Security

US Court Rules Passwords are Protected Because Testimonial

Leave a comment

There’s a part of a new decision that I keep re-rereading, just to make sure I read it right:

As a passcode is necessarily memorized, one cannot reveal a passcode without revealing the contents of one’s mind.

I mean that’s just not true. The old joke about people putting sticky-notes with passcodes on their monitor is because sometimes they are too hard to memorize. The reason NIST backed off complexity requirements and rotations is because passcodes turned out to be too hard to memorize and people were storing them unsafely.

We all recommend password managers and using unique passwords for every site, which is all too hard to memorize. The entire password market doesn’t believe passwords are necessarily memorized.

And then there’s the simple fact that passcode sharing often uses communication channels that rely on storage other than the human mind.

Also beyond being wrong that sentence seems unnecessary to the decision. If this case didn’t have a password written down, despite an accused saying he use one 64 characters long, then it becomes an exception. The fact remains passcodes very often are stored outside the human mind.

The rest of the decision is not terribly surprising

…the compelled production of the computer’s password demands the recall of the contents of Appellant’s mind, and the act of production carries with it the implied factual assertions that will be used to incriminate him. Thus, we hold that compelling Appellant to reveal a password to a computer is testimonial in nature.

Food, History, Security

Fullenkamp: We Use the Past to Better Understand our Present

Leave a comment

Trips to relive famous tactical events sounds in this podcast like something we could do a lot more of for information security.

…military historian Len Fullenkamp reflects on the importance of immersing oneself in the minds of strategic leaders facing dynamic and complex situations. One tool is the staff ride, an opportunity to walk a battlefield and understand the strategic perspective of the leaders…

I’ve walked countless battlefields and tried to relive the decisions of the time. One of the most unforgettable was a trench line perfectly preserved even to this day on a ridge that held off waves of attacks for several sleepless days.

On another long-gone battle ground I stumbled upon three live bullets that had been abandoned for decades, slowly rusting into the ground atop a lookout. I held them in my hand and stared across the dusty exposed road below for what seemed like hours.

Yet I rarely if ever have seen a similar opportunity in the field of security I practice most today. Has anyone developed a “staff ride” for some of the most notorious disasters in security leadership such as Equifax, Target, Facebook…? That seems useful.

In this podcast the speaker covers the disastrous Pickett’s charge by pro-slaveholder forces in America. After two-days investment the bumbling General Lee miscalculated and ordered thousands of men to their death in what he afterwards described plainly as “had I known…I would have tried something different”.

Fullenkamp then goes from this into a long exploration of risk management until he describes leadership training on how to make good decisions under pressure:

What is hard is making decisions in the absence of facts.

Who could be the Fullenkamp of information security, taking corporate groups to our battlefields for leadership training?

Also I have to point out Fullenkamp repeats some false history, as he strangely pulls in a tangent about how General Grant felt about alcohol. Such false claims about Grant have been widely discredited, yet it sounds like Fullenkamp is making poor decisions with an absence of facts.

Accusations of alcoholism were a smear and propaganda campaign, as historians today have been trying to explain. For example:

Grant never drank when it might imperil his army. […] Grant, in a letter to his wife, Julia, swore that at Shiloh, he was “sober as a deacon no matter what was said to the contrary.”

We know today what actually happened was a concerted group of white supremacist historians of a defeated pro-slavery war machine began a campaign to posthumously destroy the character of Grant, to undermine his widespread popularity and programs of civil rights.

After Grant’s death, exaggerated stories about his drinking became ingrained in American culture.

First, the truth of charges against Grant are related to America’s pre-Civil War political and military patronage system (corruption basically) being unkind to him. He succeeded in spite of them and he was living proof of someone using the past to better understand the present.

After extensive experience fighting in all major battles of the Mexican-American War he didn’t sit well being idle and under-utilized. He was introverted and critical of low performing peers. A superior officer in California used minor charges of alcohol as a means to exercise blunt authority over the brilliant Grant.

Second, it was KKK propaganda campaigns of prohibition that pushed the false idea that Grant’s dispute with his superior was some kind of wild and exaggerated issue relevant to prohibition.

In fact history tells us how pro-slavery Generals literally became so drunk during battles they disappeared and were useless, every single time they fought. The KKK projected those real alcoholic events from pro-slavery leadership onto Grant to obscure their own failed history and try to destroy his name.

Apparently it worked because it’s 2019 and far past time for people to stop repeating shallow KKK propaganda about America’s greatest General and one of the greatest Presidents.

Security

The 5 Computer Vision Classes of a Building After Disaster

Leave a comment

The US Department of Defense has issued a challenge for computer vision to correctly classify the state of a building after disasters:

Your model must predict an output PNG image with height and width of 1024 pixels, where each pixel value corresponds to the predicted class at that place in the input image:

0: no building
1: undamaged building
2: building with minor damage
3: building with major damage
4: destroyed building

This makes for very interesting games played at the superficial level with paint or loose objects.

For example could computer vision distinguish easily the sort of building under perpetual construction (as often is the case in developing nations) from one that has been damaged? Or in a similar vein, if buildings are maintained poorly in markets that lack readily available materials, what constitutes minor damage?

History, Security

Why Does Modern Tech Try to Route Freeways Through Neighborhood Streets?

Leave a comment

Since the introduction of new apps to help drivers find better routes, there’s been a persistent problem of freeways routing through neighborhood streets all over America, from NY to LA.

  • Jun 16, 2017 Slate: Suburbs Finally Figured Out a Way to Get Rid of Pesky Drivers on Waze Shortcuts
  • Dec 24, 2017 NYT: Navigation Apps Are Turning Quiet Neighborhoods Into Traffic Nightmares
  • Dec 26, 2017 NYMag: Waze Traffic Forces New Jersey Town to Shut Down Its Roads
  • Sep 20, 2018 WUSA9: Navigation apps flood neighborhood with traffic and VDOT proposes Beltway ramp shutdown
  • Aug 20, 2019 LAMag: Waze Hijacked L.A. in the Name of Convenience. Can Anyone Put the Genie Back in the Bottle?

I’ve spoken about this many times in my AI ethics presentations as a stupid flaw that should be easy to fix.

Meanwhile, news from Cloudflare is that the Internet is exhibiting the same flawed logic

Cloudflare traced the problem to a regional ISP in Pennsylvania that accidentally advertised to the rest of the internet that the best available routes to Cloudflare were through their small network. This caused a massive volume of global traffic to the ISP, which overwhelmed their limited capacity and so halted Cloudfare’s access to the rest of the internet. As Cloudflare remarked, it was the internet equivalent of routing an entire freeway through a neighbourhood street.

Funny thing, historically speaking, is that the Internet is based on transportation logistics. The first hackers were literally people who disobeyed road conventions and safety and went their own way for selfish reasons.

The answer for why a regional ISP in Pennsylvania wanted all the traffic to flow through their neighborhood is…still being discussed. Some speculate it was a test. Someone somewhere always is thinking about how to do Internet-scale attacks on confidentiality, integrity and/or availability.