Friday, July 15

Weasels considered harmful

A message from Lorrie Cranor notes that the EFF is asking for aid in the hunt for Privacy Weasels, viz., websites who make empty privacy promises. They give examples such as:
Weasel language: "Although we take appropriate measures
to safeguard against unauthorized disclosures of
information, we cannot assure you that personally
identifiable information that we collect will never be
disclosed in a manner that is inconsistent with this
Privacy Notice."

Translation: "You can't sue us if we violate our own
policy."

Wednesday, July 13

One-liners for the digital age

I'm about half way through a wonderful book: The Inmates are Running the Asylum, by Alan Cooper. As an aside, the author's primary claim to fame is the invention of something truly horrible long ago. But I think he's sorry now.

The book does a good job of explaining why most industrial products are becoming increasingly unusable.

The simple reason is that it is cheap to add a microprocessor to anything. Once the manufacturer does this they: 1) can add new features at zero marginal cost, 2) put software engineers (and their feature mentality) in the critical path of product design. The book's issue is usability, my issue is security, and I'm quite certain we're on the slippery slope to downloading code into our kitchen appliances. I really have wanted to blog about the security aspect of this problem for some time [economist: apparently not]; the post would be called "Someday, your alarm clock will try to kill you".

Cooper has the first chapter of his book ask, successively:

  • What do you get when you cross a computer with an Airplane?
  • What do you get when you cross a computer with a Camera?
  • What do you get when you cross a computer with an Alarm Clock?
  • What do you get when you cross a computer with a Car?
  • What do you get when you cross a computer with a Bank?
The answer in each case, is: a computer.

Friday, July 8

More from SOUPS

Excellent paper on phishing from Dhamija and Tygar of UCB, The Battle Against Phishing: Dynamic Security Skins. Doug Tygar, you may know, was co-author of the security+HCI paper Why Johnny Can't Encrypt. They describe the problem of phishing, make a systematic analysis of the technical challenges, survey current phishing countermeasures, and describe countermeasures of their own.

Their proposed countermeasure attempts to address the lack of a trusted interaction path between users and servers for either data entry or security notices (such as the classic padlock). This is because of what they call the general purpose graphics property: on existing computer systems, anything a legitimate website can arrange to appear on the user's screen, a phishing site can put on the screen — or at least similar-looking enough that users won't notice.

A quick summary of how their system works:

  1. They use Tom Wu's Secure Remote Password protocol to allow low-entropy (bad) user-selected passwords as mutual authenticator for user and server. This is a verifier-based protocol where passwords aren't given to the server.
  2. Users choose an image to be used as a backdrop to a password entry window. Only the user's machine has this, so attackers can't guess it.
  3. The a visual hash of the verifier is used by the server to decorate data entry pages (i.e., as background), so that the website has a user-specific look.
...of course this stuff is still vulnerable to man-in-the-middle, but that's not the phishing problem.

And as an counter to sophisticates who despair that users can't be trained to distinguish between indicators (e.g., the padlock) in the browser chrome from indicators in the page, they show a Citicorp page where a teeny padlock is on the page next to the password entry box to show that although the page isn't protected, the form will be sent via an SSL-protected HTTP Post!

Thursday, July 7

Live from SOUPS 2005

Blogging from SOUPS 2005 at CMU and cross-posting to The Now Economy.

Ches just gave the keynote talk titled My Dad's Computer, Microsoft, and the Future of Internet Security, which like all good talks, has been evolving for some time. Money quotes:


  • "Dad, your computer is blowing blue smoke all over the Internet!"
  • "These virus-building tools have GUIs, *nice* GUIs."
  • On 0wn3rs: "They try not to be too disruptive. They've got uses for your computer. It's called time-sharing. They install patches for you to keep (other) attackers out, they work very hard to get bugs out of their software."
  • "You have to get out of the game. Or, as the Karate Kid's Mr. Miyagi says: ''Best block is not to be there.''"

Ches quoted spot prices for botnet cycles — 3 cents per week on the low end for spam forwarding, $40 each for machines on targeted networks. Also interesting, the Phatbot command list.

Ping and others are blogging the conference at Usable Security.