtactionbytheScientologists,afteritwasusedtopostmaterialcriticalofthem.
AlotofpeoplestillrelyonservicessuchasHotmailandHushmailthatprovidesimple,low-costanonymity,butifyoumightbesubjectedtolegalcompulsion(orsophisticatedtechnicalattack)it'swisenottohaveasinglepointoffailure5.
Chainableremailerswereinitiallydevelopedbythecypherpunks;theynotonlydidnestedencryptionofoutgo-ingtrafcbutalsosupportedareplyblock—asetofnestedpublickeysandemailaddressesthatletstherecipientreplytoyou.
Therearealsonymserversthatwillstorereplyblocksandhandleanonymousreturnmailautomatically.
ThemostcommondesignatpresentistheMixmasterremailer,whichalso5'Wired'wassurprisedinNovember2007whenitturnedoutthatHushmailrespondedtowarrants[1177]—whichitselfissurprising.
23.
4PrivacyTechnology749protectsagainstbasictrafcanalysisbypaddingmessagesandsubjectingthemtorandomdelays[899].
Acommonapplicationisanonymouspostingtomailinglistswithsensitivecontent—applicationsrangefromreportingsecurityvulnerabilitiesthroughabusesupporttoanonymouspoliticalspeech.
Ofcourse,ananonymousremailercouldbeanattractivehoneytrapforanintelligenceagencytooperate,andsoit'scommontosendmessagesthroughanumberofsuccessiveremailersandarrangethingssothatmostofthemwouldhavetoconspiretobreakthetrafc.
Evenso,selectiveservice-denialattacksarepossible;iftheNSArunsremailersXandY,andyoutryapaththroughXandZ,theycancausethattonotwork;soyouthentryXandY,which'works',andyou'rehappy(asarethey).
Remaileroperatorscanalsobesubjectedtoallsortsofattacks,rangingfromsubpoenasandlitigationtospamoodsthataimgettheoperatorblacklisted;DavidMazi`eresandFransKaashoekhaveapaperontheirexperiencesrunningsuchaservice[849].
Thetechnologyisstillevolving,withthelatestproposalsincorporatingnotjustmorerobustmechanismsforxed-lengthpacketsandsingle-usereplyblocks,butalsodirectoryandreputationservicesthatwillallowuserstomonitorselectiveservice-denialattacks[344].
23.
4.
2AnonymousWebBrowsing–TorAnonymousconnectionsaren'tlimitedtoemail,butcanincludeanycommu-nicationsservice.
Asthewebhascometodominateonlineapplications,TheOnionRouter(Tor)hasbecomethemostwidely-usedanonymouscommuni-cationsystem,withover200,000users.
TorbeganitslifeasanexperimentalUSNavyLabssystem,calledOnionRoutingbecausethemessagesarenestedlikethelayersofanonion[1062].
TheNavyopenedituptotheworld,presumablybecauseyoucanusuallyonlybeanonymousinacrowd.
IfTorhadbeenrestrictedtotheU.
S.
intelligencecommunity,thenanywebsitegettingTortrafccoulddrawanobviousconclusion.
U.
S.
NavalpersonnelintheMiddleEastuseTortoconnectbacktotheirserversinMaryland.
Theydon'tthinkofitasananonymitysystembutasapersonalsafetysystem:theydon'twantanyonewatchingthehousethey'reintolearntheirafliation,andtheydon'twantanyonewatchingtheserversinMarylandtolearnwheretheyare.
Ineffect,theyhideamonglocal(IraqiandMaryland)menlookingforporn;andporntrafcalsoconcealshuman-rightsworkersinthethirdworld.
Tormaybeapartofthesolutionadoptedbyseveralofourrepresentativeprivacyusers(Charles,Dai,Elizabeth,FirozandmaybeevenGraziano),soI'llnowdiscussitsdesignanditslimitations6.
6Bywayofdeclarationofinterest,IholdagrantfromtheTorProjectthatpaysoneofmypostdocstohelpdeveloptheirsoftware.
Therearealsocommercialservices,suchasAnonymizer[79],thatletyoubrowsethewebanonymously,butthey'reroutinelyblockedbyrepressivegovernments.
750Chapter23TheBleedingEdgeTheTorsoftwareconsistsoftheTorclient,whichforwardsTCPtrafc,awebproxythroughwhichittalkstoyourbrowser,andoptionallya'TorButton'thatactsasanextensiontotheFirefoxbrowserandletsyouswitchrapidlybetweennormalandanonymousbrowsing.
Inthelattermode,theTorbuttondisablescookies,javascriptandallotherplugins.
Volunteerswithhigh-bandwidthconnectionsenabletheTorclienttoalsoactasaserver,ofwhichtheremaybeafewthousandactiveatanytime.
WhenyouturnonaTorclient,itopensacircuitbyndingthreeTorserversthroughwhichitconnectstotheoutsideworld.
Itnegotiatesanencryptedsessionwiththerstserver,thenthroughthisitnegotiatesanotherencryptedsessiontothesecondserver,throughwhichitthensetsupathirdencryptedsessiontotheexitnode.
Yourwebbrowsertrafcowsintheclearfromtheexitnodetoyourdestination.
Thisbringsusimmediatelytoonewidely-publicisedTorvulnerability—themaliciousexitnode.
InSeptember2007,someonesetupveTorexitnodes,monitoredthetrafcthatwentthroughthem,andpublishedtheinterestingstuff[917].
Thisincludedlogonsandpasswordsforanumberofwebmailaccountsusedbyembassies,includingmissionsfromIran,India,JapanandRussia.
(Thisgaveaninsightintopasswordrobustnesspolicy:Uzbekistancametopwithpasswordslike's1e7u0l7c'whileTunisiajustused'Tunisia'andanIndianembassy'1234'.
)YettheTordocumentationandwebsitemakeclearthatexittrafccanberead,socluefulpeoplewouldhaveeitherusedawebmailservicethatsupportsTLSencryption,likeGmail,orelseusedemailencryptionsoftwaresuchasPGP(whichI'llmentionlater).
Thesecondproblemwithanonymouswebbrowsingisthemanyside-channelsbywhichmoderncontentcallshome.
ThisiswhytheproxydistributedwiththeTorclientkillsoffcookiesandjavascript,butthat'sjustthebeginning.
IfFirozdownloadsapornmovie,andhisWindowsMediaPlayerthencallsthepornserverdirectlytogetalicense,thepackettrafcfromhisIPaddresstoa'knownSatanic'sitemaybeagiveaway;butthen,ifheblocksthelicenserequest,hewon'tbeabletowatchthelm.
ActiveXcontrols,Flashandotherbrowseradd-onscanalsoopenconnectionsoutsidetheproxy.
Forsurveysofwaysinwhichwebsitescandefeatanonymisingservices,see[1091,1194].
Third,whiletheMixmasterandlaterremailerscanmaketrafcanaly-sisharderbydicing,paddinganddelayingtrafc,thisintroduceslatencythatwouldnotbeacceptableinmostwebapplications.
Low-latency,high-bandwidthsystemssuchasTorareintrinsicallymoreexposedtotrafcanalysis.
AglobaladversarysuchastheNSA,thattapstrafcatmanypointsintheInternet,cancertainlyrecoverinformationaboutsomeTorcircuitsbycorrelatingtheiractivity;infact,theyonlyneedtotapasmallnumberofkeyexchangepointstogetagoodsampleofthetrafc[920](soiftheU.
S.
governmentguresinyourthreatmodel,itmaybeprudenttosetupnewTorcircuitsfrequently).
23.
4PrivacyTechnology751Finally,manyapplicationsgetuserstoidentifythemselvesexplicitly,andothersgetthemtoleakinformationaboutwhotheyarewithoutrealisingit.
Insection9.
3.
1IdiscussedhowsupposedlyanonymoussearchhistoriesfromAOLidentiedmanyusers:acombinationoflocalsearches(thattellwhereyoulive)andspecial-interestsearches(thatrevealyourhobbies)maybeenoughtoidentifyyou.
Soifyou'reusingTortodoanonymoussearch,andtheseiseventheslightestpossibilitythatyouropponentmightbeabletoserveasubpoenaonthesearchengine,youhadbettersetupnewcircuits,andthusnewpseudonyms,frequently.
Ifyouropponentislesscapable,thentrafcpatternsmaystillgivethegameaway.
First,supposeyouwanttobrowseaforbiddenwebsitethathasaknownandstablestructure;amoderncommercialwebpagemightcontainsome30objectsranginginsitefromafewhundredbytestoafewtensofkilobytes.
ThispatternisusuallyuniqueandisclearlyvisibleevenafterTLSencryption.
EvenalthoughTortrafc(asseenbyawiretapclosetotheuser)liesunderthreelayesofTorencryption,andeventhoughcellsarepaddedto512bytes,randomwebpagesstillleakalotofinformationabouttheiridentity.
SoifAndrewwantshisconvertstoviewhiswebsitethroughTor,andthere'sarealriskthatthey'llbekilledifthey'recaught,heshouldthinkhard.
Shouldbepadhiswebpagessothat,encrypted,theywillbethesamesizeasapopularandinnocuoussiteShouldbeputshortsermonsonYouTube,ofthesamelengthaspopularmusictracksOrshouldheuseadifferenttechnologyentirelyAnopponentwhocanoccasionallygetcontroloftheforbiddenwebsitecanplayyetmoretricks.
Graziano,who'sworriedaboutMaatakeoverofthepolice'sMaatip-offsite,shouldconsiderthefollowingattack.
TheMaatechniciansmakeanumberofprobestoalltheTorserversasthepageisloaded,andfromtheeffectsonserverloadtheycanidentifythepathalongwhichthedownloadwasmade.
TheythengotothelocalISP,whichtheybribeorcoerceintohandingoverthetrafclogsthatshowwhoestablishedaconnectionwiththeentrynodeattherelevanttime[919].
(SofromGraziano'spointofview,atleast,therecentEuropeandirectivecompellingISPstoretaintrafclogsmaynotalwayshelpthepolice.
)There'snodoubtthatTorisanextremelyusefulprivacytool,butithastobeusedwithcare.
It'smoreeffectivewhenbrowsingwebsitesthattrytorespectusers'privacythanwhenbrowsingsitesthattrytocompromisethem;andit'softenusedincombinationwithothertools.
Forexample,human-rightsworkersinlessdevelopedcountriescommonlyuseitalongwithSkypeandPGP.
23.
4.
3CondentialandAnonymousPhoneCallsIdiscussedinChapter20howcriminalslookingforanonymouscommunica-tionsoftenjustbuyprepaidmobiles,usethemforawhile,andthrowthemaway.
Theyareausefultoolforotherstoo;amongourrepresentativeprivacy752Chapter23TheBleedingEdgeusers,Andrewmightthinkoftellinghisconvertstousethem.
Butarenottheonlyoption,andtheydon'tprovideprotectionagainstwiretapping.
Ifyouropponenthasthetechnologytodoautomatickeywordsearchorspeakerrecognitiononphonetrafc,astheNSAdoes,orthemanpowertorunalargenumberofwiretaps,asatypicalthird-worlddespotdoes,thenyoumightwanttoconsidervoiceoverIP.
Intheory,youcanrunVOIPcommunicationsthroughproxieslikeTor[665];butinpractice,notmanypeopledo;andasanonymityusuallymeanshidinginacrowd,thatbringsustoSkype.
SkypeisnotonlythelargestVOIPoperator,whichgivessafetyinnumbers;it'sgotapeer-to-peerarchitecture,soyourcallsgoend-to-end;andthetrafc'sencrypted,withmechanismsthathaveundergoneanindependentevaluation[165].
SowhatcangowrongWell,ifAndrewweretouseSkypetotalktohisconvertsthenhe'dbetternotusethesameusernametotalktoallofthem;otherwisethereligiouspolicewilllearnthisusernamefromtheirbogusconvertandsearchforeveryonewhocallsit.
Fortunately,youcangetmultiple,throwawaySkypeusernames,andprovidedAndrewusesadifferentusernameforeachcontactSkypemaybeasuitablemechanism.
Thenextproblem,forsomeapplicationsatleast,isthatSkypebeingownedbyalargeU.
S.
companyislikelytorespondtowarrants7SoifyourthreatmodelincludestheU.
S.
Government,you'dbetterassumethatthecallcontentcanbedecryptedoncetheNSAidentiesyourtrafcasofinterest.
Youmightbeatriskifyou'reopposingagovernment,suchasthatofUzbekistan,withwhichtheUSAhasintelligence-sharingagreements;andyoumightalsobeatriskifSkype'sparentcompany,eBay,hasanofceinthecountrywhosepoliceyou'retryingtohideyourtrafcfrom.
SoifAndrew'sunsureaboutwhethereBaywouldhelpouttheSaudigovernment,hemightuseSkypelargelyasananonymitymechanism,anduseittomaskthetransferoflesthatareencryptedusingaproductsuchasPGP.
Human-rightsworkerssuchasDaidoinfactuseSkypeplusPGPplusTortoprotecttheirtrafc,andtheattackstowhichthey'resubjectedarethestuffofintelligencetradecraft.
Thepoliceentertheirhomescovertlytoimplantrootkitsthatsniffpasswords,androombugstolistentoconversations.
Whenyouencryptaphonecall,youhavetowonderwhetherthesecretpolicearegettingonesideofit(orboth)fromahiddenmicrophone.
Counteringsuchattacksrequirestradecraftinturn.
Someofthisisjustlikeinspymovies:leavingtelltalestodetectcovertentry,keepingyourlaptopwithyouatalltimes,andholdingsensitiveconversationsinplacesthatarehardtobug.
Otheraspectsofitaredifferent:ashuman-rightsworkers(likejournalistsbutunlike7SkypeitselfisactuallyaLuxembourgcompany,anditsofcerswhorespondtolawenforcementarebasedthere:soanFBINationalSecurityLettermaynotbeeffective,butajudicialwarrantshouldbe.
23.
4PrivacyTechnology753spies)areknowntothehostgovernment,theyneedtoavoidbreakingthelawandtheyneedtonurturesupportstructures,includingovertsupportfromoverseasNGOsandgovernments.
Theyalsoneed—whileunderintermittentobservation—tomakecovertcontactwithpeoplewhoaren'tthemselvesundersuspicion.
23.
4.
4EmailEncryptionDuringthe'CryptoWars'onthe1990s,cyber-activistsfoughttheirgovern-mentsfortherighttoencryptemail,whilegovernmentspushedforlawsrestrictingencryption.
I'lldiscussthepoliticsinthenextchapter.
Howeveronefocusofthatstruggle,theencryptionproductPrettyGoodPrivacy(PGP),alongwithcompatiblefreeproductssuchasGPG,havebecomefairlywidelyusedamonggeeks.
AtypicaluseisbyComputerEmergencyResponseTeams(CERTs)whoencryptinformationaboutattacksandvulnerabilitieswhentheyshareitwitheachother.
ManyprivateindividualsalsohavePGPencryptionkeysandsomeencrypttrafctoeachotherbydefault.
PGPhasanumberoffeaturesbutinitsmostbasicform,eachusergeneratesaprivate/publickeypair.
Toprotectamessage,yousignahashofitusingyourprivatekey,encryptboththemessageandthesignaturewitharandomlychosensessionkey,andthenencryptthesessionkeyusingthepublickeyofeachoftheintendedrecipients.
Thus,ifAlicewantstosendanencryptedemailtoBobandCharlie,sheformsthemessage{KS}KB,{KS}KC,{M,{h(M)}1KA}KSThemanagementofkeysislefttotheuser,therationalebeingthatasinglecentralizedcerticationauthoritywouldbecomesuchanattractivetargetthatitwouldlikelybecrackedorcomeunderlegalcoercion.
Sotheintendedmodeofoperationisthateachusercollectsthepublickeysofpeoplesheintendstocorrespondwithandbundlesthemintoapublickeyringthatshekeepsonhersystem.
Thepublickeyscanbeauthenticatedbyanyconvenientmethodsuchasbyprintingthemonherbusinesscard;tomakethiseasier,PGPsupportsakeyngerprintwhichisaone-wayhashofthepublickey,presentedasahexadecimalstring.
Anothermechanismisforuserstosigneachothers'keys.
Thismaysimplybeusedasanintegrity-protectionmechanismontheirpublickeyrings,butbecomesmoreinterestingifthesignaturesareexported.
ThesetofpubliclyvisiblePGPsignaturesmakesuptheweboftrust,whichmaybethoughtofasanearlyformofsocialnetworkofpeopleinterestedincryptography.
Yetanothermechanismwastoestablishkeyservers;yetasanyonecoulduploadanykey,weendedupwithkeysforaddressessuchaspresident@whitehouse.
govnotcontrolledbythepeopleyoumightthink.
ColleaguesandIalsopublishedabookofimportantpublickeys[67].
754Chapter23TheBleedingEdgeManythingswerelearnedfromthedeploymentanduseofPGPduringthe1990s.
Oneofthemostsignicantwasusability.
Inaseminalpaper,AlmaWhittenandDougTygardidacognitivewalkthroughanalysisofPGP5.
0followedbyalabtest,toassesswhethermotivatedbutcryptologicallyunso-phisticateduserscouldunderstandwhatwasgoingonwellenoughtodrivetheprogramsafely—tounderstandtheneedtogenerateapublic/privatekeypair,gureouthowtodoso,encryptmessagesandsignkeysasneeded,andmakegrosserrorssuchasaccidentallyfailingtoencrypt,ortrustingthewrongpublickeys.
Theanalysisshowedunsafedesigndecisionsanddefaults,suchasdownloadingkeysfromtheMITserverwithoutmakingclearthatthiswashappening.
Theactualtestthrewupmuchworsehorrors.
Onlyfouroftwelvesubjectswereabletocorrectlysendencryptedemailtotheothersubjects,andonlythreeofthemexpressedanydoubtaboutkeysfromthekeyserver.
Everysubjectmadeatleastonesignicanterror[1342].
Themoralisthatifyou'regoingtogetpeoplewithoutdegreesinmathorcomputersciencetouseencryption,youhavetoburyittransparentlyinanotherproduct(suchasanonlinecomputergame)oryouhavetotrainthem—andtestthemafterwards.
SoPGPandsimilarproductscanbeanoptionforhuman-rightsworkers(andareusedbythem);butforlonelyconvertsinahostilecountry,encryptionaloneisquestionable.
Theremaybeotherreasonswhyencryptingemailisonlypartofthesolution.
Insomecountries,includingRussia,ZimbabweandtheUK,thepolicehavethepowertorequireyoutodecryptciphertexttheyseize,orevenhandoverthekey.
Thispowerisalsoavailabletothecivilcourtsinmanymorecountries,andtomanytaxauthorities.
Othersituationsinwhichcoercionmaybeaproblemincludewheresoldiersorintelligenceagentscouldbecaptured;wherepolicepowerisabused,forexampletoseizeakeyonthegroundsofasupposedcriminalinvestigationbutwhereinrealitythey'vebeenbribedtoobtaincommerciallycondentialinformation;andeveninprivatehomes(kidscanbeabusedbyparents,asInotedinthechapteronmedicalprivacy,andhouseholdersaresometimestorturedbyrobberstogetbankcardPINsandtoopensafes[1326]).
Makingencryptionresistanttorubberhosecryptanalysis,asit'scalled,ishard,butit'spossibleatleasttoblockaccesstooldmessages.
Forexample,theU.
S.
DefenseMessagingSystemsupportstheuseofpublicencryptionkeysonlyonce.
Eachuserhasakeyserverthatwillprovideafreshpublicencryptionkeyondemand,signedbytheuser'ssigningkey,andoncetheuserreceivesanddecryptsthemessagehedestroysthedecryptionkey.
ThisforwardsecrecypropertyisalsofoundinSkype;beatingsomeone'spassphraseoutofthemdoesn'tletyoudecipheroldconversations.
Asforstoreddata,makingthatcoercion-resistantbringsustothetopicofsteganography.
23.
4PrivacyTechnology75523.
4.
5SteganographyandForensicsCountermeasuresWhenyourthreatmodelincludescoercion,simplydestroyingoldkeysmaynotalwaysbeenough,astheveryexistenceofprotectedmaterialcanbesufcienttocauseharm.
Insuchcircumstances,morecompleteplausibledeniabilitycanbeprovidedbytheuseofsteganography,whichisabouthidingdatainotherdata.
Asanexample,FabienPetitcolaswroteaprogramcalledMP3stego,whichwilltakesomeinformationyouwanttohide(suchasanencryptedmessage)andhideitinaudio:ittakesanaudiotrackandcompressesitusingtheMP3algorithm,andwhereveritcanmakearandomchoiceaboutthecompressionitusesthistohidethenextbitofmessage.
AndtheCIAisreportedtohavehadacamerathathiddataintheleastsignicantbitsofrandomly-selectedpixels[1020].
Therearemanysteganographyprogramsoatingaroundonthenet,butmostofthemareeasytobreak:theysimplyhideyourmessageintheleast-signicantbitsofanaudioorvideole,andthat'seasytodetect.
Recallourdiscussionofsteganographytheoryinsection22.
4:thetwoparticipants,AliceandBob,havetocommunicateviaawarden,Willie,whowinsthegameifhecandetecteventheexistenceofahiddenmessage.
Theclassicuseofsteganographyishidingsensitivedata(suchasciphertext,wherethatarousessuspicion)ininnocuouscommunications,thoughincreas-inglynowadayspeopleworryaboutprotectingstoreddata.
Mostcustomsauthoritieshavethepowertorequiretravellerstodecryptanymaterialfoundontheharddiskoftheirlaptopinordertocheckforsubversivematerial,pornographyandthelike.
Therearemanycrudewaystohidetheexistenceofles;atmostbordersit'sstillenoughtohaveanApplelaptop,oraseparateLinuxpartitiononyourharddiskwhichrunsLinux,asthenormalcustomstoolsdon'tdealwiththese.
Butthatproblemwillbexedeventually,andagainstacapableopponentsuchlow-leveltricksarelikelytobeineffective.
Filescanbehiddenusingsteganographytoolsinlargermultimediales,butthisisinefcient.
AdiShamir,RogerNeedhamandIinventedthesteganographiclesystem,whichhasthepropertythatausermayprovideitwiththenameofanobject,suchasaleordirectory,togetherwithapassword;andifthesearecorrectforanobjectinthesystem,accesstoitwillbeprovided.
However,anattackerwhodoesnothavethematchingobjectnameandpassword,andlacksthecomputationalpowertoguessit,cangetnoinformationaboutwhetherthenamedobjectevenexists.
ThisisanevenstrongerpropertythatBell-LaPadula;LowcannotevendemonstratetheexistenceofHigh.
Inourinitialdesign,thewholediskwasencrypted,andfragmentsofthelesarescatteredthroughitatplacesthatdependonthepassword,withsomeredundancytorecoverfromcaseswhereHighdataisaccidentallyoverwrittenbyaLowuser[75,856].
756Chapter23TheBleedingEdgeInrecentyears,le-encryptionprogramssuchasTrueCrypthaveadoptedthisideaalthoughinTrueCrypt'scasetheimplementationissimpler:eachencryptedvolumehasitsfreespaceoverwrittenwithrandomdata,andtheremayormaynotbeahiddenvolumeintherethatcanberevealedtoauserwiththerightpassword.
NowTrueCryptisoneofthetoolscommonlyusedbyhuman-rightsworkers;woulditbesensibleforFiroztouseittooTheansweris,asusual,'itdepends'.
IftheIranianreligiouspolicenormallyonlyndTrueCryptinstalledbyhuman-rightsworkersthere,he'slikelytobetreatedasoneofthemifhe'sraidedandit'sfound.
Ingeneral,iftheexistenceofaproductisinitselfincriminating,hemightwanttohidethattoo.
Thefundamentalproblemfacingforensicinvestigators,asI'lldiscussindetaillaterinsection24.
5,isthesheervolumeofdatafoundwhensearchingahousenowadays:therecanbeterabytesofdatascatteredoverlaptops,mobilephones,cameras,iPodsandmemorysticks.
Ifyoudon'twantaneedletobefound,buildalargerhaystack.
SoFirozmighthavealotofelectronicjunkscatteredaroundhisapartment,ascoverforthememorystickthatactuallycontainstheforbiddenpicturesstashedinahiddenTrueCryptcontainer.
Hemightevenhavesomestraightpornintheordinaryencryptedvolume,sohe'sgotsomethingtogivethepoliceiftheytorturehim.
Andtherearemanyad-hocwaysinwhichcontentcanbemadeinaccessibletothecasualsearcher;hemightdamagethememorystickinsomerepairableway.
IfhehadaforbiddenmovieinWMVformat,hemightdeleteitslicensefromtheWMPstore—sothelicensestorehadtoberestoredfrombackupbeforethemoviecouldbeplayed.
(AmovieforwhichalicenseisnolongeravailableisamuchlesssuspiciouskindofciphertextthanaTrueCryptvolume.
)Inshort,astheworldadaptstothedigitalage,peopleadoptwaysofdoingthings,andtheseproceduresinturnhaveweakpoints,whichleadsusbacktotradecraft.
Whatworkswillvaryfromoneplaceandtimetoanother,asitdependsonwhatthelocalopponentsactuallydo.
Buttherearesomeprinciples.
Forexample,anonymitylovescompany;it'smucheasiertohideinacrowdthaninthemiddleofadesert.
Andinsomeapplications,deniabilitymaybeenough:Crowdswasasysteminwhichusersgrouptogetheranddowebpageforwardingforeachother,sothatifoneofthemdownloadedasubversivewebpage,thesecretpolicehaveseveralhundredsuspectstodealwith[1067].
Asimilarschemewasdevisedbyawell-knowncompanyCEOwho,eachmorning,usedtoborrowatrandomoneofthemobilephonesofhismanagers,andhavehisswitchboardforwardhiscalls.
Forensicsaresubtlydifferent:copstendonlytohavetoolsforthemostpopularproducts.
Theycanusuallysearchfor'obvious'wickednessinWin-dowsPCsbutoftencan'tsearchMacsatall;theyhavetoolstoextractaddressbooksfromthethreeorfourmostpopularmobilephones,butnotobscuremakes;theycanwiretapthelargeISPsbutoftennotthemom-and-popoutts.
23.
4PrivacyTechnology757They'realsousuallyabitbehindthecurve.
TheymayknowhowtodealwithFacebooknow,buttheyprobablydidn'tin2004.
Coolkidsandgadgetfreaksmayalwaysbeafewstepsahead.
23.
4.
6PuttingItAllTogetherReturningnowtoourlistoftypicalprivacytechnologyusers,whatcanwesay1.
Themissionary,Andrew,hasoneofthehardestsecurecommunicationtasks.
Hecan'tmeethisconvertstotrainthemtouseTorandPGPprop-erly,andreligiousfactorsmightpreventthemcommunicatingcovertlybyjoininganonlinecomputergameinwhichtheyplayedtherolesofdragons,wizardsandsoon.
PerhapsthesimplestsolutionforhimisSkype.
2.
InthecaseofyourdaughterBetty,alltheevidenceisthatparentalcon-cernsovertheInternetaregrosslyover-inated.
RatherthantryingtogethertosurfthenetusingTor(whichshe'djustconsidertobecreepyifherfriendsdon'tuseittoo),you'dbebettertomakethatscams,phishingandotherabusesintoaregularbutnotobsessivetopicofconversa-tionroundthedinnertable.
(Onceshegetsthecondencetojoinintheconversation,shemayturnouttohavebettertalesthanyoudo.
)3.
Thecorporateengineer,Charles,mayndhismainriskisthatifhepostsfromaworkmachine,thenevenifhe'susingathrowawaywebmailaddress,hemightinadvertentlyincludematerialindocumentssuchaslocalprinterorworkgroupnamesoracameraserialnumberthatthecorporatesecurityguythenndsonGoogle.
Thesimplestsolutionistousehomeequipmentthatisn'tcross-contaminatedwithworkmaterial.
EssentiallythisisamultilevelpolicyofthesortdiscussedinChapter8.
4.
Thehuman-rightsactivistDaihasoneofthehardestjobsofall,butasshe'sbeingregularlyshakendownbythepoliceandisincontactwithanetworkofotheractivistswithwhomshecanshareexperiences,sheatleasthasanopportunitytoevolvegoodtradecraftovertime.
5.
TheM&AanalystElizabethmaywellndthatTordoesprettywellwhatsheneeds.
Hermainproblemwillbeusingitproperly(evenIoncefoundthatI'dmisconguredmysystemsothatIthoughtIwasbrows-ingthroughTorwhenIwasn't—andI'msupposedtobeasecurityexpert).
6.
Firozisinaprettybadway,andquitefranklywereIinhissituationI'demigrate.
Ifthat'snotpossiblethenheshouldnotjustuseTor,butgetaMacorLinuxboxsohe'slessexposedtoporn-sitemalware.
Somecom-binationofcryptographichiding,camouageanddeceptionmaysave758Chapter23TheBleedingEdgehislifeifhegetsraidedbythepolice;andperhapsheshouldjointheRevolutionaryGuardsothepolicewon'tdareraidhimintherstplace.
7.
Grazianoalsohasanextremelyhardjob.
It'sbadenoughdefendingacovertnetworkagainstoneortwotraitorsattheclientend(asAndrewmust);defendingagainstoccasionaltreacheryattheserversideisevenharder.
WereIdesigningsuchasystemI'destablishclearpublicpoli-ciesandexpectationsonhowinformers'identitywouldbeprotected,sothatanyattemptbyafuturecorruptwebmastertosubvertthepro-cedureswouldbevisible.
I'dalsotestthesystemregularlybyhavingundercoverpolicemencallinasinformers,andtracktheirrevelations,tospotbentcopswholoseinformation.
Whereinformersdididentifythemselves—deliberatelyoraccidentally—I'densurethatonlyonehandlerandhissupervisorknowthis.
Wickedpeopleuseanonymitytoo,ofcourse,andthemanytalesofhowtheyfailunderlinethedifcultyofndingtrueanonymityinthemodernworld.
Inachild-custodycaseinTaunton,England,thewife'slawyeremailedaboguslegaljudgmenttothefather,pretendingtheemailwasfromafathers'rightscharity.
Whenthefatherreadthisoutincourt,thelawyerstoodupandaccusedhimofforgery.
Outraged,thefathertrackedtheemailtoashopinLondon'sTottenhamCourtRoad,wherethestaffrememberedsomeonecomingintousetheirserviceanddugoutstillimagesfromtheirCCTVcamerawhichidentiedthelawyer,BruceHyman[397].
MrHymanwassenttoprisonfortwelvemonthsatBristolCrownCourt.
Hewasanexpertonevidence—andtherstBritishbarristertobeimprisonedinmoderntimesforpervertingthecourseofjustice.
RichardClaytonwroteathesisonanonymityandtraceabilityincyberspace,whichMrHymanshouldperhapshaveread[300].
Therearemanywaysinwhichpeoplewhotrytobeanonymous,fail;andtherearealsomanywaysinwhichevenpeoplewhomadenoparticularefforttohidethemselvesendupnotbeingtraceable.
It'shardtoestablishresponsibilitywhenabusivetrafccomesfromaphonelineinamulti-occupiedstudenthouse,orwhensomeoneaccessesadial-upaccountonafreeISPfromaphonewhosecallinglineIDhasbeenblocked.
ISPsalsooftenkeepquiteinadequatelogsandcan'ttraceabusivetrafcafterwards.
Soinpractice,asopposedtotheory,anonymityisalreadyprettywidespread.
Thismaygraduallycontractovertime,becausepressureoverpeer-to-peertrafc,spamandphishingmaymakeISPsmanagethingsmoretightlyandrespondbettertocomplaints.
TheviewofUKISPs,forexample,isthat'Anonymityshouldbeexplicitlysupportedbyrelevanttools,ratherthanbeingpresentasablanketstatusquo,opentouseandmisuse'[307].
23.
5Elections759Asprivacytechnologyevolves,itmaymodifytheshapeofthetrade-offbetweenprivacyandsurveillancethatisconditionedbythemuchlarger-scaledevelopmentofonlinetechnologyingeneral.
Privacytechnologywillbedriventosomeextentbythedesiretoevadecopyright,byvariouspoliticalliberationagendas,andbycriminalinnovation.
Toolsinventedtoprotecttheprivacyofthelaw-abiding,andofforeignlawbreakerswhosesubversionwesupport,willbeusedoccasionallybycriminalsinourcountriestoo.
Sofar,there'slittlesignofit,butit'sboundtohappeneventually.
Forthisreasonanumberofpeoplehaveproposedidentityescrowschemesinwhichnetusershavepseudonymswhichnormallyprovideidentityprotectionbutwhichcanberemovedbyorderofacourt[255].
Butsuchsystemswouldputmostoftheprivacyuserswedis-cussedinthissectiondirectlyinharm'sway.
What'smore,escrowmechanismstendtobeexpensiveandfragile,andcauseunforeseenside-effects[4].
InthenextchapterI'lldescribethe'CryptoWars'—thelongstrugglethroughthe1990sbygovernmentstocontrolcryptography,bydemandingthatkeysbeescrowed.
Eventuallytheygaveuponthat;andthesameargumentsapplytoanonymitysystems.
Ibelievewejusthavetoacceptthatprovidingprivacytopeopleweapproveofmeansthatoccasionallysomepeoplewedon'tapproveofwilluseittoo.
AsWhitDife,theinventorofdigitalsignaturesandaleadingcryptowarrior,putit:'Ifyoucampaignforlibertyyou'relikelytondyourselfdrinkinginbadcompanyatthewrongendofthebar'.
23.
5ElectionsOneapplicationofwhichalldemocraciesbydenitionapprove,andinwhichalmostallmandateanonymity,istheelection.
However,themovetoelectronicvotinghasbeenhighlycontroversial.
IntheUSA,Congressvotedalmostfourbilliondollarstoupgradestates'electionsystemsfollowingtheFloridaascoin2000,andalotofthismoney'sbeenwastedonvotingmachinesthatturnedouttobeinsecure.
Therehavebeensimilarscandalselsewhere,includingtheUKandtheNetherlands.
Researchintoelectronicelectionmechanismsgoesbacktotheearly1980s,whenDavidChauminventeddigitalcash—apaymentmediumthatisanony-mous,untraceableandunlinkable[285,287].
Insection5.
7.
3Idescribedthemechanism:acustomerpresentsabanknotetoabank,blindedbyarandomfactorsothatthebankcan'tseetheserialnumber;thebanksignsthenote;thecustomerthenunblindsit;andshenowhasanelectronicbanknotewithaserialnumberthebankdoesn'tknow.
Thereareafewmoredetailsyouhavetoxtogetaviablesystem,suchasarrangingthatthecustomer'sanonymityfailsifshespendsthebanknotetwice[287].
Digitalcashhasn'tsucceeded,760Chapter23TheBleedingEdgeasit'snotreallycompatibleeitherwiththeanti-money-launderingregimeorthebanks'businessmodels8.
Howevertheapplicationonwhichanumberofresearchteamsarestillworkingisthedigitalelection.
Thevotercanbegivenaballotpapermanufacturedusingthesamegeneraltechniquesasadigitalcoin;shecanspenditwiththecandidateofhischoice;andshecangetcaughtifshecheatsbydouble-spending.
Thereareanumberoffurtherrequirementsonelectronicvotingsystems,ofwhichperhapsthetwomostdifculttosatisfysimultaneouslyarethatthevotershouldbeabletosatisfyherselfthathervotehasbeenproperlycountedandthatsheshouldnotbeabletoprovetoanybodyelsehowshevoted.
Ifshecan,thenthedoorsareopenedtovote-buyingandintimidation.
Gettingtheanonymityandauditabilityrightsimultaneouslydependsonagoodcombinationofphysicalsecurityandcomputer-securitymechanisms.
Digitalelectionsremainedsomethingofanacademicbackwateruntil2000,whentheoutcomeoftheU.
S.
PresidentialelectionturnedonahandfulofdisputedvotesinFlorida.
Atthetime,IwasattendingtheApplicationsSecurityconferenceinNewOrleans,andweorganisedadebate;itrapidlybecameclearthat,eventhoughpoliticiansthoughtthatmechanicalorpapervotingsystemsshouldbereplacedwithelectroniconesasquicklyaspossible,securityexpertsdidn'tagree.
Alargemajorityoftheattendees—includingmanyNSAanddefensecontractorstaff—voted(onanold-fashionedshowofhands)theydidn'ttrustelectronicelections9.
NonethelessCongresswentaheadandpassedtheHelpAmericaVoteActin2002,whichprovided$3.
8billionforstatestoupdatetheirvotingequipment.
Bythefollowingyear,thisparticularbarrelofporkhaddegeneratedintoanationalscandal.
Manyproblemswerereportedinthe2002elections[551];then,thefollowingsummer,theleadingvoting-machinesupplierDieboldleftitsvotingsystemlesonanopenwebsite,astunningsecuritylapse.
AviRubinandcolleaguesatJohnsHopkinstrawledthroughthemfoundthattheequipmentwasfarbelowevenminimalstandardsofsecurityexpectedinothercontexts.
Voterscouldcastunlimitedvotes,insiderscouldidentifyvoters,andoutsiderscouldalsohackthesystem[731].
Almostoncue,DieboldCEOWaldenO'Dell,whowasactiveinthecampaigntore-electPresidentBush,andwrote'IamcommittedtohelpingOhiodeliveritselectoralvotestothepresidentnextyear'[1320].
Thisledtouproar.
ElectronicequipmenthadactuallybeenusedforsometimetocountballotsinanumberofU.
S.
districts,butthereareanumberofdifferentwaystodo8AvariantmaybeusedforpseudonymouscredentialsinTrustedComputing[220].
9Oneofthestrongestargumentswasasimplequestion:doyouknowhowtocleartheInternetExplorercacheAsthehoteldidn'thaveanInternetconnection,weallhadtocheckouremailatacafeinBourbonStreetthathadtwoPCs,onewithNetscapeandtheotherwithIE.
TheattendeespreferredNetscapeasitwaseasytostopthenextuserretrievingyourpasswordfromthecache.
23.
5Elections761this.
Oneoptionisopticalscanning,wherepaperballotsareusedbutfedintoasystemthatrecognisesvotes,getsanoperatortoadjudicatedifcultcases,andoutputsthetally.
Thishastheadvantagethat,ifthecountischallenged,ofcials(oracourt)cansendfortheoriginalballotsandcountthembyhand.
Anotheralternativeistheballotmarkingmachine:thevotermakesherchoicesonatouchscreen,afterwhichthemachineprintsoutavotingformthatshecaninspectvisuallyanddropintoaballotbox.
Many(butnotall)oftheproblemsarosefrom'Direct-recordingelectronic'(DRE)votingsystems,inwhichthevoter'schoiceisentereddirectlyintoaterminalthattalliesthevotesandoutputstheresultattheendoftheday.
Ifthesoftwareinsuchadeviceisbuggy,oropentomanipulation,itcangivethewrongresult;andunlesstheresultiswildlyoutofkilterwithcommonsense,there'ssimplynowaytotell.
Theonlyvericationprocedureavailableonmanymodelswastopressthe'count'buttonagaintogetittoprintoutthetallyagain.
EvenalthoughvotingmachinesarecertiedbytheFederalElectionCommission(FEC),theFECrulesdon'trequirethatatallybeindependentlyauditable.
Thisiswrong,accordingtothemajorityofexperts,whonowbelievethatallvotingsystemsshouldhaveavoter-veriableaudittrail.
Thishappensautomaticallywithscanningsystems;RebeccaMercuriadvocatesthatDREequipmentshoulddisplaythevoter'schoiceonapaperrollbehindawindowandgetthemtovalidateitpriortocasting.
(Thatwasin1992,andwasreiteratedinherthesisonelectronicvotingin2000[875,876].
)ThelatestroundintheU.
S.
votingsagacomesfromCalifornia,FloridaandOhio.
TheCalifornianSecretaryofStateDebraBowenauthorizedandpaidforalargeteamofcomputerscientists,ledbyUniversityofCaliforniaprofessorsDavidWagnerandMattBishop,todoatop-to-bottomevaluationofthestate'svotingsystems,includingsourcecodereviewsandread-teamattacks,inordertodecidewhatequipmentcouldbeusedinthe2008elections.
Thereports,publishedinMay2007,makedepressingreading[215].
Allofthevotingsystemsexaminedcontainedseriousdesignawsthatleddirectlytospecicvulnerabilitiesthatattackerscouldexploittoaffectelectionoutcomes.
Allofthepreviouslyapprovedvotingmachines—byDiebold,HartandSequoia—hadtheircerticationwithdrawn,andwereinformedtheywouldneedtoundertakesubstantialremediationbeforerecertication.
Alate-submittedsystemfromES&Swasalsodecertied.
Californiacouldstilltakesuchradicalaction,asperhapsthree-quartersofthe9millionpeoplewhovotedin2004didsousingapaperoroptical-scanballot.
AsthisbookwenttopressinDecember2007,MsBowenhadjustsaidthatelectronicvotingsystemswerestillnotgoodenoughtobetrustedwithstateelections.
'Whenthegovernmentndsacarisunsafe,itordersarecall',shesaid.
'Herewe'retalkingaboutsystemsusedtocastandtallyvotes,themostbasictoolofdemocracy'.
[1343].
AsimilarinspectionofFloridaequipmentwascarriedoutbyscientistsatFloridaStateUniversity;theyreportedabundleofnewvulnerabilitiesintheDieboldequipmentinJuly2007[514].
Ohiofollowedsuit;theirevaluation762Chapter23TheBleedingEdgeofelectionequipmentandstandardscametosimilarconclusions.
Alltheevaluatedequipmenthadserioussecurityfailings:datathatshouldhavebeenencryptedwasn't;encryptiondonebadly(forexample,thekeystoredintheclearnexttotheciphertext);bufferoverows;useless(andmisapplied)physicalsecurity;SQLinjection;auditlogsthatcouldbetamperedwith;andundocumentedbackdoors[855].
Interestingly,theFloridaandOhioteamsfoundplentyofnewvulnerabilitiesthattheCaliforniateammissed,andallwereworkingquickly;thisraisesinterestingquestionsaboutthetotalnumberofsecurityawsinthesesystems.
OurexperienceintheUKisbroadlysimilar,althoughthedetailisdifferent.
TonyBlair'sgovernmentprogressivelyexpandedtheuseofpostalandotherabsenteeformsofballot,whichwascriticisedbyoppositionpartiesasitmadevote-buyingandintimidationeasier.
Partyworkers(ofwhichBlair'sLabourpartyhadmore)couldpressurevotersintooptingforapostalballot,thencollecttheirballotforms,llthemout,andsubmitthem.
Planstoextendvotingfromtheposttoemailandtextwerecriticisedformakingthisexistinglow-gradeabuseeasierandpotentiallyopentoautomation.
Finally,intheMay2007localgovernmentelections,electronicvotingpilotswereheldinelevenareasaroundtheUK.
TwoofmypostdocsactedasscrutineersintheBedfordelection,andobservedthesamekindofshamblesthathadbeenreportedatvariousU.
S.
elections.
Thecountingwasslowerthanwithpaper;thesystem(optical-scansoftwareboughtfromSpain)hadahigherrorrate,resultinginmanymoreballotsthanexpectedbeingsenttohumanadjudicatorsfordecision.
(Thiswasbecausetheprintershadchangedtheinkhalfwaythroughtheprintrun,andhalftheballotpaperswerethewrongshadeofblack.
)Evenworse,thesoftwaresometimessentthesameballotpapertomultipleadjudicators,anditwasn'tclearwhichoftheirdecisionswerecounted.
Intheend,sothateveryonecouldgohome,thereturningofceracceptedaletterofassurance(writtenonthespotbythevendor)sayingthatnovotewouldhavebeenmiscountedasaresult.
Yettheexerciselefttherepresentativesfromthevariouspartieswithseriousmisgivings.
TheOpenRightsGroup,whichorganisedthevolunteers,reportedthatitcouldnotexpresscondenceintheresultsfortheareasobserved[987].
TherewasaninterestingtwistintheNetherlands.
DREvotingmachineshadbeenintroducedprogressivelyduringthe1990s,andcyber-rightsactivistswereworriedaboutthepossibilityoftamperingandfraudalongthelinesobservedintheUSA.
Theydiscoveredthatthemachinesfromtheleadingvendor,Nedap,werevulnerabletoaTempestattack:usingsimpleequipment,anobserversittingoutsidethepollingstationcouldseewhatpartyavoterhadselected[541].
Fromthesecurityengineer'sperspectivethiswasgreatstuff,asitledtothedeclassicationbytheGermanintelligencefolksofalotofColdWartempestmaterial,asIdiscussedinsection17.
4.
2(theNedapmachinesarealsousedinGermany).
Theactivistsalsogotaresult:onOctober12007theDistrictCourtinAmsterdamdecertiedalltheNedapmachines.
23.
5Elections763Asforothercountries,thepictureismixed.
TheOpenNetInitiative(ofwhichI'vebeenamembersince2006)monitorselectionabusesinthethirdworld.
Wehavefoundthatinsomeless-developedcountryelections,thestatehassystematicallycensoredoppositionparties'websitesandrundenial-of-serviceattacks;inothers(typicallythemostbackward),electionsareriggedbymoretraditionalmethodssuchaskidnappingandmurderingoppositioncandidates.
Theevidenceofelectroniccheatingislessclear-cutbutisoftensuspected.
TakeforexampleRussia.
Iwroteinthersteditionin2001:'IsincerelyhopethattheelectionofVladimirPutinasthepresidentofRussiahadnothingtodowiththefactthatthenationalelectoralreportingsystemisrunbyFAPSI,aRussiansignalsintelligenceagencyformedin1991asthesuccessortotheKGB's8thand16thdirectorates.
Itshead,GeneralStarovoitov,wasreportedtobeanoldKGBtype;hisagencyreporteddirectlytoPresidentYeltsin,whochosePutinashissuccessor'[509,678].
YetbythetimePutin'spartywasre-electedin2007,thecheatinghadbecomesoblatant—withgrossmediabiasandstateemployeesorderedtovotefortherulingparty—thattheinternationalcommunitywouldnotaccepttheresultasfreeandfair.
Whereveryougo,electronicabusesatelectiontime,andabusesofelectronicelectionequipment,arejustoneofmanytoolsusedbythepowerfultohangontopower.
It'sworthrememberingthatinFloridain2000,morevotersweredisenfranchisedasaresultofregistrationabusesthantherewereballotsdisputedbecauseofhangingchads.
Andjustasthegovernmentcanbiasanelectionbymakingithardertovoteifyouhaven'tgotacar,hecouldconceivablymakeithardertovoteifyouhaven'tgotacomputer.
It'snotunknownfortheballottobemadesosomplexastodisenfranchisethelesseducated.
Andlarge-scaleabusescandefeateventechnicalballotprivacy;forexample,inanumberofless-developedcountries,districtsthatelectedthe'wrong'candidatehavebeenpunished.
(AndalthoughweshakeourheadsinsorrowwhenhappensinZimbabwe,wejustshrugwhenaBritishgovernmentchannelsextramoneytoschoolsandhospitalsinmarginalconstituences.
)Infact,ithasstruckmethatifanincumbentwantstochangenot1%ofthevotes,but10%—saytoturna40–60defeatintoa60–40victory—thenbribingorbullyingvotersmayprovideamorerobustresultthantinkeringwiththevote-tallyingcomputer.
Voterswho'vebeenbribedorbulliedarelesslikelytoriotthanvoterswho'vebeencheated.
ThebulliedvotersinRussiadidn'triot;thecheatedvotersinKenyadid.
Sohigh-technologycheatingshouldn'tgetall,orevenmost,ofanelectionmonitor'sattention.
Butitneedstogetsome.
Anditbehovescitizenstobemorescepticalthanusualaboutthelatestwizzotechnologywhenit'sbeingsoldtousbypoliticianswhohopetogetreelectedusingit.
Finally,evenwherepoliticianshavecomfortablemajoritiesandaren'tconsciouslytryingtocheat,theyareoftenvulnerabletocomputersalesmen,asthey'rescaredofbeingaccusedoftechnophobia.
Ittakesgeekstohavethecondencetosaystop!
764Chapter23TheBleedingEdge23.
6SummarySomeofthemostchallengingsecurityengineeringproblemsatthebeginningofthetwenty-rstcenturyhavetodowiththenewonlineapplicationsthataresweepingtheworld,fromonlinegamesthroughsearchandauctionstosocialnetworking.
Thischapterwasreallyjustahelicoptertourofnewservicesandthenewcheatingstrategiesthey'vespawned.
Muchofwhatgoeswrongwithonlineservices,aswithanonymityservicesanddigitalelections,isjustthesameaswe'veseenelsewhere—theusualsadlitanyofbugsandblunders,ofprotectionrequirementsignoredintherushtomarketorjustnotunderstoodbythedevelopersoftheearlysystems.
Electionsinparticularprovideasoberingcasehistoryofproprietarysystemsdevelopedforanapplicationthatwasknowntobesensitive,andbydeveloperswhomadeallsortsofsecurityclaims;yetoncetheirproductswereexposedtofreshairandsunlight,theyturnedouttobeterrible.
What'salsostartingtobecomeclearisthatasmoreandmoreofhumanlifemovesonline,sothecriticalityandthecomplexityofonlineapplicationsgrowatthesametime.
Manyofthefamiliarproblemscomebackagainandagain,ineverlesstractableforms.
Enforcingprivacyisdifcultenoughinalargehospital,butjustaboutdoable.
HowdoyouenforceprivacyinsomethingasbigasGoogle,orascomplexasFacebookAndhowdoyoudosecurityarchitecturewhenevermorefunctionalityisprovidedtoevermorepeoplebyevermorecodewrittenbyconstantlygrowingarmiesofinexperiencedprogrammersTraditionalsoftwareengineeringtoolshelpeddevelopersgeteverfurtherupthecomplexitymountainbeforetheyfelloff.
Howdoyouseetoitthatyoudon'tfalloff,orifyoudo,youdon'tfalltoohardResearchProblemsThisleadsmetosuggestthatoneofthecriticalresearchproblemsbetweennowandthethirdeditionofthisbook(ifthereisone)willbehowprotectionmechanismsscale.
Thehardmechanism-designproblemmaybehowonegoesaboutevolving'security'(oranyotheremergentproperty)inasocio-technicalsystemwithbillionsofusers.
Inthesimple,million-usergovernmentapplicationsofyesteryear,acentralauthoritycouldimposesomeelementaryrules—a'Secret'documenthadtobelockedinalingcabinetwhenyouwenttothetoilet,anda'Secret'computersystemneededanOrangebookevaluation.
Butsuchruleswerenevernatural,andpeoplealwayshadtobreakthemtogettheirFurtherReading765workdone.
Tryingtoscaleaccess-controlrulestosocialnetworkingsiteslikeFacebookisprobablyalreadybeyondthecomplexitylimit,andtherevolutionhasonlyjuststarted.
Inatrulycomplexsocio-technicalsystemyoucanexpectthattheruleswillevolveinaprocesswherebythetechnologyandthebehaviourcontinuallyadapttoeachother.
Butatpresenttheincentivesfacedbythesystemdevel-opersarealsowrong;siteoperatorswantsearchwhileuserswantprivacy.
Governmentswillwanttogetinontheact,butthey'reanorderofmagnitudetooslowandhaveperverseincentivesoftheirown.
Sowhatsortsofmech-anismscanbeevolvedforrulenegotiationWillitsimplybesurvivalofthettest,spicedwiththedrivesoffashion,asonesocial-networkingsitereplacesanotherOristheresomelegalframeworkthatmighthelpFurtherReadingThestandardreferenceongamesecurityatpresentisbyGregHoglundandGaryMcGraw'sbook[617].
Forthehistoryofcomputergames,andcheating,readJeffYanandBrianRandellin[1367];Jeff'sthesisdiscussesonlinebridge[1364].
There'sanannualconference,NetGames,whichusuallyhasanumberofpapersoncheating,andtheTerraNovablogonvirtualworldshasregulararticlesoncheating.
ThebestgeneralworkIknowofonsecurityinwebservicesisMikeAndrewsandJamesWhitaker's'HowtoBreakWebSoftware'[78].
Therearemanybooksonspecicservices,suchasJohnBattelle'sbookonGoogle[125]andAdamCohen'sofeBay[310];andifyouneedtoexplaintheproblemtomanagement,read(orgivethem)thearticlebyJeremyEpstein,ScottMatsumotoandGaryMcGrawabouthowweb-servicedevelopersgetsoftwaresecuritywrong[436].
Asforsocialnetworking,Idon'tthinkthedenitivebookhascomeoutyet.
Asforprivacytechnology,thebestintroductiontoanonymousremailersisprobably[849].
Idon'tknowofagoodtreatmentofprivacyandanonymitytechnologyinreal-worldcontexts;theabovevignettesofAndrewandothersaremyownmodestattempttollthatgap.
Togointothissubjectindepth,lookthroughtheanonymitybibliographymaintainedbyRogerDingledine,NickMatthewsonandGeorgeDanezis[82],andthesurveyofanonymitysystemsbyGeorgeDanezisandClaudiaDiaz[347].
Fortrafcanalysis,youmightstartwiththesurveybyRichardClaytonandGeorgeDanezis[346].
There'snowquitealiteratureonelectronicvoting.
Theissuesarelargelythesameaswithvotingbymailorbyphone,butnotquite.
Anearlysurveyoftherequirements,andofthethingsthatcangowrong,waswrittenbyMike766Chapter23TheBleedingEdgeShamos[1149],whoisalsoaprominentdefenderofelectronicvoting[1150];whileRoySaltzman(formanyyearstheauthorityatNIST)discussesthingsthathavegonewrongintheUSA,andvariousNISTrecommendations,in[1103].
TheleadingcriticsofcurrentelectronicvotingarrangementsincludeDavidDill'sVeriedVotingFoundation,andRebeccaMercuri,whose2000thesison'ElectronicVoteTabulation—Checks&Balances'[876]mightperhapshavebeenheededmore,alongwithanearlyreportonthefeasibilityofInternetvotingfromtheStateofCalifornia[253].
Certainly,therecentevaluationreportsfromCalifornia[215],Florida[514],Ohio[855]andBritain[987]lendstrongconrmationtothescepticalviewpoint.