Archive for the ‘security’ Category

don’t tase me, bro

Monday, December 3rd, 2007

In 1992, when I was 17, I traveled with my father to the US for a few weeks. We had a family friend living in Houston whom we wanted to visit. He was away and due back a day or so after we arrived, so he gave my father the alarm access code so we could let ourselves in. We arrived at the house late at night, something went wrong with entering the code, and the alarm went off. Almost instinctively my dad rushed me to the car and we drove off to check into a motel for the night. My dad explained that we were likely to end up in jail if the police got to the house, regardless of our explanation. Back then I thought it was a bit extreme; surely we could reason our way out of it, like we would be able to back in Israel. Looking back at it, it was probably a reasonable choice given the circumstances.

Today, if we were caught, in addition to being arrested we would surely be tased for bad measure. The near-daily news of people being tased for no good reason reminded me of the story above. Some taser cases and videos can be found among the top hits on reddit on the topic; Andrew Meyer coined the “don’t tase me, bro” catchphrase while being tased after making a bit of a fuss asking John Kerry some questions; here’s the comic. Some people die after being tased, though the marketing says the tool is supposed to be non-lethal. But when you give people a “non-lethal” alternative to dealing with other people verbally or physically, it is a natural outcome that it turns from an alternative into a norm. This is the situation today, with cops tasing without much thought, and it seems as though the chances of being tased are largely random, depending mostly on how the cop feels at the moment. With the general sense of paranoia and the justification that anything is permissible in the name of security and anti-terrorism, all you have to do is act out of the ordinary, like being slow to hand a cop your proof of insurance; Schneier calls this “The War on the Unexpected”.

This arbitrary taser treatment by trigger-happy cops is scary, and certainly does not contribute to the general feeling of security it was meant to promote. The long-term effect is the continuous erosion of trust in the police and the “system” — not that it is in any good shape currently — which will be difficult to recover from even if tighter controls are placed on taser use. When this happens, the unintended consequence will be that the police have lost the “touch” of actually dealing with people and, even worse, will use their lethal weapons (guns) more casually than before. I wouldn’t be surprised to hear in the near future of a case where a cop claims that he/she reached for the taser but instead shot the poor speeder in the chest with a lethal bullet.

well, gee, thanks!

Monday, July 9th, 2007

studentuniverse.com sells cheap airline tickets for students. They also have a neat little bonus they give for free to every student who signs up!

For your protections we will not spam you

That’s like me demanding a medal for my good social conduct because I don’t go around randomly punching people in the face.

Well, thank you very much, studentuniverse.com, for protecting me from yourself and for practicing restraint with regard to your right to spam me and sell my information! It is also much appreciated that you are using my private information only for the purpose I am providing it for. (link to the page quoted above).

journalism honesty

Saturday, February 24th, 2007

The Times is a pretty popular newspaper here (I always have to ask the locals, since there are so many). A couple of weeks ago, subsequent to our Chip & PIN relay attack, I got a call from a journalist regarding the use of Chip & PIN cards in petrol (gas!) stations (there has been a surge of fraud lately, particularly in these shops). This is the resulting article, with my quote below:

Saar Drimer, a security expert and researcher at Cambridge University, also said he had stopped using his cards at petrol stations. “The more we look into the ways that you could be defrauded, the more worrying it becomes. Cash is always better to use because there is no record and you’re not giving away any of your secrets,” he said.

After talking to the guy I learned that he had first called Steven, who refused to spoon-feed him the quote he was after, namely “I recommend people not use Chip & PIN cards at petrol stations.” Then he called me, the media novice. I told him many things, among them that I don’t own a car and therefore don’t use petrol stations. He then massaged the questions such that I gave him the above (general) quote, which he wrapped in an untrue preamble. Ah, well, I should have known.

One of the things I told him was that I wouldn’t use those stand-alone ATMs because they are easier to manipulate (attachments or complete fakes, etc.), a point he wanted me to elaborate on. However, that may have put him in a bind, because his point was that people should use cash in stations, but where would they get it? From the station’s ATM…

Anyway, next time a journalist type calls I’ll cut the bullshit and ask him what exact quote he is after and see if I am comfortable saying it. Someone suggested that next time I should write it down for him so there are no mistakes; that’s what press releases are for. Lesson learnt ;)

“I’ve got a customer”

Saturday, February 10th, 2007

A few weeks ago Steven J. Murdoch and I released a video of a Chip & PIN terminal playing Tetris (YouTube version). Back then, I alluded to the fact that this was just a small part of something grander. We were working on an experiment that demonstrated a particular vulnerability Chip & PIN is prone to: a relay attack. This is important because banks now maintain that if the PIN was used, then the customer must prove they were not negligent, which is impossible (they do not have access to the evidence and have no way to show, for example, that no one was looking over their shoulder). Therefore, since there is at least one way of defrauding customers who have clearly not been negligent with their PIN, such customers should be reimbursed.

Anyway, there is a somewhat technical article on ZDNet, with more info here, and Steven dissecting an insulting response from the Financial Ombudsman Service to a customer who sought to know on what grounds he had been refused a refund.

What was missing from the media hype over this is what is included in the academic paper. In it, not only do we describe the attack in detail, including background, but we also describe and implement a defense against it called “distance bounding”, which bounds how far the card can be from the terminal by timing its responses, and which is the main contribution.
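As an added illustration, not code from the paper or from the Cambridge implementation: a Python simulation of the timing argument behind distance bounding. The terminal times each single-bit challenge/response round and rejects any reply that arrives later than a card within half a metre could manage. A relay forwards the genuine card’s answers, so the bits are all correct, but the detour over the relay link adds delay that no relay can hide; an attacker without the card answers fast but has to guess the bits. The response-bit derivation (two bit registers from an HMAC over session nonces, in the style of Hancke and Kuhn), the 3.34 ns/m signal speed, the card processing delay, the relay latency and the round count are all assumptions of this simulation, not figures from the paper.

```python
"""Why a relay attack fails against distance bounding: a timing simulation."""
import hashlib
import hmac
import random
import secrets

# Simulation parameters; all are assumptions, not figures from the paper.
NS_PER_METRE = 3.34          # a radio or wire signal needs about 3.34 ns per metre
CARD_DELAY_NS = 100          # assumed fixed time the card takes to answer one bit
MAX_DISTANCE_M = 0.5         # farthest a genuine card should be from the terminal
ROUNDS = 32                  # number of single-bit challenge/response rounds

# Accept a reply only if it could have come from within MAX_DISTANCE_M.
TIMING_BOUND_NS = CARD_DELAY_NS + 2 * MAX_DISTANCE_M * NS_PER_METRE


class Card:
    """Genuine card holding the shared key (Hancke-Kuhn style response bits)."""

    def __init__(self, key):
        self.key = key
        self.r0 = self.r1 = None

    def setup(self, nonce_t, nonce_c):
        # Both sides derive two ROUNDS-bit registers from the session nonces.
        digest = hmac.new(self.key, nonce_t + nonce_c, hashlib.sha256).digest()
        bits = "".join(f"{b:08b}" for b in digest)
        self.r0, self.r1 = bits[:ROUNDS], bits[ROUNDS:2 * ROUNDS]

    def respond(self, i, challenge):
        # The challenge bit selects which register the i-th reply bit comes from.
        return (self.r1 if challenge else self.r0)[i]


class Guesser:
    """Attacker with neither the key nor a live card: answers fast but must guess."""

    def __init__(self, rng):
        self.rng = rng

    def setup(self, nonce_t, nonce_c):
        pass

    def respond(self, i, challenge):
        return str(self.rng.getrandbits(1))


class Channel:
    """Round-trip time for a card at distance_m, plus any delay a relay adds."""

    def __init__(self, distance_m, relay_delay_ns=0):
        self.one_way_ns = distance_m * NS_PER_METRE + relay_delay_ns

    def round_trip_ns(self):
        return 2 * self.one_way_ns + CARD_DELAY_NS


def terminal_verify(key, responder, channel, rng=random):
    """Terminal side: accept only if every bit is correct and arrives in time."""
    nonce_t, nonce_c = secrets.token_bytes(16), secrets.token_bytes(16)
    reference = Card(key)               # what the terminal expects the card to answer
    reference.setup(nonce_t, nonce_c)
    responder.setup(nonce_t, nonce_c)
    for i in range(ROUNDS):
        challenge = rng.getrandbits(1)
        if channel.round_trip_ns() > TIMING_BOUND_NS:
            return False                # too slow: a relay (or a distant card)
        if responder.respond(i, challenge) != reference.respond(i, challenge):
            return False                # wrong bit: responder lacks the key
    return True


KEY = secrets.token_bytes(16)           # constructed shared card/issuer key


def scenarios():
    """Three cases: genuine card nearby, genuine card relayed, keyless guesser."""
    return {
        "genuine card 10 cm away": terminal_verify(KEY, Card(KEY), Channel(0.1)),
        # The real card is still 10 cm from the fake terminal, but every bit
        # makes an extra 50 us trip over the relay link in each direction.
        "genuine card via 50 us relay": terminal_verify(
            KEY, Card(KEY), Channel(0.1, relay_delay_ns=50_000)),
        "keyless guesser 5 cm away": terminal_verify(
            KEY, Guesser(random.Random(7)), Channel(0.05)),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:32s} -> {'ACCEPT' if accepted else 'REJECT'}")
```

The point to take away is which check catches which attacker: the relayed card fails only the timing check, the guesser fails only the bit check (it has a 2^-32 chance of passing 32 rounds), and neither the nonces nor the key ever travel over the fast channel, so an eavesdropper learns nothing reusable.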

In addition, we spilled the beans on prime-time TV here on the island, on BBC1, in a program called “Watchdog”, which is a popular and long-running consumer-watch program. This was quite an experience and I learned a lot from it. We spent about 11 hours with the crew, with the outcome of about 2 minutes of us appearing and a not-so-clear representation of the attack. Sigh. Before all this, I thought TV was evil; let’s just say I have not changed my mind.

I cannot post the video publicly (it would probably infringe on someone’s rights) but if you’d like to see yours truly say the line in the heading of this post on TV, email me at <first name><last name>@gmail.com.

UPDATE: Someone has posted the segment on YouTube, here. If you want a better quality version, email me.

been busy

Tuesday, January 9th, 2007

All good things, though…

On Christmas day, Steven Murdoch and I decided it would be fun to post a video of a Chip & PIN terminal playing Tetris on our group’s weblog. It was an excuse to say merry Christmas and happy new year to our readers. Then I spent a week in Edinburgh, which is a lovely city, even in the winter. If you haven’t been, I’d recommend it. Rosslyn Chapel was really nice. They are doing really well thanks to the “Da Vinci Code effect”: people flocking to places Brown mentions in the book. Regardless, worth a visit. The Scottish parliament was nice, people were nice… I’ve seen enough castles for a year or so, though. I also learned about Scottish history and now understand better the “situation” between them and the English. The Hogmanay on New Year’s Eve was canceled due to 70 mph winds, but that wasn’t a big deal.

When I got back I found out that a paper of mine had been accepted to a workshop, and I needed to produce a final version. Then our little “Tetris stunt” was picked up by some blogs and it went crazy from there… newspapers, radio… I’ll save you the details. It did, however, culminate in a Slashdot mention, which made us pretty damn happy.

Since no one is reading this very weblog anyway, I can say that there are more surprises to come on the “Tetris” front! Stay tuned.

exposed: online, people sometimes lie about themselves

Saturday, December 23rd, 2006

Todd Shriber contacted what may be considered random people online, soliciting them to hack into his former college and give his GPA a facelift. He gave them all his personal information, including his SSN, and some pictures of local squirrels the “hackers” required as “proof”. They, in turn, put the e-mail correspondence online, of course.

Turns out the idiot works as a communications director for a Montana congressman. He was later fired after his extracurricular contractual endeavors were publicized on sites like reddit.

So, two things. Firstly, not everyone who talks shop is an expert… this applies to real life too. Secondly, if people still have not realized that other people are not who they say they are (in real life too!), they deserve this kind of treatment. The more this happens, the more careful people will be about what they say or write, mostly in consideration of their future. In our world, where everything is recorded and archived, nothing is forgotten. Memory is cheap. Remember this when, in five years’ time, your potential employer asks you about the time you got drunk, busted, and jailed on New Year’s Eve, as you detailed with pride on your now moldy MySpace page. Old-school cool becomes new-school stupid.

Oh, yeah, some fucker stole my bike; the joy of living in Cambridge. Somehow, uncharacteristically to the island, no security cameras covered the scene.

building on privacy

Friday, July 21st, 2006

Through reddit.com.

Edit: I found the proper credit for the image… Clay Bennet… who appears to do great work!

conference clicks

Saturday, July 1st, 2006

Last week I attended most of the WEIS and PET sessions. The topic is a bit removed from my interests, but it was good to hear what is out there and chat with all the interesting people. The most valuable thing I learned, however, was that I am happy where I’m at, as far as research interests go.

I have a Dell Inspiron 9300 laptop, better described as a “desktop replacement.” It’s a great computer, but not for hauling around. I don’t take it to conferences or workshops; some of it has to do with the weight of the thing, but mostly, I believe that if I am somewhere, I should be fully there and give my undivided attention to the person on the podium–they deserve it.

As an experiment, I tried to tune out the speaker’s voice and listen to what I’ll call “conference clicks”; it’s quite astounding, you should try it. Looking around, I see that many people stare at their screens, meaning that they are not fully there; I can only imagine how the speaker feels (I have not spoken in front of this large a crowd before). I’d feel quite insulted, to be honest; I’d rather people not be there at all than not be fully there.

My solution? Cut the WiFi during sessions and have cabled ports outside the hall for people who choose not to attend the lecture. This may sound outrageous to some, but I think this is where we are headed.

To tie in one of my other rants, I’d ban laptops from business meetings too. When I am king/CEO, that will be corporate policy and I think this will become more wide spread soon as well.

Say no to “conference clicks”!

SHARCS and seat belts

Wednesday, April 5th, 2006

I was in Cologne, Germany for a few days attending SHARCS ’06, the Special-purpose Hardware for Attacking Cryptographic Systems workshop. It was great meeting people in the field, talking hardware and crypto and hearing the presentations. I came back with a few ideas for projects and increased motivation. I’ll have a more detailed and technical post on our group’s weblog in a couple of days. One notable hardware project is COPACOBANA: “How to Break DES for €8,980” [in 9 days] by Sandeep Kumar, Christof Paar, Jan Pelzl, Gerd Pfeiffer, Andy Rupp and Manfred Schimmler. It uses 120 low-cost Spartan-3 (XC3S1000) FPGAs from Xilinx.

I’d like to thank the organizers for providing for my attendance; it is much appreciated.

On a questionably related topic… why do taxi drivers never wear seat belts? I’ve taken enough taxi rides recently to notice that it is common practice even outside Israel (where no respectable taxi driver would be caught … wearing one). I mean, do they think statistics don’t apply to them? Physics? Does anyone have a good answer? Just wondering out loud here.

Israeli elections today

Tuesday, March 28th, 2006

In case anyone is interested (it seems most Israelis aren’t, judging by the turnout), Israel is voting today. I thought it would be nice to provide some details on how elections are done in Israel, purely on a mechanical level, no politics.

If you are over 18, you can register to vote. Once you do, you get a little certificate telling you where you can vote, usually a school or other public venue near your residence. You may only vote there. If you are a soldier, you vote at your base. If you are not present in Israel on the day of the elections, you cannot vote unless you were sent abroad by the country; in that case you vote at an embassy.

When you get to the polling station (there are observers from multiple parties present) you hand in your certificate with an ID (Israel has national IDs), are marked on a pen-and-paper list and are given a single blue envelope. You then go behind a cardboard screen set on a table that conceals most of your upper body. You are faced with a frame that has many compartments.

In each compartment lies a stack of rectangular pieces of paper with one to three Hebrew letters printed on them designating each party; there is also a blank stack so you can abstain. These letters may or may not correspond to the actual name of the party. For example, the “Labor” party has the designation אמת, which means “truth” or “true.” But this is more the exception than the rule. This year there is confusion between the “Kadima” party, with the designated letters כן that mean “yes,” and the “Green Leaf” party that promotes the legalization of marijuana, designated קנ, which is short for cannabis. Yes, these designations sound the same: “ken.” I doubt there will be an equivalent of the chad fiasco over this, although such confusions should have been thought of upfront. So, you are there, behind this cardboard… you pick one piece of paper of your choice, put it in the envelope and seal it. Then you come out and drop the envelope in a slotted box in full view. Then you leave. If there is more than one piece of paper in the envelope, or it is defaced in any way, your vote will not be counted.

As you noticed, the whole process is purely manual; there are no electronics involved or fancy punch machines. I, for one, think it is better this way. There is no reason to automate or complicate (i.e. jeopardize, open to mass cheating and coercion and so on) the process by introducing functions that are foreign to the voter; putting a piece of paper in an envelope is a universally simple task. If this means that manual counting will take a few more hours, so be it; it’s not a big deal, and there are exit polls for people who can’t wait for the real numbers. The only time we should consider electronic voting is when it can produce a paper trail that enables voters to verify that their vote was counted towards their chosen candidate or party, without opening them to coercion. We are not there yet, and frankly, I don’t think we ever will be. I can think of one powerful attack against most proposed systems: the cellphone camera.

England

Sunday, March 26th, 2006

Art by Banksy.

The Ha’ephratis confessed to all charges under plea bargain

Tuesday, March 14th, 2006

The couple who wrote the Trojan horse that was the tool of choice for numerous top Israeli companies to spy on each other confessed to all charges as part of a plea bargain. Ruth, the wife and distributor, took most of the blame, basically saying “What? Was this wrong? That’s news to me!”, and Michael, the author of the software, said “What? I was just playing around! Did my wife sell this crap? That’s news to me!” Before being extradited to Israel from the UK, they agreed to their prospective sentence; basically, this trial is a charade, a joke. Everything was preordained.

The prosecution asks for 4 years in prison for Ruth and 2 for Michael; both will pay $1M in damages.

Update/revision:

My prediction, promised by Richard… I had to revisit it in light of the potential attention, so here is rev. 2:

The issue here is that these crimes are not considered serious enough by the local population to warrant a long prison sentence; 4 years is a long time. While it was obvious from the beginning that most of the work was done by Michael and he should carry the load, they (as in Michael and Ruth) chose to make Ruth take most of the heat. This was, I believe, a strategy to get reduced sentences for both (the couple have a two-year-old daughter). So in practice they might get a couple of years in prison, but I don’t think either of them will sit in prison for more than a year. We’ll see if the judge accepts the plea on March 27th.

El-Al security on non-Israel-bound flights is a bit too much

Thursday, January 5th, 2006

… if this story by Vincent Cheung is mostly true (I should add that I disapprove of his own extra racial profiling.)

Then I see that in fact they opened up the router (which was in its box) and by doing so they voided the warranty on my brand new router!!!! (the warning sticker was broken)… Who cracks open routers!!!! The only reason I noticed was because they didn’t put it back together properly - one of the reset buttons was constantly being pressed.

That’s absurd. What he describes might be excusable or adequate for Israel-bound flights, but not for a leg of a code-sharing one. I usually don’t go through these checks because I carry an Israeli passport, but then again, I avoid El-Al when possible. This is for two main reasons: 1) they monopolize Israeli traffic by limiting competition using questionable/unfair means, so I don’t want to give them my business, and 2) they are always more expensive than the alternatives (at least in my experience). This story may add a third reason, because I hate it when my luggage is opened.

That said, what is El-Al’s alternative? A lax (or lax LAX, in this case :) check on the first leg and a more rigorous one on the second? After all, El-Al is a target on all its flights regardless of where they are bound. Maybe El-Al should only fly Israel-bound flights. No clear answer here.

In any case, it’s always a good idea to check who the operator is on a code-sharing flight — they all are these days. As an Israeli, I wouldn’t feel terribly comfortable on a Syriaair flight, you see.

oh yeah… happy new year!

Saturday, December 31st, 2005

I’ve heard that most people say 2005 was a bad year and they can’t wait for it to be over. We had a whole bunch of disasters and stuff to fill the plethora of “23 best” and “42 worst” lists that seem more abundant than in previous years.

CNN says 2005 was a “record bad year for tech security.” Their motives for hyping this issue are obvious: sensationalism and a back-up topic for disaster-free “lull time.” Schneier pointed out what logically makes sense: identity theft is over-reported and most stolen identities are never used. If Adam, Chris and Arthur* ever produce statistics for their “breaches” category, that would be more believable and useful than anything from the mainstream media. On the other hand, that media hype makes “security people” more employable, so I’m not sure where the balance is, considering my situation.

Oh yeah, don’t forget to impress your friends with your geek superiority by pointing out the critical leap-second delay before the countdown. You’ll be highly popular, the star of the party, and will surely get a kiss this year.

Have a good one.

* Updated 5/1/2006 to reflect correct distribution of credit.

Schneier quote

Tuesday, November 29th, 2005

The following quote is from Bruce Schneier’s weblog:

The police and the military have fundamentally different missions. The police protect citizens. The military attacks the enemy. When you start giving police powers to the military, citizens start looking like the enemy.

It’s a powerful statement that is worth noting. I’m still thinking about it.

Discuss.

“Don’t copy that floppy!”

Sunday, November 27th, 2005

In 1992, the “software publisher’s association” released this video to educate youth on the “hazards” of software piracy. It’s so early-90s it cracked me up. It tries to be hip with a rap theme… just watch it (the lyrics of the outrageous song are here.)

It contains all the basic arguments that we hear today about file-sharing:

1. Responsibility: Piracy will kill the industry because there will be no incentive for creativity (from the video: “welcome to the end of the computer age! booooha ha ha.”)

2. Sympathy: You are stealing from the nice artists/programmers who are working hard to produce a fine product for you (the video interviews three programmers and one lawyer.)

3. Threat: Piracy is illegal (video: “You can make one backup and install the software only on one PC.”)

4. Benefit: If you buy the product you get all the goodies (video: “you’ll get the manual and all…”)

Well guess what? The software industry is alive and is doing quite well. Music will also prevail.

hazards of on-line voting

Wednesday, November 16th, 2005

The lecturer from the last post had this cartoon in one of his slides. Although it’s a bit old, I had not seen it before.

anonymous voting in practice

Wednesday, November 16th, 2005

Yesterday we had a lecture about voter verification. In short, you go vote, you get a receipt, there’s some anonymizing action going on in the background, and something that matches your receipt shows up on a public bulletin board. You compare, and what you get is the knowledge that your vote was counted.

Now, I contend that this whole thing is purely academic, since it simply isn’t practical.

First, people don’t care whether their vote was counted if they don’t know who it was counted for! This is at least what I believe; correct me if I’m wrong. I don’t think any significant portion of the population would even check their receipts without having confirmation that their vote got to where they intended. Researchers should come up with a mechanism that achieves that while still keeping the vote anonymous. Sure, it’s tough, but anything less wouldn’t cut it. (I’m sure there are suggestions for this out there… one that I thought of is displaying a secret to voters in the booth for them to remember. When they get home they see 100 outcomes and can see their vote, and still point to another outcome for Jimmy, who paid them $20 to vote for Johnny.)

Second, no system would prevent coercion in the form of bribery. There will always be simple ways to circumvent the technological mechanism by exploiting human nature. Some people cheat; one can only hope that in elections the signal overcomes the noise.
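A toy model of the receipt-and-bulletin-board scheme sketched at the top of this post, written as an added example rather than as the lecturer’s protocol: the commitment (a hash over a random nonce and the vote), the shuffle-then-open step, and all names are simplifications chosen for illustration. It shows what a bare receipt proves (that a commitment is on the board, which anyone can audit against the published openings), the first complaint (the receipt on its own says nothing about who the vote was counted for) and the second one (once the voter holds the nonce, the published openings let a briber check the vote). Real end-to-end verifiable schemes avoid publishing openings in this form for exactly that reason.

```python
"""Receipt + bulletin board voting sketch: what the receipt does and does not show."""
import hashlib
import random
import secrets


def commit(vote, nonce):
    """Commitment to a vote; the voter takes this home as the receipt."""
    return hashlib.sha256(nonce + vote.encode()).hexdigest()


class Election:
    """Holds openings privately while voting is open; publishes only receipts."""

    def __init__(self):
        self.board_receipts = []     # public bulletin board, in casting order
        self.board_openings = []     # public after close, in shuffled order
        self._openings = []          # (vote, nonce) pairs, private until close

    def cast(self, vote):
        nonce = secrets.token_bytes(16)
        receipt = commit(vote, nonce)
        self._openings.append((vote, nonce))
        self.board_receipts.append(receipt)
        return receipt, nonce        # the voter keeps both

    def close(self, rng=random):
        """The 'anonymizing action': shuffle before opening, so the published
        (vote, nonce) list no longer follows the casting order."""
        openings = list(self._openings)
        rng.shuffle(openings)
        self.board_openings = openings
        tally = {}
        for vote, _ in openings:
            tally[vote] = tally.get(vote, 0) + 1
        return tally


def receipt_on_board(election, receipt):
    """All a receipt alone proves: the commitment was posted. Not who it was for."""
    return receipt in election.board_receipts


def audit(election):
    """Anyone can check that the openings re-commit to exactly the posted receipts."""
    reopened = sorted(commit(v, n) for v, n in election.board_openings)
    return reopened == sorted(election.board_receipts)


def vote_behind_receipt(election, receipt, nonce):
    """With the nonce, the voter (or a briber the voter shows it to) can find
    which published opening is theirs: the coercion channel the post warns about."""
    for vote, n in election.board_openings:
        if n == nonce and commit(vote, n) == receipt:
            return vote
    return None


if __name__ == "__main__":
    # Constructed three-voter election with the post's Jimmy/Johnny cast.
    e = Election()
    mine, my_nonce = e.cast("Johnny")
    e.cast("Jimmy")
    e.cast("Johnny")
    print("tally:", e.close())
    print("my receipt is on the board:", receipt_on_board(e, mine))
    print("openings match receipts:", audit(e))
    print("what my receipt reveals once I hand over my nonce:",
          vote_behind_receipt(e, mine, my_nonce))
```

Note that receipt_on_board needs nothing but the receipt and the public board, which is the check the lecture described; vote_behind_receipt needs the nonce as well, and a voter who is willing to sell the vote is equally willing to hand that over.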

casino cheating - technology makes it better

Sunday, November 6th, 2005

A “retired” professional casino cheater is giving his 2 cents on the use of technology to mitigate casino losses due to him and his like (like putting RFID tags in all chips). It’s insightful. In line with my fascination with unintended consequences, this rings very true:

Marcus argued that technology is still only as good as the casino’s workers, who he fooled for years. If cheaters don’t draw too much attention to themselves, quickly getting onto and then away from the table, it’s unlikely their records will be checked. “And even if they do check, I’d be long gone,” Marcus said. In fact, having technology to fall back on is actually making pit bosses and dealers less attuned to what might be happening right under their noses, he argued. “These people rely upon their technology too much,” he said. “There is no room for maneuver in their thinking. I don’t have to fool the camera or the technology, I only have to fool the dealer or his pit boss. If I fool them, the technology doesn’t come into play.”

(emphasis mine)

As with other examples such as this one, the eventual outcome will be more loss due to cheating, not less. Casinos will stop training their pit bosses to spot cheating until they notice the reverse trend. Meanwhile, creative cheaters will enjoy higher earnings.

my memory is fading

Thursday, October 27th, 2005

I’m getting older, I guess. Well, I know I am, since a monumental birthday is approaching. Argg, I wish I could skip it.

I’ve always been able to store all the events of the coming weeks in my head and never needed a calendar or a PDA. I hate carrying things around… especially things I need to depend upon. They always end up elsewhere when I need them… so I remembered pretty much everything I needed to know (dates, phone numbers, etc.)

Lately, I feel like I might not be able to handle it efficiently anymore, and I’d like to think that it’s because more is happening in my life (ahem!)

I figured the best thing to do is to have an online calendar. This way I will not haul anything around and will be able to access it from anywhere. But, of course, I am a “bit” concerned about privacy; potentially everyone and their grandmother would be able to know where I’m at. On the other hand, who gives a crap where I am, right? But that second argument still doesn’t let me sleep well at night.

Sooooo, does anyone know of a good and simple online calendar that can also cater to my developed sense of paranoia?