Tag Archives: security

Screening systems and the base rate fallacy
0

Screening systems and the base rate fallacy

| By | No comments yet

Kellan Elliott-McCrea has a great post about the high cost of false positives when it comes to building software that detects fraud, spam, abuse, or whatever. The cost of false positives is explained by the base rate fallacy. The BBC explains the base rate fallacy very well. Here’s a snippet:

If 3,000 people are tested, and the test is 90% accurate, it is also 10% wrong. So it will probably identify 301 terrorists – about 300 by mistake and 1 correctly. You won’t know from the test which is the real terrorist. So the chance that our man in the mac is the real thing is 1 in 301.

Anybody who wants to talk about screening systems without an understanding of the base rate fallacy needs to do more homework.

Security is a cost
1

Security is a cost

| By | One comment

At work, we’re switching things to encrypt a lot of information in our databases for security reasons. The project has been time consuming and painful, and in the end, our database is far less usable from a developer’s standpoint than it was before. Soon the days when I can quickly diagnose issues on the production system with a few well-placed SELECT statements will be a thing of the past.

As far as the implementation goes, I’ll tell Hibernate users who want to implement an encryption system that there’s only one way to go — UserTypes. Don’t bother with anything else.

What this project really has me thinking about, though, is the high cost of security. It ties into something from the Bill James interview that I linked to the other day. Here was his response to the question of whether we overestimate or underestimate the importance of crime:

We underestimate it, because it’s our intent to underestimate it. We only deal with it indirectly. We all do so many things to avoid being the victims of crime that we no longer see those things, so we don’t see the cost of it. Just finding a safe place for us to have this conversation, for example — we needed a quiet place, but before that, we needed to find a safe place. A hotel lobby is what it is because of the level of security. I’ve checked out of this hotel, but I’m still sitting here in the third-floor lobby, because it’s safe. When you buy something, it’s wrapped in seven layers of packaging in order to make it harder to steal.

I think that people are generally excessively afraid of crime but underestimate the day to day costs that crime imposes. In software engineering, we spend a lot of time and effort on security. If everyone were honest, we wouldn’t need passwords, encryption, or any of the other stuff that occupies a lot of time on every project. We’d still need to take precautions against damage caused by user error, but most of the hours we spend on security could be spent on other things.

The other cost of security, beyond implementation time, is the ongoing cost related to the inconvenience of security. Whether it’s the time we take to unlock our screen or set up SSH tunnels or deal with the fact that we have to decrypt data in the database in order to see it, it all counts. Security is almost always a form of technical debt.

In many cases security precautions are necessary (or even mandated by law), but it’s important to be vigilant and not add more of it than is necessary, because it’s almost always painful in the moment and forever thereafter.

The FBI does not understand Web hosting
4

The FBI does not understand Web hosting

| By | 4 comments

The New York Times has a report on an FBI raid that knocked some of my favorite sites offline yesterday. The FBI visited a colo facility and seized at least one full rack of servers leased by DigitalOne, taking down sites like Instapaper and Pinboard. Apparently they were going after a specific host but they had no idea how to seize only the hardware associated with that host, and in the age of virtualization, going after one VM could still cause many hosts to be taken down.

How Microsoft responded to Stuxnet
1

How Microsoft responded to Stuxnet

| By | One comment

John Borland at the Wired Threat reports on a talk by Bruce Dang, the engineer at Microsoft whose job it was to break down the Stuxnet worm. It’s an interesting look at exactly which vulnerabilities Stuxnet exploits, and how Microsoft’s security team broke down the problem.

A video of the talk will eventually be posted at the Chaos Computer Congress Web site. I’m going to try to remember to go back and watch it.

Update: Video of the talk is available here.

Everything you needed to know about backscatter
8

Everything you needed to know about backscatter

| By | 8 comments

Bruce Schneier has rounded up all the links on the backscatter X-ray scanners and related issues. Bullet points:

  • The health risks of the scanners are overblown.
  • The claims that the scanning/groping will make flying safer are even more overblown.
  • The deployment of these scanners has more to do with lobbying than with a rational evaluation of the best way to make flying safer.

In this piece (not yet linked by Schneier), TSA screeners surveyed say that conducting the more invasive patdowns makes their job worse. My inclination in the face of this new scanning is to request the patdown for exactly that reason. Walking through the machine imposes a cost on the person being scanned, and no cost on the person doing the scanning. The patdown sucks for the person conducting the patdown and the person being patted down. Seems more fair to me.

As far as predictions go, my guess is that the money has been spent and we are not likely to see the government back off on the scanning. As irritated as people are now, they’ll eventually come to accept it, and it will become one more permanent contributor to the horrible experience that air travel has become.

When should you change your passwords?
0

When should you change your passwords?

| By | No comments yet

One of my closely held beliefs is that expiring passwords reduce rather than increase security because the more often you have to change your passwords, the less likely you are to remember them. That is offset by the fact that people tend to use one password everywhere, so if you force people to change them, that pattern can be broken to some extent.

This week, Bruce Schneier has an essay on the subject. Here’s his bottom line, but read the whole thing:

So in general: you don’t need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you’ve shared a computer with, change them all.

Blizzard continues to innovate on the security front
14

Blizzard continues to innovate on the security front

| By | 14 comments

It would probably surprise people to learn that Blizzard, a game company, provides better security options for players of its games (World of Warcraft and now Starcraft) than nearly all banks and financial services companies do for their customers. The problem Blizzard faces is that people steal World of Warcraft accounts all the time, either to use the characters to farm gold, or to just strip all of the cash and things that can be sold from the account and pocket the cash.

A number of methods are used to steal passwords, including phishing, catching the passwords using key loggers, and just brute forcing them. Blizzard’s first big attempt to solve the problem was to give users the option of protecting their account using two factor authentication — their password and an authenticator that is tied to the account. The authenticator is a key fob (or an phone app) that generates a number every few seconds that must be entered in order to log in. Once an authenticator is tied to your account, getting your password stolen is no longer a problem.

Despite the fact that the authenticator app is free and the physical authenticator only costs $6, many players do not use them, and accounts still get stolen all the time. Indeed, account thieves almost always attach their own authenticator to compromised accounts as soon as they’ve been compromised, making it that much more difficult for players to get them back. (I shudder to think about how much money Blizzard spends dealing with account theft.)

To enable players who haven’t gotten an authenticator to secure their accounts, Blizzard has introduced a dial-in authenticator. With it, you can assign a phone number to your account. If there’s something unusual about an authentication attempt, you will be required to dial in to a toll free number from that phone and enter a PIN in order to log in successfully.

There’s bound to be an interesting article written about the economics of account security that explains why Blizzard finds it more worthwhile to implement robust authentication solutions when so many businesses that are susceptible to financial fraud do not. Are people that much more likely to steal your World of Warcraft characters than they are to steal your Amazon.com account and use the credit cards you’ve saved there? Or is it that people are more willing to go to extra trouble to secure their game accounts?

Update: There are lots of smart comments about this at Hacker News as well.

The growing misperception of HTML5
4

The growing misperception of HTML5

| By | 4 comments

Today the New York Times Opinionator blog ran a piece by Robert Wright made the following assertion about HTML5:

In principle, HTML 5 will allow sites you visit to know your physical location and will make it easier for them to keep track of your browsing and shopping history.

That assertion is based on this news article from the Times, which says:

In the next few years, a powerful new suite of capabilities will become available to Web developers that could give marketers and advertisers access to many more details about computer users’ online activities. Nearly everyone who uses the Internet will face the privacy risks that come with those capabilities, which are an integral part of the Web language that will soon power the Internet: HTML 5.

All of this talk is about one piece of HTML5, client storage. For the details, check out Mark Pilgrim’s chapter on local storage in Dive Into HTML5.

There are two points to make. The first is that Web sites won’t have access to any information that they don’t have already already. In that sense, the talk about “access to many more details” is misleading. It’s not that Web sites will have access to new information, but rather that they’ll have a new place to store information that they already collect that may make it more convenient for them.

For example, if I don’t share my current location with FourSquare, they won’t suddenly be able to retrieve it if I use a browser that supports local storage. However, if I do give them access to my current location, they could store it in local storage on my own computer rather than using their own resources to store it on their server. In that sense, the information may suddenly be worth storing and easier to access, but it’s information they could already obtain and store on their own servers if they chose to do so. This aspect of local storage subjects users to no real risk beyond the risk already posed by cookies or other vectors for storing information about users.

What’s really gotten people wound up is evercookie (mentioned in the New York Times story), a proof of concept that demonstrates how the variety of ways Web sites can store information on the client can be exploited so that it’s nearly impossible to delete tracking cookies. Browser cookies are one way to store information on the client, as is local storage. Flash Local Shared Objects (also known as Flash cookies) can also store information on behalf of Web sites on your computer. evercookie uses a number of other methods for storing information as well. The nefarious thing about it is that when the information is deleted in one of these locations, evercookie replicates it again from another location where it is still stored. So if I delete my browser cookie, evercookie will copy that information from Flash and put it back in place. If I delete the Flash cookie, it will look in one of the other locations where it stashes information and copy it back again.

Using tricks like this to make it difficult for users to prevent Web sites from tracking them is unethical. Web sites who take this approach should be classified as spyware. But the existence of these techniques has nothing to do with HTML5.

What concerns me is that we’re on a path toward HTML5 being perceived negatively by regular users because the only thing they’ve heard about it is that it is likely to compromise their privacy. This perception could become a major stumbling block on the road to wider usage of browsers with HTML5 support. As developers, it’s important to educate users and perhaps more importantly, the media, so that people don’t conjure up risks where they don’t exist and damage the HTML5 brand in the process.

Your password should not be “password”
7

Your password should not be “password”

| By | 7 comments

Today I got to look at the user table in an application with passwords stored as plain text. Out of around 7100 users, over 170 have the password “password.” Around 10 other users had heard that your passwords should contain letters and numbers, and thoughtfully chose the password “password1.” Needless to say, this application should probably store hashes of the passwords rather than storing them in plain text and also use some basic test of strength for the passwords that requires more than just lower case letters. What the experience left me with, though, was a burning desire to thwart users who specifically want to use the word “password” or any variation thereof as a password. I even want to create a special error message just for them, just to let them know that their combination of laziness and cleverness is not appreciated.

Here’s a regular expression that matches many, many variations on the word password:

/^p[a4@][s5][s5]w[o0]rd(\d*|\W*)$/i

You too can stamp out the blight of your users using “password” as their password.

Update: Accounted for people who substitute the letter “s” with the number “5.”

Update: Now “p@ssword” is not allowed, either.