Schneier on Security
A blog covering security and security technology.
November 17, 2005
U.S. Compromises Canadian Privacy
A Canadian reporter was able to get phone records for the personal and professional accounts held by Canadian Privacy Commissioner Jennifer Stoddart through an American data broker, locatecell.com. The security concerns are obvious.
Canada has an exception in the privacy laws that allows newspapers to do this type of investigative reporting. My guess is that's the only reason we haven't seen an American reporter pull phone records on one of our government officials.
Posted on November 17, 2005 at 2:32 PM
Any suggestions for a solution?
Legally, the information belongs to whoever collects it. They can do whatever they want with it. So naturally, everything ends up on the free market. It sucks that the target of the information is the only party with no say whatsoever about what is done with the information, but that's the system we've got.
Depending on how the data broker collected the information, the solution may be as simple as enforcing the laws already on the books.
Longer term, I think this points out the need for some form of privacy legislation in the USA. I just hope we don't have some dramatic case (for example, someone buying the phone records of a public official then blackmailing them into paying to keep the records out of the news media) to demonstrate the need.
Mike S: Not in Canada.
The new privacy act requires all companies to protect private information regardless of how or for what reason it was collected. While the data was purchased in the US, the data originated in Canada. The company that moved this private information across the border committed a crime. I hope the company is caught and slapped around. As it is the Privacy Commissioner's private information there is a good chance those responsible will be caught, and she wields a pretty big stick.
> Canada has an exception in the privacy laws that allows newspapers to do this type of investigative reporting.
> My guess is that's the only reason we haven't seen an American reporter pull phone records on one of our
> government officials.
Maybe CNN should outsource its Washington Bureau to Ottawa, and let Canadian reporters dig through American politicos' phone lists. Might make for some pretty entertaining reporting.
Here's a Philadelphia TV story on this:
Nov 10, 2005 11:00 pm US/Eastern
Selling Cell Phone Records
(CBS 3) PHILADELPHIA Your cell phone calling records are not as private as you think. As CBS 3's Natasha Brown found, companies are making money selling your cell phone calling records to whoever wants them. Just look - we did it. [...]
I don't have much say in the computer security world, so I thought I'd share with you something I've been mulling over for a long while. It's particularly relevant in light of the Sony DRM fiasco.
It seems that the general trend for application installation is a requirement that the application be installed by the root user. For some applications that might make sense, but for most pedestrian installs this is by no means needed, and actually poses a great security risk (e.g. Sony).
I've never seen anyone discuss this most basic level of security breakdown. It's one thing that "joe user" doesn't understand the distinction between root and user access on their own machines; that goes a bit against the concept of a "personal" computer.
But software companies should know better, and it seems more and more that even when they do know better they simply ignore security, with the effect that root installs become so pedestrian that all software gets installed as root, regardless of whether that makes
My favorite example is Quicktime. Why should I trust Apple with root access to my Windows machine? And why do they think they need it? They of all companies should know better.
Actually, security people talk about this ALL the time. However, I think you're conflating a few things.
Installing as administrator is different from running as administrator. Apple is right to request administrative access to install the program. Applications should NOT be installed on a computer without administrative access. However, once it's installed, I believe that Quicktime is ok to run as a standard user. That is also how it should be.
OTOH, there are many Windows programs that can't run as a standard user. This is bad. There is also no granularity in administrator access -- if you're God, you're God. On my Mac, root access is actually disabled, so even when I'm in my administrator account, I have to give my password to do things that require root access.
The assumption is that if you're installing something, then you know what it is you're installing. The problem is that so many Windows users are running as administrators, because it's the default and many programs won't work without it, that things can get installed without user knowledge or intervention.
There is a difference between having permission to install software, and root. There is a hierarchy of security, and the idea that Quicktime should require root access to install is very wrong from a security perspective.
I agree with Andrew, since requiring a media player to have root-level access seems overkill to me. Then again, I wouldn't put it past Apple to say that Quicktime is actually an essential part of the kernel.
I'm also a bit amused by the statement that an "Administrator" account is handled better on Mac than Windows.
Aren't you just comparing a non-root *nix account with a Windows Administrator account?
That's not really fair (apples to bananas). If you login as root, then you have done the same thing as logging in as Administrator. Moreover, Windows does in fact allow you the ability to use a "runas" command (similar to sudo), so you could have a non-Administrator account and be prompted to raise your privileges:
runas /user:ComputerName\administrator "quicktime.exe"
Of course you are correct when you say:
"The problem is that so many Windows users are running as administrators, because it's the default and many programs won't work without it"
This is a huge problem that Microsoft has only just barely started to admit. But the real kicker is that things like "DropMyRights" based on the "Software Restriction Policy" (SAFER) are starting to appear that *reinforce* developing with administrator rights:
"...help users who must run as an administrator run applications in a much-safer context—that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process"
Note the "users who must run as an administrator" statement...so the granularity exists, but will MS convince their developers that a greater good can come from working with lesser rights?
Windows actually has a fairly granular permission system. You just have to know where to look, *and* (much less common) have the knowledge as to how permissions impact the users' access to a system.
Look in the Local Security Policy in Admin Settings in the Control Panel. Compare this to:
Of course, there are other issues, but Windows is not as bad as people think, it is just that it is not hardened by default, and Microsoft can be very slow to respond to a vulnerability.
> I'm also a bit amused by the statement that an "Administrator" account is handled better on Mac than Windows.
> Aren't you just comparing a non-root *nix account with a Windows Administrator account?
Nope. If you log in as Administrator in Windows (which I guess most people do, and most SW requires for installation) any app you run can do whatever it pleases with your computer.
In Mac OS X most people also log in as admins, but here this only means that you are *allowed* to run apps as root. The OS will ask you for your password every time an app tries to do anything requiring root privileges.
In my opinion the Mac way of handling this is clearly superior (both considering ease-of-use and security).
Why is there no info about the vulnerability found in Password Safe?
@Andrew, Davi, et al.
I suspect we're mostly agreeing and there's a terminology problem.
Windows has (as far as I know) three basic permissions levels: Administrator, Power User, and Standard. Yes, there are lots more, but those are things like "Backup Operator" and such. Windows doesn't have anything called "root," which might be why we're getting confused: what does it mean to say Quicktime requires root on Windows, when Windows doesn't have root? Someone who has Administrator can do anything; they are for all intents and purposes root. So I assumed that when Andrew was talking about "root" on Windows, he meant Administrator.
I'll grant that you can make your Windows privileges very granular, if you want and know how to do it. Anyone who's done this on your personal computer, please raise your hand.... :)
Macs have three levels of permissions that can be assigned to users: Administrative, Standard, and more-restricted-than-standard. On a Mac, Administrative rights are NOT the same as root. Root is disabled by default; it's not possible to run as root without deliberately enabling root (and the process makes it pretty clear that what you are doing is a Big Deal). If an Administrative user needs to do something that requires root access, he needs to sudo. I'm comparing non-root *NIX access to Windows Administrator access because those are the respective defaults for administrative privileges, and yes, I do think that's a better way of handling it.
As for the access QuickTime wants upon installation in Windows: I don't know what it is, or why. Since I'm not sure what Andrew is meaning by root, I can't say more.
When I use the term "root" I mean the account with unrestricted access to all resources on the machine. Some operating systems use one term, others use another. Sometimes it's called "super user", maybe "power user".
This really isn't a terminology issue, it's a security issue. There is simply no reason that I grant the Quicktime installer total and complete access to my computer just to install a user level program.
I'm not trying to compare Apples to Windows machines, I'm trying to point out that publishers of software have gotten very insistent that you grant them total access to your computer. In many cases, they don't do anything underhanded. But in other cases, they use the lack of security to do nefarious things which can corrupt your system.
They could not corrupt the system if their software was installable at an appropriately secure level.
Yes, I agree that Mac, as well as other flavors/distributions of *nix do multi-user better, mainly because they have been truly multi-user for so many decades. And that's not to mention other OS that have had concepts of Assumed Authority, etc. for many many years.
In fact, I'd say the OS9 to OSX migration is a fine example of how Microsoft *should* have migrated away from DOS users and never looked back.
So I see two main issues:
1) A vast majority of Windows developers invariably think single-user systems should be the norm, and that multi-user or role-based access controls are evil. I could say a few things about lazy, spoiled...but I won't.
2) Microsoft feeds this unbelievably short-sighted and high-cost-of-ownership model because it is part of what has made them so pervasive. And the full liability of this short-sightedness has yet to be transferred to them. They beg off on the old mantra "Insecure yes, but look how fast you can code and release to the world." And if that doesn't convince you they say, "but look at all the people who give us money and how much money people can make fixing our problems; releasing bad code is popular and a huge benefit to the economy".
So the reason QuickTime wants admin/root authority to install in Windows is likely because the Windows version is a poorly written application that ignores Windows security documentation. This is only compounded by the amazingly buggy iTunes releases that are "required"... I do not know of other media players that cause as many lockups and hardware issues (code 41) as iTunes, so it's hard to blame MS for Apple's (GEAR corp's?) continuously unstable software releases on Windows.
@Davi, @Andrew, @Daedela:
1) Quicktime doesn't actually *require* root-equivalence to install. It just requires rights to install software, modify the registry, install media codecs, and install plugins. These rights are not all granted to the "Power Users" group by default, but if you're concerned about full-on root access, QT doesn't actually need it.
2) On the Mac, an administrative user has escalated privileges, and the ability to temporarily act with root equivalence (it uses "sudo"-like behavior, where the admin user needs to type their own password to do root-required things). Regular users can only escalate to root if they know the username and password of an admin user (similar to Windows' "runas"). The sudo-based system on the Mac means that even when logged in as an admin, "dangerous" operations require you to re-authenticate; on Windows, logging in as an administrator is effectively becoming root.
3) QuickTime, in particular, is not "just user software". QT is much more than a media player, and the libraries and components it uses to allow QT embedding and the like do and should require administrative access to modify.
Conclusion: the Mac handles software installation and privilege escalation in a superior way, and in a manner that's understandable to average users. (How many Win users know about runas?) It even puts safety nets around administrative accounts, which Windows sorely lacks.
Also, requiring administrative access to install software is not a big deal -- even requiring root (when it's actually needed) isn't a big deal. You are, of course, free to not use software if you don't trust it to run with escalated privileges. All that said, I agree that sloppy coders and packagers often ask for much higher levels of escalation than they really need to install or operate. This is true on any OS, but is most obvious on Windows due to the poor way Win handles escalation. So, I agree with your core points -- I just think QuickTime was probably a poor example. ;-)
I think you've been misinformed; Quicktime does not need root to do any of those things. I write software, and I can assure you, you can do all of those things without super-user privileges. There may be some issue with permissions on key directories, but if Quicktime doesn't have permission to modify the system directories, it should still be able to install and run.
The only reason that Quicktime NEEDS root access is that Quicktime WANTS root access, and will refuse to install if it is not granted root access.
Having worked intimately with Windows since Windows became Windows, and seeing the change between the "there can be only one" user to the current multiple user and multiple role arrangement, I'll toss this out:
The Windows multiple role/group/multiple user setup actually is much more complex than the UNIX multiple role/group/multiple user setup. In some ways, this is good (the UNIX model is rather simplistic), and in some ways this is bad (the model is actually too complex). The access controls at the file level are much more customizable, and the ability to have multiple groups as well as individual users have different levels of access to a file, for example, is very nice.
Similarly, the role of users (User, Debug User, Power User, and Administrator) has much more in the way of fine grained control than the UNIX model of "normal user" or "root", with nothing in-between.
The problem is that Windows doesn't *enforce* strict compliance with roles (indeed, for "legacy compatibility" they make it too easy to ignore strict role assignment), and it takes a serious amount of study to design your application properly, particularly the application installer.
(Also, the security policy setup is too simplistic. The correct way to design the security policy and role assignment would be to have *fewer* roles and better verbosity in the security policy editor.)
This means that most developers don't bother, and just write their code to install as Administrator.
In a sense, this is Microsoft's fault for (a) making their access control policy too complex and (b) then not enforcing the role assignments, making it so that developers just throw their hands up in the air and say, "Damn it, be an Admin to use this".
In another sense, 99% of the software written for Windows just ignores the model, which is a development problem, and really not entirely MS's fault.
Oh, and to quote radiantmatrix:
> 3) QuickTime, in particular, is not "just user software". QT is much more than a media player
Feeping creaturism is rampant in code development for the Microsoft platform. It's a culture issue, and it starts at MS themselves, where they continually tack on every blessed bit of unnecessary functionality they possibly can to every bit of software they sell.
Quicktime is an example of non-MS (but still Windows) software that suffers from this. 99.99999% of the people that want to install Quicktime on their computers don't even want to install it as a general-purpose media player... they want to install it to play QUICKTIME files. They'd be perfectly happy not installing Quicktime (or Flash, or RealPlayer, or even Windows Media Player) if they could just install one media player that played all the media to which they have access.
This patentable file-format lock in problem isn't just used by Microsoft to leverage every application under the sun, this is an industry-wide problem.
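Two of the claims above are easier to reason about with a small model than with prose: the DropMyRights quotation earlier in the thread ("taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process") and the point just made that a Windows DACL can give several groups and individual users different access to one file, which the UNIX owner/group/other bits cannot. The following Python is an added illustration written for this page; it is not code from the thread, from Microsoft, or from DropMyRights. It models how Windows evaluates an ordered DACL against a token (deny ACEs stop the check as soon as they overlap an unsatisfied bit, allow ACEs accumulate bits), models a restricted token the way Windows actually treats "disabled" SIDs (they become deny-only: they still match deny ACEs but no longer match allow ACEs), and puts a classic UNIX mode-bit check beside it for contrast. The SIDs are written by name for readability, the access-mask bit values are constructed for the model rather than the real Win32 constants, and the sample DACLs are constructed approximations of a system directory and a user profile, not copied from a real machine.

```python
from dataclasses import dataclass

# Access-mask bits. Constructed for this model; the real Win32 masks
# (FILE_GENERIC_READ etc.) are wider but are evaluated by the same rule.
READ, WRITE, EXECUTE = 1, 2, 4
ALL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group SID, named here for readability
    mask: int      # access bits this ACE grants or denies


@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset                    # enabled SIDs: match allow and deny ACEs
    privileges: frozenset                # e.g. SeBackupPrivilege; orthogonal to DACLs
    deny_only: frozenset = frozenset()   # disabled SIDs: match deny ACEs only


def access_check(dacl, token, desired):
    """Windows-style DACL evaluation. Walk the ACEs in order: a deny ACE whose
    trustee is in the token and whose mask overlaps a still-unsatisfied bit fails
    the check immediately; allow ACEs satisfy bits; anything still unsatisfied at
    the end of the list means access is denied."""
    if dacl is None:
        return True  # a NULL DACL grants everything to everyone
    remaining = desired
    allow_match = {token.user} | token.groups
    deny_match = allow_match | token.deny_only
    for ace in dacl:
        if ace.kind == "deny" and ace.trustee in deny_match and ace.mask & remaining:
            return False
        if ace.kind == "allow" and ace.trustee in allow_match:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def drop_my_rights(token):
    """Model of what the quoted DropMyRights description does: the powerful group
    SIDs are marked deny-only and every privilege except SeChangeNotifyPrivilege is
    removed. The process still runs as the same user; it just can no longer pass
    as an administrator when an allow ACE is consulted."""
    powerful = {"Administrators", "Power Users"}
    return Token(
        user=token.user,
        groups=frozenset(g for g in token.groups if g not in powerful),
        privileges=frozenset(p for p in token.privileges if p == "SeChangeNotifyPrivilege"),
        deny_only=token.deny_only | frozenset(g for g in token.groups if g in powerful),
    )


def unix_check(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic UNIX rule for contrast: exactly one of owner/group/other applies to a
    given caller, and root (uid 0) bypasses the bits entirely, except that execute
    still needs at least one x bit set somewhere."""
    if uid == 0:
        return want != EXECUTE or bool(mode & 0o111)
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return bool(bits & {READ: 0o4, WRITE: 0o2, EXECUTE: 0o1}[want])


# Constructed sample DACLs (ACEs in canonical order, explicit denies first).
PROGRAM_FILES = [Ace("allow", "Administrators", ALL), Ace("allow", "Users", READ | EXECUTE)]
USER_PROFILE = [Ace("allow", "alice", ALL), Ace("allow", "Administrators", ALL)]
LOCKED_DOWN = [Ace("deny", "Administrators", WRITE), Ace("allow", "Users", ALL)]

# Constructed token for a user who logs in as an administrator (the common case).
ADMIN_ALICE = Token(
    user="alice",
    groups=frozenset({"Users", "Administrators"}),
    privileges=frozenset({"SeDebugPrivilege", "SeChangeNotifyPrivilege", "SeBackupPrivilege"}),
)

if __name__ == "__main__":
    low = drop_my_rights(ADMIN_ALICE)
    print("admin writes Program Files:  ", access_check(PROGRAM_FILES, ADMIN_ALICE, WRITE))
    print("dropped writes Program Files:", access_check(PROGRAM_FILES, low, WRITE))
    print("dropped reads Program Files: ", access_check(PROGRAM_FILES, low, READ | EXECUTE))
    print("dropped writes own profile:  ", access_check(USER_PROFILE, low, WRITE))
    print("admin writes locked-down dir:", access_check(LOCKED_DOWN, ADMIN_ALICE, WRITE))
    print("privileges left after drop:  ", sorted(low.privileges))
    print("uid 1001 writes 0755 root file:", unix_check(0o755, 0, 0, 1001, {1001}, WRITE))
```

The run shows the two points at once. The dropped token can still read and execute under Program Files and can still write to the user's own profile, which is exactly the footprint a per-user install needs, while a write to Program Files fails; that is the difference between "may install software" and "is Administrator". The LOCKED_DOWN directory shows the deny-only subtlety: because a restricted token keeps the Administrators SID in deny-only form, an explicit deny aimed at Administrators still applies to it, and the ordered ACE list also lets Users and Administrators get different rights on the same object, which the single group slot in the UNIX mode bits cannot express. Privileges such as SeBackupPrivilege live in the token rather than in any DACL, which is why the model strips them separately.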
You wrote "Canada has an exception in the privacy laws that allows newspapers to do this type of investigative reporting. My guess is that's the only reason we haven't seen an American reporter pull phone records on one of our government officials."
Actually, back in 2003/2004 the Boston Globe ran some articles on personal data privacy documenting how they were able to buy the financial records of, among others, Massachusetts Governor Mitt Romney:
While it doesn't look like the reporters were thrown in jail, it also doesn't look like the personal data brokers who sold the data illegally suffered any legal sanction, either.
"Canada has an exception in the privacy laws that allows newspapers to do this type of investigative reporting. My guess is that's the only reason we haven't seen an American reporter pull phone records on one of our government officials."
no sir. america has an even stronger exception in the privacy laws that allows newspapers to do this type of reporting. it's called the first amendment. there is still no country in the world, including the british commonwealth countries, where a journalist has more freedom to speak than here.
helpful phone tip for today: when signing up for new service, don't use your exact correct name, throw in a bogus initial before your real surname. i did this four years ago when i moved to the "beaver state" and it so bollixed up the information exchange system that i am yet invisible on zabasearch and the other major stalker searches, even though i own real estate here.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.