Superconductor

According to the New York Times, the US Congress is considering a law that will require making it easier for law enforcement to decrypt encrypted communications. Here's what the NYT claims are likely provisions of this law:

• Communications services that encrypt messages must have a way to unscramble them.
• Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.
• Developers of software that enables peer-to-peer communication must redesign their service to allow interception.

I certainloy hope that the US government learned a thing or two from when they tried to mandate key escrow back in the '90s. If they didn't, this could easily escalate into Crypto Wars 2.0, which wouldn't really benefit anyone.

The US Department of Homeland Security puts together a daily report on events that have some impact on the integrity of the critical infrastructure of the US. They'll even send you an email that contains the summary of the previous day's events. It seems to run about 25 pages or so, so it's probably not the sort of thing that you'd actually completely read every day, but it's easy enough to skim it and then read just the interesting parts. And the price (free) is definitely right.

It looks like researchers from Symantec are going to give a talk at VB2010 tomorrow that gives details about exactly how the Stuxnet worm works. Stuxnet is apparently an attack program that targets industrial control systems, and there has been some speculation that it's designed to take out Iran's Bushehr nuclear power plant, much like it's thought that a CIA attack program took out the Urengoy - Surgut - Chelyabinsk pipeline back in 1982 as part of their Cold War program to sabotage western technology that the USSR stole.

Starting tomorrow, I'll definitely be looking for the slides for this talk.

If you roll two normal six-sided dice there's a 1 in 6 chance of rolling doubles. But what if you roll two dice that don't have the same number of sides? My sons are big fans of the game Dungeons and Dragons, so they have a fairly big collection of dice, most of which don't have 6 sides. They have dice with 3, 4, 5, 6, 7, 8, 10, 12,14, 16, 20, 24, 30, 34, 50 and 100 sides. Maybe others, also. That's all that they could think of when I recently asked them. In any event, there are definitely lots of ways to pick a pair of dice to roll that don't necessarily have the same number of sides each.

Suppose that you have two dice that have a sides and b sides each with a ≤ b. If we roll these two dice then the probability of rolling the same number of both dice is

a / (a x b) = 1 / b

Note that a, the size of the smaller die doesn't appear there, so that this probability is determined just by the size of the larger die. If you roll a four-sided die and a twenty-sided die, there's a 1 in 20 chance of rolling doubles. If you change that to a twelve-sided die and a twenty-sided die, there's still a 1 in 20 chance of rolling doubles. I found that to be a somewhat surprising result.

What do you get when you ask fantasy and science-fiction writers to tell a story based on a picture of someone who looks suspiciously like Wil Wheaton wearing a clown sweater and wielding a spear atop a unicorn-pegasus-kitten and attacking a green orc that looks suspiciously like John Scalzi? You get Clash of the Geeks, of course, a book that's actually free, although it's meant to get you to donate a few dollars to help the Lupus Alliance of America.

This book is actually absolutely hilarious. The last time that I laughed so loudly was when I recently reread some of P. G. Wodehouse's Jeeves stories. Or maybe it was Poetry for Cats. I'm not sure which one.

I can't really think of a connection to cryptography for this, but since it's Friday, maybe that's OK.

In a previous post I mentioned how a recent press release from our marketing people mentioned that we now have over 4.5 million licensed users of SecureMail, but due to the way that we license the software, it's not clear exactly how many total users that represents.

I was recently talking to the people who run our cloud computing offering, VSN, about what their experience says that the right multiple should be. Their answer was about 7, which means that those 4.5 million licensed users represent a total of about 31.5 million total users of SecureMail. That's even more than I first thought.

I have a fairly complicated trip to the east cost of the US coming up. This trip requires both lots or driving from place to place as well as lots of flights, so I've spent some time recently on Orbitz and other on-line travel sites trying to find a way to do this trip without paying too much for air fare. When I first looked at the cost of the necessary airline tickets I was astounded. The best deal that I could find on some of the tickets was over $300. Yesterday, however, I checked again and found tickets available for less than $80. The apparent unpredictability of the prices of airline tickets then led me to think that there might be a way to use these unpredictable prices in a clever way: why not use them as a source of randomness to create cryptographic keys?

Are the prices of air fares truly random? As far as I can tell, they certainly seem to be. And there's another good reason to use an air-fare-based random number generator (AFBRNG): nobody will ever attack a system that uses it. If a clever hacker finds a way to predict the prices of air fares, he'll use that information to make a killing by selling cheap air fares to people. He'll make way more money from that then he ever would from using his invention to predict peoples' cryptographic keys. What other source of random numbers can you say that for? So even if AFBRNGs aren't theoretically secure, they're probably good enough for most real-world applications.

I recently noticed that a former co-worker had disappeared from LinkedIn. When I asked him about this he explained that he had canceled all of his memberships in social networking sites because they were asking for too much personal information and didn't seem to take his concerns about privacy seriously. He then went to to say, "I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own. I resign."

I did warn him that things didn't work out too well for the person who said that the first time, but he didn't seem concerned. All I could think to say was, "Be seeing you."

Just like I predicted, some people read and believed the totally incorrect claims on StorefontBacktalk about how encrypting small fields can let an attacker easily recover a cryptographic key. One of these people actually brought this up on a recent call that I was on for a standard that's being developed for protecting credit card numbers.

Fortunately, everyone else except this single misinformed person knew that this claim was wrong so this error was quickly corrected. In this case we were lucky because there several of people with lots of expertise in cryptography on the call. People like that really aren't very common, however, so I'm fairly sure that there are lots of other cases where the misinformation is spreading and isn't being corrected and people are making all sorts of bad decisions based on it.

To its credit, however, the independent columnist and storefrontbacktalk.com published extensive articles correcting and clarifying the earlier article once the matter had been brought to their attention by cryptographic experts:

• Encryption really matters and associated comments
• Editors comment: The dangers of assuming perfection
  

I was recently talking to some coworkers about how arcane cryptography is and how it's inaccessible to non-specialists. In this discussion, someone made a comment something like, "It's not that small a niche is is? It's not like it's something as specialized as romance novels that only feature NASCAR drivers."

A few hours later I received an email containing a link to Harlequin's NASCAR series- a series of romance novels that only feature NASCAR drivers.

Hmm.

There's already a series of comics that features cryptographers. Maybe it's time for a series of romance novels that do too.  

Don't you worry about Wikipedia. We'll change it when we get home. We'll change a lot of things.

Homer Simpson, "Apocalypse Cow"

It took the US Postal Service quite a while to admit that email was affecting their First Class Mail business. It looks like publishers are admitting that e-books are affecting their business much faster.

If you walk into any of the big bookstores these days you'll see a fair number of horror books, but that won't be the case for long. The Leisure Books imprint of Dorchester Publishing, the only line of horror books from a US publisher, is officially moving to an e-book model. They'll no longer be publishing mass-market paperbacks. That particular niche of the publishing market is essentially gone and it's unlikely to return any time soon.

It's hard enough to make a living by being a fiction writer. It looks like it's going to get even harder in the future.

It looks like I'll be talking at the Rochester Security Summit next month about what we've learned at Voltage about the patterns that we can find in data breaches. Some of this material will be what I've mentioned on this blog as well as the article on this topic that I wrote for CSO Magazine, but there will also be lots of new material. If you're interested in this subject, you might want to stop by and see this talk.

Unfortunately, Rochester is three hours ahead of California, so a talk that's scheduled at 9 AM in Rochester feels like it's really at 6 AM to me, and for those of use who aren't morning people, this can be extremely unpleasant. Fortunately, I'll be out in New York a few days before the Rochester Security Summit, so the people that I'm visiting earlier in the week will probably be the ones that get to see me suffering the worst of the effects of the jet lag.

In one of the standards groups that we participate in there's now a big flame war going on over the meaning of the definition of "encryption." This is a particularly frustrating flame war because it's essentially over a mathematical definition and the people who don't quite understand this particular definition seem to think that if they just state their totally incorrect position loudly enough or often enough that it will somehow become true. I don't quite understand how people can argue about math like this, but the more I see of my high-school-aged son's textbooks, the more I understand how things like this can happen.

His state-of-California-approved writing textbook, for example, has a list of things that you should keep in mind as you read the book. One of these is essentially "How does reading this book make you feel?" When I pointed this out to my son he said, "I guess that this book makes me feel that this class is going to be a complete waste of time." In this particular case, I can't say that I disagree with him.

But there are even similar things in his other textbooks. Even the math book. I didn't ask my son how that particular book makes him feel, but it certainly makes me feel that there will be more flame wars in the future that are caused by people who didn't manage to actually learn much in their math classes.

Thinking about yesterday's post reminded me of another unusual job that I once heard about. An economics professor that I had in college liked to tell about a job that a friend of his had. It seems that this person worked for Proctor and Gamble, the biggest sponsor of those short, episodic works of dramatic fiction that are often called "soap operas."

Apparently, fans of these shows would often send gifts to the characters in the shows. If a female character would get married, for example, then fans would often send in lots of wedding gifts. And they would actually send these to the sponsors of the show, hoping that they be able to forward them to the character. This meant that P&G would end up with lots these gifts, and my professor's friend's job was to find a good home for them.

I'm not exactly sure how you'd describe that particular job on your resume. I doubt that the person's title was "Disposer of Ridiculous Soap Opera Gifts," so now I'm even wondering what their actual title was. 

One trend in the past few years is the elimination of printed paper bills, those things that used to arrive in your mail box every month. The San Jose Water Company was one of the last holdouts in this, and even they've finally made the move to electronic bills, so that I now write a total of ZERO checks per month.

This move to electronic bills has probably had some negative affects for some people, however. I remember talking to a person in the finance department of Cincinnati Gas and Electric several years ago who told me about how they had people whose job it was to just take care of the checks that were mailed to the wrong place. Apparently lots of people would accidentally mail the check for their utility bill to the phone company, for example, and each of the companies that sent out lots of monthly bills had people in their finance department whose job it was to correct this error.

With the increasing use of electronic bills, I'd guess that lots of those jobs have disappeared.

At the X9F4 meeting last week, we started work on a new document that will define a set of criteria for the secure use of PKI by financial institutions. There was unanimous agreement that the document needed two major parts: one that covers PKI that uses digital certificates and one that covers PKI that doesn't. Identity-based encryption is an example of using public-key technology in a way that doesn't require certificates. Using raw public keys also does. I've seen lots of use of IBE, of course, but I've also seen a few uses of raw public keys. Others in the X9F4 working group had also seen examples of that, and it seemed to me that the uses that we'd seen of it fell into two general categories.

In one case, if you're protecting things that are of relatively low value, you might decide that using certificate-based PKI just isn't worth the cost and headaches that it can cause, but you still want the benefits that using public-key technology can give you. I've seen cases of where exactly that happens.

In the other case, there are also cases where people just don't trust a certificate-based system to protect things which are of extremely high value. I've never seen examples of that myself, but other working group members had, and I have to admit that I was a bit surprised by these particular use cases.

I just read "Assessing Secure Web Gateways and Web Filtering Solutions" by the Burton Group. This report talks about filtering technologies, which isn't exactly new, but it did contain something that I hadn't seen before. In particular, the report says "An organization that blocks social networking sites may determine that there are business uses for those sites or that the organization's policy is hurting staff recruitment or retention."

That's the first time that I've seen someone say that you may have some very undesirable side-effects if you block employees from social networking sites. I'm not a big user of these myself, but I know lots of people who are and I can certainly understand that social networking sites are an important part of some people's lives, and that how they might be either reluctant or unwilling to work in a place where they can't use them.

There have been lots of discussion in the past few years about how the demographic trends, at least in the rich, industrialized countries, seem to indicate that the workforce will start shrinking in the not-too-distant future and that competition for skilled employees may heat up because of this. If this is the case, we may see employers more and more reluctant to do things like banning employees from using social networking sites. Maybe what the Burton Group is talking about now will become a much bigger issue in the future, and we'll find that corporate security policies will need to reflect the needs of the employees as well as the needs of the information security organization.

The Open Security Foundation, the people who maintain the most comprehensive and useful database of data breach incidents, are now also maintaining a database of cloud computing incidents. This is available at cloutage.org.

There are currently 213 incidents in this data base. Of these, 128 are classified as outages, 40 are classified as autofails, 37 are classified as vulnerabilities, 4 are classified as cases of dataloss and 4 are classified as hacks. Here’s how that looks when you graph it. Clearly, outages are still the most common problem, although they probably don’t cause users of cloud computing the same headaches that having sensitive data compromised does.

I just came across an article that talks about how the use of biometric data for identification can cause a security problem. Here's what this article said:

When biometrics get down to the local gym, however, serious questions must be raised. Your biometric identifiers are immutable and, once stored on a computer, impossible to take back. So if the 24-Hour Fitness database gets hacked and some enterprising Black Hat team of computer experts makes off with this sensitive information, many people could forever lose control of this permanent identification marker. Of course, you could scrape off your fingerprints and replace them with new ones. (This is probably possible). But that's getting a little too close to Total Recall for my taste.

This seems to miss the point of biometrics. Biometric data isn't secret and the security model of biometric identification systems doesn't assume that it is. Instead, biometrics need to ensure that the data that they capture is fresh instead of stored. This subtlety seems to have been missed by the author of this article.

It looks like that back in 2006 the determned people at Izanpe tried to get their root certificate added to the Mozilla browser. It took them four years to do this, and you can find the story of their adventure here.

At a bit over 14,000 words, this story should probably be called a novelette instead of a full novel, but that's probably not much of a consolation to the people at Izanpe.