Hubert Chathi

January 22, 2010
12:37 -0500
Hubert Chathi: OK, now this is really getting ridiculous http://en.wikinews.org/wiki/Bomb_scare_aboard_plane_caused_by_harmless_prayer_box
January 5, 2010
14:55 -0500
Hubert Chathi: stupid paranoia wins again http://www.cbc.ca/canada/story/2010/01/05/security-canada-us-airport.html
14:35 -0500
Hubert Chathi: "secure" USB drives not-so-secure: http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html
December 17, 2009
18:07 -0500
Hubert Chathi: Nearly 2/3 of Canadians would # online http://www.cbc.ca/politics/story/2009/12/17/ekos-poll.html In related news, nearly 2/3 of Canadians don't understand #
July 17, 2009
11:40 -0400
Hubert Chathi: wants users to have passwords that are 20 characters long, with at least 8 upper-case letters, 9 lowercase letters, 4 digits, and 8 Unicode symbols above the normal ASCII range...
June 18, 2009
14:44 -0400
Hubert Chathi: doesn't like this: http://www.cbc.ca/technology/story/2009/06/18/tech-internet-police-bill-intercept-electronic-communications.html
December 3, 2008

clipperz

17:40 -0500
URL:
http://www.clipperz.com/
Tags:
security, privacy

I used to pretty much only use my laptop, which was nice, because all my data was stored in one place. However, I now use a desktop computer at work. For the most part, it's OK, because I don't need to access much work stuff from home, and vice versa. However, occasionally it does happen, and so I'm thinking more about online services.

Clipperz is an online password (or other textual data) manager. Now for most security-conscious people, “online” and “password manager” do not go together. However, Clipperz uses JavaScript to encrypt all your data before sending it to their servers. That means that none of your data can be accessed by Clipperz (or anyone else) unless they know your password.

Even better, Clipperz is free/open-source software, which means that if you really don't trust them, you can audit their source code. Or run your own service.

I had thought about implementing something similar, but Clipperz does more-or-less what I want it to, plus some things that I hadn't thought of. The only downside is that I wish it would have better organizational features (in particular, a hierarchical organization).

November 7, 2008

Government wants good hash

17:09 -0500

No, not that kind of hash. The NIST is holding a contest for a new cryptographic hash function. Vulnerabilities have been found in the most commonly used hash functions, MD5 and SHA-1, and the contest is for the new SHA-3 standard. The deadline for submissions was last Friday, so if you missed it, too bad.

Schneier et al. have submitted their algorithm, called Skein, and Rivest et al. have submitted MD6.

The NIST held a similar contest several years back for encryption algorithms, which resulted in Rijndael being officially named as the Advanced Encryption Standard. That contest took 5 years. We'll see how long this one takes. Hashing is generally less well-understood, and harder to do, than encryption.

October 7, 2008

Data mining can't identify terrorists

20:11 -0400
URL:
http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2547-1_3-0-20
Tags:
news, security, privacy

(see also: /.)

The National Research Council has released a 352-page report that tells us what most of us knew already: trying to use data mining to find bad guys doesn't work very well. The problem being that there are too many false positives.

Whether or not this will actually stop anyone from trying to do it anyways remains to be seen.
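As an added illustration of why the false positives swamp everything (the numbers are hypothetical, not figures from the report): take a population of $N = 3 \times 10^8$ people containing $T = 3000$ bad guys, and a detector that flags a real bad guy with probability $p = 0.99$ and an innocent person with probability $q = 0.001$, which is a generous assumption for a data-mining classifier.

$$\text{true positives} = pT = 0.99 \times 3000 = 2970$$

$$\text{false positives} = q(N - T) = 0.001 \times 299{,}997{,}000 = 299{,}997$$

$$\Pr[\text{bad guy} \mid \text{flagged}] = \frac{pT}{pT + q(N - T)} = \frac{2970}{2970 + 299{,}997} \approx 0.0098$$

So roughly 99 of every 100 people the system flags are innocent, and every one of them has to be investigated before the handful of real hits can be found.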

October 2, 2008

Elvis sighted in Netherlands

12:52 -0400
URL:
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html
Tags:
news, technical, security

(see also: PC Pro, /.)

At least, Elvis’ passport was sighted. And despite being dead, Elvis managed to get a new “un-forgeable” RFID passport.

Security researchers managed to modify an RFID-based passport so that it seems to belong to “Elvis Aaron Presley,” complete with photo.

The problem is not so much with the ability to forge passports, but rather with the claims that they are un-forgeable, and the false sense of security. If security personnel believe that the passports are un-forgeable, then we actually become less secure because of it.

June 8, 2008

One step closer to flying naked

14:26 -0400
URL:
http://www.usatoday.com/travel/flights/2008-06-05-bodyscan_N.htm
Tags:
news, security, privacy

(see also: /.)

As we all know, the only way to make sure that terrorists don't sneak weapons onto planes is to require that all airline passengers fly naked, without any carry-on luggage. Well, it looks like we're one step closer to that. Several American airports have installed new scanners that can see under people’s clothing.

And, like most recent airport security measures, the security scanners are not only completely unnecessary and useless, they also seem to be completely ineffective too.

The scanners do a good job seeing under clothing but cannot see through plastic or rubber materials that resemble skin, said Peter Siegel, a senior scientist at the California Institute of Technology. "You probably could find very common materials that you could wrap around you that would effectively obscure things," Siegel said.

Yes, apparently you can find some certain materials, wrap them around your body, and hide weapons there.

May 13, 2008

Spam killing (reprise)

23:54 -0400

I blogged about a year and a half ago about spam killing statistics on my server. I thought I'd post an update since then. These are the spam rejections from the past 10 days.

  • viruses rejected by ClamAV: 14 (all phishing attempts — no actual viruses)
  • spam rejected by SpamAssassin: 194 (this doesn't count spam eliminated by greylisting, since there's no easy way for me to get those stats)
  • rejected by the DNSBL at zen.spamhaus.org: 4,603
  • rejected by the DNSBLs at rfc-ignorant.org (dsn and bogusmx): 16
  • sent to a nonexisting user: 451
  • relay attempts: 37
  • failed sender verification: 48
  • bogus bounce messages (backscatter from spam): 7
  • mail delivered to my inbox: 873

Obviously, these numbers don't show the whole picture — they're only based on 10 days of activity. For example, the backscatter that I get seems to happen in waves, so it's low now, but some times, it's huge.

So in all, in the past 10 days, my mail server rejected 5,370 messages (compared to 3,281 from my last blog) and accepted 873 (compared to 564 from my last blog) messages. I also have another layer of spam filtering when I fetch the mail from my server.

So, spam volumes are up by about 1.6 times. General mail volume is also up — I'm subscribed to a few more mailing lists.

Changes to my filtering setup since last time include:

  • using DNSBLs: this drops a lot of spam, as you can see, and reduces the load on my server (since they only require a DNS lookup, and don't need to be content scanned)
  • lowering the threshold for SpamAssassin
  • signing my outgoing envelope sender, so that I can reject bogus bounces
  • enabling sender verification
  • enabling client SMTP authorization: it doesn't make a showing in these stats, but it drops a few spam here and there. I wish more people would publish CSA records. It's an easy check for spoofing, and a dead giveaway if it fails. It just isn't very well known.

I've also started reporting some spam via spamcop.

January 22, 2007

Back in Waterloo. And I brought back some snow.

14:48 -0500

Jes complained that I haven't blogged recently, so here it goes. I'm back in Waterloo, after a nice break in Edmonton. I got back on the 8th. Southern Ontario has had a lack of snow this winter ... until I got back. It started snowing the night I got back, and since then, we had one or two days without snow on the ground. We even had a snowstorm that shut down the school last Monday.

On my flight back, I was randomly selected at security for a patdown, I guess to make sure that I wasn't hiding a plastic gun in my pants that would evade detection by the metal detectors. The guard who searched me was professional and courteous. Random searches are a good thing for security, as long as they are truly random, and not based on things like racial profiling. Because once you start trying to profile, the terrorists will recruit people who don't fit the profile.

Thumbs up to cashiers in Alberta (at least the ones that I met at Best Buy and MEC). The signature on my credit card is worn off. The cashiers in Alberta actually checked that it was me by asking for my driver's license. Nobody in Ontario ever checked my license.

Thumbs down to the Vancouver airport. They had to shut down the international terminal and re-screen everyone because of a security mess-up. I don't know the exact details, but it seems like somebody failed to do their job.

December 15, 2006

security news dump: voting, airports, wiretaps, passports, DRM, and children

15:52 -0500

As usual, my news pile is backing up (but not as bad as my photo pile — I still have my summer photos to put up). So here's a dump of some of the articles.

First of all, don't take pictures of the police, or you might get arrested. (/., /. followup) (Even if you are fully within your rights to do so.)

Also, don't play in trees if you are a 12-year old child. You'll get arrested, and put your DNA on record. (/.)

If you're in an American airport, don't say that the TSA Director Kip Hawley is an idiot, even if he really is an idiot. (KHIAI, /.) If you do that, you may get detained. Because apparently freedom of speech doesn't apply inside an airport.

OK, enough sarcasm. (What? Hubert being sarcastic? Never...)

Electronic voting machines are becoming more commonly used in the US. But it seems like every month, there's a new problem that's found with them. The Open Voting Foundation took apart a Diebold machine, and found that it just takes flipping a single switch, and you can make the machine load your own software, instead of the (supposedly) certified software. (/.) The electronic voting machines also wreaked havoc in Maryland elections. Ed Felten et al. have shown how to infect a Diebold voting machine with a virus and change election results. (Dr. Dobbs, /.)

As Canada considers implementing its own version of the DMCA legislation, Professor Michael Geist ran a series called 30 Days of DRM, which outlined 30 issues that need to be considered in anti-circumvention legislation. (A brief background: DRM, or “Digital Rights Management”, also called “Digital Restrictions Management”, is a term that refers to technologies used to limit access to digital media, such as music and movies. Anti-circumvention legislation makes it illegal to bypass DRM, aimed at preventing unauthorized duplication, but which also prevents legitimate use of the media.)

Despite claims of security, the new e-passports have been cloned. (/.) While this is not the same as creating a new, fake passport, it is still a significant hole. Some security is gained by embedding a chip inside a passport, but the new passports are generally viewed as unforgeable, giving people a false sense of security.

And the Senate Judiciary Committee has voted to extend the US's warrantless wiretapping. (/.) Because who needs judicial oversight? (Whoops. There I go with the sarcasm again.)

December 13, 2006

Terror charges dropped against key ‘liquid explosive’ suspect

17:50 -0500

Remember the big scare back in August, that caused airline passengers to not be allowed to bring liquids (with a few exceptions) on board an airplane? Well, a Pakistani judge has ruled that there is not enough evidence against one of the key suspects to link him to any terrorist activities. (BBC, Al Jazeera, /.) Can we please have our water bottles back, now?

Fart brings down plane

17:12 -0500

You know things are bad when you can't even fart without causing security concerns.

November 1, 2006

If I lived in the US, I would be arrested by now

22:31 -0500

OK, maybe not. But apparently Congressman Markey has called for the arrest of a security researcher, and his house was raided by the FBI. (/., /.) The reason for this was that the researcher, Christopher Soghoian, a Ph.D. student at Indiana University, put up a website to let people print out a fake NWA boarding pass, pointing out a vulnerability in the security measures of the TSA. Mind you, Senator Charles Schumer pointed out the vulnerability earlier (on an official government website, no less), and anyone who knows anything about security already knows how to print out their own boarding pass – most airlines will let you print out your boarding pass at home, and it’s a simple task to modify it to say anything you want.

Was Soghoian helping terrorists by putting up his website to easily let anyone print out their own boarding pass with no effort? Well, any terrorist who can’t figure out how to print out their own pass isn’t going to be smart enough to go through with the rest of his attack, so I don’t think we really need to worry about those people.

I’m frequently making fun of airline security, and pointing out flaws, so let me say that I’m glad I don’t live in the US.

August 27, 2006

Security news

17:14 -0600

It’s summer, so more people are flying. And after the terrorism-related arrests a few weeks ago, more people are paranoid. And so, I suppose, it’s inevitable that we have more people overreacting to normal incidents.

Here’s one man’s story of what happened when his iPod accidentally fell in the airplane toilet. (Schneier, /., Ottawa Citizen) While the details of his story aren’t independently verified, it has at least been confirmed that someone’s iPod did in fact fall in the toilet, causing security to evacuate the plane and question all the passengers.

12 passengers, all Indian men, were removed from a flight after the crew noticed some passengers fiddling with cell phones. The 12 were later cleared and released without charges.

And when they’re not overreacting, they’re giving strange advice. The “[TSA] [encourages] everyone to pack gel-filled bras in their checked baggage.” (Schneier) So if you’re flying, and don’t have a gel-filled bra, make sure you go out and buy one, and pack it in your checked baggage. Because the TSA says so.

Here’s a Bob the Angry Flower comic on security. Which sounds a lot like the Department of Homeland Security’s list of top terrorist targets. (Schneier)

This is camping season as well, Schneier has a short posting on security tradeoffs in bear-proof garbage bins.

An old post: Schneier announced the movie-plot threat contest winner.

Moving on to computer security, 123456 is the most common password. (Schneier) That’s the kind of thing an idiot would have on his luggage.

And Stephen Colbert gives his computer security tips (part 1, part 2) (Schneier)

A new attack against SHA-1 has been developed. (/.) This is a collision attack (not a preimage attack), and allows part of the text to be chosen. It’s still not practical, but it’s still a further weakness in SHA-1.

And finally, here are some facts about Bruce Schneier (Schneier)

August 24, 2006

Refuse to be Terrorised

16:24 -0600

Bruce Schneier has an excellent essay on terrorism and security on Wired.com. (See also the reprint in his blog.) Everyone who is concerned about flying, or about terrorism should read it.

August 23, 2006

institutionalized discrimination

15:49 -0600

Last week, a Winnipeg doctor and two colleagues were kicked off a plane for saying their evening prayers. The prayers were interpreted by another passenger as suspicious behaviour; the passenger alerted the flight crew, and the three people were taken off their flight. A United Airlines spokesperson said that they have an obligation to take allegations of threatening situations seriously, especially after the recent arrests in Britain.

“Whenever these types of claims are made we have a duty to investigate,” Borrman said. “Our flight crews are trained to make safety the No. 1 priority.”

Yeah, you have a duty to investigate, and the flight crew obviously didn’t do that. Otherwise, they would have realized that the accusation was unfounded. Security doesn’t mean that you start kicking people off whenever someone points a finger and says, “terrorist!”

In my opinion, if anyone should have been kicked off the flight, it should have been the passenger who made the false accusation.

This page was made from only the finest electrons.

© Hubert Chathi <><