Friday, October 29, 2010

Apparently Facebook hates privacy so much that they pay lobbyists to stop privacy laws

This maybe shouldn't surprise anyone, but Mashable is reporting that Facebook Lobbied to Kill Social Networking Privacy Act in the USA.

It's one thing to believe that privacy isn't important, or to make mistakes that expose users, but paying people to lobby against privacy legislation that might protect your users seems like a big step further. It makes me concerned as a user of the service.

Incidentally, Facebook has already broken Canadian privacy law (they're not the only ones), and likely the laws of several other countries, so I guess it makes sense that they wouldn't want to run afoul of further laws... but I really wish they'd do this by handling privacy issues better rather than paying people to make sure the laws don't come into effect. Maybe the law was simply ill-conceived (I haven't read it) but this really doesn't sound like the actions of a socially-responsible company. Very disappointing.

Thursday, October 28, 2010

Why 12 year olds may be our best bug hunters

You may have heard the news: Mozilla pays 12-year-old San Jose boy for hunting bugs in system:

It's safe to say a typical Willow Glen 12-year-old doesn't earn $3,000 for a couple of weeks' worth of work. Then again, Alex Miller is no typical 12-year-old.

Alex is a bug hunter, but the bugs he's uncovering are unlikely to end up in any entomological reference book. Instead, the bug Alex found was a valid critical security flaw buried in the Firefox web browser. For his discovery, he was rewarded a bug bounty of $3,000 by Mozilla, the parent company of Firefox.

Much of the coverage I've seen has been along the lines of "wow, if a 12 year old can find a bug, then anyone can do this!" which I think is awesome if it has more people out looking through code in hopes of one of those $3k bounties. But I also find that attitude a little sad because frankly, Alex Miller sounds like a pretty smart guy and implying that what he did is easy because he's young is a bit condescending and likely incorrect.

But the more I think about it, the more I think that maybe younger bughunters have some natural advantages, and maybe we should go out of our way to recruit them. I taught 17 year olds doing in-lab tutorials for several years running, and work students down to around 12 years old when I've taught mini-courses in the spring, and they're pretty darned sharp.

Here's some assets younger folk bring to the table when it comes to security flaws:

  • A different point of view -- Some teachers take it as incredibly frustrating that their students just don't see the world the way they do because it can be hard to teach without common ground, but I've always found it fascinating how my students will write code in ways completely different to what I expect. Frankly, I don't see this kind of diversity when I work with my colleagues, probably because we have similar educational backgrounds. A different way to think can help you find things that others are going to miss, in research or in security bug hunting!

  • Time -- Alex Miller says he only spend 90 minutes/day for around 10 days to find his bug, but in general tweens and teens can have a lot more free time than their adult counterparts. Sure, there's school and homework and often a slew of extra-curriculars, but there's usually less time spent on childcare, laundry, groceries, cooking, cleaning, yardwork. Younger students may do some of that, but usually not all of the above.

  • Enthusiasm -- Let's face it; if you stare at code all day at work, you're not always likely to set aside 90 minutes/day to do it at home. Whereas when I was a teenager and was writing essays at school, 90 minutes of debugging sounded like a lot more fun!

  • Chutzpah -- It's easy for us as adults to think "meh, so many people have looked at this... I'll never find anything" and in general the students I work with have a lot more guts and are just more willing to believe that they personally will change the world if they just try. Certainly, my gaming students often propose genre-busting epic game ideas that I can just imagine getting shot down at a company meeting.

So maybe we shouldn't be saying "if a 12 year old can do it, anyone can" and instead thinking "how can I channel my inner 12 year old?"

Wednesday, October 27, 2010

Quick Hit: Firesheep

By now, probably everyone's already heard of firesheep, the nice user-friendly way to use cookies to do session hijacking. Want to be logged in as someone else on Facebook? No problem.

It's nothing spectacular on a technical level, since it's been easy enough to use other people's cookies for quite some time, but it's a pretty impressive social hacking tool. It's making it clear to a lot of people (and media) that this is a real problem, and that it's an exploit anyone can do now.

I'm actually sort of surprised that I haven't seen this earlier: it used to be a bit of a game in the undergrad lounge to see what one could sniff off the network, with people using some tool whose name I've forgotten to show any images that came up from users surfing on the wireless. Hacking session cookies would have been a fun addition to our childish games -- and I'll bet plenty of college kids are using it for just that. Or for checking out their ex-boyfriends/girlfriends...

Monday, October 11, 2010

Does expiring passwords really help security?

Change is Easy
Originally uploaded by dawn_perry
I've heard a lot of arguments as to why expiring passwords likely won't help. Here's a few:

  • It's easy to install malware on a machine, so the new password will be sniffed just like the old.
  • It costs more: frequent password changes result in more forgotten passwords and support desk calls.
  • It irritates users, who will then feel less motivated to implement to other security measures.
  • Constantly forcing people to think of new, memorable passwords leads to cognitive shortcuts like password-Sep, password-Oct, password-Nov...
And yet, many organizations continue to force regular password changes in order to improve security. But what if that's not what's really happening? Three researchers from the University of North Carolina at Chapel Hill have unveiled what they claim to be the first large-scale study on password expiration, and they found it wanting.

They focus especially on the idea that consecutive passwords will be related, and build a system which could try a variety of transforms such as changing which letter was uppercase, duplicating letters/numbers/symbols, and even "leet" translation (eg: raven becomes r@v3n). The implications of their results are fairly clear and potentially disturbing for those who thought password changing was providing extra security in the case of a breach:

  • With offline attacks: "On average, roughly 41% of passwords can be broken from an old password in under 3 seconds."
  • With online attacks: "An average of 13% of accounts can be broken (with cer- tainty) in 5 online guesses, and 18% can be broken in 10 guesses."
  • "As we expand our consideration to other types of transform trees, we would not be surprised to see these success rates jump significantly."
In essence, they've shown that changing passwords doesn't provide nearly as much security as system designers had hoped, and they suggest we abandon the practice rather than continue to annoy users with a policy that has been proven ineffective.