Understanding the Real Threat (NY Times Editorial)

Today the New York Times Opinion pages offered an editorial titled ‘Combating the Real Threat to Election integrity’. Authored by the Times Editorial Board the essay has two faults. One is that it continues to pile on the story that the Russian Government is responsible for cyber attacks aimed at the United States electoral system. The second perhaps more glaring fault is that the United States Federal government should somehow pay for securing the voting infrastructure to be used in future elections.

The Times Editorial Board attribution of various cyber attacks to the Russian government is just plain wrong. While various unnamed sources in the United states Intelligence Agencies (we are told by the US Media) have evidence that the Russian Government is responsible for these attacks; I’ve not read any report from any credible Internet security specialist that ca provide hard evidence to back these claims.

Suggesting that the US Federal government pay to secure the electoral system is wrong. A vote is the right of every US citizen. Sadly, slightly better than half choose to exercise this right. However the US voting system is structured so that citizens vote where they live. Local election officials should bear the responsibility of securing elections. Providing them with financing care of the Federal government is a mistake in that those local officials would not be accountable to the source of the funds. Local election officials and local governments should bear the cost of securing the vote and be accountable to local citizens.

What is needed from the US Federal government are standards regarding cyber security and the electoral process that local election officials can both understand and implement.

The State of Internet Privacy? In Shambles. Moving on.

Many would consider me an Internet Old Timer. I used ‘The Internet’; then ARPAnet back in the days when I worked as a Software Engineer for a US defense contractor. Securing communications and having confidence in message integrity; both in the identity of the sender and in the integrity in the content have always been important if not vital to communications over the Internet. I was struck by this blog post in part because I have heard of Filippo’s work but most of all because I completely agree with his message.

Digits that Define Your life? Look at your Cellphone.

It’s always interesting when a technology story makes the front page of the Sunday New York Times. On this day ‘Your trusty Cellphone Number: 10-Digit Code to Trove of Secrets’ by Steve Lohr grabbed mu interest from the lower left corner of the paper. Lohr writes an interesting and well researched article about about the use of an individual’s cellphone number effectively not only taking place of another more sensitive value (the social security number). Lohr also points out that the importance in communications (as people move away from landlines) as well as a means of creating a numeric index.

The article references a second line service available for smart phones; a free application called Line 2. Computerworld’s Rick Broida wrote a good review of second line services in May of this year. That article features a comprehensive comparison chart that included services such as Google Voice, Sideline, and eVoice in addition to Line 2.

1Password & Chrome on the Mac: “code signature could not be verified”

Over the past two weeks I’ve noticed that on my iMac 1Password and Chrome have not been playing nice together. When i try to use 1Password to fill in passwords in Chrome I’m seeing the message “code signature could not be verified” pop-up. In typical 1Password fashion the message includes a link to the troubleshooting guide with steps that need to be taken to resolve the problem. I thought I ran this down twice or three times. Was it my AV? Was it a needed login? Was it a needed update? It turns out the fix was incredibly simple. Chrome had gotten stuck on a version upgrade. Opening up Preferences from the Crome menu you need to look at the ‘About’ section. My instance was not up to date. The fix was easy; I just selected ‘Relaunch’ from that same menu. Problem solved.

Websites Intentionally Disabling Password Managers

It wasn’t just me. The folks at Wired have noticed that some web sites are not really very password manager friendly.

I travel fairly often. Lots of that travel is for work but I do get around on personal business and to get away. One of my go to sites for travel is Hilton dot com. I’ve been a Hilton customer for a long time. I like their hotels. I think they treat me well where ever I go. This isn’t an advertisement for Hilton; your mileage (and accommodations) may vary.

When you sign in at the Hilton site you typically see a prompt for a user name and password along with a check box for ‘remember me’; where the site drops a site cookie to your browser. This window also has ‘forgot your sign in’ and ‘register for site’ dialogues.

The annoying thing is that Hilton has added a check to see if you are a robot. It seems like if the cookie isn’t found in your browser, the site will add a robot test to see if the session has a user attached. I found the test usually involves matching text to pictures. The annoying thing about the test is that if you often clear cookies (like many security researchers and I do) you’ll run into this robot check more often than the general public (many of whom unknowingly tolerate cookies).

If I use my password manager this test comes up after that software has filled in the username and password fields and submits that data; so my login fails. Once that fail happens I have to complete the form and the robot test manually and then submit.

It is mildly annoying but I’m still spending lots of time at Hilton properties.

Respect and the Internet

Perhaps my lowest moment as a user of the Internet came years ago. Until recently if you searched for me by name on Google and used the keyword ‘Firewall’ you’d see at the top of the search list a reference to an email exchange I had with some anonymous Internet user back in the early 2000’s. This person was on a Firewall mailing list and making assertions about the Cisco PIX Firewall. At that time I worked for Cisco and worked closely with the PIX team. This person made the statement that ‘the PIX ran Linux’. I responded that it did not. This person then went on to tell everyone that it did and stated some incorrect reason. I reasserted that it did not. This went on for several messages. Finally in a moment that I wish I could take back I wrote that this person “did not know what they were talking about”.

While that may not sound harsh; I escalated the level of confrontation in this conversation. The other party didn’t just have the facts wrong about the PIX. They didn’t know what they were talking about.

As I write this; what I did doesn’t sound so bad. It was. At that time the Firewall community was smaller and the list this appeared on was important. What I did was step down to a level lower than I was comfortable with. I wouldn’t have said this if the person was in front of me or even on a conference call. I didn’t hide behind a false pseudonym; I had attached my up until that point good name to this message. Other people saw this and commented back to me that I should not have ‘lost it’.

This was ages ago in Internet time. Since then my son has grown up on the Internet and I’ve heard way, way worse coming from the speakers attached to our Playstations and xBoxen. I rarely read the comments associated with news articles for the same reason. Because we allow anonymity in many forums and don’t require people to attach their real name to their comments; we are left with often vile filed and worthless comments and diatribes.

What I learned from that exchange was an important lesson about respect. Both respect for other’s and self respect. I had stooped low. I should ‘t have. I’ve learned that on the Internet it’s better to be silent than disrespect another user whether they are anonymous or not. I now know better that these type of exchanges are too often meaningless in that they don’t change anyone’s mind and only serve to lower other’s opinions. I learned that I have more self respect than that.

Surveillance Law from Standford University via Coursera

In the past week I completed the work for the first MOOC (Massive Open online Course) that I’ve ever taken. The course was Surveillance Law which I completed via Coursera. Let me start by saying that this course was fantastic. The presenter, Jonathan Mayer from Stanford did a great job delivering a series of short lectures that introduced and discussed US surveillance laws from technical and legal perspectives. The readings were great on that Mayer and the course team choose great materials but also advised participants when to read and when to skim. The lectures and materials covered topics and news that happened just weeks and months ago; so the overall course was tremendously relevant and informative.

The discussion forums in a MOOC can be pretty daunting. There were many, many people participating. I read a number of messages and threads that I felt were off topic and became less interested in participating there. I regret that now as I later learned that a number of regional, online (Google hangouts?), and over the phone study groups formed. I would have liked to participate in one of those. The constant “we’re screwed’, ‘the government is watching us’ attitudes expressed and off topic back and forth in some (many) of the discussions had turned me off. I realize now they turned me off too soon.

Among what I thought were the highlights of the course:

– How to Read a Legal Opinion, A Guide for New Law Students by Orin Kerr was a fantastic read. Thank you.

– Liberty and Security in a Changing World, Report and Recommendations of The President’s Review group on Intelligence and Communications Technologies. I had seen and read this document before but i reading it again in contect with the lectures i got so much more out of it.

– Jonathan’s great red t-shirt

– An archive of all of the course lectures appears on Youtube!

I would highly recommend this course to anyone interested in criminal justice or surveillance law. I’d also highly recommend Jonathan Mayer as a course instructor.

Security Via Fingerprint Versus Pass Code

A topic of much discussion of late has been reporting about a Virgina court ruling involving access to a data stored on a phone. In this case a man was charged with assaulting a woman and evidence of the crime was believed to have been recorded. A video of the assault was suspected of being stored on the man’s phone. Prosecutors sought a court order to force the defendant to unlock his phone so they could search it for that video.

The judge in the case ruled that the defendant providing a pass code would be divulging knowledge that could incriminate themselves. The defendant giving investigators that pass code would provide access to data on the phone that could incriminate the defendant. The judge ruled that defendant did not have to provide the pass code given their right against self incrimination as described in the fifth amendment to the U.S. Constitution. But the judges ruling didn’t end there.

The judge ruled that giving police a fingerprint is akin to providing a DNA or handwriting sample or an actual key, which the law permits. The FBI description states:

Fingerprints vary from person to person (even identical twins have different prints) and don’t change over time. As a result, they are an effective way of identifying fugitives and helping to prove both guilt and innocence.

The US Marshals Service maintain a page dedicated to the history of fingerprints noting that the first systemic use of the technology was the NY State Prison System in 1903.

It is interesting that as fingerprints are ‘something you are’ like other identifying characteristics such as skin, eye, or hair color; and unlike a pass code (or social security or drivers license number) or ‘something you know’ you cannot withhold your fingerprint from law enforcement personal seeking to determine your identity.

Google to Prioritize Secure Websites

BBC News is reporting today that Google has updated their search engine algorithm to provide a higher rank to websites that use HTTPS. The web news site Gigaom explains further that the algorithm identifies web sites that use HTTPS / TLS and uses it as a ‘light factor’ that impacts less than 1% of global queries.

New Apple Guidelines Explain What Data the Company Will Provide to Law Enforcement

ars technica has a great article that explains recently published Apple guidelines regarding what customer data the company will provide to law enforcement. Reviewing and understanding Apple’s position is important as the companies consumer devices such as the iPhone, the iPad, and Mac computers running OS/X readily provide users the capability to use both local and cloud storage for data.

The guidelines that are referenced in the ars article were posted by Apple under the heading “Legal Process Guidelines for U.S. Law Enforcement” and were released on May 7th, 2014.

Brian's End of the Internet

Ramblings that the whole world can see!