Thursday, 02 September 2010

The security model for biometrics

I just came across an article that talks about how the use of biometric data for identification can cause a security problem. Here's what this article said:

When biometrics get down to the local gym, however, serious questions must be raised. Your biometric identifiers are immutable and, once stored on a computer, impossible to take back. So if the 24-Hour Fitness database gets hacked and some enterprising Black Hat team of computer experts makes off with this sensitive information, many people could forever lose control of this permanent identification marker. Of course, you could scrape off your fingerprints and replace them with new ones. (This is probably possible). But that's getting a little too close to Total Recall for my taste.

This seems to miss the point of biometrics. Biometric data isn't secret and the security model of biometric identification systems doesn't assume that it is. Instead, biometrics need to ensure that the data that they capture is fresh instead of stored. This subtlety seems to have been missed by the author of this article.

Wednesday, 01 September 2010

A novel idea in PKI

It looks like back in 2006 the determined people at Izanpe tried to get their root certificate added to the Mozilla browser. It took them four years to do this, and you can find the story of their adventure here.

At a bit over 14,000 words, this story should probably be called a novelette instead of a full novel, but that's probably not much of a consolation to the people at Izanpe. 

Tuesday, 31 August 2010

Random thought of the day

The title of the article says it all: "The generation of random numbers is too important to be left to chance," (Robert R. Coveyou, Studies in Applied Mathematics, Vol. 3, 1969, pp. 70-111).

Monday, 30 August 2010

That's a lot of users

Our marketing people issued an interesting press release last week. There was some stuff in it about a huge growth rate, lots of consecutive quarters of profitability, and similar things, but what I found the most interesting is that we now have over 4.5 million licensed users of our SecureMail product.

Note that that's 4.5 million licensed users. Our sales guys typically license our email product to an enterprise by the number of internal users, so the actual number of users is much greater than that. Perhaps even much greater. So although it's impossible to get an accurate estimate of how many users we really have, it's not hard to believe that there are probably over 20 million users of SecureMail now.

That's a lot of users.

Friday, 27 August 2010

Another case of where it's not just a problem with IT

Before I came to Voltage I did mergers and acquisitions consulting. This can be very frustrating work because you put in lots of hard work and most M&A deals end up not closing. You typically have 90 days to do all of your due diligence for a deal, but you lose a week or two up front when you're getting organized and you lose a week or two at the end when you have to write reports and give presentations on what you learned. This means that you really have more like 60 days to learn everything, and that can mean lots of 20-hour days.

Fortunately, the work's interesting enough and the pay's high enough that you tend to not really mind that. On the other hand, it's very frustrating to see all of that work be for nothing when deals don't work out, and most of them don't.

I was having lunch with a former co-worker recently and was reminiscing about this particular frustration when it was pointed out to me that big IT projects have the same problem: most of them fail. The Standish Group has been tracking the success of IT projects for quite a while, at least since 1995, and here's what they had to say about how things are going now: 

"This year's results show a marked decrease in project success rates, with 32% of all projects succeeding, which are delivered on time, on budget, with required features and functions," says Jim Johnson, chairman of The Standish Group. "44% were challenged, which are late, over budget, and/or with less than the required features and functions, and 24% failed, which are cancelled prior to completion or delivered and never used."

"These numbers represent a downtick in the success rates from the previous study, as well as a significant increase in the number of failures," says Jim Crear, Standish Group CIO. "They are the low point in the last five study periods. This year's results represent the highest failure rate in over a decade."

So IT projects, which have always been challenging in the past, have apparently gotten worse recently. I don't follow the Standish Group's CHAOS reports, their annual reports on the state of IT project management, like I used to, but I seem to recall that the trend was moving in the right direction in the past. Maybe cutting project management and risk management overhead due to the recent recession is responsible for this trend.

Thursday, 26 August 2010

It's not just software

Software is notoriously behind schedule, but my experience with book publishers tells me that it's not just software that has this problem. Starting in 1999, for example, F. Paul Wilson wrote a series of five novellas about a future in which almost-human genetically-engineered beings called "Sims" exist and cause the usual moral complications and intrigue that you'd expect in a work of science fiction. He eventually consolidated these novellas into a single novel which came out in 2003. The fifth of these novellas ended up being delayed for some reason and was actually just published this year, at least seven years after it was completed.

Just like there's usually a good reason why software is delayed, I'm sure that there's a perfectly good reason why the fifth Sims novella was delayed that long. I can't think of what it could possibly be, but it's sort of reassuring to see that big, unexpected delays aren't just something that you see with software.

Wednesday, 25 August 2010

Rising credit card rates

There was an article in the Wall Street Journal this week about how the spread between the prime rate and credit card interest rates is the biggest it's been in 22 years and is still increasing. In light of the data that I recently posted about how the charge-off rates for credit cards are dramatically higher now than they've been in the past, I'm not surprised by this at all. I'd even guess that that's the main factor behind the rising rates, not the recent Credit Card Accountability Responsibility and Disclosure Act of 2009.

Tuesday, 24 August 2010

Not quite my new favorite game

I've mentioned before how I recently came across a game called Progress Quest. In this game you do absolutely nothing after you create your character except watch the game run and watch your character, well, make progress. I recently came across a new game that I thought might be able to displace Progress Quest as my favorite game, but it turns out that I was mistaken. This game is Foldit.

In Foldit, you play games that involve folding proteins. Knowing the three-dimensional structure of a protein is apparently very important if you want to understand how the protein will work in the chemical reactions that biologists are interested in, but it's apparently not obvious from the chemical formula for a protein exactly what its structure will be.

There are sophisticated computer programs that will try to find the right structure for a protein, but it seems that these programs aren't quite as good as skilled people. To take advantage of this fact, a team of computer scientists and biologists made Foldit, a game that teaches you how to work out the right way in which a protein will fold. You learn the basic principles through a series of example problems and can then move on to working on bigger structures. This is apparently a valuable aid to research, and "Foldit players" were actually listed as co-authors of a recent biochemistry paper that was published in the journal Nature.

In any event, I thought that Foldit sounded interesting, downloaded and installed the game and tried the first few protein folding challenges. After the first several, I realized that I just don't have the right stuff to be a champion protein folder. I might not even be able to become a competent Foldit player. Fortunately, Progress Quest is still there (where my character Elrond Hubbard is now level 71). It seems to be a game that's more aligned with my game-playing skills.

While trying Foldit I did wonder if it would be possible to create a similar graphical interface for a game in which the players are really doing cryptanalysis, but I didn't see an easy way to do that.

Monday, 23 August 2010

What an error on storefrontbacktalk.com tells us

On Storefrontbacktalk.com, QSA Walt Conway talks about why encrypting short fields, like the expiration date of a credit card, can let an adversary decrypt your entire database. His conclusion is just plain wrong, but his article is actually very useful in other ways, because it may give us some insight into what the industry really needs.

First, let's see why Walt's conclusion is wrong.

If you encrypt a small field with non-randomized (deterministic) encryption, it may be possible for an adversary to carry out a chosen-plaintext attack. To do this he builds a table of all possible plaintext-ciphertext pairs and then uses that table to decrypt ciphertexts that he sees. But just because an adversary can do a chosen-plaintext attack does not mean that he can do a key-recovery attack. That's typically much harder.

Building a table of all possible expiration dates is very feasible. Trying to recover a key that's used to encrypt all of those expiration dates isn't. This means that the fundamental premise of Walt's article is totally wrong.
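To make the distinction concrete, here is an added example (not code from the article, and not Voltage's product code) using a constructed toy cipher: HMAC-SHA256 as a counter-mode keystream. With a fixed nonce the scheme is deterministic, and an adversary who can get candidate expiration dates encrypted builds a table that decrypts every stored date by lookup while learning nothing about the key; with a fresh random nonce per encryption the same table recovers nothing, which is the property the IND-CPA definition discussed below captures.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed toy cipher: HMAC-SHA256 used as a PRF in counter mode to make a
# keystream. It stands in for a real block cipher; the codebook attack below
# does not depend on the cipher, only on the encryption being deterministic.
KEY_LEN = 32
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` keystream bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_deterministic(key: bytes, plaintext: bytes) -> bytes:
    """Fixed nonce: the same plaintext always yields the same ciphertext."""
    return _xor(plaintext, _keystream(key, bytes(NONCE_LEN), len(plaintext)))


def encrypt_randomized(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per call, prepended so the key holder can still decrypt."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def all_expiration_dates(first_year: int = 2010, last_year: int = 2025) -> List[bytes]:
    """Every MM/YY value a card in this window could carry: just 12 per year."""
    return [f"{m:02d}/{y % 100:02d}".encode()
            for y in range(first_year, last_year + 1) for m in range(1, 13)]


def build_codebook(oracle: Callable[[bytes], bytes],
                   plaintexts: List[bytes]) -> Dict[bytes, bytes]:
    """Chosen-plaintext step: have every candidate encrypted and record
    ciphertext -> plaintext. The key is never seen or needed."""
    return {oracle(pt): pt for pt in plaintexts}


def lookup(codebook: Dict[bytes, bytes], ciphertext: bytes) -> Optional[bytes]:
    """'Decrypt' by table lookup; None means the table does not cover this value."""
    return codebook.get(ciphertext)


def run_demo(rows: int = 50) -> Dict[str, int]:
    """Encrypt a constructed column of expiration dates both ways and count how
    many stored values the codebook recovers in each mode."""
    key = secrets.token_bytes(KEY_LEN)            # unknown to the adversary
    dates = all_expiration_dates()
    column = [secrets.choice(dates) for _ in range(rows)]

    det_book = build_codebook(lambda pt: encrypt_deterministic(key, pt), dates)
    det_hits = sum(lookup(det_book, encrypt_deterministic(key, pt)) == pt
                   for pt in column)

    rnd_book = build_codebook(lambda pt: encrypt_randomized(key, pt), dates)
    rnd_hits = sum(lookup(rnd_book, encrypt_randomized(key, pt)) == pt
                   for pt in column)

    return {"candidates": len(dates),
            "deterministic_recovered": det_hits,
            "randomized_recovered": rnd_hits}
```

The table has only 192 entries for a 16-year window, which is why the attack is cheap; recovering the 256-bit key behind it would mean breaking HMAC-SHA256, and nothing in the table helps with that.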

That’s not surprising, however, because encryption is a tricky subject that’s often inaccessible to non-specialists. If we look at exactly what it means for encryption to be secure we see a good example of this.

There are actually several definitions of security for encryption, and each of these formalizes what it means to be secure against one of the different types of attacks that an adversary might try. One of the most common of these is IND-CPA security, which gives a careful definition of how hard it is for an adversary to carry out a chosen-plaintext attack.

The precise definition of IND-CPA security is fairly incomprehensible to non-specialists, so you can’t really expect them to spend the time and effort to understand it. If you’re not a crypto specialist, look at the Wikipedia article on IND-CPA security and see if its definition makes sense to you.

There’s another notion of the security of encryption that’s called “perfect secrecy,” and that’s really the security model that tokenization systems try to attain. This definition is also fairly incomprehensible to non-specialists, so even though tokenization systems violate the assumptions of the security model that they’re trying to meet, that’s not clear to most people.

On the other hand, there's a definite need for careful and precise definitions of what it means for encryption to be secure. These definitions are what you use when you prove that a cryptographic scheme is secure, and without these careful definitions, these proofs really aren't possible. The unfortunate side effect, however, is that things really get a bit too complicated for most people to understand.

In any event, if the subtleties of encryption and its security aren’t clear to a QSA, what that’s probably telling us is that there’s a need for some way for them to get complicated concepts explained to them in an easy-to-understand way. Maybe some sort of industry forum in which QSAs and others can ask experts about these things in a way that won’t make them feel foolish would be good for this.

I’ve found that having a few beers with the sales people selling crypto products is a fairly effective way to give them a chance to ask questions about exactly how their technology works and why it’s secure, but that approach probably doesn’t scale very well. Maybe that industry forum would be a better approach.

Friday, 20 August 2010

All but the simplest of metrics will fail

I'm now firmly convinced that all but the simplest of metrics for security are doomed to failure. Something as simple as the fraction of workstations with anti-virus software installed is probably simple enough, but anything more than that is probably too complicated to be useful. I think this because of a conversation that I recently had with someone who didn't understand the difference between "4 square yards" and "4 yards square."

The person who didn't understand this difference had an undergraduate degree in engineering, so they must have had a few math classes in college. (I suppose that I should mention that this engineer does not work at Voltage.) If a person with that much technical education can't understand that difference, I'd guess that people with even less of a technical background would have a very hard time understanding any metric for security that had even a relatively modest level of complexity. I'm now wondering if even talking about the "average" amount of something is too much for many people to really understand. Even that fairly simple concept is commonly misunderstood or misinterpreted.

Thursday, 19 August 2010

The market for positive feedback

Even though it's been almost four years since John Morgan and Jennifer Brown published "Reputation in Online Auctions: The Market for Trust," it looks like things haven't changed much since then. This article describes how people use lots of small transactions at on-line auction sites to artificially inflate their reputation. In some cases they then use that positive reputation to give unlucky buyers unwarranted confidence in them that they then exploit.

This article has a story, for example, about a person who bought lots of items being sold on eBay for the very purpose of increasing a user's reputation. They apparently spent about $100 on this and then used the positive reputation from lots of successful $0.01 transactions to open the door to shady real estate deals in which they made several thousand dollars.

In any event, I was curious whether this was still the case. In Internet time, four years is quite a while, so I thought that things might have changed since then.

Apparently they haven't.

A quick search for "positive feedback" on eBay returns a list of lots of items that are still being sold just to increase a user's reputation. I didn't see what things were like back in 2005 to 2006 when Morgan and Brown were doing research for their paper, but I'd guess that they weren't much different.

Morgan and Brown talk about things being sold for $0.01 that were designed to just boost a user's reputation, and it looks like prices are a bit higher these days. I don't see any "Buy It Now" auctions for $0.01 for which you really don't get anything, and it looks like $1 is a more typical price now. This makes me think that scams that take advantage of the trust created by positive feedback are probably more prevalent now than they were four years ago.

Wednesday, 18 August 2010

Charge-off rates for credit card loans

A reader recently commented that he'd heard that the charge-off rates (the fraction that banks write off as bad debt) for credit card loans are typically around 4 percent, but hadn't seen a reference to that fact. Here’s a graph of the data from the Federal Reserve that shows the charge-off rates on credit card loans since 1985. Until recently, the rate hovered around 4 percent. It’s jumped to roughly 10 percent in the past year or two, but I’d expect it to go back down to about 4 percent again in the next year or two.

[Graph: charge-off rates on credit card loans, Federal Reserve data, 1985 to present]

Tuesday, 17 August 2010

Get your BN curve here

It looks like some researchers at RWTH Aachen University have an on-line tool for creating BN curves. These are elliptic curves that are particularly useful for pairing-based cryptography, like the identity-based encryption that Voltage uses. If you're interested in implementing pairing-based cryptography, this is a very useful resource to have.

It's generally true that there's no such thing as a free lunch, and this even applies to identity-based encryption. From the user's point of view IBE is great because it's simpler to use than alternatives. From an administrator's point of view IBE is great because it's extremely simple to keep running. These two combine to make its TCO much lower than the TCO of alternatives.

On the other hand, all of these good features don't come for free, but they really involve things that users and administrators don't see. In particular, it can be very difficult to find elliptic curves that are suitable for use in IBE algorithms. Most elliptic curves don't work very well for this and it can be a bit tricky finding ones that do. BN curves happen to be an example of a type of curve that do work well, so having a place where you can get parameters for such curves can be very useful.

The parameters that you can get from this on-line tool aren't optimized to give you very good performance, so they're not what you'd want to use in a shipping commercial product, but if you're just doing development and testing they're very useful.
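As an added worked example (not the RWTH Aachen tool's code, and not Voltage's), here is how BN curve parameters follow from a single integer u and how to check the pairing-friendly properties the post relies on: the field size p, the group order n and the trace t are fixed polynomials in u, a BN curve exists whenever p and n are both prime, and the resulting curve has embedding degree 12. Choosing the curve coefficient b, a generator point and performance-oriented tuning are left out, and the search bounds and Miller-Rabin round count are my own choices.

```python
import random
from typing import Optional, Tuple


def bn_params(u: int) -> Tuple[int, int, int]:
    """Field size p, group order n and Frobenius trace t of the BN family at u."""
    p = 36 * u**4 + 36 * u**3 + 24 * u**2 + 6 * u + 1
    n = 36 * u**4 + 36 * u**3 + 18 * u**2 + 6 * u + 1
    t = 6 * u**2 + 1
    assert p + 1 - t == n  # Hasse relation: the curve over F_p has n points
    return p, n, t


def is_probable_prime(m: int, rounds: int = 24) -> bool:
    """Miller-Rabin. Fine for a development-time search; a shipping product
    would want a stronger primality proof for the chosen p and n."""
    if m < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if m % small == 0:
            return m == small
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, m - 1)
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True


def embedding_degree(p: int, n: int, limit: int = 12) -> Optional[int]:
    """Smallest k with n | p^k - 1: the pairing maps into F_{p^k}. BN gives 12."""
    for k in range(1, limit + 1):
        if pow(p, k, n) == 1:
            return k
    return None


def find_bn_u(bits: int, tries: int = 100000) -> Optional[int]:
    """Random search for u (either sign) such that p and n are both prime, with
    p roughly `bits` wide. Since 36 u^4 ~ 2^bits, u ~ 2^((bits - 5)/4)."""
    lo = 1 << ((bits - 5) // 4)
    for _ in range(tries):
        u = random.randrange(lo, 2 * lo)
        if random.random() < 0.5:
            u = -u
        p, n, _ = bn_params(u)
        if is_probable_prime(p) and is_probable_prime(n):
            return u
    return None


if __name__ == "__main__":
    # u = 1 already gives a (toy-sized) BN curve: p = 103, n = 97, k = 12.
    for u in (1, find_bn_u(64)):
        p, n, t = bn_params(u)
        print(f"u={u}  p={p}  n={n}  t={t}  k={embedding_degree(p, n)}")
```

Such parameters are exactly what a test build needs; the tool's output differs from this in picking u so that field arithmetic and the pairing run fast, which is the optimization the post says the on-line tool does not do.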

Monday, 16 August 2010

Information security as an alternative to horror novels

I know lots of people who are big fans of horror fiction. Many of them tell me that they read horror fiction because they like the way it makes them feel. Many of them apparently like the uneasy feeling that they get from reading it, even the really over-the-top stuff that does its best to make you feel the desperate need to take a shower after you finish it.

It seems to me that information security is also a bit like this - it also deals with lots of bad things happening, many of which are really out of your control. Having an exploitable buffer overflow vulnerability discovered in your web server probably isn't as bad as the end of the world in which some sort of out-of-control secret government experiment leads to us all being eaten by zombies, for example, but it's not the sort of thing that you can really do much about, and neither one of these possibilities is really very appealing.

There probably aren't many people who stay awake at night worrying about being eaten by zombies, while there are people who stay awake at night worrying about the possibility of their web server having an exploitable vulnerability, so that's probably not the best example. But if there are people who like the feeling that they get from reading horror novels, I wouldn't be too surprised if there are also people who like thinking about information security for very similar reasons. If I remember to, I'll have to ask people about this at one of the vendor-sponsored parties at next year's RSA Conference.

Friday, 13 August 2010

More interesting fraud data from the Kansas City Fed

As I mentioned before, "The Changing Nature of U.S. Card Payment Fraud: Industry and Public Policy Options" by Richard J. Sullivan, has some interesting data about the nature of fraud. Here's what's in Table 2 in this document.

                                        Losses (billions)   Share of total loss
Card issuers
  PIN debit                             $0.028
  Signature debit                       $0.337
  Credit cards                          $1.240
  ATM withdrawals                       $0.397
  Total issuer losses                   $2.002              59%

Merchants
  POS                                   $0.828
  Internet, mail order, and telephone   $0.568
  Total merchant losses                 $1.396              41%

Total losses                            $3.718

I noticed a few interesting things in this data:

  • Banks actually suffer more from card payments fraud than merchants do - roughly 50 percent more
  • For banks, ATM fraud is almost one-third of credit card fraud
  • Merchants actually have more POS losses than CNP losses

I wouldn't have expected any of those to be true.

Thursday, 12 August 2010

Practice-oriented Provable-Security

In 2009, Mihir Bellare and Phil Rogaway shared the ACM's prestigious Paris Kanellakis Theory and Practice Award for their creation of the idea of "Practice-Oriented Provable-Security." Here's the citation for the award that explains why they received it:

Historically, cryptographic schemes used in practice were designed in ad hoc ways and subject to failure. Practice-Oriented, Provable-Security (POPS), developed by Bellare and Rogaway in a series of papers in the 1990s, changed this, giving us the means to create high-assurance practical cryptography, meaning schemes that were backed by the theoretical guarantee of provable security while meeting practical needs and expectations.

Today, POPS-based schemes are cornerstones of Internet security, implemented in most communication security protocols and software - these schemes are used every time someone makes a credit card-based Internet purchase. Meanwhile, the models, techniques and approaches that Bellare and Rogaway introduced, including the random oracle model, have become the foundation of a new subfield of cryptography, inspiring a great amount of follow-on work. Their papers are amongst the most cited in cryptography and their work is discussed in dozens of textbooks.

Bellare and Rogaway changed the perception of theory in practice. Prior to their work, practitioners ignored theory or were even antagonistic to it. Today, they not only choose to implement and standardize proven-secure schemes, but make provable security a requirement in some of their calls for algorithms. That this requirement can be met owes much to Bellare and Rogaway's work. 

In other words, Bellare and Rogaway created a framework for cryptographers to use to prove the security of their inventions and this framework is really the single thing that's most responsible for transforming cryptography from an art into a science.

Before POPS, the only way to ensure that a cryptographic scheme was secure was to wait a while to see if anyone could find a weakness in it. With the invention of POPS that's no longer necessary. It might even be a waste of time to wait to see if a weakness can be found, because if there's a valid proof, the very existence of the proof tells you that there can't be one.

Many of the technologies that we use at Voltage have proofs of security. This includes both our Identity-based Encryption and Format-Preserving Encryption. The things that we use that don't have proofs of their security are just things that older standards define: techniques standardized before POPS typically don't have proofs of their security, but there's really no alternative to using them.

I'd hope that newer standards won't have this problem. All of the discussions that I've seen recently in various standards groups have required a proof of security before a new cryptographic scheme is taken seriously.

Wednesday, 11 August 2010

Is the US the worst place for credit card fraud?

The economists at the Federal Reserve Bank of Kansas City do lots of interesting research. One of their recent publications, "The Changing Nature of U.S. Card Payment Fraud: Industry and Public Policy Options" by Richard J. Sullivan, has some interesting data about the rates of fraud. Here's what you can find in Table 3 in this document. It's a list of fraud rates for various countries.

Country       Loss per $100
Australia     $0.024
France        $0.050
Spain         $0.022
U.K.          $0.086
U.S.          $0.092

That's not a comprehensive list of countries, but it certainly looks like there's more fraud in the U.S. than in any other country.

Tuesday, 10 August 2010

Quote of the week? Month?

Research in Motion has been in the news a lot recently. The governments of the United Arab Emirates and Saudi Arabia don't like the fact that RIM encrypts traffic to and from the ubiquitous BlackBerry phones and have threatened to shut down BlackBerry service unless RIM provides them a way to bypass the encryption.

In last Thursday's Wall Street Journal, Michael Lazaridis had the following to say about this:

This is about the Internet. Everything on the Internet is encrypted. This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off.

There's no easy solution to this problem. Governments want to be able to spy on people and people want privacy. You clearly can't have both.

Monday, 09 August 2010

900D n19h7, mR. h0Lm32

It looks like we may have come a complete circle, from paper to digital and finally back to paper. Something that I recently stumbled across leads me to say this (although I really don't believe it).

In the Sherlock Holmes stories, for example, Holmes often gives his card to people to introduce himself. Maybe that's only in the Granada TV version of the stories. I can't quite keep straight the details of what I saw on TV and what I read because it's been so long since I read or saw either of them. In any event, Holmes certainly didn't send email or ask people to become his Facebook friends. He definitely didn't use Twitter. That sort of thing came much later. Holmes was definitely focused on printed ways to communicate.

It looks like Knock Knock, a store that sells paper and paper products, now has a paper-based answer to Twitter: Paper Tweet, pads of note paper that are marked with a grid of 140 characters so that your paper-based notes will have the same constraints as your tweets.

Maybe these are just meant to be clever gifts. I'm not sure that I'd want to leave an important message for someone on a piece of paper that's clearly labeled "PAPER TWEET." That's what Post-It Notes (preferably yellow) are for, after all.

Friday, 06 August 2010

A possible use for encryption in the future

I just read another interesting report from the Burton Group. This time it was "Information Confidentiality." One section of this report mentioned two possible uses of encryption that we may be seeing more of in the future. One of these was cloud computing. There's been so much talk about cloud computing in the past few years that it's probably not worth mentioning much more about the obvious use of encryption to protect data in a cloud environment. The second use was to cryptographically destroy information: encrypt data and throw away the key, and the data is essentially gone for good.

Here's what this report said about this:

Information destruction is an important part of the information life cycle, but it's often neglected in information confidentiality architecture. An intensifying regulatory environment has caused organizations to pay closer attention to destruction. And with the increased use of encryption to protect data during its normal period of utility, the possibility of using encryption for destruction emerges. Specifically, disposing of encryption keys can effectively destroy at-rest data that is encrypted with strong ciphers and whose keys have been properly managed. Disposing of keys renders encrypted data unusable. Although some enterprises entertain the notion of using this data-disposal technique, caution is warranted to ensure that spare copies of keys or weak encryption implementation don't undermine destruction. Another caution is warranted: Combinations of ciphers and key lengths have anticipated protection life spans. In other words, encryption can protect sensitive information only for a certain time period, until advances in computing power or mathematics make recovery possible. This goes for information “destroyed” through intentional key loss or destruction, as well. If information is still valuable after a cipher or key length no longer protects it, then data may be exposed and cause harm.

I've heard of lots of cases where people unintentionally cryptographically shred data through careless key management or by using buggy products, but I haven't heard of many businesses using encryption to intentionally destroy data. Maybe we'll be hearing more about that in the future.

Thursday, 05 August 2010

The tree house model of software engineering

When I was a kid I had a tree house. What I ended up with looked something like the one shown here, but with only one level. It seemed like a good idea at the time, but what I really ended up with was a hideous blob of boards that looked like they had been nailed to a tree in some sort of random pattern. Looking at that picture does more than remind me of my own tree house; it also reminds me of designing software.

Just like I thought I was building a good, solid tree house, software architects think that they're designing useful and elegant software. And just like I realize that the tree house that I built back then wasn't really as good as I thought it was, the software that we're getting these days really isn't as good as it could be.

There are probably lots of good pictures of ugly tree houses on the Internet. Maybe I'll find a particularly dramatic one to use the next time that I have to give a talk about software engineering.

Wednesday, 04 August 2010

What do digital certificates really mean?

What do digital certificates really mean? The best discussion of this may be the one that I recently read in Peter Gutmann's book Engineering Security. Here's how Peter describes this:

As a pure speech act, what a certificate is saying is that at some point some entity who may or may not be the one named in the certificate probably requested that another entity who may or may not be the one named elsewhere in the certificate took the public components of a private key that the first entity may or may not control and asked the second entity to sign it using a private key that they may or may not control. However once it’s gone through many, many layers of software this has changed to (for example) a statement that the user has definitely connected to a web site controlled by the named entity, and by the time it gets to the user it’s jumped even further to become an assurance that it’s safe to enter sensitive personal and financial information on the web site!

Tuesday, 03 August 2010

More wisdom from the CIA

There's another bit of information in the CIA's book Psychology of Intelligence Analysis that seems particularly relevant to information security. This concerns how much information people need to make good decisions. Here's what Chapter 5, "Do You Really Need More Information?" says about this:

Key findings from this research are:

  • Once an experienced analyst has the minimum information necessary to make an informed judgment, obtaining additional information generally does not improve the accuracy of his or her estimates. Additional information does, however, lead the analyst to become more confident in the judgment, to the point of overconfidence.
  • Experienced analysts have an imperfect understanding of what information they actually use in making judgments. They are unaware of the extent to which their judgments are determined by a few dominant factors, rather than by the systematic integration of all available information. Analysts actually use much less of the available information than they think they do.

So maybe it's the case that information security professionals don't need as much information as we might think they do to make informed decisions and that too much information can actually be harmful instead of beneficial when it comes to this. And if security professionals are really using only some of the available information to help them make these decisions, I'd be very interested to learn exactly what information they do use. Hundreds of marketing people probably would also.

Monday, 02 August 2010

Biases in estimating probabilities

Understanding how often security breaches happen is important to understanding how many resources to allocate to preventing them. This can be tricky because there's not much reliable data about how often security breaches happen. People also don't estimate probabilities very well, so in the absence of good data we're likely to make mistakes that can lead to either too much or too little being spent. This problem isn't limited to just information security, of course. It also complicates things any time we don't have good estimates of probabilities.

I recently came across an interesting discussion of this in a book by the CIA: Psychology of Intelligence Analysis. Here's the book's summary of its Chapter 12, "Biases in Estimating Probabilities," and these comments seem to apply to information security just as well as they apply to intelligence analysis:

In making rough probability judgments, people commonly depend upon one of several simplified rules of thumb that greatly ease the burden of decision. Using the "availability" rule, people judge the probability of an event by the ease with which they can imagine relevant instances of similar events or the number of such events that they can easily remember. With the "anchoring" strategy, people pick some natural starting point for a first approximation and then adjust this figure based on the results of additional information or analysis. Typically, they do not adjust the initial judgment enough.

Expressions of probability, such as possible and probable, are a common source of ambiguity that make it easier for a reader to interpret a report as consistent with the reader's own preconceptions. The probability of a scenario is often miscalculated. Data on "prior probabilities" are commonly ignored unless they illuminate causal relationships.

So if you're interested in how people mis-estimate probabilities and ways to deal with this, this CIA book actually seems to have a fairly good discussion of it. And the price (free) is certainly right.

Friday, 30 July 2010

The value of information

Most businesses aren't as enthusiastic about using information security technologies as many security experts would like them to be. As a general rule, businesses tend to make informed decisions, so maybe there's a reason for this lack of enthusiasm. A recent meeting at which I was the only non-economist in the room gave me an interesting insight into this, at least for some industries.

According to the economists at this meeting, the consensus of lots of research is that the value of information is only about 1 percent of the value of the finished product that it's used to create. So if you make widgets that you sell for $1 each, then all of your business' information is worth about only $0.01 of that $1. If that's the case, then we would certainly expect a fairly small level of resources to be allocated to protecting its confidentiality, integrity and availability.

I would expect that estimate of 1 percent to vary a lot from industry to industry. Some day, when I actually have some free time, I may track down some of the economics papers that make that estimate to see if my suspicion is right.

Thursday, 29 July 2010

Measuring security

I recently received an email that asked me if the electric field and magnetic field of a propagating electromagnetic wave are always in phase. I vaguely recalled that you have something like

E = c B

in some situations, so the first thing that I did to check to see if this made sense was to compare the units of E to the units of cB. After all, if the units don't work out then something's wrong.

This led me to think about how the strength of encryption is probably the only place in the entire field of information security where it's easy to quantify something. In the case of encryption, the usual metric is the key size of an ideal symmetric algorithm for which there is no attack better than just trying all possible keys to see which one is the right one. By that metric, for example, encryption with either 3DES or 2,048-bit RSA provides 112 bits of security, because cracking such a key takes about the same amount of effort as trying all possible 112-bit keys.

This metric isn't really that meaningful, of course, because there's always a better way for an adversary to beat a system than trying to beat the encryption. The amount of work needed to crack a single 3DES key is huge. It's the sort of thing that takes much more than a person's lifetime on the world's most powerful supercomputers to do.

Key management is nowhere near as strong, so it's always better for an attacker to try to beat the key management that's used instead of trying to get billions of years of computing time somehow. But if we don't worry about the strength of key management and focus just on the strength of encryption, we find that we have a nice, clean way to measure the strength of that particular security mechanism.
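To make the "112 bits of security" bookkeeping concrete, here is an added Python example (mine, not code from the post). It turns a security level into an expected exhaustive-search time at an assumed key-trial rate, and estimates the symmetric-equivalent strength of an RSA modulus from the heuristic running time of the general number field sieve, which is what the usual "2,048-bit RSA is about 112 bits" equivalence rests on. The constants in the GNFS formula are the ones used in NIST's guidance (FIPS 140-2 IG 7.5); the conventional-level rounding and the key-trial rate are my own assumptions for the demonstration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def brute_force_years(security_bits, keys_per_second):
    """Years needed to try every key in a space of 2^security_bits keys at the given
    rate. The metric counts the whole space, ignoring the average factor of two."""
    return 2.0 ** security_bits / keys_per_second / SECONDS_PER_YEAR


def rsa_security_bits(modulus_bits):
    """Symmetric-equivalent strength of an RSA modulus of the given bit length, from
    the GNFS heuristic L[1/3, (64/9)^(1/3)] with NIST's correction term (FIPS 140-2 IG 7.5).
    The result is a continuous estimate; NIST tables round it to conventional levels."""
    ln_n = modulus_bits * math.log(2)                     # natural log of such a modulus
    ln_effort = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return ln_effort / math.log(2)                        # ln(effort) -> bits


def nist_level(bits):
    """Assumption for illustration: snap an estimate to the nearest of the conventional
    80/112/128/192/256-bit levels, which is how the estimate is usually quoted."""
    levels = (80, 112, 128, 192, 256)
    return min(levels, key=lambda lvl: abs(lvl - bits))


def compare(symmetric_bits, modulus_bits, keys_per_second):
    """Put a symmetric key size and an RSA modulus side by side in the same units."""
    rsa_bits = rsa_security_bits(modulus_bits)
    return {
        "symmetric_bits": symmetric_bits,
        "rsa_estimate_bits": round(rsa_bits, 1),
        "rsa_level_bits": nist_level(rsa_bits),
        "symmetric_brute_force_years": brute_force_years(symmetric_bits, keys_per_second),
        "rsa_brute_force_years": brute_force_years(nist_level(rsa_bits), keys_per_second),
    }


if __name__ == "__main__":
    # Constructed rate: one trillion key trials per second, a generous figure.
    for modulus in (1024, 2048, 3072):
        print(modulus, compare(112, modulus, 1e12))
```

The point the numbers make is the one in the text: at any plausible trial rate the search time for a 112-bit space is astronomically longer than a human lifetime, so the metric says nothing about whether the system is secure, only how strong this one mechanism is in isolation.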

After figuring out whether or not the electric field and magnetic field of a propagating electromagnetic wave are always in phase, I then thought about if there's any other part of information security where it's relatively easy to create a metric for the effectiveness of technologies that give the same level of information that the strength of encryption does. My conclusion was that there isn't one, but if you have a good one, I'd be happy to hear about it.

Wednesday, 28 July 2010

Violating the Nagell-Lutz theorem

Image001

In a recent post I gave examples of elliptic curves for each of the cases that Mazur's theorem allows. One of these is particularly interesting. It's the curve

y^2 + xy - 5y = x^3 - 5x^2

Over the rationals this has E_tors = Z_2 x Z_4 = <(10,20),(1,2)> = {(1,2), (10,-25), (0,5), (0,0), (-5/4,25/8), (5,0), (10,20), O}.

Note that one of these points, (-5/4,25/8), doesn't have integer coordinates. Doesn't that violate the Nagell-Lutz theorem, which tells us that torsion points need to have integer coordinates?

Not really, and here's why.

Here's one form of the Nagell-Lutz theorem:

Let y^2 = x^3 + ax + b be an elliptic curve over the rationals with integer coefficients, and let D = 4a^3 + 27b^2. Then if P = (x_P, y_P) is a rational point of finite order, P has integer coordinates and either y_P = 0 or y_P^2 | D.

Note that this only applies to elliptic curves of the form E: y^2 = x^3 + ax + b. So because the curve in this example isn't of that form, its torsion points don't have to have integer coordinates.

Tuesday, 27 July 2010

Cryptography and global warming

In a recent discussion with another information security industry veteran, my fellow veteran noted that there's an obvious parallel between cryptography and global warming. In both cases, people who really don't know much about the subject don't seem to let this lack of understanding keep them from talking about the field as if they're experts.

In the case of global warming, even though I studied various physical sciences as both an undergraduate (chemistry and physics) and in graduate school (physics, acoustics and meteorology), I don't feel qualified to interpret the scientific evidence either for or against global warming. I don't know much about the field, but I do know that I don't know much about it. That doesn't stop me from having opinions about global warming, of course, but I wouldn't really call these informed opinions, and I certainly wouldn't try to pass myself off as an expert on the topic.

The industry veteran that I was talking to noted that many people, particularly when they're talking about cryptography, seem to have a similar limitation – they really don't know much about the field, but this doesn't seem to constrain them in the same way that my lack of understanding of the scientific evidence for global warming constrains me.

This discussion also reminded me of an airline flight a few years ago on which I sat next to an engineer who designed lighter-than-air vehicles, sort of like high-tech blimps. He complained about how people who know absolutely nothing at all about lighter-than-air vehicles feel qualified to give advice to experts in the field, apparently feeling that the technology is so simple that anyone can understand it.

Maybe this phenomenon isn't limited to just global warming and cryptography.

Monday, 26 July 2010

Blame the Internet

I've been writing articles for various magazines for a while, and one trend that I've noticed is that the length of articles that editors ask for has dropped dramatically in the past few years. About five years ago, it seems that the most commonly requested length for magazine articles was between 2,000 and 2,500 words. More recently, this average has dropped to a much shorter length. Now it's more like 750 to 1,000 words.

It's no coincidence that that's roughly how much will fit on a single magazine page. Editors that I've talked to recently tell me that the typical reader doesn't read past the first page of an article, so it may be the case that editors are shortening the articles in their publications to deal with that reality.

Friday, 23 July 2010

The value of my time

I recently had another credit card compromised. I only use this particular card at two on-line bookstores, so I'm fairly sure how it was compromised.

In any event, someone got my card information and charged a few months of membership at Skype India. When I pointed out these charges to my bank they immediately took care of the fraudulent charges, but I was still left with $0.36 in foreign transaction fees that I was charged for the fraudulent charges because they were made outside the US. The fraud people explained that I would have to talk to a different division to take care of those charges and gave me the number to call to take care of the problem.

After calling the second number, I was transferred around a bit and then put on hold. After being on hold for a couple of minutes I just gave up and decided to pay the $0.36 in fees instead of waiting on hold even longer.

After thinking about this for a while, I realized that I just provided a way to estimate how much my time is worth. If I'm willing to pay a $0.36 fee after 3 minutes, that seems to say that my time is worth about $0.12/min or about $7.20/hr, which is slightly less than the minimum wage in California.

Thursday, 22 July 2010

The effects of buying green

As I mentioned a few days ago, a recent article in Popular Science listed some research that did what might be called confirming the obvious. This article claimed that research has shown that "environmentalists can be smug jerks." I assumed that this was just the editors of Popular Science trying to be controversial and that if I looked at the actual paper they cite I might find something different. Here's what I found.

The paper that this article cites is "Do Green Products Make Us Better People?" by Nina Mazar and Chen-Bo Zhong, both of the University of Toronto. Here's the abstract of this paper, which was published in the March 2010 issue of Psychological Science.

Consumer choices not only reflect price and quality preferences but also social and moral values as witnessed in the remarkable growth of the global market for organic and environmentally friendly products. Building on recent research on behavioral priming and moral regulation, we find that mere exposure to green products and the purchase of them lead to markedly different behavioral consequences. In line with the halo associated with green consumerism, people act more altruistically after mere exposure to green than conventional products. However, people act less altruistically and are more likely to cheat and steal after purchasing green products as opposed to conventional products. Together, the studies show that consumption is more tightly connected to our social and ethical behaviors in directions and domains other than previously thought.

In other words, the Popular Science people may have been trying to be controversial, but they don't seem to have really misrepresented what the research showed.

I have to wonder if generalizations of the Mazar-Zhong research are also true. There are certainly types of computer hardware and software that seem to cause a certain level of smugness in their users and it might be the case that these users compensate for this in some way.

People who drive cars equipped with manual transmissions also seem to feel a meaningless sense of moral superiority over people who can't do this. Maybe they also make up for this by doing bad things. I hope that's not the case. I'm one of those people who feel smug about driving a stick. I'd like to think that this doesn't make me do bad things, but I might be wrong about this.

Wednesday, 21 July 2010

Another look at the discriminant of an elliptic curve

This time, from the 19th-century point of view.

Image001

Tuesday, 20 July 2010

SHARE in Boston in August

Phil Smith of Voltage will be talking at the SHARE meeting in Boston next month. His talk will be on Tuesday, August 3 from 9:30 - 10:30 am, and the topic is Enterprise Encryption 101. Here's a quick summary of what he'll be talking about:

We've all seen the seemingly weekly news about yet another data breach: millions of credit card numbers, SSNs, or other personal information exposed. Encryption is the technology that minimizes the cost of such data breaches, by making the "leaked" data useless to the thief. So more and more sites are investigating encryption, some even before a breach occurs. But where do you start with this technology? How do you make a sensible choice among dozens of vendors, between hardware and software? Where and when do you encrypt data, and is that sufficient? What about emerging standards and legislation, such as PCI DSS, Red Flag, GLBA, SB1386, Directive 95/46/EC, et al.? Come hear about implementing encryption from a business perspective -- what you need to worry about and how to approach it. This is not a comparison of encryption technologies per se, but rather a look at the issues surrounding them. While the presenter works for an encryption vendor, this is a general presentation, with minor content at the end that discusses the Voltage SecureData product as an example.

If you can't make it to Phil's talk, you can download the slides for his talk here. That's probably not quite the same as seeing the talk in person, but it's probably much cheaper.

Monday, 19 July 2010

Are cars the next Internet?

One big problem with the Internet is that security wasn't in its original design, so that security vendors need to provide products that try to overcome this original oversight. It looks like cars might have this same problem. A recent paper by a group of professors from UCSD and the University of Washington describes some of the security problems that cars have. Here's this paper's abstract:

Abstract—Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally evaluate these issues on a modern automobile and demonstrate the fragility of the underlying system structure. We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input— including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car’s two internal subnets. We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car’s telematics unit and that will completely erase any evidence of its presence after a crash. Looking forward, we discuss the complex challenges in addressing these vulnerabilities while considering the existing automotive ecosystem.

There may be additional security issues that the automobile manufacturers don't feel comfortable letting researchers discuss in public, of course. But because people are looking at the problem now, it's probably only a matter of time until these issues are addressed, either by the automobile manufacturers or by third-party security vendors.

After reading this paper I was curious about how many processors a typical car has these days. The last estimate I heard of was 14, but that was several years ago. After using Google for a few minutes I didn't find that particular bit of information, but I did learn that both the BMW 7 Series and the Mercedes S Series vehicles actually have over 100 microprocessors in them these days. I'd imagine that there's also a fairly sophisticated network connecting those processors, but that's something that I'll probably never get around to learning about.

Friday, 16 July 2010

Science confirms the obvious

The article "Science Confirms the Obvious" was in the most recent issue of Popular Science. Here are some of the findings that it describes. There's peer-reviewed research behind each of these, so there may actually be more substance than the quick summaries might lead you to believe. Their wording, of course, not mine.

  • Blowing up mountains is bad for the environment
  • Old people prefer happy memories
  • A mean gym teacher can turn you off sports
  • People are happier on the weekend
  • Most people drive poorly when talking on the phone
  • Siblings who fight don't get along
  • Young people want big money, big vacations
  • Hard-drinking adrenaline freaks are prone to injury
  • Environmentalists can be smug jerks
  • Self-control makes students more manageable

I'll have to track down the research in a few of these cases and see how well Popular Science's summary matches what the papers actually say.

Thursday, 15 July 2010

DARPA's interest in homomorphic encryption

It looks like DARPA is interested in homomorphic encryption. Here's an extract from their recent call for proposals "PROgramming Computation on EncryptEd Data (PROCEED)."

PROgramming Computation on EncryptEd Data (PROCEED)

The Defense Advanced Research Projects Agency is soliciting proposals for innovative research in programming computation on encrypted data. The proposed research should investigate innovative approaches that enable revolutionary advances in science, devices, or systems. Specifically excluded is research that results primarily in evolutionary improvements to the existing state of practice.

Introduction

The goal of the PROCEED research effort is to develop practical methods for computation on encrypted data without decrypting the data and to develop modern programming languages to describe these computations. PROCEED is a comprehensive research effort with six primary research thrusts:

Mathematical Foundations of Fully Homomorphic Encryption – Discovery and development of new mathematical underpinnings for efficient computation on encrypted data is needed in a noninteractive setting. The solution might involve fully homomorphic encryption [Gentry09, Gentry10, Smart10] that allow noninteractive computation on encrypted data. This area is captured in RA‐10‐80, and interested proposers are referred to that solicitation.

Mathematical Foundations of Secure Multiparty Computation – Discovery and development of new mathematical underpinnings for efficient computation on encrypted data is needed in an interactive setting. Secure multiparty computation [Yao86, Bickson10] has a rich history of interactive computation on encrypted data, but requires further improvements to be truly practical.

Mathematical Foundations of Supporting Security Technologies – Computation on encrypted data preserves the confidentiality of the data being computed on, but does not inherently protect the integrity of the computation, nor provide strong protection of the program, among other potentially desirable security goals. Techniques to address these and other related security issues are sought in the PROCEED research effort.

Implementation/Measurement/Optimization – To make computation on encrypted data practical, highly optimized implementations, possibly including programmable hardware, will be needed. Experience shows there can be at least an order of magnitude difference in the performance of highly optimized cryptography implementations over less sophisticated implementations.

Algorithms – Practical computation on encrypted data will require libraries of data structures and algorithms that are optimized for efficiency in the encrypted domain. Most current approaches to computation on encrypted data work by turning a program (with a bounded maximum input size) into a circuit. An important goal for optimization is minimizing circuit depth, which is traditionally a goal of hardware designers, not programmers.

Programming Languages – More advanced languages are sought, with type systems that embed cryptographic knowledge, making programming computation on encrypted data no more difficult than conventional programming. Today’s languages for computation on encrypted data, such as the one in the FairPlay system [Malkhi04] are simple, imperative languages that have little, if any, type system support for cryptography.

I've heard lots of people call homomorphic encryption "interesting technology in search of an application," so I wonder exactly why DARPA is interested in this.
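As an added illustration of what "computation on encrypted data without decrypting the data" means in its simplest form, here is a toy Paillier cryptosystem in Python. It is my example, not DARPA's or the post's. Paillier is only additively homomorphic (sums and scalar multiples, not the arbitrary circuits PROCEED asks for), but it shows the shape of the idea: a party holding only ciphertexts combines them, and the key holder decrypts once to get the result. The primes are tiny constructed values, so this demonstrates the algebra only and is not a usable cryptosystem.

```python
from math import gcd
import secrets


def lcm(a, b):
    return a * b // gcd(a, b)


class Paillier:
    """Toy Paillier keypair. E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n, so anyone
    holding only ciphertexts can add them; only the holder of (lam, mu) can decrypt."""

    def __init__(self, p, q):
        # p, q: distinct primes (toy sizes here), with gcd(pq, (p-1)(q-1)) == 1
        self.n = p * q                                   # public
        self.n2 = self.n * self.n
        self.g = self.n + 1                              # standard simple choice of generator
        self.lam = lcm(p - 1, q - 1)                     # private
        self.mu = pow(self._L(pow(self.g, self.lam, self.n2)), -1, self.n)  # private

    def _L(self, u):
        return (u - 1) // self.n

    def encrypt(self, m):
        if not 0 <= m < self.n:
            raise ValueError("plaintext must lie in [0, n)")
        while True:
            r = secrets.randbelow(self.n)                # fresh randomness: same m, new c
            if r and gcd(r, self.n) == 1:
                break
        return pow(self.g, m, self.n2) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        return self._L(pow(c, self.lam, self.n2)) * self.mu % self.n

    # Operations that need only the public modulus, never the private values.
    def add_encrypted(self, c1, c2):
        return c1 * c2 % self.n2                         # decrypts to m1 + m2

    def scale_encrypted(self, c, k):
        return pow(c, k, self.n2)                        # decrypts to k * m


def encrypted_total(keypair, values):
    """Data owners encrypt; an aggregator that cannot read the ciphertexts adds them;
    the key holder decrypts a single ciphertext and learns only the total."""
    ciphertexts = [keypair.encrypt(v) for v in values]
    total = ciphertexts[0]
    for c in ciphertexts[1:]:
        total = keypair.add_encrypted(total, c)
    return keypair.decrypt(total)


if __name__ == "__main__":
    kp = Paillier(10007, 10009)    # constructed toy primes, far too small for real use
    print(encrypted_total(kp, [42, 17, 100]))    # 159
```

Note what the aggregator does and does not learn: it never sees a plaintext, and because encryption is randomized it cannot even tell whether two ciphertexts hold the same value. What it cannot do is multiply two encrypted values or evaluate a comparison, which is the gap between this and the fully homomorphic schemes the solicitation cites.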

Wednesday, 14 July 2010

The singular elliptic curve y^2 = x^3

Image001

Consider the singular elliptic curve

E/Q: y^2 = x^3

which is singular at the point S = (0,0).

Even though this curve is singular, we can still use the usual chord-and-tangent rule for adding points to get a group structure on the non-singular points: E_ns(Q) = E(Q) \ {S}. When we do this we find something interesting: the group of non-singular points on this curve is isomorphic to the rationals under addition, that is, (E_ns, +) is isomorphic to (Q, +). And because this is true, E_ns(Q) isn't finitely generated, unlike the group of rational points on a non-singular curve, which is always finitely generated (the Mordell-Weil theorem).

To see why (E_ns, +) is isomorphic to (Q, +), we use the function

φ: E_ns(Q) → Q

defined by

φ(P) = φ(x,y) = x/y if P ≠ O and

φ(O) = 0

This has an inverse

φ^-1: Q → E_ns(Q)

defined by

φ^-1(t) = (1/t^2, 1/t^3) if t ≠ 0 and

φ^-1(0) = O

It's easy to see that φ is one-to-one and onto. Seeing why φ is a homomorphism is a bit more complicated.

Suppose that P_i = (x_i, y_i) are elements of E_ns with φ(P_i) = t_i.

What we want is that if P_1 + P_2 = P_3, then φ(P_1) + φ(P_2) = φ(P_3), or that t_1 + t_2 = t_3.

If we have that P_1 + P_2 = P_3 then P_1, P_2 and -P_3 are collinear. From the point-slope form of a line we have that the line through P_1 and P_2 is given by

y - y_1 = m (x - x_1)

where

m = (y_2 - y_1) / (x_2 - x_1)

or that

(x_2 - x_1)(y - y_1) = (y_2 - y_1)(x - x_1)

This line also passes through -P_3 = (x_3, -y_3) so we have that

(x_2 - x_1)(-y_3 - y_1) = (y_2 - y_1)(x_3 - x_1)

We also have that P_1 = (1/t_1^2, 1/t_1^3), P_2 = (1/t_2^2, 1/t_2^3) and P_3 = (1/t_3^2, 1/t_3^3). Substituting x_1 = 1/t_1^2, etc., we find that

-(t_1 - t_2)(t_1 + t_3)(t_2 + t_3)(t_1 + t_2 - t_3) / (t_1^3 t_2^3 t_3^3) = 0

If t_1, t_2 and t_3 are all different and non-zero, this gives us that t_1 + t_2 - t_3 = 0, or that t_1 + t_2 = t_3, so φ is a homomorphism like we want. The other cases can be handled similarly.
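Both of the curve posts above can be checked mechanically with the same tool, so here is one added Python example (mine, not code from the posts) implementing the chord-and-tangent group law for a general Weierstrass curve in exact rational arithmetic. It verifies, for the Nagell-Lutz post (28 July), that the eight torsion points of y^2 + xy - 5y = x^3 - 5x^2 are exactly <(10,20)> + <(1,2)> and that the non-integral point (-5/4, 25/8) lies on the curve with order 2; and for the singular curve y^2 = x^3 it checks that φ^-1(t) = (1/t^2, 1/t^3) carries addition of rationals to addition of non-singular points, which is the homomorphism property derived above. The group-law formulas are the standard ones (Silverman, Chapter III); all class and function names are my own.

```python
from fractions import Fraction as Fr

O = None  # the point at infinity, identity of the group


class Curve:
    """Weierstrass curve y^2 + a1*x*y + a3*y = x^3 + a2*x^2 + a4*x + a6 over Q,
    with the chord-and-tangent group law in exact rational arithmetic."""

    def __init__(self, a1, a2, a3, a4, a6):
        self.a1, self.a2, self.a3, self.a4, self.a6 = (Fr(a) for a in (a1, a2, a3, a4, a6))

    def contains(self, P):
        if P is O:
            return True
        x, y = P
        return y * y + self.a1 * x * y + self.a3 * y == x ** 3 + self.a2 * x * x + self.a4 * x + self.a6

    def neg(self, P):
        """Third intersection of the vertical line through P with the curve."""
        if P is O:
            return O
        x, y = P
        return (x, -y - self.a1 * x - self.a3)

    def add(self, P, Q):
        if P is O:
            return Q
        if Q is O:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and y1 == self.neg(Q)[1]:
            return O                      # Q == -P: the line through them is vertical
        if x1 == x2:                      # P == Q: use the tangent line
            d = 2 * y1 + self.a1 * x1 + self.a3
            lam = (3 * x1 * x1 + 2 * self.a2 * x1 + self.a4 - self.a1 * y1) / d
            nu = (-x1 ** 3 + self.a4 * x1 + 2 * self.a6 - self.a3 * y1) / d
        else:                             # chord y = lam*x + nu through P and Q
            lam = (y2 - y1) / (x2 - x1)
            nu = (y1 * x2 - y2 * x1) / (x2 - x1)
        x3 = lam * lam + self.a1 * lam - self.a2 - x1 - x2
        y3 = -(lam + self.a1) * x3 - nu - self.a3
        return (x3, y3)

    def mul(self, k, P):
        R = O
        for _ in range(k):
            R = self.add(R, P)
        return R

    def order(self, P, limit=16):
        """Order of P, or None if it exceeds limit (Mazur's theorem caps torsion at 12)."""
        R = P
        for k in range(1, limit + 1):
            if R is O:
                return k
            R = self.add(R, P)
        return None


def point(x, y):
    return (Fr(x), Fr(y))


# Nagell-Lutz post: y^2 + xy - 5y = x^3 - 5x^2, i.e. a1 = 1, a2 = -5, a3 = -5.
NL_CURVE = Curve(1, -5, -5, 0, 0)
GEN4, GEN2 = point(10, 20), point(1, 2)      # generators of Z_4 and Z_2 from the post


def torsion_points():
    """All of <(10,20)> + <(1,2)>; should be the eight points listed in the post."""
    return {NL_CURVE.add(NL_CURVE.mul(i, GEN4), NL_CURVE.mul(j, GEN2))
            for i in range(4) for j in range(2)}


def non_integral_torsion_point():
    """The torsion point with non-integer coordinates: (on curve?, order)."""
    P = point(Fr(-5, 4), Fr(25, 8))
    return P, NL_CURVE.contains(P), NL_CURVE.order(P)


# Singular-curve post: y^2 = x^3, all a_i = 0; only non-singular points are used.
CUSP = Curve(0, 0, 0, 0, 0)


def phi_inverse(t):
    """phi^-1(t) = (1/t^2, 1/t^3) for t != 0, and O for t = 0."""
    t = Fr(t)
    return O if t == 0 else (1 / t ** 2, 1 / t ** 3)


def phi(P):
    return Fr(0) if P is O else P[0] / P[1]


def homomorphism_holds(t1, t2):
    """phi^-1(t1) + phi^-1(t2) == phi^-1(t1 + t2), equivalently phi(P1 + P2) == t1 + t2."""
    P3 = CUSP.add(phi_inverse(t1), phi_inverse(t2))
    return P3 == phi_inverse(Fr(t1) + Fr(t2)) and phi(P3) == Fr(t1) + Fr(t2)


if __name__ == "__main__":
    print(sorted(torsion_points(), key=str))
    print(non_integral_torsion_point())
    print(all(homomorphism_holds(a, b) for a in (1, 2, Fr(2, 3), -3) for b in (1, -1, Fr(-5, 7))))
```

Because the curve in the first check is not in the short form y^2 = x^3 + ax + b, the code confirms the post's conclusion directly: a torsion point with denominators 4 and 8 is perfectly consistent with the group law, and the point has order 2 (it equals its own negative under the curve's a1 and a3 terms). The second check includes t2 = -t1, where the two points are negatives and the sum is O = φ^-1(0), one of the "other cases" the derivation leaves to the reader.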

Tuesday, 13 July 2010

Voltage Security or Lots Creative Guy?

Last weekend I took my sons to a local game store where they run demos of various boardgames. This particular weekend the demo took longer than usual so I had some time to kill and I tried making entertaining anagrams for "Voltage Security."

One of them, "cattle ye vigours," seemed the one that might be deemed "most likely to be said by a pirate." Maybe this September 19 (talk like a pirate day), I'll hear a few people saying something like "Arr, cattle ye vigours matey!"

Another one, "evil cages tryout" seemed to be a reflection on our fairly rigorous hiring process.

When I got to "lots creative guy" I stopped, thinking that that particular anagram was fairly appropriate. We are known for our innovative technologies, after all.

Monday, 12 July 2010

The future of genre fiction

Over the recent holiday I had time to catch up on some reading that I've meant to do for a while, and I noticed a pattern that's probably obvious to people in touch with literary trends. In particular, it seems to me that a big motivator for lots of the science fiction of the '50s and '60s was the Cold War mindset that started in the '40s and that a big motivator for the horror fiction of the '70s and '80s were the social and political trends of the '60s.

The terrorism that we're dealing with today seems to be something that we might see in future genre fiction. Maybe identity theft is also. Data breaches are certainly big news these days and the losses due to identity theft seem to be growing at an alarming rate. Maybe we'll see identity theft featured prominently in genre fiction of the next decade or two.

The cyberpunk sub-genre of science fiction, which I really don't know much about, seems to be where this might first appear, although there may be enough material there to create an entire new sub-genre.

Friday, 09 July 2010

War story

In a previous post I described how the USPS might have been corrupted by transporting a copy of the Necronomicon, a fictional book of ancient and forbidden knowledge that appears in some of H. P. Lovecraft's stories. In this I suggested that the Necronomicon had been brought to the US by a soldier who somehow came across it in the Gulf War.

Several people have asked me to tell the story of exactly how this happened, so I started working on this last week when a short layover in the Atlanta airport turned into an unplanned overnight stay there. The working title for this was "War Story."

More than one person who later saw that title thought that I was writing something about what goes on at standards meetings.

Thursday, 08 July 2010

The location of the 2011 Key Management Summit

We're starting to look for good places to hold the 2011 Key Management Summit. It will almost certainly be held somewhere on the west coast of the US, and probably in California. We have several sites that we're looking at now that are good candidates for this, but we haven't yet decided which one we'll actually use. So if you're interested in attending this event and have a preference for a location for it, now's the time to let us know.  

Wednesday, 07 July 2010

Mazur's theorem

Mazur's theorem tells us that the points of finite order on an elliptic curve over the rationals have to form a group with a particular structure. In particular, if E_tors is the subgroup of E(Q) of points of finite order then E_tors has to have one of the following forms:

1. Z_n, a cyclic group of order n, where 1 ≤ n ≤ 10 or n = 12

2. Z_2 x Z_2n, the direct product of a cyclic group of order 2 with one of order 2n, for 1 ≤ n ≤ 4

There are examples of curves for each one of these possibilities in Exercise 8.12 on p. 238 of Silverman's The Arithmetic of Elliptic Curves.

I was curious what each of these curves looked like, so I decided to graph both the curves and the points of Etors. Some of the cases were interesting. Others were not.

In any case, here's what I found.

Tuesday, 06 July 2010

Waterfall 2011?

Next year will mark the five-year anniversary of Waterfall 2006, the premiere conference on the benefits of sequential development processes. Maybe it's time to organize the next one. I'm sure that we've learned lots of interesting things about how to manage software development since then.
