<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Chaos Program &#187; security</title>
	<atom:link href="http://www.chaosprg.com/blog/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.chaosprg.com/blog</link>
	<description>Without creativity, the universe would just be columns of numbers.</description>
	<lastBuildDate>Sun, 11 Jul 2010 20:10:00 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Wanna Buy a Spy Friendly Operating System?</title>
		<link>http://www.chaosprg.com/blog/2010/03/wanna-buy-a-spy-friendly-operating-system/</link>
		<comments>http://www.chaosprg.com/blog/2010/03/wanna-buy-a-spy-friendly-operating-system/#comments</comments>
		<pubDate>Sat, 13 Mar 2010 17:59:38 +0000</pubDate>
		<dc:creator>irv</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.chaosprg.com/blog/?p=364</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<p>I&#8217;ve been taking a class in computer forensics and, possibly because the textbook is very dull, sometimes my mind wanders to odd implications of what I&#8217;m reading. There are some known facts about most operating systems that work in favor of forensic investigators. For example, the contents of deleted files linger on a system, sometimes for a very long time. The traces can be found and reconstructed by someone with the right tools and know-how.</p>
<p>There are times when there are legitimate reasons to try to avoid this. The most widely known of these is when the defense department gets rid of old equipment. It&#8217;s important to wipe the data on a hard drive in such a way that it is close to impossible to recover, in order to protect defense secrets. And whatever porn and games the poor defense workers may have downloaded during lunch.</p>
<p>What about resistance members (assuming there are any) in totalitarian countries (assuming they can even get their hands on a computer)? Don&#8217;t they also have legitimate reason to hide the traces of what they&#8217;ve done? How about spies? When someone from a free country tries to gather hidden information in a totalitarian country (let&#8217;s say British spies in Iran, since the Soviet Union is gone and the CIA is not what it once was), being caught could mean torture and death. For them, having an operating system that reliably deletes evidence could literally be a life saver.</p>
<p>That was what got me thinking: wouldn&#8217;t it be good if those people had access to an operating system that automatically did things to protect their lives?<span id="more-364"></span></p>
<p>This is the same principle that is behind the advocacy in some areas of the widespread use of encryption and Internet anonymizing systems such as <a href="http://www.torproject.org/">Tor</a>. Less free countries may define things as crimes that those of us in more free places take for granted, things like advocating democracy, or buying and selling tools for free speech (It was said that in the old Soviet Union, a person needed a license to possess a typewriter), or practicing the wrong religion. Just as a thought experiment, I&#8217;m extending that idea to a range of other things.</p>
<p>Besides secure deletion, what other things would an operating system do to protect the life of its operator?</p>
<p>Obviously, anonymized Internet connections would be needed. That&#8217;s difficult. Network cards have built-in identifiers. It would be nice to forge those without specialized hardware. However, the IP address, a higher level identifier, is changeable and systems should change their IP frequently as well as forging the numbers whenever feasible (note: it&#8217;s not feasible if you need return traffic to find you. For outgoing email it may be possible, but you won&#8217;t get any sort of confirmation back).</p>
<p>Required encryption is important. Even two different users on the same computer should have absolutely no ability to read each other&#8217;s data without the correct passwords. I remember seeing on some awful TV mini-series about aliens, a character played by the wonderful Matt Frewer had rigged his computer so that it would execute something (I don&#8217;t remember what) if he failed to log in every 24 hours. On a business computer this would be highly inconvenient, but for a spy or &#8220;freedom fighter&#8221; it could really be a life saver to have the system automatically and securely delete a user&#8217;s entire account including all data if they did not log in after a specified period of time.</p>
<p>This is harder to do than it sounds. It can only be done if the system is running. If it is turned off, no dice. That means that the hardware needs to be set up to automatically boot up &#8211; on battery power if necessary &#8211; at least every 24 hours to check to see if accounts need to be deleted.</p>
<p>A related area of concern is the swap file (or paging file, depending on the system). Modern operating systems can&#8217;t keep all the data needed to operate all their running programs in memory at once. Instead, they write currently unused data to the hard drive and read it back in when needed. Typically, a system may be swapping some data out of memory and some other in many times per second. The problem is that there is data in this swap file that can be recovered and used against the owner of the system. Since it&#8217;s unlikely to create a workable system that does not use some form of swap file, the only answer I can think of is encrypting it with a one time key generated at boot up. This will inevitably slow down the entire system. Hopefully, things can be optimized to minimize the performance hit. For safety&#8217;s sake, the swap file should still be deleted (securely) whenever the system is shut down.</p>
<p>Even more importantly, though, the same swap file and encryption key should not be shared between different users. That means that logging out and logging in as someone else should not allow data written to swap by the previous user to be accessed in any way by the system during the new user&#8217;s session. The best solution to this problem is probably to force a complete reboot whenever switching users. This could be inconvenient in some ways but, so far, I haven&#8217;t thought of anything better.</p>
<p>Camouflage is important, too. In the kind of places where people will need this sort of system for the kinds of uses envisioned here, authorities might simply outlaw the operating system on the not completely insane assumption that whoever has it must be trying to hide something. So if the system is accessed without the correct passwords, it should pretend to be some more innocuous operating system, like Windows or Mac. It&#8217;s tempting here to have it pretend to be something really unusual, like BeOS or NeXT, but that would attract too much attention. We don&#8217;t want attention.</p>
<p>A real danger to one of these systems would be having someone copy the hard drive and examine it forensically without ever booting it up.  There is no complete defense against this, though some possible partial defenses include setting up the BIOS to refuse to copy data from user space (unless over the Internet, which is not nearly as desirable forensically) and putting a bomb inside the case.</p>
<p>Hmmm. This is sounding like a tough job. Good deletion is the <em>easiest</em> thing I&#8217;ve come up with so far. There&#8217;s probably a reason for this. For one, operating systems are hard. For another, most of the things people do take place above the OS level. Here&#8217;s a simple example: How about a web browser that keeps no cache and only records URLs in history and bookmarks that have nothing to do with places the user has visited? It may not be a great browser but it won&#8217;t give too much away about the user when the secret police examine it. You do have to take care that the list of fake URLs avoids sites that serve up malware, kiddie porn, and in some cases unapproved news and opinion. Of course, the way those lists can change, keeping the list &#8220;secret police safe&#8221; may be a tall order. Better not to keep any of this data at all.</p>
<p>One of my basic rules of thumb is that if I&#8217;ve thought of something, probably someone else has too. I haven&#8217;t ever run across research about such a super private OS but that could just mean I don&#8217;t look at the right journals. It could also mean that the problem is so hard it&#8217;s hardly worth the effort. Of course, if some agency such as the NSA has done this kind of research &#8211; which they should &#8211; someone on the outside like I am would never know.</p>
<p>Note to the NSA or other such interested agency: Feel free to offer me a really big grant to follow up on this kind of thinking. I don&#8217;t actually know much about OS programming but I can definitely think about it!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chaosprg.com/blog/2010/03/wanna-buy-a-spy-friendly-operating-system/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Meaningless Weakness Found &#8230;</title>
		<link>http://www.chaosprg.com/blog/2010/03/meaningless-weakness-found/</link>
		<comments>http://www.chaosprg.com/blog/2010/03/meaningless-weakness-found/#comments</comments>
		<pubDate>Sun, 07 Mar 2010 18:21:55 +0000</pubDate>
		<dc:creator>irv</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[infosec]]></category>

		<guid isPermaLink="false">http://www.chaosprg.com/blog/?p=360</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<p>It seems that everywhere I look lately there&#8217;s news about a new &#8220;weakness&#8221; found in the RSA algorithm. This has been reported with headlines screaming about the &#8220;severe&#8221; weakness and how everything in the universe that is encrypted depends on RSA. For examples of those rather overheated stories look <a href="http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/">here</a> and <a href="http://www.sciencedaily.com/releases/2010/03/100303162909.htm">here</a>.</p>
<p>Let&#8217;s have a moment of sanity please. The sky is not falling. The attack described depends on manipulating the power supply of the targeted system, making tiny changes in the voltage to generate bad output from the algorithm. It&#8217;s a very interesting attack technique but the actual risk of it happening in the real world is incredibly low. Anyone who can get close enough to manipulate the power to a unit can do lots of other much more interesting things to it.</p>
<p>In general, no one can get close enough to perform this kind of attack.  Locking the doors on the server rooms is a standard IT practice. You see, most criminals who get close enough to attach the equipment needed to play games with the power supply are much more likely to simply unplug it and steal the computer.  We guard against that sort of thing and, incidentally, against creative attacks on the power as well.</p>
<p>This is just one more example (in a nearly infinite list) of why the news should never be taken at face value. Read carefully. THINK. Apply salt liberally and move on to something less ridiculous.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chaosprg.com/blog/2010/03/meaningless-weakness-found/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Wisdom and a Google Fail</title>
		<link>http://www.chaosprg.com/blog/2010/02/social-wisdom-and-a-google-fail/</link>
		<comments>http://www.chaosprg.com/blog/2010/02/social-wisdom-and-a-google-fail/#comments</comments>
		<pubDate>Sat, 13 Feb 2010 19:42:33 +0000</pubDate>
		<dc:creator>irv</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[digital business]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://www.chaosprg.com/blog/?p=352</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<p>The big tech story of the week is the one about Google making people mad with its new &#8220;Buzz&#8221; service. The most interesting aspect of this story is that <em>everyone</em> seems to have gotten it wrong.</p>
<p>Here&#8217;s the short version of the story: Google has some new social media application that makes all your email contacts into &#8220;friends&#8221; in the social networking sense and a lot of people objected to that, claiming that email contacts should be kept private, not advertised to the world as a friends list. This is stupid on so many levels &#8211; Google, their users, all the &#8220;analysts&#8221; &#8211; it&#8217;s hard to know where to start. So I&#8217;ll start at the beginning as far as I knew it.</p>
<p>The other morning, as I do most mornings, I brought up my gmail account and glanced to see if there was anything new. There was some kind of banner or thing about something called &#8220;Buzz.&#8221; I immediately thought &#8220;Hmm. Could this be a whack at Yahoo&#8217;s boring Buzz bookmarking service?&#8221; But no. I saw that my boss had already been there and made a comment. I also saw that to reply to his comment I had to create a &#8220;profile&#8221; that would make all of my email contacts into friends who I could then get Buzzy with, or some such thing.</p>
<p>I decided not to create the profile because I don&#8217;t use my gmail account for general email purposes. I have a yahoo account for that. My gmail account is mostly for poetry and other writing. I use it to communicate with the members of the Science Fiction Poetry Association, a lot of editors and a few close friends and family. It&#8217;s the kind of account that &#8211; intentionally &#8211; receives the kind of joke emails that people forward all the time. In other words, while it&#8217;s a public address, I tend to use it for more private purposes.</p>
<p>Weirdly, Buzz shows that I have 6 followers, including 4 who do not have public profiles &#8211; which I also do not have. How do you follow someone who does not have a profile to follow? And if you don&#8217;t have a profile, how is it possible to follow someone else without a profile? What the hell is going on here?<span id="more-352"></span></p>
<p>Anyway, notice the one interesting bit here: The complaint the privacy advocates have is that this new Buzz thing is advertising information people want kept private and that Google should have given them more warning of that fact. Google <em>did</em> give warning &#8211; enough that I decided not to sign up for the thing (but it still tells me there&#8217;s new stuff for me to look at there, which I find truly annoying). But, apparently, a lot of people failed to notice the warning and are mad AT GOOGLE FOR THEIR OWN FAILURE TO READ.</p>
<p>Don&#8217;t take my word for it. Here are some links to stories about privacy concerns with Gmail Buzz:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2010/02/11/google_buzz_privacy/">http://www.theregister.co.uk/2010/02/11/google_buzz_privacy/</a></li>
<li><a href="http://www.businessinsider.com/warning-google-buzz-has-a-huge-privacy-flaw-2010-2">http://www.businessinsider.com/warning-google-buzz-has-a-huge-privacy-flaw-2010-2</a></li>
<li><a href="http://abh-news.com/google-buzz-privacy-issues-for-gmail-users-1126.html">http://abh-news.com/google-buzz-privacy-issues-for-gmail-users-1126.html</a></li>
<li><a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/02/12/AR2010021201490.html">http://www.washingtonpost.com/wp-dyn/content/article/2010/02/12/AR2010021201490.html</a></li>
</ul>
<p>Believe it or not, this was highly predictable. At a previous job I used to take help desk calls sometimes (It wasn&#8217;t exactly my job but it had to be done). One of the things I found amazing was how often someone would call up complaining about an error message when they tried to do something and then not know what the error message was. The conversation went something like this:</p>
<p>Idiot User: &#8220;Hi. I&#8217;m trying to use [name application here] and it doesn&#8217;t work.&#8221;<br />
Me: &#8220;What do you mean it doesn&#8217;t work? Does it give you an error message?&#8221;<br />
Idiot User: &#8220;Yeah. It does.&#8221;<br />
Me: &#8220;What does the error message say?&#8221;<br />
Idiot User: &#8220;I don&#8217;t know. I just clicked okay.&#8221;</p>
<p>Of course, it&#8217;s impossible to diagnose a problem when the only symptom is that you clicked okay, but that&#8217;s not important right now. What&#8217;s important is that it is perfectly and absolutely normal for people to look for that little &#8220;okay&#8221; button and click it WITHOUT READING ANYTHING ELSE. For Google&#8217;s Gmail Buzz and any other service anyone ever wants to create, the implication of this long standing and widely known user behavior is that people will almost always accept the defaults, even if it is not in their best interests to do so.</p>
<p>As Facebook has shown many times and Google has proved yet again, when people accept the defaults without even looking at them and later find out there was something about those defaults they didn&#8217;t like, THEY&#8217;LL BLAME YOU, NOT THEMSELVES. Therefore, as Facebook has had shoved in their faces over and over again, forcing users to opt in instead of allowing them to opt out, saves you a lot of bad publicity and hassle down the road.</p>
<p>Yes, the users messed up by not reading. Google&#8217;s even bigger mistake was expecting the users to read in the first place (btw: This is an easy mistake to make and despite having articulated the lesson here, I can not claim to be too smart to be immune from this same error. Funny, huh?)</p>
<p>But there&#8217;s more that Google did wrong on this one and to understand that, we need to spend a few words discussing social networking theory and practice. Most of the world was introduced to social networking by websites like MySpace, Facebook and Twitter. However, the theory of social networks is not new nor is it restricted to the Internet. The social sciences have long studied the way humans form associational networks and how information and influence travels along those networks.</p>
<p>Also, completely independent of social networking websites, there has long been interest in the way email can be used to learn about a person&#8217;s social network. Who do you receive the most emails from? Who do you send the most emails to? A lot can be learned about relationships by studying these things.</p>
<p>I was first exposed to these ideas years ago when I was testing a demo of software being sold to law enforcement as an aid to complex investigations. One of the things the software did was take phone records as input and produce a visual depiction of communication patterns. The idea was that this was how police could find out who was really running the gang they were investigating (though really it would only discover who was running the operations, rather than who was calling the shots but that&#8217;s another story). The application to email is obvious.</p>
<p>And this is where Google really tripped up. They have wanted to get involved in the social networking arena for some time (check out orkut.com, for example) but have never found anything that caught fire. Then some genius found out about social science research into using email to examine people&#8217;s social networks and thought, &#8220;Hey! We&#8217;ve already got all their social network info! All we have to do is start using it!&#8221;</p>
<p>This completely overlooked an aspect of email that comes up very often when dealing with users (yes, back in my pseudo help desk days): The expectation of privacy. The upshot is that, no matter how many times you tell people that the company reserves the right to monitor their communications, and no matter how often you explain to them that nothing on the internet is truly private, people still think of their email as being private communications. They put their most personal stuff into email, things they wouldn&#8217;t want anyone else to know about.</p>
<p>It&#8217;s not all just forwarded jokes. It&#8217;s stuff that gets dragged into court in cases of sexual harassment, divorce, fraud, product tampering, negligence, even murder (In an unusual twist to that with immense privacy implications, see <a href="http://news.bbc.co.uk/2/hi/8407946.stm">here</a>). Everything people would ever talk about, and anyone they would ever talk to, can be discovered in their email, including their deepest and most humiliating secrets.</p>
<p>Even people who don&#8217;t have humiliating secrets to hide can be very touchy about their email. Even if they only use it for work, that doesn&#8217;t mean they want the boss reading it. The flip side to privacy is trust. When someone snoops into someone else&#8217;s email, or their contacts, or their desktop files, or whatever, the person whose stuff is being snooped feels distrusted. The response is generally anger.</p>
<p>Contrary to the popular formulation, privacy is important to nearly everyone, not just those who have something to hide. And by exposing people&#8217;s email contacts in one huge batch, Google ran head on into this deep need for privacy. They got anger in return. This is the real story. It&#8217;s not that Google failed to display their instructions in neon with all kinds of opt in notices to force people to think about what they were doing. It&#8217;s that by touching email AT ALL, Google made people worry about who they trusted and who trusted them. Consequently, Google lost trust from some of its users.</p>
<p>In this particular aspect, the users are not at fault. Google made the enormous mistake of thinking of email as a resource to be leveraged. Ironically, they tried to develop a social networking feature without giving enough thought to the social context.</p>
<p>The really funny part about this is that they needn&#8217;t have bothered. My second thought when I first saw that there was such a thing as Gmail Buzz, was, &#8220;I already have this stuff on Facebook. I don&#8217;t need yet another social network.&#8221;</p>
<p><strong>UPDATE (same day):</strong> I found a link wayyyyy down at the bottom of my gmail page that said &#8220;turn off buzz.&#8221; So I did. That&#8217;s one annoyance out of the way!</p>
<p><strong>UPDATE 2 (also the same day):</strong> How did I get all the way through this post without commenting that the backlash on this issue was like Google walked into a buzzsaw?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chaosprg.com/blog/2010/02/social-wisdom-and-a-google-fail/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Incident Response For Fun and</title>
		<link>http://www.chaosprg.com/blog/2010/02/incident-response-for-fun-and/</link>
		<comments>http://www.chaosprg.com/blog/2010/02/incident-response-for-fun-and/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 16:59:35 +0000</pubDate>
		<dc:creator>irv</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[geek stuff]]></category>
		<category><![CDATA[infosec]]></category>

		<guid isPermaLink="false">http://www.chaosprg.com/blog/?p=344</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<p>In a computer forensics class I&#8217;m currently taking, we studied a federal document that goes into great detail about how to handle computer security incidents. Malicious code, intrusions, denial of service attacks, the whole gamut of computer/network events that can cause an organization trouble. The document, put out by the National Institute of Standards and Technology, is called the Computer Security Incident Handling Guide (aka <a href="http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf">SP800-61</a>) and it is some of the most useful, albeit hideously boring, reading currently available for IT professionals.</p>
<p>However, useful and wonderful though it is, I have some problems with this publication. There is very little I can point to and say, &#8220;This is wrong.&#8221; It covers a lot of territory in an organized way. It gives good advice. Yet I find the total effect to be unsatisfying. Sure, any organization that implements all of the recommendations in this document will be well protected and very capable at responding to incidents when they happen. The trouble is that no organization on Earth is ever going to implement ALL of the recommendations. I don&#8217;t think there is enough trained manpower or enough time or money in the world to ever achieve the level of protection detailed (I could even say mind-numbingly detailed) herein.</p>
<p>There is discussion of plans, policies and procedures, guidelines and knowledge bases. The document includes checklists and tables, incident categories and even a marvelous equation for rating the severity of an event. It&#8217;s all very complete and very thorough and, as I said, all very sound and reasonable.</p>
<p>I just can&#8217;t imagine it can possibly work in practice.</p>
<p><span id="more-344"></span></p>
<p>Maybe it&#8217;s just me, but I think that when your computers have been compromised, the last thing you want is to run to a file cabinet (or open a password protected pdf, or pull out your cheat sheet) and look for the correct checklist or procedure (Wait! Do we want the procedure or the plan at this point? What&#8217;s the policy on that?) for figuring out what you have. Or are we in the containment phase now? I hope someone knows because the training budget on that was cut last year before all of our people could take the class. Come to think of it, they cut a bunch of our people, too.</p>
<p>Time and manpower are two of the real world influences that I think damage the implementation of this very idealized (if intense bureaucracy is your ideal) approach to incident handling. In the real world, incident reporting often comes down to, &#8220;Hey! The server is acting funny. Andy, what did you do?&#8221; (Real life example). And the responder (in this case a hypothetical server jockey/help desk/programmer/janitor named Andy) begins learning about incident handling AT THAT MOMENT.</p>
<p>Yes, this real world system is screwed up. If it could be implemented, SP800-61 would be an improvement over this ad hoc &#8220;OMG! What do I do?&#8221; system. If it could be partially implemented, it would be an improvement. That&#8217;s what got me started thinking. In even a well funded organization, implementation of these recommendations will take a concerted effort over a period of years. This increases the chances of overall failure (to about 99%) while still giving at least some benefit.</p>
<p>That&#8217;s what got me thinking. One of my problems with the whole system is the incredible emphasis on up front paperwork. Policies, plans and procedures certainly seem important but they take a lot of time to write and in the real world no one reads them. Or else one or two people read them when they first come out and then argue over what they said (or how they should be interpreted) when it&#8217;s time to follow them. This is one of the huge flaws in bureaucracy. In order for it to function, everyone has to be a lawyer. That&#8217;s not what you want when some hacker has broken into your systems and is stealing all your customers&#8217; credit card numbers.</p>
<p>Yet, decisions have to be made at some point and planning them up front is important. Can we balance that with the real world?</p>
<p>Tax software offers some potential help for all sorts of paperwork problems, including this one. It would be helpful if there was a tool that could ask some simple questions (Is the file system encrypted? What are the most critical servers? How much monetary damage should there be before you call the lawyers?) and store them for retrieval at the right time. That would be interesting.</p>
<ul>
<li>Computer: &#8220;Are you experiencing a hacking incident now?&#8221;</li>
<li>Me: &#8220;YES!!&#8221;</li>
<li>Computer: &#8220;How many servers/workstations are compromised?&#8221;</li>
<li>Me: &#8220;How the hell should I know? I just walked in the door and found 30,000 alerts from the Intrusion Detection System in my email!&#8221;</li>
<li>Computer: &#8220;If you do not know, click <span style="text-decoration: underline;">here</span> for guidance on how to run a scan on each system. Would you like to watch a video about liability issues?&#8221;</li>
<li>Me: &#8220;NO! I want to kill the SOB!&#8221;</li>
<li>Computer: &#8220;I&#8217;m afraid I can&#8217;t do that, Dave.&#8221;</li>
</ul>
<p>Well, there may be some bugs to work out in this system. The basic idea, though, is to ditch some of the grunt work of generating paperwork that no one will read in favor of something that can answer people&#8217;s questions when they come up. This is a massive undertaking. As I type this, I&#8217;m thinking about starting a wiki or writing a survey program (or a combination of both) to start the ball rolling on this. The trouble is, like everyone else in the IT world, I doubt I have enough time to sustain the effort. I feel like I should take a stab at it though, simply to prove that I&#8217;m not just a complainer. Still, complaining <em>is</em> easier.</p>
<p>Anyway, the planning software idea only addresses part of the problem. Setting up the systems that SP800-61 quite reasonably recommends (IDS and centralized logging, for example) is to my mind much more important than doing the paperwork (which is probably why I&#8217;m not in management). There are lots of those kinds of things that should be tackled too and they can&#8217;t be done all at once.</p>
<p>I&#8217;m thinking that in this instance an approach similar to agile development would be helpful. Pick a short period of time (say 2 weeks). Pick a task (getting anti-virus software on all the servers, or doing a penetration test of the web server, or centralizing the logging for X number of machines, whatever). Do the task. Tell the software it&#8217;s done and move on. Yes, I&#8217;m (in my head) integrating actual practices into the incident response assistance tool (IRAT &#8211; note to self, come up with a better acronym). This way, during an event, the tool can provide guidance on responding, not just on paperwork.</p>
<ul>
<li>Me: &#8220;I have a report of suspicious activity on the web server&#8221;</li>
<li>Computer: &#8220;You have few possible actions: Centralized logging is not enabled. File system integrity checking is not enabled. What have you been doing all this time, moron?&#8221;</li>
</ul>
<p>Keeping the software up to date can be as much of a nuisance as filling out paperwork, of course. So the next step in this plan (besides teaching the computer better manners; I always have trouble with that part) is to set it up to allow people to enter data by voice. From their iPhone.</p>
<p>Then we just have to get management to pay for the phones and the voice software and the IRAT software. Maybe paperwork <em>is</em> the better way to go.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chaosprg.com/blog/2010/02/incident-response-for-fun-and/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security, Control and the Future of Everything</title>
		<link>http://www.chaosprg.com/blog/2010/01/security-control-and-the-future-of-everything/</link>
		<comments>http://www.chaosprg.com/blog/2010/01/security-control-and-the-future-of-everything/#comments</comments>
		<pubDate>Sun, 03 Jan 2010 20:45:39 +0000</pubDate>
		<dc:creator>irv</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[digital business]]></category>
		<category><![CDATA[media]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[freedom]]></category>
		<category><![CDATA[infosec]]></category>

		<guid isPermaLink="false">http://www.chaosprg.com/blog/?p=300</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<p>Two unrelated things clicked in my head today as actually being related on a theoretical level. Thing one: I spent some time the other day looking over the websites of some potential vendors. I&#8217;ve done this sort of thing lots of times before. As per usual, I was unimpressed by the websites themselves (which may or may not say much about the company itself). Thing two: Someone cracked the algorithm for cell phone signal encryption (really a sort of hiding) and released the crack to the internet. Both these things show the conflict between the old industrial era way of doing things (let&#8217;s call it web 0.5) and the newer Twitter-ified way of doing things (web X.0). It tells us a lot about the changing generations and the growing struggles of the information age.</p>
<p>After that slightly pompous lead in, it&#8217;s tempting to just stop but I&#8217;ll add some detail, starting with the cell phone encryption code, which is a pretty big deal news-wise. The biggest weakness of cell phone security &#8211; and it&#8217;s a very big weakness &#8211; is that, in order to work, cells broadcast their signal in all directions at once. It&#8217;s not like the old fashioned landline phones that send their signal down a wire. In order to intercept the signal of one of those old phones, you have to tap the physical wire. In order to intercept a broadcast signal, on the other hand, you just need to be within range with the right equipment.</p>
<p>For a couple decades now, most cell phones have attempted to evade broadcast interception by (somewhat) randomly changing frequency multiple times during every transmission. That way it&#8217;s very hard to intercept more than a single tiny portion of the signal, hopefully too tiny a portion to make sense out of the message. The flaw in this scheme is that for the message to be received, the other end (the cell tower) must be able to follow all the frequency hops and put the complete transmission back together. So both ends need to be synchronized. True randomness is impossible.<br />
News came out the other day that Karsten Nohl, a researcher with the A5/1 security project, has developed a way to crack that frequency hopping protection and released it to the public (See <a href="http://www.digitaltrends.com/mobile/german-researcher-publishes-gsm-encryption-crack/?news=123">here</a> and <a href="http://www.enterprise-security-today.com/story.xhtml?story_id=70851">here</a> and especially <a href="http://reflextor.com/trac/a51">here</a> or just google &#8220;GSM crack&#8221; for a horde of other sources). The first question that came up was, &#8220;Is it ethical to make dangerous information public?&#8221; This is an old debate in security circles. On one side are the people who believe that it is always wrong to make life easier for hackers, that keeping systems and methods secret is an essential part of protection. On the other side (and the side I&#8217;m on) are those who say that secrecy gives mostly the illusion of protection and that learning from failures is an essential tool to building better systems.</p>
<p>But there&#8217;s another, more basic, way of looking at this conflict, which brings me to the other thing I mentioned, looking at the websites of vendors. What the vendors were for is unimportant. What is important is that I found all of the websites to be visually very nice, sometimes using state of the art technology, professionally designed and almost completely devoid of useful information. I&#8217;ve done these sorts of surveys numerous times both as part of my job and through the course of formal education and there is nothing unusual about these findings.</p>
<p>Companies tend to design their websites as very fancy advertising brochures. They have a link for investors. They have a link to logos or names of famous clients. They have a link to information about &#8220;our team&#8221; or some such. They may have a link to their blog, though it&#8217;s not much like a real blog because it contains almost exclusively corporate cheerleading and marketing approved advertising copy. They might have a link to a twitter stream but that&#8217;s just another promotion channel to them. What they don&#8217;t have is the kind of information customers really want and that was once envisioned as being available through means like Amazon customer reviews and ratings. There&#8217;s no way to find out anything about the products, services or company that is not directly approved as part of the &#8220;corporate message.&#8221;</p>
<p>Ten years ago none of this would have been a big issue. Companies were considered to be riding the wave of Internet innovation if they had a website <em>at all</em>. The marketing brochure approach to web communication was considered a professional and effective thing to do. This is no longer true on an Internet where Facebook and Twitter are generating more traffic than every other corporate website combined. But note my criticism above of the way that blogs and twitter feeds are usually implemented. Even when they do them, they don&#8217;t do them in a way that seems to me to give people what they want: Actual communication.</p>
<p>If you&#8217;re one of those people who says things like, &#8220;I don&#8217;t get Twitter. Who cares what you&#8217;re about to have for lunch?&#8221; you may have a future in corporate communications &#8211; if there is such a future to be had. Because what ties together the current state of corporate websites AND the hacking of 20 year old cell phone code AND the debate over disclosure vs secrecy is the thing that seems to me to separate a successful Internet presence today from the methods and even personalities of the last century:</p>
<p><strong><span style="color: #008000;">The old way emphasizes control. Control of the message. Control of presentation. Control of the program code and the way people interact with the product and the other people. The new way demands giving up a large measure of control in favor of more fluid and fluidly evolving communication.<br />
</span></strong><br />
I highlighted that point because I believe it is key to success on the Internet as it is developing and is something even very large companies need to understand and cope with over the coming years. Probably because of the presence of the Internet in their lives, younger people seem to be much more likely to take the <em>less control is better</em> side of most issues (we&#8217;re talking about technology and interacting with others and with companies, here, not about politics). This has profound implications for the future, both near term and long term.</p>
<p>It means, I believe, that attempts to maintain complete control over the corporate message or even over source code of products are, over time, going to become harder to do (there will be leaks and hacks) and more repugnant to the public. As the older generations (i.e. mine) grow old, retire, die, the people who will become the prime consumers and decision makers will have lived most of their lives under the assumption that the old levels of control are both impossible and undesirable. Sure, as they age, they will want more control. But they will be aiming at a lower bar than previous generations. Someone who grew up with twitter will <em>never</em> have the same view of communications (corporate or otherwise) as people who used to buy newspapers printed on physical paper.</p>
<p>I mentioned newspapers for a reason. I believe the failure to understand the loss of control is one of the central problems the newspaper industry has right now. I don&#8217;t know the answer yet but, hopefully, I&#8217;ve framed the problem in a way that will help people work on that.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chaosprg.com/blog/2010/01/security-control-and-the-future-of-everything/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Above the Trenches</title>
		<link>http://www.chaosprg.com/blog/2009/12/above-the-trenches/</link>
		<comments>http://www.chaosprg.com/blog/2009/12/above-the-trenches/#comments</comments>
		<pubDate>Sat, 19 Dec 2009 20:31:02 +0000</pubDate>
		<dc:creator>irv</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[defense]]></category>

		<guid isPermaLink="false">http://www.chaosprg.com/blog/?p=283</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<p>According to the Wall Street Journal, up until recently the United States Air Force was too stupid to encrypt the video feed from attack drones such as the predators used in Afghanistan and Iraq.</p>
<p>I know that sounds harsh. Maybe it&#8217;s even too harsh. Let&#8217;s look at the story (original report <a href="http://online.wsj.com/article/SB126102247889095011.html?mod=WSJ_hpp_LEFTTopStories">here</a>) and see how it develops. The short version is that sometime &#8220;late last year&#8221; (apparently December 2008) the computer of a captured Shiite fighter in Iraq was found to contain video from U.S. aerial drones. In July, more of these intercepted videos were found. The WSJ report claims that the interception was done with (or with something like &#8211; the writing is unclear) <a href="http://www.skygrabber.com/en/skygrabber.php">Skygrabber</a>, software advertised as intercepting satellite transmissions of various file types. The price on the website is $45.95 (apparently was $26.95 a few days ago. Did they raise the price to capitalize on increased demand due to the publicity?).</p>
<p>According to the WSJ report, the Air Force has understood that these feeds were vulnerable to interception since the 1990s but did not do anything to encrypt them because a) It costs a lot of money and b) This kind of interception is too hard for the primitives we fight against anyway. (Okay, I&#8217;m paraphrasing, but the gist seems accurate.)</p>
<p>In their defense, Skygrabber probably did not exist in the 1990s. The Internet was less developed in those days too. According to <a href="http://defensetech.org/2009/12/17/drone-video-hacks-the-cyber-war-salvo/">Defense Tech</a> the Global Information Grid used by the U.S. military to transfer data is 25 years old. One consequence of this is that security measures that are considered basic today are completely lacking. Defense Tech estimates that upgrades needed could run to $65 billion over the next three years.</p>
<p>Hackers work faster than that.</p>
<p>There are some points about this story that should be considered.</p>
<ul>
<li>Headlines (including the WSJ one) claiming that drones had been hacked are incorrect. There is no evidence in the report that the drones themselves were in any way compromised. The video feed was transmitted by wireless communication (i.e. radio) and was intercepted out of the open air. This is one of the inherent weaknesses of broadcast media. It will not be resolved by encrypting the video. More on that in a bit.</li>
</ul>
<ul>
<li>No software can intercept radio signals on its own. There has to be specialized hardware to grab the signals. The software then filters and interprets them. This means the $26.95 price tag mentioned is misleading. An interception system, including an antenna and satellite modem (external or, more likely, an internal card), had to be purposely built in order for the software to do its job. I have little knowledge of this particular equipment but a very brief Google search on satellite cards found $129 to be a common price, though (of course) they can cost much more. Likewise, a quick search on satellite dishes found prices ranging from $54.95 to $1,000. (Note: I am not qualified to judge whether any of the items found in these searches is truly suitable for the purpose. Does someone have a <em>Drone Feed Hacking for Morons</em> book I can borrow?) None of this is hideously expensive but it raises the price considerably above what was reported in the WSJ.</li>
</ul>
<ul>
<li>The WSJ reports the Air Force is working on upgrading hardware to encrypt the drone transmissions. This is good but insufficient for two reasons:</li>
</ul>
<ol>
<li>Any encryption can be broken. The only question is how long it will take. If it takes 20 years to break the encryption on a video feed, it is probably secure enough for battlefield conditions. However, there is no guarantee that some new development (such as cloud computing or even quantum computing) won&#8217;t make it possible for a determined and well financed enemy to cut the timeline down a great deal. Also, the more a particular encryption key is used, the easier it becomes for attackers to find patterns that can allow them to break it. The encryption used for the drone feeds must be strong, have strong, frequently changed, keys, and must be amenable to upgrades, or it is guaranteed to be worthless in the long term.</li>
<li>Even if you can&#8217;t decrypt a feed, if you can catch it, then you know that there is a source nearby. It is quite possible that enemies could use several stations working together to triangulate the location of a drone and destroy it. In this case, there would be no further need to decrypt the transmission, would there? For this reason, the signal should also be masked with frequency hopping or some other method that makes it difficult to intercept.</li>
</ol>
<p>It is entirely possible that the Pentagon is pursuing all of these solutions. The WSJ report does not say so but even unnamed sources may feel the need to protect some secrets in the name of national security. If these considerations are not being dealt with, then someone is not doing their job.</p>
<p>Someone didn&#8217;t do their job in the first place. Expecting enemies to stand still rather than do their best to respond to the technologies arrayed against them is idiotic. Any web system administrator can attest that hackers are constantly developing new ways around existing defenses. Would people whose lives are on the line do less?</p>
<p>This is why I am so harsh in my judgment of the people who allowed drone feeds to go unprotected for at least 10 years. Unfortunately, this level of negligence is normal throughout information technology. The attitude of too many managers is, &#8220;Well we haven&#8217;t been hacked yet, so our security must be strong enough. Anyway, why would anyone even bother?&#8221; The trouble with that attitude, as the military has discovered, is that the time lag between when you are hacked and when you find out about it may be years. The days when hackers were satisfied with defacing a web page with pictures of marijuana and insulting messages are long gone. Some still do that (as in the recent <a href="http://news.cnet.com/8301-1023_3-10418140-93.html">Twitter hack</a>) but when they grow up there are far more satisfying and often profitable ways to use those skills.</p>
<p>One last point that I hesitated to include because it is so speculative:</p>
<ul>
<li>SkyGrabber appears to be Russian software. Does this mean that the other side in Iraq and Afghanistan is getting technical assistance from the Russians? Answer: No, of course it doesn&#8217;t mean that. Anyone can buy this software. They take Paypal. On the other hand, if I worked for the DIA, I would be very curious about the development of the technical expertise to use this software among enemies who do not have a deep R&amp;D establishment, the way the U.S. and other countries do. Much of the opposition in Afghanistan and Iraq has been backed by Iran. And the Iranians do have considerable technical/computer/Internet expertise (see Google search <a href="http://www.google.com/search?q=iran+cyber+warfare">here</a>) and they do have some ties to the Russians. There is no evidence here of some deep dark conspiracy but those people whose job it is to be paranoid about such things should still look into it.</li>
</ul>
<p>It&#8217;s time to be serious about cyber defense. And it&#8217;s time for the military to remember rule 1 of warfare: Never underestimate the enemy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chaosprg.com/blog/2009/12/above-the-trenches/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>When Geeks Make War</title>
		<link>http://www.chaosprg.com/blog/2009/12/when-geeks-make-war/</link>
		<comments>http://www.chaosprg.com/blog/2009/12/when-geeks-make-war/#comments</comments>
		<pubDate>Fri, 04 Dec 2009 03:38:16 +0000</pubDate>
		<dc:creator>irv</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[cyberwar]]></category>

		<guid isPermaLink="false">http://www.chaosprg.com/blog/?p=273</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<p>Cyberwar and related issues have been in the news lately. Since the cyber attacks on Estonia during the Russian invasion of 2007 (see <a href="http://www.chaosprg.com/blog/2009/03/the-coming-cyberwars/">here</a> and <a href="http://www.chaosprg.com/blog/2009/03/cyberwars-redux/">here</a>) the topic is popular. Maybe even almost sexy.</p>
<p>Since there are lots of news articles lately (mostly without much substance, but there are a few links at the bottom of this post if anyone&#8217;s interested) I&#8217;ve been giving the subject some thought. The first thing I think about it is that fears are somewhat overblown. To date, I am not aware of even one confirmed case of a cyber attack actually killing anyone. That&#8217;s what war is about, remember. Even in Estonia, the cyber attacks were much less of an issue than the Russian tanks.</p>
<p>This doesn&#8217;t mean cyberwar can&#8217;t cause problems, including problems for the military. Cyber attacks can be used to target communications, to block (or alter) global positioning systems (see this <a href="http://infoscience.epfl.ch/record/134638">report</a>) and possibly change the behavior of critical infrastructure items like dams and nuclear power plants. In the near future it may be able to cause traffic jams or accidents, make hospital systems go haywire, redirect ships and planes and many other potentially devastating things. At least those are some of the potentials. Fortunately, none of that potential has yet been reached.</p>
<p>Yet.<br />
The second thing I think about cyber attacks is, how do you make sure to get the most (virtual) bang for the buck? Not, how do you know if your cyber attack worked, but how do you know how <em>well</em> it worked?</p>
<p>In non-cyber war, there is always uncertainty about results. The enemy doesn&#8217;t send you an email saying, &#8220;That last bombing raid killed 47 people, wounded 24 more and crippled 11 tanks. Thanks for the memories.&#8221; So you have to estimate results. In the cyber world, as with nearly everything else computer related, there is probably the chance to acquire and analyze much more data than in the real world.</p>
<p>Simple example. The enemy has a web site (it can be any enemy. Doesn&#8217;t even have to be countries at war. Companies can do cyberwar, too. It&#8217;s cheaper than regular war, you know). It&#8217;s a site that they use to get updates on emergency procedures. So if you bring it down, there will be increased confusion when the emergencies happen. They could be physical emergencies (tanks) or cyber emergencies (every traffic light in the country has just been turned green and then the controlling computer frozen).</p>
<p>The attack is going to be a denial of service attack. We want the web site to be unavailable. That&#8217;s great. Lots of people know how to do DoS attacks. But how many people probe the web site response times every 10 seconds for a week, starting before the attack and continuing until it is over? Hackers might be satisfied with &#8220;We brought the sucker down, dude!&#8221; But warriors need to know how far down (did it freeze completely or was it just really slow?) and for how long. They may also want to see exactly when the enemy responses begin to kick in (router rules can often be used to mitigate this kind of attack) and alter the attack method to compensate, or maybe abandon it and devote the resources to another target.</p>
<p>See, cyberwar isn&#8217;t just hacking for your country. It&#8217;s WAR.</p>
<p>Being a lifelong computer geek, I find this idea of measuring the effect on the targets extremely interesting. Just for something to do (that&#8217;s just a figure of speech. I have plenty to do!), I designed a small program to repeatedly get the load time from a web site and log it to a database, with a running analysis of how much it is degraded from some pre-determined baseline (cyberwar requires reconnaissance just like regular war) with (fake) recommendations to add servers to the attack stream if the load time is too fast.</p>
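<p>The measurement the two paragraphs above describe (load time against a pre-determined baseline, how far down, for how long, and when mitigation kicks in) is the same one a defender runs to detect and time an availability incident. The following is an added example written from that monitoring side; it is not the author&#8217;s program. The probe readings are constructed for the demonstration, and the 3x degradation threshold is an assumption.</p>

```python
"""Availability baseline monitor (added example, not the post's program).

Implements the measurement the post describes from the defender's side:
compare each probe's load time with a known-good baseline, group degraded
probes into episodes, and report how far down, for how long, and when the
site recovered (i.e. when mitigation took effect)."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

# Constructed probe log, one probe every 10 seconds as in the post:
# (seconds since monitoring started, page load time in seconds, or None
# when the probe timed out).  Values are made up for the demonstration.
PROBE_INTERVAL = 10
SAMPLE_PROBES: List[Tuple[int, Optional[float]]] = [
    (0, 0.21), (10, 0.19), (20, 0.23), (30, 0.20), (40, 0.22), (50, 0.18),
    (60, 0.95), (70, 2.40), (80, None), (90, None), (100, None),
    (110, 4.10), (120, 1.30), (130, 0.40), (140, 0.24), (150, 0.21),
]


@dataclass
class Episode:
    """One contiguous run of degraded probes."""
    start: int                    # first degraded probe (seconds)
    end: int                      # last degraded probe (seconds)
    outages: int                  # probes that timed out entirely
    worst_ratio: Optional[float]  # max load_time / baseline; None if every probe timed out
    recovered_at: Optional[int]   # first healthy probe after the run; None if still degraded

    @property
    def duration(self) -> int:
        """Seconds from first to last degraded probe, counting the last interval."""
        return self.end - self.start + PROBE_INTERVAL


def baseline_from(probes, n: int = 6) -> float:
    """Median of the first n successful load times: the 'known good' figure
    the post calls the pre-determined baseline."""
    good = [t for _, t in probes[:n] if t is not None]
    if not good:
        raise ValueError("no successful probes to build a baseline from")
    return median(good)


def is_degraded(load_time: Optional[float], baseline: float, threshold: float) -> bool:
    """A timed-out probe is always degraded; a slow one counts once it is
    `threshold` times the baseline (the threshold value is an assumption)."""
    return load_time is None or load_time / baseline >= threshold


def find_episodes(probes, baseline: float, threshold: float = 3.0) -> List[Episode]:
    """Group consecutive degraded probes into episodes.  Answers 'how far down'
    (worst_ratio, outages) and 'for how long' (duration, recovered_at)."""
    episodes: List[Episode] = []
    current: Optional[Episode] = None
    for ts, load_time in probes:
        if is_degraded(load_time, baseline, threshold):
            if current is None:
                current = Episode(start=ts, end=ts, outages=0,
                                  worst_ratio=None, recovered_at=None)
            current.end = ts
            if load_time is None:
                current.outages += 1
            else:
                ratio = load_time / baseline
                if current.worst_ratio is None or ratio > current.worst_ratio:
                    current.worst_ratio = ratio
        elif current is not None:
            current.recovered_at = ts      # first healthy probe: mitigation took effect
            episodes.append(current)
            current = None
    if current is not None:               # log ends while still degraded
        episodes.append(current)
    return episodes


def summarize(probes, threshold: float = 3.0) -> dict:
    """Report baseline, episodes and total degraded seconds for a probe log."""
    baseline = baseline_from(probes)
    episodes = find_episodes(probes, baseline, threshold)
    return {
        "baseline": baseline,
        "episodes": episodes,
        "degraded_seconds": sum(e.duration for e in episodes),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_PROBES)
    print(f"baseline load time: {report['baseline']:.3f}s")
    for e in report["episodes"]:
        worst = "timed out" if e.worst_ratio is None else f"{e.worst_ratio:.1f}x slower"
        print(f"degraded {e.start}s..{e.end}s ({e.duration}s, {e.outages} timeouts, "
              f"worst {worst}), recovered at {e.recovered_at}s")
```

On the constructed log this reports one episode from 60s to 120s (70s long, three complete timeouts, worst 20x slower than baseline) with recovery at 130s; a log that ends mid-episode reports `recovered_at` as None, which is the case an on-call alert should fire on.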
<p>Web site load time is the easy metric. How much email has been degraded takes much more sophisticated measures. Tracking the damage done by targeted viruses and trojans (oooooh! Cyber &#8220;bio&#8221; war!) is going to be more interesting. Malicious code of that kind can be programmed to &#8220;phone home&#8221; but that increases the likelihood that the victim of the attack will find out where home is and launch a counter attack. Therefore, gathering information must be done carefully.</p>
<p>Information gathering can be done in a lot of ways. There are companies that will gather information from blogs, Twitter and similar web sources to tell you what people think of your company. Such sources could definitely be adapted to gather information about an attack. The trick is having something where you can just enter some attack parameters, rather than re-writing half the code for every attack. This is the computer age. You want to automate as much of the work as possible.</p>
<p>The eventual goal is to combine several of these measures and show a single view of how badly the target has been hurt. A damage dashboard, if you will.</p>
<p>If anyone would like to give me a grant to work on this rather than just theorizing, please get in touch. All offers will be seriously considered. Who knew cyberwar could be so much fun?</p>
<p><strong>Recent cyberwar news links</strong>:</p>
<ul>
<li>In <a href="http://www.nationaljournal.com/njmagazine/cs_20091114_3145.php">National Journal</a>, a brief history of the known state of cyberwar today (meaning there doesn&#8217;t seem to be any juicy classified info in this article).</li>
<li>2009 report from the U.S.-China <a href="http://www.uscc.gov/annual_report/2009/09_annual_report.php">Economic Review Commission</a>. China has a reputation for being a leader in cyber-espionage, mostly for economic reasons, though they are interested in everything.</li>
<li>Here&#8217;s a <a href="http://www.koreatimes.co.kr/www/news/nation/2009/12/205_56502.html">short item</a> about plans by South Korea to formally get involved in cyberwar (mostly to defend themselves against the North Koreans).</li>
<li>An intelligent and informed <a href="http://www.csoonline.com/article/509213/I_Was_Wrong_There_Probably_Will_Be_an_Electronic_Pearl_Harbor">analysis</a> of the possibilities of a strategic cyber attack on the U.S. Hint: The odds aren&#8217;t as favorable as they used to be.</li>
</ul>
<p>That should be enough to get people thinking about what cyberwar means. Personally, I&#8217;d like it to mean that I will be gainfully employed (at a very high pay rate) for as long as I want. In other words, I want it to stay fun.</p>
<p>A guy can hope.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chaosprg.com/blog/2009/12/when-geeks-make-war/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Perception of Security in the Cloud</title>
		<link>http://www.chaosprg.com/blog/2009/11/perception-of-security-in-the-cloud/</link>
		<comments>http://www.chaosprg.com/blog/2009/11/perception-of-security-in-the-cloud/#comments</comments>
		<pubDate>Fri, 27 Nov 2009 20:50:31 +0000</pubDate>
		<dc:creator>irv</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[infosec]]></category>

		<guid isPermaLink="false">http://www.chaosprg.com/blog/?p=267</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<p>Arguably the biggest buzzword in computing today is &#8220;cloud computing.&#8221; Other candidates include &#8220;real time web,&#8221; &#8220;social computing&#8221; and (my favorite) &#8220;monetization.&#8221; Briefly, cloud computing means deploying internet based applications and services in a way that abstracts hardware needs out so that dependence on any particular server is limited and adding more servers (or virtual servers) makes scaling relatively easy. The example of cloud computing I am personally most familiar with is <a href="http://aws.amazon.com/ec2/">Amazon Electronic Compute Cloud</a> which hosts the web site I have been developing at my job (<a href="http://www.trailmeme.com">Trailmeme</a>). There are numerous others.</p>
<p>A recent study reported at <a href="http://www.darkreading.com/securityservices/security/perimeter/showArticle.jhtml?articleID=221901195">Dark Reading</a> claims that adoption of cloud computing is being hampered by concerns about security. I think this at least somewhat misleading.</p>
<p>The article gives two numbers related to this. First, almost exactly half of companies are not using the cloud and do not plan to at this time. The second number is that half of those mention security as one of their reasons for not rushing to adopt cloud computing. The conclusion of the article is that security is a major concern in cloud computing. I wish this were true but I don&#8217;t believe it.</p>
<p><span id="more-267"></span>The obvious problem with this is the math. One half of one half means that only one quarter (0.25 or 25% for those who went to public school) considered security a significant point against cloud computing.  But it goes deeper than the math. When most people think of security in the cloud what do they think of? What do they think of when they consider security at all?</p>
<p>Security professionals may be able to describe specific concerns such as side channel attacks on shared hosts in Amazon&#8217;s virtualization structure (see article <a href="http://www.darkreading.com/securityservices/security/management/showArticle.jhtml?articleID=219700098">here</a>. Later news indicated the vulnerability had been fixed. See <a href="http://www.networkworld.com/news/2009/102909-amazon-downplays-report-highlighting-vulnerabilities.html">here</a>) or denial of service attacks on the infrastructure itself. There may also be questions about how targeted services such as <a href="http://www.microsoft.com/windowsazure/">Microsoft SQL Azure</a> are locked down against hacking (That&#8217;s one I have wondered about but haven&#8217;t had time to examine in depth). They may also worry about backups and disaster recovery. This is a legitimate concern when storing anything on someone else&#8217;s servers.</p>
<p>Information technology professionals who are not security specialists probably also have many of the same questions, if they have time to explore them. In my experience, those in IT often find themselves wishing they could devote more time and energy to security but unless management is willing to reduce the priority of some project, security gets a &#8220;patch and pray&#8221; approach more often than not. Management claims to value security but rarely understands it deeply enough to know how to factor it into their estimates of time and resources required (notice how kind I&#8217;m being here. I haven&#8217;t called anyone an idiot in this entire post, so far! But from what I&#8217;ve seen of the corporate world, the management attitude towards security is usually something like <a href="http://www.jayphilips.com/wordpress/wp-content/uploads/2009/10/Dilbert_InternetSecurityHole.jpg">this</a>).</p>
<p>Anyway, I have many questions about what people mean when they say that security is a reason for not using cloud computing. Do they mean it&#8217;s the most important reason? Or is it just one reason of several? Do they mean they heard that the cloud isn&#8217;t safe and they&#8217;re afraid? Do they mean that they are perfectly satisfied with their current security and don&#8217;t want to have to set up a new system (that should be an important one)?</p>
<p>Security <em>should</em> be an important consideration when choosing a technical platform. Maybe the conclusion of the article is backwards, in that case. Maybe instead of lamenting that too many people are worrying about the security of cloud computing, maybe they should worry that not enough are worrying about it. Either way, I&#8217;m not convinced people are worrying about the right things, even if they say they are worried about security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chaosprg.com/blog/2009/11/perception-of-security-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Adventures in Insecurity Number &#8230; 1!</title>
		<link>http://www.chaosprg.com/blog/2009/08/adventures-in-insecurity-number-1/</link>
		<comments>http://www.chaosprg.com/blog/2009/08/adventures-in-insecurity-number-1/#comments</comments>
		<pubDate>Sun, 23 Aug 2009 00:56:03 +0000</pubDate>
		<dc:creator>irv</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.chaosprg.com/blog/?p=227</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<p>A little while ago I saw a TV commercial that offered to pay people to make themselves targets for identity theft.</p>
<p>Oh, that wasn&#8217;t the intention. It was more a side effect of the campaign, which offered to pay people for referring friends to use the service. The part that made me start thinking about ID theft was the line that advised that, in order for you and your friend both to receive the cash the program offers, your friend must use your account number to sign up.</p>
<p>Have you seen the one? Sounds enticing, doesn&#8217;t it? It&#8217;s like free money!</p>
<p>Just as long as you trust your friends with access to your account. I have nightmares (well, not really, but play along with me on this) of greedy people putting their account number on a business card, or in an ad on Craig&#8217;s List, to get others to help them cash in on this program. So what if a complete stranger then hijacks their account? In a way, anyone that stupid deserves what happens to them.</p>
<p>I have an even worse nightmare that the company that ran the ad would say that their security is too good for someone to misuse an account just by knowing the account number. They have to also know something else, like a social security number! (For those folks who came in in the middle, SS number should <em>never</em> be used as a customer identifier because <em>every</em> use exposes it to possible theft).<br />
<span id="more-227"></span><br />
Anyway, that&#8217;s just speculation. Maybe it&#8217;s not that bad. I hope not.</p>
<p>I&#8217;ll admit that an account number is not the prime target for identity theft. A single account number for a single business is much less useful than a social security number &#8211; and thank God for that! It would be scary to think of a company offering money to give up their social security numbers. How many people would fall for that?</p>
<p>But, believe it or not, that little account number still has some value. It&#8217;s still what&#8217;s known as personally identifying information. Laws that attempt to protect consumer privacy ordinarily list account numbers as the kind of information that companies should protect from sharing. In particular, Gramm-Leach-Bliley covers financial information that&#8217;s transferred electronically (such as when signing up for something on the web) and GLB includes account numbers in the list of things requiring enhanced security in order to protect privacy.</p>
<p>Notice, though, that the company isn&#8217;t violating GLB here. They&#8217;re not violating anyone&#8217;s privacy. They&#8217;re paying people to violate it themselves.</p>
<p>Brilliant marketing? Probably not, though it may be effective. The real question is, are the people who thought up this promotion hideously unethical or just morons?</p>
<p>That&#8217;s a trick question. They could be both.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chaosprg.com/blog/2009/08/adventures-in-insecurity-number-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Frankenstein Was an Amateur</title>
		<link>http://www.chaosprg.com/blog/2009/07/frankenstein-was-an-amateur/</link>
		<comments>http://www.chaosprg.com/blog/2009/07/frankenstein-was-an-amateur/#comments</comments>
		<pubDate>Sun, 05 Jul 2009 18:12:21 +0000</pubDate>
		<dc:creator>irv</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[electronic health records]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.chaosprg.com/blog/?p=211</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[
<p>There&#8217;s a big push in the U.S. right now to computerize health records so they can be more easily searched, transferred and analyzed. The potential benefits touted include greater portability &#8211; go to a new doctor and never worry about getting all your records for them &#8211; and wonderful new technologies like automatic checking for unsafe drug interactions.</p>
<p>Of course there&#8217;s a lot of money involved, too. The American Recovery and Reinvestment Act of 2009 (you know. The stimulus bill) created an Office of the National Coordinator for Health Information Technology and allocated billions of dollars to promote adoption of electronic health records (see article <a href="http://wistechnology.com/articles/5523/">here</a>). Yeah. That&#8217;s what the health industry needs: More bureaucracy.</p>
<p>The Spring 2009 issue of Rand Review (no link. I&#8217;m working from a hard copy) has an impressive array of charts and graphs and numbers claiming that health technology can save vast amounts of money. They even make the hilarious claim that computerizing people&#8217;s health records will <em>improve</em> privacy! Usually at this point I would put a list of links to articles about hacking incidents related to the subject I&#8217;m discussing but that doesn&#8217;t begin to show the magnitude of the problem. Instead, here&#8217;s one link to a Google search for medical records compromised: <a href="http://www.google.com/#hl=en&amp;q=medical+records+compromised">http://www.google.com/#hl=en&amp;q=medical+records+compromised</a>. It&#8217;s showing me 649,000 records when I run it today. Interestingly, there doesn&#8217;t seem to be a lot of duplications.</p>
<p><span id="more-211"></span>Note that I used the word &#8220;compromise&#8221; in the search because there are many different kinds of problems with electronic records (not just health related ones) beyond &#8220;hacking&#8221; by malicious and probably unknown people. In all areas of electronic records, insiders misusing their privileges to access records they shouldn&#8217;t is a common problem. And hardly a day goes by without news of someone, somewhere, misplacing a laptop that just happened to have tens of thousands of records (including social security numbers) on it.</p>
<p>To date, hospitals have not been eager to adopt centralized health record systems (see <a href="http://www.sciencedaily.com/releases/2009/03/090325180703.htm">here</a>). Security is probably one of the reasons. At least, I hope it is! Related to that is the vulnerability of electronic systems to outages. At the beginning of June this year the Indianapolis Star reported that Indianapolis&#8217;s Methodist Hospital was forced to turn patients away after a problem with their electronic health records system (See <a href="http://www.networkworld.com/community/node/42410">here</a>. Interestingly, the original newspaper article seems to have disappeared).</p>
<p>In somewhat related news, it turns out that medical devices such as heart defibrillators and new, cutting edge devices implanted directly in the brain often have little or no security (See articles from <a href="http://www.mindhacks.com/blog/2009/07/ghost_in_the_machine.html">Mindhacks</a>, <a href="http://www.schneier.com/blog/archives/2008/03/hacking_medical_1.html">Schneier</a> and <a href="http://thejns.org/doi/full/10.3171/2009.4.FOCUS0985?cookieSet=1">The Journal of Neurosurgery</a> &#8211; I love this last one just for the wonderful term <em>neurosecurity</em>.) Problems include lack of authentication for system updates and lack of encryption to protect information transfers. These are extremely basic measures! Ignoring them seems indefensible, not to mention reckless. Without even those simple protections of data and code, the door is wide open for unauthorized manipulation (as the journal article proves).</p>
<p>Sometimes I write science fiction and this sets up exactly the kind of story I would write: Wily hacker digs through someone&#8217;s online health information records to discover the make and model of a device implanted in the victim&#8217;s brain, then uses the poor security on that device to directly take over the person&#8217;s body. It&#8217;s sneaky, nasty and rooted in existing technology. Here&#8217;s the thing about stories like that: It&#8217;s not just us writers who think of them. Hackers can be just as creative (and more determined to use the scenario, rather than just write it up).</p>
<p>Again, I want to stress that I&#8217;m not saying that we should stay away from the deadly evil of electronic health records. They are coming and there will be great benefits in the long run. But if we don&#8217;t slow down and start doing something about the inherent risks, the road is going to be chaotic and deadly for a lot of people.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chaosprg.com/blog/2009/07/frankenstein-was-an-amateur/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
