SpyPhones and Unlocked Dropboxes

April 21st, 2011

John Naughton has posted a good summary of the varying reactions to the 'spyPhone' story as it has developed over the last day or so:

Firstly, lots of people began posting maps of where their iPhones had been, which is a clear demonstration of the First Law of Technology – which says that if something can be done then it will be done, irrespective of whether it makes sense or not.

To my mind, this story is much like the Dropbox insecurity stories that broke over the last week.

Geeks who are motivated enough to pay attention will mostly understand that:

  1. Mobile phone carriers have always been able to plot the approximate location of your phone over time according to which cell towers it connects to. Which means that the truly interesting element of this story is that iOS 4 seems to keep an unencrypted version of that data on your smartphone and in your phone's backups, meaning that anyone who can access your phone or an unencrypted backup of your phone on your computer could – in principle – access this data.
  2. At least some of Dropbox's system administrators are bound to have a way to access the contents of users' Dropbox folders, if only in order to comply with legally-binding requests for information from the appropriate authorities.1 The big questions here are how widespread and how carefully monitored access to unencrypted copies of users' data is among Dropbox staff, and the extent to which the company's marketing claims actively misled users about how secure data held in their Dropbox is.

Never mind the geeks: the big question in both cases is whether ordinary users (and/or their employers) get so freaked out about these security issues that they look for an alternative with a better balance of convenience and security. I'm guessing that they won't, unless either company completely mishandles their response to these stories or there are new, scary developments suggesting that these vulnerabilities are being actively exploited.

  1. If you really want to secure the data you share via Dropbox, create a 'secure' container for it on your computer – be it a TrueCrypt volume, a Mac OS encrypted disk image or just a password-protected .zip file – and put that in your Dropbox folder. Of course, you'll then lose the convenience of Dropbox seamlessly doing versioning of individual files and will be dependent upon all your Dropbox client devices being able to access the same type of encrypted container. Also, the more you require users to enter passphrases to delve down to the level where they can access their files via Dropbox, the less likely they are to want to bother. Dropbox users mostly value convenience over absolute security, IMHO.

Sing it back, sing it back, sing it back to me…

March 30th, 2011

From One Thing Well, a clever way to come up with a secure but memorable password:

Talking of password generation, if you need to come up with a secure password without the help of software, you should make it one you can sing!

[...]

As an example, my favourite Prince & The Revolution B-side is She's Always In My Hair, and the second verse has been stuck in my head for a decade or two:

Whenever I feel like not 2 great at all
Whenever I'm all alone
And even if I hit the wrong notes
She's always in my boat
She's always there

Take the initial letters, and you get:

wifln2gaawiaaaeiihtwnsaimbsat

Nice. My only problems with this technique are that

  1. I have a lousy memory for lyrics.1
  2. Given the number of passwords I have to remember these days, I have a horrible feeling that I'd end up forgetting not just the password, but which song was associated with which account/password.

  1. The consequences of which could be ameliorated by my making sure that whichever track I chose is on my iPod and has lyrics. I'm fairly confident that once I saw the lyrics I'd quickly remember which verse I'd used to generate the password.
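As an added example (mine, not from One Thing Well or from this blog), here is the recipe quoted above as a function, run on the verse quoted in the post, together with the check a practitioner would want before trusting it: a strength estimate that treats the result as 29 random characters, set against what an attacker who knows the recipe and owns a lyrics corpus actually has to search. The corpus size and guessing assumptions in lyric_entropy_bits are illustrative numbers, not measurements, and the keep_case variant is my own tweak, not part of the quoted technique.

```python
"""Lyric-initials passwords, as described in the post quoted above.

Added example, not code from the original page. The verse is the one
quoted in the post; the helper names and the attacker-model numbers
are my own assumptions.
"""
import math
import string

# The verse quoted in the post (constructed input for this example).
VERSE = """\
Whenever I feel like not 2 great at all
Whenever I'm all alone
And even if I hit the wrong notes
She's always in my boat
She's always there
"""


def initials(lyrics: str, keep_case: bool = False) -> str:
    """Return the first character of every whitespace-separated word.

    With keep_case=False this reproduces the quoted recipe exactly: all
    lower case, with digits such as '2' kept as they appear. With
    keep_case=True (my variant) capitalised words keep their capital,
    which adds a character class at no cost to memorability.
    """
    password = "".join(word[0] for word in lyrics.split())
    return password if keep_case else password.lower()


def naive_entropy_bits(password: str) -> float:
    """The figure an online strength meter would report: len * log2(alphabet).

    This assumes every position is an independent uniform draw from the
    character classes present, which lyric initials are not; compare with
    lyric_entropy_bits().
    """
    if not password:
        return 0.0
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(max(alphabet, 1))


def lyric_entropy_bits(corpus_size: int, verses_per_song: int = 4,
                       start_choices: int = 4) -> float:
    """Roughly what an attacker who knows the recipe has to guess.

    If the attacker holds a lyrics corpus of corpus_size songs and tries
    each verse from a handful of starting lines, the search space is
    songs * verses * starting points, however long the password is. The
    default multipliers are assumptions for illustration only.
    """
    return math.log2(corpus_size * verses_per_song * start_choices)
```

Run against the quoted verse, initials(VERSE) gives the 29-character string in the post, which a strength meter would score at around 150 bits; against an attacker with a million-song lyrics corpus the same password sits in a search space of under 30 bits. The lesson is the usual one for passphrases drawn from published text: length is not the same as randomness, and the technique is fine against online guessing but not against an attacker who can test millions of candidates offline.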

The SpyTunes Saga

February 21st, 2011

Andrew McAfee has found a hole in the iTunes Store privacy model: if you try to gift music (or an App, or a TV programme or film) to an iTunes Store user, iTunes warns you if the user already has that item.

This snooping process is iterative and cumbersome, but I'm pretty sure it could be at least somewhat automated. It's also a little fluky; to learn what I have, [the snooper] has to gift media to me in the same form I bought it. For example, if he sent me only a single episode of "Breaking Bad" season 3 iTunes wouldn't send him a message like the one above. This is because I bought the whole season at once, so [the snooper] has to gift me the whole season to learn about my purchase. Similar rules appear to hold for music.

Even though [the snooper] has to work a bit, I'm not thrilled that he (or anyone else) can so easily learn about my media purchases and tastes. If I want to share my iTunes holdings with my friends or broadcast them to the world Apple gives me tools to do so, but if I want to keep them private I can't.

McAfee says that Amazon handles this sort of problem differently; it simply converts duplicate items to store credit, informing the recipient of the duplicate items but not the gift-giver, and suggests that Apple would do well to adopt this approach. My online gift-giving is usually selected from users' wishlists so I've never encountered this problem in the wild, but if I were giving a gift I think I'd prefer to be given the chance to choose a different item rather than have my gift silently converted to an impersonal store credit: if I'd wanted to give an iTunes Store credit I'd have chosen that option. However, I can see that both approaches have their merits.1

My feeling about this is that whilst it's technically a privacy breach, it's not a terribly scary one. The would-be snooper needs to:

  1. Guess the email address I use with my iTunes Store account.2
  2. Guess what music/apps/ebooks etc I might own and whether I bought them as individual items or as part of an album/season purchase.3
  3. Automate this process without Apple noticing that some rabid fan of mine has made X attempts to gift me Y different tracks/apps/ebooks without ever going through with a purchase, and throttling or blocking their access.

Having successfully negotiated those hurdles, the snoop is now in possession of … a listing of a small portion of the contents of my iTunes Library. Given that I display ample evidence of my taste in music on the internet for the whole world to see as a matter of course, you'll understand if I'm not terribly worried by this potential attack vector.

That being said, I do take the point that users who wish to keep their music choices to themselves should have the ability to do just that: Apple should probably get right on it.4

[Via Risks Digest]

  1. Perhaps iTunes Store users should be allowed to specify in their account settings whether gift-givers should be warned of duplicates.
  2. Admittedly not everyone sets up a distinct email address to use just for iTunes, so this could be straightforward in some cases where the snooper already has your email address.
  3. Which raises another question: what if I have a track that I ripped from a CD in MP3 format and the potential snooper tries to gift me the iTunes Store version of that track in AAC/m4a format. Does iTunes recognise that it's the same track despite the format difference?
  4. Interestingly, McAfee points out that in the US it is an offence to give out details of an individual's video rental/purchase history and suggests that if the iTunes Store makes it possible to find out what films a user has purchased this might leave the firm open to legal action. That sounds more like the sort of motivation Apple will need to close this hole.

iPad multi-user login

January 18th, 2011

I posted last October about my surprise that the iPad didn't allow for multi-user logins to preserve the security of each user's logins. Matt Jones has done Apple the favour of sketching a multi-user UI for the iPad.

It's nice but, like commenter Michael O'Brien, I wonder if I'd be able to live with the asymmetry if my iPad had only three users and had to leave a corner vacant. Come to that, what if my iPad had five users and it ran out of corners? Simpler, I think, to have a centred list of potential users to choose from, much like the standard login dialog for OS X.

All this remains academic until Apple decide to build in the requisite functionality, but surely that'll come one day.1 Even if the price of an iPad falls by 50%, I find it hard to believe that enough households will buy multiple iPads to keep Apple ahead of the pack. Though if any company can persuade families to buy an iPad Family Pack – 5 for the price of 4 – it's Apple.

There again, Apple being Apple they'll just as likely be thinking at least three steps ahead of us mere mortals even as I type this. Perhaps they're going to wait as the clamour for a multi-user iPad grows, then release an iPad 3 that does facial recognition on the fly so that it 'knows' who is using it and invokes Fast User Switching to fire up the appropriate account automagically, or the Guest account if the user's face isn't recognised.

  1. It all depends, to my mind, upon whether they have to contend with rival tablet makers whose devices make it easier for individual users to protect their login details so they can safely share their tablet with family members. As long as the iPad is the only serious game in town tablet-wise Apple will be under no great pressure to change their approach.

Wikileaks is "transparent," like a cardboard blast shack full of kitchen-sink nitroglycerine in a vacant lot.

December 27th, 2010

Bruce Sterling on the Wikileaks saga:

Assange didn't liberate the dreadful secrets of North Korea, not because the North Koreans lack computers, but because that isn't a cheap and easy thing that half-a-dozen zealots can do. But the principle of it, the logic of doing it, is the same. Everybody wants everybody else's national government to leak. Every state wants to see the diplomatic cables of every other state. It will bend heaven and earth to get them. It's just, that sacred activity is not supposed to be privatized, or, worse yet, made into the no-profit, shareable, have-at-it fodder for a network society, as if global diplomacy were so many mp3s. Now the US State Department has walked down the thorny road to hell that was first paved by the music industry. Rock and roll, baby.

[Via The Null Device]

Representing. Comfort-seeking. Advancing.

December 26th, 2010

Professor Ross Anderson's response to a request by the UK Cards Association1 that the university take down an MPhil thesis published by a student that included information about the No-PIN attack and "give [the UK Cards Association] comfort about [the university's] policy towards future disclosures" may not be as pithy as the best reply ever committed to paper, but it's equally robust:

Your letter of December 1st to Stephen Jolly has only this week been passed to me to deal with. I'm afraid it contains a number of misconceptions and factual errors.

First, your letter was not correctly addressed. The University of Cambridge is a self-governing community of scholars rather than a corporate hierarchy. [...] Omar's work was not 'published by the university' as you claim but by him. If you wanted him to take his thesis offline, you should have asked him.

However, given that the material on the No-PIN attack appears on my page as well as Omar's and Steven's, and given that Mr Jolly passed the matter to me to deal with, I expect that I can save us all a lot of time by answering directly.

Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. [...]

[Via James Nicoll]

  1. That's 'cards' as in credit/debit cards, not playing cards or collectible card games.

Taking sharing several steps too far?

October 8th, 2010

Tim Bray's post about taking a Samsung Galaxy Tab out on the road raised an issue that I haven't seen mentioned in the reviews of the new generation of tablet computers:

… at this point in history [the Galaxy Tab's] primary use is starting conversations. Obviously, when you're surrounded by Android-lovin' Japanese geeks at Google Developer Day Tokyo, you're going to draw a crowd. But I also got chatted up by lots of random strangers, notably including my waiter at a restaurant in the Copenhagen train station.

Which has revealed a feature that the Tab needs; a button in Gmail called "in strange hands". The device is profoundly shareable, but mine has my Google email, full of threads that are distinctly not for public eyes. So I need to switch to disable that while letting people look at interesting web sites or play games or check stock prices or whatever.

Given that one of the use cases for iPad-type computers is as a family resource that can be left lying around for anyone to pick up and use if they want to indulge in a bit of web browsing while watching the TV, I'd have thought that some sort of user login system would need to be baked in to the operating system. Actually, it never occurred to me that a modern portable computer, regardless of form factor, wouldn't have that ability.1

I know the new generation of tablet computers typically don't store much of a user's data locally, preferring to access data in the cloud, but I take it that the apps and web browsers installed on a tablet still use cookies2 to store a user's login details for their various online accounts. Without some form of user login – or, at the very least, a quick way to enable Fast User Switching and go into 'Guest Mode' – won't passing the family iPad over to your teenage son also mean handing them the login details to Dad's email and online banking account, Mum's Amazon account, his sister's blog's admin page and who knows what else besides?3

Admittedly, a lot of home users – especially of Windows-based systems, in my experience – will only ever set up a single user account on their PC anyway. But they do at least have the option on Windows – or any other modern desktop OS – of setting up restricted user accounts for some users and of quickly logging out of one account so that another user can log in. It seems to me that an eminently shareable piece of kit like a tablet computer would demand at least that level of security.

  1. Admittedly my current portable computer – a slightly-battered-but-still-functional Palm T|X – doesn't have the facility to set up different user accounts. But then, it's not the type of computer that gets passed from person to person: like a smartphone, it's inherently a personal device. I'm sure Apple would love it if households bought every family member over the age of 10 their own iPad, but that's not going to be a commonplace scenario any time soon.
  2. Or a keychain, or some other device-specific system that provides similar functionality.
  3. True, some web site login pages allow you to specify whether the cookie stores only your user name, or your user name and password. However, I'll bet that in a lot of cases convenience wins out over security and users default to letting the system store both credentials so that to access the site is to log into the site.

Twitter Terrorist II: The Reckoning

May 12th, 2010

Remember Paul Chambers, the Twitter terrorist? Back in January, when the harsh winter was threatening to close Doncaster's Robin Hood airport, he posted:

"Robin Hood airport is closed. You've got a week and a bit to get your shit together, otherwise I'm blowing the airport sky high!!"

Guess what happened next:

I never expected to be charged, but a month later I was: not under the offence of making a bomb threat, for which I was originally arrested, but under the communications act for the offence of sending a menacing message. [...] Even after all the preceding absurdity and near-breakdown-inducing stress, I was confident common sense would prevail in my day in court.

Unfortunately, yesterday I was found guilty and ordered to pay £1,000 in fines and legal costs, which I have to find along with my own legal costs of another £1,000. I am considering an appeal, though I have no means, having left my job due to the circumstances.

I wonder if our new Justice Secretary has any thoughts about whether taking Chambers to court really served the interests of justice.

I understand completely.

May 1st, 2010

Laszlo Thoth is determined to have some fun with the secret questions and answers he supplies to his bank:

A real live human operator always asks the question and waits for a real live answer. This measure has the potential to not just improve my account security but add entertainment value as well:

[...]

Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men.

A: Go forth, and kill. Zardoz has spoken.

[...]

[Via Waxy.org Links]

Nose scanning

March 10th, 2010

Fingerprints? DNA? Iris scanning? Old news. Nose scanning is the wave of the future:

[Bath University...] researchers scanned noses in 3D and characterised them by tip, ridge profile and the nasion, or area between the eyes.

They found 6 main nose types: Roman, Greek, Nubian, hawk, snub and turn-up.

Since they are hard to conceal, the study says, noses would work well for identification in covert surveillance. [...]

Presumably when you walk up to an ATM you'll be required to turn to the right, so the camera can capture your profile.

[Via Bruce Schneier]

Time to close your account?

March 6th, 2010

Not the sort of message you want to see when you walk up to an ATM.

Twitter terror

February 11th, 2010

Was this tweet from unhappy traveller Paul Chambers in poor taste?

"Robin Hood airport is closed. You've got a week and a bit to get your shit together, otherwise I'm blowing the airport sky high!!"

Perhaps so. Perhaps not. Depends who he was talking to. I'd imagine that any family/friends/acquaintances who were following him on Twitter probably knew his sense of humour and, quite possibly, his travel plans.1

Was this a textbook case of an official overreaction?

A week after posting the message on the social networking site, he was arrested under the Terrorism Act and questioned for almost seven hours by detectives who interpreted his post as a security threat. After he was released on bail, he was suspended from work pending an internal investigation, and has, he says, been banned from the Doncaster airport for life.

Hell, yes! Unless, that is, the prosecution reveal that their trawl through Chambers' computer has revealed evidence that he actually is a spectacularly dim terrorist wannabe.

I'm not going to hold my breath.

As an added bonus, I'll bet Chambers will be on various watch lists for the rest of his days, or until officials everywhere develop a sense of proportion in dealing with 'terrorist threats.'2

[Via Groc's various musings]

  1. He was due to fly out from the airport the following week.
  2. Again, I won't be holding my breath while I await the blessed day.

sed 's/naughty/nice/'

December 23rd, 2009

Oh no! Santa's been hacked

You're probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source of the leak is unclear. It may have come from a renegade reindeer, or it could be the work of a clever programmer in the Ukraine. Either way, it's a terrible black eye for Santa. [...]

[Via Bruce Schneier]

If only they'd use their powers for good

October 6th, 2009

Perhaps it would be best if we just shut down all online banking systems now:

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim's dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim's machine that alters html coding before it's displayed in the user's browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances. [...]

Alternatively, and more realistically, banks need to start routinely requiring confirmation of transactions via some means not involving the user's web browser: ringing the user on a preset phone number to confirm that they authorised any transaction to a new recipient, or any transaction over a certain value.
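The confirmation step proposed above, worked through as an added example (not code from the original page, from the quoted report, or from any bank): a policy check for which transfers need out-of-band confirmation, and a short confirmation code that the bank computes over the transaction it actually received and delivers by a channel the browser cannot touch, so that a browser-resident trojan which rewrites the submitted transfer cannot reuse the code the user was expecting. The field names, the £500 threshold, the six-digit HMAC code format and the sample transfers are my assumptions, constructed for the example.

```python
"""Out-of-band confirmation of bank transfers, as suggested in the post.

Added example, not code from the original page or from any bank. The
policy threshold, field names and the HMAC-based code format are my own
assumptions; a real deployment would add code expiry, attempt limits and
a proper secret store.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Transfer:
    txn_id: str          # unique per submission, so a code cannot be replayed
    from_account: str
    to_account: str
    amount_pence: int    # integer minor units; never a float for money
    reference: str


def needs_oob_confirmation(txn: Transfer, known_recipients: set[str],
                           threshold_pence: int) -> bool:
    """The post's rule: confirm out of band for any new recipient or large amount."""
    return txn.to_account not in known_recipients or txn.amount_pence > threshold_pence


def canonical(txn: Transfer) -> bytes:
    """Stable byte encoding of exactly the fields the user will be asked to confirm."""
    return json.dumps(asdict(txn), sort_keys=True, separators=(",", ":")).encode()


def confirmation_code(server_secret: bytes, txn: Transfer, digits: int = 6) -> str:
    """A short code bound to the transaction details via HMAC-SHA256.

    The bank computes this over the transfer it actually received and reads
    it out over the phone (or sends it by SMS). Because recipient and amount
    are part of the MAC input, a trojan that rewrites the submitted transfer
    cannot reuse a code the user obtained for the original one.
    """
    mac = hmac.new(server_secret, canonical(txn), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


def spoken_confirmation(txn: Transfer, code: str) -> str:
    """What the automated call reads out: the details the bank actually holds."""
    pounds, pence = divmod(txn.amount_pence, 100)
    return (f"You requested a transfer of {pounds}.{pence:02d} pounds to account "
            f"{txn.to_account}, reference '{txn.reference}'. If this is correct, "
            f"enter code {code}.")


def approve(server_secret: bytes, received: Transfer, code_entered: str) -> bool:
    """Accept only if the code matches the transfer as received by the bank."""
    expected = confirmation_code(server_secret, received)
    return hmac.compare_digest(expected, code_entered)


# Worked scenario (constructed data, not a real account or incident).
SECRET = b"example-server-secret-not-for-production"
KNOWN = {"11-22-33 12345678"}          # recipients this customer has paid before
LIMIT = 50_000                         # £500.00

intended = Transfer("t-1001", "40-00-01 00000001", "11-22-33 12345678", 12_000, "rent")
# A man-in-the-browser trojan of the kind in the quoted report swaps the
# recipient and amount before the form leaves the browser, while the page
# the customer sees still shows the intended transfer.
tampered = Transfer("t-1001", "40-00-01 00000001", "99-99-99 66666666", 490_000, "rent")
```

With these inputs the intended transfer (known recipient, £120) needs no call, but the tampered one the bank actually receives trips both rules, so the customer gets a call that reads back the wrong recipient and £4,900 and can refuse; and even if the trojan had displayed a code for the intended transfer, approve() rejects it because the MAC was taken over the details the bank holds. The check that matters is that the spoken message comes from the bank's copy of the transaction, not from anything rendered in the browser.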

[Via Bruce Schneier]

Stick Figure AES

September 26th, 2009

A Stick Figure Guide to the Advanced Encryption Standard. Impressively geeky, yet perfectly intelligible.1

[Via The Browser]

  1. Until the maths arrives in Act 4, at which point I decided that I'd learned quite enough about encryption for one day.

Intriguing

May 5th, 2009

Credit where it's due: Bruce Schneier certainly knows how to come up with an arresting post title. How can you scroll past a post entitled Security Considerations in the Design of the Human Penis?

(Shouldn't that be "Security Considerations in the Evolution of the Human Penis"?)

Physical Security

September 30th, 2008

Physical Security Maxims:

Rohrbach’s Maxim: No security device, system, or program will ever be used properly (the way it was designed) all the time.

Rohrbach Was An Optimist Maxim: Few security devices, systems, or programs will ever be used properly.

[Via Schneier on Security]

CAPTCHA: TNG

September 20th, 2008

The next generation of CAPTCHAs?

[Via mystyk, commenting at MetaFilter]
