Sleepycatz

Security through absurd obsurity?

Those who know me know I have a problems with the notion of security through obscurity — the idea that one can achieve some measure of real security by hiding the item or knowledge which needs to be protected. As a security measure, obscurity has been around since man first hid from a predator. It has never been a consistently successful strategy. The pilfered tombs of the Pharaohs illustrate that no matter how cleaver or determined one is to hide something away, an equally cleaver thief will eventually find the treasure. That the most guarded secrets of the cold war usually flowed between adversaries in a matter of weeks speaks to the ineffectiveness of obscurity when confronted with a determined and resourceful foe. Nonetheless, obscurity remains with us as a natural response to threatening situations. The desire to protect ourselves, or our possessions, immediately invokes the evolutionary response to hide from threats.

I was fascinated to read a recent NY Times article on the obscurity devices of Aya Tsukioka. Ms. Tsukioka has created camouflaging fashions for Japan’s urban dwelling population. Though violent street crime is down in Japan sensationalist news reports have created an air of fear among city dwellers. Among Ms. Tsukioka’s inventions is a skirt which allows the wearer to disguise oneself as a vending machine:

The wearer hides behind the sheet, printed with an actual-size photo of a vending machine. Ms. Tsukioka’s clothing is still in development, but she already has several versions, including one that unfolds from a kimono and a deluxe model with four sides for more complete camouflaging.

Other creations by Ms. Tsukioka include a purse which can be disguised as a manhole cover — presumably to be thrown into the middle of the street when the carrier feels threatened — and backpack which allows a child to disguise her/himself as a fire hydrant.

There is something more then a bit disturbing with the idea that women and children should need to take on the appearance of common inanimate urban objects in order to protect themselves. Certainly it can be argued that historically these two groups have been objectified in this manner for thousands of years, and the need/desire to obscure the body in this manner is a reflection of a conservative cultural mindset. Fear, in general, tends to evoke the most primitive of responses in the human mind. The response suggested by Ms. Tsukioka’s creations is that we need to hide our humanity until the fear passes. I couldn’t disagree more.

DHS Deceit

For the past couple of weeks some friends and colleagues and I have been discussing a CNN story on the vulnerability of SCADA controlled generators. The story fed to CNN by the DHS is that power generators, under SCADA control, can be destroyed via cyber attack by telling or tricking the PLC into over-cycling the generator and thus adversely effecting the local or national power grid . After some discussion, most of us have decided that the story is largely bunk. Even if we ignore the fact that the generator shown in the DHS video appears to in the ~1500 kW size range (significantly smaller then the multi-megawatt generators used for local or regional grid generation), the idea that a critical piece of power generating equipment would lack a something as simple as a mechanical governor - an 18th c. technology - let alone an electronic one to prevent the system from operating beyond safe levels seems patently absurd. An electrical engineering friend has suggested that the current steam turbine generators used by utilities do not currently include deep levels of automatic systems — so any such attack on a utility could never effect online turbine speed. Additionally, even if such a vulnerability did somehow exist is would be very simple to insert PLC programming which did not allow for the system to run out of tolerance.

So why would DHS release such a report — we know why CNN engages in fear mongering where ever it can. The purpose seems to be alluded to near the end of the piece where CNN explains that the DHS cyber-security budget is a scant 100 million dollars. The goal here seems to be to get people riled up to pressure congress to flood DHS with more money. As fear-mongering coup de grâce, CNN finds someone to say that Iran has the same generators, SCADA systems, and passwords as those used in America. This is so appallingly absurd and transparent it simply causes my head to spin.

The problem is, that there are security concerns with SCADA systems and the desire of managers to save money and place them on an Internet connected network. The problems though instead of being related to evil cyber-terrorists are much more mundane. Such as the effect of Viruses, Trojans, and Denial of Service Attacks on these systems. If a virus should interrupt communications with a water filtration control system, for instance, this could cause response problems leading to some contamination. Fighting viruses, however, does not get you billions in taxpayer funding. Nowadays only the most fearful scenarios get the money — regardless of merit.

Very Cool

The worldwide lack of potable water is one of the least covered crisis facing man. Michael Pritchard, of Ipswitch UK, decided to do something about it after watching coverage of the great tsunami of 2004 and hurricane Katrina in 2005. Mr. Pritchard was shocked that people had to wait for days to receive potable drinking water. He set out to invent a portable, chemical-free, filtration system; and viola the “Life Saver” bottle was born.

The bottle incorporates a filter system which can remove bacteria, viruses, and foreign matter down to 15nm. The bottle is designed to treat about 4000 ltr per filter. Unfortunately, he bottle remains a little expensive at £190 — about $400; however, pricing will no doubt drop as manufacturing increases and variations appear on the market. This kind of personalized filter offers hope for the millions in disaster struck areas around the world, as well as those in under-developed regions with no water treatment facilities.

Tales From Beyond - Sanity

There are days when I wonder if I have stumbled into some poorly written parody of reality. In assessing the greatest threats that law enforcement will face in the future, Australian Federal Police Commissioner, Mick Keelty announced this week that the greatest future threat we face is . . . wait for it . . . Cyborgs. Yes, Cyborgs:

“Our environmental scanning tells us that even with some of the cloning of human beings - not necessarily in Australia but in those countries that are going to allow it - you could have potentially a cloned part-person, part-robot,” he told a parliamentary inquiry into the future impact of organised crime in Canberra.

Putting aside the Commissioner’s all too sci-fi sounding ‘environmental scanning’ — which seems to suggest absolutely nothing connected to reality — Keetly believes that aside from bilking people out of money through virtual worlds, that organized criminals will begin to create hybrid human-robot henchmen. Of course, one would assume that eventually the cyborgs would simply overthrow the puny non-hybrid mobsters and take over, leaving simply a cyborg mafia. Nonetheless, the Commissioner did not seem to suggest the need to start building cyborg policemen to counter the threat, but I am sure he was just priming the pump for his budget request.

I understand that it has become the norm for public officials and new organizations to present new and interesting things to frighten us, but come on; you’re not even trying anymore!

Security through Surveillance

A recent article int the NY Times has revealed that the Department of Homeland Security is funding the development of software to sniff out anti-government bias in the written word. The software will be first used on foreign and domestic newspapers to, presumably, detect those who are disloyal, and thus a threat to US security. As the article points out:

Researchers at institutions including Cornell, the University of Pittsburgh and the University of Utah intend to test the system on hundreds of articles published in 2001 and 2002 on topics like President Bush’s use of the term “axis of evil,” the handling of detainees at Guantánamo Bay, the debate over global warming and the coup attempt against President Hugo Chávez of Venezuela.

Yes, apparently, holding a position contrary to the president on Global Warming is an indicator of anti-Americanism. We can all be certain that this technology will be quickly applied to Internet blogs and e-mail traffic once it is ready — or more likely in a test deployment to assess its capabilities. Of course DHS attempts to put the best face on ths program:

Federal law prohibits the Homeland Security Department or other intelligence agencies from building such a database on American citizens, and no effort would be made to do that, a spokesman for the department, Christopher Kelly, said.

Kelly’s argument, however, is as disingenuous as most surveillance proclamations have been. By stating that they are not directly tying such data sets to specific people - but instead tying them to anonymous (or aliased) blogs, or rotating IP addresses, the DHS can easily get around this law.

Why the Department of Homeland Security — which is charged with the physical protection of our country — is investing our tax dollars into a system to monitor hidden biases in newspapers is far beyond the logic any sane person.

The greatest irony in the NYT story is when, reporter, Eric Lipton quotes Andrei Sitov, Washington bureau chief of the Itar-Tass news agency. Sotov dismays that this technology may be used to stifle criticism of the president or the administration. “This is what makes your country great, the open society where people can criticize their own government,” Sitov said. When Tass, the former arm of Soviet propaganda, suggests that our government maybe going too far in sniffing out dissent; well, that expresses some level of irony I lack the language skills to descibe.

h/t Homeland Studipity

One of the under reported stories of the week concerns the latest major security flaw in the Diebold AccuVote-TS voting machine. The folks over at Freedom to Tinker have discovered that the cover lock (which controls access to the memory slot) on the AccuVote-TS is the same as that used on mini-bars, filing cabinets, and other general office equipment. Ed Felton notes:

We bought several keys from an office furniture key shop — they open the voting machine too. We ordered another key on eBay from a jukebox supply shop. The keys can be purchased from many online merchants.

As the Center for Information Technology Policy has shown, access to the memory on these machines opens the door to allow for simple vote tampering. It has been shown time and time again that these, and other, e-voting machines have been built with little attention to security or the stability needed to stand up under the pressures of a general election.

At one time, I believed that electronic voting could be made to function securely and effectively. I am quickly coming to the belief that the entire concept is flawed - either by corrupt contractors or faulty hardware. The illusion of a paper trail on e-voting machines offers little hope. There is much to recommend the old paper ballot, pencil and box that is still used in much of the world.