Administrivia: DeepSec/DeepINTEL/ROOTS Speaker Benefits extended to 2021

Source: https://en.wikipedia.org/wiki/File:Letter_of_Synesius_to_Hypatia_b2.jpg

The Call for Papers of DeepSec, DeepINTEL, and ROOTS have a deadline. DeepSec and DeepINTEL have set the first deadline to 31 July 2020. We will accept submissions after this date, but everyone who submitted before the deadline will be reviewed first. Since all speakers are entitled to benefits which depend on their presence at the conference, we decided to extend these offers. If you submit your presentation for the 2020 events and cannot attend, then all benefits such as entry to the conference, travel cost reimbursement, our famous speaker’s dinner, your stay at the hotel, and everything else will stay valid until DeepSec 2021. The only condition is that your content must be presented (either virtually or by proxy).

The offer is valid for DeepSec and ROOTS. DeepINTEL is a special case, because our security intelligence event relies on direct conversation. You will still get some of the benefits if you submit. We intend to address any difficulties for speakers getting to Vienna in November.

So if you are worried about travel and attending the conference, we hope to give you something in return. We have similar plans for attendees and will publish them as soon as we have worked out the details. Meanwhile don’t forget about submitting content. If you have research results, please submit them. The same goes for your idea that needs collaboration with others. Use our CfP manager form and submit your presentation.

Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to their CSP definitions, because they load libraries from this very popular CDN in their web applications. The problem is that this single allowlist entry can be used to bypass the CSP completely, and obviously you don’t want that to happen. Since CSP should be part of any modern application, you had better get to work and brush up your knowledge.
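A defender-side illustration, added here and not taken from the post or from Dawid Czagan’s material: a small Python checker that parses a Content-Security-Policy header and reports which whole hosts the script-src directive trusts (an entry such as ajax.googleapis.com is exactly what the paragraph warns about), next to a nonce-based policy that needs no CDN allowlist at all. The policy strings, the `review_script_policy` helper and the nonce generation are constructed for this example.

```python
"""Added example: CSP allowlist check and a nonce-based alternative.
Not the post's own code; the sample policies are constructed for illustration."""
import secrets

# Constructed sample policy of the kind the post describes: the whole CDN
# host is trusted for scripts, so any script that host serves is allowed to run.
WEAK_POLICY = (
    "default-src 'self'; "
    "script-src 'self' ajax.googleapis.com; "
    "object-src 'none'"
)


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}; directives are case-insensitive."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def is_host_source(src):
    """Keywords, nonces and hashes are quoted ('self', 'nonce-...', 'sha256-...');
    anything unquoted is a scheme or host source."""
    return not (src.startswith("'") and src.endswith("'"))


def script_sources(policy):
    """Sources governing <script>, falling back to default-src as a browser does."""
    return policy.get("script-src", policy.get("default-src", []))


def trusted_script_hosts(header):
    """Return every whole host or scheme that script-src trusts."""
    return [s for s in script_sources(parse_csp(header)) if is_host_source(s)]


def review_script_policy(header):
    """Return human-readable findings about the script-src directive."""
    sources = script_sources(parse_csp(header))
    findings = []
    hosts = [s for s in sources if is_host_source(s)]
    if hosts:
        findings.append(
            "script-src trusts whole hosts: " + ", ".join(hosts)
            + " (every script served from these hosts may run)")
    if "'unsafe-inline'" in sources:
        findings.append("script-src allows 'unsafe-inline'")
    if not any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources):
        findings.append("no nonce or hash source: consider a nonce-based policy")
    return findings


def new_nonce():
    """Fresh, unguessable per-response nonce (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def hardened_policy(nonce):
    """Nonce-based policy: only <script nonce=...> elements carrying this
    per-response nonce execute; 'strict-dynamic' lets those trusted scripts
    load their own dependencies, so no CDN host has to be allowlisted."""
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    )


if __name__ == "__main__":
    for finding in review_script_policy(WEAK_POLICY):
        print("weak policy:", finding)
    print("hardened policy:", hardened_policy(new_nonce()))
```

The nonce must be generated per response and placed on every legitimate `<script>` tag; a static nonce would be just another allowlist.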

In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers.

Watch this free video and feel the taste of Dawid Czagan’s Live Online Training “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (training at DeepSec 2020; 17/18 November)

Exploiting Race Conditions – Dawid Czagan

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multithreading. As a result of this attack an attacker who has $1000 in his bank account can transfer way more than $1000 from that account. This is just one example, but it clearly shows how dangerous this attack is. If you develop or use software connected to a network, then this is for you.
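The bank-account example above, as an added Python illustration that is not part of the post or of Dawid Czagan’s training: an `Account` class (constructed for this example) whose withdrawal checks the balance and then debits it as two separate steps, which two concurrent requests can both pass, next to the version that performs check and debit under one lock. The `pause` hook and the `threading.Barrier` exist only to make the interleaving reproducible.

```python
"""Added example: a check-then-act race on an account balance, and the
serialised version that closes it. Not from the post; amounts are constructed."""
import threading


class Account:
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, pause=None):
        """Flawed: the balance check and the debit are two separate steps.
        Another request can pass the same check in between. The debit itself
        is atomic (like a single UPDATE statement would be); the flaw is the gap.
        `pause` is a test hook run inside that gap to make the race reproducible."""
        if self.balance >= amount:
            if pause is not None:
                pause()
            with self._lock:
                self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount):
        """Fixed: check and debit happen under one lock, so they form a single
        atomic step. In a database the equivalent is a row lock
        (SELECT ... FOR UPDATE) or a conditional UPDATE ... WHERE balance >= amount."""
        with self._lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def concurrent_withdrawals(account, withdraw, amount, workers=2):
    """Run `workers` threads that all call withdraw(amount) at once and return
    how many of them reported success."""
    results = []

    def worker():
        results.append(withdraw(amount))

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r)


def demo_racy(balance=1000, amount=1000, workers=2):
    """Force the bad interleaving: a Barrier inside the check/debit gap holds
    every thread after its check until all have passed it, then all debit.
    Returns (successful withdrawals, final balance)."""
    account = Account(balance)
    barrier = threading.Barrier(workers, timeout=5)
    ok = concurrent_withdrawals(
        account,
        lambda amt: account.withdraw_racy(amt, pause=barrier.wait),
        amount,
        workers,
    )
    return ok, account.balance


def demo_safe(balance=1000, amount=1000, workers=2):
    """Same scenario against the locked withdrawal: exactly one request wins."""
    account = Account(balance)
    ok = concurrent_withdrawals(account, account.withdraw_safe, amount, workers)
    return ok, account.balance


if __name__ == "__main__":
    print("racy :", demo_racy())   # two withdrawals succeed, balance goes negative
    print("safe :", demo_safe())   # one withdrawal succeeds, balance is 0
```

In a real service the lock is replaced by the database’s own serialisation (transactions with row locks or conditional updates) or by an idempotency key per request; what matters is that no request can observe a balance that another request is about to change.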

In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how this attack works and tell you how to prevent this attack from happening.

Watch this free video and feel the taste of Dawid Czagan’s Live Online Training “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; mind the date 17/18 November 2020)

Lectures on Information Security

The Feynman Lectures on Physics, https://en.wikipedia.org/wiki/The_Feynman_Lectures_on_Physics#Six_Easy_Pieces_(1994)

It’s time for an editorial to end our premature Covid-19 induced Summer break. We (as in the staff behind DeepSec/DeepINTEL) were busy with projects, preparations, following the news about the pandemic, and collecting information for our event(s) in November. Personally I have been involved in teaching for decades. The past months have shifted the focus heavily to virtual presence in the form of teleconferences. Keeping hundreds of students busy while explaining how operating systems work and what secure code looks like tends to take up some of your time. Good network connections and decent hardware helped a lot, but there are a couple of problems with conveying content, concepts, and ideas. Let me show you what I mean.

Getting good tutorials is hard. The new agile way of computer science is to ditch good documentation in favour of quickly created code, or so it seems after wading through endless piles of markup/-down, incomplete README files, forum discussions, and fragments of manuals. Since my background is physics, I started with published lectures in the library. Lectures in written form, ideally as published books, take a lot of knowledge and a lot of work. It has a lot to do with security/penetration testing, where you retrace your steps, review the documentation of the attacks and scans, put everything into a sensible form, and write summaries of what has been seen and what should be done about it. The process is similar to teaching. Going back to the wonderful world of apps and source repositories, the picture turns into dependency hell, bad examples, unfinished projects, and, again, missing tutorials on how to do things right. If you spend more time tormenting search engines than thinking about problems and implementations, then something is wrong.

A couple of years ago we started to collect articles for the DeepSec Chronicles. Stefan Schumacher and I wanted to address the problem of unstructured content. Good presentations are helpful, but the typical talk with slides depends on the spoken word, the gestures, the facial expressions, and interaction with the audience. If you have ever watched recorded presentations, you will notice that something is missing. Thus we collect articles for the DeepSec Chronicles. The intention is to have information in a form that is meant to be consumed after the conference. This is radically different from putting a video of the talk online and converting the slides to PDF. An article is more difficult to produce, because you cannot explain anything to the reader. There is no voice-over. Furthermore you have to prepare the examples in more detail. Reading requires more information in higher quality. Every time I research a question of code, use of a tool, constructs of a programming language, or security controls and end up in forum discussions and badly written „torturials“, I see a confirmation of why collecting well-written articles (and helping others to create them) is something we should do more often.

This brings me to our still open Call for Papers for DeepSec, DeepINTEL, and ROOTS 2020. It is not a Call for Presentations. It’s definitely a Call for Content. We have had a lot of highly talented speakers in the past years (right back to the first DeepSec in 2007). If you are working on something and want to get the word out, we would like to help you. Year by year we have taken steps to increase the value of the research presented at DeepSec. The DeepSec Chronicles are one step further, as is the Reversing and Offensive-oriented Trends Symposium (ROOTS). Our scholarship program to support researchers is another piece of the puzzle. Mentoring to actively help create solid results is our project for the future.

So if you have some interesting stuff you want to talk about, let’s hear it. You are encouraged to submit your research to the DeepSec Chronicles. The Internet does not need more broken links and buggy example code.

Administrivia Update: Regulations, Ticket Shop, and DeepSec

Quill icon from The Noun Project. Source: https://commons.wikimedia.org/wiki/File:Quill_icon_-_Noun_Project_13454.svg

Clear guidelines for events and conferences slowly emerge here in Austria. We have some news on what DeepSec, DeepINTEL, and ROOTS will look like in November. We will compile the set of regulations in a separate document and publish it on our web site. The constraints set by the authorities contain no show-stoppers for the event and the trainings. We will carefully work out a concept which we will use in November for everything that is going on on site in Vienna. 😷 We have the full support of our conference hotel, and we are confident that we can increase health protection and decrease risks for everyone attending.

In addition we found some bugs in the ticket shop system. The tickets for DeepINTEL, DeepSec conference / training, and ROOTS can be bought via the Pretix ticket portal. During creation of the ticket categories we used the REST API (with some Julia code 🤓), which in turn led to some funny behaviour in the web display. We fixed some bugs with the data sets, the style sheets, and the preloading mechanism. The ticket shop is online and ready for your bookings.

Please remember that we cannot make DeepSec or DeepINTEL happen if you book late. We can cope with the usual chaos during the preparation phase. However we have a hard time with late bookings, especially given the physically distanced start into 2020.

Update and Reminder – DeepSec/DeepINTEL Call for Papers is still open

We have added another training to the schedule. Irene Michlin (IBM) will teach you about threat modelling and how to integrate threats into your software development life cycle. Further details will be published in our blog. Speaking of content – the call for papers for both DeepSec and DeepINTEL is still open. We are looking for your contribution.

And then there is the inevitable update on DeepSec and the current pandemic situation. A lot of countries discuss how to proceed in terms of regulations, health protection, and logistics such as travel. We would very much like to link to official information on travel, accommodation, additional procedures during our event, and what DeepSec will look like in November. Sadly we cannot do this yet. The facts are that Austrian hotels reopen on 29 May 2020. Restaurants already opened two weeks ago. Travel restrictions are still in place and are currently under negotiation. Given that DeepSec and DeepINTEL are international events, we rely on you being here in Vienna. The chances are very good that this will happen. This is not idle talk. We used the past two months to develop ways to handle the extra measures and procedures. The reality is that not everything can be solved by technology. This has always been the case in information security. Few other areas of interest and research have to deal with ever changing environments and threats. Just as in infosec, we handle the organisation of DeepSec step by step, ask a lot of questions, and proceed carefully.

Of course we will have further updates on what DeepSec and DeepINTEL will look like as soon as we have source material from the authorities. In the meantime consider submitting your content. The call for papers is open until 31 July 2020.

Administrivia for DeepSec, DeepINTEL, and trainings

Jorolemon curbside mailbox with red semaphore flag. File source: //commons.wikimedia.org/wiki/File:IceStorm08.jpg

We cleared some administrative obstacles in the past weeks. The conference hotel has confirmed that DeepSec and DeepINTEL can happen in November. Of course, we cannot look into the future, but technically everything is in place. We still don’t know what the regulations for events will look like, but we definitely plan to have a traditional conference in November. DeepSec and especially DeepINTEL cannot be moved easily into a virtual venue. We rely on face-to-face communication, having groups of people chat in our lounge areas, and random encounters in the foyer. One way or another we are convinced that this can happen. We will let you know about any changes, but we will proceed carefully.

In order to improve the way you can learn new things and practice your security skills, we made some changes to the trainings. The call for trainings is still running. Some slots are already published. We decide on the remaining slots in May. Since not everyone can or wants to travel in November, we will ask all trainers if the sessions can take place in a virtual form. This can be a mixed class with some people attending on site and some being present via the Internet. It can also be a fully virtual training session. We will provide some of the infrastructure needed (such as audio/video equipment at the training sessions). The schedule will hold all information on how you can participate.

The first confirmed fully virtual training will be Dawid Czagan’s Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation session. Participation details will be provided to everyone attending after registration. This also means that Dawid’s workshop will be unaffected by any travel regulations, so bug hunting is a safe bet for you. 😉 As for the conference, we will keep you updated in case something changes.

Stay healthy, stay sane, and be cautious!

Translated Press Release: COVID-19 Apps reveal their Software during the Crisis

In November, the DeepSec security conference will shine a light on the software masquerade.

People often say, “there must be an app for that!”. This ready-made phrase is often taken lightly, even outside the IT sector. The current COVID-19 crisis has once again cast computer code as the universal solution to problems that are not strictly related to information technology. Generic digitisation seems to be the answer to all our problems. Of course, data processing can help. Provided, however, that one has real, verifiable and carefully collected data. That is where many projects fail.

Magic Phones with Infinite Intelligence

The demand for apps has only grown in recent years. These visions are in no way inferior to the creative ideas in film and series scripts. The software built into our small mobile phones is expected to solve the most complex tasks and deliver results that once took years of work, all with a simple swipe of the finger. In reality, most applications only scratch the surface. One small detail is readily forgotten: without an Internet connection to gigantic server farms and databases, invisible on the touchscreen, what use is the code? Apps only push reality further away. If the smartphone does not heat up and the battery lasts a very long time, then the magic is happening elsewhere. Almost none of the intelligence resides on the device, because of a lack of available computing power.

It is about the complexity of building the infrastructure behind the application one actually sees. Without interaction with their big sisters in the data centres, the applications on our phones quickly shrink. In this scenario, data is not only the crude oil but also the fuel of digitisation. Yet the drive does not work the way one thinks. End users are the source of the digital gold. They are not behind the wheel, but rather at the extraction end.

Defective Design in Terms of Security

Modern code does not come from nowhere. When developing applications, one either builds on existing code or creates one’s own libraries. Even with a mixed approach, at least a few months pass before a tested design is reached. When the pressure is high, software development readily takes shortcuts. To make matters worse, the design starts with the questions of the problem to be solved and focuses on features from the outset. The implementation of secure code and secure design is often left aside. This kind of development is seen very often in the field of smart home devices.

An argument often put forward is the controlled publication of applications on the manufacturers’ app stores. Naturally, apps are subjected to tests there, but a checklist ticked off in less than a minute can hardly uncover all the security flaws and design defects. Given the number of programs available in the virtual stores, some things will inevitably slip through the net. Searching for flaws and threats takes much longer. Security experts are often asked whether a particular product is secure. And an immediate answer is expected. That is not realistic and only works in the film scenarios mentioned earlier.

Software Masquerade

In digitisation, promises and reality rarely coincide. In recent weeks there has been much talk, in particular, of the Austrian coronavirus tracing app. The debates mostly concerned data protection and the security of the application. Taking a step back and questioning the quality of the data this application is supposed to collect, the picture changes completely. Ross Anderson, a British computer scientist at the University of Cambridge, analysed the accuracy of the smartphone platform in an article entitled “Contact Tracing in the Real World” (published on the Light Blue Touchpaper blog of the computer science department). He concludes that developing an application ties up more resources than the benefits such an application could bring. Bruce Schneier, an American expert in cryptography and computer security, discusses on his blog the effects of the false positives and false negatives of a coronavirus app. This consideration alone already disqualifies the application for use in the real world. And this without even taking security and data protection into account. Schneier’s article “Me on COVID-19 Contact Tracing Apps” is available online.

Moreover, a smartphone is probably an unsuitable tool in the case of contagious diseases. Since GPS is too inaccurate, attempts are made to use Bluetooth to measure presence and distance. Devices often use Bluetooth LE (Low Energy) to extend battery life. But measuring signal strength with Bluetooth LE is at best suitable for a passable resolution when people are separated by massive structures, reinforced concrete for example. Materials such as wood, plaster or thin stone are permeable to the measurement. On top of that, one runs into reflections that distort direction and range. According to the chip manufacturers’ data sheets, the actual received power can be 100 times lower or higher than the expected power. Furthermore, Bluetooth LE is a single-antenna system. This means that the direction of the signal cannot be established. Several antennas are needed for that. People also hold their smartphones in different ways, which introduces even more imprecision. Localisation errors are already so numerous in the laboratory that this technology is ruled out from the start. Scenarios involving public transport, shops or restaurants have not even been considered, let alone traffic in the street or in narrow stairwells (where Bluetooth LE signals can be picked up behind every door). The key fobs already mentioned officially should not bring any significant improvement to the situation either. Physics is merciless on this point.

It is now very clear. Software no longer serves only to solve problems. It is readily used to camouflage open questions and to simulate a solution. It is a veritable masquerade found at several levels of contemporary society. The task of security experts is to see through this masquerade. At the beginning of the year, the theme “Masquerade” was therefore chosen for the DeepSec In-Depth Security conference in November, even before Sars-Cov-2 spread. In information security it is always a matter of taking a look behind the scenes. Code must be deconstructed and analysed. Software architecture must be questioned. Design flaws must be uncovered.

Disillusioned Digitisation as a Construction Site for Improvement

The arguments and approaches presented here are not intended to drive up the price of digitisation. The stated objective of the DeepSec conference is to bring together the people responsible for the various aspects of modern information technology and to encourage them to exchange ideas. The plans mentioned for a coronavirus tracing application are just one example. Security experts regularly point out that a solid (secure) design is indispensable for applications. It would therefore be wise to consult the specialists before heading into a dead end.

If the approach behind it is thought through precisely, digitisation can only be positive. Any trip to the cinema illustrates this easily: a film with a bad script does not get better when it is projected in high definition or 3D. All you see is a big-budget fiasco, and the same goes for software development. Despite its theme, the DeepSec conference does not want to become a masquerade, but rather to give everyone the chance to exchange ideas with specialists. It is about lifting this mask and examining what really lies behind a technology. To this end, we will also offer trainings that deliver, over two days, concentrated knowledge to handle and apply. The first training sessions are already open for online booking.

Seize this opportunity to prevent your product from failing before it reaches the market. We would like to point out that this sentence is aimed particularly at decision-makers outside the market who want to digitise companies and citizens at other levels. Writing and continually repeating the word digitisation is not enough.

Programme and Booking

The DeepSec 2020 conference will take place on 19 and 20 November. The DeepSec trainings will take place on the two preceding days, 17 and 18 November.

The DeepSec event will take place at the Hotel Imperial Riding School Renaissance Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can order your tickets for the DeepSec conference and the DeepSec trainings at https://deepsec.net/register.html.

Sources of the articles by Ross Anderson and Bruce Schneier cited above:

https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/

https://www.schneier.com/blog/archives/2020/05/me_on_covad-19_.html

Translated Article: Ten EU Countries already rely on decentralized Corona Virus Apps

Schon zehn EU-Staaten setzen auf dezentrale Coronavirus-Apps by Erich Moechel for fm4.orf.at

Apple and Google also support the privacy-friendly, decentralized protocol DP-3T. Without technical support in the operating systems of these two groups, no app with Bluetooth tracing can deliver useful results.

The decision by Austria and Switzerland to use a corona virus app with decentralized data storage (DP-3T) triggered a chain reaction. By Friday, ten EU countries had already left the large-scale “Pan-European Project for Data Protection-Compliant Person Tracing” (PEPP-PT). The centralized data collection of PEPP-PT leaves all possibilities for data mining open, including deanonymisation of the data.

Apple and Google, which support the DP-3T standard, are constantly publishing new specifications for the necessary app interfaces in Android and iOS. Without the support of these two companies, whose operating systems control the global smartphone market, not a single corona virus app can deliver useful results through Bluetooth tracing.

The current status in Europe

Already when the third country, after Austria and Switzerland, announced the switch to DP-3T, the alarm bells should have rung for the competing PEPP-PT project, because this country was Estonia, which is seen in the EU as a model country for digitization. As a result, things started to happen: the Netherlands announced that it would discard its already developed apps and start from scratch with DP-3T.

With Italy and, after fierce internal discussions, Germany, two EU heavyweights joined the ranks. Ireland turned around on Friday, and now there are already ten EU countries that have rejected their original big data plans and are now opting for a solution that actually complies with data protection regulations. Of the other European countries, only France and England are currently aggressively advocating the centralized approach.

Clarification on terms

Because the technical issues and terms have been mixed up in the media recently, here is a little clarification. DP-3T is not a corona virus app itself; rather, it is the generic term for the protocols used for Bluetooth tracing and for communication with an external server. Google and Apple also do not code a corona virus app; rather, they install interfaces (APIs) in Android and iOS onto which the apps can dock.

In addition, further functions are set up in both operating systems so that the apps can run in the background and still send out Bluetooth beacons. For security reasons (danger of stalking), such hidden functions for apps have so far been blocked by Apple at the operating system level. Google released the first of these additional functions for Android on Friday, which can also be used by all docked apps.

Bluetooth problems that only Google can solve

The most important function, namely the successful exchange of Bluetooth IDs, on which all concepts are based, has so far been the only criterion for possible close contact with an infected person. Of course this is not yet an exact measurement of the distance between two smartphones, but at best a rough estimate. Google has therefore introduced the received signal strength and the duration of contact of the smartphones as additional criteria, which makes the assessment somewhat more precise.

The telephones must have been in constant contact via Bluetooth for at least five minutes, which also helps to further reduce false hits. The propagation of microwave radio in the 2.4 GHz range – Bluetooth – depends largely on environmental factors. If there are smooth, reflective surfaces, the range can occasionally increase enormously due to reflections. If the smartphone is held to the ear for phone calls, the Bluetooth range also increases. Another factor is the positioning of the Bluetooth antenna, which is embedded in the housing, because these spiral or quad antennas have a significant directional effect.

Using the example of a train journey

Here is an example from everyday life. A half-hour train journey in a sparsely populated open-top wagon can produce completely different results. Anyone who spends most of the time on the phone, possibly even standing, will end up collecting the Bluetooth identifiers of almost all smartphones in the wagon, although only one or two people actually came into critical proximity.

If the smartphone stays in your jacket pocket, that’s not just far fewer contacts; what’s more, the Bluetooth IDs of the two people who were in critical proximity could be missing. If these people have keychains or other metallic objects in their jacket pocket next to their smartphone, this can block Bluetooth contacts.

Preliminary conclusion and a mystery

It won’t stop with these ten countries, that’s pretty clear now. Any centralized solution, perhaps combined with obligations and coercive measures, will fail in two ways. First, technically on the smartphone operating systems, since Google and Apple have now decided on a decentralized solution. The second factor is smartphone owners, who will not entrust information about their health and their private movements to any technical solution that would run big data analyses on it and might have this done by private companies.

It still remains a mystery why a prototypical “data octopus” like Google is working for a solution in which there is practically no metadata for the corporations to gain. The reason for this can only be hinted at at this point in time, it has to do with corporate interests and strategies that are far above the daily business of collecting data. The outbreak of the corona virus has turned many things upside down, in this case the corporations were suddenly given a trump card against the EU Commission.

Translated Press Release: Covid-19 Apps show Software Development in Crisis

In November, the DeepSec security conference will highlight the software masquerade.

In everyday language there is the saying “There’s an app for that!”. The phrase is often used as a joke, even outside the IT industry. The current Covid-19 crisis has once again cast computer code as a universal solution to problems that are not exclusively related to information technology. Generic digitization seems to be the answer to all problems. Of course, data processing can help. The prerequisite for this, however, is the existence of real data that has also been collected in a comprehensible and careful manner. This is exactly where many projects fail.

Magical phones with infinite Intelligence

The call for apps has been repeated again and again in recent years. The visions are in no way inferior to the creative ideas in scripts for feature films and series. Software that runs on small portable phones is said to solve the most complex tasks and, with a simple swipe of your fingers, deliver results that could only be achieved through years of work in the past. In fact, most applications only scratch the surface. One tiny detail is often forgotten: What does the code do without an Internet connection to huge server farms and databases that you can’t even see on the touchscreen? Apps merely shift the facts elsewhere. If the smartphone stays cool and the battery lasts a long time, the magic actually happens somewhere else. Almost nothing on the end device is smart, due to the lack of available computing power.

It’s about the complexity of building an infrastructure behind the actual app you see. Without interaction with the big siblings in data centers, the applications on the phone in hand are reduced very quickly. In this scenario, data is not just crude oil, it is also the fuel of digitization. However, the drive does not work as you think. End users are the source of digital gold. You are not at the wheel, but deep in the borehole.

Lack of Security Design

Modern code does not come from nowhere. When developing applications, you either have to build on existing code or create libraries yourself. Even with a mixed construction, at least months pass before a reasonably tested design is achieved. When there is a lot of pressure on completion, software development likes to take shortcuts. To make matters worse, the design begins with the questions of the problem to be solved and focuses on features right from the start. The implementation of secure code and secure design is usually left behind. Such developments are very common in the field of smart home devices.

A frequently used argument is the controlled publication of applications via the manufacturers’ app stores. Of course, tests run there, but a checklist that runs in less than a minute can hardly detect any security weaknesses or even design errors. In view of the large number of programs available in the virtual stores, something will inevitably slip through inconspicuously. Finding gaps and threats is much more time consuming. Security experts are often asked whether a certain product is safe. An immediate response is expected. This is not realistic and only works in the movie scripts mentioned at the beginning.

Software as a Masquerade

Promise and reality are rarely close to each other in digitization. There has been a lot of discussion about the Austrian Corona Tracing app in the past few weeks. It was primarily about privacy and app security concerns. If you go back several steps and question the quality of the data that this app is supposed to collect, the result shows a completely different picture. Ross Anderson, a British computer scientist at the University of Cambridge, analyzed the accuracy of the smartphone platform in an article entitled “Contact Tracing in the Real World” (published in the Light Blue Touchpaper blog of the computer science institute). His conclusion: The development of an app ties up more resources than the benefits of such an application can outweigh. Bruce Schneier, an American expert in cryptography and computer security, writes on his blog about the effects of false positives and false negatives from a Corona app. Looking at this aspect alone disqualifies the app for use in the real world. Security and data protection have not yet been considered in this analysis. Schneier’s article “Me on COVID-19 Contact Tracing Apps” can be read online.

Furthermore, a smartphone is an unsuitable platform for tracking infectious diseases. Since GPS is too imprecise, one tries to use Bluetooth for the measurement of presence and distance. Bluetooth LE (Low Energy) is often used on the devices to extend the battery life. However, measuring the signal strength with Bluetooth LE only yields a passable resolution if people are separated by massive structures, such as reinforced concrete. Materials such as wood, plaster or thin stone are transparent to the measurement. In addition, you have to contend with reflections that distort direction and range. According to data sheets from the chip manufacturers, the received power fluctuates in some cases by a factor of 100. Furthermore, Bluetooth LE is designed as a system with a single antenna. This means that the direction of the signal cannot actually be determined; that requires several antennas. On top of that, people like to hold their smartphone in different positions, which introduces a further blur. Even in the laboratory the localization errors are so high that they rule this technology out. Scenarios such as local public transport, shops or restaurants were not considered at all, let alone walking on the street or in narrow stairwells (where Bluetooth LE signals can be measured behind every door). The key fobs that have already been mentioned publicly should not improve the situation significantly. Physics is very ruthless here.
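To make the argument about received-power fluctuations concrete, here is an added worked example (our own illustration, not code from any tracing app or from the articles quoted above). It inverts the log-distance path-loss model RSSI(d) = P_1m - 10·n·log10(d) to turn a Bluetooth LE signal-strength reading into a distance estimate, then shows what a factor-of-100 spread in received power (20 dB, modelled as ±10 dB around the nominal reading) does to a 2 metre contact threshold. The calibration constants P_1m = -59 dBm and n = 2.0, the scenarios and the fading offsets are assumed values chosen for the illustration, not measured data.

```python
import math

# Log-distance path-loss model: RSSI(d) = P_1m - 10 * n * log10(d).
# P_1m is the received power at one metre, n the path-loss exponent.
# Both are assumed calibration constants for this example: n = 2.0 is
# free-space propagation; indoor environments usually have larger n.
P_1M_DBM = -59.0
PATH_LOSS_EXPONENT = 2.0


def rssi_at_distance(distance_m, p1m=P_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Nominal received power in dBm at a given distance, ignoring fading."""
    return p1m - 10.0 * n * math.log10(distance_m)


def rssi_to_distance(rssi_dbm, p1m=P_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Invert the model: the distance a single RSSI reading implies."""
    return 10.0 ** ((p1m - rssi_dbm) / (10.0 * n))


def distance_interval(true_distance_m, power_factor=100.0,
                      p1m=P_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Range of distances an estimator may report when the received power
    varies by power_factor. A factor of 100 is a 20 dB spread, modelled
    here as +/-10 dB around the nominal reading."""
    spread_db = 10.0 * math.log10(power_factor)
    nominal = rssi_at_distance(true_distance_m, p1m, n)
    closest = rssi_to_distance(nominal + spread_db / 2.0, p1m, n)   # looks stronger
    farthest = rssi_to_distance(nominal - spread_db / 2.0, p1m, n)  # looks weaker
    return closest, farthest


def classify_contact(rssi_dbm, threshold_m=2.0,
                     p1m=P_1M_DBM, n=PATH_LOSS_EXPONENT):
    """True if a single reading would be counted as a close contact."""
    return rssi_to_distance(rssi_dbm, p1m, n) <= threshold_m


# Constructed scenarios: (true distance in metres, fading offset in dB).
# The +/-10 dB offsets are the edges of the factor-of-100 power spread.
SCENARIOS = [
    (1.0, 0.0),    # adjacent, no fading: should count as a contact
    (1.0, -10.0),  # adjacent, attenuated by a pocket or a wooden door
    (5.0, 0.0),    # across a room, no fading: should not count
    (5.0, +10.0),  # across a room, but a reflection boosts the signal
]


def evaluate(scenarios=SCENARIOS, threshold_m=2.0):
    """Return (true_distance, estimated_distance, counted_as_contact, correct)
    per scenario; 'correct' compares the verdict with the true distance."""
    rows = []
    for true_d, offset_db in scenarios:
        reading = rssi_at_distance(true_d) + offset_db
        estimate = rssi_to_distance(reading)
        counted = classify_contact(reading, threshold_m)
        actually_close = true_d <= threshold_m
        rows.append((true_d, round(estimate, 2), counted, counted == actually_close))
    return rows


def error_count(scenarios=SCENARIOS, threshold_m=2.0):
    """Number of scenarios where the RSSI verdict contradicts reality."""
    return sum(1 for row in evaluate(scenarios, threshold_m) if not row[3])


if __name__ == "__main__":
    lo, hi = distance_interval(2.0)
    print(f"someone 2.0 m away may be reported anywhere from {lo:.2f} m to {hi:.2f} m")
    for true_d, est, counted, correct in evaluate():
        verdict = "contact" if counted else "no contact"
        print(f"true {true_d:4.1f} m -> estimated {est:5.2f} m -> {verdict}"
              f" ({'ok' if correct else 'WRONG'})")
```

With n = 2 a ±10 dB swing multiplies or divides the estimated distance by √10 ≈ 3.16, so a person two metres away is reported anywhere between roughly 0.6 m and 6.3 m; the two fading scenarios above produce one missed contact and one phantom contact out of four readings. Indoor path-loss exponents above 2 shrink the distance error per dB somewhat, but the 20 dB spread on the data sheets still swamps a 2 m threshold.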

This digression makes it clear: Unfortunately, software is no longer only used to solve problems. It is often used to mask open questions and to fake solutions. This is a masquerade that we find in many areas of modern society. The task of security experts is to see through this masquerade. Independently of the spread of Sars-Cov-2, “Masquerade” was therefore chosen as the motto for the DeepSec In-Depth Security Conference taking place in November. Information security is always about a look behind the scenes. Code needs to be deconstructed and analysed. Software architecture has to be questioned. Weaknesses in design have to be identified.

Disenchanted Digitization as a Blueprint for Improvement

The arguments and approaches given here are not a blueprint for the price increase in digitization. The declared aim of the DeepSec conference is to bring people who are entrusted with various aspects of modern information technology to one table and to get them to exchange ideas. The approaches mentioned for a corona tracing app are just a striking example. Security experts regularly warn that a solid – secure – design is essential for applications. One is therefore well advised to consult the experts before talking oneself into a dead end.

Digitization can only bring progress if the underlying approach is carefully thought out. Every trip to the cinema can easily illustrate this: No film with a bad script gets better if you show it to the audience in high resolution or even 3D. You then unfortunately only see an expensively produced fiasco – as sometimes in software development. Despite its motto, the DeepSec conference therefore does not want to offer a masquerade, but rather to give all participants the opportunity to exchange ideas with experts. It is about looking behind the mask and evaluating what is really behind a technology. For this purpose, trainings are also on offer that deliver highly concentrated, hands-on, usable knowledge in two days. The first training units are already online and can be booked.

Take the opportunity before your product fails before it even reaches the market. It should be noted that this sentence applies particularly to decision-makers outside the market who want to digitize companies and citizens at another level. Writing down the word digitization and constantly repeating it is not enough by itself.

Programs and Booking

The DeepSec 2020 conference days are November 19th and 20th.

The DeepSec trainings take place on the previous two days, November 17th and 18th.

DeepSec is located at the hotel The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can order tickets for the DeepSec conference itself and the training sessions at any time under the link https://deepsec.net/register.html.

Sources of the quoted articles by Ross Anderson and Bruce Schneier:

https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/

https://www.schneier.com/blog/archives/2020/05/me_on_covad-19_.html

Update on DeepSec / DeepINTEL / ROOTS 2020 with regards to Covid-19

Bio reactor, source: https://commons.wikimedia.org/wiki/File:Bioreaktor_quer2.jpg

Lacking time travel we have no way to know what will happen in November 2020. That’s not news to us. We closely follow the development of the current Covid-19 crisis, and we constantly evaluate our plans for DeepSec, DeepINTEL, and ROOTS 2020. Given the current state of affairs and the experiments in various countries (including Austria) with lowering the restrictions for business and public life, we believe that our conferences can take place in November. There may be restrictions still present in November with regard to travel and protection measures at our venue. We have developed a schedule for keeping you informed. Additionally we have plans for changing the schedule in order to guarantee the minimum level of content required by our call for papers process. Updates regarding the state of our events in November will be published on our blog on a monthly basis.

Most of our content does not work via remote access, teleconferencing, or video/audio streams. Nevertheless we plan to create infrastructure for relaying content and conducting video/audio conferencing via the Internet. We intend to offer teleconferencing methods to our trainers, so that trainings can be done with a mixture of on-site and remote attendees. If and to which extent a training can make use of the additional infrastructure is decided by our trainers.

Our monthly reminder: The calls for papers are open! If you have submissions of content and presentations, please submit as early as possible. The submission form will stay open at least until 31 July 2020.

First DeepSec 2020 Trainings confirmed

Tawakkol Karman's megaphone at the Nobel Museum, source: https://commons.wikimedia.org/wiki/File:Tawakkol_Karman%27s_megaphone_at_the_Nobel_Museum_(51980).jpg

We haven’t been idle in the past weeks. The Austrian government is reducing the lock-down rules to see how normal business and private life can go on. We take this as an opportunity to announce the first three confirmed trainings for DeepSec 2020. The preliminary descriptions can be found on our schedule web site.

Early Bird tickets are available. Given the unusual start into 2020 we ask you to consider buying Early Bird tickets (especially for the trainings). We are exploring special attendee tickets for remote attendance of the trainings. A more detailed description of the content of the trainings will follow in separate articles.

Contact Tracing and the Security of Things

Logo of the Bell Telephone Company between 1889 and 1900, source: https://commons.wikimedia.org/wiki/File:Bell_System_hires_1889_logo.PNG

The spread of Sars-Cov-2 keeps everyone on their toes. We are aware of the emotional state after weeks and months of physical distancing (which we recommend; social distancing has been the norm for decades). We closed our office in March and heavily rely on telecommunication. Fortunately we did not need to reinvent the Internet. Many of you have probably done the same. We hope that you manage to stay healthy until things can get back to “normal”. Speaking of communication and normality, there are some aspects of the current situation we would like to point out.

Every security conference features presentations shedding light on important tools, libraries, applications, or protocols people rely on. Humans like to communicate. The degree varies, but essentially few can do without talking, writing, hearing, or seeing stuff (i.e. messages). This is even more true for companies, governments, health care, the military, and other organisations. The spread of Covid-19 has sparked a massive interest in all things tele, remote, and networked. Suddenly the meetings need to be virtual. Applications and infrastructure for audio/video conferences and screen sharing have existed for a long time. You have a long list of companies that offer services in this area. Then there is WebRTC (Web Real-Time Communication), an open standard for real-time communication defining a set of application programming interfaces (APIs). Additionally we have a plethora of messengers, communications systems for gamers, and web platforms integrating their share of communication. Not surprisingly the rush on all of these solutions has sparked interest in their security. A few months ago we were fairly confident that a private meeting wouldn’t leave the room. Now the room is gone. What does this mean?

First of all it means that not every platform held its promises. Getting end-to-end encryption right for a group chat is hard. Doing the same for real-time communication is even harder. Signalling is the next problem. How do you connect all participants? How do you make sure that only the right people are “in the room”? There are some answers to these problems, but a fair share of the conference applications suffer from a bad security design, badly maintained code, or other issues.

Secondly, the Crypto Wars come back to haunt us. The Signal developers pointed out the dangers of the US EARN IT bill. Securing communication is under attack by laws making protection impossible. The EARN IT bill is not the only example. China, Russia, Turkey, and Australia have banned end-to-end encryption. The UK has similar laws. It’s not a good idea to turn the clock back in time with regards to secure communication.

Lastly, there is talk about contact tracing to get things faster to “normal” again. Of course, “There’s an app for that!” Ross Anderson thinks differently, so we recommend his article about how this works in the real world.

Well, time for the good news. The calls for papers for DeepSec 2020 and DeepINTEL 2020 are still open! If you have some time and quiet to think about your research or your ongoing projects, let us know! We already got some submissions. Current reviews look good, so we might publish the first trainings for November next week! Looking forward to hearing from you! Stay healthy!

It’s April Fool’s Day – 7/24 and 365 Days of the Year

Illustration of conventional comedy and tragedy theatrical masks. Source: https://commons.wikimedia.org/wiki/File:Comedy_and_tragedy_masks_without_background.svg

The first day of April is typically the time where you hide well-written pieces of misinformation to trick people into believing something that isn’t true. We published our share of April Fool’s Day articles in the past. While this was and still is fun, we believe that it is time to break with this tradition. Hiding something that isn’t true within a stream of informative articles or news items has become a major way of influencing opinion. Good comedy does the same, but the outcome is different. Satirical news is a means to criticise by exaggerating or focussing on an issue. The typical audience of comedy expects this. The distinction between satire and reality has almost disappeared in the past decade. So if you are looking for entertainment there are plenty of other sources which probably work a lot better.

The other motivation is the discussion about facts and figures we had in the past weeks. Unless you have been living in a cave for the past months (which might not be a bad idea after all) you probably heard of Sars-Cov-2 and the Covid-19 disease. The current countermeasures put society and the economy under a big strain. Lacking things to do, people put a lot of effort into the analysis of infected persons, cured persons, patient deaths, and more widely available data. Even if you have the source of the data you are working with, you still need to figure out how the measurement was done. Just because the unit fits, you don’t have data sets that can be compared. You can still do a qualitative analysis, but you cannot predict the future with it. The Internet is full of epidemiological models with varying degrees of relation to reality. Doing scientific research is hard. Getting scientifically sound results with severe time constraints is even harder. While most businesses run fine without academic research, the decisions in their area are often less critical than in health care (or climate research, to mention a wildly unpopular topic). The companies running critical infrastructure are excluded to some extent. However, event logs and history are full of decisions which might have been better informed if time travel was real.

So to give you some kind of summary: Yes, we still like humour, and we still actively support (information security) researchers trying to point out critical flaws in code and design. No, we don’t want to say that things are difficult. They are, but that’s how we wanted it. We just skip making fun of stuff just because the calendar says so. Our calendar says that the call for papers is still open, so please consider submitting your research results for DeepINTEL and DeepSec.

The most important point is our reference on proper (data) science. Measurements only have meaning if you know how the data was obtained, what the error rates are, and how big your sample sizes were. No system administrator will consider your request if you claim that once upon a time in the past the latency between two points in the network was 623 milliseconds and the packet loss was about 23%. Keep this in mind when you read articles drawing highly complex conclusions from a couple of highly doubtful (or error prone) figures. That’s great for gaining followers. Reality just doesn’t work this way.
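As an added worked example (ours, not part of the original post) of why the sample size behind a figure matters: the same "about 23% packet loss" is backed below by 3 lost out of 13 probes and by 2300 lost out of 10000 probes, and a Wilson score interval for each shows how little the small sample actually pins down. A pooled two-proportion z test then shows that two small measurements which look different may not be distinguishable at all. The probe counts are constructed sample values, the 623 ms latency from the text is not modelled, and the 95% quantile is the only statistical constant assumed.

```python
import math

# Two-sided 95% quantile of the standard normal distribution.
Z_95 = 1.959964


def wilson_interval(successes, trials, z=Z_95):
    """Wilson score interval for a proportion. Unlike the naive
    p +/- z*sqrt(p(1-p)/n) it stays within [0, 1] and behaves sensibly
    for the tiny samples that produce impressive-looking percentages."""
    if trials <= 0:
        raise ValueError("need at least one trial")
    p = successes / trials
    z2 = z * z
    denom = 1.0 + z2 / trials
    centre = (p + z2 / (2.0 * trials)) / denom
    half = z * math.sqrt(p * (1.0 - p) / trials + z2 / (4.0 * trials * trials)) / denom
    return centre - half, centre + half


def two_proportion_z(k1, n1, k2, n2):
    """z statistic for the difference of two proportions using the pooled
    estimate under the null hypothesis that both rates are equal."""
    p1, p2 = k1 / n1, k2 / n2
    pooled = (k1 + k2) / (n1 + n2)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    if se == 0.0:
        return 0.0
    return (p1 - p2) / se


def significantly_different(k1, n1, k2, n2, z=Z_95):
    """True if the two observed rates differ at the 5% level."""
    return abs(two_proportion_z(k1, n1, k2, n2)) > z


# Constructed measurements: the same headline figure, very different evidence.
MEASUREMENTS = {
    "13 probes, 3 lost": (3, 13),
    "10000 probes, 2300 lost": (2300, 10000),
}


def interval_widths(measurements=MEASUREMENTS):
    """Map each label to (point estimate, lower, upper, width of interval)."""
    out = {}
    for label, (lost, sent) in measurements.items():
        lo, hi = wilson_interval(lost, sent)
        out[label] = (lost / sent, lo, hi, hi - lo)
    return out


if __name__ == "__main__":
    for label, (p, lo, hi, width) in interval_widths().items():
        print(f"{label}: {p:.1%} loss, 95% interval {lo:.1%} .. {hi:.1%} (width {width:.1%})")
    # Two runs of 13 probes, 3 and 1 lost: 23% vs 8% looks like a big change
    # but is not distinguishable from noise.
    print("3/13 vs 1/13 differ significantly:",
          significantly_different(3, 13, 1, 13))
    # With 10000 probes a 23% vs 21% difference is clearly real.
    print("2300/10000 vs 2100/10000 differ significantly:",
          significantly_different(2300, 10000, 2100, 10000))
```

The small sample yields an interval of roughly 8% to 50%, so "23% packet loss" from 13 probes is compatible with almost anything a network operator would care about, while the same estimate from 10000 probes is pinned down to within about a percentage point. The same arithmetic applies to case counts and test results: a percentage without its denominator and collection method is a headline, not a measurement.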

Status Update with regard to the current Sars-Cov-2 / Covid-19 Emergency

We wrote in an earlier blog article about the current Sars-Cov-2 / Covid-19 emergency. Mathematics and biology didn’t stop, so you (hopefully) live in an area with restrictions regarding crowds and places where people can’t keep a safe distance. We, the organisation team of DeepSec, are in close contact with peers, members of the community, and reliable sources of information regarding countermeasures by the Austrian government.

Given the current state of affairs the November dates of our events are still in the far future. This means that nothing has changed for our plans. Our calls for papers are still open. The only change will be no marketing messages and advertising for DeepSec and DeepINTEL. We don’t think that a crisis should be used for one’s own advantage. Please stick to facts and verified sources – regardless of what message you want to publish or which information you would like to relay. Disinformation will cost lives, now and in the future. All event and conference organisers have to follow regulations, so everything that happens to current or future events is up to the regulations and the state of your health (and your national health care system).

Please stay healthy, stay sane, and we hope to see all of you as soon as possible!