Schneier on Security: A Taxonomy of Social Networking Data

A Taxonomy of Social Networking Data

At the Internet Governance Forum in Sharm El Sheikh this week, there was a conversation on social networking data. Someone made the point that there are several different types of data, and it would be useful to separate them. This is my taxonomy of social networking data.

from Schneier on Security: A Taxonomy of Social Networking Data.

Follow the link for a useful breakdown of data in any community site or service.

Conservatives unveil plans to cut state surveillance » Local Government »

A future Conservative government would drastically reduce the size of the “Big Brother” state.

Were they to win the election, the Tories would slash database projects and roll back the “snooping” powers given to officials.

In future, Whitehall departments would face tougher privacy rules to protect the individual against loss of their personal data, shadow justice secretary Dominic Grieve will say today.

via Conservatives unveil plans to cut state surveillance » Local Government »

Vanish: Enhancing the Privacy of the Web with Self-Destructing Data

Computing and communicating through the Web makes it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview; a lost or stolen laptop can expose personal photos or messages; or a legal investigation can subpoena the entire contents of a home or work computer, uncovering incriminating or just embarrassing details from the past.

Vanish is a research system designed to give users control over the lifetime of personal data stored on the web or in the cloud. Specifically, all copies of Vanish encrypted data — even archived or cached copies — will become permanently unreadable at a specific time, without any action on the part of the user or any third party or centralized service.

from Vanish: Enhancing the Privacy of the Web with Self-Destructing Data.

Cryptography Challenge…

Cory Doctorow asked Bruce Schneier to give him a hand designing wedding rings. Not an obvious combination until you realise these are crypto rings…

There are two great discussions going on over at both blogs. Cory has asked his crowd to help design a cipher for his crypto wedding rings. While Bruce simply said Contest: Cory Doctorow’s Cipher Wheel Rings.

The discussion on both posts is worth reading. A mixture of things popping up about the similarity between the three rings and the Enigma machine as well as comments about Jefferson’s Wheel Cipher.

Like most things Cory does (or says) there’s an element of the slightly bizarre. The prize, a not to be sniffed-at signed copy of Little Brother.

The full set of photos are on Cory’s Flickr account, tagged weddingring.

Comparisons with the Enigma machine, I suspect, are bogus. While there is a visual similarity with the Enigma’s wheels the Enigma’s cipher was implemented in the electronics within the machine. The letters on the rotors simply enabling the correct starting positions to be selected. The Enigma machines perform a substitution cipher, but with the additional complexity that the substitution pattern changes for each letter through the message. I don’t see a way to do that with these rings. There may be rotor ciphers that could be implemented – I don’t know.

Jefferson’s cipher is a much closer match, a fully manual system consisting of 26 wheels with the alphabet scrambled differently on each one. Similar to the Enigma machine, sender and receiver had to have the order of the wheels synchronised and each letter would use a different substitution scheme, though Jefferson’s not as thorough as the Enigma.

As the rings cannot be altered and the alphabet is in order on all three wheels, any attempt that results in one character of cipher text for each character of plain text will be a simple substitution cipher. While it may take several complex steps to arrive at the cipher character it will only take an attacker one step to go back.

So, if you’re thinking about this problem seriously there are some things you have to decide on first…

  1. Is the ring considered secret or not?

    This is isn’t an unreasonable assumption (putting aside that the details have been published online). It’s not that long ago that messages were transferred in plain text relying only on the emperor’s seal – made in wax with a ring only he carried.

  2. Can you include another secret?

    There are suggestions on the blogs of using most recent blog posts, first pages of known books and other items as keys to drive the cipher. This then involves taking the character from the key and the character from the plaintext and some form of mathematical computation (shifting rings up or down, finding the next dot above or below, that kind of thing) to arrive at the cipher text character.

  3. Is the algorithm secret?

    Knowing Bruce’s views on secrecy and security, even suggesting it is pure heresy. Considering the ring to be secret may be part of this, or may not. Some of the ideas I’ve had fall outside being encryption and really fall into the realm of a ‘secret encoding’. But hey, something has to be secret and if it can’t be the ring, or the key, the maybe it has to be the algorithm.

Then, of course, you have to decide what to do with the rings. Any Cryptographic algorithm fulfils one of four basic purposes:

  1. Symmetric Encryption

    These algorithms use the same key to encrypt and decrypt the text. They may use a single algorithm, like ROT13, or they may use a matched pair of algorithms, like many other substitution ciphers.

  2. Asymmetric Encryption

    These algorithms use one key to encrypt and another to decrypt. The keys in this case are paired and are usually termed public and private keys. Typically you would use the recipients public key to encrypt and they would use their own private key to decrypt.

  3. Non-Decryptable Hashes

    Used mostly for storing passwords (I can’t think of another use), these algorithms enable you to reliably convert plain text into a hash with little possibility of reversing the process. For passwords this means you store the hash of the password, then compare the hashed version of any sign-in attempt with the stored hash.

  4. Signing

    Signing means adding some kind of addendum to the message that confirms you wrote it. Again this is done using public/private key pairs. You use your private key to create a hashed version of the message which others can then verify using your public key.

As well as thinking about all of that good stuff it might be worth looking for clues in the design of the rings. Bruce must have had something in mind when designing the rings.

Here are the obvious things to notice:

  1. All three rings feature the alphabet in order.
  2. The dot patterns are not random.
  3. The dot pattern follow a 1, 2, 3 pattern.
  4. The dot pattern is not unique (it repeats) when looking across the three rings.

Less obvious:

  1. The S across three rings, looking at the dots above, makes dot, dot, dot while the O across the dots on top is three blanks (dash, dash, dash?) this made me go look at Morse Code again.

Yep, that’s all I spotted 🙁

I’ll be chatting with a coupe of colleagues to see if we can put our heads together and also watching to see what the winner comes up with.

Don't touch anything!

Biometrics really annoy me. In a previous life building secure authentication systems for Egg, a major internet bank, I did a great deal of research into biometrics. Not only are there issues for a substantial minority (think those with glaucoma, burns victims, those with no hands), whichever biometric you pick. But there is also the fundamental problem that you can’t ‘reset’ a biometric in the same way as a password or a certificate.

Even more annoying is the way in which proponents seem to ignore even the most compelling evidence against biometrics – such as the obvious fact that your fingerprint is neither secure nor secret. Nor is it non-reproducible.

Something that Germany’s interior minister, Wolfgang Schauble has just found out.

Do you keep

a draft of some posts that you write and think “nah, if I publish that I’ll get in trouble”?

I do. They might be rants or they might criticise something that’s really not up for criticism, socially I mean.

Anyway, I’m bound to get a visit from the TSA, or refused entry into the US or someat for this…

Firstly: this is a great skit on the absurdity of airline security.


nah, better leave that in the drafts folder.


“How do I know you are who you say you are?”

Over on Alan’s blog he mentions that banks are training us to be insecure.

This is a hard problem to solve. The population at large can well understand that somebody could phone them and say “hi, I’m from blah-blah bank”, but the assumption is that they won’t.

This initial assumption of trust is what makes it easy to do business with each other, easy to have a conversation. But it also makes it easy for people to take advantage. Kevin Mitnick‘s book on the subject, The Art of Deception, is a great read. It’s full of horror stories of how perfectly normal, smart, people are duped by simple things like “but I knew who hew was, he phoned the other day”.

No, I know I’m a freak – I’ve used “I Like Cheese” to ward off tele-marketers – so I simply ask the bank for the 3rd and 5th letters of their password. It usually goes something like this:

“Hi, this is Samantha, I’m calling from blah-blah bank. Is that Mr Styles”

“Yep, what can I do for you?”

“I need to check some details on your account, but first I need to ask you some security questions. Can I have the first line of your address?”

“Sure, but first I need to make sure you’re who you say you are. Can I have the third and fifth letters from your password, please?”

“I’m sorry?”

“Well, you called me, so I don’t know who you are until you answer some security questions. Can I have the third and fifth letters from your password please?”

“I’m sorry sir, I don’t understand what you mean.”

“Well, I need to know who you are before I can give you any of my details.”

“oh, ok, I’m Samantha from blah-blah bank.”

“Great, can I have the third and fifthe letters from your password please?”

“erm, I don’t have a password sir, what is it you mean?”

“Well, you should have received a telephone banking password in the post in order to access your customer, that’s me. I need you to tell me the third and fifth letters from that password, without revealing the whole password to me, before I can give you any details.”

“ok, I don’t have that password”

“ok, perhaps you can email then?”

“sure, I’ll do that”

Of course, by the end of the call the conversation has slowed to an incredulous and confused drawl, not the chipper, bright young thing that started off. I know, it’s sad; I’m a freak, but it makes me laugh.

I Absolutely Do Or Don't Want OpenID

Over at work we’re talking about OpenID, one of my colleagues, Richard Wallis is skeptical

So am I.

I don’t want OpenID, I’m an individual who spends a lot of time online. My online nick, mmmmmRob, already provides a rather incriminating history just on what Google have indexed. I do not trust any provider (let alone Microsoft, Passport? Come on!) to authenticate me everywhere, because they also then get to see where I go, if not what I do.

I don’t want OpenID, I don’t want to have lots of passwords… the positive point of having lots of OpenID providers is great for the individual, but there are two sides to this choice. The sites I use will also have to decide which OpenID providers they trust. There will be many occasions, I’m sure, where the lists won’t intersect. I would choose (other objections aside) based on who will keep my data private and secure. Commercial sites will choose based on who they can share data with and how that will enable them to target me more successfully.

I don’t want OpenID, I don’t want one thing to break everything. If my OpenID is compromised all the sites I use are open to that one set of authentication details. Say it’s a flaw in my provider or in OpenID itself, not just my account, then no matter how quickly I change it, it’s compromised again; all the sites allowing OpenID remaining either vulnerable or off-air until it’s fixed.

I don’t want OpenID, because it doesn’t give me one set of credentials. Online I live on the web, on IRC, in an assortment of Instant Messengers I can’t see OpenID integrating with every protocol (although technically it could). When IRC servers support it then we may have something ubiquitous. The web is not the internet.

Over at work we’re talking about OpenID, one of my colleagues, Richard Wallis is skeptical

I’m not.

I want OpenID. I have so many usernames and passwords I have to keep them all written down, I’ve forgotten how many accounts I had to re-create just because I changed my email address.

I want OpenID. I’m not sure I trust some of the sites I use to keep a password secure, so instead I make up some junk password and end up creating a new account each time I visit. If my OpenID provider will keep my credentials that’ll be safer.

I want OpenID. I write internet sites. If I can cross-reference the browsing habits of my users with those seen on other sites I exchange data with then I can make my site better by offering links, promotions and other personalisation.

I want OpenID. Lots of people run several pieces of web server software, your website and your blog? For Universities it’s the website, student portal, staff portal, reading lists, virtual learning and so on. Having them all support one easy single sign-on solution would be great.

I want OpenID, as services start to underpin each other – S3 underpins SmugMug and more on the way – I need a way for me to share an identity, safely, between the two things. I want to use my own S3 account to store my SmugMug photos.

I want OpenID. As an internet geek it just seems wrong that the internet doesn’t have an established, global, standard, federated authentication infrastructure. It should have.

So, if OpenID is still some time off and not right for everything, what do I do now?

I use Password Safe, a free, open-source, password manager. It stores all my passwords in a strongly encrypted file. I keep the file on a USB fob on my keyring and make backups to an online drive. It generates strong passwords for me, stuff like b?L>Jqa\v%4gM99 if you want to go that far or i2KPpS5W by default. It has a nice little feature that you can use to key press into other applications, so it even logs me on via SSH and authenticates me on IRC.

It’s an easier solution than OpenID and it’s here now, but it doesn’t solve all my problems.