net.wars: February 2013 Archives


February 22, 2013

Merchants of chaos

Somehow, I managed to miss the exploding tomato.

I think I understand it, though: there is a state of mind you get into when you have been battered relentlessly with unerring but false logic: if this, then this, then this other thing, then the next thing, and you see...you must admit this, and that means you were wrong all along. The floor slides away from you the way it does in the description Mrs Morton gave Berton Roueche of her bouts of labyrinthitis, a disease of the inner ear, and if you are not left alone the only way you can reassert the world as you know it is to bellow out the facts as you know them.

When you read the BBC Panorama journalist John Sweeney's new book about his time investigating Scientology for two Panorama episodes, one in 2007 and the other in 2010, The Church of Fear, you get the sense that this was his state of mind when he turned into - his term - the exploding tomato. This becomes clearer when you're shown the steps that led him there. Sweeney has apologized for his loss of control many times. Last night, speaking in East Grinstead, the town where Scientology has its UK headquarters, he gave us a small re-enactment. Up close, that was LOUD.

In an interview yesterday with The Register, Sweeney references a line I had forgotten, said to me in 1994 by former Scientologist Robert Vaughan Young to explain why he was glad he did not have to face the Internet during his time as a national spokesman for the Church of Scientology: "It's going to be to Scientology what Vietnam was to the US."

Eighteen years later, it seems clear he was right.

On Sweeney's 2010 Panorama, The Secrets of Scientology, the actor Larry Anderson explains that his 33 years in Scientology began to end when he decided to break with CoS policy to go online and see what critics said about it. What he found was the secret documents at the heart of the conflict described in my 1995 Wired piece, whose reverberations set the framework for the copyright-related notice and takedown rules still in effect today. These "OT III" materials outline the beliefs you only learn hundreds of thousands of dollars into the practice of Scientology: the story of Xenu.

The OT III - for Operating Thetan, level III - documents escaped total Scientology control when they became an exhibit in Lawrence Wollersheim's 1980 suit against the CoS for damages after leaving the organization. Then came the Internet, which for the first time allowed former and disaffected Scientologists to find each other and share their stories. In 1994, the "Operating Thetan" documents made their appearance on the Usenet newsgroup alt.religion.scientology. When their publication brought legal and law enforcement attacks, copies spread more and more widely. The CoS was about as successful in keeping them offline as the RIAA and MPAA: today, they're not only on Usenet and the Web but readily accessible on your favorite torrent site, and there are summaries on Wikipedia, About.com, and, well, everywhere.

In 1994, a former Scientologist called the CoS "bait and switch", arguing that if people realized they were joining a belief system involving billion-year-old space aliens they would never sign up. This was why the alt.religion.scientology dissidents were so intent on getting the "secret scriptures" out in public: break the CoS's rigid control over that information and you break an important element of the recruiting mechanism. In the 1970s, a campus recruiter could invite students to an introductory meeting confident that they would know very little about the organization. Today's students have found Scientology's history, controversies, and belief system on their phones before he's finished his opening sentence. If China can't entirely insulate its population from the Internet, what chance does Scientology have?

They can still try, and some will let them. In the video clip linked above, Sweeney says the CoS told him it discourages members from accessing outside media because they are "merchants of chaos". In his book, he quotes from celebrity interviews given him for his 2007 Panorama, Scientology and Me that he was not allowed to broadcast. (Later, the CoS included excerpts from those same interviews in its crossfire documentary, Panorama Exposed, enabling the BBC to use those bits in 2010.) In Sweeney's account of these interviews, Kirstie Alley describes herself as "a little bit stupid on the Internet" and says she doesn't use it; Leah Remini says, "I don't go on the Internet".

By this time, Scientology's innermost beliefs are probably better understood and better known by those *outside* the group than those inside it. Because: until you have reached (at considerable expense) the OT III stage of studying Scientology, the core of Scientology beliefs is not disclosed to you. The reason, Hubbard wrote in 1967, is that exposure to these powerful secrets without proper preparation will send you insane, then kill you. The blank stares of Scientologists you ask about Xenu may simply mean they really don't know yet.

"We'll just run the SPs [Suppressive Persons] right off the system. It will be quite simple," Elaine Siegel, then a member of the Office of Special Affairs International, wrote to Scientologists online in 1994. Famous last words.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


February 15, 2013

Frictional arithmetic

"Business models based on friction, as opposed to consumer value-add, will wither and die," Mark Hale, head of payments for KPMG, said at yesterday's Westminster eForum on digital payments. You can see his point: who now has the patience to stand in a long line waiting to pay? Waiting is friction. Answering questions is friction. Online, time-to-delivery is friction, which is why Amazon.com is trying so hard to shrink it.

Is cash friction? That's less clear. There are plenty of people - in the UK, most notably Consult Hyperion's Dave Birch - who will tell you that it is. The British Rail Consortium's policy lead, Richard Braham, on the other hand, pointed out that last year 58 percent of transactions were in cash. "We're more likely heading to the cardless society than the cashless society," he said.

That makes intuitive sense to me: for a quick getaway for small purchases it's hard to beat plunking down exact change. But just as the speed and lower risk of credit cards have abolished paper checks/cheques from in-person transactions, I can see where for many people the speed and convenience of tapping a mobile phone on a reader would kill off the business of carrying plastic credit cards.

We're a long way from there yet, however, and trying to predict the eventual outcome is about as sensible as trying to predict which media formats will die. In fact, if the history of media is any guide, most of today's forms of payment will survive in some shape, depending on their cultural context. For most Westerners, with our bank accounts and financial services, digital payments are a luxury; in Kenya they fill such an enormous market gap that M-Pesa has been a huge success and is changing the landscape.

Some support for Braham's position came from Matthew Hudson, the head of business development, fares and ticketing for Transport for London. When it launched Oyster cards in 2003, TfL had no idea it would become the largest contactless card issuer in the UK: 52 million cards issued to date. Oyster is just one step in a series intended to reduce costs. Ticketing started in the 1850s to eliminate the "massive" amounts of fraud involved in accepting cash directly. Recently, London buses began accepting payment via Barclaycard's contactless Wave. By November, anyone with a contactless payment card, native or foreign, will be able to use it throughout TfL's system; eventually, the system will effectively be back to directly accepting cash - albeit digital cash. What's likely ending is the Ticket Era. But Hudson is, he said bluntly, not remotely interested in mobile phone payments as long as consumers have no idea whom to call when the system fails (although he loves the Barclaycard plastic pay tag you can glue to the back of your phone). "Interoperability means nothing to consumers," he said.

It takes a large-scale operation to appreciate that point: uncertainty and confusion about who is responsible for which failures - do you call the mobile phone manufacturer, the mobile network operator, the handset manufacturer, the operating system vendor, the app publisher, or the company you're buying from? - are the app killers. Especially given today's situation with security; earlier in the week, Trustwave launched its 2013 report, which showed that the average length of time from intrusion to containment is 210 days. In 76 percent of the cases Trustwave investigated, organizations did not know they'd been hacked until an outsider told them - regulators, law enforcement, the public. Mobile phones are already targets for malware; so much more so when they are digital wallets.

Hudson's comments make it clear how fast players and methods are proliferating. It's what you expect from an immature industry: an explosion of experiments and options in which unexpected players emerge, usually followed by a shakeout leaving behind relatively few large, successful winners. Both the UK and the EU are thinking about this progression. In early February, the UK's Chancellor of the Exchequer, George Osborne, talked about opening up payment systems. Last year, an EU green paper on card, Internet, and mobile payments studied how to remove obstacles and provide effective governance for the new era. The framework for electronic money was created some years back.

Yet things are getting stranger than they may realize. What's a currency? We usually think of the government-backed, state-sponsored variety as the hard stuff. Yet Hudson sees Oyster cards as a "currency" people convert Sterling into. Frequent flyer miles and loyalty points are also obvious currencies, even if what you can buy with them is limited. But what about Amazon gift certificates? On his blog, Birch tells the story of his brief study of payment systems in use among online sex workers. Few take Paypal, which allows chargebacks and freezes accounts unpredictably if it suspects illegal activities. Most customers eschew credit cards as too tightly coupled to their real-world identities. But Amazon gift certificates: set up a new account with a different email address, charge it to a real credit card. Birch argues it provides a sufficient level of pseudonymity while still giving both sides the ability to trace the other in case of fraud. And it's a whole lot simpler than Bitcoin. In digital payments, complexity is friction.


February 8, 2013

Bug-a-boo

A few weeks ago, Matt Blaze, the head of the distributed systems lab at the University of Pennsylvania, and Susan Landau published an opinion piece in Wired arguing that the FBI needs hackers, not back doors. This week, they, with co-authors Steve Bellovin, a professor in computer science at Columbia University, and Sandy Clark, a graduate student in Blaze's lab, published Going Bright: Wiretapping without Weakening Communications Infrastructure, the paper making their arguments more formally.

The gist is straightforward enough: when you pass a law mandating the installation of back doors in communications equipment you create, of necessity, a hole. To you, that may be legal access for interception (wiretapping); to the rest of us it's a security vulnerability that can be exploited by criminals and trolls every bit as effectively as one of those unpatched zero-day bugs that keep getting in the news. Like yesterday's announcement that the Federal Reserve's systems had been hacked. So instead of creating new holes, why not simply develop the expertise and tools to exploit the ones that already exist and seem to be an endemic part of creating complex software?

Yeah, no, they're not joking. April isn't for some time yet.

A little more background. In 1994, the US passed the Communications Assistance for Law Enforcement Act (CALEA). It was promptly followed by legislation mandating lawful interception in Europe, Canada, and elsewhere. Since then, law enforcement in those countries has persistently tried to expand the range of services required to install such equipment. In the UK, the current government proposes the Communications Capabilities Development Programme (CCDP), which would install deep packet inspection (DPI) boxes on ISPs' networks so that all communications can be surveilled.

There are many, many problems with this approach. One is cost; fellow Open Rights Group advisory council member Alec Muffett has done a wonderful job of pointing that out for CCDP in particular. If, he writes, you require a whole lot of small and medium-sized companies to install a proprietary piece of hardware/software that perforce must be frequently updated, you have just given the vendors of these items "a license to print money".

The bigger problem, however, as Landau wrote in 2005 (PDF), is security. A hole is a hole; a burglar who finds an unlocked door isn't deterred by its having been intended solely for the use of the homeowner. The Internet is different, she argues, and the insecurities you create when you try to apply CALEA to modern telephony - digital, carried over the Internet as one among many flows of data packets rather than over a dedicated direct circuit connection - have far-reaching implications that include serious damage to national security.

Nothing since has invalidated that argument. If you'd like some technical details, here's Cisco describing how it works: as you'll see, the interception element creates two streams, sending one on unaltered and sending the other to the monitoring address. Privacy International's Eric King has exposed the international trade in legally mandated surveillance technologies. Finally, as Blaze, Landau, Clark, and Bellovin write here, recent years have turned up hard evidence that lawful intercept back doors have been exploited. The most famous case is the 2004 pre-Olympic incident in which more than 100 Greek government officials and other dignitaries had their cellphones tapped via software installed on the Vodafone Greece network. So their argument that this approach is dangerous is, I think, well-founded.

The FBI, like other law enforcement services, is complaining that its ability to intercept communications is "going dark". There are many possible responses to that, and many people, including these authors, have made them. Even if they can no longer intercept phone calls with a simple nudge to a guy in a control room at AT&T/BT, they have much, much more data accessible to them from all sorts of sources; surveillance has become endemic. And the decades of such complaints make it easy to be jaded about this: it was, 20 years ago, the government's argument why the use of strong cryptography had to be restricted. We know how that turned out: the need to enable electronic commerce won that particular day, and somehow civilization survived.

But if we accept that there is a genuine need for *some* amount of legal wiretapping as a legitimate investigative tool, then what? Hence this paper's suggestion that a less-worse alternative is to encourage the FBI and others to exploit the vulnerabilities that already exist in modern computer systems. Learn, in other words, to hack. Yes, over time those vulnerabilities will get closed up, but there will inevitably be new ones. Like cybercriminals, law enforcement will have to be adept at adapting to changing technology.

The authors admit there are many details to be worked out with respect to policy, limitations, and so on. It seems to me inevitable - because of the way incentives work on humans - that if we pursue this path there will come a point where law enforcement or the security services quietly pressure manufacturers not to fix certain bugs because they've become too useful. And then you start wondering: in this scenario do people like UCL's Brad Karp, whose mission is to design systems with smaller attack surfaces, become enemies of the state?




February 1, 2013

Pwned

There's no question that the story of the complex and persistent four-month attack by (probably) Chinese hackers on the IT systems at the New York Times is one of the best few stories of its genre since Clifford Stoll invented it with his 1989 book The Cuckoo's Egg. It's not just the fact of the attack, but the detailed and excellent reporting of it (by Nicole Perlroth). Most companies decline to tell the world what happened to them. The Times behaved like a good newspaper should, and acted in the public interest. Later, the Wall Street Journal confirmed that it, too, had seen its systems infiltrated. In both cases, the goal seems to have been to monitor the papers' coverage of China.

The result is that now we know a lot more about the inner workings of modern attacks on computer systems: highly motivated, layered, multi-faceted, stealthy, patient, persistent. As Charles Arthur outlines over at the Guardian, the hacking scene (with apologies to old-timers, using "hacking" to mean breaking into computers rather than inventing things that do what you want) these days is in layers, each with its own characteristics. Arthur calls them amateurs (in which category he includes Anonymous); commercial hackers (those who steal credit card details for financial gain); and government and military hackers. In tennis terms, amateurs are club players, commercial hackers are paid folks - coaches, trainers, racquet stringers, promoters, agents - and government and military hackers are the elite athletes of the top 100. Somewhere there's a Roger Federer of computer cracking that all the other guys wish they were as good as.

It's striking that, as the Times relates, in 2011 the US Chamber of Commerce thought it had shut down a breach, only to find months later that an Internet-connected thermostat and printer were still chatting away with computers in China. This prospect was, if you recall, the real point of the escapades that Columbia University's Ang Cui and Sal Stolfo showed off that same year. It was scary! dramatic! that they could embed malware in documents to make printers smoke, if not burst into actual flames. But their main point was that any Internet-connected device, even one using unique firmware its manufacturer believes is safely obscure, can be turned into a secret surveillance device. Things like printers and routers are especially effective listening posts, since they are necessarily open to everything on their network, and even a thin trickle of data is enough to send out bank account numbers - or user IDs and passwords for later use.

Think of that next time some manufacturer responds to a researcher demonstrating a new attack by saying that it's too far-fetched or something only an obsessive genius would think of. Nothing is too far-fetched if it can be shown to work, and "the other side" can afford to buy plenty of obsessive geniuses.

The story also has done a lot to highlight the limits of our ability to defend ourselves. It's no surprise, for example, that Symantec's anti-malware offerings failed to spot the attackers, and not just because the attacks used zero-day exploits that by definition have yet to appear in the wild. F-Secure's outspoken Mikko Hypponen was quite clear about this last June, when, he wrote bluntly in an opinion piece for Wired, "Consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets". The occasion was the discovery of the Flame malware and his admission that his company (and its competitors) had samples dating to 2010 (and even earlier); their automated reporting systems had simply never flagged them as something to investigate. The key points are that no system is 100 percent perfect (at least, if you want also to be able to do actual work on that computer), and that *of course* well-funded attackers test their malware, before deployment, against all of the leading anti-malware software to ensure it will get through. "We were out of our league," Hypponen concludes.

It is of course a cue for another round of stories asking yet again whether anti-virus software is over. I wrote one of these myself, in 2007. The answer is obviously no, and not just because, as vendors will tell you, anti-virus software has been evolving right alongside the malware it's intended to detect. Even if it hadn't you'd still need it to block all the same old stupid stuff that's been circulating for years.

The Times story also shows us how many more kinds of motivated attackers you may have than you think. The paper has simultaneously to protect its systems from defacement or disruption by amateurs; its database of customer credit cards and personal details from professional commercial hackers; and its reporters and their systems from targeted attacks by the elites employed by states and (perhaps soon) other very large organizations that seek to control what it says about them. Each of those groups has a different MO and also - and this is key - a different amount of patience. The amateur who wants to embarrass you will give up when his skills run out. The professional who can't quickly get at your credit card database moves on just as quickly to someone more easily attackable. The elite attacker who wants you, just you, and nobody else but you...is going to keep at it until he gets you.

