<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Special Interest Group on CRAP &#187; security</title>
	<atom:link href="http://www.sigcrap.org/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.sigcrap.org</link>
	<description>Not affiliated with ACM.  They have their own crap.</description>
	<lastBuildDate>Fri, 17 Jun 2011 19:00:05 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>The continuing erosion of privacy</title>
		<link>http://www.sigcrap.org/2011/06/17/the-continuing-erosion-of-privacy/</link>
		<comments>http://www.sigcrap.org/2011/06/17/the-continuing-erosion-of-privacy/#comments</comments>
		<pubDate>Fri, 17 Jun 2011 19:00:05 +0000</pubDate>
		<dc:creator>Kevin McCurley</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[The internet]]></category>

		<guid isPermaLink="false">http://www.sigcrap.org/?p=345</guid>
		<description><![CDATA[I&#8217;ll take the opportunity to recommend the recent book by Susan Landau on wiretapping. Privacy is increasing in importance over time, and I&#8217;m noticing a lot of fuzzy thinking about how to respect privacy. One incident that recently came up is the fact that my car reports latitude, longitude, position, and speed whenever it downloads [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ll take the opportunity to recommend the recent book by <a href="http://www.privacyink.org/">Susan Landau</a> on wiretapping.  Privacy is increasing in importance over time, and I&#8217;m noticing a lot of fuzzy thinking about how to respect privacy.  One incident that recently came up is the fact that my car reports latitude, longitude, position, and speed whenever it downloads an RSS feed (yes my car actually downloads RSS &#8211; it&#8217;s a Nissan Leaf).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sigcrap.org/2011/06/17/the-continuing-erosion-of-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The end of MD5, spoken in 1024 bits.</title>
		<link>http://www.sigcrap.org/2011/01/03/the-end-of-md5-spoken-in-1024-bits/</link>
		<comments>http://www.sigcrap.org/2011/01/03/the-end-of-md5-spoken-in-1024-bits/#comments</comments>
		<pubDate>Mon, 03 Jan 2011 09:09:59 +0000</pubDate>
		<dc:creator>Kevin McCurley</dc:creator>
				<category><![CDATA[Inspirations]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[The internet]]></category>

		<guid isPermaLink="false">http://www.sigcrap.org/?p=278</guid>
		<description><![CDATA[Here are two 512-bit inputs whose MD5 hashes are identical. The 512-bit inputs differ in only two bits. Nice work mentioned in http://eprint.iacr.org/2010/643 MD5(6165300E87A79A55F7C60BD034FEBD0B6503CF04854F709EFB0FC034874C9C65 2F94CC4015A12DEB5C15F4A3490786BB6D658673A4341F7D8FD75920EFD18D5A) = CEE9A457E790CF20D4BDAA6D69F01E41 MD5(6165300E87A79A55F7C60BD034FEBD0B6503CF04854F749EFB0FC034874C9C65 2F94CC4015A12DEBDC15F4A3490786BB6D658673A4341F7D8FD75920EFD18D5A) = CEE9A457E790CF20D4BDAA6D69F01E41 xor 0000000000000000000000000000000000000000000004000000000000000000 0000000000000000800000000000000000000000000000000000000000000000 00000000000000000000000000000000]]></description>
			<content:encoded><![CDATA[<p>Here are two 512-bit inputs whose MD5 hashes are identical.  The 512-bit inputs differ in only two bits.  Nice work mentioned in <a href="http://eprint.iacr.org/2010/643">http://eprint.iacr.org/2010/643</a></p>
<pre>
MD5(6165300E87A79A55F7C60BD034FEBD0B6503CF04854F709EFB0FC034874C9C65
    2F94CC4015A12DEB5C15F4A3490786BB6D658673A4341F7D8FD75920EFD18D5A) =
    CEE9A457E790CF20D4BDAA6D69F01E41
MD5(6165300E87A79A55F7C60BD034FEBD0B6503CF04854F749EFB0FC034874C9C65
    2F94CC4015A12DEBDC15F4A3490786BB6D658673A4341F7D8FD75920EFD18D5A) =
    CEE9A457E790CF20D4BDAA6D69F01E41
xor 0000000000000000000000000000000000000000000004000000000000000000
    0000000000000000800000000000000000000000000000000000000000000000
    00000000000000000000000000000000
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.sigcrap.org/2011/01/03/the-end-of-md5-spoken-in-1024-bits/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AboutFacebook: reading outside</title>
		<link>http://www.sigcrap.org/2010/10/21/aboutfacebook-reading-outside/</link>
		<comments>http://www.sigcrap.org/2010/10/21/aboutfacebook-reading-outside/#comments</comments>
		<pubDate>Thu, 21 Oct 2010 23:29:26 +0000</pubDate>
		<dc:creator>Kevin McCurley</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[The internet]]></category>

		<guid isPermaLink="false">http://www.sigcrap.org/?p=272</guid>
		<description><![CDATA[I decided to create a convenient link to the rss feed of facebook postings by my friends. Thanks to jwz for pointing out how to do this.]]></description>
			<content:encoded><![CDATA[<p>I decided to create a convenient link to the <a href="http://www.sigcrap.org/snoop.php">rss feed of facebook postings by my friends</a>.  Thanks to jwz for pointing out how to do this.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sigcrap.org/2010/10/21/aboutfacebook-reading-outside/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The facebook privacy problem</title>
		<link>http://www.sigcrap.org/2010/05/18/the-facebook-privacy-problem/</link>
		<comments>http://www.sigcrap.org/2010/05/18/the-facebook-privacy-problem/#comments</comments>
		<pubDate>Wed, 19 May 2010 00:05:45 +0000</pubDate>
		<dc:creator>Kevin McCurley</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[The internet]]></category>

		<guid isPermaLink="false">http://www.sigcrap.org/?p=245</guid>
		<description><![CDATA[The furor over facebook&#8217;s privacy problems has recently escalated. There are several parts to this: If you are logged into Facebook but then surf around the web, you will be transmitting personal details from your facebook presence to the other web sites When other people surf the web, they will be transmitting data about their [...]]]></description>
			<content:encoded><![CDATA[<p>The furor over facebook&#8217;s privacy problems has recently escalated.  There are several parts to this:</p>
<ol>
<li>If you are logged into Facebook but then surf around the web, you will be transmitting personal details from your facebook presence to the other web sites</li>
<li>When other people surf the web, they will be transmitting data about their relationship to <strong>you</strong>.  This seems like the worst example.</li>
<li>Trying to improve your privacy settings requires negotiation of a dozen pages with 170 different privacy settings.</li>
</ol>
<p>There is now an organized protest to avoid logging in to facebook on 6/6/2010.  That&#8217;s an easy one.  I think it&#8217;s time to dial back and see what it feels like to not use facebook.  Unfortunately I&#8217;m logged in on so many places that it will require a witch hunt to log out everywhere.  Anyway, this blog post will still eventually show up there, but I won&#8217;t.</p>
<p>One of the recent events that annoyed me is that people have been giving one of my email addresses to facebook in trying to add me as a friend.  This was apparently caused by someone uploading their email contact list, but in doing this they gave private information between the two of us to a third party, namely facebook.  I am always appalled by how freely people will give away private information belonging to someone else, and think nothing of it.  Facebook is openly preying on this ignorance.  Shame on both of you.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sigcrap.org/2010/05/18/the-facebook-privacy-problem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Contextual advertising giggles</title>
		<link>http://www.sigcrap.org/2010/04/29/contextual-advertising-giggles/</link>
		<comments>http://www.sigcrap.org/2010/04/29/contextual-advertising-giggles/#comments</comments>
		<pubDate>Thu, 29 Apr 2010 16:33:47 +0000</pubDate>
		<dc:creator>Kevin McCurley</dc:creator>
				<category><![CDATA[Amusements]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.sigcrap.org/?p=232</guid>
		<description><![CDATA[I saw a photo posted on Facebook that was tagged with Andrei Broder and Prabhakar Raghavan (both of Yahoo research). It&#8217;s ironic that both have worked on algorithms for contextual advertising, but the ads on Facebook next to the photos were hilarious. One of the ads is for &#8220;rich dads&#8221;. I&#8217;m not sure if that [...]]]></description>
			<content:encoded><![CDATA[<p>I saw a photo posted on Facebook that was tagged with Andrei Broder and Prabhakar Raghavan (both of Yahoo research).  It&#8217;s ironic that both have worked on algorithms for contextual advertising, but the ads on Facebook next to the photos were hilarious.  One of the ads is for &#8220;rich dads&#8221;.  I&#8217;m not sure if that was because of Andrei, Prabhakar, or myself (or some combination thereof).  The second ad is for travel to Ghana, which may be caused by my rants about guys in Ghana calling me to try out 419 scams.  Or maybe this is a new form of scam by the guys in Ghana?  If so then the ad is chilling.<br />
<br/><br />
<a href="http://www.mccurley.org/images/contextual_advertising.png"><img src="http://www.mccurley.org/images/contextual_advertising.png" width="392" height="282"/></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.sigcrap.org/2010/04/29/contextual-advertising-giggles/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ah the irony</title>
		<link>http://www.sigcrap.org/2009/12/01/ah-the-irony/</link>
		<comments>http://www.sigcrap.org/2009/12/01/ah-the-irony/#comments</comments>
		<pubDate>Tue, 01 Dec 2009 19:20:03 +0000</pubDate>
		<dc:creator>Kevin McCurley</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[The internet]]></category>

		<guid isPermaLink="false">http://www.sigcrap.org/?p=199</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><a href="http://mccurley.org/images/fc.png"><img alt="" src="http://mccurley.org/images/fc.png" title="Financial cryptography fail" class="aligncenter" width="400" height="206" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.sigcrap.org/2009/12/01/ah-the-irony/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>allofmp3.com rears their ugly head</title>
		<link>http://www.sigcrap.org/2009/08/13/allofmp3com-rears-their-ugly-head/</link>
		<comments>http://www.sigcrap.org/2009/08/13/allofmp3com-rears-their-ugly-head/#comments</comments>
		<pubDate>Fri, 14 Aug 2009 00:52:50 +0000</pubDate>
		<dc:creator>Kevin McCurley</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[The internet]]></category>

		<guid isPermaLink="false">http://www.sigcrap.org/?p=186</guid>
		<description><![CDATA[Today I got a piece of spam sent to the email address that was only used for communication with allofmp3.com. In case you have forgotten, that was a shady music seller who sold MP3 music files by the megabyte, but was eventually shut down through pressure by the US trade representative. The spam had a [...]]]></description>
			<content:encoded><![CDATA[<p>Today I got a piece of spam sent to the email address that was <strong><em>only</em></strong> used for communication with allofmp3.com.  In case you have forgotten, that was a shady music seller who sold MP3 music files by the megabyte, but was eventually <a href="http://torrentfreak.com/allofmp3-shut-down-by-russian-government/">shut down through pressure by the US trade representative</a>.  The spam had a PDF file attachment, which means that either they use PDF to evade filters or else the PDF is a potential virus. </p>
<p>Anyone out there interested in dissecting a potentially rogue PDF file?</p>
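<p>As an added example (not the author's code, and run on constructed sample files rather than the actual spam attachment): a static first pass over a suspicious PDF, done before it is opened in any reader. It looks for the names that give a document active content (/JavaScript, /JS, /Launch, /EmbeddedFile, /RichMedia, /XFA) and the hooks that fire it automatically (/OpenAction, /AA), undoes the #xx hex escapes that PDF allows inside names, and inflates /FlateDecode streams so that keywords hidden in compressed object streams are not missed. The name lists, the verdict thresholds and the function names are this example's own choices.</p>

```python
import re
import zlib

# Names that mark auto-execution or active content. Seeing them is not proof
# of malice, but an unsolicited attachment has no business carrying them.
AUTO_EXEC = ("/OpenAction", "/AA")
ACTIVE_CONTENT = ("/JavaScript", "/JS", "/Launch", "/EmbeddedFile",
                  "/RichMedia", "/XFA")
RISKY_NAMES = AUTO_EXEC + ACTIVE_CONTENT

# PDF names may hex-escape any character (/J#61vaScript == /JavaScript);
# a grep for the literal name misses that, so escapes are undone first.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream together with the dictionary in front of it (one level of
# nested << >> tolerated); the body is taken up to the first "endstream".
_STREAM = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Replace #xx escapes with the byte they encode."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> tuple:
    """Return (data + inflated stream bodies, number of streams inflated).

    Names inside /FlateDecode object streams are invisible to a scan of the
    raw bytes. Escapes are undone on the stream dictionary only, never on
    the compressed body, which would be corrupted by the substitution."""
    inflated = []
    for dict_part, body in _STREAM.findall(data):
        if b"/FlateDecode" in normalize_names(dict_part):
            try:
                inflated.append(zlib.decompress(body))
            except zlib.error:
                continue  # damaged or not really zlib: nothing more to scan
    return data + b"\n" + b"\n".join(inflated), len(inflated)


def triage_pdf(data: bytes) -> dict:
    """Static first look: which risky names appear, how often, and a coarse
    verdict. Nothing is parsed as a document and nothing is executed."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "hits": {}, "streams_inflated": 0,
                "verdict": "not-a-pdf"}
    expanded, n_streams = inflate_streams(data)
    scanned = normalize_names(expanded)
    hits = {}
    for name in RISKY_NAMES:
        # a name ends at whitespace or a delimiter, so /JS must not match /JSX
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, scanned))
        if count:
            hits[name] = count
    auto = any(n in hits for n in AUTO_EXEC)
    active = any(n in hits for n in ACTIVE_CONTENT)
    if auto and active:
        verdict = "suspicious"      # something runs, and it runs on open
    elif auto or active:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return {"is_pdf": True, "hits": hits, "streams_inflated": n_streams,
            "verdict": verdict}


# Constructed sample files (not real malware): a plain one, one with an
# escaped /JavaScript name wired to /OpenAction, and one hiding the same
# action inside a compressed stream.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
ESCAPED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
               b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n"
               b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
_payload = zlib.compress(b"<< /S /JavaScript /JS (app.alert(2)) >>")
COMPRESSED_PDF = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /AA 4 0 R >>\nendobj\n"
                  b"4 0 obj\n<< /Length " + str(len(_payload)).encode()
                  + b" /Filter /FlateDecode >>\nstream\n" + _payload
                  + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("escaped", ESCAPED_PDF),
                       ("compressed", COMPRESSED_PDF)):
        print(label, triage_pdf(pdf))
```

The logic is the same idea as Didier Stevens' pdfid, written out here to show the two evasions a plain grep misses: escaped names and compressed object streams. Other filters (LZW, ASCIIHex, chained filters) and encrypted documents are not handled, so a "benign-looking" verdict from this script is a reason to look further with a real parser, not a clean bill of health.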
]]></content:encoded>
			<wfw:commentRss>http://www.sigcrap.org/2009/08/13/allofmp3com-rears-their-ugly-head/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>You may have already won</title>
		<link>http://www.sigcrap.org/2009/07/02/you-may-have-already-won/</link>
		<comments>http://www.sigcrap.org/2009/07/02/you-may-have-already-won/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 07:17:30 +0000</pubDate>
		<dc:creator>Kevin McCurley</dc:creator>
				<category><![CDATA[Economics]]></category>
		<category><![CDATA[Rants]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[The internet]]></category>

		<guid isPermaLink="false">http://www.sigcrap.org/?p=169</guid>
		<description><![CDATA[Everyone probably gets these emails telling you that you have a long lost uncle who was an official in Africa who left you $21 million, and if you&#8217;d just send $1,000 to them then they will wire you the money. They are called 419 scams. About once a year I also get an airmail letter [...]]]></description>
			<content:encoded><![CDATA[<p>Everyone probably gets these emails telling you that you have a long lost uncle who was an official in Africa who left you $21 million, and if you&#8217;d just send $1,000 to them then they will wire you the money.  They are called 419 scams.  About once a year I also get an airmail letter from Africa with one of these scams, trying to get me to send them information for them.  For the last four years I have also been getting phone calls to my office from these clowns, trying to get me to yield to temptation and help them steal from me.  This last week I got three of these calls, all from <a href="http://www.google.com/search?q=country+code+233&#038;ie=utf-8&#038;oe=utf-8&#038;aq=t&#038;rls=org.mozilla:en-US:official&#038;client=firefox-a">country code 233</a> indicating Ghana.  It&#8217;s getting more and more annoying (though perhaps the solution is simply to disconnect my phone).</p>
<p>If you try to shop on craigslist, you regularly come across semi-obvious scams, and there are even more scams that are fairly well concealed.  I am now getting several spammers a day following me on twitter, and my spam folder on my personal email account typically has 5,000 spam messages in it (I never look at them).</p>
<p>All of this is a reminder that a lot of people on this planet try to make their living from fraud and other criminal activities.  Technology has become an enabler for these scams, and the most chilling offender in my mind is voice over IP, which makes phone calls from countries like Ghana essentially free.  People who are naive or lonely or otherwise vulnerable (particularly senior citizens) are going to fall victim to this criminality.  It used to be that if you wanted to avoid crime, you could mostly do this by sequestering yourself in a civil part of the world.  The Internet is making that more difficult.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sigcrap.org/2009/07/02/you-may-have-already-won/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s about trust</title>
		<link>http://www.sigcrap.org/2008/10/08/its-about-trust/</link>
		<comments>http://www.sigcrap.org/2008/10/08/its-about-trust/#comments</comments>
		<pubDate>Thu, 09 Oct 2008 04:24:36 +0000</pubDate>
		<dc:creator>Kevin McCurley</dc:creator>
				<category><![CDATA[Politics]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.sigcrap.org/?p=113</guid>
		<description><![CDATA[As I look around at what is happening in the world today, I keep seeing evidence that it all comes down to trust. As someone who spent a great deal of time working on information security, the subject of trust is one that I tried to design for, but I always regarded trust as a [...]]]></description>
			<content:encoded><![CDATA[<p>As I look around at what is happening in the world today, I keep seeing evidence that it all comes down to trust.  As someone who spent a great deal of time working on information security, the subject of trust is one that I tried to design for, but I always regarded trust as a boolean value.  In reality, trust is more complicated.  Sometimes it is a boolean value, and the goal is to identify and preserve the value of this, and in other cases it should be thought of as a multidimensional object.  For example, I might trust someone to competently cut my hair, but that doesn&#8217;t mean I would trust them to surgically remove a tumor.  Trust is sometimes situational, and sometimes can be measured.</p>
<p>A long time ago a banker explained to me that bankers didn&#8217;t hold money &#8211; they were in the business of managing trust.  They conveyed trust to their depositors and investors, and they held trust in their borrowers.  In order to make a business out of this, they had to be shrewd in estimating the value of risk.  In the old days they were able to apply their knowledge of social relationships and markets in order to come up with reasonable values.  Bankers in a community generally knew who was a good risk for a loan, either because of their relationship in business or through their track record in fulfilling previous commitments.  </p>
<p>Unfortunately, the mortgage business was taken over by a set of people who had no way to accurately quantify trust.  This is one of those areas where sound human judgement was replaced by algorithmic quantitative analysis, and the results have not been pretty.  I always looked suspiciously at the &#8220;science&#8221; of risk assessment.  I&#8217;m amused by the fact that the <a href="http://en.wikipedia.org/wiki/Risk_assessment">wikipedia entry on risk assessment</a> contains an automatically generated message saying that it contains &#8220;weasel words&#8221;.  </p>
<p>The underlying problem in risk assessment is trying to estimate the probability of an extremely rare event &#8211; perhaps an event that has never even been observed to happen.  Such estimates are by their very nature wild speculations, with variances that are larger than the mean.  Any estimate of the probability of such an event has to be taken with a grain of salt the size of a dump truck.</p>
<p>The application of unsound algorithmic practices and gut instincts has resulted in a massive erosion of trust in our society.  In the pursuit of profits, mortgage lenders threw out sound predictive methods and substituted unsound analytic techniques instead.  When Bush stands up and says that our economy is in a crisis, everyone remembers that he used the same argument for going to war in Iraq.  When banks start to question whether borrowers will pay back their loans, they start to hoard their assets and financial liquidity evaporates.  When investors (including myself) see a rapid and unpredictable erosion of value in the stock market, they pull out rapidly, further eroding the value of the stock market.</p>
<p>The question is &#8211; what will restore this vacuum of trust?  Trust is something that is easily lost, but hard to gain.  What can be lost in moments will sometimes take years to recover.  The U.S. currency is imprinted with the slogan &#8220;In God we trust&#8221;.  That may be true for some, but I think the correct slogan would be &#8220;In experience we trust&#8221;.  We need some better experiences in order to regain our trust.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sigcrap.org/2008/10/08/its-about-trust/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Thoughts from the Crypto conference</title>
		<link>http://www.sigcrap.org/2008/08/28/thoughts-from-the-crypto-conference/</link>
		<comments>http://www.sigcrap.org/2008/08/28/thoughts-from-the-crypto-conference/#comments</comments>
		<pubDate>Thu, 28 Aug 2008 23:35:19 +0000</pubDate>
		<dc:creator>Kevin McCurley</dc:creator>
				<category><![CDATA[Research]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.sigcrap.org/?p=84</guid>
		<description><![CDATA[I was having a hard time summarizing my thoughts from the Crypto conference. As always it was nice to see old friends and engage in discussions about the state of the art in crypto, but in retrospect I think the field of mathematical cryptography has dug itself into a hole and has a hard time [...]]]></description>
			<content:encoded><![CDATA[<p>I was having a hard time summarizing my thoughts from the Crypto conference.  As always it was nice to see old friends and engage in discussions about the state of the art in crypto, but in retrospect I think the field of mathematical cryptography has dug itself into a hole and has a hard time seeing out.  Lots of discussion about what paper got in, but not much excitement generated from the talks.</p>
<p>The invited talks were a pleasant part though.  Gilles Brassard gave a nice historical account of the development of quantum cryptography.  I always thought that it was a very nicely motivated topic, providing a nice alternative to the Shannon Information-theoretic model and the well worn complexity-theoretic model based on Turing machines.  I was somewhat suspicious of the claims that it is economically viable, but customers generally end up resolving that one.</p>
<p>Adi Shamir gave a nice talk about algebraic attacks on crypto algorithms.  His fundamental observation that crypto algorithms can be expressed as boolean polynomials provides a nice mathematical framework to work in, but it wasn&#8217;t clear to me from the presentation when it will be practical.  I guess that&#8217;s part of the fun &#8211; trying to linearize things for analysis.</p>
<p>The rump session featured a nice talk on <a href="http://rump2008.cr.yp.to/7ff800f99a1552332cc7f207eddc558d.pdf">faith-based cryptography</a>.  It reminded me that many people in the field still throw around the term &#8220;provable security&#8221; in spite of the fact that the term is misleading.  For most cryptographers their goal is to produce theorems rather than security, so they are completely satisfied if their output is &#8220;A implies B&#8221;, even if the majority of users of cryptography have little reason to believe in A.  I guess you have to have faith.</p>
<p>In the end I concluded that I made the right decision to concentrate my creative energies outside of cryptography.  Theorems are nice, but most humans have no use for them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sigcrap.org/2008/08/28/thoughts-from-the-crypto-conference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

