Cassini

This image isn’t Saturn’s Rings, but an image of Saturn from its pole to equator.

Saturn

Sadly, many of the sites reporting on Cassini’s dive through Saturn’s rings — I’m going to say that again — Cassini’s first dive through Saturn’s rings — don’t explain the photos. I’ll admit it, I thought I was looking at the rings. Space.com has the explanations.

“…the Elusive Goal of Security as a Scientific Pursuit”

That’s the subtitle of a new paper by Cormac Herley and Paul van Oorschot, “SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit,” forthcoming in IEEE Security & Privacy.

The past ten years has seen increasing calls to make security research more “scientific”. On the surface, most agree that this is desirable, given universal recognition of “science” as a positive force. However, we find that there is little clarity on what “scientific” means in the context of computer security research, or consensus on what a “Science of Security” should look like. We selectively review work in the history and philosophy of science and more recent work under the label “Science of Security”. We explore what has been done under the theme of relating science and security, put this in context with historical science, and offer observations and insights we hope may motivate further exploration and guidance. Among our findings are that practices on which the rest of science has reached consensus appear little used or recognized in security, and a pattern of methodological errors continues unaddressed.

Cyber Grand Shellphish

There’s a very interesting paper on the Cyber Grand Challenge by team Shellphish. Lots of details about the grand challenge itself, how they designed their software, how they approached the scoring algorithm, and what happened in the room.

There’s lots of good details, but perhaps my favorite is:

How would a team that did *nothing* do? That is, if a team connected and then ceased to play, would they fare better or worse than the other players? We ran a similar analysis to the “Never patch” strategy previously (i.e., we counted a CS as exploited for all rounds after its first exploitation against any teams), but this time removed any POV-provided points. In the CFE, this “Team NOP” would have scored 255,678 points, barely *beating* Shellphish and placing 3rd in the CGC.

The reason I like this is that scoring systems are hard. Really, really hard. I know that DARPA spent substantial time and energy on the scoring system, and this outcome happened anyway. We should not judge either DARPA or the contest on that basis, because it was hard to see that that would happen ahead of time: it’s a coincidence of the scores teams actually achieved.

How Not to Design an Error Message

SC07FireAlarm

The voice shouts out: “Detector error, please see manual.” Just once, then a few hours later. And when I did see the manual, I discovered that it means “Alarm has reached its End of Life

No, really. That’s how my fire alarm told me that it’s at its end of life. By telling me to read the manual. Why it doesn’t say “device has reached end of life?” That would be direct and to the point. But no. When you press the button, it says “please see manual.” Now, this was a 2009 device, so maybe, just maybe, there was a COGS issue in how much storage was needed.

But sheesh. Warning messages should be actionable, explanatory and tested. At least it was loud and annoying.

Account Recovery

Access to an account is access to an account. A lot of systems talk about “backup” authentication, but make that backup authentication available at all times. This has led to all sorts of problems, because the idea that the street you grew up on is a secret didn’t make sense even before Yahoo! “invalidated“it. Not to mention that even when answers to these questions are freeform, they tend to have only a few bits of entropy. Colors? First names? All have distributions. Then there’s the ones who insist they know your answers: United Airlines Account Recovery Questions

One of the people who’s focused on really improving account recovery is Brad Hill, and at F8, Facebook announced some new tech which I think is a very useful new point in the design space.

As developers, we talk a lot about building experiences that people love. But there’s one experience that never fails to elicit a groan from people everywhere: recovering an account after forgetting your password.

[…]
Delegated Account Recovery helps people and businesses recover their accounts using the services that they trust. It is an open protocol that gives companies the ability to provide better and more secure options to their customers for regaining access to their accounts. Facebook — and other providers in the future — can help people verify who they are when they forget their password, lose their two-factor codes, or don’t want to answer security questions based on personal information. (“Delegated Account Recovery Now Available in Beta.”)

It’s worth checking out.

And not that I’m trying to make trouble for anyone, but at what point does relying on use of a “secret” question like “street you grew up on” become the sort of unfair trade practice that garners regulatory attention? My guess is that the availability of credible alternatives brings that day closer.

People are The Weakest Link In Security?

Despite the title, end users are rarely the weak link in security. We often make impossible demands of them. For example, we want them to magically know things which we do not tell them.

Today’s example: in many browsers, this site will display as “Apple.com.” Go ahead. Explore that for a minute, and see if you can find evidence that it’s not. What I see when I visit is:

URL bar showing

When I visit the site, I see it’s a secure site. I click on the word secure, I see this:

Dropdown

But it’s really www.xn--80ak6aa92e.com, which is a Puncycode URL. Punycode is way to encode other languages so they display properly. That’s good. What’s not good is that there’s no way to know that those are not the letters you think they are. Xudong Zheng explains the problem, in more depth, and writes about how to address it in the short term:

A simple way to limit the damage from bugs such as this is to always use a password manager. In general, users must be very careful and pay attention to the URL when entering personal information. I hope Firefox will consider implementing a fix to this problem since this can cause serious confusion even for those who are extremely mindful of phishing.

I appreciate Xudong taking the time to suggest a fix. And I don’t think the right fix is that we can expect everyone to use a password manager.

When threat modeling, I talk about this as the interplay between threats and mitigations: threats should be mitigated and there’s a threat that any given mitigation can be bypassed. When dealing with people, there’s a simple test product security engineering can use. If you cannot write down the steps that a person must take to be secure, you have a serious problem. If you cannot write that list on a whiteboard, you have a serious problem. I’m not suggesting that there’s an easy or obvious fix to this. But I am suggesting that as long as browser makers are telling their users that looking at the URL bar is a security measure, they have to make that security measure resist attacks.

A New Blog

When I started blogging a dozen years ago, the world was different. Over time, I ended up with at least two main blogs (Emergent Chaos and New School), and guest posting at Dark Reading, IANS, various Microsoft blogs, and other places.

I decided it’s time to bring all that under a single masthead, and hey, get TLS finally. I’ve imported the EmergentChaos and New School archives, but not the others. For those others, I’ll post a link here as I post there.

If you subscribe to either or both, I suggest subscribing here; I’ll post reminders to those other blogs to move as well. If you maintain a link to either of the old blogs, please update it to point here.

I’m sure I’ve broken things in the imports, please let me know what they are.


In the near future, I’ll set up redirects from the old blogs to here.

Syria

So I’m curious: on what basis is the President of the United States able to issue orders to attack the armed forces of Syria?

It is not on the basis of the 2001 “Authorization for Use of Military Force,” cited in many instances, because there has been no claim that Syria was involved in the 9/11 attacks. (Bush and then Obama both stretched this basis incredibly, and worryingly, far. But both took care to trace back to an authorization.)

It is not on the basis of an emergency use of force because the United States was directly threatened.

Which leaves us with, as the NY Times reports:

Mr. Trump authorized the strike with no congressional approval for the use of force, an assertion of presidential authority that contrasts sharply with the protracted deliberations over the use of force by his predecessor, Barack Obama. (“Dozens of U.S. Missiles Hit Air Base in Syria.”)

Or, as Donald Trump once said:

Trump-Syria.png

Seriously, what is the legal basis of this order?

Have we really arrived at a point where the President of the United States can simply order the military to strike anywhere, anytime, at his personal discretion?