Lessons from Wannacrypt and its cousins

Now that the dust has settled a bit, we can look at the Wannacrypt ransomware, and the other malware  that are exploiting the same vulnerability, more objectively.

First, the reason that this attack vector existed is because Microsoft, a long time ago, made a mistake in a file sharing protocol. It was (apparently) exploited by the NSA, and then by others with less good intentions, but the vulnerability is all down to Microsoft.

There are three pools of vulnerable computers that played a role in spreading the Wannacrypt worm, as well as falling victim to it.

1. Enterprise computers which were not being updated in a timely way because it was too complicated to maintain all of their other software systems at the same time. When Microsoft issues a patch, bad actors immediately try to reverse engineer it to work out what vulnerability it addresses. The last time I heard someone from Microsoft Security talk about this, they estimated it took about 3 days for this to happen. If you hadn’t updated in that time, you were vulnerable to an attack that the patch would have prevented. Many businesses evaluated the risk of updating in a timely way as greater than the risk of disruption because of an interaction of the patch with their running systems — but they may now have to re-evaluate that calculus!
2. Computers running XP for perfectly rational reasons. Microsoft stopped supporting XP because they wanted people to buy new versions of their operating system (and often new hardware to be able to run it), but there are many, many people in the world for whom a computer running XP was a perfectly serviceable product, and who will continue to run it as long as their hardware keeps working. The software industry continues to get away with failing to warrant their products as fit for purpose, but it wouldn’t work in other industries. Imagine the discovery that the locks on a car stopped working after 5 years — could a manufacturer get away with claiming that the car was no longer supported? (Microsoft did, in this instance, release a patch for XP, but well after the fact.)
3. Computers running unregistered versions of Microsoft operating systems (which therefore do not get updates). Here Microsoft is culpable for an opposite reason. People can run an unregistered version for years and years, provided they’re willing to re-install it periodically. It’s technically possible to prevent (or make much more difficult) this kind of serial illegality.

The analogy is with public health. When there’s a large pool of unvaccinated people, the risk to everyone increases. Microsoft’s business decisions make the pool of ‘unvaccinated’ computers much larger than it needs to be. And while this pool is out there, there will always be bad actors who can find a use for the computers it contains.

Advertisements

Advances in Social Network Analysis and Mining Conference — Sydney

This conference will be in Sydney in 2017, from 31st July to 3rd August.

http://asonam.cpsc.ucalgary.ca/2017/

As well as the main conference, there is also a workshop, FOSINT: Foundations of Open Source Intelligence, which may be of even more direct interest for readers of this blog.

Also I will be giving a tutorial on Adversarial Analytics as part of the conference.

Even more security theatre

I happened to visit a consulate to do some routine paperwork. Here’s the security process I encountered:

1. Get identity checked from passport, details entered (laboriously) into online system.
2. Cell phone locked away.
3. Wanded by metal detection wand.
4. Sent by secure elevator to another floor, to a waiting room with staff behind bullet-proof glass.

Here’s the thing: I got to carry my (unexamined) backpack with me through the whole process!

And what’s the threat from a cell phone in this context? Embarrassing pictures of the five year old posters on the wall of the waiting room?

I understand that government departments have difficulty separating serious from trivial risks, because if anything happened they would be blamed, regardless of how low-probability the risk was. But there’s no political reason not to make whatever precautions you decide to take actually helpful to reduce the perceived risks.

“But I don’t have anything to hide” Part III

I haven’t been able to verify it, but Marc Goodman mentions (in an interview with Tim Ferriss) that the Mumbai terrorists searched the online records of hostages when they were deciding who to kill. Another reason not to be profligate about what you post on social media.

Public vs Private/Metadata vs Data/Modelled vs Unmodelled

Governments, intelligence organizations, and law enforcement have traditionally made a distinction between collecting data about what I do in public spaces, and what I do in private spaces. These were originally conceptualized in geographical terms: on the street (public) vs inside my house (private). Even in these terms, issues quickly arise: what about what I am doing in front of a window? What if there is a CCTV camera that points at the space outside my house, but also happens to capture a view into the house? Is the fact that the snow has melted on my roof but not my neighbors grounds for a search warrant?

The beginning of electronic communication changed the venue, but didn’t change the framing of the boundary between public and private: the content of a communication is typically considered to be private, but its envelope, how and when it was sent and to whom, is typically considered to be public. Enter the distinction between data (the contents) and metadata (the envelope).

Note in passing that the multinational internet organizations did not, and do not, acknowledge the existence of any boundary between public and private. Their avowed intent is to collect and organize all the world’s information. And, by and large, people have been willing not only to permit this, but to actively help. (It’s not clear to me how much of this should be attributed to ignorance and how much to foolhardiness.)

What’s changed in the past (say) decade is a growing public awareness of how much metadata about them there is, and how easily it is collected and stored in today’s world. However, in my view, to frame the problem as one of data is to get into a muddle.

The conventional view of privacy is that it’s about information flow: who is allowed to collect and retain my information. Privacy advocates, therefore, want to put barriers in the way of collecting “personal information”. But what is “personal information” and how does it fit into the data/metadata distinction? Much of the discussion today jumps off from the realization that some metadata can naturally be considered personal information. So the proposed solutions are all about limiting information collection practices, and preserving the integrity of data once collected. However, this attack on the problem doesn’t provide a rationale for which data should be treated as personal; and the rationale needs to be widely agreed and self-evidently sensible if it is to affect government choices, and the wider discussion of the balance between security and privacy.

It is more helpful to consider privacy not as a scalar property that I either have none of, some of , or lots of, but rather as a property of a relationship. A has privacy with respect to B is B is unable to build a useful model of A. “Unable” might mean “physically unable”, but it might also mean “legally unable”.

So I might have little privacy with respect to my spouse, and to Google, and to foreign governments; more with respect to my work colleagues; and even more with respect to the Canadian (and other Five Eyes) government. (Yes, that really is the order.)

This definition reveals aspects of privacy that information containment definitions cannot. Yes, if B cannot gather information about me, then B cannot model me usefully, so my definition subsumes existing ones.

But B also cannot build a useful model of me if B lacks the algorithmic and computational resources to actually do the modelling. This was the basis of practical privacy even as recently as 30 years ago — if you wanted to build a decent model of someone you either had to live with them, or you had to physically travel around to various information sources gathering small pieces of information at each one. It was at least partially feasible to model a single individual, but it didn’t scale. (This, of course, is how it was possible to insert agents into other countries under deep cover, a practice that is much, much difficult today than it was during the Cold War.)

B also cannot build a useful model of me if the data about me is massively contradictory. So one approach to preserving my privacy, which does not jump out from conventional information flow views, is to increase the flow of information about me that is available in the real world, but make sure that the vast majority is untrue. Of course, this would be a tedious process if it had to be done manually, but the availability of computation helps individuals as well as modellers. To take a simple example, it would not be hard to create multiple email addresses and have your mail client randomly choose which one to use to send each outgoing message. It wouldn’t be too hard to aggregate this information and still build a model, but it’s a start. Now imagine that your mailer generates multiple versions of each email you send with the contents subtly changed (this is within the state of the art — see the Frankenstein malware) and sent to multiple similar receivers, only one of which is real. The problem of finding out who said what to whom becomes much more difficult very quickly.

People need to be able to operate, at least some of the time, in private: businesses making pricing decisions, inventors creating intellectual property, governments building budgets. It seems to me that there are only really two alternatives for the near future:

1. Build enclaves within the present communication/computation infrastructure that are much harder to penetrate, but for which the true costs are paid (i.e. without the ad subsides that provide much of our “free” infrastructure today). This would require the infrastructure providers to assume liability and charge accordingly. It’s not clear this is doable, but it might be.
2. Learn to do private activities  “out in the open” using techniques such as fake replicants, since it is much easier for an insider to identify the genuine one than it is for an outsider (at least within limited time frames).

In the shorter term, the discourse on privacy would make more sense if we expand the discussion from information flow management to the bigger issue of modelling.

Government signals intelligence versus multinationals

In all of the discussion about the extent to which the U.S. NSA is collecting and analyzing data, the role of the private sector in similar analysis has been strangely neglected.

Observe, first, that all of the organizations that were asked to provide data to the NSA did not have to do anything special to do so. Verizon, the proximate example, was required to provide, for every phone call, the originating and destination numbers, the time, the duration, and the cell tower(s) involved for mobile calls — and all of this information was already collected. Why would they collect it, if not to have it available for their own analysis? It isn’t for billing — part of the push to envelope pricing plans was to save the costs of producing detailed bills, for which the cost was often greater than the cost of completing the call itself.

Second, government signals intelligence is constrained in the kind of data they are permitted to collect: traffic analysis (metadata) for everyone, but content only for foreign nationals and those specifically permitted by warrants for cause. Multinationals, on the other hand, can collect content for everyone. If you have a gmail account (I don’t), then Google not only sees all of your email traffic, but also sees and analyzes the content of every email you send and receive. If you send an email to someone with a gmail account, the content of that email is also analyzed. Of course, Google is only one of the players; many other companies have access to emails, other online communications (IM, Skype), and search histories, including which link(s) in the search results you actually follow.

A common response to these differences is something like “Well,  I trust large multinationals, but I don’t trust my government”. I don’t really understand this argument; multinationals are driven primarily (?only) by the need for profits. Even when they say that they will behave well, they are unable to carry out this promise. A public company cannot refrain from taking actions that will produce greater profits, since its interests are the interests of its shareholders. And, however well meaning, when a company is headed for bankruptcy and one of its valuable assets is data and models about millions of people, it’s naive to believe that the value of that asset won’t be realized.

Another popular response is “Well, governments have the power of arrest, while the effect of multinational is limited to the commercial sphere”. That’s true, but in Western democracies at least it’s hard for governments to exert their power without inviting scrutiny from the judicial system. At least there are checks and balances. If a multinational decides to exert its power, there is much less transparency and almost no mechanism for redress. For example, a search engine company can downweight my web site in results (this has already been done) and drive me out of business; an email company can lose all of my emails or pass their content to my competitors. I don’t lose my life or my freedom, but I could lose my livelihood.

A third popular response is “Well, multinationals are building models of me so that they can sell me things that are better aligned with my interests”. This is, at best, a half-truth. The reason they want a model of you is so that they can try and sell you things you might be persuaded to buy, not things that that you should or want to buy. In other words, the purpose of targeted advertising is at least to get you to buy more than you otherwise would, and to buy the highest profit margin version of things you might actually want to buy. Your interests and the interests of advertisers are only partially aligned, even when they have built a completely accurate model of you.

Sophisticated modelling from data has its risks, and we’re still struggling to understand the tradeoffs between power and consequences and between cost and effectiveness. But, at this moment, the risks seem to me to be greatest from multinational data analysis than from government data analysis.

Language learning as a model of radicalisation

The Canadian Prime Minister said today, in response to the arrests for the planned Via Rail attacks, and perhaps to the Boston Marathon bombings as well, that these are not a reason to “commit sociology”. I think he’s exactly right. As I said in the previous post, I’m dubious that levels of dissatisfaction with societies, or even with religions, play a major role in radicalisation — it’s a much more individual-specific process. This is why only a tiny fraction of people in exactly the same social, religious, and even family setting become radicalised.

I’m also deeply skeptical that anyone becomes radicalised via the Internet. Our survey results indicated that variations in access to the Internet, or to mass media channels that have a frankly jihadist orientation have no correlation with attitudes on radicalisation-relevant subjects or dissatisfaction of any kind. I’m convinced that it always takes contact with a person, perhaps only one and perhaps only once, for radicalisation to happen.

Here’s where the analogy with language learning comes in. I learned French (in Australia) the same way I learned Latin (declensions, conjugations, agreement). I read French well and could speak it after a fashion. But the first time I heard French radio and then met people who actually spoke French, there was a kind of click in my brain and something changed about the way I used and learned French. I don’t think this is just autobiography; as I mentioned in the last post, learning languages via TV programs doesn’t work nearly as well as you might expect it to.

I’m fairly convinced something similar happens with radicalisation. An individual can watch the videos, talk the talk, fantasise the actions, but unless/until they make contact with someone who has actually done something, there isn’t any danger. Once this happens, of course, radicalisation can proceed very quickly indeed, which explains (I guess) the several cases where apparent changes have been very swift.