Level field for online games and hidden agendas

Security often makes for a convenient excuse for hidden agendas. An article from Gaming Today looks at the possibility of officially sanctioned modifications to the Xbox 360 gaming console and concludes on a pessimistic note. Quoting a group manager from the XNA initiative:

“I’m a little disturbed when I think about other systems and people using what we call native code – code that goes right down to the metal – and then allowing people to run script mods on top of that without the right security measures. It could be really dangerous.”

This is no doubt a thinly-veiled reference to the Sony PlayStation 3, which makes it very easy to install a different operating system: it’s there on the UI. Is that a dangerous security vulnerability? To answer that question, a different question must be posed: security of what? Dangerous to which persons?

It is well-known that one of the reasons for trying to lock down the hardware is that the consoles are sold at a loss. The revenue from games and additional services is expected to recoup that loss and move into the black on the balance sheet. If users could install Linux on the console, then they would have simply acquired a very capable general purpose computer on the cheap and opted out of the gaming ecosystem. This is a security problem all right, but it is the security of the revenue stream. It is not about user data.

Once that is acknowledged, the discussion quickly turns to the other bogey-man: cheating at online games. This is about to become the fifth horseman of the digital apocalypse, riding on the coat-tails of rampant P2P content piracy. Stopping piracy was one of the arguments for closing down the open PC architecture and replacing it with the Trusted Computing Group vision, where remote attestation capabilities would force users to run the “approved” software. Preventing cheating at online games falls into the same category and has also been used as an example of the benefits of attestation. If all the users in a multi-player game can prove they are running the official game software, instead of one tweaked and perhaps modified with cheating aids, the playing field is leveled. The same argument could be made in favor of locking down gaming consoles. Unofficial software can give the player an unfair edge; by design, each player’s computer receives a lot of information that the game keeps hidden, such as the location of other players. A modified client would not respect the rules of the game and could “see through walls” so to speak. Gary McGraw has done a lot of work on exploiting online games such as Second Life. This is an example of what happens when game modifications are easy (because the software runs on a PC) and the designers failed to appreciate the fact that the user’s machine is outside the trust boundary.
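The trust-boundary point above, as an added example that is not from the original post or from any game's code: a server that sends every position and relies on the client to hide what is behind walls, next to one that decides visibility itself before sending. The map, player names and function names are constructed for illustration.

```python
# Added illustration, not code from any real game. Map, names and functions are constructed.
GRID = [
    "#######",
    "#...#.#",
    "#...#.#",
    "#.....#",
    "#######",
]
# Authoritative positions held only by the server: name -> (row, col).
PLAYERS = {"alice": (1, 1), "bob": (1, 5), "carol": (3, 1)}

def line_of_sight(a, b):
    """True if no wall cell lies strictly between cells a and b."""
    (r0, c0), (r1, c1) = a, b
    steps = max(abs(r1 - r0), abs(c1 - c0))
    for i in range(1, steps):
        r = round(r0 + (r1 - r0) * i / steps)
        c = round(c0 + (c1 - c0) * i / steps)
        if GRID[r][c] == "#":
            return False
    return True

def naive_snapshot(viewer):
    """Sends everything and trusts the client to hide what is behind walls."""
    return dict(PLAYERS)

def filtered_snapshot(viewer):
    """Sends only what the viewer may see; the check runs inside the trust boundary."""
    me = PLAYERS[viewer]
    return {n: p for n, p in PLAYERS.items() if n == viewer or line_of_sight(me, p)}

def leaked(viewer):
    """Names a modified client could read from the naive snapshot but should not see."""
    return sorted(set(naive_snapshot(viewer)) - set(filtered_snapshot(viewer)))

if __name__ == "__main__":
    for name in PLAYERS:
        print(name, "sees", sorted(filtered_snapshot(name)), "| naive leak:", leaked(name))
```

With the filtered snapshot a modified client has nothing hidden to reveal, because the server never sent it.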

This becomes the last refuge for arguing that modifications to a console pose a security threat. But even this is qualified: a user modifying their console at home is not a threat to the gamer ego of anyone else until they connect to a multi-player game. In that case the problem could have been framed as detecting modded consoles as opposed to preventing modifications in the first place, which also happens to be an easier problem.

cemp

Giga-pixel aerial imaging

Courtesy of a Google News Alert on the keyword “surveillance.”

Semi-professional digital SLRs have recently broken the ten megapixel barrier and very high-end models reach upwards of twenty MP. Impressive for printers, but they cannot even approach the gigapixel sensor described in this article. Don’t expect to find it at the local electronics retailer: it is designed for ISR (intelligence, surveillance, reconnaissance) applications. In other words, this is the next generation eye in the sky. Mounted on a gyroscopically stabilized platform with 6 axes, this system boasts four focal planes with 92 five-megapixel sensors on each to provide a sixty-degree field of view at a resolution of 15cm on the ground. Dubbed ARGUS-IS, the design is as much an information processing marvel as it is an optical one: those sensors generate vast amounts of data, carried around by the same type of fiber-optic cables comprising the Internet backbone and compressed on board the airplane before being transmitted to the downlink through a broadband channel approaching 300 Mbps.

If the trickle-down effect holds for surveillance technology, there will be some traces of this in consumer electronics one day.

cemp

Cross-platform vulnerabilities: revisiting the mono-culture risks

One of the CNet articles covering the 2008 RSA conference makes a new point about the competitive standing between the different operating systems: namely it may not be the OS itself that matters at this point. The author Tom Krazit argues in “Mac Security Not So Much About the Mac” that as the operating systems have been hardened, threats moved up the stack to applications running on top of the platform, which are often written by vendors with no connection to the OS vendor:

“At the CanSecWest conference, no one was able to take control of three laptops in play (the MacBook Air, a Fujitsu running Windows Vista Ultimate, and a Sony Vaio running Ubuntu) when attacks were confined just to the operating system. But Miller’s Safari exploit, and the Flash flaw later exploited by Shane Macaulay, Derek Callaway, and Alexander Sotirov on the Vista laptop, show how security threats are now much more focused on the browser, rather than the operating system.”

The comparison is not quite accurate because Safari is written by Apple and distributed aggressively, including the recent 3.1 update forced on all Windows iTunes users who may have expressed no interest in having yet another web browser. Flash on the other hand is now associated with Adobe after its acquisition of Macromedia. No connections to MSFT there, and in fact they are arguably competitors. (Over the years, Flash emerged as a successful new platform on top of web browsers for delivering rich client experiences; something Java attempted with much fanfare before it flamed out and Sun re-focused its efforts on the enterprise market. More recently MSFT has positioned Silverlight as an alternative to Flash to regain developer mind-share.) Safari is a part of the Apple platform as much as Internet Explorer is rightly considered a part of the operating system; the latter was a central argument in the bundling question from the DoJ anti-trust trial of the late 1990s. This would not be the first time that Flash caused problems; for example, its deliberate opening of backdoors in the same-origin policy and flawed implementation of controls for the backdoor (namely the well-documented over-zealous desire to see a cross-domain policy in any conceivable piece of random data) led to significant problems for web sites in the past.

Still there is an interesting connection between this observation and the mono-culture argument from 2003. Flash-back: a group of security professionals including Bruce Schneier, Dan Geer and Peter Gutmann co-authored a position paper titled Cyberinsecurity: cost of monopoly. Subtitled “How the dominance of Microsoft’s products poses a risk to security”, the paper argued that having one operating system running on a large number of machines created a single point of failure that provided attackers with an easy way to take out a large fraction of infrastructure by exploiting just one vulnerability. No good deed goes unpunished: Geer was summarily dismissed (“promoted to customer”) from @Stake, which at the time had a business relationship providing auditing and penetration services to Microsoft.

Machines getting 0wned thanks to cross-platform extensions such as Flash pose a challenge for the mono-culture argument. After all, one of the benefits of Flash, like its predecessor Java, is the ability to write portable code that works in any web browser on any platform. But this also opens up the possibility of cross-platform vulnerabilities. Not all of the code for Flash will be shared between, say, a Mac/Firefox version and the Windows/IE7 version. But at least some critical components are: for example, bugs were recently discovered in the regular expression engine affecting all platforms. The irony is that even when the installed base of operating systems is diversified, a middle-layer designed to bridge the differences between these platforms will create similar risks as a mono-culture. The existence of such a middle-layer is guaranteed by market conditions, whether it is Java, Flash or Silverlight. It is not economical for developers to target code to every possible hardware, OS and browser combination. An intermediate layer gives up some power and expressiveness that could have been achieved with code “native” to a specific platform, but in return promises greater reach across all platforms. The mono-culture argument taken to its logical conclusion would suggest not all users must have Flash: some should have Silverlight only and perhaps others rely on Java for rich-client experiences. (It’s not enough to also install the others, since the presence of the extension is enough to make it exploitable.) At this point it is running against market dynamics.

cemp

Clean coal, 2+2=5 and other delusions

The public relations salvo against global warming legislation is already underway, even before any concrete proposals were introduced in either the House or Senate. The Washington Post notes that a group backed by the coal industry is spending $35M on a new ad campaign in primary and caucus states to spread the message that coal is a clean fuel. With the appropriately Orwellian name of Balanced Energy Choices (similar to how the campaigns against raising fuel economy standards used to be called “Concerned/Anguished/Distraught Citizens for Vehicle Choice”) the TV spots use the catchy image of a power cable being plugged into a lump of coal. True enough considering that 50% of US power generation capacity comes from coal, and it is the one fuel that the world is not in any danger of running out of anytime soon. The remainder is at best disingenuous: as the Post article points out, the definition of “clean” conveniently excludes carbon emissions.

Strangely the message has not made it very far online: Googling for clean coal will not return any top matches related to the slick campaign website and the commercial itself that praises the virtues of energy security. Not even a sponsored result. Instead the collective wisdom of the web responds with a balanced perspective on technologies such as IGCC that promise to extract comparable energy with a fraction of the emissions associated with directly burning the fuel. One of the hits points to an article from last year’s Sierra Club magazine and another one on the second page finds a blistering indictment of the concept from the Washington Post op-ed side. That’s not exactly a success story, considering the commercial spots were produced by the same company responsible for the “what-happens-here-stays-here” themed advertising for Las Vegas.

cemp

The future of diesel: still cloudy

Treehugger looks at the possibility of diesel becoming more popular in the US for mainstream automobiles. After a bad experiment in the 1970-80s, diesel cars were relegated to niche status with only a handful of manufacturers, most notably Volkswagen, continuing to produce them for passenger cars. Many diesel models manufactured for sale in Europe were never imported stateside, and large trucks for commercial use remained the primary application owing to better fuel-economy, reliability and cost factors. As diesels progressed far beyond their bad reputation for noise and soot, environmentalists continued to gripe about this state of affairs. Some continued to pin their hopes on a diesel revival for reducing carbon emissions and because these engines can be converted to run on biodiesel mixtures, including 100% blends of used vegetable oil. The occasional success story, no matter how far removed from the mundane world of passenger cars, such as Audi winning the 24 Hours of Le Mans in 2006 with a diesel race car, kept these hopes alive.

But the current prospects are not good. California tightened emissions standards related to sulfur in diesel, which restricts the type of fuel that can be used legally. More importantly the price difference between gasoline and diesel inverted: it is now more expensive to buy diesel. This was an abrupt change.

“Over the past year, the average price of diesel in America has risen by 117%—twice as fast as petrol. While both carry the same taxes in America, diesel now costs 60 to 70 cents a gallon more than regular gas. […]”

At least some economists are expecting this to increase to the point of canceling out the improved mileage from a pure cost point of view. (Reduced carbon emissions remain as a benefit.) Meanwhile the cutting edge for high efficiency vehicles appears to be concentrated on gasoline-electric hybrids or fully electric vehicles, even though a few diesel-hybrids are in the works. Diesel just may become another Betamax: a better technology whose time never comes because of market quirks.

cemp

E-voting: how not to save money with IT

White-papers are full of case studies on how the judicious use of information technology can help organizations achieve more with fewer resources. Unfortunately for the state of Maryland, their brief experiment with electronic voting and Diebold touchscreen devices will not be one of them. My friend Kim Zetter has recently published a new article over at the Threat Level blog about the aftermath of the Maryland debacle. Sanity prevailed after a brief experiment with touch-screen voting that basically catalyzed the movement against direct recording electronic (DRE) machines and catapulted Diebold into the national limelight as the #1 enemy of fair elections. The state has gone back to optical scan machines, while the expensive equipment gathers dust but Diebold continues to collect on the maintenance contracts for equipment that is only trustworthy enough for electing the high-school mascot.

One of the interesting points in the article is that the machines are high maintenance. Quoting Rebecca Wilson of the Maryland-based advocacy group SaveOurVotes.Org:

“They take up huge amounts of warehouse space in warehouses that need to be air-conditioned,” she continues. “They have to recharge the batteries every six months. And (yet) we only haul them out about once a year (for elections).”

According to their estimates, the state will have spent close to $100M of taxpayer money by the time the dust settles. This is on average an increase of over 150% per voter across the board. For certain sparsely populated counties, it is close to an order of magnitude higher. Here is one IT deployment aspiring MBA students will not be reading about in their case-studies on cost cutting.

cemp

Making sense of identity management statistics

There are lies, statistics and identity management figures.

Are there a quarter billion OpenIDs? That would be the conclusion suggested by an announcement from the OpenID website two months ago. How many of those users have actually used the OpenID protocol even once when authenticating anywhere? For that matter, what percent even know what an OpenID is? This has been a major problem with any identity system that spans multiple sites. Users at this point have been trained to lower their expectations, and come to terms with islands of disconnected identity: each username/password works on one website only. Any system where users can authenticate to more than one relying party is confronted with the challenge of explaining this to users. (For example: “If you have a Hotmail or Messenger account, then you have a .Net Passport.”)

Does having 50% of desktops with CardSpace bits represent a tipping point for the technology to magically take off? By this logic, passwords ought to have been about as archaic as the vinyl record because nearly 100% of desktops have supported TLS client authentication and smart-cards since 2000. Even if we disregard Firefox and its PKCS#11-based interface and focus on IE running on Windows only, that is over 80% of all consumer PCs. Why isn’t everyone authenticating with digital certificates as the PKI vendors have prophesied for the past decade?

cemp