Showing posts with label computer security. Show all posts

Tuesday, January 6, 2009

Steve Jobs is dead - the state of computer security is sorry


The late Steve Jobs, left, interviewed
together with Bill Gates,
at D5 conference in 2007

Ok, hopefully no-one has died of a heart attack reading this yet, but it's just a bad joke. While covering the Apple keynote at the Macworld conference today, the extremely popular web site Mac Rumors got its live coverage site hacked by people crediting Anonymous / 4chan.

No shadow on the Mac Rumors staff really, since in my opinion computer security in general is in a very sorry state. I want to carry on writing on this topic soon, but be sure: it was Mac Rumors today, and it can very well be your site or service tomorrow. It's not a matter of some being more vulnerable than others; if you are unlucky enough to be targeted, you are very likely to get into huge trouble.

Stitched screenshot of the defaced live stream below:


A yawn or not, Macworld is still receiving a lot of coverage in the press, such as here, here, here, here, here, here, here, here, here and here.

Be back later for more of my rants and info about the hack.

Wednesday, September 24, 2008

The farce of BankID

The Swedish Administrative Development Agency (Verva) has released a report suggesting to expand the concepts of electronic identification in Sweden. IDG writes how your cellphone will be used for e-identification, how e-identification will look in the future, how everyone will have eID within two years and how the BankID company is optimistic about the future. What bull.

"BankID is an incompatible ugly hack the Swedish banks threw together to give Persson something to brag about during the EU-chairmanship"
... I quote from a renowned bank security specialist who must remain unnamed. The Swedish BankID really is terrible technology which attempts to fill the void the national ID-card should have, and could have, filled long ago. Polisen writes (my emphasis): "På id-kortet finns ett kontaktchipp som i framtiden kan bli bärare av elektronisk information, så kallade eID-tjänster, som till exempel elektronisk legitimation". ("On the ID-card there is a contact-chip which in the future may be the carrier of electronic information, so called eID-services, for example electronic identification") Not only have they got backwards what eID-services are, and there is no such thing as a "contact-chip" if we are to be picky about device terminology (which I think we should be), they also seem to have no infrastructure, technical plan or even room to create a functioning hardware electronic identification.

The BankID-service is bad primarily because it is software carried ("BankID på fil") and because it requires service providers to chip in to the business model in a way which is just unfeasible. I have been told service providers avoid providing more services through BankID because the licensing is so expensive, whereas actually everyone could benefit and save money from using it more. Great success... I just realized that the clunky BankID client which never works properly probably does embed standard PKCS#12 containers with X.509 certificates and RSA keys, but I have not yet peeked into exactly what they are. The fact remains that BankID chose to step beside the existing infrastructure for hardware, software and protocols already present in browsers and other clients. Also, unless you're communicating with a BankID licensed organization, the BankID you have been issued is worthless. It may not matter much to most people, but in principle it is strange not to be able to verify identity without going through a government.

Oh, and this story about Swedish bureaucracy is just hilarious, according to epractice.eu: March 2008 - "Due to the fact that the Swedish Administrative Development Agency (Verva) has no longer been assigned to manage the national eGovernment portal and that no other Government agency was handed this task over, the portal ‘sverige.se’ closes down." Yippie kay-yay...

In contrast, the Estonian ID card implements a regular PKI smart card much like the US DoD CAC. It ties into the OpenID project and anyone can implement services based on it using standard software and the government-provided LDAP directories. Oh and we already have Mobiil-ID using cellphone SIMs (using cellphone to pay for parking is a different but also very elementary thing done in all cities by most car owners for years).

To be fair though, the Estonian ID-card drivers are sometimes also messy to install, non-Estonian language support is failing in some points, the cards are pretty expensive to issue and since two cards have failed for me (I used to sit on my wallet) I've had to experience the failing support organization behind it. Probably Estonia can be said to have benefited from being a small country, not because there are few end-users (above a million is never a small number) but a limited number of market players which are able to cooperate and without too much involvement of Statskontoret framework agreements to stand in the way of pushing sensible technology.

My eToken PRO

All this is of course pretty complex stuff and it cannot be expected of the layman to distinguish what is good or bad technology. Myself, I've gotten a proper eToken PRO through Danish it2trust on which my keys are stored, to be able to encrypt, sign and authenticate while knowing that the key can practically (as far as I know) never be stolen unless the physical token is stolen. That feels really good, and even if I don't have that sensitive information myself, at least I know how to do it, and what software is or is not capable of doing these things properly.

Actually I recently found myself in a war-of-blogs regarding inferior banking security where the pretty large Swedish blogger "TKJ" spreads some confusion on what the real problem is and why credit card frauds persist. I'd like to say that I don't mind TKJ contributing to the discussion, on the contrary, and he's generously complimented the expert critique he's received. In my opinion security experts should also dare to step up and discuss these things openly, or media and consumers surely won't know where to push the market. So my $0.02 is that the reason Swedes are still getting skimmed is the embarrassing fact that Swedish banks and payment systems still primarily use copiable magnetic stripes instead of the more secure "for electronic use only" smartcards. In the competition between nations for using the greatest technology, this is one area where Sweden is definitely suffering from having to carry its legacy and being stuck with old solutions.

Sunday, September 14, 2008

Selling using the Black Swan

I've been reading The Black Swan recently, an exciting book by Nassim Nicholas Taleb. In its essence, it reminds us how fooled we may be by the way we describe reality, history and the future, and possibly it may help us make much better decisions and be ready for the unexpected.

Taleb sums this up as being due to two primary ways of assessing things in the human mind:

  • System 1 - the experiential. Rapid decisions according to experience and habit, the "gut feeling" and prejudice (in the true sense of the word)

  • System 2 - the cogitative. Thinking rationally and logically about things, involving experience but also assessing the influence of abstracts such as statistics

The problem is of course that the experiential system can frequently be wildly inaccurate, but you don't notice it unless you knowingly bring in the cogitative system to actually assess things. Using the cogitative system is both energy consuming and tricky, as you don't always know when it would make a difference. I myself find that every day I think a certain way about things, but when I stop to think about how I actually should act, sometimes it seems that my direction has drifted way off target.

Anyway, the book also recently taught me a little clever thing about sales, especially if you're selling something obscure. Essentially, consider the probability of a generic situation A, compared to a more specific situation B which as a consequence will result in A happening. Mathematically the likelihood of A must be greater than that of B, since situations other than B may also cause A. Yet if B feels rational and A more complicated, people will generally think experientially and inaccurately feel that B is much more probable than the complex situation A.

So how to use this in sales? Well, describing the situations you want your customers to use your product for will make them seem more likely. Maybe this is very basic to anyone in sales, but for me it was a realization. I'll make an example below, and as a hint, A as described above is someone stealing your email password and abusing it because you don't use SSL, and B is a computer whiz-kid stealing your password while you're working in the same café:

Rather than just talking about the importance of using encrypted POP and SMTP email (that's just a matter of ticking a box in the email program), tell the story of the university computer security student whose hobby is to run a network sniffer and log anything interesting when he's working from cafés. Your email program is checking the email every few minutes and the young student captures your username and password every time. Every now and then he takes a look in the logs and checks out the people whose accounts he's got, emptying his nets so to say.

In a couple of months he has gathered some thousand accounts and realizes that, besides playing pranks on his clueless victims (they had really given him their passwords!), he can make a little bit of extra money from monitoring the gossip or business pages and matching them to his secret lists. It is easy for the guy to stay safe from getting caught, every now and then he will get his hands on some very valuable information, and the people he sells it to can create a world of trouble for the victims. And all this because they didn't use secure email connections. Please use secure email connections and don't become a victim yourself. Tick that one box, check it now.
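The "one box" in the mail client decides whether USER/PASS or AUTH goes out in cleartext. As an added illustration (not part of the original post), here is a small check of what a POP3 or SMTP server offers before the client authenticates; the server replies are constructed samples in the CAPA (RFC 2449) and EHLO (RFC 5321) formats, not captures from any real server.

```python
"""Does the mail server let the client turn on TLS before it sends the password?
Server replies below are constructed samples, not real captures."""
import re

# Constructed POP3 CAPA reply from a server that offers STLS (upgrade to TLS).
POP3_CAPA_WITH_STLS = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\nUIDL\r\n.\r\n"
# Constructed reply from a server that only accepts cleartext USER/PASS.
POP3_CAPA_PLAIN = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
# Constructed SMTP EHLO replies: "250-" marks continuation lines, "250 " the last.
SMTP_EHLO_WITH_STARTTLS = ("250-mail.example.test\r\n250-SIZE 10240000\r\n"
                           "250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
SMTP_EHLO_PLAIN = "250-mail.example.test\r\n250 AUTH PLAIN LOGIN\r\n"


def pop3_capabilities(reply):
    """Parse a CAPA reply: status line, one capability per line, '.' terminator."""
    lines = reply.split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        return set()                # server does not support CAPA at all
    caps = set()
    for line in lines[1:]:
        if line == ".":
            break                   # end of the multi-line response
        caps.add(line.split()[0].upper())   # keep the keyword, drop arguments
    return caps


def smtp_extensions(reply):
    """Parse an EHLO reply: extension keyword after '250-' or '250 '."""
    exts = set()
    for line in reply.split("\r\n")[1:]:    # first line is the server greeting
        m = re.match(r"250[- ](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def password_exposure(protocol, reply):
    """'upgrade' if the client can start TLS before authenticating (STLS or
    STARTTLS is advertised), otherwise 'cleartext': the password would travel
    unencrypted and a sniffer on the café network would read it."""
    if protocol == "pop3":
        return "upgrade" if "STLS" in pop3_capabilities(reply) else "cleartext"
    if protocol == "smtp":
        return "upgrade" if "STARTTLS" in smtp_extensions(reply) else "cleartext"
    raise ValueError("unknown protocol: " + protocol)


if __name__ == "__main__":
    for proto, sample in (("pop3", POP3_CAPA_PLAIN), ("smtp", SMTP_EHLO_WITH_STARTTLS)):
        print(proto, password_exposure(proto, sample))
```

A client that sees "cleartext" here should refuse to send credentials rather than fall back silently; the same check applies to IMAP, whose CAPABILITY reply advertises STARTTLS in the same way.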

Wednesday, September 3, 2008

So you thought your OS was secure?

When looking for information about the IDA disassembler (anyone who knows it and can give me a few hints?) I found an interesting video at Google Videos. Alex Sotirov discusses how he found a very applicable "ANI" exploit in WinXP and Vista, including showing his best IDA tricks. Quite academic and extremely technical. As food for thought he ends the lecture with these diagrams about which OS provides which security measures:


We Mac users sometimes brag about how secure OS X is, while in reality it probably has a pretty solid base in Darwin and provides a reliable development environment with Cocoa... but when bugs and exploits are found, OS X is standing there almost absolutely naked and defenseless.

Of course, Windows drags a larger pile of legacy code behind itself, but it is also a lot more under fire; it makes a lot more sense to produce exploits and viruses for Windows.

My advice (which I hope will soon be published at mjukvara.se) is still simple: 1) use good, secure software which throws away popups and spam, 2) install system updates as they become available, 3) run some sort of firewall and maybe free antivirus software. You, or someone who does it for you, need to keep your computer reasonably clean and well-oiled. Don't blame a virus if it's you who's filled up your disk. By these simple principles, my systems have been essentially perfectly free from virus trouble for at least five years. Knock on wood :-)


A little PS about that dangerous Internet hole which recently was "discovered" by Anton Kapela and Alex Pilosov. Experts are saying that indeed the "hole" is there, but everyone concerned was already aware of it and will not have many problems with it. If anything it is a small reminder that whenever you transmit passwords or any sensitive data over the Internet, you should not assume that the network is not wiretapped.

Wednesday, June 25, 2008

My public keys

It's a bit silly with all the FRA-debate, but I figured I should anyway publish my public keys / certificate properly. Do note that the corresponding private keys are just kept encrypted with passphrases on my disks, thus not as reliable as if kept in some security tokens (I will however get some soon).

My X.509 / S/MIME certificate:

$ openssl x509 -in mail.der -fingerprint
SHA1 Fingerprint=D1:50:3A:C3:76:FD:37:95:58:4D:A4:F1:A9:1E:D4:F9:49:0C:8C:95

My PGP / GnuPG public key:
Key fingerprint = 0349 0021 407D 9955 A3B5 FC18 1294 5939 1766 8EFA

Since I got OneSwarm, my friends may go ahead and add me:
(Update: I had some issues because the GnuPG key had expired, so I had to update it and get it onto a keyserver. The fingerprint is unchanged, and I will probably get myself an Aladdin eToken PRO or an AET CrypToken any day now)

(Update 2: Now I have managed to securely generate and store on an Aladdin eToken PRO my X.509 / S/MIME certificate, so that's a new one now)

(Update 3: I got OneSwarm, so I added my public keys here as well)

(Update 4: I changed laptop and the server is currently offline, so I changed one of the OneSwarm keys)