Last summer, I brought you the story of how the Domain Name System (DNS) was under threat and how many of the world’s top tech companies were working together to solve it. Unfortunately, not everyone has updated the software on their servers to fix this flaw. While it’s not as big of a threat as it was last summer, it still poses a danger to the web. Almost a year ago, I explained a flaw in the encryption system that you use to securely connect to online banking sites and to safely purchase goods from Amazon, eBay, and many others. Today there’s more news about ways for that encryption (https) can fail.

The new attack is what’s known as a “man in the middle” attack. What this means is that some evildoer, or someone who just wants your money, watches your network and waits for you to go to your bank’s website. When you do that, the evildoer inserts himself in the middle of the communication and can start adding to the information that’s going back and forth. This allows him to do all sorts of nasty stuff from stealing your online banking information to tricking your browser to download malicious software onto your computer. Ideally, this is one of the things that the encryption is supposed to prevent. If all the communication between you and the server is protected with encryption, no one can insert themselves into your conversation. However, there is a flaw in the design of the protocol which allows this to happen at a crucial moment.

The flaw was came to prominence a few weeks ago, but many researchers said that the flaw was so difficult to exploit that it wouldn’t be a serious security threat. Then, a few days ago, a Turkish student used the flaw to steal some user names and passwords for Twitter. Fear not, he was not being malicious, but simply proving to the security community that this is a serious flaw that needs to be taken seriously instead of simply being dismissed. Twitter has since made changes to prevent the same thing from happening again and industry groups have begun meetings to determine a more permanent fix for this problem. These meetings have been going on since September, but it’s unclear if a solution has been found yet. This, like the other security problems I’ve written about before, will be fixed soon, but it will take a long time for the fix to go into wide use. It’s also a reminder that even our best and brightest will make mistakes sometimes with wide ranging impacts on our economy and the way we communicate.

image by http://www.flickr.com/photos/23905174@N00/

In another installment of “Holy shit, are we really doing that?!?”, today I bring you news of US Department of Homeland Security’s Project Hostile Intent. This is a series of cameras, infrared detectors, and other sensor devices that scan a crowd and look for, supposedly, people who have hostile intent. Really, the scanners are looking to see if people seem overly nervous or frightened. The goal is to find terrorists in a crowd before they actually do anything. Just think what happens when we install these in airports. Everyone who’s nervous and running late for their flight is going to have cops come up and question them extensively while they’re trying to make it to their flight. Everyone who loses their bag is going to have to deal with an hour of police questioning before they can start the long process of recovering their luggage.

The government is also mounting these scanners on trucks in the hopes that they can quickly be deployed at sporting events, speeches, and (I’d imagine) protests and rallies to help with security. Presumably, this system will simply run passively until it sees someone who matches the profile of a terrorist (whatever that is) and then alert security somehow.

I see two big problems with this. The first is a privacy issue. I imagine that all that data the sensors are taking in is being recorded. With storage so cheap, all that data will likely be stored in case it’s useful later. So it’s conceivable that there will now be records of where you were (using GPS) at a specific time paired with data about your heart rate, perspiration, etc. I’m not really keen on anyone, especially the government, having that kind of information about me. It could not only be used to track your attendance to events (did you go to the opposition party’s rally?), but it also monitor your reaction to the event (did it make you excited, fearful, etc). Furthermore, such devices could be surreptitiously installed around a city to provide much more detailed tracking of people’s movements and moods. This, of course, assumes that the system will actually be able to live up to its claims. Detecting another person’s emotions or psychological state from a distance is difficult to begin with and trying to so to a crowd of people simultaneously is nearly impossible.

The second big problem is one that I alluded to earlier: the huge number of false positives such a system would generate. Lots of people will be nervous or acting strangely in airports, sporting events, protests, and rallies and there’s simply no way that all of those nervous and strange people could be screened. The truth is, we don’t have a profile for what a terrorist is or how they behave. If we did, we could train humans to recognize it with much greater accuracy than these machines will be able to. In the end these devices aren’t going to stop terrorists and aren’t going to be any more effective than the ridiculous airport security measures that have already been put in place. What it will do, though, is make people worry more about what they say and where they say it. Systems like this will have a chilling effect on speech and that is something that no healthy democracy can or should support.

Last month I brought you the story of RepRap, a rapid prototyping machine that was the first machine to build a copy of itself. I covered some of the possible long-term consequences of this development. Apparently the TSA read my post and reacted swiftly to protect America and the world from this robot menace. OSCON (Open Source CONvention) was this last weekend in Portland and the creators of RepRap brought the child machine with them to show off. On the way back, the TSA dismantled the crate holding the machine by unscrewing the permanent screws instead of the ones marked “Open Here”. Unable to put the crate back together, they shipped it as-is with a whole side open despite the “Fragile” stickers all over it. When the crate arrived back in New Zealand, the machine was completely destroyed. So thanks TSA, for protecting all of us from this grave threat!

A major Internet catastrophe was narrowly averted recently through the combined efforts of security researchers and large companies like Cisco and Microsoft. Not all the details of the problem have been released yet and those that have are rather esoteric, but I’ll do my best to explain them in layman’s terms. Also, before I get started, I want to do something I don’t do often: thank Microsoft for showing strong leadership on this and providing resources to ensure that the problem got fixed for everyone. So if you’re interested in hearing an exciting story about a race to save the Internet, read on!

Read More >>

As many of my friends know, I talk about security and civil liberties quite a bit. Many groups, especially the Bush administration, like to present a choice between security and civil liberties. This, however, is a false choice. There are many ways that we can use new technology and good, old fashioned techniques to increase our security without sacrificing civil liberties. All to often, though, the “security measures” that are put in place are designed to make us feel more secure, not to necessarily actually make us more secure. One way this manifests itself is in spending huge amounts of money defending against ridiculously specific threats. In fact, that money could be much better spent improving our disaster response infrastructure, something that comes in handy during terrorist attacks and natural disasters like Katrina. It’s also important to realize that giving up civil liberties often makes us less secure, not more. For instance, when the FBI creates a computer program that allows agents to wiretap a phone with the click of a mouse (no warrant needed), there’s nothing to stop an agent from wiretapping the phone of a friend or rival to discover private information about them.

Read More >>