Category Archives: Hacking

Security via obscurity failed… in 1903

This is a wonderful story about the hacking of Marconi’s wireless system in 1903. Marconi touted the security of his system based on a tight (and presumably not publicly disclosed) frequency bandwidth. Of course it was hacked in a public and humiliating fashion.

Security via obscurity, as effective in 1903 as it is today.

Hat tip to Bruce Schneier.

Rise of SaaW?

There are a couple of interesting articles on Stuxnet out recently. This article poses the astonishing possibility that it was a directed attack at the Iranian Bushehr nuclear plant. The arguments given, however, are highly circumstantial.

This article also puts forth the notion that Stuxnet was likely created by some government.

Is this the first instance of SaaW, software as a weapon?

Just a bit more complicated than that

Phil Windley posts about Google’s recent moves in China and describes them as a result of conflict between Google’s desire to do what’s right (not censor) and doing what it needs to do to stay in business in one of the largest markets in the world. That’s an interesting take on it, but it doesn’t wash with recent history.

To be clear, Google was fine with doing evil for several years now. They lived with the government restrictions and did business up until recently when they were penetrated (reportedly badly) by hackers that no one seriously believes aren’t at least backed by the Chinese government. The decision to buck the government was also made easier by Google’s own lagging competitive position in China.

If the real story ever comes out I’m sure it will be fascinating. Until then I’m not sold on Google’s altruistic motives in this dispute.

hacking and scalping

Some hackers were apparently caught hacking Ticketmaster, buying tickets, and scalping them at a higher price. The article is clear on this point, but I would assume the hackers actually paid the Ticketmaster price but then resold the tickets for a much higher price.

So these guys are being accused of both hacking and scalping. While I have no sympathy for hackers, could someone explain to me why scalping is even illegal? Seriously, if an event is selling tickets for $25 that have a market value of $75, why are we criminalizing the scalpers? If the tickets were sold using dynamic pricing like hotel rooms, scalpers would be out of business, the event would make more money, and customers would have less fear of getting ripped off.

What am I missing here?


Nico Popp suggests that incidents such as the recent Google hack may lead to governments and large corporations adopting a form of Mutually Assured Destruction cyber defense.

On one hand there is a lot of sense in this, especially for governments. However, I suspect retaliation would be more of an economic (or worst case military) nature.

At some level that’s exactly what is going on with the Google case. Google obviously believes that the Chinese government is behind the attack and Google has retaliated by threatening to stop censoring content in China, even at the risk of getting thrown out of the country. Of course now they seem to be backing down and both sides are now looking for a face saving compromise.

But one problem with the MAD theory of cyber-warfare is that you most often don’t have any idea who to retaliate against. At least not with a sufficient degree of certainty.

So for now, MAD looks pretty unlikely in the cyber-warfare game.

What’s not being said

I usually find what’s not being said far more interesting than the platitudes that are uttered. According to this article Google and China are negotiating a face saving compromise to allow Google to remain in China. What is being said is that this is about the level of censorship. What is not being said, and what is probably really the truth is that this is really all about the Chinese government hacking Google.

I mean seriously. Google China censored content from day one and now it all of a sudden decided to “do less evil”? As Corporal Nobbs likes to say “pull the other one, it has bells on it”.

No, what changed is that the government has hacked Google and gotten caught doing it, and probably affected some high-level Google execs.

Here is my prediction; the face saving compromise will involve a little easing of the censorship rules, a promise not to hack Google any more, and Google quietly giving some sweetheart deals to some high-level Chinese officials.

Misplaced Blame

Bruce Schneier writes this, in which he lays the blame for the Chinese hack of Google on the US Government. His reasoning is that since Google put in a back door surveillance mechanism to enable the US to eavesdrop on Google users, it is then the US’s fault that Chinese hackers used that mechanism to hack Google accounts.

This is a little like me blaming my employer if I have an accident on the way to work.

While I agree that companies should not be making it easy for governments to spy on people, when legally required to do so it is also their responsibility to make sure that this is done in as secure a manner as possible.

Also note the interesting linguistic phrase that most journalists have used in this issue. The hacking of Google is usually described as being done by “Chinese hackers”. That’s not wrong, but it is missing the most important point. No one seriously believes that the attacks were not done at the behest of the Chinese government itself. That is a very important distinction.

Glass half full, and covered with prints

Dave Kearns notes the city of Bozeman is walking back its requirement that applicants supply user ID and passwords to all social networking sites. But then he closes with:

Just one more reason to drop the use of passwords in favor of a biometric authentication. Even Bozeman, I’d hope, wouldn’t ask you to leave your finger on file!

Is the glass half empty or half full? Either way it’s covered with prints, which you should think about before jumping into biometrics. Then watch the MythBusters fool several fingerprint readers with covertly obtained fingerprint samples. After watching that you probably are going to start feeling uneasy about fingerprint readers.

And it seems facial recognition systems can be fooled with pictures of the face blown up to full size.

I wouldn’t bet the farm on voice authentication either.

Who is we? You is.

Pogo said it best: “We have met the enemy and they is us”. Bob Blakley asks us the vendors four basic questions on security:

Are we willing to give anything up?

Are we willing to do anything different?

Are we willing to take any blame?

Are we willing to give any guarantees?

The answer to all of these questions really depends on who we is. I am not, for instance, willing to give up earning a paycheck in the software industry. Which means the things I am willing to give up or do different are constrained by the other we’s that determine the success or failure of my employer.

Let me give you an example; Vista UAC. Here is an example of a classic trade-off between security and convenience. And the users hate it. Worse for Microsoft, its presence hasn’t helped sell Vista even for business use.

So what we are willing to give up and do different is constrained by a market that wants security without any additional cost, or effort on the end user.

As for blame, who should get it? Yes, vendors often do stupid things for which they should get blamed. But what about situations where there are different levels of security available and the end user chooses less than the most secure? Tried running your browser of choice without JavaScript enabled lately? Who gets the blame for that? You for enabling JavaScript, the browser vendor for providing the capability in the first place, or all the web site designers who force you to enable JavaScript to view their site?

How about open source? Who gets the blame for those vulnerabilities?

As for guarantees, they are a good idea, but there has to be a limit. No software company can take the liability for the end user’s losses in a security breach. The reason is simple. The liability is open ended, but the cost of the software is not.

While Bob’s questions are interesting, they are not the important ones. The important questions are:

Are you as the consumer willing to factor security into your buying choices?

Are you willing to pay more for higher security?

Are you willing to have fewer features if it means a more secure system?

Are you willing to take responsibility for your own actions?

The answer to these questions today is no.

Nor anywhere else for that matter

Phil Windley has this interesting post on Cloud Security. There are a lot of good thoughts here, but this one stood out:

Host intrusion detection systems (HIDS) work fine on cloud infrastructure, but are hard to do at higher levels of the stack. Network intrusion detection systems (NIDS) are impossible to do at most providers. The traditional notion of “perimeter” is not necessarily available in the cloud.

Nor anywhere else for that matter, I would add. No notion is more irrelevant today than perimeter security, yet it continues to be the cornerstone of many organizations’ strategy. I always suggest keeping the perimeter in place but securing everything behind it as if it doesn’t exist.