I’m in the Security Protocols Workshop, whose theme this year is “security protocols for humans”. I’ll try to liveblog the talks in followups to this post.
Steven Murdoch started the workshop with a talk on transparency enhancing technologies. He’s been following the court case Bates and others v Post Office Ltd; the claimants are post office franchise operators who argue that the defendant’s Horizon bookkeeping system made errors that cost many of them lots of money and led to some going bankrupt or being wrongly prosecuted. The dispute has now gone on for a decade and the parties have spent over £10m between them. What sort of jurisprudence is appropriate to technical security disputes? If a court uses Bayesian updating, unlikely events such as flaws in cryptography can be swamped by more common events such as operator dishonesty, which can lead to the wrong outcome in cases like this one. The prior experience of payment disputes is not encouraging. One has to distinguish carefully between having a correct but vague answer to the right question and having a precise answer to the wrong one. So how can we reduce the likelihood of evidence wrongly appearing consistent with human error? In the Horizon case there was a keystroke log, but it turned out to be less useful than hoped; arguments were made that the information would violate both personal privacy and commercial confidentiality. Perhaps we need a law to the effect that computer systems that are incapable of clearing innocent people should not be admissible in evidence.
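To make the Bayesian point concrete, here is a toy calculation (my illustration; the numbers are hypothetical, not from the case): even when the evidence is roughly as likely under a system fault as under operator error, a tiny prior on the fault hypothesis swamps it.

```python
# Toy Bayesian update illustrating Steven's point (hypothetical numbers).
# Hypotheses: the shortfall was caused by a system fault, or by operator error.
prior_fault = 0.001        # courts treat system faults as very rare a priori
prior_operator = 0.999

# Ambiguous evidence: a shortfall in the accounts, roughly equally likely
# under either hypothesis.
p_evidence_given_fault = 0.9
p_evidence_given_operator = 0.8

posterior_fault = (p_evidence_given_fault * prior_fault) / (
    p_evidence_given_fault * prior_fault
    + p_evidence_given_operator * prior_operator
)
print(f"P(fault | shortfall) = {posterior_fault:.5f}")
# ~0.00112: the tiny prior dominates, so the evidence "looks consistent"
# with operator dishonesty even if the system is actually at fault.
```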
Next up was Benjamin Reinheimer, who has been studying audio CAPTCHAs such as those based on the cocktail party problem. His experiments used overlapping male and female synthesised voices reciting numbers, letters and words; the best machine-learning classifiers he could train were reasonable at identifying what the male voice said, but much less capable of distinguishing the female one. Questioners pointed out that this may reflect bias in the software or in its training datasets; that the most expensive part of deploying such a system is data collection and annotation; that the best way to amortise these costs might be to ask extra questions and give as little feedback as possible to solvers when solutions are rejected; and that audio CAPTCHAs are not just a potential substitute for screen-based ones but now an intrinsic sector of their own, given the growth of phone-based systems.
The third speaker of the afternoon, Sasa Radomirovic, has been thinking about mental models. In cyberspace these are often contrived by vendors; emptying the trash makes a suitable sound but doesn’t convey the subtleties of deletion versus secure deletion. The design quality varies and could often be improved, particularly by feedback: in the real world we know whether our lawnmower engine is running or not. With software it’s not that straightforward, and the things that can undermine our mental models include abstraction, delay and change; above all, the latest things are ever more complex, and it tends to be only the young who follow them closely, while the same emoji looks quite different on different platforms – leading to fragmentation and age stratification. It would be better to have standardised signs, such as we have for hazard warnings and street furniture. What security symbols do we have? There are many little locks and keys, but their meanings are very diverse. Sasa would like a standard vocabulary of security signage to communicate both protection goals and trade-offs.
Last up on Wednesday afternoon was Simon Foley, talking about social constructionism in security protocols. His first case study was the Equifax hack, which the CEO initially blamed on human error – a C-level executive for not overseeing the vulnerability management process; the individual concerned blamed stupid controls instead. Simon surveyed network defenders from network operations centres and incident response teams. Their understanding is jointly constructed, often by people talking directly with subject experts rather than using the company’s formal procedures. To manage such processes we need to understand the shared reality that emerges. Simon is trying to understand the human experience of being in the loop of security systems; this is good for discovering the “unknown knowns”, the things we know without realising it, and for understanding that human transgression is a normal component of the status quo. For example, a protocol that froze hospital screens when the webcam detected the absence of a human for five seconds caused so much annoyance to doctors that they circumvented it by covering the webcam. Simon has also been trying to develop a theory of the socio-technical experience of CSIRTs. Information sharing contrary to procedure is associated with cognitive dissonance.
Thursday’s sessions were started by Vasilios Mavroudis, who has been studying market manipulation. Electronic markets now have books of buy and sell orders, and a matching engine to pair them. The orders in the book can be at market, or have limit prices, or may be partly hidden (e.g. the full quantity isn’t displayed). The EU Markets in Financial Instruments Directive requires markets to have fair access, with operational transparency, symmetric information and trading integrity. In addition to traditional abuses from publishing misleading information to pump-and-dump, there are now technical tricks too around trading protocols, timing and side channels. Fingerprinting techniques can be used to uncover anonymous traders. Illegal tricks include quote stuffing; queue jumping, sniping and scalping can be illegal depending on the context. There’s debate about sniping; some see it as a bug (it discriminates against slower traders, so the Toronto exchange imposes a random delay of 1-3ms on all traders) and others as a feature that drives technology uptake. Traders used to minimise latency by renting premises close to the market, or even colocated machines – though at some markets, such machines are now all given the same length of cable.
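For readers unfamiliar with matching engines, here is a minimal price-time-priority sketch (my illustration only; real engines also handle market orders, hidden quantity, self-trade prevention and much else):

```python
import heapq
from dataclasses import dataclass, field
from itertools import count

_seq = count()  # arrival order gives time priority

@dataclass(order=True)
class Order:
    sort_key: tuple = field(init=False)
    side: str = field(compare=False)    # 'buy' or 'sell'
    price: float = field(compare=False) # limit price
    qty: int = field(compare=False)

    def __post_init__(self):
        # buys: highest price first; sells: lowest price first; ties by arrival
        key_price = -self.price if self.side == 'buy' else self.price
        self.sort_key = (key_price, next(_seq))

class Book:
    def __init__(self):
        self.bids, self.asks = [], []

    def submit(self, order):
        own, other = (self.bids, self.asks) if order.side == 'buy' else (self.asks, self.bids)
        # match against resting orders on the other side while prices cross
        while other and order.qty > 0:
            best = other[0]
            crosses = order.price >= best.price if order.side == 'buy' else order.price <= best.price
            if not crosses:
                break
            traded = min(order.qty, best.qty)
            print(f"trade {traded} @ {best.price}")
            order.qty -= traded
            best.qty -= traded
            if best.qty == 0:
                heapq.heappop(other)
        if order.qty > 0:
            heapq.heappush(own, order)   # remainder rests in the book

book = Book()
book.submit(Order('sell', 100.0, 5))
book.submit(Order('buy', 101.0, 3))      # crosses: trade 3 @ 100.0
```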
The second speaker, Prashant Anantharaman, has been studying mismorphisms – where different people perceive things differently. An example is the use of null characters in phishing domain names; they can deceive machines too, as with the Mozilla null-character bug. Prashant is categorising such bugs by the strategies programmers use to deal with uncertain values, or to check possible inconsistencies in input, as with the Heartbleed bug. The protocol designers and implementers may be in different teams or even companies, while the input validator, the parser and the protocol engine may be in different software libraries and may not be completely interoperable between client and server.
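A toy illustration of the null-character mismatch (hypothetical code, not Mozilla’s): one component treats the hostname as a length-delimited string while a legacy component stops at the first NUL, so the two components “see” different hosts.

```python
# Hypothetical illustration of a null-character mismorphism: the validator
# is length-aware, but a downstream C-style component stops at the first NUL.
# (Names and logic are illustrative, not any real browser's code.)

def validator_sees(name: bytes) -> bytes:
    # length-delimited view: the whole byte string is the hostname
    return name

def legacy_parser_sees(name: bytes) -> bytes:
    # NUL-terminated view: everything after the first 0x00 is invisible
    return name.split(b"\x00", 1)[0]

hostname = b"paypal.com\x00.attacker.example"
print(validator_sees(hostname))      # b'paypal.com\x00.attacker.example'
print(legacy_parser_sees(hostname))  # b'paypal.com'  <- what gets displayed/checked
# If one layer matches a certificate against the truncated name while another
# connects using the full name, the components perceive different hosts,
# which is exactly the kind of mismatch Prashant calls a mismorphism.
```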
Chan Nam Ngo has been working on affordable security, and in particular the fairness of multiparty computation, which means that corrupt parties get the answer if and only if honest parties do, and which requires an honest majority. Crypto fairness and financial fairness aren’t quite the same thing. To illustrate this, Chan Nam ran a version of Kumaresan’s see-saw game among five audience members; the last player ended up having to deposit seven pounds to win one. Scaling such systems up makes things even worse – MPC trading between dozens of parties could impose a disadvantage factor in the hundreds. The open problem is to design a protocol where everyone locks up about the same stake in escrow for a trade or game regardless of when they move.
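A back-of-the-envelope sketch of the financial-fairness gap (the deposit formula below is purely hypothetical, not Kumaresan’s actual construction): if the worst-placed party must lock collateral proportional to the number of parties who could still abort after them, the disadvantage factor grows with the number of players.

```python
# Toy arithmetic for "crypto-fair but financially unfair" deposits.
# Hypothetical formula: assume the worst-placed party in an n-party escrow
# protocol must lock a deposit proportional to the number of parties who
# could still abort after them, while the prize stays fixed.
def disadvantage_factor(n_parties: int, prize: float = 1.0, stake_per_party: float = 1.5) -> float:
    deposit = (n_parties - 1) * stake_per_party   # worst-placed party's locked collateral
    return deposit / prize

for n in (5, 20, 50):
    print(n, disadvantage_factor(n))
# 5 -> 6.0, 20 -> 28.5, 50 -> 73.5: you lock up far more than you can win,
# which is the sense in which crypto fairness is not financial fairness.
```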
Vijay Kothari and Michael Millian have been studying human-computability boundaries; how should you go about designing an automaton around people? The boundary of what people can reason about doesn’t map neatly on to automaton boundaries; people can reason about some but not all pushdown automata and some but not all Turing machines. Questions were raised about whether mapping the human-machine boundary in formal machine terms was the best approach; in other application areas the boundary is at a higher layer in the stack. For example, humans deal better with probabilities when they are expressed in frequentist terms, or made socially salient. A further problem is that people have different cognitive styles, with some people trained in computational thinking and others not. Individuals also use different styles at different times: an expert operating in her domain of expertise with motivation and focus is very different from a random person visiting a site with partial attention en route to something else.
The afternoon shift started with Benjamin Ylvisaker, who notes that secure messaging and collaborative editing are both popular, so why not secure collaborative editing? The intersection between the two consists of a few research prototypes. To go beyond file sharing you need fine-grained management of concurrency. There are issues not just with protocols but with architecture and the underlying economic model. In a distributed implementation will users have to be online simultaneously? Benjamin’s idea is that each user keeps a list of edits in their own cloud storage account, and there’s a protocol to merge them; there’s a lot of recent research on operational transforms etc., and we can use timestamps to order them. The most recent part of the chain is tentative rather than committed. Since the encrypted data are kept in public, ratcheting isn’t needed as often as for messaging.
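A minimal sketch of the merge step (my illustration, not Benjamin’s code): each user’s edit list is already time-ordered, so readers can merge the lists by timestamp and treat the most recent entries as tentative. Real designs would use operational transforms or CRDTs to resolve conflicting edits.

```python
import heapq

# Each user keeps an append-only, time-ordered list of edits in their own
# cloud storage; readers merge the lists into a single order by timestamp,
# breaking ties by author so every reader gets the same result.
alice = [(1, "alice", "insert 'h' at 0"), (4, "alice", "insert 'i' at 1")]
bob   = [(2, "bob",   "insert '!' at 1"), (5, "bob",   "delete at 2")]

merged = list(heapq.merge(alice, bob))           # inputs are already sorted
committed, tentative = merged[:-2], merged[-2:]  # cut-off chosen arbitrarily here:
                                                 # the newest edits stay tentative
print("committed:", committed)
print("tentative:", tentative)
```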
Next was Arastoo Bozorgi, who’s been working on UPSS, a cryptographic file system to support applications from censorship-resistant social networking to cloud health records that can be audited without the auditor learning private patient information. Everything is stored as fixed-size immutable encrypted blocks protected by convergent encryption and referred to by immutable DAGs; the key for each block is kept encrypted in its parent, so as to avoid a central crypto key store. Change propagation is managed by copy-on-write. Arastoo also described how a private collaboration service might be constructed on top of it. There was discussion about the level at which merging might be done and the extent to which such a service might need to understand the detailed semantics of applications, such as editors, that it might support.
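A sketch of the convergent-encryption idea behind such block stores (my illustration, not UPSS’s actual code; it uses the pyca/cryptography package): the key for each block is derived from the block’s own content, so identical blocks deduplicate, and a parent node can carry its children’s keys without any central key store.

```python
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Convergent encryption for a content-addressed block store (illustrative).
BLOCK_SIZE = 4096

def encrypt_block(plaintext: bytes):
    padded = plaintext.ljust(BLOCK_SIZE, b"\x00")        # fixed-size blocks
    key = hashlib.sha256(padded).digest()                # content-derived key
    # a fixed nonce is tolerable here only because each key encrypts one block
    ciphertext = AESGCM(key).encrypt(b"\x00" * 12, padded, None)
    block_id = hashlib.sha256(ciphertext).hexdigest()    # immutable block name
    return block_id, key, ciphertext

# A parent DAG node would store (block_id, key) for each child, itself
# encrypted, so only holders of the root key can walk the tree.
block_id, key, ct = encrypt_block(b"patient record ...")
print(block_id[:16], len(ct))
```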
Laurent Chuat is working on zero-knowledge user authentication. The problems of passwords and of two-factor authentication are well known, and attacks based on phishing, malware (at both ends), eavesdropping, and a man-in-the-middle are common. Laurent’s pitch is for an augmented version of PAKE where the user’s phone has the secret key (essentially a long passphrase), communicates to her laptop using bluetooth or WebRTC or QR codes, and a variety of servers can verify the proofs the phone generates. He’s designed it to minimise the opportunities for compromised computers at either end and argues that smartphones are the real solution to the authentication problem.
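As a reminder of the building block such schemes rely on, here is a generic Fiat-Shamir Schnorr proof of knowledge. This is not Laurent’s actual protocol, and the group parameters are deliberately tiny and insecure; it just shows how a phone could prove it knows a secret without ever sending it.

```python
import hashlib
import secrets

# Toy subgroup of order q = 11 inside Z_23*; g = 4 generates it.
# Deliberately insecure parameters, for illustration only.
p, q, g = 23, 11, 4

x = secrets.randbelow(q - 1) + 1      # phone's long-term secret
X = pow(g, x, p)                      # public key registered with the server

# Prover (phone): commit, derive challenge, respond.
r = secrets.randbelow(q - 1) + 1
R = pow(g, r, p)
c = int(hashlib.sha256(f"{R}:{X}".encode()).hexdigest(), 16) % q
s = (r + c * x) % q

# Verifier (server): checks g^s == R * X^c without ever learning x.
assert pow(g, s, p) == (R * pow(X, c, p)) % p
print("proof verified")
```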
Virgil Gligor was Thursday’s last speaker and wonders whether it might ever be possible to design a malware-proof computer. One approach might be to add reductions, such as using a separating kernel to get flow-isolated partitions; yet there are a surprising number of hidden assumptions about crypto, secrets and adversaries, not to mention the ‘Gollmann complaint’ that reductions assume nothing unexpected can happen. So is it at all possible to have much simpler reductions that don’t depend on crypto and bounded adversaries? An unconditional reduction might depend on a real hardware random-number generator (possibly based on a quantum noise source) plus formal verification of information-flow properties, and given space-time optimal computations, the presence of malware might be detected by timing. Discussion followed on the nature and capabilities of such a machine. For example, computations would have to use all available memory, but no such computations exist for any existing device specification. Too many things also need to be proved around control flow. Virgil suggests a total redesign for provability: an instruction set to support computations expressed as k-independent random polynomials, which give an almost-universal hash function family and can be computed in constant time and with constant memory. See chapter 16 of Arora and Barak’s ‘Computational Complexity’ for the underlying theory on whether Horner’s rule is optimal for the computation of a polynomial.
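To make the last point concrete, here is a small sketch (mine, not Virgil’s code) of a k-independent polynomial hash evaluated by Horner’s rule: k uniformly random coefficients over a prime field, evaluated with a fixed number of multiplications and additions determined by k, which is the predictable space-time profile the proposal relies on.

```python
import secrets

# A degree-(k-1) polynomial with uniformly random coefficients over a prime
# field is a k-independent (and almost-universal) hash family; Horner's rule
# evaluates it with exactly k-1 multiplications and k-1 additions.
P = 2**61 - 1                     # a Mersenne prime, used as the field modulus

def random_poly(k: int):
    return [secrets.randbelow(P) for _ in range(k)]   # coefficients a_0 .. a_{k-1}

def horner_hash(coeffs, x: int) -> int:
    acc = 0
    for a in reversed(coeffs):    # evaluates a_{k-1} x^{k-1} + ... + a_0 mod P
        acc = (acc * x + a) % P
    return acc

coeffs = random_poly(4)           # one member of a 4-independent family
print(horner_hash(coeffs, 123456789))
```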
Friday’s first speaker was Jeff Yan, who’s noted that the geographical organisation of crime familiar from the Sicilian Mafia is persisting into the age of cybercrime. He’s been investigating Chinese scam villages, where hundreds of people earn a living from some particular online abuse. These are scattered across seven provinces in China. What’s going on? Gambetta explains the Mafia’s emergence as a perverse response to a rapid transition to a market economy, which created a demand for protection of newly granted property rights that the state could not meet, leading to banditry; this was coupled with a supply of unemployed soldiers. Is such an economic perspective relevant to scam villages? The scams take time and effort, but the entry cost is learning how to talk to victims rather than money. As a result, the village is the natural unit to scale up a business; training is easy and you can control the scope of sharing. Different villages have different scam stories. Possible analogies are the medieval system of craft guilds, which restricted entry to keep earnings up but sought to distribute tradesmen, and the Indian phenomenon of thuggee, where highwaymen from one group of villages killed and robbed travellers on India’s highways in colonial times. In the specific environment of rural China, the patriarchal clan system provides a mechanism for trust and control. This might lead us to ask about institutional criminal structures in other places with cybercrime ecosystems, including Nigeria (clans?), Russia (physical crime gangs with political cover) and the USA (where things may be less organised as criminals are better at remaining anonymous). Jeff’s analysis is that the villages provided an alternative path to scale up business given the impossibility of enforcing property rights in conventional courts, and to facilitate cooperation, as when weak teams get strong ones to help work high-value victims. There may also be issues of quality control: not screwing up in ways that publicise the scam and poison the well. The policy recommendation might be to punish scam villages on the basis that they’re organised crime.
Next was Diana Vasile, who’s been studying key insertion attacks on public-key cryptosystems – so-called ‘ghost users’ demanded by intelligence agencies as a means of monitoring end-to-end encrypted chat. More than a billion people rely on such systems. The app takes away the pain of key management, but the source code, the key server and the message server are typically maintained by the same team, and many systems offer multiple end-points per user (your phone, your tablet and your watch, in the case of iMessage). What sort of notification should users be given about other users’ devices and about key changes, in order to make the false-positive and false-negative behaviours robust? She suggests three steps. First, incentivise users during the crucial first ten minutes when they’re playing with the app, by setting up a game in which users can get silver or gold ratings by authenticating their friends. Second, provide an option to customise the warning system so that people exposed to attack can be nudged or even forced to check things properly. Third, provide a means to collect and aggregate evidence about keys, with key signing or transparency mechanisms, whether personal trust decisions, services like CONIKS, or plausible revocations. Video calls may be more trustworthy as MITM attacks are harder, so long as people are alert about poor-quality calls. She further suggests the use of gossiping protocols over local wifi to fortify these mechanisms; one possibility is Dat. Another possibility is to make a key change a major social event, as the replacement of a phone after loss or failure is a major life event. The takeaways are user incentives rather than hidden options; sensitivity to user context; and message visibility rather than key management. Finally, similar mechanisms can be used for binary transparency as well as key transparency.
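A minimal sketch of the evidence-aggregation idea (hypothetical, not any deployed messenger’s code): peers gossip the key fingerprints they have seen for each contact and flag divergence, which is exactly the signal a ghost-user insertion would produce.

```python
import hashlib
from collections import defaultdict

# Peers gossip the key fingerprints they have observed for each contact.
# If two peers report different fingerprints for the same contact, someone
# may be seeing an inserted 'ghost' key and should be warned.

def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()[:16]

observations = defaultdict(set)   # contact -> fingerprints reported by peers

def gossip(contact: str, reported_fp: str):
    observations[contact].add(reported_fp)
    if len(observations[contact]) > 1:
        print(f"WARNING: conflicting keys seen for {contact}: {observations[contact]}")

gossip("alice", fingerprint(b"alice-key-v1"))
gossip("alice", fingerprint(b"alice-key-v1"))        # consistent, no warning
gossip("alice", fingerprint(b"attacker-inserted"))   # divergence -> warning
```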
The second-last talk was by Lydia Kraus, who invited us to imagine we’re archaeologists. Just as one can try to understand neolithic societies from their stone tools, what might we understand from the history of protocols about our changing environment? TLS and its predecessor SSL go back a quarter of a century now, and Lydia’s “dig” is a project to collect all the browser warnings from this period, which she plans to make accessible as a research archive. Obvious things to expect are the usability evolution of certificate validation levels (DV/OV/EV), validation errors (wrong host, self-signed, expired, revoked) and content issues (mixed content, mixed script, etc.), messages around ciphersuites (algorithms, modes, attack indicators), and recent additions such as certificate transparency and pinning.
The last speaker was Mansoor Ahmed, whose talk title “Snitches get stitches” was chosen long before Julian Assange’s arrest yesterday (full disclosure: I’m a coauthor). Whistleblowing is one of the most difficult security problems; normally we’re trying to deal with insider threats, but with whistleblowing laws we’re trying to promote disclosure. Data collected by a whistleblowing charity tell us that in most cases it’s not about technology but power dynamics. Culture matters too; black people complaining about discrimination weren’t taken seriously until the civil-rights movement, and women complaining of sexual harassment have been taken more seriously only since the #metoo movement. At the hard end of the spectrum we often see a tension between hard power and soft power; with Snowden, for example, it’s the hard power of the US state against the soft power of the media. But soft power is fickle; stories and jokes about Harvey Weinstein circulated widely before his arrest. Anyway, whistleblowing is high on the agenda, given not just the Assange case but the EU rules on whistleblower protection. So can we formalise the problem in any useful way? Let Alice be trying to expose wrongdoing by Max the boss to Duncan the journalist, while Tom is an agent of power who supports Max and Harry is another agent of power who supports Alice. So Alice contacts Duncan, who can broadcast Alice’s documents and harm Max, or betray Alice to Max and perhaps harm her instead. One tricky dimension is trust; Duncan has to decide whether Alice is a provocation by Max, or is genuine. Behind the protocol flow are the power relationships. Features of the problem are whether Duncan possesses impunity, whether he can be censored, and whether Alice needs anonymity, at least for a while. Technologists often solve the wrong problem, for example by suggesting mix networks; but against a state adversary it’s not a good idea to be the only person in the civil service using Tor (and with many real whistleblowing cases the anonymity set size is one, so technical anonymity is not even relevant). A survey of the last ten years reveals that very few whistleblowers remained anonymous (one notable exception being the Panama Papers), so the goal is not anonymity as much as impunity or physical escape. Other important factors are whether the leaked information is easily verifiable, and whether Tom can use pervasive surveillance, for example by analysing traffic data at national scale. In general one has to understand the limits of technology and tailor any proposal to a given Max and Tom, rather than looking for a one-size-fits-all solution.
At lunch it was announced that Mansoor Ahmed won the best presentation award. Congratulations!
Mansoor’s award-winning paper is now on arxiv.