XSS Cookbook

Busy day. I already have a half dozen things to post, but in the interest of time and brevity I just wanted to mention a guide to cross site scripting attacks. This kind of article, subtitled “Three Ingredients for a Successful Hack”, reminds me of the controversy over the Anarchist Cookbook but updated for the digital age:

Cross site scripting (XSS) errors are generally considered nothing more than a nuisance — most people do not realize the inherent danger these types of bugs create. In this article Seth Fogie looks at a real life XSS attack and how it was used to bypass the authentication scheme of an online web application, leading to “shell” access to the web server.

Great. Now back to helping people find and quickly remove XSS vulnerabilities…

Encryption and the road to hell

This morning’s BBC report has brought to light the ongoing debate over how to enforce the UK Regulation of Investigatory Powers (RIP) Act from 2000.

Part III of RIPA gives law enforcement agencies the decryption powers and, provided some conditions are met, makes it a serious offence to refuse to turn scrambled files into an “intelligible” form. Those refusing could see their sentence increased as a result.

The government is holding a consultation exercise on the code of conduct that those using these powers will have to abide by.

The code was debated at a public meeting organised by digital rights group the Foundation for Information Policy Research (FIPR).

This debate seems to start from the age old issue of whether people are required to incriminate themselves when police are unable to find evidence against them. This situation, however, is slightly more complicated because encryption keys are so easily hidden and/or destroyed. Moreover, encryption is so frustratingly easy for law enforcement to find precisely because it can be so difficult for them to decipher. In theory you can leave encrypted files lying about without fear of them being used as evidence against you, unlike a smoking gun or a bloody knife, so to speak.

So, just at the time when encryption is really starting to be adopted on the personal computer, the police are demanding either special privileges such as a back-door or the right to inflict severe penalties on anyone refusing to decrypt data on demand. It is interesting to read that the US government seems to be moving ahead (“VA to spend $3.7M on encryption tools”), since the adopters must be curiously watching the UK to see what kind of liabilities they could bring upon themselves. They spend money trying to avoid liability, and could just end up with a different set (e.g. will internal investigators be able to access VA data without alerting suspects or demanding decryption?).

Mr Bowden [former head of FIPR] also questioned the wisdom of making it an offence to refuse to unscramble evidence. He said there were many scenarios that made it possible for a suspect to deny they ever had the key that unlocked encrypted data.

Already, he said, there had been one court case in which a suspect was acquitted after claiming a computer virus under someone else’s control had caused the offences for which he faced trial. Mr Bowden speculated that other suspects could use the same tactic or would fake a virus infection to get themselves off the hook.

There is certainly no silver bullet here so it is good to see the debate taking place. Unfortunately finding common ground is complicated by a lack of experience and examples to help everyone find an appropriate balance.

Key management systems and encryption that I have deployed have always encountered resistance primarily from those who are the least familiar with what they can and will do for them. I usually tell people that encryption, like other tools, is a double-edged sword that needs careful guidance and legislation/policy to help ensure proper use and to prevent misuse. Many people feel strongly about these issues, and so it is important to review the possibilities early to avoid unpleasant surprises. Or as Lord Phillips of Sudbury put it:

“You do not secure the liberty of our country and value of our democracy by undermining them,” he said. “That’s the road to hell.”

The Battle for Control of Schools

Lawrence M. Krauss, professor of physics and astronomy at Case Western Reserve University, has an interesting essay in the NYT about the changing landscape in the battle between creationists and schools:

With their changing political tactics, creationists are an excellent example of evolution at work. Creation science evolved into intelligent design, which morphed into “teaching the controversy,” and after its recent court loss in Dover, Pa., and political defeats in Ohio and Kansas, it will no doubt change again. The most recent campaign slogan I have heard is “creative evolution.”

But perhaps more worrisome than a political movement against science is plain old ignorance. The people determining the curriculum of our children in many states remain scientifically illiterate. And Kansas is a good case in point.

[…]

As we continue to work to improve the abysmal state of science education in our schools, we will continue to battle those who feel that knowledge is a threat to faith.

But when we win minor skirmishes, as we did in Kansas, we must remember that the issue is far deeper than this. We must hold our elected school officials to certain basic standards of knowledge about the world. The battle is not against faith, but against ignorance.

That’s what people do when they see a tourist attraction

Correction, that’s what people used to do. It’s ok to look, just don’t record images as it might be interpreted as intent to cause harm. Information has literally become power. The Register has the scoop:

The FBI said Monday that it had no information to indicate that the men in custody had any ties to terrorist organisations, the Associated Press reports. Nevertheless, the local police and prosecutors seem persuaded that they’ve foiled a dastardly plot, and appear prepared, for now, to go through with the prosecutions.

Additionally, photos of the five-mile long Mackinac Bridge were found in a digital camera belonging to one of the suspects, prompting local authorities to imagine it was a target.

A lawyer defending the men told the AP that the photos were tourist snapshots taken while the men were stuck in traffic. “That’s what people do when they see a tourist attraction: they take pictures,” the wire service quotes him as saying.