Archive - May, 2008

Authorization on the Internet

I recently read a post here and here by EFF on laws that make it a criminal offense to simply access an e-mail server or to test if personal data of yours kept by a third party can be accessed by others. This led me to an article referred to in the first one with more detail on some of the cases (that article is here).

With respect to the Internet, the court needs to view ‘authorization’ in the same context as the expectation of privacy. When a person is sitting in their home, they have a certain expectation of privacy. They expect that covert cameras are not capturing pictures or movies of them and their family. They expect that their conversations, movements, and actions are not being recorded. This expectation changes when a person leaves their home. Security cameras can and do record them walking down the street. An audio conversation between them and a store clerk could be recorded by store equipment (currently not likely, but I suspect it would be considered legal). This type of activity is expected and assumed. You can not claim that a store you were in or the city you were in did not seek your permission to record you prior to being recorded. Privacy is not assumed in public.

In my opinion the same is true for systems on the Internet. If an entity places a mail server on the public Internet, then it is reasonable to expect that it will be connected to, both for reasons it was intended and reasons it was not. The expectation that a mail server will only be used by individuals to route e-mail, or to route e-mail that is ‘authorized’, is not the responsibility of individuals on the Internet. It is the responsibility of the owner of the server to ensure this. I send e-mail all the time, and I have no idea what servers are accepting and routing my e-mail to the appropriate destination (yes, I can figure these things out but that is not the point). If an individual directly routes e-mail to a server that should not accept or route the e-mail, the company needs to configure their servers to not accept this. The company needs to configure their servers and networks so that they are not open to attack.

The same applies to a web server. If someone is accessing a server that contains their personal medical information, notices that the URL in the browser is https://medicalfiles.medi/userProfile.asp?id=1234, changes the URL to https://medicalfiles.medi/userProfile.asp?id=1235 and is suddenly viewing someone else’s profile information, that is completely the responsibility of the company that owns the server. The company chose to put the server on the public Internet. The company chose to develop, purchase, or otherwise use a particular application to allow private user information to be displayed. The company chose a set of methods to secure this information and ensure that only the authorized individuals could access specific information. With these choices comes a responsibility and consequences for not living up to that responsibility.

Just as there is no expectation of privacy in public, there should be no expectation of proper or improper authorization for a server on the Internet. It is the owner's responsibility to configure their servers and network devices correctly to enforce the authorization they desire, and failure to do so is their own fault and responsibility, period.
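An added example, not part of the original post, of what enforcing that authorization looks like for the userProfile.asp?id= case: the handler that trusts the id in the URL beside one that checks it against the logged-in user. The data store, session tokens, grant table and function names are all hypothetical, and it is written in Python rather than ASP.

```python
# Constructed sample data: profile id -> record. Nothing here comes from a real system.
PROFILES = {
    1234: {"owner": "alice", "record": "alice's medical profile"},
    1235: {"owner": "bob", "record": "bob's medical profile"},
}
# Session token -> authenticated user (stands in for the site's login/session layer).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-lee": "dr_lee"}
# Explicit grants beyond ownership, e.g. a physician allowed to read one profile.
GRANTS = {("dr_lee", 1235)}
# Audit trail of refused requests, so the owner can see probing of other ids.
DENIED = []


def user_profile_unchecked(token, profile_id):
    """The behaviour in the post: any logged-in user gets whatever id is in the URL."""
    if token not in SESSIONS:
        return 401, None
    profile = PROFILES.get(profile_id)
    return (200, profile["record"]) if profile else (404, None)


def user_profile_enforced(token, profile_id):
    """Deny by default: serve a profile only to its owner or an explicit grantee."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    profile = PROFILES.get(profile_id)
    allowed = profile is not None and (
        profile["owner"] == user or (user, profile_id) in GRANTS
    )
    if not allowed:
        # Same answer for "not yours" and "does not exist", so ids cannot be enumerated.
        DENIED.append((user, profile_id))
        return 404, None
    return 200, profile["record"]


def demo():
    """Alice edits id=1234 to id=1235 in the URL, against both handlers."""
    return (
        user_profile_unchecked("tok-alice", 1235),
        user_profile_enforced("tok-alice", 1235),
        user_profile_enforced("tok-alice", 1234),
    )
```

The check runs on the server against the session's user on every request; the id in the URL is treated as untrusted input, not as proof of who is asking.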

United Emirates Airline

I recently had to fly for business to Dubai. I ended up flying on United Emirates Airline (UEA). The lady in the picture above is Emma from Manchester. Emma is part of the Cabin crew that was assigned to our area. The outfit she is wearing is what they wear when you board and de-plane the aircraft. I thought it was a cool outfit, but that is not the reason for this entry.

Prior to booking with UEA, I attempted to book as I normally do via Air Canada. Given the last minute timing of the booking due to customer logistics, I expected the cost of the flight to be more expensive regardless of the airline. The price for Air Canada was double the cost to fly via UEA, and UEA flew direct; with Air Canada I had to transfer. I took the time to call Air Canada and explain to them the differences both in time and cost. Their response was pretty much ‘yes we know. And sorry we can’t do anything about it.’

I booked with UEA and it was the best airline decision I ever made. Even considering Air Canada for this trip was naive. The UEA planes are new and amazing. The flight was on a Boeing 777-300. The entertainment system is the best I’ve seen on an aircraft. The selection of television shows, movies, albums, games beats any Canadian or American airline I have been on (and I’ve been on quite a few). And it’s included. No extra charge. You can even use the entertainment system during take off and landing with the exception of the headphones which must be put away. You can watch the map, view the forward or underbelly cameras, or watch the movies without sound. The meals and non-alcoholic drinks are included with the flight.

The staff were amazing. They were friendly, attentive and honestly concerned that everyone was as comfortable as possible. Many times I saw Emma and the others saying “Are you ok?” to different passengers for any of several reasons — and it was real not fake. I mean, they really cared and were really concerned and wanted to make sure things were okay. The staff were smart, attentive, and professional. I spoke with several of the staff, Emma the most as she was the main person in our area. They engaged in conversation, they asked questions, they answered questions and it wasn’t fake. They honestly liked their work and enjoyed talking to the customers. They were interested in them and their comfort. All in all it made for a great flight. One of the advertisements for UEA recruiting on the television in the Middle East highlights that they select top of the class individuals for this work. I am willing to bet they do a personality assessment as well prior to hiring. And I bet they pay them well too.

Whatever they do it works! I am not an airline expert but I’d suggest that Air Canada, American Airlines, North West Air and any other North American carrier take a serious look at what they do and start copying it. American Airlines is now going to start charging for baggage, removing flights and laying off staff. It is expected that other airlines will follow suit. Apparently it is due to the rising cost of fuel. United Emirates Airline is posting profits! North American Airlines should take a serious look at how customer service should work and United Emirates Airlines would be a good goal to use.

Colleagues of mine have flown Singapore Airlines and say that it is a similar experience. I haven’t had the chance to fly them yet but they are posting profits too.

In the future, if I have the option to fly with UEA or Singapore airlines I’ll do it. I won’t even consider North American Airlines.

Framing someone by planting evidence

I hope there is more evidence than what is in this story and I hope this evidence is really compelling. If the man is actually guilty of child pornography related offenses then I hope he is charged and convicted to the full extent of the law. I was driving into work and heard this story on the news and it got me thinking about how easy it would be to frame someone with child porn or other incriminating evidence and then just ‘tip’ off the police.

Presently, I am putting the finishing touches on an advanced security course geared toward service providers. Shortly, I will be running this course for a major service provider. In the course we do actual malware deployment and analysis. The malware used is reasonably up-to-date and can be found active on the Internet today. The malware is very easy to use. Much easier than it was even 2 years ago. In some cases the malware uses standard libraries designed to write malware that are available on the Internet. One of the malware samples used for this course includes the ability to write ‘plug-ins’, similar to how you can write a plug-in for a web browser such as Firefox.

I am confident that law enforcement will do a detailed investigation of the suspect’s computers in the story above. But I’d argue that today it is possible to get malicious code, pictures or any type of incriminating evidence onto a PC leaving minimal to no trace behind. I’d suggest that this has gotten easier over the years and will probably get easier in the future. I and others have worked with malware that doesn’t ever write to storage, but stays resident in memory. Even if there is evidence left on the suspect system, does law enforcement do a detailed analysis for every complaint? I doubt they have the resources for that. For the sake of argument, let’s assume that they do have the resources to do a detailed investigation of every system. Let’s also assume that the investigation revealed that the evidence was planted externally and the owner had no knowledge of its existence and is innocent. Unfortunately it isn’t over for the owner when the investigation is concluded. There will be issues that will follow them for the rest of their lives. There will be the embarrassment of being suspected of a criminal act. There will be the record of the arrest, which can make it difficult to travel in the future even if there is no conviction. There will be the looks and suspicions of others always wondering “Was he really innocent or did he just get lucky and is really guilty?”

State of wireless in Canada

Michael Geist gave a great talk on the state of wireless in Canada. I listened to it while eating lunch. I think it is a great talk and he is an excellent speaker as well. Issues discussed include open devices, networks, and services, unlocked devices and more. For those interested, the talk with slides can be seen here.

Permanent link is here.

Searching Laptops at border, II

Jennifer Granick wrote some follow-up articles here and here about the ability for laptops to be searched at the border with no suspicion or cause. My original post to this topic is here.

Good articles and there is not an easy answer to this problem. On one hand there is the need for law enforcement to get the bad guys, but on the other hand, my company and I have obligations to our customers, often legal obligations to not reveal certain information to any individuals or entities including government.

My laptop is encrypted, and contains virtual machines that have encrypted drives. In certain scenarios I even have hidden encrypted drives within encrypted drives. I am very doubtful a cursory search would find any evidence of these drives or their presence. However, if for some other reason your laptop was to be confiscated or the encrypted data was to be discovered, what is one to do? If you are requested to enter or give the keys and/or pass phrases to allow access to the encrypted data and you refuse, the border enforcement is just going to probe harder and the end result will be difficulties in the future when you travel. One can argue the border enforcement are just doing their job and trying to ensure the public safety so they require your cooperation. The best answer to this problem unfortunately is to use a forensically clean laptop that does not contain any data that there is a legal obligation to keep private. Once you have arrived at your hotel you pull the data down using a secure connection, preferably to an encrypted drive. Storing the data on an encrypted drive not only protects the data from extraction, but once you delete the data from the drive, extraction of data fragments via slack space, trash etc. is more difficult than on a non-encrypted drive. Prior to your trip home, push the data back via the secure connection and wipe it from the drive. You only have to do this for data that you don’t want anyone to see or are under obligation to keep secret. As for the rest of the data, personal pictures, finances or whatever else, they can look at it all they want. This is annoying to do, but I think it is probably the safest answer. You can cooperate and feel comfortable at the border, knowing you are not breaking any laws. You are more relaxed and are being completely honest with the border people. They are happier because they can do what they have been tasked with, and you are protecting your clients’ and customers’ data which will keep them happy.

I wonder what happens if the border enforcement ran a program while searching a laptop that caused it to delete data or render a program or the laptop useless? Is there any recourse? Probably not.

Update: May 18, 2008
Bruce Schneier posted on laptop border searches. Another one here. They are good articles and like mine basically say the same things. This is good as it appears to be getting more mainstream attention now.