November 27, 2005

Who v. Who - more on the dilemma of the classical attacker

In the military they say no plan survives the first shot, and call this aptly "the fog of war." The best laid plans of the security industry and various parliaments (US Congress, the European Union, etc.) are being challenged in war as in music. Now comes news that one DRM supplier is threatening to reverse-engineer the DRM of another supplier.

A company that specializes in rights-management technology for online stores has declared its plans to reverse-engineer the FairPlay encoding system Apple uses on iTunes Music Store purchases. The move by Cupertino-based Navio Systems would essentially break Apple’s Digital Rights Management (DRM) system in order to allow other online music retailers to sell downloads that are both DRM-encoded and iPod-compatible by early 2006.

“Typically, we embrace and want to work with the providers of the DRM,” said Ray Schaaf, Navio’s chief operating officer. “With respect to FairPlay, right now Apple doesn’t license that, so we take the view that as RealNetworks allows users to buy FairPlay songs on Rhapsody, we would take the same approach.”

In 2004, after unsuccessfully courting Apple to license FairPlay, RealNetworks introduced its Harmony technology, which allowed users to buy music from online sources other than the iTunes Music Store and transfer it to their iPod. RealNetworks’ move was then denounced by Apple as adopting “the tactics and ethics of a hacker to break into the iPod.” In December of 2004, Apple shot back by releasing an iPod software update that disabled support for RealNetworks-purchased songs.

I forgot to add: This trend is by no means isolated, as pointed to by Adam. Here's an account of AOL inserting capabilities into our computers. I noticed this myself, and had to clean out these bots while making a mental note to never trust AOL with any important data or contacts.

Big mistake. That was my list, not AOL's. They've violated my personal space. By doing this they've demonstrated that my data — my list of contacts — can be tampered with at their whim. I have to wonder what comes next? Can my lists be sold, or mined for more data? Will they find out if my buddies purchase something online and then market that thing to me, on the assumption that I share mutual tastes? Just what is AOL doing with my data?


Posted by iang at 10:00 AM | Comments (1) | TrackBack

November 21, 2005

Frank Hecker goes to the Mountain - mapping the structure of the Certificate Authority

Frank takes aim at the woeful business known as certificate authorities in an attempt to chart out their structural elements and market opportunities.

Frank argues that CAs can be viewed as providers of one of encryption, DNS-fixes, site identity proofs, or anti-fraud services. Depending on which you choose, this has grave ramifications for what follows next -- Frank's thesis implicitly seems to be that only one of those can be pursued, and each has severe problems, if not inescapable and intractable contradictions. In the meantime, what is a browser manufacturer supposed to do?

For those who have followed the PKI debate this will not surprise. What is stunningly new -- as in news -- is that this is the first time to my knowledge that a PKI user organisation has come out and said "we have a problem here, folks!" Actually, Frank doesn't say that in words, but if you understand what he writes, then you'd have to be pre-neanderthalic not to detect the discord.

What to do next is not clear -- so it would appear that this essay is simply the start of the debate. That's very welcome, albeit belated.

Posted by iang at 06:33 PM | Comments (1) | TrackBack

November 19, 2005

Security is failing - more evidence from Sony

In the fall-out from the Sony root-kit affair, here's an interesting view:

Sony Rootkits: A Sign Of Security Industry Failure?

Nov. 18, 2005 By Gregg Keizer TechWeb News

One analyst wonders why it took so long to catch onto Sony's use of rootkits on CDs and whether customers may have a false sense of security.

Sony's controversial copy-protection scheme had been in use for seven months before its cloaking rootkit was discovered, leading one analyst to question the effectiveness of the security industry.

"[For] at least for seven months, Sony BMG Music CD buyers have been installing rootkits on their PCs. Why then did no security software vendor detect a problem and alert customers?" asked Joe Wilcox, an analyst with JupiterResearch.

"Where the failure is, that's the question mark. Is it an indictment of how consumers view security software, that they have a sense of false protection, even when they don't update their anti-virus and anti-spyware software?

"Or is it in how data is collected by security companies and how they're analyzing to catch trends?"

Ouch! I wondered before who was attacking who, but this is a good point that goes further. Why didn't anti-virus programs detect the attack from Sony? We rely on the anti-virus sellers in the Microsoft field to protect from the weakness of the underlying OS.

It shouldn't be a surprise to discover that there is some form of selective detection going on in the Microsoft security world - the rest of the article identifies that their source of information is problem reports, honeynets, and a vague but interesting comment:

"Frankly, we were busy looking for where the [spyware] money was going," said Curry. "We weren't looking at legitimate industries."

This is probably as it should be. Microsoft creates the vulnerabilities and the rest of the industry follows along cleaning up. It isn't possible to be more than reactive in this business, as to be proactive will lead to making mistakes - at cost to the company selling the security software. So companies will routinely promise to clean up 100% of the viruses on their list of viruses that they clean up 100% of.

(Note that this still leaves the cost of missed attacks like the Sony rootkit, but that is borne by the user, a problem for another day.)

The next interesting question is whether Sony, or the inevitable imitators that come along, are going to negotiate a pass with the anti-virus sellers. That is, pay blood money to anti-virus scanners for their rootkit. In the spam world, these are called "pink sheets" for some obscure reason. Will an industry in acceptable, paid for attacks on Microsoft's OS spring up? Or has it already sprung up and we just don't know it?

If so, I'd have to change the title of this rant to "Security is getting more economic..."

Posted by iang at 08:58 AM | Comments (1) | TrackBack

November 18, 2005

After 10 years, a new policy on adding CAs

Frank announces the new Mozo policy for CAs.

This is a significant piece of news in an otherwise moribund field - there hasn't been anything happening in the CA business since Verisign bought Thawte. In brief, here's the story: since the dawn of SSL time, all browsers have more or less inherited a list of favoured buddies created by Netscape. When Mozilla started to ship significant numbers of browsers, they started to get calls for new CAs to be added.

Looking around, it was discovered there were no rules, other than "must be WebTrust Audited!" Well, that fell by the wayside when it was pointed out that Mofo was supposed to be working in the open source world and WebTrust audits start at $50k. Not to mention serious irregularities in the WebTrust process itself, and evolving security failures of the overall browser system...

Policy guru Frank Hecker burnt many candles to craft a compromise between the reds and the blues. Bitter debate ensued, but the end result is OK, although it does kind of highlight that Mofo (or is it Mozo?) is a meta CA and has not or cannot escape some responsibility for the CAs that are added.

To cap it off, rumour has it that Microsoft has also started a policy review, no doubt following the quite serious discussion on the n.p.m.crypto lists over this major issue. Last I heard, Konqueror, Opera and Safari were expecting to follow Mozo on this policy, so this may result in a minor shakeup.

(Some minor disclosure - I have been helping the CAcert people with their policy ...)

Posted by iang at 03:30 PM | Comments (0) | TrackBack

November 13, 2005

Amazon starts a Task Market

Amazon have started what looks like a task market with an unusual name - the Amazon Mechanical Turk. Pointed to by C Walsh.

This could be successful if only for its two cool features: the cool name and the incorporation of webservices. The core idea itself has been around for yonks and even well before I presented on task markets at FC97.

What is curious is that instead of going for the geek in everyone, they've actually listed very small low-value tasks. They truly are targeting the brains of the net, not the geeks. Here's such a task:

You are presented with the name and address of a business as well as a set of photos taken along the street where the business is supposed to be located. Your task is to identify the best photo of the business that is listed.

For that task you will be paid 3 cents into your Amazon account!

Posted by iang at 10:48 AM | Comments (2) | TrackBack

anti-forensics - why do vapourware security tools sell so well?

Hagai Bar-El points to a paper on the market for anti-forensic tools - ones that wipe your tracks after you've done your naughty deed.

I have just enjoyed reading "Evaluating Commercial Counter-Forensic Tools" by Matthew Geiger from Carnegie Mellon University. The paper presents failures in commercially-available applications that offer covering the user's tracks. These applications perform removal of (presumably) all footprints left by browsing and file management activities, and so forth. To make a long story short: seven out of seven such applications failed, to this or that level, in fulfilling their claims. ...

The next thing I was wondering about is how come these products sell so well, given that they do not provide what they state they do, in a way that is sometimes so evident.

I think a partial answer to why these things sell so well might be found in the debate about security as viewed as a market in insufficient information. It has been suggested that security is a market for lemons (one where the customer does not know the good from the bad) but I prefer to refer to security as a market for silver bullets (one where neither the customer nor the supplier know good from bad).

Either way, in such insufficient markets, the way sales arise is often quite counter-intuitive. In a draft paper (html and PS), I make the claim that sales in the market for security have nothing to do with security, but are driven by other factors.

So, once we appreciate that disconnect in the market, it's quite easy to predict that vapourware sells better than real product, because the real product has higher costs, which means less marketing. All other things being equal, of course.

Another partial answer is that the bad guys that do need to evade the FBI (and competitors) will know the score. They also know something that shows them to be generally astute: they generally mistrust privacy-oriented technology as being fraudulent in claims because it can't be easily checked up on. So sales of products will tend to go to people who believe claims - being those who actually have no strong reason to rely on the claims.

Posted by iang at 10:21 AM | Comments (0) | TrackBack

November 01, 2005

Sony v. their customers - who's attacking who?

In another story similar in spirit to the Cuthbert case, Adam points to Mark who discovers that Sony has installed malware into his Microsoft Windows OS. It's a long technical description which will be fun for those who follow p2p, DRM, music or windows security. For the rest I will try and summarise:

Mark bought a music disk and played it on his PC. The music disk installed a secret _root kit_ which is a programme to execute with privileges and take control of Microsoft's OS in unknown and nefarious ways. In this case, its primary purpose was to stop Mark playing his purchased music disk in various ways.

The derivative effects were a mess. Mark knows security so he spent a long time cleaning out his system. It wasn't easy, well beyond most Windows experts, even ones with security training, I'd guess. (But you can always reformat your drive!)

No hope for the planet there, then, but what struck me was this: Who was attacking who? Was Sony attacking Mark? Was Mark attacking Sony? Or maybe they were both attacking Microsoft?

In all these interpretations, the participants did actions that were undesirable, according to some theory. Yet they had pretty reasonable justifications, on the face of it. Read the comments for more on this; it seems that the readers for the most part picked up on the dilemmas.

So, following Cuthbert (1, 2, 3) both could take each other to court, and I suppose Microsoft could dig in there as well. Following the laws of power, Sony would win against Mark because Sony is the corporation, and Microsoft would win against Sony, because Microsoft always wins.

Then, there is the question of who was authorised to do what? Again, confusion reigns, as although there was a disclaimer on the merchant site that the disk had some DRM in it, what that disclaimer didn't say was that software that would be classified as malware would be installed. Later on, a bright commenter reported that the EULA from the supplier's web site had changed to add a clause saying that software would be added to your Windows OS.

I can't help being totally skeptical about this notion of "authorisation." It doesn't pass the laugh test - putting a clause in an EULA just doesn't seem to be adequate "authorisation" to infect a user's machine with a rootkit, yet again following the spirit of Cuthbert, Sony would be authorised because they said they were, even if after the fact. Neither does the law that "unauthorises" the PC owner to reverse-engineer the code in order to protect his property make any sense.

So where are we? In a mess, that's where. The traditional security assumptions are being challenged, and the framework to which people have been working has been rent asunder. A few weeks ago the attackers were BT and Cuthbert, on the field of Tsunami charity; now it's Sony and Mark, on the field of Microsoft and music. In the meantime, the only approach that I've heard make any sense is the Russian legal theory as espoused by Daniel: Caveat Lector. If you are on the net, you are on your own. Unfortunately most of us are not in Russia, so we can't benefit from the right to protect ourselves, and have to look to BT, Sony and Microsoft to protect us.

What a mess!

Addendums:

And in closing, I just noticed this image of Planet Sony Root Kit over at Adam's entry:


Posted by iang at 05:55 AM | Comments (2) | TrackBack