Category: Writing

Categories
Links Writing

The Problems of Domestic Labelling

While not related strictly to technology, Forbes has a good breakdown of why Kobe beef that is sold outside of Japan is (effectively) never the famed Kobe beef that myths are written about. It’s a good, direct, blunt piece. The kind of journalism I think we can, and want to, all support.

It (re)raises important questions that implicate technology. Wireless technologies are sometimes called “4G” but this is only true under revised ITU regulations. Originally 4G technologies were meant to be transformative – they referred predominantly to LTE and beyond – but this was revised in 2010 to refer to “3G technologies substantially better in performance and capability than earlier 3G technologies.”

Similar legal issues arise around the definition of public domain: with different international bodies possessing different copyright terms, the variance could lead to jurisdictional disputes around what is(n’t) public domain. Such disputes may lead to the removal of content if it happens to be stored or accessible in nations with the more onerous copyright terms.

These are just two areas where ‘labelling’ is important. In all three cases – beef, wireless speeds, and copyright – it’s legal terms that enable variable terminology associated with common goods. For consumers in a globalized world, who are often unable to spend the time to track down the ‘truth’ behind the labels, such labels can be incredibly confusing. We can do better, and we should do better, and find a means of rectifying confusions that arise from domestic labelling.

Categories
Links Writing

An Interesting USB-Drive Encryption System

A group of my colleagues and I are always on the hunt for affordable, easy-to-use,  secure drive encryption tools that can be deployed to non-technically savvy individuals. The most recent piece of software we’ve come across is LaCie’s Public-Private encryption which, as far as I can tell, is a pretty front-end for TrueCrypt.

I’ve reached out to the company in the hopes of learning what, if anything, they’ve done in making TrueCrypt a tiny bit easier for people to use. TrueCrypt is one of the more secure means of protecting data. LaCie’s software itself is free – available here – and runs on any USB drive, so you can use the software without having to purchase anything from the company. The only deficit that I’ve come across thus far is that you can only create 4GB partitions; this means that if you want to encrypt everything on an 8GB drive then you’ll need to establish two separate partitions.

I’ll be updating this site once/if I hear back from the company.

Categories
Writing

Less Than Impressed With 1Password

First, the good news: 1Password has released a new version of their product on iOS. The company outlines a whole pile of reasons for supposedly delaying security upgrades – some of which include the updates will slow the speed at which users can access their encrypted data – but fail to identify what I suspect is a key motive behind the upgrade. If you recall, I wrote a while ago about key failures in mobile password managers. 1Password was amongst those who had flawed security implementations.

To be clear: security, especially good security, is damn hard to engineer. 1Password didn’t have the gaping flaw that others did – i.e. storing passwords in plaintext!! – but it was flawed. In the security community this (ideally) is resolved when someone critiques your secured infrastructure. In today’s world you should also credit the security researcher(s) who identified the flaw.

Unfortunately, this isn’t what 1Password has done. As far as I can tell, there is no formal recognition from the company that they have had flaws in their mobile security model pointed out by a third-party. This is a shame, given that a key factor that builds genuine trust in security is transparency. It seems like 1Password is willing to address problems – they’re not dwelling in a security by obscurity paradigm, to be sure! – but not credit others with finding those problems in the first place.

Update: My very, very bad. I missed an earlier piece from 1Password, where they note the research. That is available here. It would have been ideal to see a reference to this in their update but, admittedly, credit had previously been given.

Categories
Links Writing

Incumbent Beats Competitor. Again.

A major challenge facing Canada’s “new” mobile companies is this: how can they extend network coverage across Canada to increase the utility of their product offerings? One way they address the challenge involves entering roaming agreements with incumbent carriers. As Wind Mobile is finding out, Rogers Communications is willing to both do the least possible to enable roaming and fight at the CRTC to maintain this minimal standard.

Specifically, from The Telecom Blog we find that

…Wind Mobile complained again to the CRTC stating that Rogers continues to discriminate against its roaming customers. Though RIM managed to muster support from the Consumer Association of Canada, the CRTC has ruled again in favor of Rogers. The upstart carrier claims that currently there’s no way for Wind subscribers to continue a live call when they hop onto Rogers network. The call is dropped and the subscribers are forced to redial.

Though Wind has been lobbying hard to get seamless roaming onto the Rogers network, the CRTC declined the request stating that “in view of its determination that RCP had not granted itself a preference, it would be inappropriate to deal with the issue of mandating seamless call transition.”

Needless to say, these are the actions of an incumbent doing what it can to limit the appeal of competitors’ products. The reason that Rogers wasn’t found to have granted itself a preference was because Rogers hadn’t rejigged their network in response to the roaming agreement: Rogers simply made the decision not to make technical improvements that would enable seamless live call transitions.

Much of the issue around transitions, and other telecom-related battles between incumbents and competitors in Canada, stem from the CRTC’s basic position that the Canadian telecommunications market should be directed by facilities-based competition. In other words, the position is (generally stated!) that competitors are recognized as temporarily needing access to incumbent networks when they first incorporate, but that the same competitors should build out their own infrastructure over time.

This CRTC’s preferred mode of competition is incredibly expensive and is arguably redundant; structural separation is postulated as one means of addressing the issue, as are spectrum sharing, and improved infrastructure sharing agreements that are driven by federal institutions’ fiats. Regardless of the particular solution you favour – if you see a problem as existing, in the first place! – something should be done to better enable new competitors in Canada. The CRTC theoretically attempts to promote market competition so that services are less costly for Canadians while simultaneously ensuring that offered services are of high quality and are efficient. Where something so basic as call transitions isn’t addressed, one has to wonder whether some federal institution shouldn’t be a lot more involved than they are in enabling competition in Canada’s mobile marketplace.

Categories
Links Writing

Major Critical Infrastructure Vulnerabilities Disclosed

For years, researchers have warned that the systems that run critical infrastructure have systemic and serious code-based vulnerabilities. Unfortunately, governments have tended to use such warnings as a platform to raise ‘cyber-warfare’ arguments. Many such arguments are thinly-disguised efforts to assert more substantive government surveillance and control over citizens’ rights and expressions of freedom. Few of these arguments genuinely address the concerns researchers raise.

In the face of governmental lacklustre efforts to secure infrastructure, researchers have disclosed critical vulnerabilities in many of the systems responsible for manufacturing facilities, water and waste management plants, oil and gas refineries and pipelines, and chemical production plants. What’s incredibly depressing is this:

The exploits take advantage of the fact that the Modicon Quantum PLC doesn’t require a computer that is communicating with it to authenticate itself or any commands it sends to the PLC—essentially trusting any computer that can talk to the PLC. Without such protection, an unauthorized party with network access can send the device malicious commands to seize control of it, or simply send a “stop” command to halt the system from operating.

These kinds of ‘attacks’ or ‘exploits’ are possible because the most basic security precautions are not integrated into the logic controllers running such infrastructure. On the one hand this makes sense: many PLCs and the infrastructure they are embedded in were created and deployed prior to ‘the Internet’ being what it is today. On the other, however, one has to ask: if the money spent on security theatre at airports had been invested in hardening actual PLCs and other infrastructure, where would critical infrastructure security be today?

Categories
Links Writing

Surprise: American Equipment Spies on Iranians

Steve Stecklow, for Reuters, has an special report discussing how Chinese vendor ZTE was able to resell American network infrastructure and surveillance products to the Iranian government. The equipment sold is significant;

Mahmoud Tadjallimehr, a former telecommunications project manager in Iran who has worked for major European and Chinese equipment makers, said the ZTE system supplied to TCI was “country-wide” and was “far more capable of monitoring citizens than I have ever seen in other equipment” sold by other companies to Iran. He said its capabilities included being able “to locate users, intercept their voice, text messaging … emails, chat conversations or web access.”

The ZTE-TCI documents also disclose a backdoor way Iran apparently obtains U.S. technology despite a longtime American ban on non-humanitarian sales to Iran – by purchasing them through a Chinese company.

ZTE’s 907-page “Packing List,” dated July 24, 2011, includes hardware and software products from some of America’s best-known tech companies, including Microsoft Corp, Hewlett-Packard Co, Oracle Corp, Cisco Systems Inc, Dell Inc, Juniper Networks Inc and Symantec Corp.

ZTE has partnerships with some of the U.S. firms. In interviews, all of the companies said they had no knowledge of the TCI deal. Several – including HP, Dell, Cisco and Juniper – said in statements they were launching internal investigations after learning about the contract from Reuters.

The sale of Western networking and surveillance equipment/software to the Iranian government isn’t new. In the past, corporate agents for major networking firms explained to me the means by which Iran is successfully importing the equipment; while firms cannot positively know that this is going on, it’s typically because of an intentional willingness to ignore what they strongly suspect is happening. Regardless, the actual sale of this specific equipment – while significant – isn’t the story that Western citizens can do a lot to change at this point.

Really, we should be asking: do we, as citizens of Western nations, believe that manufacturing of these kinds of equipment is permissible? While some degree of surveillance capacity is arguably needed for lawful purposes within a democracy it is theoretically possible to design devices such that they have limited intercept and analysis capability out of the box. In essence, we could demand that certain degrees of friction are baked into the surveillance equipment that is developed, and actively work to prevent companies from producing highly scaleable and multifunctional surveillance equipment and software. Going forward, this could prevent the next sale of significant surveillance equipment to Iran on grounds that the West simply doesn’t have any for (legal) sale.

In the case of government surveillance inefficiency and lack of scaleability are advantageous insofar as they hinder governmental surveillance capabilities. Limited equipment would add time and resources to surveillance-driven operations, and thus demand a greater general intent to conduct surveillance than when authorities have access to easy-to-use, advanced and scalable, surveillance systems.

Legal frameworks are insufficient to protect citizens’ rights and privacy, as has been demonstrated time and time again by governmental extensions or exploitations of legal frameworks. We need a normatively informed limitation of surveillance equipment that is included in the equipment at the vendor-level. Anything less will only legitimize, rather than truly work towards stopping, the spread of surveillance equipment that is used to monitor citizens across the globe.

Categories
Links Writing

Huawei Blocked on National Security Grounds

We recently learned that the Australian government had blocked Huawei from tendering contracts for Australia’s National Broadband Network. The government defended their position, stating that:

As such, and as a strategic and significant government investment, we have a responsibility to do our utmost to protect its integrity and that of the information carried on it.

Of note, internally Huawei had been a preferred choice but the company was ostensibly blocked for political/security, rather than economic, reasons. This decision isn’t terribly surprising given that American, Australian, and United Kingdom national intelligence and security agencies have all come out against using Huawei equipment in key government-used networks. The rationale is that, even were a forensic code audit possible (and likely wouldn’t be, on grounds that we’re talking millions of lines of code) it wouldn’t be possible to perform such an audit on each and every update. In effect, knowing that a product is secure now isn’t a guarantee that the product will remain secure tomorrow after receiving a routine service update. The concern is that Huawei could, as a Chinese company, be compelled by the Chinese government to include such a vulnerability in an update. Many in the security community suspect that such vulnerabilities have already been seeded.

Does this mean that security is necessarily the real reason for the ‘national security card’ being played in Australia? No, of course not. It’s equally possible that calling national security:

  • let’s the government work with a company that it already has ties with and wants to support;
  • is the result of the government being enticed – either domestically or from foreign sources – to prefer a non-Huawei alternative;
  • permits purchases of a non-Huawei equipment from vendors that are preferred for political reasons; perhaps buying Chinese goods just wouldn’t be seen as a popular move for the government of the day.

Moreover, simply because Australia isn’t tendering contracts from Huawei doesn’t suggest that whatever equipment is purchased will be any more secure. In theory, were Cisco equipment used to power the National Broadband Network then the American government could similarly compel Cisco to add vulnerabilities into routers.

In part, what this comes down to is who do you trust to spy on you? If you see the Americans as more friendly and/or less likely to involve themselves closely in your matters of state, then perhaps American companies are preferred over your economic and geographical next-door neighbours.

I should note, just in closing, that Huawei has contracts with most (though not quite all) of Canada’s largest mobile and wireline Internet companies. Having spoken with high-level governmental officials about security concerns surrounding Huawei’s equipment there seems to be a total lack of concern: just because GCHQ, NSA, and ASIO have publicly raised concerns about the company’s equipment doesn’t seem to raise any alarm bells or worries with our highest government officials.

Categories
Links Writing

The Problems With Smartphone Password Managers

In today’s era of hyperbolic security warnings one of the easiest things that people can do to ‘protect’ themselves online is select super hard passwords to crack, stuff them in a centralized password manager, and then only have to remember a single password to access the rest in the manager. I’ve used a password manager for some time and there are real security benefits: specifically, if a single service that I’ve registered with is hacked then my entire online life isn’t compromised, just that one service.

Password manager companies recognize the first concern that most people have surrounding their services: how do the managers protect the sensitive information they’re entrusted with? The standard response from vendors tends to reference ‘strong security models and usage of cryptography. Perhaps unsurprisingly, it is now quite apparent that the standard responses really can’t be trusted.

In a recent paper (.pdf), researchers interrogated the security status of password managers. What they found is, quite frankly, shocking and shameful. They also demonstrate the incredible need for third-party vetting of stated security capabilities.

The abstract for the paper is below but you should really just go read the whole paper (.pdf). It’s worth your time and if you’re not a math person you can largely skim over the hard math: the authors have provided a convenient series of tables and special notes that indicate the core deficiencies in various managers’ security stance. Don’t use a password manager that is clearly incompetently designed and, perhaps in the future, you will be more skeptical of the claims companies make around security.

Abstract:

In this paper we will analyze applications designed to facilitate storing and management of passwords on mobile platforms, such as Apple iOS and BlackBerry. We will specifically focus our attention on the security of data at rest. We will show that many password keeper apps fail to provide claimed level of protection

Access the paper (.pdf)

The Problems With Smartphone Password Managers

Categories
Links Writing

On Hiring Hackers

Kevin McArthur has a response to firms who are demanding highly credentialed security staff: stop it!

Much of his argument surrounds problems with the credentialing process. He focuses on the fact that the time spent achieving an undergrad, MA, and set of professional certifications leaves prospective hires woefully out-of-date and unprepared to address existing security threats.

I recognize the argument but think that it’s somewhat of a strawman: there is nothing in a credentialing process forcing individuals to solely focus on building and achieving their credentials. Indeed, many of the larger companies that I’m familiar with hire hackers as employees and then offer them opportunities to pursue credentials on their own time, on the company dime, over the course of their employment. Many take advantage of this opportunity. This serves two purposes: adds ‘book smarts’ to a repertoire of critical thinking habits and makes the company ‘stickier’ to the employee because of the educational benefits of working for the company.

Under the rubric of enabling education opportunities for staff you can get security talent that is very good and also happens to be well educated. It’s a false dichotomy to suggest that you can have either ‘book smarts’ or ‘real world smarts’: there are lots of people with both. They don’t tend to be right out of university or high school, but they are out there.

What’s more important, and what I think the real focus of the article is meant to be, is that relying on credentials instead of work accomplished is the wrong way of evaluating prospective security staff hires. On that point, we entirely agree.

Categories
Links Writing

A Populist Critique of “Ladyphones”

Casey Johnston, over at Ars Technica, has a two-pager complaining about how tech companies design and market so-called “Ladyphones.” It’s a quick read that picks up on earlier critiques about how certain colours, and reduced technical capabilities, are associated with derogatory gender perceptions.

That said, there are at least two elements of her piece that fall short to my mind: her analysis of the BlackBerry Pearl and of the LG Windows Phone.

Johnston argues that the BlackBerry Pearl was a device marketed for women, and emphasizes the device’s high costs and pink colouration in the UK as an example of trying to extract more money from a female demographic than would be extracted from a male demographic. She also cites the Pearl’s bizarre keyboard format and limited technical specifications to further reinforce her thesis that manufactures sell second-rate products to the female market.

As someone who owned an original Pearl 8100 I don’t know how fair her critique of RIM’s product is. Pearls were RIM’s attempt to get into the consumer market generally, with the position that a full-sized keyboard was intimidating and offsetting to male and female consumers alike. Moreover, the sizes of RIM’s other smartphones at the time – designed pre-iPhone, let’s not forget! – were offsetting to most regular, non-business, consumers.

The Pearl tried to find a balance between size, consumer market expectations, and traditional BlackBerry functionality. It was also comparatively cheaper than most other smartphones at the time (and, I would note, cheaper than the popular Motorola RAZER phones), though RIM and its carrier partners haven’t necessarily reduced the costs of the phone appropriately in all regional markets. Original colours lacked pink entirely: you could buy them in black or red. New colouring – and targeting – towards particular market segments is arguably more the result of an expanded smartphone market than anything else.

I would note than Johnston is far more generous towards RIM’s marketing and branding departments than, well, any other journalist that I’ve previously read. Her assumption that RIM was so forward thinking as to brand a consumer device ‘Pearl’ to target women is massively overestimating RIM’s (traditionally very, very, very, very poor) marketing and branding departments. Finally, the technical specs of RIM’s devices are criticized from all corners, regardless of the colour or class of device (i.e. Pearl, Curve, Torch, Bold, etc), and regardless of whether the device is targeted at professional, prosumer, or consumer markets.

The other issue with the article is her analysis of the LG Windows Phone. What she’s dead right on: LG ‘partnered’ with Jill Sander to inflate the device’s cost and try to make it appeal to a certain market segment. Yep, that’s attempting to sell a device to consumers interested in or intrigued by Sander’s line of products. Where Johnston is wrong, however, is in her effort to equate low-speced Windows Phones with high cost phones.

Unlike Android and iPhone, Microsoft’s mobile phones almost universally have poor technical specifications compared to the competition. That said, Microsoft has tweaked their devices such that the specifications really don’t matter: you get excellent performance in spite of the device using older tech. As such, I don’t really think that the technical critique rings terribly true – women aren’t expected to purchase crappy Windows phones any differently then men are – though I certainly agree around the ‘branding’ of the LG device to unnecessarily inflate costs and attract a dominantly female market.

Anyways: go read the piece and develop your own opinion. Despite my two bones to pick with her evidence I think that the thesis holds and is well supported. She’s created a piece that’s short and critical, if not as deep or as powerful a critique as I’d have liked. Hopefully we see more tech sites – and mainstream news sources! – similarly take companies to task for their attempts to sell second-rate, unnecessarily gendered, products to women.