Archive for category Security Philosophy

Swine Flu Risk Analysis 2009

This is a little off-topic, but it has to do with risks.

WHO today upgraded the Swine Flu to a Phase 5 (out of 6) in terms of Pandemic risk.

Just to put things in perspective:

  1. Tuberculosis is a deadly infectious disease caused by mycobacteria. In a given year, ca 1.800.000 people DIE from it, and many many more catch it.
  2. The general influenza (the flu) that goes around the world takes ca 250.000 to 500.000 lives EVERY year.
  3. One million people die on the world’s roads in traffic accidents every year.
  4. It takes 20 seconds to read this article to this point. During this time 20 people died of starvation. In fact, 36.000.000 people die from starvation in a given year.

So far this Swine flu has killed fewer than ten people (confirmed).

Hello! Calm Down. Relax and enjoy life.

Swine flu is not a major threat for you. It is just business.

Edit: WHO has later upgraded the Swine Flu to a Phase 6 (out of 6) in terms of Pandemic risk. Help! ;)



Why the Pirate Bay verdict may be incorrect

Introduction

I have just finished reading the verdict today from the Pirate Bay trial that gave the defendants a year each in prison and 3 million euros in damages to pay for running the BitTorrent site the Pirate Bay in Sweden. It is a well-written verdict, and the arguments seem well-founded in the current Swedish law, barring the somewhat loose connection between the crime and some of the defendants.

I am not here to discuss the politics of file-sharing, but I found an interesting angle in the 107-page document that I think will be one of the future foci as the trial and the debate go on into other stages: The European Directive concerning electronic commerce.

Article 12

It is interesting to note that the court decides that the Pirate Bay is such a service for the “information society” that is covered by the 2000/31/EG directive. Wow – this must be great news for the Pirate Bay guys, since it is – as I see it – the only way that this verdict will be changed in the later stages in its totality (and not only for some of the defendants).

Here is a summary of the applicable legal text (full text here):

2000/31/EG directive Article 12 – “Mere conduit”

1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:

(a) does not initiate the transmission;

(b) does not select the receiver of the transmission; and

(c) does not select or modify the information contained in the transmission.

2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.

In essence the court argues that the article quoted above is not applicable, even though they see Pirate Bay as an information society service that is thereby covered by the directive. The reason is, according to the verdict, that:

The purpose of Pirate Bay’s services was e.g. to provide server space so that users could upload and store torrent-files on the web site. This storage means that Article 12 (in Swedish law paragraph 16) – that only covers services where some form of automatic and temporary storage (caching) takes place … is not applicable. (from the verdict)

Basically they argue that since the possibility to upload and store torrent-files is provided, another article is applicable. This other article does not give the Pirate Bay guys freedom from liability.

Why article 12 may be applicable

However, I can see some strong arguments that it is applicable, now that the court sees the Pirate Bay as a provider of services for the information society. Here is a first stab at a line of argument:

  1. The information that is uploaded is not the protected works, or any parts thereof, but pointers and references to places that may know where parts of that work may (or may not) be found.
  2. The BitTorrent technology is a communications protocol, where the torrent-files (that are uploaded to Pirate Bay) are a part of that communication.
  3. The role of the torrent file in BitTorrent communications is only to enable communication to take place between parties sharing files. Therefore, a torrent file should be viewed as information that has the “sole purpose of carrying out the transmission in the communication network”, in the directive.
  4. The directive seems to be written with communication between primarily two parties communicating for a given limited duration in time. However, the idea with BitTorrent is to enable many to communicate with many for a longer duration.
  5. This is where the court might get things wrong: The directive says that the provider should be without liability if 1) they only store information needed for the communication to take place (which is argued above), and 2) only store this information for a time needed for the “transmission to take place”, and 3) if this storage is “automatic, intermediate and transient”.
  6. Since the BitTorrent transmission, as per definition by the communications protocol, takes place potentially unlimited in time and between many parties, it must be concluded that an operator or provider of such a service must store the torrent-files indefinitely, or at least longer than what the court labels “temporary”.
  7. The directive does not give a limit in the length of time the information can be stored – it only says it can be stored for a “reasonable time to complete the transmission”.
  8. The court’s argument is that the storing of torrent files is not “automatic and temporary”, and that’s why the Pirate Bay guys are still liable.
  9. And here is the end of my argument: The directive specifies further what it means by “automatic, intermediate and transient storage of the information transmitted” by adding “in so far as [the storing] takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission”.
  10. From the perspective of Pirate Bay as a provider, the uploading of the torrent files by users to enable communication between parties is “automatic, intermediate and transient”: automatic insofar as users’ torrent clients create the torrent files and upload them to Pirate Bay to enable communication, and the files are an integrated and inseparable part of the communications protocol; intermediate in that they are only there to broker the communications; and transient insofar as they only need to exist as long as the transmission takes place (which might be indefinitely).
  11. Therefore, since the purpose of the information in the torrent files is to enable communication between parties, and since they are stored at the Pirate Bay only for the purpose of carrying out the transmission, and only during the time that is reasonably necessary for the transmission, article 12 is applicable.

I am sure that Swedish and European copyright laws can be changed for the better. But as long as we have the laws we have, all should strive to adhere to them. It is not totally clear to me that the guys behind Pirate Bay have committed any crimes (at all), but we know that many users of their service have done so. This post does not argue that stealing other parties’ intellectual property is a good thing, or that Pirate Bay is a good (or a bad) thing.

In conclusion, I think the court was a little too quick to dismiss the idea of the directive’s article 12 that the provider is without liability in certain circumstances, since these circumstances seem to be fulfilled. Especially since the court writes that they see the Pirate Bay as covered by the directive in itself. I am surprised that no old media has discussed this, since it is also at the heart of the question: Is the Internet still legal after this?



A New World To Secure

This article describes briefly how information security will be affected by the coming changes with regard to how we interact with information and communication systems.

We have recently witnessed how virtualization of servers and clients has transformed how we think about information processing. Today, we all understand that the information we see on our computer screen can reside anywhere in the world. The application and software we use can be somewhere else. Nevertheless, we use it here and now. Call it Cyberspace, virtualization or the Cloud – most of us use it every day.

What has happened? Information processing has been totally released from its boundaries in terms of geographical location. The only limit is the bandwidth used to transfer the information from the place of processing to where we are for the moment. Since the bandwidth capacity available to us continues to increase really fast, we can almost discount that as a limitation in the near future.

But we are still not “free”. There is something that limits the use of information and communication technologies today. That is the interface we have to the information. We continue to carry around small mobiles and laptops. We continue to read small screens and punch in text messages in small keyboards. All this to simulate the “limitless” mobile life. But we are not there yet.

The way we interface with information and communication systems is about to change. This, I think, will be the next big communication revolution.

Pretend for a moment that you had access to the same Internet-based services and your software on your computer and mobile without having to carry them around. You could interface with these services and control them using your voice, gestures, or even thoughts. No keyboard needed.

But not only that; there would be no screen to look at. The screen will be replaced with small gateways, or we can call them translators, between the systems and you. You might perceive the services by hearing the results of a command, or seeing the results as if they were projected as superimposed images in your sight, in what you see right now.

What will enable this radical change is again that technology has made it possible. Speech recognition and facial recognition are developing fast, as is speech synthesis. Screen and projection technologies are also developing at a rapid pace, as are wireless network connections.

Take a small wireless netbook – this gives you a great feeling of freedom today. Well, tomorrow you will not need to punch in the commands at the keyboard – you will just say them, show them, or (later) think them. You will not need to look at the screen to see the answer – just listen, or just watch the information you asked for projected in your own sight – right there in front of you.

Implications for security

All these developments give rise to important information security implications:

  1. Protect objects (information and services) as close to the source as possible, since they will be everywhere. E.g. encrypt your information before you send it to the cloud or out in space.
  2. Decide on access rights for subjects (people or processes) as close to the subject as possible, since both objects and subjects will not be bound by time or space. E.g. use biometrics to ensure that the person accessing the information or service is the person expected.
  3. Lars Söderlund at Alliansor: The move towards thinner clients, with decreased storage and processing power at the client side, will increase the importance of availability of network connectivity as a part of information security.
  4. Your ideas here….

Please help develop these ideas by commenting on this article. I will update the article using your comments.



Voting System Security – Eurovision Song Contest

Introduction

My daughters, 6 and 8 years old, are very interested in the Eurovision Song Contest, which is a huge thing in Sweden. The Swedish final yesterday had close to 3.5 million viewers, which means that ca 40% of the Swedish population were watching.

My daughters, smart as they are, asked me about the voting system security. This is their first “democratic” election, so it is very important to them that their votes count and that there is no foul play. Maybe we should care about this, even though it is only a TV show? For many young people of Europe, this is the first election they participate in. What would happen to their view on democratic elections if they could not trust the outcome of this very first one for them? Since I am working with securing general parliament elections, I thought I would give this some thought too. Here is what I found:

The rules

The rules for Eurovision Song Contest are posted here. However, the rules regarding the televoting are partly removed in this version. Hungary published the whole text here. Rules in summary:

  • You can’t vote for your own country.
  • Voting is via SMS text messages or telephone and shall be counted during a fixed time period.
  • Scores of the songs in the Grand final shall be calculated on the basis of both the results of the televoting and the results of juries appointed.
  • There is a backup routine where the Executive Supervisor of the European Broadcasting Union can decide during the final that no votes should be counted, and that only the jury’s votes will decide the winner.
  • “Each Participating Broadcaster shall do its utmost to prevent fraudulent voting in the Shows. It shall give full access to any EBU international monitors who may be sent to oversee all aspects of the televoting procedure, on any territory, with no notice given. The EBU and the Reference Group shall rule on the sanctions to be imposed on a broadcaster found to have participated, either actively or complicity, in any voting fraud”.

What the rules do not say

The official rules posted do not say what constitutes fraudulent voting. Since everyone can vote several times, 10 votes would probably not be considered fraudulent. 100 votes from me for my sister, if she were to participate, would probably not be considered fraudulent. But would 1.000 votes? 10.000? 100.000? 1.000.000? There is said to be a technical limit of 20 votes per “telephone number”. But today, having many phone numbers is not like it used to be. You can have thousands of numbers tied to one single subscription for a very low cost (in this example 100 Swedish numbers for 290 euros), or you can fake your CallerID using several different methods. You can come from anywhere on the Internet you choose, from whatever IP-number. It is VERY difficult to create a secure voting system in this environment.

The artists are like athletes. They are there to win. They have record companies behind them, and a team that is working with their act, their marketing, and everything they possibly can do to win. Winning depends on the televoting. Given these circumstances, it is only natural if each team gives the voting system and the rules some thought. This is a game. The winner will of course know the rules inside out and play the game as well as possible within the rules. The problem is that “fraudulent voting” is not defined for the voters, and we decide the televoting!

Ways to manipulate the voting system

You can manipulate the voting system without breaking any of the officially posted rules. Morally, this would be wrong. But legally, it would be perfectly ok. Without going into any technical details, here’s how:

  1. Take an ordinary Laptop computer.
  2. Register for a telephone line from an Internet telephony (VOIP) provider with several phone numbers (low cost) for outgoing calls in the country where you want to vote (you need n=x/20 numbers, where n=numbers, and x=the number of votes you want to generate).
  3. Remember: smaller countries with less interest in the song contest and lower voting fees will be less costly to win.
  4. Download Trixbox or any other free telephone exchange and automation suite. Make sure Trixbox registers as your SIP-client (as your telephone) with the Internet telephone provider (you have to get the password from the provider).
  5. Get the numbers for your artist from the web sites of the song contest (published the day before).
  6. Use the functionality in trixbox to dial 100 or 1000 parallel voting calls until you have reached the number of votes you need to win in that country (check the official results from last year to find out how many you might need).
  7. Make sure that calls are made from different numbers, maximum 20 votes per number.
  8. Do this for each of the countries you want to win in (No need to go to Ukraine to get a phone number there to call from – you can sign up in your own country for any country).
  9. For countries with SMS text voting: get many anonymous pre-paid mobile SIM cards from the different countries you want to win (often without any starting fee).
  10. Connect these to a computer (you will need multiple SIM card readers) and start to fire away SMSs using an SMS application where you can set the message, recipient, and the number of times it should be sent.

In short, as a voting system – there is very little security. Just get over it. Eurovision Song Contest can be won by the highest bidder this time. You can “buy” the country you want to win. And as far as I can see this is according to the rules. The broadcasters even tell you straight out to vote as much as you can for your artist. However, the technical limit of maximum 20 votes per voter can make it quite expensive.

As an example, the difference in votes separating the artists Caroline af Ugglas (second place, 318.952) and Malena Ernman (winner, 322.657 votes) in the Swedish final for 2009 was 3.705 votes. Caroline could have won instead of Malena using just an ordinary laptop with Trixbox for a total voting cost of roughly 1500 euros, a cost for phone numbers of 537 euros (3705/20 * 2,9 euros) and some preparation time.

Can fraudulent voting be detected?

Yes, it is possible through logs that exist in the pan-European Televoting Platform operated by Digame Mobile. However, since the voting is spread out in different countries and on different networks and then aggregated, it makes the auditing quite technically complex. For this year’s national competitions, both Spain and Portugal removed thousands of fraudulent votes afterwards. But where is the driving force to talk about voting problems in the Grand Final? None.

For a televoting fraud like this to succeed, the fraudsters would have to find a way around the 20 votes per number limit. This could be done through buying many numbers (as in the example above), getting temporary access to a (small) telephone operator’s unused number series, or by faking the voter identity in such a way that the pan-European Televoting Platform believes that it is indeed a different voter (fake IP-numbers through proxies if needed and fake CallerID through a service or using the IAX protocol, or whatever else that works).

Another method to attract less attention is to make the thousands of calls at irregular intervals (we are talking milliseconds here), so that an automatic detection system does not kick in because it recognizes that these are not regular calls or messages.
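One way an auditor could run such a check over the platform's vote logs, as an added example that is not from the original post or from the televoting operator: it enforces the 20-votes-per-number cap and then holds for review any number series in which many numbers vote almost entirely for one entry, a signal that does not depend on call timing. The log format, the phone numbers, the entries A/B/C and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

VOTE_CAP = 20       # per-number limit mentioned in the post
BLOCK_DIGITS = 2    # assumption: a 100-number series shares all but its last 2 digits
MIN_NUMBERS = 10    # assumption: active numbers in one series before it is reviewed
MIN_SHARE = 0.9     # assumption: share of a series' votes going to a single entry


def audit(votes):
    """votes: iterable of (caller_number, entry).
    Returns (rejected, flagged, tally, clean_tally)."""
    per_number, accepted, rejected = Counter(), [], 0
    for number, entry in votes:
        if per_number[number] < VOTE_CAP:
            per_number[number] += 1
            accepted.append((number, entry))
        else:
            rejected += 1                      # over the cap: never counted

    series = defaultdict(Counter)              # series prefix -> votes per entry
    members = defaultdict(set)                 # series prefix -> distinct numbers seen
    for number, entry in accepted:
        prefix = number[:-BLOCK_DIGITS]
        series[prefix][entry] += 1
        members[prefix].add(number)

    flagged = {}
    for prefix, by_entry in series.items():
        entry, top = by_entry.most_common(1)[0]
        total = sum(by_entry.values())
        if len(members[prefix]) >= MIN_NUMBERS and top / total >= MIN_SHARE:
            flagged[prefix] = {"numbers": len(members[prefix]),
                               "votes": total, "entry": entry}

    tally = Counter(entry for _, entry in accepted)
    clean = Counter(e for n, e in accepted if n[:-BLOCK_DIGITS] not in flagged)
    return rejected, flagged, tally, clean


def sample_votes():
    """Constructed log: scattered callers, one keen fan, one fully used series."""
    votes = []
    for i in range(200):                       # 200 callers, each in a different series
        number = f"+001{i:04d}{i * 37 % 100:02d}"
        votes += [(number, "ABC"[i % 3])] * (1 + i % 3)
    votes += [("+001999999", "B")] * 25        # one number trying 25 votes
    for k in range(100):                       # 100 consecutive numbers, 20 votes each
        votes += [(f"+0015000{k:02d}", "A")] * VOTE_CAP
    return votes


if __name__ == "__main__":
    rejected, flagged, tally, clean = audit(sample_votes())
    print("rejected over cap:", rejected)
    print("series held for review:", flagged)
    print("tally as counted:", dict(tally))
    print("tally without held series:", dict(clean))
```

On the constructed log the held series changes the winner, which is why the audit reports both tallies rather than silently dropping votes.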

Televoting future

If a major televoting scam is seen, then this might be the end of televoting for the song contest. Maybe this is good.

So what shall I tell my daughters now? I will have to explain to them that this election might be rigged and bought, but the election to the parliament is secure. Yes, that is what I will say. Democracy works, but only when it really needs to.


