Collection of data is not the only problem
November 13th, 2014 under Digital Rights, InfoSec, Life, Politics, rengolin. [ Comments: none ]

What the NSA has taught us is that mass surveillance is not as hard as people used to think. Other governments, and most commercial companies, do that, too. With the advent of smartphones we’ve learned to ignore most of that for the sake of convenience, and most of the time, it’s ok.

It’s true that the bulk surveillance from governments can spark enough false positives to make people worried, or that Google and Facebook are using your personal details to make a bucket load of money, and some others are selling those details, sometimes not even realising.

When you think of all the power that the government can wield with your data, or all the money that big corporations are making with your personal information, it’s not surprising to think: “where’s my share in this?”. Some people have even tried to evaluate how much you would get for selling different types of personal information to corporations. But is that the real question that we should be asking?

Should we be concerned with what data we leak and try to minimise it, or should we really be thinking about what they can do with that information? Of course, any answer will be a mix of both (since not all investigating parties are well intentioned or law abiding), but limiting the powers of governments and corporations can go a long way towards making the data useful but not harmful.

Privacy

I said this before and I still maintain my position that no one has ever had privacy. Parents have eavesdropped on their kids’ behaviour since the dawn of humanity as a way to grow them into responsible adults. The concept of “being responsible” has changed over the millennia, but parents have not.

Law-making and law-enforcing bodies have eavesdropping as their primordial way of acquiring information. Since people normally only do bad stuff when no one is looking, expecting the police to use only highly visible methods of enquiry (such as asking in person or patrolling an area) becomes impossibly expensive very quickly. It is true that random checkpoints, fake speed cameras and signs do help awareness, but that’s also not optimal from a monetary point of view.

Privacy also goes against any common sense in the outside world. If you take a bus, everyone on that bus knows you’re there, even if they don’t know who you are. If there is a picture of you on the bus saying “wanted, dead or alive”, they will see you and report you. There’s little you can do besides hiding and never showing your face again. Famous people (actors, etc.) have the same problem, and the solution is pretty much to hide.

Data

The data you “leak” is also the data that defines you. Where you have been, what you like, where you work and live, what food you eat and what you do on Saturdays. Collecting that data and providing a service on that is actually extremely beneficial to you. The problem is who has access to that information.

Tesco knows what I need to buy better than I do. They send me vouchers with discount on fresh mozzarella cheese, fresh basil and fresh tomato on the vine. They know I love Caprese salad, and I actually like Tesco knowing that, because I get a slightly cheaper Caprese salad once in a while.

Google Maps knows where I live and work, so that when I’m going home I can just say: “Ok Google, go home”, and it does the rest. If I didn’t share that kind of information with Google, it would never be able to do what I want it to. Examples like that are everywhere, and each company must have access to a wide range of data about you (location, shopping habits, browsing habits) to be able to do so. It’s an unavoidable fact: you need enough data before any pattern can be found.

Legality

The real problem here is what companies end up doing with your data, and how well they protect it from malicious outsiders. Even if the company is benign, once it gets hacked, your bundle of personal data, which is enough to infer pretty accurate patterns about your personal life, is out there. Who knows what the attackers will do with that?

Another problem is blanket approvals to bypass any legal system and arrest, judge and execute individuals solely based on bulk surveillance patterns that are known to generate an immense number of false positives, not only because the algorithms are inexact, but because the people filtering and creating the rules don’t possess enough knowledge to know what they’re looking for in the first place.

Finally, what happens if the benign company that provides you an invaluable service is suddenly acquired by an unscrupulous one? Can the reach of the service widen based on the parent company’s privacy policy? Or is the data protected the way source code is protected when it’s licensed as open source under, for example, the GNU GPL?

Solutions

So, a pragmatic view on surveillance should attack the problem of the legality of actions on data, not just the legality of acquiring data in the first place. The legal system can already cope with that: for instance, when evidence is found via illegal means (an unapproved wiretap or microphone), it cannot be used against the accused. The “Patriot Act” changed all that in the US, and in other countries, and that’s the first thing that has to be changed back to a sane standard. Governments should never have the ability to bypass the judicial and executive system based on *any* collected data, especially if it was collected in bulk and matched against irrelevant patterns.

Another topic that needs addressing is licences on data, especially data collected for the purpose of providing personal services. There are licences that cover open data, such as Creative Commons, but these cannot be applied to private data that a company has access to with the sole purpose of providing a service. Each company has a different privacy policy and the EFF has great tools to monitor them all, but all of that is solely dependent on the company’s ethics.

A change of the board, or the managing directors, or even an acquisition, is enough to pervert the privacy policy and turn the data they already have on you (which you can never delete any more) to their benefit. What we need is a data licence that is not open (since it’s private data), but that is protected in the same way against future changes.

There may be cases for more or less stringent licences (like GNU vs. BSD) for different uses, but once they’re standard licences, we wouldn’t need to read every single privacy policy of every company every time they change some minor wording; we’d know what kind of freedoms and guarantees we’re getting, and companies wouldn’t have the right to subversively change them.

Finally, there should be a guarantee in the licence that the company is required to store such data in a protected way, following a set of standard cryptographic techniques and solutions, and there should be a clause on how they would destroy the data at the first sign of intrusion. To compensate for the total loss of service that such destruction would cause, they must store such data in different locations, using different techniques and keys, distributed across multiple locations, so that destroying one copy does not take the service down for everyone.
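The storage clause above, worked through as an added example (this is not code from the original post): each location holds its own copy of a user’s record, encrypted under a key that only that location’s key service has; an intrusion at one location is answered by destroying that location’s key (crypto-shredding), which makes the ciphertext left behind unreadable while the other locations keep serving the user. The cipher used here (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is chosen only so the example runs on the Python standard library; a real deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305. The location names, the record and the `DistributedStore` API are assumptions of this example, not anything the post specifies.

```python
"""Per-location encryption with crypto-shredding, standard library only.

Each location keeps its own copy of a record under its own key. Destroying one
location's key destroys only that copy; the remaining locations keep serving.
The HMAC-SHA256 counter-mode cipher below stands in for a real AEAD (AES-GCM)
so the example runs offline. Location names and the record are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NONCE_LEN = 16
TAG_LEN = 32

def _subkeys(master: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, cut to length."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per call."""
    enc, mac = _subkeys(master)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc, mac = _subkeys(master)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed: tampered blob or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))

@dataclass
class Location:
    name: str
    key: Optional[bytes]  # held by this location's key service, never beside the blobs
    blobs: Dict[str, bytes] = field(default_factory=dict)

class DistributedStore:
    """Replicate every record to all locations, each copy under that location's key."""

    def __init__(self, location_names: List[str]):
        self.locations = {n: Location(n, secrets.token_bytes(32)) for n in location_names}

    def put(self, user_id: str, record: bytes) -> None:
        for loc in self.locations.values():
            if loc.key is not None:  # a shredded location no longer accepts data
                loc.blobs[user_id] = encrypt(loc.key, record)

    def readable_copies(self, user_id: str) -> int:
        return sum(1 for loc in self.locations.values()
                   if loc.key is not None and user_id in loc.blobs)

    def get(self, user_id: str) -> bytes:
        for loc in self.locations.values():
            if loc.key is not None and user_id in loc.blobs:
                return decrypt(loc.key, loc.blobs[user_id])
        raise LookupError(f"no readable copy of {user_id} left")

    def intrusion_detected(self, location_name: str) -> None:
        """Crypto-shred: drop the key; the ciphertext that remains is now noise."""
        self.locations[location_name].key = None

def demo() -> Dict[str, object]:
    store = DistributedStore(["eu-west", "us-east", "ap-south"])  # constructed names
    record = b"user=u1;likes=caprese salad;shops_at=tesco"       # constructed record
    store.put("u1", record)
    before = store.readable_copies("u1")
    store.intrusion_detected("eu-west")       # one site breached: shred its key only
    after_one = store.readable_copies("u1")
    still_served = store.get("u1") == record  # served from a surviving location
    store.intrusion_detected("us-east")
    store.intrusion_detected("ap-south")
    try:
        store.get("u1")
        lost_after_all = False
    except LookupError:
        lost_after_all = True                 # every key gone: the data is destroyed
    return {"before": before, "after_one": after_one,
            "still_served": still_served, "lost_after_all": lost_after_all}

if __name__ == "__main__":
    print(demo())
```

Running the file prints the result of `demo()`: three readable copies, two after one location is shredded with the record still served, and no readable copy once every key is gone. The point of keeping the key apart from the blobs is that a breach of the data store alone yields only ciphertext, and "destroying the data" becomes a single key deletion rather than a scrub of every replica.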

It may seem daunting for small companies providing small services, but so did cheap, scalable storage and hosting until Amazon created AWS and all the others followed suit. If there is a demand, someone will create the solution. That has been the human response to everything since we came down from the trees to conquer the planet, and we won’t stop here.

Conclusion

It’s not the data, it’s what governments and corporations can do with the data, and how to protect it from malicious parties.


Google knows what you searched last summer
March 3rd, 2012 under InfoSec, rvincoletto, Web, World. [ Comments: 3 ]

Despite all the controversy, Google put its new Privacy Policy into effect last Thursday, and whether you like it or not, you are being watched.

Being realistic, this is not far from what they were already doing: Google already tracked your searches, what you watch on YouTube and your emails.

But before March 1st, Google Plus, YouTube, Gmail and almost 60 other Google products were in different databases. With this change, the Google guys are giving themselves the right to put all those products in just one big place, and to put one and one and one together to build a better and more complete picture of YOUR online behaviour. And to use it to chase YOU with their ads.

And you can’t opt out. If you want to use any Google product you are under their privacy policy.

It would be nonsense for me to tell you to stop using Google products. Almost everything you do on the internet today, from searches and emails to finding a street and comparing product prices, is somehow done through a Google product or related to one.

But you can at least reduce the amount of information that Google will be able to collect from you.

You can, for instance, delete your Google history by going to https://www.google.com/history/ and clicking the button “Remove all Web History”.

You can also configure your advertising settings here: https://www.google.com/settings/u/0/ads/preferences/

You can edit your settings or even opt out.

 

Another way to “confuse” Google is to create a different account for each Google service (if you can keep up with all the usernames and passwords).

Or, when watching a video on YouTube or searching the Web, make sure you are not logged in to your Google account.

There is also the possibility of using browser plugins that work to protect your data, or even anonymous proxies.

But the truth is, as soon as you type into your computer, click anything, visit a page, talk through Skype, or even talk on a telephone (mobile or fixed), those who want to can spy on you.

At least now Google is coming clean and telling you that they are spying on you. It makes better sense to me than living in a fool’s paradise, where you still believe that you have control over your life.


Acceptable
February 8th, 2010 under InfoSec, Life, Politics, rengolin, Science. [ Comments: none ]

A long time ago I read an article about some dangerous psychological studies in the 70’s. It’s funny to think that, at that time, things that we wouldn’t even consider doing were acceptable.

Can you imagine yourself with a periscope, counting the seconds truck drivers take to piss in a public toilet? Or pretending to rape a girl and risking getting shot (especially in the US)? It’s not just ethically incorrect, it’s dangerous!

Recently, I read an article about some students monitoring 350 million mobile calls just to figure out whether the callee would call you back. Not only would that have been nonsense in the 70’s, but people would have exploded in rage, as it would have been just enough to prove all the conspiracy theories of the time (not to mention the cold war).

This is not the first piece of research using “unnamed” data from carriers or websites, nor will it be the last. I myself proposed something similar to Yahoo! when I worked there, to get the trends and act on the average (rather than tag individuals), and I see now that it’s becoming acceptable to allow research groups to openly read entire databases that were previously considered private.

I don’t particularly dislike this type of research, especially when it’s done by universities, but a slight feeling of paranoia creeps up my spine sometimes. I guess that’s one of the issues that is dividing people into two very distinct groups: those that ignore privacy completely for the sake of comfort, and those that ignore comfort for the sake of privacy.

I am in between the two groups, but I can’t say I’m exactly average. I think I’m an extremist on both sides. I don’t mind storing my private emails on Google, but I disable all Facebook add-ons and restrict access to all my personal data. I pay for everything on the internet with my credit card, but I’ll refuse to the end of my days to use the biometric passport or iris recognition at airports.

There is no logic, really, it’s just the kind of thing you stick with. It is true that governments have more power to dig into your data when they want, while Amazon will probably only have my credit card number. But it’s also true that no government in the world can dig into everyone’s data all the time, so it’s pretty improbable that someone is monitoring how many times I cross the Heathrow border.

In the end, only one thing stands out as logical in the whole scene: in recent years, it was far more likely for the government to lose the banking details of everyone in the country than for some hacker to break into Amazon to get my credit card number. Maybe that’s what’s keeping me from accepting IDs and biometric passports… or maybe I never will…


Smart Grid Privacy
December 2nd, 2009 under Digital Rights, Distributed, InfoSec, Politics, rengolin, World. [ Comments: 1 ]

I have recently joined the IETF Smart Grid group to see what people were talking about and to put my fears on security and privacy to rest. What I saw was a bunch of experts discussing the plethora of standards that could be applied (very important), but few people seemed very interested in the privacy issue.

If you look at the IEEE page on Smart Grids, besides smart generation / distribution / reception (very important) there is a paragraph on the interaction between the grid and the customers, which is very careful not to mention invasive techniques that would allow the grid to control customers’ appliances:

“Intelligent appliances capable of deciding when to consume power based on pre-set customer preferences.”

Here, they focus on letting the appliances decide what will be done to save power, not the grid or the provider. Later on, in the same paragraph:

“Early tests with smart grids have shown that consumers can save up to 25% on their energy usage by simply providing them with information on that usage and the tools to manage it.”

Again, stressing that the providers will only “provide [the customer] with information”. In other words, the grid is smart up to the smart meter (which is controlled by the provider); inside people’s houses, it’s the appliances that have to be smart. One pertinent comment from Hector Santos in the IETF group:

“Security (mostly privacy) issues, I believe, have been sedated over the years with the change in consumer mindset. Tomorrow’s (and to a large extent today’s) generation of consumers will not even give it a second thought. They will not even realize that it was once considered a social engineering taboo to conflict with user privacy issues.”

I hate to be a pessimist, but there is a very important truth in this. Not only are people allowing systems to store their data for completely different reasons, but they don’t care whether the owner of the system will distribute their information or not. I myself, always paranoid, have signed contracts with providers knowing that they would use and sell my data to third parties. British Telecom is one good example. He continues:

“Just look how social networking and the drive to share more, not less has changed the consumer mindset. Tomorrow engineers will be part of all this new mindset.”

There is no social engineering any more like there used to be. Who needs to steal your information when it’s already there, on your Facebook? People are sharing willingly, and a lot of them know what problems it may cause, but the benefit, for them, is greater. Moreover, millions bought music, games and films with DRM, allowing a company to control what you do, see or listen to. How many Kindles were bought? How many iPhones? People don’t care what’s going on as long as they have what they want.

That is the true meaning of sedated privacy concerns. It’s a very distorted kind of selfishness, where you don’t care about yourself as long as you are happy. If it makes no sense to you, don’t worry, it makes no sense to me either.

Recently, the Future of Privacy Forum published an excellent analysis (via Ars) of smart grid privacy. Several concepts whose dangers are easy to understand have become things people don’t think about, or even consider a silly worry, given that no one cares anyway.

An evil use of a similar technology is “Selectable Output Control”. Just like a Kindle, the media companies want to make sure you only watch what you pay for. It may seem fair, and even cheaper, as they allow “smart pricing”, like some smart-grid technologies.

But we have all seen what Amazon did to Kindle users, or Apple did to its App Store, taking down content without warning, removing things you paid for from your device, allowing or disallowing you to run applications or content on your device as if you hadn’t paid enough money to own the device and its contents.

In the end, “smart pricing” is like a tax cut: they reduce tax A, but introduce taxes B, C and D, which double the amount of tax you pay. Of course, you only knew about tax A and went happily about your life. All in all, nobody cares who or how much they pay, as long as they can get the newest fart app.


Online gaming experience
August 15th, 2009 under Fun, Games, InfoSec, Media, Politics, rengolin. [ Comments: none ]

Why is it so hard for the game industry to get the online experience right? I understand the media industry being utterly ignorant about how to make sense of the internet, but gaming is about pure fun, isn’t it? The new survey done in the UK is more than proof of the obvious fact that people will use all the resources of the internet to get what they want, whether it’s illegal or not.

After all, who defines what’s legal and what’s not? The UK government has already said that it’s OK to invade one’s privacy in the name of general security, even when everybody knows that no government has a clue about what security is and what it’s not. Not to mention that the Orwellian attitudes of certain US companies seem not to raise any eyebrows from the local government or the general public…

That said, games are a different matter. Offline games still need to have some kind of protection, but online games should rely on online commerce, and that can only be complete if the user has a full online experience. So, what do I mean by a full online experience?

You don’t always have access to your own computer. Sometimes you have just a remote connection, sometimes only your mobile phone or a web browser. Sometimes you have an old laptop with no decent graphics card, and sometimes those golden times when you have a brand new game machine with four graphics cards. 10 years ago, mobile phones were not what they are today, but even though my current mobile has a 3D graphics chip in it, it’s closer to the low end when compared to desktops or even laptops.

So, what’s the catch? Imagine a game that you can play, exactly the same game, irrespective of where you play it.

There are lots of new online games, so-called ORPGs (online RPGs) or their bigger brothers (MMORPGs, massively multiplayer ORPGs), but all of them rely on a Windows machine with OpenGL 2 and DirectX 10 to play, even though not half of them really need that kind of realism to be fun.

Moreover, when you’re on the toilet and you want to keep playing your battles, you could easily get your mobile and use a stripped-down version with few graphical elements but the same basic principles. When you’re at your parents’ and the only thing you have is dial-up, you could connect via SSH and play the console version. At least to manage your stuff, talk to your friends or plan future battles.

The hard part in all this, I understand, is to manage different players playing with different levels of graphical detail. Scripts in online games are normally prohibited because they make cheating too easy, and that would be the way of battling via an SSH connection… Players with better graphics cards would have the advantage of seeing more of the battlefield than their friends on a mobile phone, or even of using a much better mouse/joystick and a much bigger keyboard (shortcuts are *very* important in online gaming).

With the new mobiles and their motion sensors and GPS interfaces, that wouldn’t be such a big difference, as you could wave the mobile to have a quicker glance and even use voice control for some features, which still lacks support on the desktop but is surprisingly popular on mobile devices. All in all, having at least three platforms, high-end and low-end graphics plus a mobile version, would be a major breakthrough in online gaming. I just wonder why game makers are not even hinting in that direction…

The console version is pushing a bit, I know, I just love the console… ;)


Net neutrality
May 29th, 2009 under Digital Rights, InfoSec, Life, rengolin, World. [ Comments: none ]

Since the early days (millions of years ago), the human race has been watched. Not by any sort of god or alien race, but by itself.

During the cave age, human-apes lived in groups. Either in trees or proper caves, they were all together. It was, then, pretty impossible to do something and not be noticed. If you wanted to enjoy the sunset while all the others were working hard on protecting the cave, you’d be spotted. If you took someone else’s wife for a ride, people would know.

Empires came and went, and the only relief they brought for that was the number of unknown people around you. People would know you in your neighbourhood, but you could go a few blocks away and you’d be a total stranger. Moving cities was even better, but that was nothing you couldn’t do during the cave age.

Even with the ability to change homes, during your stay in a particular place, you are being watched. Not all vigilance is bad, though. Some might learn that you like football and invite you to the local team. Others could notice you left your door open and warn you, or even babysit your children.

Whenever you interact with people, you invariably leave a trace. If a policeman asks your neighbour where you have been, he’ll probably have a good hunch, and that will probably help the police find you. The only thing that matters, really, is whether you’re lost (and need finding) or running away.

The Internet is a much bigger place than any city or country, and it’s far easier to go on without being noticed. But, as in real life, people are watching. Sometimes for good, other times for bad, and that doesn’t make the Internet any different from the real world.

If you come to my house, I’ll remember. When you visit websites, your IP and the page you visited are logged on their servers. We eventually forget your visit, if you were not that important, or clear old logs from the server, but for a while, you are there.

Being logged on a server is no different from being remembered, and that’s hardly a bad thing. What is bad is what you do with that piece of information. And for that, it doesn’t matter if you’re on the net or at my house: it’s a violation of your freedom for me to use that information solely for my profit. Hiding behind proxies is not the way to go, because that only pushes your freedom even further away.

So, what is neutrality?

Net neutrality is giving people the freedom to do whatever they want, whenever they want, and not capping their ability for profit or legal reasons. This may seem dangerous: if someone is trying to do harm, the chance they’ll succeed is big, but that is also the case in real life. Suicide bombers, for instance, always manage to blow themselves up and no one can do anything about it.

Well, they can, and that leads us to a much worse scenario: Guantanamo Bay. Capping everyone’s connections and inspecting everyone’s packets because some will abuse them is against human rights. The same goes for locking people in far-away prisons without any charge just because there was a hunch that they would do something wrong at some point.

Society is complex and evil. Freedom comes with a high price: harm. If you start guessing who’ll do the wrong thing and punishing them before they do, you can surely save a lot of harm from being done, but you’ll also harm lots of innocent people beyond the point of no return. Your society will be as bad as the quality of your guess.

So, judging people for the crimes they have committed won’t change the harm they have done, but will save the lives of people that didn’t commit any crime. Crime is part of nature. Not human nature, but life itself. It’s not possible to stop it once and for all, it’s not possible to accurately predict when it’s going to happen, and the outcome of trying is far worse than not trying, so don’t even start.

Not only that, but this guesswork gives permission to certain people (or groups) to bend the logic for their own profit. That’s the case of recording companies and the fight against copying and borrowing. That’s the case of idea patents and the inherent inability to think. That’s the case of all major wars since the second world war (and probably many more before that).

Guessing about people’s freedom is evil; not even hideous crimes are that evil.


Spam is good for you
April 27th, 2009 under Digital Rights, InfoSec, Life, Media, Politics, rengolin, Web. [ Comments: none ]

Spam is good for you, or at least better than you may think. Spam accounts for three quarters of all emails sent worldwide, and some have even attached a carbon footprint to it (and here is one of the reasons why that’s nonsense). But it’s good for you in ways that don’t meet the eye very easily, and very few people would even consider it good in the first place.

Not only emails: think of how much of the regular mail you receive is really worthwhile and how much is spam; it’ll probably account for three quarters as well. How much of that is really malicious, how much really hurts you so badly that you’d put the sender in jail for it?

Sure, spam is a nuisance, sure it gets in the way of real work, but what cost are we, the society, willing to pay to eradicate the problem? Well, let’s take a look at how spam really started…

Local business

You’re a window cleaner and recently moved to Shlobershire, to a very quiet little village. How would you let people know about your business? You could go on talking to each one of the local residents, but that’s a nuisance, so you print some pamphlets and post them through everyone’s door.

Some will read it and call you, some will be pissed off, but most will just ignore you. You’ll figure out pretty quickly who got pissed off (if you live in a small village you know that already), but then you buy them a pint and everything is settled.

What’s the final cost? A few pamphlets, a couple of pints, and you got two great things: one or two windows to clean and the whole village knowing who you are. This is, by far, the cheapest marketing ever. The rest of us who can’t afford a real marketing campaign have to find ways to promote our business.

With all the fuss about global warming, organic farming and fair competition in business (if there is such a thing), we want to promote and use local business more than big brands. We’re losing creativity, diversity and quality if we don’t.

ROI

Just like the local business, some people can’t afford big marketing campaigns. Either because they’re poor or because their business is not quite legal in every country.

So, why do people still send those stupid, ill-edited, loosely formatted emails, even when it’s obvious what they want? Who wants pills, fake degrees or to enlarge their penises? Well, apparently some do, and they do reply and may well get what they want!

The return on investment is much, much better than most marketing campaigns. Take Microsoft’s campaign with Jerry Seinfeld or the “I’m a PC” thing. It was the most expensive piece of crap ever done. Seriously, I prefer spam to that!

The return rate is very low, one reply in millions of emails, but if they send billions of emails, go figure.

But that’s clearly bad, isn’t it?

Well, illegal activities are bad, of course. Either online or offline, drug dealing is bad, banking scams are bad, but not all spam is a scam or a drug selling point.

First, people receive so much spam from normal companies (even those they have explicitly opted out of), including broadband providers, software, telephone and TV companies, etc. etc.

The smaller companies are still sending physical spam, and it’s probably working much better than the electronic kind, but that’s the deal: it works and it’s cheap.

Second, what’s really illegal? Is downloading music you haven’t paid for illegal? What if you will pay later? What if the author allowed you to? Is ripping your CDs to MP3 to listen to in your car illegal? You have paid for them already!

Google has become the target of many accusations of illegal behaviour because they host a number of websites, videos and personal profiles on social networks. If people started to massively upload child pornography to YouTube, would the Google guys be in jail? I bet my little finger they wouldn’t.

The RIAA kills a kitten every time you download (or rip) a CD, while governments detain people for years in maximum security prisons without a single charge; what’s really legal?

Pirate Bay scam

I still don’t believe it happened, even though it was in all the major newspapers for a week, but the Pirate Bay guys actually got a jail sentence for owning a website that allowed people to share files. They’re not criminals, they’re not killing people or (more importantly) getting in the way of the course of business (after all, money is more important than people’s lives nowadays). They just set up a list of things.

File sharing is one of the biggest revolutions of the recent internet, and more and more people are asking the industry to finally adopt the technique rather than fight it. Whether they like it or not, it will prevail.

What is worse: a few old ladies downloading very old music (unavailable from any shop in the world), or the fear that the recording industry instils in most governments today, which allowed such a scam to ever become reality?

One mistake does not justify the other, but many (sane) people are already saying: stop fighting reality, come back to it, be part of it.

You can’t fight them, help them!

I can’t imagine a world where we wait for people to deliver a pamphlet so we can handcuff them, or where someone is jailed for listening to music through his player’s speakers. Unfortunately, we’re not that far from it.

Why does spam work? Because there isn’t any other way for those people. Yellow pages? Who reads them? Newspaper advertisements? Banners? People got used to them and ad-block them automatically. Our brains are trained to ignore them; it’s just not effective any more.

Some companies say they can provide a much better ad experience for users by spying on their lives more closely than their lovers do. I would object to that approach…

There are many (free) systems for local business, but none of them seem to cut it. Maybe because people are always trying to get money in return (weird world, isn’t it?) and end up putting the paid ads bigger, more colourful and on the front page, and leave the real local businesses somewhere between the marriages and the obituaries.

I have no idea how a system would get rid of spam once and for all, and it’s not my cup of tea to think about it, but I’m sure there are many people who could tackle this problem; they just need a bit of money (from the government) and time. It’s not a matter of filtering emails, it’s a matter of removing the need to send them in the first place!

If governments are really worried about spam, let them be creative and help freedom, privacy and good relationships rather than the totalitarianism we’re seeing around the world.

A new world is rising, new machines are coming to life much faster than most governments would like, and the digital handcuffs are showing that none of them understand a bit of what’s going on. All blind, living in their caves watching the shadows on the wall. Whoever cries wolf is right, for no one knows what the wolf really is or where it is. Technology is like children: the more oppressed they are, the more you lose control over them.

Einstein didn’t go to the US because he liked the land of freedom; he moved because he hoped (in vain) that they would know how to use wisely the technology he knew how to build. He knew that others would be able to build it, and that it was just a matter of time before a bomb was actually available. Holding it back was not the answer, and he knew it.

I just hope people figure it out sooner rather than later, or 1984 will seem like a pretty boring fairy tale for our children…


Genome
March 24th, 2009 under Biology, Digital Rights, InfoSec, Life, rengolin. [ Comments: none ]

Would you give away your genome to research? It’s a bit tricky to define what kind of research and who will have access to it to do what…

I would kindly give mine, if it were licensed under the GPLv3.


Gates the Hutt
February 14th, 2009 under Computers, InfoSec, rengolin. [ Comments: 1 ]

Jabba the Hutt

Bill Gates might not be heading Microsoft any more, but his legacy (through his stupid padawan, Ballmer) still remains.

Not only are they careless when writing bogus software, not fixing security holes and creating useless solutions to help you protect yourself; now they’re using the money you pay (if you do buy Windows, anyway) to set bounties for the capture of the creator of the new worm.

It might just work, of course. Worm writers are normally bounty hunters themselves. Like Greedo, they might end up capturing Han Solo. But what the heck, wasn’t there a better use for that money? Like fixing the bugs in the first place?


Who’s afraid of the big bad code?
January 14th, 2009 under Articles, Devel, InfoSec, Politics, rengolin. [ Comments: none ]

What would Bruce Schneier say about the magic list of the 25 biggest coding errors that normally lead to a security flaw, which the NSA is putting together with Microsoft and Symantec?

Don’t get me wrong, putting out a list of bad practices is a fantastic job, that’s for sure. It makes programmers more aware of the dangers and, as the article itself says, newbies can learn from others’ experience before getting into a new field.

But the way (lay) people take it makes it so magical that the practical value of such a list is greatly reduced.

Order and size of the list

I understand that the order must make some sense, but which? Is it ordered by the number of attacks in the last 12 months? Or by the sum of all reported losses caused by them? Or by the number of such errors found in common code (in those companies’ code, of course)? Or by some other subjective “importance” factor from a bunch of “Security Experts”?

Also, why 25? Why not 30? Who says the 25th is important enough to show up in the list and the 26th is not?

Real-world

We programmers know about most of them, know the problems they pose and normally know how to fix them. We often want to fix them, but that usually requires some refactoring, and right now it’s time to implement those features our client needs for the demo, right? We can think about that later… can we? Will we?

Then the NSA decides to make this a priority for the country and declares it a national security problem. Big companies like fancy terms and will strive to adopt any new standard that shows up in the market.

Then down comes the VP of engineering and says:

“We need to make sure every programmer knows how to write code that is free of the top 25 errors.”

Done: he can put up the GIF image from the NSA saying his company’s software is secure against all odds, according to the NSA and DHS.

Now, coders and technicians, tell me: Would any editor, IDE or compiler ever be able to spot those errors with 100% accuracy?

“Then we need to make sure every programming team has processes in place to find and fix these problems [in existing code] and has the tools needed to verify their code is as free of these errors,”

Of course not, but they will try: Microsoft will put a beta checker into Visual C++, other companies will tell their clients that their software is being tested with the new product, and the clients will buy it; after all, who are they to say anything about the matter?
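As an added illustration of why no editor, IDE or compiler can answer that question with 100% accuracy (this is example code written for this page, not from the original post or the article it discusses): the same copy is safe or unsafe depending on two checks that live elsewhere. The record format below is hypothetical, invented for the example (one length byte followed by that many payload bytes), and it is parsed twice, once trusting the length byte and once bounding it. This is the buffer-bounds class of error (CWE-119) that such lists include. A checker that flags every `memcpy` whose size comes from input flags the hardened version too; one that stays quiet because “there is a check somewhere” misses the unsafe one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed, hypothetical record format for this example:
 *   byte 0     : payload length N
 *   bytes 1..N : payload
 * A record is parsed out of a buffer of `len` bytes into a fixed
 * 16-byte destination. */
#define PAYLOAD_MAX 16

/* Unsafe: trusts the length byte. A record whose first byte says 200
 * makes memcpy write past the 16-byte destination and read past the
 * end of the caller's buffer (CWE-119). */
int parse_record_unsafe(const uint8_t *buf, size_t len, uint8_t out[PAYLOAD_MAX])
{
    if (len < 1)
        return -1;
    size_t n = buf[0];
    memcpy(out, buf + 1, n);        /* n is attacker-controlled and unbounded */
    return (int)n;
}

/* Hardened: the length byte is bounded by both the destination size and
 * the bytes actually present in the source before it reaches memcpy.
 * The memcpy line is textually identical to the one above; only the two
 * comparisons make it safe, and a tool has to prove they always run first. */
int parse_record_safe(const uint8_t *buf, size_t len, uint8_t out[PAYLOAD_MAX])
{
    if (len < 1)
        return -1;
    size_t n = buf[0];
    if (n > PAYLOAD_MAX)            /* would overflow the destination */
        return -2;
    if (n > len - 1)                /* would read past the source (len >= 1 here) */
        return -3;
    memcpy(out, buf + 1, n);
    return (int)n;
}

/* Convenience wrappers: parse into a scratch buffer and return the code. */
int safe_code(const uint8_t *buf, size_t len)
{
    uint8_t out[PAYLOAD_MAX];
    return parse_record_safe(buf, len, out);
}

int unsafe_code(const uint8_t *buf, size_t len)
{
    uint8_t out[PAYLOAD_MAX];
    return parse_record_unsafe(buf, len, out);
}

/* Returns 1 when the hardened parser accepts the record and the copied
 * payload equals `expected`, 0 otherwise. */
int safe_payload_is(const uint8_t *buf, size_t len, const char *expected)
{
    uint8_t out[PAYLOAD_MAX];
    int n = parse_record_safe(buf, len, out);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0;
}

/* Constructed sample inputs. */
static const uint8_t GOOD[]  = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t BIG[]   = { 200, 'x', 'x', 'x' };   /* claims 200 bytes */
static const uint8_t TRUNC[] = { 8, 'a', 'b', 'c' };     /* claims 8, carries 3 */

int main(void)
{
    printf("good : %d\n", safe_code(GOOD,  sizeof GOOD));   /* 5  */
    printf("big  : %d\n", safe_code(BIG,   sizeof BIG));    /* -2 */
    printf("trunc: %d\n", safe_code(TRUNC, sizeof TRUNC));  /* -3 */
    /* unsafe_code(BIG, ...) is deliberately not called: it would overflow
     * the scratch buffer and read beyond BIG, which is undefined behaviour. */
    return 0;
}
```

Both functions contain exactly the call a pattern-matching tool looks for, so telling them apart requires proving that the two comparisons dominate the `memcpy` on every path; move the checks into a helper, or perform them on a copy of `n` that is later reassigned, and a naive checker either raises a false alarm or goes silent. That is the gap between a list of error classes, which is a vocabulary, and a tool that certifies code free of them.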

Protect against whom?

Now, after so much time and effort, with 30+ companies and government departments working hard to come up with a (quite good) list of the most common errors that lead to security flaws, for what?

“The real dedicated serial attacker will probably find a way in even if all these errors were removed. But a high school hacker with malicious intent – ankle-biters if you will – would be deterred from breaking in.”

WHAT?!?! All that to stop script kiddies? For heaven’s sake, I thought they were serious about that… Well, maybe I expected too much from the NSA… again…

(Note: quotes from original article, ipsis litteris)



License
Creative Commons License
Disclaimer

The information in this weblog is provided “AS IS” with no warranties, and confers no rights.

This weblog does not represent the thoughts, intentions, plans or strategies of our employers. It is solely our opinion.

Feel free to challenge and disagree, and do not take any of it personally. It is not intended to harm or offend.

We will easily back down on our strong opinions by presentation of facts and proofs, not beliefs or myths. Be sensible.
