Category Archives: Security

Incident Debt Visualization

Interesting visualization chart from clarified networks.

…the horizontal axis represents time (the beginning of March in the left, the end of June in the right) and the vertical axis represents the count of new incidents that appeared to do something nasty at that point of time. One bar is about two days, one line through the vertical axis is about 1000 incidents. Now, when the animation starts going, you can see how unhandled incidents (red color) are detected and then turning into handled ones (grey). In the end we also show the cumulative amount of work still left at each point of time. Sort of “incident debt”, if you will.

The information conveyed looks more like a workflow queue for a service than a security illustration. What does it mean when an incident is “unhandled”? No response or no solution? Maybe that’s why they call it a “debt” — they’re representing service workloads for security but it could just as easily be any service ticket. It’s the basic difference between items completed and those still being worked on.

Also, each incident appears to have an equal value of debt, which seems unrealistic. Or maybe not all incidents are equal units. Hard to tell. Bouncing lines are a compelling animation but much more interesting would be workload relative to risk. Then workload relative to risk relative to source could be seen. In other words, where are the highest risk incidents and what percentage of resources (number of resources and length of time) do they consume (versus low risk incidents)?

SB 914 or leave your cell phone at home

When I was last in Rio de Janeiro, Brazil I had two cell phones. One I kept with me during the day and in safe areas. The other was a cheap old one with no data and no logs that I could use at night and in areas where I was uncertain about losing control of portable electronic devices that I carried. This was normal practice in Rio. Californians may find themselves facing a similar situation for different reasons.

The recent California Supreme Court decision on cell phone searches means a law enforcement officer can review all information on an electronic device as part of an arrest, including call logs and messages. It is now argued that warrantless search has been legalized in California — a cell phone can be searched without the need for criminal charges filed or to prove relevance to an arrest.

The California Supreme Court, in People v. [Gregory] Diaz, 51 Cal.4th 84 (2011), held that the information in these [portable electronic] devices may be subject to search incident to an arrest without a warrant or other judicial supervision.

An arrestee already could be searched by law enforcement under circumstances of officer safety and to protect evidence against destruction. However, contents of memory and disk, such as with cell phones, generally were not included in the search.

Prior to the California Supreme Court decision a warrantless search of electronics during an arrest was widely believed to be prohibited by state constitutional privacy protections in the public access “Shield Law” and in conflict with penal code 1524. Also, other state supreme courts (Ohio) have ruled specifically that cell phone searches require a warrant, while Federal law enforcement agencies follow a protocol that requires a warrant for cell phone searches.

Senate Bill 914 subsequently was introduced (updated July 1, 2011) in an attempt by the state legislature to clarify that portable electronic devices only can be accessed with a warrant, except in circumstances of an immediate threat to public safety or to an arresting officer.

It is the intent of the Legislature in enacting Section 1542.5 of the Penal Code to reject as a matter of California statutory law the rule under the Fourth Amendment to the United States Constitution announced by the California Supreme Court in People v. Diaz. The Legislature finds that once in the exclusive control of the police, cellular telephones do not ordinarily pose a threat to officer safety. The Legislature declares that concerns about destruction of evidence on a cellular telephone can ordinarily be addressed through simple evidence preservation methods and prompt application to a magistrate for a search warrant and, therefore, do not justify a blanket exception to the warrant requirement. Moreover, good forensic evidence practice supports the use of search warrants to obtain information contained in a cellular telephone seized incident to arrest. Except as otherwise stated in this section, it is not the intent of the Legislature to curtail law enforcement reliance on standard established exceptions to the warrant requirement.

SB 914 last week passed the Assembly Public Safety Committee with a 5-0 vote.

Nietzsche at DefCon19

Friedrich Nietzsche will be showing up in two presentations at DEFCON this year. Last month I offered a translation of his Aphorism 146 from Jenseits von Gut und Böse (1886):

He who fights with monsters must see to it that he does not thereby become a monster. And if you look for long into an abyss the abyss also looks into you.

Not everyone agrees on the translation, obviously. Here are the talk titles.

  • “Whoever Fights Monsters…” Confronting Aaron Barr, Anonymous, and Ourselves
  • Staring into the Abyss: The Dark Side of Crime-fighting, Security, and Professional Intelligence

The philosopher argued that it takes courage and strength to live authentically, to find a path to follow of one’s own choosing rather than follow the groups and organizations that offer an “escape”.

He exaggerated his case to make a point, but the point still seems to have survived. It will be interesting to see if the presenters try to reconcile his harsh critiques of patriotism and regulation, or even his critique of the environment in which they are presenting.

Automated Shoulder Surfing iPad Passwords

A PDF is available from thinkst with details on how to shoulder surf the iPad.

It points out that the keypad buttons glow when selected, defeating the mask of the password field. They have released an application to drive the risk home — a camera records the keys that glow.

Even better, they have referenced the movie Sneakers to point out that this is a simple and known threat. Kudos to them for not claiming any sophistication in their threat. It’s a simple and well-known attack and that is what makes it so annoyingly dangerous to use the Apple product.

This image about how to type a PIN should look very familiar.

Hide your keys

Back to the PDF, this section caught my eye:

We have long realised the danger of having passwords stolen through shoulder surfing attacks which is why it is truly rare to find an application that fails to mask the password on screen.
[…]

We take the fact that password masking is so ubiquitous as the obvious acknowledgement of shoulder surfing as a viable attack method.

Few people probably realize how lucky we are to have those passwords masked. When I worked on television and mobile authentication user interface security for many millions of devices, one of my toughest jobs was to convince the developers and product managers to hide passwords. They did not want to do it and they had some good reasons to resist.

I would always hear the argument that making it easier to see the password when typing on a small screen, a small keypad, a keypad on a big screen, using a joystick, etc. meant fewer support/helpdesk tickets. The cost was palpable.

Take one mobile interface, for example. I argued that the character entered should immediately be masked, just like the typical computer interface. The product manager responded with some user behavior data linked to cost — showing the character entered until the next character was entered reduced helpdesk calls related to passwords by more than 30%, with a cost per call said to be $10-15. That adds up quickly for tens of thousands of devices.

We ended up masking the character as soon as the next character was entered or after 1 second, whichever came first. That reduced the chance of exposure from shoulder surfing while still allowing us to force complex passwords. The only way I was going to get to constant masking was to reduce complexity (e.g. no uppercase, no symbols). Trade-offs and calculations of masking were hard, to say the least.
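To make the trade-off concrete, here is an added example (not code from the original post, from thinkst, or from any product mentioned) that models the three masking policies discussed above as a small state machine and measures how long plaintext stays on screen under each. The `PasswordField` class, the policy names, and the keystroke timings are all assumptions constructed for the illustration; the 1 second reveal window is the one described in the text.

```javascript
// Added example: a pure model of three password-masking policies for a
// small-screen keypad, so the plaintext exposure window of each policy can
// be compared without a real UI.
//
// Policies (names are assumptions for this example):
//   "immediate"  - every character masked as soon as it is entered
//   "until-next" - last character stays visible until the next one arrives
//   "hybrid"     - last character visible until the next one arrives OR
//                  revealMs elapses, whichever comes first (the compromise
//                  described in the text)
const MASK = "\u2022"; // bullet used as the mask glyph

class PasswordField {
  constructor(policy, revealMs = 1000) {
    if (!["immediate", "until-next", "hybrid"].includes(policy)) {
      throw new Error(`unknown policy: ${policy}`);
    }
    this.policy = policy;
    this.revealMs = revealMs;
    this.entries = []; // [{ ch, t }] in entry order; t is a ms timestamp
  }

  // Record a keystroke at time t (ms). Timestamps must not go backwards.
  enter(ch, t) {
    const last = this.entries[this.entries.length - 1];
    if (last && t < last.t) throw new Error("timestamps must be monotonic");
    this.entries.push({ ch, t });
  }

  // What the screen shows at time `now` (ms).
  render(now) {
    const n = this.entries.length;
    if (n === 0) return "";
    const last = this.entries[n - 1];
    let showLast;
    switch (this.policy) {
      case "immediate": showLast = false; break;
      case "until-next": showLast = true; break;
      case "hybrid": showLast = now - last.t < this.revealMs; break;
    }
    return MASK.repeat(n - 1) + (showLast ? last.ch : MASK);
  }

  // Total milliseconds during which any plaintext character was visible,
  // assuming the field is submitted (and cleared) at `submitAt`.
  exposureMs(submitAt) {
    let total = 0;
    for (let i = 0; i < this.entries.length; i++) {
      const start = this.entries[i].t;
      const next = i + 1 < this.entries.length ? this.entries[i + 1].t : submitAt;
      let end;
      switch (this.policy) {
        case "immediate": end = start; break;
        case "until-next": end = next; break;
        case "hybrid": end = Math.min(next, start + this.revealMs); break;
      }
      total += Math.max(0, end - start);
    }
    return total;
  }
}

// Constructed sample: a slow joystick-style entry of "Pa$5" with one long
// pause between the second and third characters (a hunt for the "$" key).
const SAMPLE_KEYS = [["P", 0], ["a", 400], ["$", 3000], ["5", 3300]];

// Run the same keystroke sequence through every policy and report what is on
// screen at submit time plus the cumulative exposure window.
function compareExposure(submitAt = 3500) {
  const out = {};
  for (const policy of ["immediate", "until-next", "hybrid"]) {
    const f = new PasswordField(policy);
    for (const [ch, t] of SAMPLE_KEYS) f.enter(ch, t);
    out[policy] = { display: f.render(submitAt), exposureMs: f.exposureMs(submitAt) };
  }
  return out;
}

console.log(compareExposure());
```

With the constructed timings, `until-next` leaves plaintext visible for the entire 3.5 second entry because the long pause keeps the `a` on screen, `immediate` exposes nothing, and the hybrid policy caps the pause at the 1 second window (1.9 seconds total). The exposure number is what to weigh against the helpdesk-call savings when choosing a policy.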

The threat models for mobile devices always led to shared spaces, especially transportation that forced closeness. Imagine sitting in the narrow seats of public transportation in Philadelphia or New York. Yes, I’ve even researched the space allocated between passengers. Did you know that San Francisco’s BART has the most space between passengers — anti-shoulder surfing or just wasted space? Airplanes and buses have the additional problem of rows facing the same direction but airplanes are especially bad because of the space between seats that allows for peering eyes to look through…

That is all for mobile devices that people carry with them. Giant televisions and projectors are another story entirely. Imagine inviting all your friends over to watch a movie. Then, just as you are about to start up NetFlix, you get a message from the Playstation network that it needs you to change your password (no fault of your own, it’s because they were hacked). So you sit in a big room with a big screen and slowly use a joystick to enter your password. The keys you select are illuminated on the screen for everyone to stare at and see. Do you ask everyone to come back in five minutes?

I actually wrote a solution to this problem and patented it but I still see consoles (e.g. NetFlix on Playstation) that illuminate your keystrokes and thereby display your actual password to everyone. Perhaps the thinkst story will generate more demand for use of the patented authentication mechanism. In brief, I proposed a token system that had a password for initial registration but a simplified identification system later for unique input devices like joysticks, phone keypads and touchscreens.

Imagine logging into the Playstation network by using a token and the joystick button sequence “XO^X->”, for example. If people can figure it out for easter eggs and cheats, I knew they could use it to login. I mean, why not set up your system for login with your RockBand Guitar? The point of the patent was to leverage the universal input capabilities of devices and tie it to a token created on a computer, rather than try to pound everything into being more like a keyboard.

The designers and product managers at Apple probably thought they were doing users a favor by illuminating keys pressed in order to simulate the feedback of a physical keyboard. And then the other product companies, while copying (should I say “embracing and extending”?) the Apple touch interface (Android/RIM), unfortunately also copied the illumination aspect of the keypad. It’s good that they masked the password but they should have thought more about the risk. Then again, I wouldn’t consider Apple product design suitable for an environment with any real risk. That’s not really what they’re designed for…

Ever notice that Apple’s iPad marketing campaign has them floating in some kind of utopian emptiness of just one superuser?

No perspective on who might be looking over your shoulder; no uncontrolled environments…you don’t see any messaging about product design from them related to real-world risks, especially not like this:

Tough

Full disclosure: I own a Panasonic Toughbook. It’s the best laptop I’ve ever owned. I’ve sold all my Apple products and don’t miss fixing them.