<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Corpus Scriptorum Crumbum &#187; security</title>
	<atom:link href="http://scriptorum.imagicity.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://scriptorum.imagicity.com</link>
	<description>Just another Imagicity site</description>
	<lastBuildDate>Thu, 02 Feb 2012 22:24:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>On Privacy</title>
		<link>http://scriptorum.imagicity.com/2009/01/03/on-privacy/</link>
		<comments>http://scriptorum.imagicity.com/2009/01/03/on-privacy/#comments</comments>
		<pubDate>Sat, 03 Jan 2009 01:57:23 +0000</pubDate>
		<dc:creator>graham crumb</dc:creator>
				<category><![CDATA[geek]]></category>
		<category><![CDATA[hard-core]]></category>
		<category><![CDATA[wonk]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://scriptorum.imagicity.com/?p=135</guid>
		<description><![CDATA[The ramifications of our ability to transmit, access and synthesise vast amounts of data using technology are consistently underestimated by people because of the simple fact that, as far as they're concerned, they are sitting in the relative privacy of their own room with nothing but the computer screen as an intermediary.]]></description>
			<content:encoded><![CDATA[<p>Slashdot recently <a href="http://yro.slashdot.org/article.pl?sid=08/12/31/2256203">reported</a> the release of document analysing privacy issues in a number of major browsers. One of the findings was that the Flash plugin on all platforms and browsers was terribly insecure. One of the commenters had this to say:</p>
<blockquote><p>&#8220;Privacy issues aside, I&#8217;ve never had any trouble with Flash.&#8221;</p></blockquote>
<p>To which I replied:</p>
<p>I like your logic: Aside from a single tile, the space shuttle Columbia&#8217;s last mission went flawlessly.</p>
<p>Seriously, though: you&#8217;ve underlined the single greatest problem in computer security today &#8211; what we don&#8217;t see <em>can</em> hurt us. <a title="imagicity.com" rel="nofollow" href="../2008/04/17/the-soft-computer/">I&#8217;ve written about this</a> at greater length elsewhere, but to put it simply, privacy is the battleground of our decade.</p>
<p>The struggle to come to terms with privacy will manifest itself in the legal, moral and ethical arenas, but it arises now because of technology and the cavalier approach that the vast majority of people take to it.</p>
<p>The ramifications of our ability to transmit, access and synthesise vast amounts of data using technology are consistently underestimated by people because of the simple fact that, as far as they&#8217;re concerned, they are sitting in the relative privacy of their own room with nothing but the computer screen as an intermediary.</p>
<p>On the consumer side of things, this creates what Schneier calls a <a title="imagicity.com" rel="nofollow" href="../2008/02/15/oranges-and-lemons/">Market for Lemons</a> in which the substance of the product becomes less valuable than its appearance. As long as we have the illusion of security, we don&#8217;t worry about the lack of real protection.</p>
<p>On the institutional side, we see countless petty abuses of people&#8217;s privacy. There is nothing stopping a low-level employee from watching this data simply out of prurient interest. In fact, this kind of abuse happens almost every time comprehensive surveillance is conducted. In a famous example, low-level staffers in the <a title="go.com" rel="nofollow" href="http://abcnews.go.com/Blotter/story?id=5987804&amp;page=1">US National Security Agency would regularly listen in</a> on romantic conversations between soldiers serving in Iraq and their wives at home. The practice became so common that some even created &#8216;Greatest Hits&#8217; compilations of their favourites and shared them with other staffers.</p>
<p>They would never have done so[*] had the people in question been in the room, but because the experience is intermediated by an impersonal computer screen, which can inflict no retribution on them, their worst instincts get the better of them.</p>
<p>When discussing software in the 21st Century, we cannot <em>ever</em> treat privacy as just one incidental aspect of a greater system. <em>Privacy defines the system</em>. Starting an argument by throwing it aside in the first subordinate clause gives little weight to any argument that follows.</p>
<hr /><p>[*] On consideration, that&#8217;s not strictly true. History shows that surveillance societies are perfectly practicable even without significant automation. The East German Stasi are but one example. The critical factor in such cases is of course that the state sanctioned, encouraged, even required this behaviour of its citizens. So let me modulate my statement to say:</p>
<p><em>They would never have taken this unsanctioned action had they had any sense that they were being subjected to similar &#8211; or any &#8211; scrutiny.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://scriptorum.imagicity.com/2009/01/03/on-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Circus</title>
		<link>http://scriptorum.imagicity.com/2008/07/20/no-circus/</link>
		<comments>http://scriptorum.imagicity.com/2008/07/20/no-circus/#comments</comments>
		<pubDate>Sun, 20 Jul 2008 00:18:13 +0000</pubDate>
		<dc:creator>graham crumb</dc:creator>
				<category><![CDATA[journamalism]]></category>
		<category><![CDATA[social commentary]]></category>
		<category><![CDATA[soft-core]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[Juvenal]]></category>
		<category><![CDATA[panem et circenses]]></category>
		<category><![CDATA[polemic]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://scriptorum.imagicity.com/?p=89</guid>
		<description><![CDATA[I am tempted to channel the spirit of Juvenal and state that, what with all the slack we gave them, the least our leaders could have done was put on a circus or two. Instead, we get a shadow play about bogeymen being chased by armed men with more enthusiasm than training.]]></description>
			<content:encoded><![CDATA[<p>[<em>Originally published in the <a href="http://www.dailypost.vu/">Vanuatu Daily Post</a>’s Weekender Edition.</em>]</p>
<blockquote><p>“The People who once upon a time handed out military command, high civil office, legions &#8211; everything, now restrains itself and anxiously hopes for just two things: bread and circuses.”</p></blockquote>
<p>The Roman poet Juvenal wrote these lines in his Satires a little over a hundred years after the birth of Christ. He accuses the people of Rome – at the time the most powerful empire in the world – of losing sight of their civic responsibilities, giving everything up in exchange for gifts of grain and public entertainments.</p>
<p>People are always quick to draw parallels between modern USA and ancient Rome in its decline. But we can draw a more direct lesson from Juvenal’s tirade: Whether through a lack of concern or naïveté, our own choices have led us to the apparent security crisis we face today.</p>
<p>At least the Romans got free food and entertainment out of the bargain. Here in Vanuatu, we don’t even get that. We relinquish our societal responsibilities to others, and receive only danger in exchange.</p>
<p><span id="more-89"></span></p>
<p>In fairness, the Millennium Challenge Fund and liberalisation of the telecommunications monopoly are fruit we all reap from the efforts of a determined few. The scope of these two projects is nationwide, but the needs of the nation extend far beyond basic infrastructure.</p>
<p>Security is an area where we’ve seen little if any progress. Indeed, some retired policemen I’ve spoken with recall the pre-Independence period with nostalgia, and say that things have gone steadily downhill ever since.</p>
<p>In recent months, a veritable hue and cry has arisen over what some characterise as the sieve-like security at our prisons. No sooner is someone incarcerated, it seems, than they slip back over the fence or even, in one notable case, are escorted through the front gate.</p>
<p>It’s a bad mix: Violent crime, prisoners escaping, an invisible police force, ineffectual Correctional Services and a growing sense of fear among a populace that sees itself as next in line for victimhood. These factors led to an awkward and overzealous response by authorities. Prison guards are now armed with shotguns while paramilitaries in full combat regalia go out in search of escapees. Many people have expressed satisfaction with these actions. Phrases like ‘zero tolerance’ are bandied about, accompanied by chest puffing and not a little swagger.</p>
<p>It can only end in tears. Judging by the exceedingly dangerous way they handle their weapons, prison guards have received no firearms training. I fear it’s only a matter of time before there’s an accidental shooting due to incompetence or over-enthusiastic pursuit.</p>
<p>In the past, crime among the ni-Vanuatu population was dealt with through kastom. In cases where the gravity of the offense was too great to ignore, police would intervene. There were regular (though not necessarily frequent) patrols throughout the islands, where police would liaise with chiefs and community leaders to keep the peace.</p>
<p>But these twin bulwarks of stability in society have been steadily eroded of late, partly because it was easier for all of us to let things slide than to do the hard yards needed to keep these institutions alive.</p>
<p>I am tempted to channel the spirit of Juvenal and state that, what with all the slack we gave them, the least our leaders could have done was put on a circus or two. Instead, we get a shadow play about bogeymen being chased by armed men with more enthusiasm than training.</p>
<p>The creation of the department of Correctional Services is a particularly vivid example of how we got things wrong. The principle of rehabilitation is a sound one. It could mesh well with kastom, if we made the effort. Ending the terrible human rights abuses that happen in our jails – terrible enough that Amnesty International took note – was absolutely necessary. To do that, we had to replace police with properly trained guards.</p>
<p>The transition was disastrous. We got the ‘replace’ part right, but apparently not the part about adequate training.</p>
<p>It failed because nobody really understood what they were supposed to be accomplishing. Creating a humane, remedial environment for prisoners is necessary for the most selfish of reasons: if we don’t, they’ll never change their ways. This was misconstrued, of course, as creating a ‘country club’ for prisoners.</p>
<p>But mostly, nobody cared about the crime, the criminals or their treatment. Because we allowed them, our leaders neglected the issue entirely, leaving it up to New Zealand and a few well-meaning officials to shoulder a burden that simply could not be carried alone.</p>
<p>We need a clear national commitment to address issues of law enforcement, crime and punishment and to make them workable in our society. One integral step toward doing so is reconciling criminal justice mechanisms with social justice as described by kastom, making each stronger in the process.</p>
<p>Security is everyone’s problem. The only way to fix it is to quit giving our leaders – and ourselves – a free ride on it. If that means forgoing a bag of rice and a few shells of kava at election time, so be it. This security circus has simply got to stop.</p>
]]></content:encoded>
			<wfw:commentRss>http://scriptorum.imagicity.com/2008/07/20/no-circus/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Trust Works All Ways</title>
		<link>http://scriptorum.imagicity.com/2008/05/19/trust-works-all-ways/</link>
		<comments>http://scriptorum.imagicity.com/2008/05/19/trust-works-all-ways/#comments</comments>
		<pubDate>Sun, 18 May 2008 22:29:38 +0000</pubDate>
		<dc:creator>graham crumb</dc:creator>
				<category><![CDATA[geek]]></category>
		<category><![CDATA[hard-core]]></category>
		<category><![CDATA[wonk]]></category>
		<category><![CDATA[Debian]]></category>
		<category><![CDATA[OpenSSL]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://scriptorum.imagicity.com/2008/05/19/trust-works-all-ways/</guid>
		<description><![CDATA[Over the weekend, I&#8217;ve been thinking about last week&#8217;s disclosure concerning Debian&#8217;s OpenSSL package, which in effect stated that all keys and certificates generated by this compromised code have been trivially crackable since late 2006. There&#8217;s a pretty good subjective analysis of the nature of the error on Ben Laurie&#8217;s blog (thanks, Rich), and of [...]]]></description>
			<content:encoded><![CDATA[<p>Over the weekend, I&#8217;ve been thinking about last week&#8217;s disclosure concerning Debian&#8217;s OpenSSL package, which in effect stated that all keys and certificates generated by this compromised code have been trivially crackable since late 2006.</p>
<p>There&#8217;s a pretty good subjective analysis of the nature of the error on <a href="http://www.links.org/">Ben Laurie&#8217;s blog</a> (thanks, <a href="http://www.lafferty.ca/">Rich</a>), and of course the Debian crew itself has done a fairly good job of <a href="http://www.debian.org/security/2008/dsa-1571">writing up</a> the issue.</p>
<p>The scope of this vulnerability is pretty wide, and the ease with which a weak key can be compromised is significant. Ubuntu packaged up a weak key detector script containing an 8MB data block which, I&#8217;m told, included every single possible key value that the Debian OpenSSL package could conceivably create.</p>
<p>The question that kept cropping up for me is: This one-line code change apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it? Numerous exploits on Microsoft Windows would have required far more scrutiny and creativity than this one. Given the rewards involved for 0-day exploits, especially in creating platforms for cross-site scripting attacks, why is it nobody bothered to exploit this?</p>
<p>My hypothesis &#8211; sorry, my <em>speculation</em> is this: People at every stage of the production process and <em>everywhere else in the system</em> trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code. I should exclude from this list those who might have a reasonable motivation to exploit the vulnerability with stealth and to leave no traces. If, however, even they didn&#8217;t notice the danger presented by this tiny but fundamental change in the code base, well my point becomes stronger.</p>
<p>The change itself was small, but not really obscure. It was located, after all, in the function that feeds random data into the encryption process. As Ben Laurie states in his blog, if any of the OpenSSL members had actually looked at the final patch, they would almost certainly have noticed immediately that it was non-optimal.</p>
<p>In all this time, apparently, nobody using Debian&#8217;s OpenSSL package has actually (or adequately) tested to see whether the Debian flavour of OpenSSL was as strong as it was supposed to be. That level of trust is nothing short of astounding. If in fact malware authors were guilty of investing the <em>same</em> trust in the software, then I&#8217;d venture to state that there&#8217;s a fundamental lesson to be learned here about human nature, and learning that lesson benefits the attacker far more than the defender:</p>
<p><strong>Probe the most trusted processes first, because if you find vulnerabilities, they will yield the greatest results for the least effort. </strong></p>
<p><strong>P.S.</strong> Offhand, there&#8217;s one circumstance that I think could undermine the credibility of this speculation, and that&#8217;s if there&#8217;s any link between <a href="http://www.secureworks.com/research/threats/linuxservers/">this report</a> of an attack that compromised not less than 10,000 servers and the recent discovery of the Debian OpenSSL vulnerability.</p>
]]></content:encoded>
			<wfw:commentRss>http://scriptorum.imagicity.com/2008/05/19/trust-works-all-ways/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stop Bad Errors</title>
		<link>http://scriptorum.imagicity.com/2008/05/08/stop-bad-err/</link>
		<comments>http://scriptorum.imagicity.com/2008/05/08/stop-bad-err/#comments</comments>
		<pubDate>Wed, 07 May 2008 22:27:06 +0000</pubDate>
		<dc:creator>graham crumb</dc:creator>
				<category><![CDATA[geek]]></category>
		<category><![CDATA[hard-core]]></category>
		<category><![CDATA[wonk]]></category>
		<category><![CDATA[rant]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[stopbadware]]></category>
		<category><![CDATA[ui follies]]></category>

		<guid isPermaLink="false">http://scriptorum.imagicity.com/2008/05/08/stop-bad-err/</guid>
		<description><![CDATA[I recently upgraded to Ubuntu 8.04, which comes with the most recent beta of Firefox 3.0. The new version of Firefox has a number of interesting features, not the least of which is a set of measures to reduce drive-by infection of PCs. If they wander from the beaten path, people now see a big [...]]]></description>
			<content:encoded><![CDATA[<p>I recently upgraded to Ubuntu 8.04, which comes with the most recent beta of Firefox 3.0. The new version of Firefox has a number of interesting features, not the least of which is a set of measures to reduce drive-by infection of PCs.</p>
<p>If they wander from the beaten path, people now see a big red sign warning them about so-called &#8216;Attack Sites&#8217; &#8211; websites that are reported to have used various means to infect visiting systems with malicious software:</p>
<p><img src="http://gallery.imagicity.com/attack-site.png" /></p>
<p>The graphic is fairly well done, but interestingly, there&#8217;s no obvious way to override the warning and go to the site anyway. Not that one would want to, but it does raise the bar for circumventing this anti-rube device while raising questions about who gets to decide what&#8217;s bad and what&#8217;s good.</p>
<p>The &#8216;Get Me Out Of Here!&#8217; button smacks of Flickr-style smarminess, sending (in my humble opinion) the wrong kind of message. Either be the police constable or be my buddy, but don&#8217;t try to be both. That&#8217;s just patronising.</p>
<p>I followed the second button to see how the situation would be explained to the curious. I was brought to a page providing a less-than-illuminating statement that the site in question had been reported to be infected by so-called &#8216;badware&#8217;.</p>
<p>The <a href="http://www.stopbadware.org/">StopBadWare.org</a> service tracks websites whose content has been compromised, deliberately or not, and provides data about these sites to the public in order to protect Internet users from drive-by infection. With sponsorship from Google, Lenovo, Sun, PayPal, VeriSign and others, the service is obviously viewed in the corporate community as a necessary and responsible answer to the issue of malware infection.</p>
<p>At the time of this writing, the Stop Badware databases listed over a quarter of a million websites as infected.</p>
<p>The report page itself was less than a stellar example of information presentation, especially about a security-related topic. In the top left corner is a colour-coded circle with three states:</p>
<table align="center" border="0" cellspacing="0">
<tr>
<td>
<table border="0" cellpadding="6" cellspacing="0">
<tr>
<td><img src="http://www.stopbadware.org/images/icons/icon_red_small.gif?1197671359" alt="Safe" /></td>
<td>StopBadware testing has found badware behavior on this site.</td>
</tr>
<tr>
<td><img src="http://www.stopbadware.org/images/icons/icon_yellow_small.gif?1197671359" alt="Caution" /></td>
<td>One or more StopBadware partners are reporting badware behavior on this site.</td>
</tr>
<tr>
<td><img src="http://www.stopbadware.org/images/icons/icon_clear_small.gif" alt="Badware" /></td>
<td>No StopBadware partners are reporting badware behavior on this site.</td>
</tr>
</table>
</td>
</tr>
</table>
<p>So the difference between red and yellow here is not one of degree, it&#8217;s based on who reported it. Not only is this useless as a threat measurement, it sends the wrong message to people using the service, implying that there&#8217;s a distinction to be made between what Stop Badware finds out for themselves and what their partners find. By treating the sources differently, they&#8217;re inadvertently creating a distinction between gospel and rumour, implying that some sources are less reliable than others.</p>
<p>The report page for the domain in question is populated using the GET method, meaning that you can plug any domain name right into the address bar (if you know the URL components) and get a report on it. Unfortunately, it never occurred to the good people at Stop Badware that some might want to use this capability to check the status of an arbitrary domain. (Amusingly, this method also circumvents the captcha on the &#8216;official&#8217; report page.)</p>
<p>When I checked the status of my own domain, I was informed that, in effect, I&#8217;d recently stopped beating my wife:</p>
<p><img src="http://gallery.imagicity.com/stop-badware-err.png" alt="Google has removed the warning from this site." /></p>
<p>It&#8217;s interesting when you&#8217;re faced with a sentence in which nearly every word is wrong. <strong>Google</strong> has removed the site? Where am I? Isn&#8217;t this <strong>Stop Badware</strong>? <em>Removed</em> the warning for this site? There never was one. And even if there <em>was</em> a warning at one point in time, people don&#8217;t need to be told that. This message is a bit like saying, &#8216;<em>So-and-so is a great guy! He doesn&#8217;t drink at all any more.</em>&#8217;</p>
<p>I applaud the Stop Badware service and the concept, and I look forward to the day when someone actually does a bit of usability research for them.</p>
<p><strong>P.S.</strong> Could we <em>please</em> do something about the term &#8216;badware&#8217;? It&#8217;s almost sickeningly patronising. Some might argue that terms like &#8216;virus&#8217;, &#8216;trojan&#8217; and &#8216;malware&#8217; are too arcane, but I say we should just pick one and stick with it, regardless of how accurate it actually is.</p>
<p>People know and (ab)use the term &#8216;virus&#8217;, so why don&#8217;t we get the geek-stick out of our lexical butt and just use it? It&#8217;s a virus. You&#8217;ve got a virus. Who cares what it is or how you got it. You got a virus and now your computer needs to be treated before you can use it safely again. Now, how hard was that?</p>
]]></content:encoded>
			<wfw:commentRss>http://scriptorum.imagicity.com/2008/05/08/stop-bad-err/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gooooolag</title>
		<link>http://scriptorum.imagicity.com/2008/03/17/48/</link>
		<comments>http://scriptorum.imagicity.com/2008/03/17/48/#comments</comments>
		<pubDate>Sun, 16 Mar 2008 22:57:02 +0000</pubDate>
		<dc:creator>graham crumb</dc:creator>
				<category><![CDATA[geek]]></category>
		<category><![CDATA[hard-core]]></category>
		<category><![CDATA[wonk]]></category>
		<category><![CDATA[cDc]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[goolag]]></category>
		<category><![CDATA[pwned]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>
		<category><![CDATA[Zone-H]]></category>

		<guid isPermaLink="false">http://scriptorum.imagicity.com/2008/03/17/48/</guid>
		<description><![CDATA[UPDATE: How wrong could I be about the severity of this threat? Very wrong, apparently. I haven&#8217;t confirmed it yet, but it&#8217;s hard to imagine how this week&#8217;s mass server hack could have happened without tools like the one described below. I&#8217;ll write more about this in this week&#8217;s column&#8230;. Heh, cute: Cult of the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>UPDATE:</strong> How wrong could I be about the severity of this threat? Very wrong, apparently. I haven&#8217;t confirmed it yet, but it&#8217;s hard to imagine how this week&#8217;s <a href="http://www.avertlabs.com/research/blog/index.php/2008/03/13/follow-up-to-yesterdays-mass-hack-attack/">mass server hack</a> could have happened without tools like the one described below. I&#8217;ll write more about this in this week&#8217;s column&#8230;.</p>
<hr /><p>Heh, cute:</p>
<p><strong>Cult of the Dead Cow <a href="http://www.goolag.org/pressrelease_20080304.txt">Announces Goolag Vulnerability Search Engine</a>.</strong><img src="http://gallery.imagicity.com/goolag.png" alt="goooooolag" width="450" />Once you get past the Chinese porn silliness, there&#8217;s a real story here:</p>
<p>Google&#8217;s effectiveness as a search engine also makes it an effective&#8230; well, search engine. Common website weaknesses are exposed by search engines such as Google, and anyone can access them by using specially crafted queries that take advantage of Google&#8217;s advanced searching capabilities. As the <a href="http://www.goolag.org/pressrelease_20080304.txt">cDc press release</a> indicates, there are approximately 1500 such searches published and readily accessible on the Internet. And now the cDc has built a(n a)cutely satirical web front end and are offering a downloadable desktop search application for Windows, giving script kiddies the world over something <em>else</em> to do with their time.</p>
<p>What effect has this had on website security? It&#8217;s difficult to tell. The principle of <a href="http://en.wikipedia.org/wiki/Google_hacking">using Google as a scanning tool</a> has been common knowledge since at least 2006, but according to <a href="http://www.zone-h.org/">Zone-H</a>, who record large numbers of website defacements every year, the only significant increase in website attacks since then was the result of an online gang war between various Russian criminal factions, back in 2006. Ignoring that anomalous rise in activity, the rate of attack actually fell slightly in 2007 compared to recent years, relative to the number of active websites.</p>
<p><a href="http://www.zone-h.org/content/view/14928/30/">Zone-H&#8217;s latest report</a> proves only that the percentage of insecurely configured websites scales on a roughly linear basis with the number of available websites, and that the choice of technology has almost no bearing on the likelihood of a successful attack. Indeed, most exploits are simple attacks on inherent weaknesses: guessing admin passwords or copying them when they&#8217;re sent in cleartext, misconfigured shares and unsafe, unpatched applications. Attacks requiring any amount of individual effort are not very common at all. Man-in-the-middle attacks rated only fifth place in the list of common exploits, representing only 12% of that total. But researchers have elsewhere noted that cross-site-scripting attacks are on the rise, and are being used mostly by spammers to increase the size of their bot nets.</p>
<p>The lesson here is fairly obvious: Making simple mistakes is the easiest way to expose yourself to attack. And search tools like Goolag make finding those mistakes remarkably easy. You won&#8217;t be targeted so much as stumbled across. Given the <a href="http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html">recent rise</a> in the number of websites being used to inject malicious software into people&#8217;s computers, spammers and other online criminals appear to have a strong incentive to use even the less popular websites to ply their trade.</p>
<p>Your choice of technology won&#8217;t save you, either. Most popular web servers are fairly secure these days and though not all server operating systems are created equal, the big ones have improved markedly. But the same cannot be said of the applications and frameworks that run on them. The old adage that ease of use is universal still applies. When you make things easy for yourself and your users, you are liable to make things easy for other, less welcome guests as well.</p>
<p>The lesson for the average website owner: Do the simple things well. Don&#8217;t waste your time trying to imagine how some intrepid cyber-ninja is going to magically fly across your digital alligator moat. Just make sure your systems are well-chosen and properly patched, pay attention to access control and treat authentication seriously. Statistically, at least, this will drop your chances of being <a href="http://en.wikipedia.org/wiki/Pwn">Pwned</a> to nearly nil, or close enough as makes no never mind.</p>
]]></content:encoded>
			<wfw:commentRss>http://scriptorum.imagicity.com/2008/03/17/48/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>#@)(!*^ing Encryption</title>
		<link>http://scriptorum.imagicity.com/2008/02/29/ing-encryption/</link>
		<comments>http://scriptorum.imagicity.com/2008/02/29/ing-encryption/#comments</comments>
		<pubDate>Fri, 29 Feb 2008 00:30:08 +0000</pubDate>
		<dc:creator>graham crumb</dc:creator>
				<category><![CDATA[geek]]></category>
		<category><![CDATA[journamalism]]></category>
		<category><![CDATA[soft-core]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[navajo]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://scriptorum.imagicity.com/2008/02/29/ing-encryption/</guid>
		<description><![CDATA[A few words about the title: The first seven letters are written using a very simple code, or cypher. Each of the letters in the original word is replaced by the non-alphabetical character to which it is closest on a US keyboard. The process of hiding a message by substituting other letters, numbers or symbols [...]]]></description>
			<content:encoded><![CDATA[<p>A few words about the title: The first seven letters are written using a very simple code, or cypher. Each of the letters in the original word is replaced by the non-alphabetical character to which it is closest on a US keyboard. The process of hiding a message by substituting other letters, numbers or symbols is known as encryption. When the code is reversed, the title reads ‘<strong>Explaining Encryption</strong>’.</p>
<p>But it also looks like swearing, doesn’t it? In fact, the use of characters like this to denote swearing is a simple (dare we say crude?) kind of encryption. A child too innocent to know such words derives no meaning from the random collection of characters. Someone well versed in the ways of the world, though, can add up the number of characters and quickly deduce what was intended.</p>
<p>On and off over the last two months, we’ve been looking at various aspects of online security. This week, we’re going to consider what steps we can take to make the information we send over the Internet secure from prying eyes.</p>
<p>We’ll also consider why it is that no one uses these measures, and why most of us won’t any time soon.</p>
<p>When you talk with someone over the Internet, it’s useful to imagine that you’re sitting down with them in a busy café. It’s not exactly a wide-open place, but it’s not very private either. As long as you keep your voice down – and as long as the waiter doesn’t eavesdrop – you have a reasonable expectation of privacy. Nonetheless, there are some things you simply would not say.</p>
<p>The Internet, unfortunately, has very few truly private places. It takes a great deal of effort to establish security strong enough to be guaranteed that nobody knows who you’re talking to, or what was said. It’s often easier to learn a few little tricks to make sure that no one understands what you’re saying, even if they can hear you.</p>
<p>One technique that works really well for some people is to speak in a language that nobody else understands. The US Army used this trick during the Second World War. They enlisted a number of Navajo Indians to work as radio operators. The Navajo language was not documented anywhere, and the US was confident that no one aside from the Navajo people themselves spoke the language, so they took advantage of this, and used them extensively to provide secure communications in places where going through a lengthy encryption/decryption process would cost lives.</p>
<p>That’s more or less what encryption is. It’s a newly-minted code (language, if you like) that only you and the computer at the other end of the link can understand.</p>
<p>The most common kind of encryption on the Web today is something called Secure Sockets Layer, or SSL. It uses a fairly simple process to establish a kind of a tunnel between you and the server you’re connecting to. The mechanics of the transaction are actually somewhat complex, but in layman’s terms, the process works something like this:</p>
<p>Joe wants to log into GMail. He goes to gmail.com and clicks on the login link. The server sends some information back to the browser that says, “I really am the server that he meant to click on. Here’s my ID. I want to talk to Joe privately.” The browser examines the ID and, provided it’s legit, cooperates with the server to invent a language that only the two of them understand. Joe can now talk with the GMail server without fear of anyone else understanding what’s being said.</p>
<p>Setting up something like this is fairly easy when each party in the transaction is known to the other. Public servers can obtain virtual ID cards, called certificates, which allow us to verify that someone else isn’t just pretending to be them. A good web browser will warn you before it establishes a secure connection with a server that isn’t trusted in this way.</p>
<p>The process isn’t foolproof, but it’s much better than nothing.</p>
<p>There are two big problems with encryption, though. First, it’s too easy. Second, it’s too hard.</p>
<p>When used in a web browser, the process of establishing trust between two machines usually happens without any intervention from the user. The idea is that it should ‘just work’. Developers went to very great lengths to find ways to make that happen. Unfortunately, that means that most people are never aware whether they’re sending their information securely or not, or whether the information is actually going where they think it’s going.</p>
<p>In effect, browser makers are victims of their own success. They were so good at hiding the complex process of establishing trust that they made it too easy for users to ignore security completely. In fairness, they have all worked hard recently to try to provide visual clues about the nature of the sites people visit, but many users remain oblivious to the warning signs when things are not as they should be.</p>
<p>So the most common kind of encryption is one that we use every day, but we never actually see. That’s possible because it’s based on knowing a given computer’s identity. Google is not likely to change from one day to the next; therefore it’s possible to infer that if it was trustworthy yesterday, it will be trustworthy tomorrow. It’s also well-known enough that we don’t have to rely so much on our own judgement as on the experience of others.</p>
<p>But what about those numerous occasions when someone whom you don’t know very well asks you to send them confidential information? Let’s say you want to send the results of a recent pregnancy test from the hospital in Australia to a doctor here in Port Vila. This is absolutely not the kind of information you would want to send out in the open. You wouldn’t paste such information onto the back of a postcard and send them that way, would you?</p>
<p>When you send information by unsecured email, that’s exactly what you’re doing. You’re relying on people not to let their curiosity get the better of them.</p>
<p>So why don’t we all use encryption then? The answer is very simple and very complex all at once.</p>
<p>The simplest way to explain it is that the process of setting up trust between two computers is a little complex. It’s not beyond the ability of an intermediate-level computer user, but it might take them a little while to get used to the process.</p>
<p>It’s just hard enough, however, to keep the majority of people from using it easily. And encryption is one of those things that’s kind of useless unless everyone can agree to use it, and to use it in the same way as everyone else.</p>
<p>The biggest problem is that we can’t see, touch or hear encryption, so software applications using encryption have to get in the way a little bit. They have to intrude on what would normally be a simpler process, asking questions, wanting confirmation for this or that. For many people, it’s disconcerting, even alarming to have their computer suddenly start talking about security using jargon they don’t understand.</p>
<p>We find ourselves caught in a bit of a dilemma. Most of the time, we’re happy with the notion of the Internet as a wide public plaza. We stroll around, taking in the latest sights, catching up on news, what have you. But occasionally we run into someone we really want to talk to, and lo, there’s no quiet place the two of us can go. The contortions required to establish your own special language for two require time, effort and knowledge, and most often there’s not enough of any of those.</p>
<p>Encryption is really the only useful way to protect what you send over the Internet from prying eyes. Given the number of prying eyes on the Internet today, it’s a shame that personal encryption techniques are so hopelessly behind the needs of the average computer user.</p>
<p>We’ll all use personal encryption some day, but that day is yet to come.</p>
]]></content:encoded>
			<wfw:commentRss>http://scriptorum.imagicity.com/2008/02/29/ing-encryption/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Idea: Personal Navajo</title>
		<link>http://scriptorum.imagicity.com/2008/02/29/idea-personal-navajo/</link>
		<comments>http://scriptorum.imagicity.com/2008/02/29/idea-personal-navajo/#comments</comments>
		<pubDate>Thu, 28 Feb 2008 22:53:13 +0000</pubDate>
		<dc:creator>graham crumb</dc:creator>
				<category><![CDATA[geek]]></category>
		<category><![CDATA[hard-core]]></category>
		<category><![CDATA[wonk]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[navajo]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://scriptorum.imagicity.com/2008/02/29/idea-personal-navajo/</guid>
		<description><![CDATA[Instead of exposing the painful ritual of public/private key exchange, software developers should instead be using metaphors of human trust and service. A &#8216;translator&#8217; service, for example. The user &#8216;invents&#8217; an imaginary language, then decides who among her friends is allowed to speak it with her. She then instructs her &#8216;translator&#8217; (e.g. her own personal [...]]]></description>
			<content:encoded><![CDATA[<p>Instead of exposing the painful ritual of public/private key exchange, software developers should instead be using metaphors of human trust and service.</p>
<p>A &#8216;translator&#8217; service, for example. The user &#8216;invents&#8217; an imaginary language, then decides who among her friends is allowed to speak it with her. She then instructs her &#8216;translator&#8217; (e.g. her own personal Navajo) to convey messages between herself and her friend&#8217;s translator.</p>
<p>(Only the personal Navajos actually need to speak this &#8216;language&#8217; of course. As far as the two correspondents are concerned, the only change is that they&#8217;re sending the message via the &#8216;translator&#8217; rather than directly, but even that is a wafer-thin bit of functionality once the channel is established and the communications process automated.)</p>
<p>Quick encryption, well understood, and easy to implement. Most importantly, you don&#8217;t have to explain encryption, public and private keys, or any other security gobbledygook to someone who really doesn&#8217;t want &#8211; and shouldn&#8217;t need &#8211; to hear it.</p>
<p><strong>Update:</strong> Of course, the greatest weakness to this idea is if Microsoft were to create an implementation of this and name it Bob.</p>
]]></content:encoded>
			<wfw:commentRss>http://scriptorum.imagicity.com/2008/02/29/idea-personal-navajo/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Coconut Wireless</title>
		<link>http://scriptorum.imagicity.com/2008/02/08/the-coconut-wireless/</link>
		<comments>http://scriptorum.imagicity.com/2008/02/08/the-coconut-wireless/#comments</comments>
		<pubDate>Thu, 07 Feb 2008 22:54:29 +0000</pubDate>
		<dc:creator>graham crumb</dc:creator>
				<category><![CDATA[geek]]></category>
		<category><![CDATA[journamalism]]></category>
		<category><![CDATA[soft-core]]></category>
		<category><![CDATA[coconut wireless]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://scriptorum.imagicity.com/2008/02/27/the-coconut-wireless/</guid>
		<description><![CDATA[Last week’s column introduced a broad but important topic about current trends in technology. Over the next few weeks, we’ll take some time to look in more detail about the issues of privacy and access to information. What are the current trends? How are they going to affect us here in Vanuatu? What can we [...]]]></description>
			<content:encoded><![CDATA[<p>Last week’s column introduced a broad but important topic about current trends in technology. Over the next few weeks, we’ll take some time to look in more detail about the issues of privacy and access to information. What are the current trends? How are they going to affect us here in Vanuatu? What can we do to mitigate the worst effects and maximise the best of them?</p>
<p>Before we go into detail, though, it’s important to establish a bit of context. We’ve already described how people often make the wrong assumptions about the level of privacy they enjoy when using computers and the Internet. But let’s look at this issue in more practical terms.</p>
<p>Everyone in Vanuatu knows what ‘Coconut Wireless’ means. It refers to the lively rumours that spread via word of mouth concerning anything – or anyone – of interest to people as they idle away their spare time. In small doses, it’s generally unreliable, but when information is amalgamated from numerous sources, an assiduous listener can gather a good deal of interesting (sometimes deliciously scurrilous) and surprisingly accurate information.<br />
The ability to benefit from such information requires a degree of skill. It’s important to understand one’s sources and to rank them according to their authority on a particular topic. You also need to know how to play the game. One never takes information without giving as well. Our most trustworthy friends receive the best, most detailed information, while those whom we don’t know – or don’t trust – often receive only vague allusions to the facts.</p>
<p>Sometimes, it’s convenient to spread information widely; sometimes it’s more politic to keep our own counsel and to repeat nothing at all. The system is therefore incomplete, erratic and occasionally wildly off-base. But every newcomer to Vanuatu soon comes to the realisation that it’s an important and remarkably efficient way to pass the news.</p>
<p>To this day, word of mouth remains the most common medium for transmitting the news. People listen to the radio for cyclone warnings and other critical items, but the vast majority of detailed information is transmitted face to face.</p>
<p>Recently, this writer’s employer decided to start offering Internet services through WiFi. The decision to name the service Coconut Wireless represented more than just a cute play on words. It accurately reflects the nature of the technology, its resemblance to age-old patterns of communication, and most importantly, the fact that this medium is a public one.</p>
<p>Computer users often go to great lengths to ensure that nobody can peek over their shoulder and watch what they’re doing. But they seldom think much about what happens when what they’ve typed is no longer on the screen. It’s a reasonable reaction, of course. Out of sight, out of mind.</p>
<p>If only it were that simple. Consider this story: Somebody sees a friend of theirs walking along the other side of the street. They smile and wave, as people here always do, and shout, “So blong yu olsem wanem?” (i.e. “How’s that nasty infection?”) It’s just a joke, of course, and the two of them laugh and continue on their way.</p>
<p>But everyone else has heard this exchange. Those who know the two don’t think anything of it, but what about those who don’t? Suppose someone has heard this exchange, then sees the recipient of the joke talking to a nice girl outside the church after service the next Sunday? Suppose they feel the need to inform this nice girl about her interlocutor’s dark secret?</p>
<p>The Internet is a public place. Any conversation we have there should be considered the same as a conversation in Port Vila market on a Saturday morning. The only difference is that the market only has a few hundred people present, whereas the Internet has millions and millions. There is always someone within earshot. Unless you take steps to hide what you’re doing, everything you do is out in the open, accessible to prying eyes.</p>
<p>Whenever you send information using the Internet, try to imagine that you’re having a conversation in a public place. That email you sent to your lover, detailing the ways in which you would unleash your unbridled passion when you were next reunited? Public. That forum you posted anonymously in, lambasting your employer? Public, and possibly traceable.</p>
<p>Wireless Internet services are even more ‘public’. Anyone with a mind to do so can watch every single byte being transmitted over such a network. You see, the only way to make such networks usable to the average non-geek is to open them up entirely. The moment you start to put protections on them – passwords and the like – they become cumbersome and awkward for someone who just needs to check their mail quickly, confirm a flight departure time, or chat for a few minutes in Skype.</p>
<p>It’s possible to talk quietly in a public place. It’s possible to have a private conversation using the Internet, too. Some effort and care is required, but it’s not so hard to do. All the rules that we apply to our conversations can be applied to computers as well. We can alter how loudly we speak, we can choose where to say certain things, we can choose who we talk to, and more importantly, who we talk near.</p>
<p>Here’s a simple exercise to help you better understand computer privacy: Whenever you write something, imagine you’re dictating it to a friend standing on the other side of the street. If you feel the need to cross the road and say something quietly, you should take measures to ensure that your message is transmitted safely, and only to the right recipients. If you don’t want to say it at all, and would rather whisper it in the privacy of your own home, then use encryption to hide the document from anyone but your most trusted friends and colleagues. We’ll talk more about how to do this in the weeks to come.</p>
<p>Every community has its prying busy-bodies, its gossip-mongers and tattle-tales. There is also the occasional fraudster or con-man who abuses people’s goodwill to his own ends. Most commonly, there are well-meaning but naive people who try their best to be useful to others but who don’t think enough about the consequences of their actions.</p>
<p>All of these exist on the Internet, too, of course. The only difference is that the numbers we meet in real life are dwarfed by the number we’ll encounter online. Spammers take advantage of our propensity to forward emails and sign up for ‘fun’ websites and services. They abuse our desire to build online social networks, and they steal from us when they can.</p>
<p>The governments of the US, China and many other nations are world-class busy-bodies. They record literally every bit of Internet traffic that crosses their borders. They store it, cross-reference it and use it to spot threatening patterns and trends. None of us in tiny, innocent Vanuatu are likely to be under suspicion, but nonetheless, consider that it might be unwise to shout “So blong yu?” too loudly.</p>
<p>In the majority, though, are the websites and services that mean well, but sometimes make mistakes. They gather all kinds of information about us in order that we can more easily find stuff that’s interesting and useful. They help us manage our time, our relationships, even our idle chatter and gossip. There’s nothing intrinsically wrong with all of this, but it’s useful to treat sites like this as a well-meaning but slightly stupid friend who doesn’t always know when to shut up. By all means keep talking, but consider that what you say might get misconstrued, or just blurted out without forethought.</p>
<p>The Coconut Wireless is a useful – even essential – tool here in Vanuatu. The Internet is essential to communications now, too. But don’t let the gadgets fool you: We’re still standing on the sidewalk, chatting to our friends, catching up on gossip and making plans to meet.</p>
]]></content:encoded>
			<wfw:commentRss>http://scriptorum.imagicity.com/2008/02/08/the-coconut-wireless/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Ghost in the Machine</title>
		<link>http://scriptorum.imagicity.com/2007/11/20/ghosts-in-the-machine/</link>
		<comments>http://scriptorum.imagicity.com/2007/11/20/ghosts-in-the-machine/#comments</comments>
		<pubDate>Mon, 19 Nov 2007 23:34:20 +0000</pubDate>
		<dc:creator>graham crumb</dc:creator>
				<category><![CDATA[geek]]></category>
		<category><![CDATA[hard-core]]></category>
		<category><![CDATA[wonk]]></category>
		<category><![CDATA[code-breaking]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://scriptorum.imagicity.com/2007/11/20/ghosts-in-the-machine/</guid>
		<description><![CDATA[In the most recent RISKS mailing list digest, Peter Neumann includes a brief article by Adi Shamir describing a method of exploiting minor faults in math logic to break encryption keys in a particular class of processor. Titled Microprocessor Bugs Can Be Security Disasters, the article makes an interesting argument. In fairly concise terms, Shamir [...]]]></description>
			<content:encoded><![CDATA[<p>In the most recent <a href="http://seclists.org/risks/2007/q4/0007.html">RISKS mailing list digest</a>, <a href="http://en.wikipedia.org/wiki/Peter_G._Neumann">Peter Neumann</a> includes a brief article by <a href="http://en.wikipedia.org/wiki/Adi_Shamir">Adi Shamir</a> describing a method of exploiting minor faults in math logic to break encryption keys in a particular class of processor.</p>
<p>Titled <strong>Microprocessor Bugs Can Be Security Disasters</strong>, the article makes an interesting argument. In fairly concise terms, Shamir outlines an approach that quickly circumvents much of the hard work in breaking private keys, no matter how heavily encrypted. He uses the RSA key encryption method in his example, probably out of humility. With even my limited knowledge of mathematics, I was able to follow the broad strokes of the approach.</p>
<p>Put most simply, if you know there is a math flaw in a particular kind of processor, then you can exploit that by injecting &#8216;poisoned&#8217; values into the key decryption process. By watching what happens to that known value, you can infer enough about the key itself that you can, with a little more math, quickly break the private key.</p>
<p>And of course, once you&#8217;ve got someone&#8217;s private key, you can see anything that it&#8217;s been used to encrypt.</p>
<p>This is in some ways a new twist on a very old kind of attack. Code breakers have always exploited mechanical weaknesses in encryption and communications technology. During the Second World War, code breakers in the UK learned to identify Morse code transmissions through the radio operator&#8217;s &#8216;hand&#8217; &#8211; the particular rhythm and cadence that he used. This sometimes gave them more information than the contents of the communications themselves. <a href="http://en.wikipedia.org/wiki/Ultra_%28WWII_intelligence%29">Flaws in the Enigma coding machines</a> allowed the Allies to break the device some time before Alan Turing and his early computers got their &#8216;Bombe&#8217; computer working efficiently:</p>
<blockquote><p>One mode of attack on the Enigma relied on the fact that the reflector (a patented feature of the Enigma machines) guaranteed that no letter could be enciphered as itself, so an A could not be sent as an A. Another technique counted on common German phrases, such as &#8220;Heil Hitler&#8221; or &#8220;please respond,&#8221; which were likely to occur in a given plaintext; a successful guess as to a plaintext was known at Bletchley as a crib. With a probable plaintext fragment and the knowledge that no letter could be enciphered as itself, a corresponding ciphertext fragment could often be identified. This provided a clue to message keys.</p></blockquote>
<p>These days, computing processors and encryption are used in almost every aspect of our lives. The risks presented by this new class of attack are outlined in <a href="http://seclists.org/risks/2007/q4/0007.html">fairly plain English</a> by Shamir:</p>
<blockquote><p>How easy is it to verify that such a single multiplication bug does not exist in a modern microprocessor, when its exact design is kept as a trade secret? There are 2^128 pairs of inputs in a 64&#215;64 bit multiplier, so we cannot try them all in an exhaustive search. Even if we assume that Intel had learned its lesson and meticulously verified the correctness of its multipliers, there are many smaller manufacturers of microprocessors who may be less careful with their design. In addition, the problem is not limited to microprocessors: Many cellular telephones are running RSA or elliptic curve computations on signal processors made by TI and others, FPGA or ASIC devices can embed in their design flawed multipliers from popular libraries of standard cell designs, and many security programs use optimized &#8220;bignum packages&#8221; written by others without being able to fully verify their correctness. As we have demonstrated in this note, even a single (innocent or intentional) bug in any one of these multipliers can lead to a huge security disaster, which can be secretly exploited in an essentially undetectable way by a sophisticated intelligence organization.</p></blockquote>
<p>I&#8217;m surprised that I haven&#8217;t seen much concern voiced about this class of attacks. Maybe I just hang out with an insufficiently paranoid crowd&#8230;.</p>
]]></content:encoded>
			<wfw:commentRss>http://scriptorum.imagicity.com/2007/11/20/ghosts-in-the-machine/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Black Smoke and Storm Clouds</title>
		<link>http://scriptorum.imagicity.com/2007/09/21/black-smoke-and-storm-clouds/</link>
		<comments>http://scriptorum.imagicity.com/2007/09/21/black-smoke-and-storm-clouds/#comments</comments>
		<pubDate>Fri, 21 Sep 2007 00:14:39 +0000</pubDate>
		<dc:creator>graham crumb</dc:creator>
				<category><![CDATA[geek]]></category>
		<category><![CDATA[journamalism]]></category>
		<category><![CDATA[soft-core]]></category>
		<category><![CDATA[bot nets]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[responsibility]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[storm]]></category>

		<guid isPermaLink="false">http://scriptorum.imagicity.com/2007/09/21/black-smoke-and-storm-clouds/</guid>
		<description><![CDATA[Every weekday morning, in every street in Port Vila, we see a steady stream of people walking into town. On the road beside them, innumerable buses and cars drive by, belching black smoke into their faces. Just as regularly, we see complaints in the local media about this smoke. But nothing ever gets done about [...]]]></description>
			<content:encoded><![CDATA[<p>Every weekday morning, in every street in Port Vila, we see a steady stream of people walking into town. On the road beside them, innumerable buses and cars drive by, belching black smoke into their faces. Just as regularly, we see complaints in the local media about this smoke. But nothing ever gets done about it.</p>
<p>Police and inspection officials don’t enforce the laws, and the drivers don’t make any real effort to clean up their act. Everybody knows they should. Everybody knows that this pollution causes health problems. Even the simplest metrics, like the dirt it leaves on our clothing, on our skin and under our nails, make it impossible to deny that there’s a problem. And yet we do nothing.</p>
<p>Why? The answer is simple&#8230;.</p>
<p>The driver doesn’t breathe his own black smoke. He doesn’t even see it. It’s behind him all the time. When he breathes black smoke from the truck in front of him, well, it’s not his black smoke. It’s someone else’s. Therefore it’s not his problem. Sure, a tune-up could make the bus run better, but the bus is running now, and tune-ups cost money.</p>
<p>Looking at it from a distance, the whole situation seems silly, but it’s common human behaviour to ignore bad things if they don’t have an immediate negative effect on the people doing them. It’s one of the reasons smoking and alcohol abuse persist – people don’t see the damage until it’s too late.</p>
<p>But what does any of this have to do with computers and IT? Just this: Our computers are belching a constant stream of ‘black smoke’. Odds are very good that your computer is guilty of it, too. It’s harming us and harming people elsewhere in the world. And we’re hardly doing a thing to stop it.</p>
<p>For most people, viruses are simply a fact of life. In the same way we assume that every sniffle or cough is an unavoidable part of everyday life in Vanuatu, we assume that our computers start out shiny, speedy and new, and then they gradually become sickly and slow. We accept it as inevitable when our email accounts eventually become so clogged with spam that they’re unusable.</p>
<p>These chronic infections have serious consequences. The fact that people’s computers run more slowly, or that the Internet connection gets clogged – these are just side-effects of something far more insidious. Trojans, spyware, viruses – call them what you like – they are all designed to steal your money.</p>
<p>Okay, maybe not your money in particular. At least, not yet. The vast majority of computer users in Vanuatu don’t use the Internet to buy and sell things. Few even use online banking services. Even if they wanted to, they couldn’t give their money to the criminals who write this rubbish software. But that’s going to change. It won’t be long before we start performing transactions over the Internet, and when we do, the risk to us will, relatively speaking, be greater than the average person in the developed world.</p>
<p>The loss of a hundred dollars from a bogus transaction is fairly easily written off by the average Sydney dweller. Even losing the entire contents of their bank account is not necessarily disastrous. Currently, those ni-Vanuatu who are online on a regular basis represent the most privileged elements of Vanuatu society. But even they can suffer when their income or resources drop by the smallest amount. The prospect of financial loss for someone operating a micro-business in the outer islands is much, much worse.</p>
<p>Just like the Monday morning bus-driver driving by, oblivious to the gouts of smoke pouring into his neighbours’ faces, we allow our computers to pollute the common space, making things more difficult and dangerous for everyone. Even when we see the effect that this software has, we don’t recognise it as our problem.</p>
<p>Most of us don’t see the problem at all. We assume that computer viruses are inevitable. We assume that Internet service is unreliable and slow, and put all the blame on TVL, our favourite whipping boy. We just assume that computers need to be wiped down and re-initialised from time to time. We accept anti-virus and anti-spyware software slowing down our computers and complicating our lives as a fact of life. We don’t recognise the black smoke even though we’re surrounded by a cloud of it.</p>
<p>Here’s a well-kept secret: None of this is necessary. Viruses are not inevitable. Computers don’t slow down on their own. Relying on anti-virus software is like taking antibiotics every day instead of cleaning our food. Internet service here in Vanuatu would be vastly better if we made even a nominal effort to limit the garbage we spew over the wire.</p>
<p>In the past, rubbish software was more a nuisance than anything else: A few hours downtime, a computer with ugly, embarrassing porn pop-ups, email inboxes chock-a-block with viagra ads and the like. But the stakes are starting to get serious now.</p>
<p>The problem is that online crime is remarkably profitable. Global income from illegal online activities is estimated to be in the billions of US dollars now. Some have even speculated that it’s comparable to money earned through the international drug trade. While this is probably an exaggeration, it underlines an important point: More and more often these days, the people who stuff our emails full of ads for pills are the same ones who sell heroin, supply the sex trade and profit immensely from it all.</p>
<p>Online crime is very attractive to criminal enterprises like the Chinese triads and the Russian Mafia. It’s much safer, requires less effort, and they make more money per dollar invested than they do in just about any other activity. Why run the risk of being arrested at a border crossing with drugs when you could stay at home hacking credit cards or just fooling innocent people into sending you the money themselves? Even if you do get arrested, it’s only ‘white collar’ crime. The absolute worst that happens is you get a slap on the wrist. Cyber-crime has really got their attention, and they’re beginning to invest.</p>
<p>One particular group in Russia has gained control over a network of infected computers that numbers somewhere between about 2 and 10 million individual PCs, according to recent estimates. Known as the Storm bot-net, this vast army is coordinated through a remarkably sophisticated command-and-control system that allows the controller to send massive amounts of spam. Recently, researchers have spotted the Storm net being used for other purposes. It was used to take the entire Estonian Internet service down for days. It’s also being used to crack valuable passwords. This development really worries people because Storm’s masters control more raw processing power than any known super-computer in the world.</p>
<p>These are our PCs. We are helping others steal money and ruin what would otherwise be a much nicer Internet. This is our black smoke. Until we learn to recognise it and accept responsibility, we will continue to be engulfed by it. Rest assured that unless we do something it will get worse before it gets better.</p>
]]></content:encoded>
			<wfw:commentRss>http://scriptorum.imagicity.com/2007/09/21/black-smoke-and-storm-clouds/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

