Monthly Archives: February 2006

Chinese website registration

The OpenNet Initiative has released a bulletin on China’s website registration policy. This mandates that all non-commercial websites hosted in China be registered with the Ministry of Information Industry (MII), whereas previously this applied only to commercial sites.

Failure to register a site by July 2005 was punishable by a ¥10 000 fine (about €1 000 and 2/3 of an average urban Chinese annual income) as well as removal the website. Sites are required to put their registration number at the center-bottom of the homepage. Failure to comply makes the owner liable for a ¥5 00010 000 fine.

Enforcement is not only by the MII, but also by the hosting ISPs. This is encouraged by a ¥10 000 fine for hosting unregistered content. ISPs are also responsible for cutting off sites in violation of these rules, however IP/port blocks have also been reported, along with the consequent over-blocking of virtual hosts. The MII also operates the “Night Crawler” which searches for sites not displaying a registration number.

Rebecca MacKinnon suggests that this move might shift Chinese bloggers on to commercial sites such as MSN Spaces, Blogbus, Bokee or Sina, which implement their own keyword filtering to prevent themselves being blocked (as Typepad and Blogsome have been). This shifts the cost and accountability of censorship away from the government and to the edges, as has been done for registration enforcement. The remaining bloggers who maintain their own site will be required to register and so are more likely to self-censor.

The registration process is entirely online, and consists of the owner entering personal information (name, address, etc…) as well as the site description, an email address and mobile phone number. The registration request must then be reviewed by the MII and after a few days the owner is notified of the result and given the registration number if successful.

Interestingly, only the mobile phone number and email address are verified by sending a code to them, which ties in well to the compulsory mobile phone registration in December. Criminals in the UK have been known to steal mobile phones to give untraceable communication in the course of committing offences. Perhaps stolen phones will be used in China to produce fraudulent website registrations for people who would like to keep their anonymity?

Towards a market price for insecurity

There’s been a certain amount of research into the value of security holes in the past few years (for a starter bibliography see the “Economics of vulnerabilities” section on Ross Anderson’s “Economics and Security Resource Page”).

Both TippingPoint and iDefense who currently run vulnerability markets for zero day exploits are somewhat coy about saying what they currently pay (and they both have frequent contributor programmes to try and persuade people not to stick with one buyer, which will distort the market).

The idea is that the firms will bid for the vulnerability, pay the finder (who will keep it quiet) and then work with the vendor to get the hole fixed. In the meantime the firm’s customers will get protection (maybe by a firewall rule) for the new threat — which should attract more customers, and will hopefully pay for buying the vulnerabilities in the first place. The rest of the world gets to hear about it when the vendor finally ships a fix in the form of patches.

It was reported that when TippingPoint came in (giving the impression that they’d be paying out various multiples of $1000) iDefense promptly indicated they’d be doubling what they paid… which one source indicated was usually around $300 to $1000. So competition seems to have affected the market; but the prices paid are still quite low.

However, last December eWEEK reported that some enterprising Russians were offering a 0-day exploit for the Microsoft WMF vulnerability for $4,000 (and it might not have been exclusive, they might sell it to several people).

And now — until the end of March — iDefense are offering an extra $10,000 on top of what they’d normally pay if when Microsoft eventually issue a patch they label a vulnerability as “critical” (viz: you could use it to construct a worm that ran without user interaction).

eWEEK have an interesting article on this, the quotes in which deserve some attention for the (non)grasp of economics that appears to be involved. First off they quote Microsoft as saying “We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers”. That’s an interesting viewpoint — perhap’s they will be submitting a paper to support their view to WEIS 2006?

eWEEK say (they don’t have an exact quote) that Michael Sutton of iDefense “dismissed the notion that paying for vulnerabilities helps to push up the price for hackers who sell flaws on the illegal underground markets”. That suggests either a market in which communication of pricing information is extremely poor; or that Sutton has a new economic theory that will influence the Nobel committee!

In the same article, Peter Mell from NIST is quoted as saying it was “unfair” to concentrate on a single vendor (though I expect iDefense chose Microsoft for their market share and not by tossing a coin!). He was also apparently concerned about the influence on Bill Gates’ fortune, “A third party with a lot of money could cause stock price shifts if they want to”. That’s just “Stock Exchange Operations 101” so I think we can discount that as a specific worry (though WEIS 2005 attendees will of course recall that security holes do affect share prices).

Why so many CCTVs in UK?

I went to the Institute of Criminology yesterday afternoon. Prof Martin Gill of Leicester University gave a brilliant talk on their extensive study on assessing the effectiveness of CCTV in reducing crime.

This was a proper, scientifically-conducted study with plenty of field work and “user studies”—including fascinating simulations with cooperative shoplifters rigged up with hidden cameras and microphones, as well as interviews with convicted murderers.

The speaker had wonderful war stories on people protecting the wrong things, or the right things in the wrong ways, and generally failing to understand how criminals actually operate. He clearly speaks the same language as us and I told him I’d like to invite him to give a seminar here.

One gem among many was the shop that believed itself ultra-secure because it had a giant, scary-looking, 130-kg-of-muscle security guard at the exit; to which the expert shoplifter commented “I’ll have an easy time here! Their only protection is that enormous bloke over there that I can easily outrun!”. The chest size of the guard is only scary if you’re planning to pick a fight with him.

Another good point was that several of the murderers had acted on impulse (alcohol, jealousy, rage) and were not planning to kill anyone when they got up that morning. At the time of killing their victim they were not acting exactly rationally and even the presence of a machine-gun-armed guard wouldn’t have deterred them, let alone a camera.

Anyway, one of the interesting high level messages, and the reason why I file this under “Security economics”, is that the ubiquity of CCTV cameras in the UK is apparently a straightforward consequence of the plentiful availability of government money for CCTV. This created pressure to bid for CCTV installation grants regardless of their actual effectiveness, as an easy way to get at the allocated grant funds.

Obvious meta-questions would then be: why was CCTV so over-funded in the first place? who are the CCTV suppliers that made all the money? and is anyone in a position to reassure us that, as we’d like to believe, there were no links?

Complexities in criminalising denial of service attacks

Last autumn I wrote a background paper on “Complexities in criminalising denial of service attacks” for the Internet Crime Forum (ICF) Legal subgroup. The idea was to give the lawyers some understanding of what DoS and DDoS attacks were all about, and how it can be hard to pin down concepts such as authorisation when one looks at how we use Internet resources today.

The Home Office has now brought forward the Police and Justice Bill, which contains amendments to Section 3 of the Computer Misuse Act 1990 to deal (they hope) with denial-of-service attacks. Thus events have overtaken the document โ€“ so there is little value in progressing the document through the ICF procedures needed to make it an Official Publication. Hence I’ve made it available on my own website, so as to provide a background resource to those considering whether the Home Office have got it right!

Forensics and terrorism

Tomorrow I’ll be at Parliament giving evidence to the Home Affairs Committee, who are considering a request from the police to be able to hold terrorism suspects for ninety days without charge, so as to be able to examine seized computers properly. My written evidence to them is here.

The police are short of forensic capability, sure; and that’s going to get worse until they get their act together. But they’re also short of interpreters. I don’t think they’d dream of asking for increased detention powers just because not enough coppers speak Somali. Parliament would just tell them to hire interpreters from commercial agencies. Why do people get away with such poor policy arguments when computers are involved?

EarthLink has just 31 challenge-response CAPTCHAs

EarthLink, the US ISP, provides its users with a number of spam blocking and filtering systems. One of these systems, deployed since 2003 or so, is called “Suspect Email Blocking” and is one of those tedious and ineffective “Challenge-Response” systems. They might have made sense once, but now they just send out their challenges to the third parties whose identity has been stolen by the spammers.

Since the spammers have been stealing my identity a LOT recently — and since Earthlink is failing to detect their emails as spam — I have received several hundred of these Challenge-Response emails ๐Ÿ™ Effectively, EarthLink customers are dumping their spam filtering costs onto me.

Well I’m now mad as hell and not going to take it any more. So I’ve been responding to these challenges, and whenever possible I’ve been sending along a message that indicates the practical effect of the system. Of course this will mean that the spam will be delivered (and the forged email address will be whitelisted in future) which is hardly what is desired! Since this should be quite noticeable, if everyone was to spend a few minutes each day responding to the challenges then Challenge-Response systems would die out overnight! So please join in!!

Howver, responding is rather tedious (the idea, after all, is that the spammers won’t be able to afford to do it — though in practice they would be able to keep sending their more profitable spam by using labour from the Third World). To avoid this tedium I’ve been working on the automation of my responses. However, the EarthLink web page on which you respond contains a visual CAPTCHA — specifically so as to prevent automatic responses to the challenges. Nevertheless, I got a lot slicker at answering the questions when I wrote some Perl and put up a little Tk widget to collect the answer to the CAPTCHAs.

TK widget for EarthLink CAPTCHAs

The idea was to move on to some fancy image processing since there’s been a lot of success at this (see here and here for starters)… However, that won’t be necessary. It turns out, nearly 300 challenges later, that EarthLink only have 31 CAPTCHAs in total… although since some turn up a great deal more more rarely than others, it may be that there’s a few more to be collected!

01 EarthLink CAPTCHA 01 02 EarthLink CAPTCHA 02 03 EarthLink CAPTCHA 03
04 EarthLink CAPTCHA 04 05 EarthLink CAPTCHA 05 06 EarthLink CAPTCHA 06
07 EarthLink CAPTCHA 07 08 EarthLink CAPTCHA 08 09 EarthLink CAPTCHA 09
10 EarthLink CAPTCHA 10 11 EarthLink CAPTCHA 11 12 EarthLink CAPTCHA 12
13 EarthLink CAPTCHA 13 14 EarthLink CAPTCHA 14 15 EarthLink CAPTCHA 15
16 EarthLink CAPTCHA 16 17 EarthLink CAPTCHA 17 18 EarthLink CAPTCHA 18
19 EarthLink CAPTCHA 19 20 EarthLink CAPTCHA 20 21 EarthLink CAPTCHA 21
22 EarthLink CAPTCHA 22 23 EarthLink CAPTCHA 23 24 EarthLink CAPTCHA 24
25 EarthLink CAPTCHA 25 26 EarthLink CAPTCHA 26 27 EarthLink CAPTCHA 27
28 EarthLink CAPTCHA 28 29 EarthLink CAPTCHA 29 30 EarthLink CAPTCHA 30
31 EarthLink CAPTCHA 31

For rather more detail, and the current totals for each CAPTCHA (some have turned up nearly 30 times, some just once) please see the detailed account which I’ve placed on my own webspace.

By the way: If you’re an EarthLink user reading this — then please turn OFF “Suspect Email Blocking”! You’re just annoying everyone else ๐Ÿ™

Security research may become a crime in the UK

Clause 35 of the new Police and Justice Bill will amend the Computer Misuse Act to make it an offence to make or adapt any article –

(a) knowing that it is designed or adapted for use in the course of or in connection with an offence … ; or

(b) intending it to be used to commit, or to assist in the commission of, an offence …

This would be OK if the “or” at the end of (a) were replaced with “and”. As it stands, it looks like criminalising much of what we do here. Time to write to your MP?

Mysterious and Menacing

There’s a big change coming in the way that the UK police deal with “hi-tech crime” — and it might mean that a lot of Internet crime gets ignored.

For the past five years, since April 2001, the National Hi-Tech Crime Unit (NHTCU) has been the national unit for combating “national and transnational serious and organised hi-tech crime both within, or which impacts upon, the UK”. However, from April 2006 the NHTCU is to become part of the Serious Organised Crime Agency (SOCA), along with the National Crime Squad (NCS), National Criminal Intelligence Service (NCIS), part of the Customs Service (especially those dealing with class A drugs) and part of the Immigration Service (who deal with “people smuggling”).

The task of SOCA is to deal with “level 3” criminality, which is defined by the National Intelligence Model (NIM) as “Serious and Organised Crime — usually operating on a national and international scale, requiring identification by proactive means and response primarily through targeting operations by dedicated units and a preventative response on a national basis”.

Level 1 criminality, defined as “Local Issues — usually the crimes, criminals and other problems affecting a basic command unit or small force area”, will continue to be dealt with, as now, by local police forces. This is the type of crime you report to the desk sergeant in the local nick, and of course it’s seldom the model for crime involving the Internet!

That leaves “level 2” crime which is “Cross Border”. In this definition the border isn’t an international demarcation, but between police forces. Since there are 49 police forces in the UK, it’s pretty clear that almost all Internet crime that doesn’t involve mafias or gangs is going to be level 2.

Up until now, Internet crime has been investigated by the NHTCU (in so far as they have had the resources to manage this). They’ve had successes on phishing, software counterfeiting and DDoS attacks. However, if these crimes occurred this year, with the NHTCU personnel within SOCA, then few of them would be level 3 and so they would not be looked at.

So who will investigate these level 2 Internet crimes in the future? Your local desk sergeant may take down the details, but the Chief Constable, who is meeting targets on how well level 1 crime is dealt with, isn’t going to be interested in putting resources into investigating criminals who are likely to be in another force’s area — and possibly even in another country.

You won’t learn much about this change on any police websites at the moment… and this is partly because there’s another change being made by the NHTCU. Up until now they’ve been very media-friendly with loads of press releases about their successes and lots of information on their website to ensure that High Tech Crime gets reported appropriately.

However, in their new role they’ve decided to leave all this behind. So there will be no more NHTCU officers as speakers on panels at conferences, no more cuddly interviews in The Times. Their watchwords, they tell me privately, for the new style are “mysterious and menacing”.

Let’s hope that’s not how we end up viewing the Internet as the level 2 criminals run riot ๐Ÿ™