Archive for the 'security' Category

The name of your first pet is too short!

Thursday, July 3rd, 2008

I previously ranted about strange password restrictions that disallow the use of special characters such as spaces or alphanumerics. This time I want to complain about another boneheaded security feature out there - minimum length restrictions on the answer to your “secret” password recovery question. I was recently creating a Microsoft Live Passport account to register a copy of Visual Studio Express 2008. Yeah, laugh all you want, but PerfMonG is written in C# and it won’t maintain itself no matter how hard I try to ignore it. At some point during registration I saw this:

[Screenshot of the registration form’s minimum-length error: croppercapture81.jpg]

Don’t get me wrong. I’m all for keeping things more secure, but restricting the secret answer to strings of more than 5 characters is a bit silly. For starters, let’s consider pet names. I don’t know about you, but I find that most of them are relatively short. For example, I did a quick Google search for the most popular dog names and stumbled upon this ranking:

Most Popular Dog Names

It turns out that half of the top 10 most popular dog names are shorter than 5 characters, and if you look further down the list this trend continues. So roughly half the people won’t be able to use their pet’s name as their secret answer, or will have to figure out a way to make it longer (for example by adding their last name), which only adds confusion. The same goes for the childhood friend option. You may remember that your best buddy from the playground was named Bob, but will you always remember that his last name was Szczebrzeszyński? Will you remember how to spell it? Hell, if on top of all this your place of birth is Ido, Japan, then you are totally fucked.

Now you are forced to make up answers - ones that you won’t remember 3 years from now when you need to recover your password, which makes them absolutely useless. This minimum length limit is silly, because these hints are not really designed to be secure. Anyone can find out the name of my first pet, or the birthplace of my mother. It’s really not a secret, and it can easily come up in casual conversation. The whole point of them is to provide another layer of protection for your account, so that the attacker has to have both the secret answer and access to the email account you used to open the service. Brute forcing the secret answer should not be a concern, because these answers would be incredibly vulnerable to dictionary attacks anyway.

So why won’t you let us use answers that are as short or as long as we like, or stop using them altogether? Otherwise it is just counterproductive, as people won’t be able to remember what they typed in to pad their answers to meet your arbitrary minimum length limit.

The Death of CAPTCHA

Tuesday, July 1st, 2008

For a while now we have known that CAPTCHAs were becoming irrelevant. They were a great solution when they were first introduced, but I think that everyone knew they were not going to be around for long. The trend in technology is constant improvement - so OCR engines will continue to improve with each passing year. CAPTCHA strength, on the other hand, has an upper bound because it needs to be human readable. You can continue making the pictures more complex and tricky to solve, but at some point they become as incomprehensible to a human being as they are to some random bot. For example, how do you guys like the Rapidshare dog/cat CAPTCHA?

The Infamous Cat CAPTCHA

I personally hate that one. Yes, you can sort of figure it out, but you actually have to put some effort into it, and sometimes it’s just pure guesswork. Does it help against the automated scripts? I don’t know - I guess this is a question we should direct at Rapidshare. But it sure is annoying to regular users.

OCR technology is not there yet - it’s getting better, but I presume that we could still get a few years out of our CAPTCHAs if their effectiveness boiled down to an arms race between complexity of design and character recognition. But we all know there is a growing cottage industry out there which uses real people to solve CAPTCHAs, either by tricking them into doing it or by paying them per solved puzzle. I always imagined this to be a rather shady business conducted in private spammer forums and via private channels. But it is not. They are actually doing this out in the open, as a legitimate paid service:

Image To Text

Here is a screenshot of imagetotext.com - a company which specializes in solving CAPTCHAs. They of course don’t say it like that, but I think the blurbs on their site make it pretty clear that they are not really interested in doing any sort of data entry tasks or in transcribing freehand text into digital format. They are interested in receiving a small image and shooting back the text at $.02 a pop, bought in “packages” of 500 images or more. With a narrow focus like that, what else could they be doing?

Note that I’m not linking to them, because sure as hell they don’t need any Google juice from me. :P The ubiquity of CAPTCHA has basically created a new niche industry. All you need now is some clever script that will harvest CAPTCHAs, send them to Image to Text, receive the responses and create accounts on popular online services. Thank god these sorts of scripts are shady, and probably hard to get, right? You either have to make them yourself, or know where to find them, or who to ask for them. It’s not like anyone can just go to a website and buy, for example, an automated MySpace account creator? Right?

allBots Inc.

This one is from allbots.info - a website that seems to be selling precisely that: account generation scripts that create random profiles and simply need a human being solving CAPTCHAs really fast for them. So you buy one of these apps, then purchase a big-ass package from ImageToText, and you can start building your brand new spam empire. All it takes is some cash - you can even be borderline retarded. It won’t slow you down.

Combine the two services and you have yourself a deadly combo with no programming and no thinking required. A bit scary if you think about it. I’m not sure how profitable these two companies are, but the fact that they exist indicates that there is demand for this type of service out there.

CAPTCHAs may be effective in stopping your average home-grown spammer, but they are actually creating a whole micro-industry revolving around circumventing them. In other words, they are actually performing natural selection - weeding out the weak players with few resources, and leaving only the biggest, baddest and most determined in the game. They are the catalyst, helping to evolve bigger and better bad guys.

Public Turing tests may be doomed, and I suspect they might get completely phased out from use on the web in the next 5-10 years. And it’s not just CAPTCHAs - all public Turing tests. After all, it doesn’t matter if you are interpreting an image, solving an equation, or answering a question - it doesn’t really matter if there is a low-wage human worker solving it on the other end and then handing control over to a script.

Google has an interesting idea going with their text message based approach. If you haven’t seen it, try signing up for one of their services such as Gmail or Google App Engine. Instead of using a CAPTCHA, they send a text message with an activation code to your cell phone. At least for the time being this system remains much harder to game - which means we might see it being used more and more often by popular online services. Of course it does have serious downsides, as not everyone with an internet connection may have a cell phone (think less developed countries), and not all cell carriers may be supported. We will need something else - but what?

It will be interesting to observe where anti-bot technology goes in the next few years.

Free Public Wifi Epidemic

Wednesday, June 4th, 2008

Here is a question for you. Have you noticed a strange, non-functioning, unencrypted ad-hoc wireless network occasionally popping up on the Wifi network list in your area? Yeah, I did too. When I first saw it at work, I thought someone in the building was messing around with ad-hoc networks. Good for them. Then I noticed the same network popping up at home. Then at school, in a coffee shop and other places. I talked to my co-workers who travel a lot and they too seem to notice this strange network popping up all over the country. And these networks never work, and disappear as mysteriously as they appear.

To sort of gauge the magnitude of this phenomenon, I decided to search for “Free Public Wifi” on WiGLE. This is what I found:

Free Public Wifi Spottings
via WiGLE - see the interactive version of this map here

Bizarre. I assume some of these hits are from genuine free public wifi networks, but I have a feeling that most are not. If you click on the link below the map and zoom out a bit, you will see that these things are also popping up all over Europe and in other parts of the globe. It seems to be a worldwide phenomenon.

So I decided to investigate. After some googling, I found a really nice writeup of this issue by Zaib Kaleem at wlanbook.com:

The answer to why this SSID seems to be everywhere can be blamed on Microsoft, more specifically a Windows feature called Wireless Auto Configuration (aka Wireless Zero Configuration). Wireless Auto Configuration “provides automatic configuration for the 802.11 adapters”. In an attempt to make it extremely easy to connect to WiFi networks, Wireless Auto Configuration does the following when an 802.11 adapter is enabled and starts to scan for WiFi networks. (…)

If there are no successful connections and there is an ad hoc network in the list of preferred networks that is not available, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network (…).

At one time or another somewhere out there someone connected to a real ad-hoc WiFi network that had the SSID “Free Public WiFi”. They added this network to their preferred network list. They then traveled to a location where this WiFi SSID didn’t exist (airport, airplane, and/or hotel). They powered on their laptop with the wireless card on and Wireless Auto Configuration took over and started searching for WiFi networks. After trying [failing to connect to any viable network in range], Windows gave up and configured the WiFi card to ad hoc mode with the SSID “Free Public WiFi” (since it was a preferred network).

A second person in close proximity to the user above also has a wireless enabled laptop and is looking to connect to a WiFi network. They scan to see what is available and notice an SSID called “Free Public WiFi”….they connect to it not knowing that it is an ad hoc network. After a few seconds of wondering why they can’t surf the web they disconnect from the SSID, shrug their shoulders and move on with life. Now they have the viral SSID in their preferred list too. The next time they power on their laptop it starts to look for the “Free Public WiFi” SSID. This process is repeated in many locations across the US and world again and again. Soon this SSID is in preferred wireless network lists everywhere and spreads like a virus.

Joshua Wright likened it to a zombie outbreak, in the way it likely started with a single ad-hoc network and has now taken over most of the eastern seaboard and created hot spots on the west coast and in Europe. He posted about this weird issue over a year ago, and he also did the WiGLE mapping thing. Go check out his post and compare our maps. You can clearly see how this odd infection has spread since May 07 - the difference is huge. It’s growing!

Is this wifi zombie plague dangerous? Not in and of itself, but it does create a certain risk. Whenever your laptop is broadcasting the “Free Public Wifi” SSID, it is essentially revealing itself to all potential attackers. Whether or not you are actually vulnerable to an attack depends on your system setup and the security software you are running, but you clearly become more of a target due to increased visibility. And naturally any open public wifi hotspot is arguably a dangerous place to be to begin with. This goes double for public ad-hoc networks.

Few people really use the ad-hoc functionality on a regular basis, so it is probably a good idea to configure Windows not to automatically connect to them anyway. This way you both immunize yourself against this non-malicious viral wifi worm, and protect yourself from accidentally stumbling into a trap network set up by someone with malicious intent.
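The cleanup the paragraph above recommends starts with finding out which saved profiles are ad-hoc in the first place. The script below is an added example written for this post (it is not from the post, from wlanbook.com or from Microsoft): it parses the text printed by `netsh wlan show profiles` and `netsh wlan show profile name="…"` on Windows Vista and later, flags every saved ad-hoc profile, and prints the `netsh wlan delete profile` command that removes each one. The netsh output embedded in the script is constructed sample data; the field labels (“Network type”, “Connection mode”) and the profile listing layout are those of the Vista-era netsh, and the `--live` switch is an assumption of this example. On XP, where the Wireless Zero Configuration service described in the quote has no `netsh wlan` context, the equivalent fix is the Advanced button on the adapter’s Wireless Networks tab, set to “Access point (infrastructure) networks only”.

```python
"""Audit saved Wi-Fi profiles for ad-hoc entries such as "Free Public WiFi".

Added example for this post, not the post's own code. Parses netsh output
(Windows Vista and later). Run without arguments to audit the constructed
sample below; run with --live on Windows to audit the real profile list.
"""
import re
import subprocess
import sys

# Constructed sample of `netsh wlan show profiles` output.
SAMPLE_PROFILE_LIST = """
Profiles on interface Wireless Network Connection:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : HomeNet
    All User Profile     : Free Public WiFi
    All User Profile     : hpsetup
"""

# Constructed samples of `netsh wlan show profile name="..."`, keyed by profile name.
SAMPLE_PROFILE_DETAILS = {
    "HomeNet": """
Profile HomeNet on interface Wireless Network Connection:
Connectivity settings
---------------------
    Network type           : Infrastructure
    Connection mode        : Connect automatically
""",
    "Free Public WiFi": """
Profile Free Public WiFi on interface Wireless Network Connection:
Connectivity settings
---------------------
    Network type           : Ad hoc
    Connection mode        : Connect automatically
""",
    "hpsetup": """
Profile hpsetup on interface Wireless Network Connection:
Connectivity settings
---------------------
    Network type           : Ad hoc
    Connection mode        : Connect manually
""",
}

# One saved profile per "All User Profile : <name>" (or "Current User Profile") line.
PROFILE_RE = re.compile(r"^\s*(?:All User|Current User) Profile\s*:\s*(.+?)\s*$", re.M)


def parse_profile_names(listing):
    """Profile names from the user-profiles section of `netsh wlan show profiles`."""
    return PROFILE_RE.findall(listing)


def parse_field(details, field):
    """Value of a 'Field name : value' line in a profile dump, or None if absent."""
    m = re.search(rf"^\s*{re.escape(field)}\s*:\s*(.+?)\s*$", details, re.M)
    return m.group(1) if m else None


def audit(listing, details_by_name):
    """Return (name, network_type, connection_mode) for every saved ad-hoc profile.

    Ad-hoc entries are flagged whatever their connection mode: a saved ad-hoc
    profile is what lets Wireless Auto Configuration start the network itself."""
    findings = []
    for name in parse_profile_names(listing):
        details = details_by_name.get(name, "")
        net_type = parse_field(details, "Network type") or "unknown"
        mode = parse_field(details, "Connection mode") or "unknown"
        if net_type.lower().replace("-", " ") == "ad hoc":
            findings.append((name, net_type, mode))
    return findings


def remediation_commands(findings):
    """The netsh command that removes each flagged profile from the preferred list."""
    return [f'netsh wlan delete profile name="{name}"' for name, _, _ in findings]


def run_live():
    """On Windows, collect the same text from netsh and audit it."""
    listing = subprocess.run(["netsh", "wlan", "show", "profiles"],
                             capture_output=True, text=True).stdout
    details = {
        name: subprocess.run(["netsh", "wlan", "show", "profile", f"name={name}"],
                             capture_output=True, text=True).stdout
        for name in parse_profile_names(listing)
    }
    return audit(listing, details)


if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    found = run_live() if live else audit(SAMPLE_PROFILE_LIST, SAMPLE_PROFILE_DETAILS)
    for name, net_type, mode in found:
        print(f"{name!r}: {net_type}, {mode}")
    for cmd in remediation_commands(found):
        print("  fix:", cmd)
```

Against the constructed sample the audit flags “Free Public WiFi” and “hpsetup” and leaves “HomeNet” alone; the script only prints the delete commands rather than running them, so the operator sees exactly which profiles go before anything changes.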

Cylons don’t use Encryption

Thursday, April 24th, 2008

Let me preface this post by saying that I nitpick because I love. It seems that what started as a random nitpick will turn into a whole series of posts with “Cylons don’t use” in the title. This one is about encryption. Yes, I have another bone to pick with the writers. This time it is about this:

Weapons Locker Note
screencap © galacticabbs.com

This is the super-secret note that Colonel Tigh (a very senior military officer, and the former leader of the New Caprica resistance movement) passed to Chief Tyrol (who also had experience in NC resistance movement) about an incredibly secretive meeting which was accidentally intercepted by Tyrol’s wife Cally. This sort of thing happened to me too - back in grade school. Since then, I have learned to use encryption.

Let’s review - both Tigh and Tyrol are Cylons (if I just spoiled you, then go back and watch the S3 finale already and stop complaining) and they must keep this secret. If anyone found out who or what they really are, their lives would be in danger. Therefore keeping their true identity secret should be their paramount concern - and no effort should be spared to cover their own tracks. But here we have an experienced leader, who has tons and tons of experience operating behind enemy lines, making a colossal, boneheaded mistake that might have exposed them. It is just stupid!

I think about encryption all the time because of my education and my job - I’m conditioned to notice these things. A lot of people never even consider it. For example, a housewife cheating on her husband may never have been exposed to concepts such as cryptography and information security, so she may never even think about using anything but unsecured notes like this one. But these folks, for one, have military training. I have never been in the military, so I might be wrong about this, but I would think that security and simple cryptography would be part of basic training, at least for officers. I’d think that they ought to know about cryptography in case they find themselves behind enemy lines, or in a position where all their communications are intercepted. If I’m wrong, please correct me.

Even if they didn’t get this knowledge in basic training, you can’t tell me they haven’t developed strong, low tech methods of encryption during the New Caprica occupation. Let’s face it - if a silly note like that ended up in the hands of the occupying forces it could mean many deaths, or loss of valuable resources. They simply could not afford to openly communicate their attack plans or resistance movement secrets in plaintext.

What should they have used? There are many low-fi methods to obfuscate or encrypt hand written notes. A simple Caesar Cipher would probably be good enough for plausible deniability in front of Cally. Would she be curious enough to try to crack it? Perhaps, but it is likely that Tyrol could easily play the gibberish note as some sort of an entry code he needed on a routine repair job or simply shrug and act as if it was just that - gibberish.

For real security they should probably use one-time pad encryption. The pad is a long random sequence of symbols that is used as the key to encrypt and decrypt your message. This method was used successfully by the CIA and the KGB in the past. What does a pad look like? It can be something like this:

One Time Pad
image © ranum.com

It is really a relatively secure method as long as you destroy the pads after each use, and you have a foolproof method of securely exchanging them. Our protagonists do have one, since they meet regularly. On each meeting they could exchange pads, which they would then use for written communication until the next meeting. The pads can be small and easy to conceal. A very nice disguise for a pad is a stack of papers with a random stream of characters printed on one side, and unrelated handwritten notes on the back. Plausible deniability - it’s just scrap paper, some gibberish spat out by a malfunctioning printer, and you are just using it for personal notes.
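To make the two schemes discussed above concrete, here is an added example (mine, not the post’s or the show’s) that works a letter-only one-time pad the way a paper pad is worked by hand: each pad letter is added to the corresponding plaintext letter mod 26, and subtracted again to decrypt. The Caesar cipher from a few paragraphs up falls out as the degenerate case where the “pad” is one letter repeated, and the block shows why it only buys plausible deniability: all 26 candidate plaintexts can be listed in a moment. The last function shows the rule the paragraph above insists on, destroying the pad after one use: two messages enciphered with the same pad give away the letter-wise difference of the plaintexts, with the pad cancelling out entirely. Pad letters, messages and the 26-letter alphabet are assumptions of the example.

```python
"""Letter-based one-time pad, with Caesar as the one-letter-key special case.

Added example for this post, not code from the post. Models a hand-worked
paper pad: a 26-letter alphabet, addition mod 26 to encrypt, subtraction to
decrypt. Spaces and punctuation are dropped, as they would be on paper.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase


def normalize(text):
    """Keep only letters, upper-cased: a paper pad has no column for spaces."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def generate_pad(length):
    """Fresh pad letters from the OS CSPRNG; a real pad is printed once and never reused."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def shift(text, key, sign):
    """Add (sign=+1) or subtract (sign=-1) the key letter by letter, mod 26."""
    if len(key) < len(text):
        raise ValueError("pad too short for this message: never wrap or reuse it")
    return "".join(
        ALPHABET[(ALPHABET.index(p) + sign * ALPHABET.index(k)) % 26]
        for p, k in zip(text, key)
    )


def otp_encrypt(plaintext, pad):
    """Ciphertext = plaintext + pad (mod 26), one pad letter per plaintext letter."""
    return shift(normalize(plaintext), pad, +1)


def otp_decrypt(ciphertext, pad):
    """Plaintext = ciphertext - pad (mod 26)."""
    return shift(ciphertext, pad, -1)


def caesar(text, rotation):
    """Caesar is an OTP whose pad is a single letter repeated: one letter of key material."""
    text = normalize(text)
    return shift(text, ALPHABET[rotation % 26] * len(text), +1)


def caesar_candidates(ciphertext):
    """All 26 possible Caesar plaintexts; the right one is picked out by eye."""
    return [shift(ciphertext, ALPHABET[r] * len(ciphertext), -1) for r in range(26)]


def pad_reuse_leak(c1, c2):
    """What two ciphertexts under the same pad reveal without the pad.

    C1 - C2 = (P1 + K) - (P2 + K) = P1 - P2 (mod 26): the key drops out and
    the attacker is left with the difference of the two plaintexts, which is
    attackable with nothing but language statistics."""
    return shift(c1, c2, -1)


if __name__ == "__main__":
    pad = generate_pad(32)
    note = "weapons locker after third watch"
    ct = otp_encrypt(note, pad)
    print("pad       :", pad)
    print("ciphertext:", ct)
    print("decrypted :", otp_decrypt(ct, pad))
```

The pad is random and as long as the message, so every ciphertext is equally likely for every plaintext of that length; nothing in the ciphertext favours one guess over another. That guarantee evaporates the moment a pad page is used twice, which is what `pad_reuse_leak` demonstrates and why the paragraph above says to destroy pads after each use.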

When handled properly, it’s virtually unbreakable and in my honest opinion would be near perfect for this setup. But it seems that the BSG writers have never taken a cryptology class. I’d say they ought to hire a consultant who could advise them on blunders like this one, but the difficult part is that an average person wouldn’t even think that this part of the screenplay would need to be looked at by a technologically clueful person.

So this is my BSG nitpick for today. I love that show, and this is why I hold it to a high standard and will ruthlessly pick on the annoying little bits like this one. They simply destroy my enjoyment and prevent me from buying into the drama. I should be freaked out that Cally found the note and she will expose the final 5, but all I can think of is that Col. Tigh is an idiot for leaving that note in plaintext.

Sigh… Sometimes I think I would enjoy TV and movies much more if I was just absolutely, technologically inept and clueless. :P

Virtualizing the Security Layer

Wednesday, April 9th, 2008

I was in the City the other day, listening to a somewhat interesting talk on computer security. For my readers who are not from the area, let me explain. When we NJ dwellers say “The City” (in capitals), we mean a certain nearby city of York. This of course means skyscrapers, smog, hellish traffic, crowds, noise and dirt. I love big cities, they remind me of home. They are the only places where you can see the stark juxtaposition of a sharply dressed businessman in an Armani suit stepping over a homeless bum sleeping on the sidewalk as he hails a cab. These places pulsate with life and purpose, and have this strange intensity. You can almost feel the weight of the accumulated human experience all around you. If the stone walls of the skyscrapers could talk, they would sing us a moving story about love, commitment, betrayal, hate, strife, happiness, sorrow - about hearts and dreams being broken or fulfilled every day on the busy streets. That said, I totally don’t mind living in the quiet and lazy suburbia.

The whole shindig was targeted more at the managerial types, so it was sort of dumbed down out of necessity. You see, when you do a presentation for IT people or programmers, you talk about technology. You throw it out there, say what it does, why it is good, and then you dive in and show how it works, how it can be broken, and how to hack it into submission. That’s what excites us. When you do a presentation for the decision makers, you briefly describe the technology, then you talk about “business scenarios”, costs, benefits, risks, tell “industry stories” and then try to sell them “solutions”. An abridged transcript would be as follows: “blah blah blah, interesting stuff, money money money money, risk, money money, opportunity, money money, buy buy buy!”

Still, the gist of the talk was interesting and I was able to sneak in one or two technical questions at the end so it was not a total loss. In fact I found it worth sharing here.

There are pretty much 2 ways to secure your machines. On the small scale you simply run a client antivirus and a software firewall on each desktop. On a large scale, you put trusted machines behind a big bad firewall, or perhaps build a tiered architecture with firewalls between each tier. Both methods have flaws. The big scale method, ironically, doesn’t scale well, because large companies tend to have dynamic network architectures due to growth and mergers, and work is more and more often done from beyond the firewall due to the mobility of the workforce. So your firewall infrastructure ends up looking like swiss cheese, full of holes, exceptions, and strange rules no one remembers creating.

The small scale approach is similarly vulnerable. Your security applications are running in the context of the operating system, so if the OS gets compromised by a new zero-day exploit that installs a rootkit, you are dead. If you can’t trust your OS, how can you ever be sure every little piece of malicious code was removed? How can you even attempt to remove that stuff if the malware is actively killing all the anti-virus threads it can find? There are many cases when the best thing to do after you get compromised is to reformat and start from scratch.

The new idea the talk tried to introduce was to run your security software in a virtual machine. This virtual machine would be a minimalistic, stripped-down OS which would act as your internet gateway, firewall, IPS and anti-malware scanner. The idea is to divorce your security software from the host OS to make it less susceptible to attacks on that system. Instead of running a big static OS installation with many services, applications and points of attack, you are now exposing only a small, hardened, special-forces OS that provides no services to the outside network. It poses a much smaller target, and it is easier to aggressively patch and upgrade virtual machines than full-blown operating systems that perform mission critical tasks. Furthermore, a compromised virtual security layer can be easily switched off and “rolled back” to a “clean” state at any time. This is naturally not foolproof, but it does seem to offer a slightly higher degree of protection than the traditional approach.

The point they were really trying to sell to us was the impact this has on large scale network architectures. They juxtaposed it against the more traditional data center philosophy of putting physical firewalls between different parts of your infrastructure (i.e. forward-facing web servers are kept on a separate network from application and database servers). Using virtualization is like giving each machine its own dedicated hardware firewall and IPS shielding it from everything else. The products they are selling are supposed to make it easier to organize machines into dynamic server pools, which can be reorganized on the fly using global policies, and the like.

There is a downside to this - running a security VM on each box is expensive in terms of performance. However, in this day and age of ubiquitous quad-core processors it may not be such a huge concern. If you dedicate a single core and, say, 512 MB of RAM to run the VM, you still have a 3-core powerhouse with 3GB of RAM on your hands. At least for now. I’m sure that the next version of Windows will probably need all 4 cores, and all your RAM, to actually draw windows on the screen, but that’s a whole different story.