Surveillance State

How popular can a piece of software get before being in "beta" is no longer a legitimate excuse for known software flaws? Or, to put it another way, is it responsible to allow hundreds of thousands of people to install your product, when you know ahead of time that doing so opens them up to attack?

The software visionaries at the Mozilla Corporation, which makes the popular Firefox web browser, have taken the approach that creativity and functionality is king--even if security has to take a backseat. Case in point: The widely praised "Ubiquity" software add-on, which brings an amazingly rich and extensible new form of interaction to the Firefox Web browser.

The technology press has showered praise upon the developers of this software tool. However, in prioritizing functionality over security, Mozilla Labs punted complex trust choices to end users--the vast majority of whom are ill-equipped to make such decisions. The end result is that the hundreds of thousands of users of Ubiquity face a significant risk of browser hijacking by attackers, which could result in the theft of e-mail and online banking account information.

Mozilla's Ubiquity in Action

Hackers have turned their attention to Facebook's hundreds of independent applications. The results are not terribly surprising, but do not tell a good tale: app developers don't seem to know a thing about basic security, and are putting private user information at risk. As a result, malicious hackers are able to access and change what should be private user data managed by the application providers.

Just a few months after this blog brought you exclusive news of privacy problems in Facebook's application system, we are now already seeing the consequences of Facebook's decision to pass the buck on on application security and privacy. Facebook shares user data with a large number of third-party application developers (without user consent), who then leave the data open to hackers due to nonexistent security and privacy protections. We at Surveillance State would be lying if we said we didn't see this coming.

Third-party developers

As I mentioned in a blog post back in January, Facebook permits application developers to get access to large amounts of sensitive data, all without clear user consent. Simply put, whenever a user installs a Facebook app, the developers of that application get access to data on every person who that user is Facebook 'friends' with, as well as most of the people in that user's network. While Facebook makes it perfectly clear when users install an application that developers will get access to their data, it doesn't do anything at all to warn users that the same data sharing occurs when their friends install apps.

Facebook has its legal bases covered though, as its Terms of Service clearly state that the company is in no way responsible for anything that the developers do with user data. It further notes that the company does nothing at all to verify that developers are doing anything at all to protect user data, or that they are not storing data beyond the time needed to process the application request (a strict no-no). The terms of service state:

"[each application] has not been approved, endorsed, or reviewed in any manner by Facebook...we are not responsible for...the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK."

Flaws in apps, users at risk

According to a recent article in 2600, the Hacker Quarterly, many popular Facebook applications are vulnerable to trivial attacks, which permit a nefarious person to both set and read the data associated with that app. The 2600 article uses apps Moods, Free Gifts, and Super Wall to prove its point.

Quite simply, the developers have no authentication mechanism in place on their own servers when processing queries issued by a Facebook application. The developers rely instead, on the Facebook app itself playing by the rules. A nefarious hacker merely needs to intercept the Web request issued by the app, and replace his/her own Facebook ID with that of a potential victim.

While the 2600 article is not online, a reader of the Consumerist blog summarized it online:

In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid (Facebook user ID) before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea.

The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.

Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uid's.

This is not rocket science, but far closer to computer security 101. Microsoft's Larry Osterman has written about these kinds of flaws on his own blog, describing his effort to educate Microsoft's programmers:

It takes a special mindset to think like a bad guy. Not everyone can switch into that mindset. For instance, I can't think of the number of times I had to tell developers on my team "It doesn't matter that you've checked the value on the client, you still need to check it on the server because the client that's talking to your server might not be your code."

On Wednesday, I spoke with Adrienne Felt, the University of Virginia researcher whose report first highlighted the excessive and dangerous data sharing that happens between Facebook and its Application developers. When asked for her thoughts on the lack of authentication and security at major Facebook apps, Adrienne told me that, "sadly i am not surprised at all" as "apps are written by people who just barely know anything about coding."

For those of you interested in learning more, someone has taken the time to record a screencast of the attack in action. All that's needed is a Facebook account, the Firefox browser, and the Firebug browser add-on.

A team of respected security researchers known for their work hacking RFID radio chips have turned their attention to pacemakers and implantable cardiac defibrillators.

The researchers will present their paper, "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," during the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy, one of the most prestigious conferences for the computer security field.

The authors of the paper are listed as: Shane S. Clark, Benessa Defend, Daniel Halperin, Thomas S. Heydt-Benjamin, Will Morgan, Benjamin Ransford, Kevin Fu, Tadayoshi Kohno, William H. Maisel.

Kevin Fu, an assistant professor at the University of Massachusetts Amherst, along with two graduate students who worked on the project all gained significant attention for their past work in attacking RFID-based credit cards and RFID (radio frequency identification) transit payment tokens.

Kohno, a professor at the University of Washington, was the subject of worldwide media coverage for his work in exposing flaws in Diebold voting machines back in 2003, and then later for finding major privacy flaws in the RFID-based Nike+iPod Sport Kit.

Shocking stuff

When contacted by e-mail, Kohno told me that he and his colleagues could not currently comment on their latest project. Without the help of the authors, it is difficult to predict the contents of their research paper. However, it is possible to piece together other bits of information to try to learn more about the project.

A previous research paper published by the same team noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. An increasingly large percentage of these can be remotely controlled and monitored by specialized wireless devices in the patient's home. The devices can be accessed at ranges of up to 5 meters.

By reading between the lines (millions of remotely implanted medical devices, able to administer electrical shocks to the heart, can be controlled remotely from distances up to 5 feet, designed by people who know nothing about security), it is easy to predict the gigantic media storm that this paper will cause when the full details (and a YouTube video of a demo, no doubt) are made public.

Just remember where you saw it first.

For the last few years, frequent travelers have had the option to sacrifice their privacy (as well as some money) for speed at the airport. Now, thanks to some keen deal-spotting by bloggers, passengers can skip to the front of the airport security line for free. The question to be asked is: even when such services are free, are they worth the price?

(Credit: Courtesy CLEAR/Verified Identity Pass)

Verified Identity Pass is one of three companies that participate in TSA's Registered Traveler program. The company offers separate lines leading to TSA checkpoints for its subscribers. Passengers passing through one of these lines get to skip to the front of TSA's security checkpoint -- although they still must take off their shoes and belts.

Verified Identity Pass, and its CLEAR program, has been the subject of much hype since its launch a couple years ago . However, it has received quite a bit of criticism from the security community, as well as from TSA's head honcho Kip Hawley. In a statement last year explaining why CLEAR customers still had to take off their shoes and belts, Hawley told Congress:

"The technology is not yet there to provide significant screening benefits to members," Hawley said today before the House Committee on Homeland Security, adding that providers need to tweak such systems before TSA grants full approval. He did not specify the modifications TSA seeks.

Passengers wishing to join the CLEAR program will need to fork over $100 per year, plus $28 for the background check that TSA will run. As part of the application, customers are asked for their social security and drivers license numbers, although these are clearly marked as optional information.

The real sticking point, at least for me, is that passengers are required to give up a copy of their fingerprints and a retina scan. This information will then be used to authenticate you when you go through a CLEAR checkpoint. Of course, should the FBI write a national security letter and decide that it would also like a copy of that biometric information, Verified Identity Pass will be forced to hand it over. Creepy.

Thanks to some keen spotting by Gary over at View from the Wing, suckers passengers willing to hand over this information to a central database can now join CLEAR for free, at least for the first year.

First: go and sign up to be a member of the Hyatt Hotels Platinum Program (valid until March 31).

Second: with your new Hyatt platinum number in hand, go over to the CLEAR site and sign up for a one year free membership.

I've thought it over, and even when it's free, I still can't convince myself that it's a good idea to do this. However, for those of you who fly frequently (or who have been arrested before, and thus already have your paw-prints on file), perhaps you may find this useful.

For those more adventurous travelers, as I've discussed before, there is another way to jump to the front of the security line - refuse to show ID.

With all of the attention that the Foreign Intelligence Surveillance Act (FISA) update (and the administration's vigorous attempts to immunize the criminals telcos), it seems like a good time to explore the issues surrounding surveillance and privacy in America today.

NSA: We're watching you....

(Credit: National Security Agency)

While there are so many scary things being done by intelligence and law enforcement, hope is not far away. Easy to use privacy technologies are upon us, and with them, comes a radical shift in the balance of power. As this article will explain, the scalable techniques with which the NSA, FBI and other agencies can spy on innocent Americans may soon be made useless - forcing them to go back to the old school (and labor intensive) black bag job.

First, a few facts:

• Fact: The National Security Agency (NSA) has data-mined the call records of millions of Americans. These records were handed over to the spying agency without a court order or warrant.
• Fact: Calling your Aunt Susan in Australia? The NSA is listening. No warrant? No problem. What about for international calls made to a lawyer, doctor or priest? No warrant necessary there either.
• Fact: Mobile phones transmit extremely accurate location information back to the wireless carriers. The FBI, DEA and other federal law enforcement agencies routinely get access to this location data without demonstrating "probable cause," which is typically required before a judge will issue a warrant.
• Fact: Most mobile providers claim that they do not save copies of text messages sent to phones and pagers for extended periods of time. However, up until the point that the messages are deleted, the companies will happily turn them over to the police without a warrant, requiring only that the prosecutors claim that the records are "relevant and material" to an investigation.
• If you are arrested by the police, in addition to searching your body, they are also permitted to search through your mobile phone and look through anything that they can find. Got an iPhone? They may be able to browse through hundreds of emails from your gmail account using the device, all without the pesky requirement that they first get a warrant.

As the debate over FISA and telco immunity has demonstrated, the telecom companies are willing to completely eviscerate consumer privacy in order to help law enforcement and the intelligence community. With the telcos getting handsomely paid for their participation in illegal surveillance programs, its clear that consumers cannot rely upon AT&T and Verizon to protect their privacy.

Consumers will need to take matters into their own hands - and luckily, secure communication technology is finally user-friendly enough to be usable by non-geeks.

In addition to enabling the average Joe to regain a bit of his privacy, the rapid deployment of easy to use crypto will have a major impact on our society: The end of large scale surveillance.

Raising The Bar: The Black Bag Job

The big problem with the surveillance techniques currently used by the NSA, aside from the fact that they are creepy and illegal, is that they scale so well.

Just like Google, if the NSA wants to expand its surveillance abilities, it simply has to build another data center. Want real-time spying on the phone calls of 10 million more people? No problem -- just buy another 10,000 computers, and set them up with NSA's existing pattern recognition software

In the old days, the spooks would have to rely on the so called 'black bag job' -- a term to describe the act of breaking into a suspect's house in order to install bugs and other listening equipment. The team doing it, at least in Hollywood movies, were, like ninjas, dressed in all black.

The nice thing about the black bag job - is that it is labor intensive. Want to install bugs in the home of a suspected Soviet agent? That'll take a team of five agents, plus around the clock surveillance for a few days beforehand. Using traditional techniques, spying on an additional 10,000 Americans would require an additional 50,000 NSA black-bag-job agents to install the bugs.

As large as the NSA is, it simply doesn't have that level of resources. Thus, simply due to the man hours required, the NSA's surveillance net was limited in scope.

Unfortunately, due to computers, and the willing assistance of telecom companies - this is no longer a problem. Surveillance today scales very very easily, and it is almost trivial for the NSA to spy on an additional 100,000 Americans.

The deployment of easy to use cryptography for the average user will significantly upset the status quo. Large scale surveillance will no longer be possible, and the spooks will have to return to the days of the black bag job. Will they still be able to focus on high-profile terrorist targets? Sure. However, their days of spying on the average American, simply because it's easy, could be over.

I'll now explore the technologies that will make that possible.

Secure Instant Messaging

I've written extensively about this form of secure communication before. Adium, one of the most popular instant messaging applications for the Mac, ships with high-end encryption out of the box. Similarly, Pidgin, an IM application shipped with practically every Linux distribution, also includes support for the same encryption protocol that Adium uses. A port of Pidgin is also available for Windows users.

An encrypted conversation in Adium

(Credit: The Adium Dev Team)

These IM applications and the off-the-record encryption standard they use are protocol independent. That is, they work with AOL Instant Messenger, Google Talk, Yahoo IM, and others. By using one of these applications, your IM communications are encrypted, authenticated, and completely deniable.

No amount of telecom company assistance will enable the Feds to passively snoop on an encrypted IM conversation. In order to have any chance at getting a copy of the messages, Uncle Sam will need to resort to a significantly more invasive (and riskier) surveillance techniques.

Secure Voice over Internet Protocol (VOIP)

Unfortunately, out of the box, most internet based telephony services are horribly insecure. Use Vonage, Packet8, or one of the other popular VOIP services? Your calls are going over the wire in the clear. Using one of several open source hacking tools, it's trivially easy for an attacker or nosey neighbor to snoop on your calls.

With regard to the mainstream voice solutions, Skype is the clear exception to the rule. All Skype communications are encrypted (as long as you don't live in China, where the government has forced the eBay owned software company to install some fairly suspect filters).

Skype has been extremely secretive about the technical details of their encryption technologies. They paid a few security consultants to conduct a review of the system, which, not surprisngly, was rewarded with rave reviews. However, some crypto geeks have been able to reverse engineer Skype, and have determined that by and large, the program does a pretty good job.

Skype's security is good enough, it seems, to stump the police and intelligence agencies in Germany. They've had to resort to paying 2500 euros per victim suspect to install malware that secretly records the audio as its recorded and played on the user's PC during a Skype call.

Thus, for most users, Skype is more than good enough - and a complete pain in the ass for law enforcement.

For those users not willing to trust their communications to a closed-source communications system, the gold standard really is Zfone, an encrypted VOIP solution made by famed cryptographer and cypherpunk Phil Zimmerman. While it's easily the best tool out there, it unfortunately suffers from the network effect -- that is, there really isn't anyone using it right now.... and Skype has, in a few years, become the most widely deployed cryptographic application ever.

If you can get your pals to install it, go for Zfone, but for those you can't, Skype is probably good enough.

Anonymous Web Surfing

One word: Tor. If you're not using it already, you need to be.

Encrypted Computer Data

Both Microsoft Windows Vista and Mac OS X include encrypted disk support out of the box. While I can't speak to the Windows experience, I can say that encrypted disk support is a piece of cake on the Mac. As recent court cases have shown, this disk encryption can be a total roadblock for law enforcement, and can completely derail any attempted investigation or prosecution.

Mobile phones

As fans of the HBO show The Wire will already know, mobile phone privacy and anonymity is something that there is a significant market need for. For now, psuedo-anonymity can potentially be achieved through the use of prepaid phones, but this provides no safety against a government agent with a wiretap order (or a spying agency willing to break the law).

For now, we as consumers are left out in the cold. However, the rise of devices such as the iPhone and Google's Android OS do give me some hope. If we get Skype on mobile phones (a not so unrealistic possibility), law enforcement is going to have a very very tough time. Furthermore, if we can replace SMS text messages with off-the-record encrypted IMs, users will finally get the privacy they deserve.

While we can't rely on Steve Jobs to bring this to us, there is a decent chance that Google's Android system may end up having these features. It's an open platform, right? So it's just a matter of time until someone hacks it up, and releases it.

Homeland security officials seem to have adopted a naive and dangerous standard to detect bombs: Devices sold by major corporations that come packaged in logo-adorned, mass produced containers are perfectly safe, while those made by hobbyists and tinkerers with exposed wires and batteries are potential bombs or at least hoax devices.

The problem with this approach is that in many past cases of successful terrorism, especially those committed by state-sponsored groups, the bombs were actually hidden in fully-functioning mass-market electronic devices: personal stereos and mobile phones. Smart terrorists, the ones we should be trying to thwart, do not walk into an airport with LED lights and a 9-volt battery dangling from their sweatshirt.

This past Friday, MIT sophomore Star Simpson unintentionally caused a gigantic freak-out when she walked into Boston's Logan airport wearing a jacket with a home-made electronics project attached to it. Airport security officials confused the device - a circuit board, a few LED lights, and 9 volt battery - with an improvised explosive device. In a press conference following the incident, state police Maj. Scott Pare said that Simpson is "extremely lucky she followed the instructions or deadly force would have been used. She's lucky to be in a cell as opposed to the morgue."

Star Simpson's panic causing circuit board

(Credit: Lisa Poole/Associated Press)

This comes less than a year after police in Boston scrambled bomb-response units around the city after discovering Moonitites (flashing promotional electronic signs) that had been placed by a viral marketing firm advertising a TV show on Cartoon Network. After the brouhaha faded, Turner Networks agreed to donate two million dollars to the city of Boston in compensation. The two men who had installed the signs were initially charged with placing a hoax device to incite panic, but the charges were later dropped after the men agreed to perform community service.

Aqua Teen Hunger Force promotional LED sign

(Credit: Jimmy / Wikipedia Commons)

Boston has now rightfully earned itself a reputation as a city that overreacts over the smallest thing. Comparing the reactions by Boston officials, and those of Seattle (where the electronic devices were also placed) clearly demonstrates this.

Massachusetts Attorney General Martha Coakley said the device "had a very sinister appearance. It had a battery behind it, and wires." King County (Seattle) Sheriff's spokesman John Urquhart told members of the press "To us, they're so obviously not suspicious ... We don't consider them dangerous" and that "[i]n this day and age, whenever anything remotely suspicious shows up, people get concerned - and that's good. However, people don't need to be concerned about this. These are cartoon characters giving the finger.

With these two episodes of Chicken Little style overreaction by public officials setting the tone, let us now begin to explore the massively flawed policies adopted, albeit unofficially by homeland security officials: Devices sold by major corporations that come packaged in logo-adorned, mass produced containers are perfectly safe, while those made by hobbyists, tinkerers and electronics nerds with exposed wires and batteries are bombs.

But first, a history lesson:

On December 21, 1988, Pan Am Flight 103 was destroyed by a bomb, and the remains landed in and around the town of Lockerbie, Scotland. The terrorists who constructed the Lockerbie bomb hid a smaller charge of explosives in the power pack of a stereo cassette player, with a barometric fuse (set off by a drop in pressure) and timer hidden behind the tape deck. These were primed to go off at a certain time and altitude. Had anyone checked, the tape deck would have blared out music.

In 2006, Israeli paratroopers raided an explosives lab in the West Bank, discovering teddy bears with wires hanging from them, apparently slated to be used as explosive devices. Presumably, the bomb-makers would seal up the teddy bears to hide the wires before sending them out to be used to kill.

A WWII German Exploding Chocolate Bar

(Credit: M15 History For Schools)

Also in 2006, the Shabak, Israel's internal security agency is reported to have assassinated Yahya Ayyash, the chief bomb maker for Hamas. A double-agent within Hamas slipped Ayyash a cellular phone with explosives hidden inside. The fully working telephone was reportedly tracked by Israeli Intelligence, who listened in on conversations and detonated the device when it was up to Yahya's ear.

These are just a few instances of explosives being hidden in innocent looking devices. The CIA is reported to have attempted to kill Castro with an exploding cigar. Furthermore, according to the British MI5 history archive, German intelligence agencies during WWII created hand grenades that were made to look like chocolate bars. The candy's flavor could best be described as explosive.

After that stroll down memory lane, it should be clear that motivated persons, be they terrorist groups, resistance fighters, or state security agencies, can easily package up a bomb so that it looks like a completely innocent object - something sold by a respected company and bought off the shelf from a major retailer. Moreover, in many cases, the shell device containing the bomb can still function - as a mobile phone, a laptop, or a personal stereo.

What this means is that from a risk-analysis perspective, up until the moment someone is searched at the airport security checkpoint, every single passenger is equally likely to have a bomb on them. The laptop being used in an airport Starbucks, the boom-box being carried by a music fan, the carry-on bag with wheels being pulled by a passenger, or the circuit board attached to the sweatshirt of an MIT student are all equally likely to be bombs. The mere fact that one of the items happens to have exposed wires, a few LED lights and a 9-volt battery in no way makes it more likely to be a bomb.

Suspected Terrorist button made famous by John Gilmore

(Credit: Aaron Swartz)

Yes, some of the "terrorists" caught over the past few years have been complete idiots. Richard Reid, who was unable to light his own shoe-bomb with matches, and the Glasgow airport bombers come to mind. Our government should not expect that future terrorists will be as stupid. After all, the 9/11 hijackers were willing to go to flight-training school in order to prepare for their attack. Our security policies should be focused at catching the intelligent, well funded and patient attackers, not just the idiots.

Airport security and law enforcement need to radically rewrite their training materials to focus more on actual threats, and not those pictured in episodes of TV's 24. Real terrorists hoping to take down an airplane do not advertise themselves by wearing "Terrorist" buttons and badges, t-shirts with Arabic writing, or with blinking LED lights, exposed wires and a 9-volt battery hanging from their chest. Terrorists, at least the smart ones, will do their very best to try and stay under the radar. And thus, the sad fact is that in focusing on attack-scenarios and bomb designs straight from a Hollywood movie, security officials may very well be diverting manpower away from the real threat: Someone who looks just like you or me.

Attempts to assert your right to fly without ID can often be very frustrating, due to Transportation Security Administration and airport officials not knowing their own rules.

With any luck, this should no longer be an issue because the TSA has, at last, clarified things.

Passengers with tickets for domestic flights are under no obligation to present ID to TSA. Passengers may be required to show ID to airline employees, but that is a contractual matter between the airlines and their passengers. U.S. government employees cannot, however, require you to show ID in order to pass through the security checkpoints.

Poster at Burning Man '06

(Credit: Christopher Soghoian)

I have personally flown over a dozen times without showing a single form of ID. A number of others have documented similar success stories. Unfortunately, some TSA employees are not aware of their own rules, and at times, have forced passengers to produce ID. Blogger Jake Appelbaum has documented one such experience. Something similar happened to me earlier this year when TSA agents brought over an airport police officer who then compelled me to produce an ID.

The 9th Circuit Federal Court of Appeals clarified a passenger's right to travel without showing ID in its ruling in Gilmore v. Gonzales. Expecting that a TSA screening agent be able to parse a court opinion is often a losing battle. It is for that reason that I've spent the last few months sending letters back and forth to TSA, via my senator, which at least guarantees a reply. Eventually, I was able to get something from TSA in writing that confirms passengers are able to legally fly without showing ID. For those of you who'd like to give it a shot, print out this letter and take it with you. It should (hopefully) reduce any push-back you get from TSA agents.

For those of you who don't get a kick out of asserting your rights, you may wonder why you would ever want to do this. After all, those passengers who decline to provide ID to TSA will instead be forced to go through an invasive "secondary screening" process--a five-minute-or-so procedure in which passengers are patted down, poked, prodded and have their carry-on bag thoroughly searched by hand.

There is a little known, but extremely useful side effect of refusing to show ID: In many airports, you get bumped to the front of the security line. As illogical as it may seem, you can often get through security faster by refusing or "forgetting" your ID at home than if you followed the normal security process.

So, the next time you fly, use my letter and repeat after me: "I hereby assert my right to fly without showing an identification document to any government official." With any luck, you should get through without any problems, and more than likely, you'll get bumped to the front of the queue. If you get any push-back at all, remember the magic words, "I'd like to speak to a supervisor please."

For further reading on the subject: I have a research paper documenting (and fixing) security flaws in the boarding pass system and no-fly lists that'll be published at the IDMAN workshop in October. A pre-print copy of the paper is available online: Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists. Researchers from MIT analyzed the benefits of racial profiling in airport security back in 2002. I highly recommend their paper, Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System. Bruce Schneier has been talking about airport security flaws for years, and most recently published a must-read interview with TSA chief Kip Hawley.

Letter from TSA

(Credit: Christopher Soghoian)

Click to see a full-size copy (pdf).