Trust Works All Ways

Over the weekend, I’ve been thinking about last week’s disclosure concerning Debian’s OpenSSL package, which in effect stated that all keys and certificates generated by this compromised code have been trivially crackable since late 2006.

There’s a pretty good subjective analysis of the nature of the error on Ben Laurie’s blog (thanks, Rich), and of course the Debian crew itself has done a fairly good job of writing up the issue.

The scope of this vulnerability is pretty wide, and the ease with which a weak key can be compromised is significant. Ubuntu packaged up a weak key detector script containing an 8MB data block which, I’m told, included every single possible key value that the Debian OpenSSL package could conceivably create.

The question that kept cropping up for me is: This one-line code change apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it? Numerous exploits on Microsoft Windows would have required far more scrutiny and creativity than this one. Given the rewards involved for 0-day exploits, especially in creating platforms for cross-site scripting attacks, why is it nobody bothered to exploit this?

My hypothesis – sorry, my speculation is this: People at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code. I should exclude from this list those who might have a reasonable motivation to exploit the vulnerability with stealth and to leave no traces. If, however, even they didn’t notice the danger presented by this tiny but fundamental change in the code base, well my point becomes stronger.

The change itself was small, but not really obscure.  It was located, after all, in the function that feeds random data into the encryption process. As Ben Laurie states in his blog, if any of the OpenSSL members had actually looked at the final patch, they would almost certainly have noticed immediately that it was non-optimal.

In all this time, apparently, nobody using Debian’s OpenSSL package has actually (or adequately) tested to see whether the Debian flavour of OpenSSL was as strong as it was supposed to be.  That level of trust is nothing short of astounding. If in fact malware authors were guilty of investing the same trust in the software, then I’d venture to state that there’s a fundamental lesson to be learned here about human nature, and learning that lesson benefits the attacker far more than the defender:

Probe the most trusted processes first, because if you find vulnerabilities, they will yield the greatest results for the least effort.

P.S. Offhand, there’s one circumstance that I think could undermine the credibility of this speculation, and that’s if there’s any link between this report of an attack that compromised not less than 10,000 servers and the recent discovery of the Debian OpenSSL vulnerability.

You Get What You Pay For

(Originally published in the Vanuatu Daily Post‘s Weekender Section.)

Since the Australian Federal Police brought Project Wickenby to Vanuatu with the arrest of local resident Robert Agius and raids at PKF House and elsewhere, people here have been outraged over what they characterise as Australian arrogance. Australia, they charge, feels it’s bought the right to act as it pleases here. By making the government of Vanuatu dependant on their money and advisors, many argue, Australia has subverted Vanuatu sovereignty and now operates as it pleases here.

Mr. Agius stands accused of funneling about $100 million into Vanuatu as phony consulting fees. Prosecutors claim these fees – minus a commission for Mr. Agius – were then sent back to Australia as loans. The loans’ tax-free status allowed participants in the alleged scheme to avoid paying as much as $13 million in taxes.

News reports indicate that Mr. Agius is accused of having earned about $1.4 million from his involvement in this scheme.

The Agius affair is treated as a business story by Australian news sources. The contrast with how it’s reported in Vanuatu could not be starker. Mr. Agius’ guilt or innocence is secondary in the local narrative. This is, above all, a story about Vanuatu’s sovereignty, or lack thereof.

Continue reading

Kastom in the Virtual Nasara

In Vanuatu, Kastom takes a lifetime to learn. More complex than any set of laws, it’s a tightly woven fabric of behaviour that is in a constant state of redefinition. Defined by respect and mutual support, it is measured and arbitrated by our chiefs and enforced by the community as a whole. It is at once amorphous and innately understood.

Although it manifests itself differently from one island to another, the importance of one’s name is integral to finding one’s place in local kastom. Indeed, the highest honour an expat can earn in Vanuatu is to be given a name. A naming ceremony implies the attainment of (usually honourary) chiefly rank. One’s name, in short, is the ultimate expression of one’s place, standing and role in the community. It conveys the very essence of its bearer.

Practices vary from island to island, but choosing – and using – a person’s name is rife with overtones about one’s relation to others. Expats are often confused, and sometimes amused, by most ni-Vanuatu’s unwillingness to address others by name. People are instead referred to in terms of their familial relationship to the speaker. Where relationships are unknown or ambiguous – between strangers, for example – a local default usually exists. It’s common to be addressed as ‘tawi’ in Tanna, though strictly speaking that would make you the person’s brother or sister in law. In a delightful example of linguistic drift, young women in North Malekula are almost universally addressed as ‘uncle’.

So why, when names possess such a strong tabu here in Vanuatu, do we put no stock at all in how Vanuatu’s name is used on the Internet?
Continue reading

Steaming Piles

I give up. I can’t support OpenOffice Write any more, and it’s nobody’s fault but their own. For anything more than simple tasks, the application is terrible. Their only saving grace is that Microsoft Office has its own brand of polished turd, named Word. Collectively, they are racing to the bottom of a decade-long decline in useability.

No, that’s too generous. The thing is, they’re at the bottom. They are useless for any but the most trivial tasks, and the most trivial tasks are better accomplished elsewhere, anyway.

Yes, I’m ranting. Let’s put this into a proper context:

I hate word processors. For any but the simplest tasks, their interfaces are utterly ridiculous. I haven’t liked a word processing interface since WordPerfect circa version 5, and if I had my own way, I’d author all my documents in either emacs or vi, depending on the circumstances.

Why do word processors suck so badly? Mostly, it’s because of the WYSIWYG approach. What You See Is What You Get, besides being one of the most ghastly marketing acronyms to see the light of day in the digital era, is ultimately a lie. It was a lie back in the early 1990s when it first hit the mainstream, and it remains a lie today. The fact of the matter is that trying to do structuring, page layout and content creation all at the same time is a mug’s game. Even on a medium as well understood as paper, it’s just too hard to control all the variables and still have a comprehensible interface.

But the real sin that word processors are guilty of is not that they’re trying to do WYSIWYG – okay it is that they’re trying to do WYSIWYG, but the way they go about it makes it even worse. Rather than insisting that the user enter data, structure it and then lay it out, they cram everything into the same step, short-circuiting each of those tasks, and in some cases rendering them next to impossible to achieve.

Learning how to write, then structure, then format a document (or even just doing each through its own interface) is easier to accomplish than the all-in approach we use today. For whatever reason, though, we users are deemed incapable of creating a document without knowing what it’s going to look like right now, and for our sins, that’s what we’ve become. And so we are stuck with word processors that are terrible at structuring and page layout as well as being second-rate text authoring interfaces. They do nothing well, and many things poorly, in no small part because of the inherent complexity of trying to do three things at once.

It doesn’t help that their technical implementation is poor. The Word document format is little better than a binary dump of memory at a particular moment in time. For our sins, OpenOffice is forced to work with that as well, in spite of having the much more parse-worthy ODF at its disposal these days.

There’s no changing any of this, of course. The horse is miles away, and anyway the barn burned down in the previous millennium. The document format proxy war currently underway at the ISO is all the evidence I need to know that I’ll be dealing with stupid stupid stupid formatting issues for years to come. I will continue to be unable to properly structure a document past about the 80th percentile, which is worse than not at all. I will continue to deal with visual formatting as my only means to infer context and structure, leaving me with very little capacity to do anything useful with the bloody things except to print them out and leave them on someone’s desk.

Maybe I’ll just stop using them at all. Maybe I’ll just start doing everything on the web and never print again.

I’m half serious about this, actually. At least on the Web, the idea that content and presentation are separate things isn’t heresy. At least on the Web, I can archive, search, contextualise, comment, plan, structure and collaborate without having to wade through steaming piles of cruft all the time.

At least on the Web, I can choose which steaming piles I step into.

I’m going to start recommending people stop using Word as an authoring medium. There are far better, simpler tools for every task, and the word processor has been appropriate for exactly none of them for too long now. Sometimes you have to destroy the document in order to save it.

Only the Angels Cry

Nathan’s little boy died of nothing. The seven year-old got a boiler in his nose. It was painful, but nothing a course of antibiotics couldn’t fix. Nathan dutifully brought his boy to the island hospital, and requested treatment. As usual, there was no doctor present, but a nurse gave him some medicine. The pills were past their expiry date, but they were better than nothing.

The inflammation subsided, and the boy was able the sleep again for a while. The infection, however, didn’t disappear. Once the under-strength antibiotics had run their course, it came back with a vengeance.

To look at the boy, there wasn’t much wrong. A little swelling around one eye and nostril, but otherwise nothing. What you couldn’t see was the constant, excruciating pain as the infection moved into his sinuses and began to press against his brain.
Continue reading

Clearing the Ground

The Vanuatu National Training Council (VNTC) recently presented their vision of an industry-driven training regime here in Vanuatu. The approach is based on what they call Competency Based Training. In simple terms, this approach is aimed to help people learn relevant and useful skills, and importantly, to be able to earn formal recognition for skills they already have. By measuring these skills using well-understood benchmarks, people would be assured that their skills are recognised by employers throughout the Pacific and even beyond.

Continue reading

Stop Bad Errors

I recently upgraded to Ubuntu 8.04, which comes with the most recent beta of Firefox 3.0. The new version of Firefox has a number of interesting features, not the least of which is a set of measures to reduce drive-by infection of PCs.

If they wander from the beaten path, people now see a big red sign warning them about so-called ‘Attack Sites’ – websites that are reported to have used various means to infect visiting systems with malicious software:

The graphic is fairly well done, but interestingly, there’s no obvious way to over-ride the warning and go to the site anyway. Not that one would want to, but it does raise the bar for circumventing this anti-rube device while raising questions about who gets to decide what’s bad and what’s good.

The ‘Get Me Out Of Here!’ button smacks of Flickr-style smarminess, sending (in my humble opinion) the wrong kind of message. Either be the police constable or be my buddy, but don’t try to be both. That’s just patronising.

I followed the second button to see how the situation would be explained to the curious. I was brought to a page providing a less-than-illuminating statement that the site in question had been reported to be infected by so-called ‘badware’.

The StopBadWare.org service tracks websites whose content has been compromised, deliberately or not, and provides data about these sites to the public in order to protect Internet users from drive-by infection. With sponsorship from Google, Lenovo, Sun, PayPal, VeriSign and others, the service is obviously viewed in the corporate community as a necessary and responsible answer to the issue of malware infection.

At the time of this writing, the Stop Badware databases listed over a quarter of a million websites as infected.

The report page itself was less than a stellar example of information presentation, especially about a security-related topic. In the top left corner is a colour-coded circle with three states:

Safe StopBadware testing has found badware behavior on this site.
Caution One or more StopBadware partners are reporting badware behavior on this site.
Badware No StopBadware partners are reporting badware behavior on this site.

So the difference between red and yellow here is not one of degree, it’s based on who reported it. Not only is this useless as a threat measurement, it sends the wrong message to people using the service, implying that there’s a distinction to be made between what Stop Badware finds out for themselves and what their partners find. By treating the sources differently, they’re inadvertently creating a distinction between gospel and rumour, implying that some sources are less reliable than others.

The report page for the domain in question is populated using the GET method, meaning that you can plug any domain name right into the address bar (if you know the URL components) and get a report on it. Unfortunately, it never occurred to the good people at Stop Badware that some might want to use this capability to check the status of an arbitrary domain. (Amusingly, this method also circumvents the captcha on the ‘official’ report page.)

When I checked the status of my own domain, I was informed that, in effect, I’d recently stopped beating my wife:

Google has removed the warning from this site.

It’s interesting when you’re faced with a sentence in which nearly every word is wrong. Google has removed the site? Where am I? Isn’t this Stop Badware? Removed the warning for this site? There never was one. And even if there was a warning at one point in time, people don’t need to be told that. This message is a bit like saying, ‘So-and-so is a great guy! He doesn’t drink at all any more.

I applaud the Stop Badware service and the concept, and I look forward to the day when someone actually does a bit of usability research for them.

P.S. Could we please do something about the term ‘badware’? It’s almost sickeningly patronising. Some might argue that terms like ‘virus’, ‘trojan’ and ‘malware’ are too arcane, but I say we should just pick one and stick with it, regardless of how accurate it actually is.

People know and (ab)use the term ‘virus’, so why don’t we get the geek-stick out of our lexical butt and just use it? It’s a virus. You’ve got a virus. Who cares what it is or how you got it. You got a virus and now your computer needs to be treated before you can use it safely again. Now, how hard was that?

Housework

Re-worked from an older post for this week’s Daily Post Weekender edition. ed.

Ever since I arrived in Vanuatu almost five years ago, I’ve woken every morning to the rhythmic shushing of the scrub brush as the women in the neighbourhood do the morning wash. It’s often the last thing I hear before sundown as well.

Anyone who’s ever washed their clothes by hand knows just how arduous the process is. Most women in Vanuatu have extremely well-defined arm muscles, and many of the older women on the islands are built like wrestlers. Laundry is one of the reasons why.

When my tawian Marie-Anne approached me some time ago with the news that she’d begun participating in a micro-finance scheme, I encouraged her to do so, and immediately began wracking my brains for an activity that would allow her to earn money and still take care of her little girl full-time. I tossed out an idea or two, but nothing I suggested seemed very compelling. Marie-Anne was patient with me, and waited for me to wind down before telling me that she already knew what she wanted to do. She wanted to buy a washing machine, and charge the local women to use it.

How very stupid of me not to have thought of it before.

Continue reading

Cargo Culture

The phrase ‘cargo cult’ is well known here in Vanuatu, and probably better understood than anywhere else in the world. Pop anthropologists, TV crews and trivia hounds love to belittle the ‘silly’ idea that performing the proper rituals will result in good things happening. They snicker at the uniformed, marching figures in Tanna, wondering what kind of person could believe such a simple tale.

The fact is, we are all, to some degree or other, members of a cargo culture.

Magical Thinking is the term applied to the kind of behaviour that assigns more importance to a sequence of events than to actual causation. We indulge in this kind of behaviour when we put on a ‘lucky’ shirt on important days, or avoid stepping on spiders for fear of bringing the rain. It’s in our daily horoscope and a significant number of expressions that we use everyday.

We use Magical Thinking when we touch wood, say ‘God bless’ to someone who sneezes, keep a rabbit’s foot on our key chain, or sing a certain song to ward off bad luck. We also use a certain degree of Magical Thinking when we smoke a cigarette, drink too much or practice unsafe sex. We assume that certain rituals can make good things happen or keep bad things at bay.

We also use a fair amount of magical thinking when we start our computers in the morning, when we make a phone call or send an email.

Continue reading

Paradise Dreams

Over the last few years, investment in Vanuatu has boomed. It’s been estimated that the amount of cash in the economy is increasing by an astounding 150% per year. Compare that with the period between 1990 and 2004, when economic activity grew more slowly than the population.

But for most of the residents of this so-called paradise, little has changed.

Prices have increased somewhat, but curiously many of the more common expenses have not. Bus fares, for example, have not budged even though fuel prices have soared. Consequently, Vanuatu’s minimum wage has about the same buying power today as it had years ago.

That’s not entirely good news….

Continue reading