Wednesday, September 3, 2014

Improving the security of mobiles and services

After the recent debacle where pictures has been leaked from Apple's iCloud, by using iBrute and EPPB to attack specific users iCloud acounts there is clearly a need to address weak security in synchronization protocols used by mobiles for backing up and synchronizing data to the cloud.

Since these apps, our built in services, on the phone relies on static information to identify and authenticate seamlessly it is relatively easy to reverse engineer the protocol and emulate an individual device. These apps and services operates on the user's behalf and can not rely on multi factor authentication (MFA) requiring user intevention.

I will here propose a solution based on a integrated chip (IC) for generating OTPs (one time passwords) to introduce some randomness to the identity information submitted from the mobile.

When the user installs and app or activates a service on the phone, the app/service registers itself as a OTP consumer to the mobile OS. The OS must be able to uniquely identify an app/service in order to prevent impersonation from other apps. No token should be required to store by the app. Most app developers are not security experts and will probably not be able to secure such a token properly.

When the app logs in to the remote service for the first time, an OTP sequence is set up in the onboard chip. The chip generates touples of passwords, one part as the actual password, and a second to use as salt for a hashing algorithm. The remote side must set up the same OTP sequence, and the process should be confirmed by the user who identifies with username, password and ideally a MFA token entered by the user. This could be a OTP generated by Google Authenticator or similar. Steve Gibsons SQRL will also be an excellent confirmation. This requires the user to create the account beforehand, or the app does this during first time login. Devices added to the account can be revoked access if they are stolen, and when devices are added the user is properly notified in a separate channel (e.g. email, SMS)

When the app or service want to communicate with the remote end this sequence will occur:
  1. App/service request OTP from IC
  2. IC generates OTP touple and hashes the first part using salt from the second part
  3. The hash is returned to the app (the app never sees the real OTP)
  4. The app supplies the hash value as part of communication setup process
  5. The remote side also generates same OTP touple as the mobile and calculates the hash
  6. Hashes are compared.
  7. A succesful compare allow for proceeding the operation.
 This will make it impossible to emulate a device by using static information. The hashing is there to obfuscate the original OTP, in order to make it even harder to guess the next password.

The proposed solution may also be used where the user is active, but as a added layer of security. Recently Tesla Motors announced that the iPhone could be used as a FOB (and probably Android/Windows devices later, guessing). If the setup process used the onboard screen of the car, scanning a QR code on the screen, the risk of illegitimate access and use of the car is minimized. This is probably just the beginning of use cases for mobiles giving access to valuable items, and security issues lies ahead.

This solution only help protect to use of a service from a mobile, not the content stored on the service providers storage. These will to varying degrees be vulnerable to other attacks, so don't put anything on a service providers storage that must absolutely not leak into the wrong hands.

This idea is free to use, but oh, I'm saving money for a Model S ;)

Wednesday, June 27, 2012

New blog dedicated to systems thinking

I have created a new blog where I will focus on systems thinking from a programmers perspective here http://flowshaped.io.

This blog may continue to contain various ramblings on software and the industry.

Monday, January 9, 2012

Real world authentication and transaction protocol semantics

A real world story explained in authentication and transaction protocol semantics to provide some insight into the relationships between real world information flow and failure demand that is so important when managing IT dependent service organizations.

A couple of years ago me and my family went on a trip to Mallorca. In the confusion of the arrival terminal baggage area we left one backpack on the pickup trail. The backpack contained artifacts of high value, but not critical to our stay. A human error started an obscure process enduring the our whole stay on the island.

Note: As most histories of failure demand this one started with the customer making a mistake. In systems thinking terms, this is probably so frequent in the charter business that it should be considered as mere variation.

On the bus to the hotel I discovered we where missing the backpack and asked the guide what to do. The guide told me to contact the guides located at the hotel as he was just having responsibility for transport to and from the airport.

Note: this must be happening all the time, why doesn't charter operators have procedures for handling this immediately? This is in effect a redirection to another service (endpoint), much like a http code 303 See other. This is also an example of standardized work that drives costs and complexity up.

I attended to the guides on the hotel on a daily basis. This resulted in using estimated 30 minutes per day in waiting and talking to the guides. Each day they promised to look into it, they contacted the airport, waited for response from the lost property department.

Note: I was polling the guides, which was in a constant loop answering me and polling the lost property department. This consumed resources and was of course a source of irritation to us.

In the day we where leaving, the guide having responsibility for the returning bus transport followed me to the lost property department of the airport. When asking for the backsack the clerk just shaked his head. Nothing like my backpack was found. I pulled my passport to eliminate any doubt of who I was, and provide correct information. The clerk quickly disappeared and returned with my sack. Huh? It appeared the guides was not informed of the required authentication to pick up left property.

Note: The airport clerks pretended it did not exist until I showed up in person and provided proper authentication. Much like a properly invented security measure in IT, but remember to inform your users (guides) about it. Failing to inform results in failure demand in the flow and bad service seen from the customer (which in this case will associate the travelling destination with bad service (cognitive availability).

Since the time before checkin was nearing fast I did not have time to check the contents of the sack before later. It appeared that mobile chargers and iPods where missing.

Note: Almost no security measure can stop unloyal employees from taking what they want.

After returning I claimed the loss to my credit card company. Travels payed with the card automatically has travel insurance. They presented a bureaucratic and cumbersome process, and in general did not cover lost property. Huh? So much for travel insurance. Our house contents (NO: innbo) insurance though covered lost property during travel. The process was very straightforward and used average prices on artifacts calculated from real prices. I got a security token that I could use to "buy" the artifacts again from their webpage or get money refund. -> Happy travelling insurance customer. I will stick with these guys for a while, as my availablity heuristic brain tells me they provides good service.

Note: providing a simple process with clear semantics reduces pain and resource consumption and great service.

Friday, January 6, 2012

Content and technology cycles

Most content outlives any presentation and distribution technologies. Content valuable enough will be converted to new formats and prepared for distribution on new carriers. This is nothing new and has been ongoing since humans started to draw and write.

Content creation involves effort and possibly considerable amounts of economical investments. Professional content creators live off their work, and naturally wants to be paid for providing their works.

Somewhere along the road, movie-, music- and publisher industry acquired exclusive distribution rights. When they where distributing content in a physical form (in atoms), this added considerable value to the product. Distributors got involved in all kinds of coordination and promotion activities related to their exclusive rights. As long as the distributors controlled the technology this went along fine, but with the invention of the music cassette the foundation for a copy culture was laid. Content consumers wanted to have copies of music in their cars, walkmans and in the living room. The VCR allowed copying of films. A growing pirate industry, mainly based in Asia was founded, but the economical problems was limited as they had to move atoms around the globe and copied material was not more accessible than the originals.

For music and movies this led both to direct loss for content creators, but it also provided culture sharing. When more people heard new music or films, some bought originals while some copied. It will be impossible to know if the entertainment industry have lost or gained in this game. A copy today may result in future sales of releases of music and movies.

When computers moved into the home copying of software soon became common as the physical burden was shrinking. We started to move bits on physical carriers (diskettes). When PCs was introduced copying flourished. Whether this favored or hurt the software industry is not quite clear. Microsofts success with Office was laid with the massive distribution of Windows which was heavily copied and distributed amongst users. I would guess the software industry as a whole, especially platform vendors, have gained opportunities because of copying. This is not a defense of piracy, but my estimation of the outcome. The software industry has slowly adjusted to the new realities. Software can be bought and downloaded or provided as as service (SaaS). Open Source developers uses the moving of bits their full advantage.

In the late 90-ies the Internet was introduced for consumers. The Internet made moving atoms obsolete. Content could now be moved as pure bits globally, with the speed of the network. The Internet provides us with a completely new way of distributing and consuming content. It is also a foundation for collaboration, creativity and provides us with vast new opportunities for doing business.

The elimination of the need for moving atoms also reduces costs. There is little value in moving bits, and the concept of the moving and copying of bits breaks the limitations of physical distribution. It also breaks exclusivity as content can be made available for anyone instantly at a global scale. The entertainment industry seems not have understood or do not welcome this. They seem to be willing to go all the way in their efforts to stop the evolution. They lobby for and support legislations like SOPA, PIPA and EU Data Retention Directive.

Technology follows very rapid cycles of invention, while content has a completely different cycle. The most valuable content will inevitably be converted to new presentation- and carrier technologies. If the copyright owners does not do it, consumers will. And why should they not? If you have bought a product shouldn't you be allowed to use it on gadgets not yet invented? To me it is not crystal clear copying is theft. Copying is also culture sharing, and generates future sales. The Internet gives us great possibilities for sharing culture and this could be lost, or at least very restricted if the entertainment industry will get it's will with lawmakers.

So why would anyone tie exclusive distribution rights to specific distribution technologies? This gives distributors no incentives for adjusting to new realities and opportunities. These industries are now lobbying for draconic laws that is protecting their relatively outdated business models. They refuse to meet the demand of their customers and stubbornly gives Internet the blame for everything not going their way. The difference now is that consumers (and pirates) have all the tools and infrastructure to fill in the gaps. When the gap left open by the entertainment industry is wide enough and demand is high, massive piracy is the inevitable result.

Instead of exploiting vast opportunities for culture sharing and selling a lot more (for a lower price per item, reflecting reduced costs) they want laws that will seriously impede democratic freedoms hard won through recent centuries. The Internet has breathed new life to democracies (video of Al Gore talking about SOPA was quickly deleted from Youtube...). Whether the lawmakers does not understand this, or do not want more democracy will be mere speculation. It is probably a mix of incompetence and using piracy as an excuse for their own agenda.

Another consequence of the internet is that there is only one market: the global market. Trying to limit releases to restricted areas will fail and only cause problems. It has become de facto Cargo Culting in the media industry. In the digital distribution world there is no borders or physical restrictions that creates exclusivity. A better strategy will be global releases and making use of social media buzz to spread the word and attract consumers to buy content from copyright holders.

Tuesday, November 1, 2011

Hack your phone

Recently my old HTC Hero started to get notoriously slow and frequently report "low on space". Even after removing all apps memory was still almost exhausted. The phone has been running on MoDoCo 2.1 since the last r5 release.

I could have just bought a new phone, which of course would be better by all means, but since the risk of bricking the phone was low (low probability and the impact of the risk was just to by a new one) I decided to find what the latest update around for an old phone like the Hero.

I found far more than I expected in Cyanogen Mod 7.1. Now I have a far newer OS than HTC has ever released for the phone, a lot of new functionality plus a much more stable and responsive phone. Extended standby time included. In addition to saving (or at least postponing replacing the Hero) it was a satisfying feeling to successfully tinker with the device.

When the risk is low the threshold for hacking your phone should be low. Just as people should know how to switch light bulbs and connect the pieces of a surround system, they should also have some knowledge about their phones and how to repair them. It is not hard, it is fun and you'll learn a lot.

Friday, October 14, 2011

My data

We are doing it all wrong. Empowering people with technology is currently centered around the technology only. The technology is important of course, but it is totally useless without any data. Technology is just for playing with the data.

So do we empower the user with any control over data? Can we manage data digitally as in real life? Well of course not, digital information is about making data more fluid. But making data more fluid does not mean doing it to all data. The principles if privacy should be valid independent of format.
  • Private data should be as private as in a bank box. If the individual chooses to destroy the data, it is his or her choice.
  • Shared secrets should be as secret as though it was shared with real friends. Sometimes information will leak.
  • Published data should assimilate. As in real life. It would be impossible to control the flow
  • Observations can be recorded, but no personal information should be stored without consent
Given these simple rules, it should be the individual deciding which risks to take. Facebook, Google or governments should be in no position to decide what risks to take with any data.

That does not mean any data can be gathered by trusted parties, but what and how data is collection should be open. It must always be possible to opt out. That does not exclude companies and governments from monitoring activity. It should just be recorded as impersonal observations. As in real life.

Monday, August 29, 2011

Information industry battles

Evidence that we are now witnessing one of the greatest battles in the information media industry is emergent. The giants of the industry is either actively pursuing ever more control or is being pushed to take defensive steps. Through the last century many similar battles has taken place: AT&T, the Hollywood Filmthrust and RCA vs Armstrong serving here as prominent examples.

The roles of the battle is not new: weak and unprepared governments, capitalism serving shareholders, and eager consumers. The goal of the current battle is to dominate so as to cut [exclusive] deals with content owners. As often seen before patents is used by the big guys to limit innovation from competitors, and push around those big enough to pose a competitive threat.

In earlier battles a very limited set of patents was used a weapons. Now the giants has to collect patent portfolios in order to gain sufficient control over/defense against competitors. A large number of consolidated patents is powerful when  one tries to suffocate innovation and limit the innovative freedom of others.

Innovation has always been important in the Information media industry. Innovation could make the industry more or less self regulating. If a conglomerate/cartel manages to gain control over innovation that could be a threat and even ultimately replace them, they have also gained invulnerability. The loosers if the battle is the content consumers, that will have less choice. The free market can easily commit suicide, especially in the information industry.

The governments, and especially the USA, has much to easily given the giants the weapon they need: patents. It is maybe a bit counterintuitive, but patents is a construction for limiting further innovation. Governments are also generally weak at regulating the information media industry. This creates the opportunity to create an empire. The more powerful, the easier it is to get allies either by fear or business. But, there is a but, when governments has seen trough it's fingers of this battle yielding consolidated giants, they have also created a soft underbelly on those. The giants knows it, and parts of the governments knows it too. The parts of the governments that has understood, also know how to exploit it. Ultimately the information industry stiffens, only casting static shadows of its former dynamic nature. This is when capitalism stops working.

Recently the US and EU has implemented legislation that let them get access to the giants business records. In the name of the fight against terrorism and child porn, they have adopted draconian laws, that removes our digital privacy. This just get easier the bigger the giants gets, because the stakes get higher with size. No giant wants to be defeated up by an anti-trust case.

The current battle is more destructive than ever. The real stakeholders is not shareholders, but us. Our privacy is at stake. Information media industry collects private information and serves public information. It is a unbalanced game. We loose as consumers because without competetion, the giants will be lazy but almost impossible to replace. They have their patent portfolios. This equilibrium is exploited by our governments.