Schneier on Security
A blog covering security and security technology.
March 8, 2012
Cloud Computing As a Man-in-the-Middle Attack
This essay uses the interesting metaphor of the man-in-the-middle attacker to describe cloud providers like Facebook and Google. Basically, they get in the middle of our interactions with others and eavesdrop on the data going back and forth.
Posted on March 8, 2012 at 6:50 AM
I think that's a great way of putting it.
It also helps explain why people let them get away with it most of the time. As long as their data gets passed along as intended, they don't know or don't care. Once things don't turn up (blocked content) or unapproved data (e.g. ads, photo tags) are added, they finally realise they've lost control.
I see the analogy, but it's not quite right. A MITM attack involves the attacker getting in between two unaware parties without their knowledge or consent, whereas Facebook is a communications channel that people (at least implicitly) trust.
This threat is more like old-time phone operators listening in on your ostensibly private conversations. Eventually social mores and the regulatory environment changed to ensure that people had a total expectation of privacy on the phone unless there was a warrant. Now that it's in the financial interest of the 'trusted' third party to violate our privacy (rather than just operators' curiosity), and they have all sorts of Terms of Service that protect them, this expectation isn't as strong, and regulating them will be fighting an uphill battle against their lobbyists.
George Orwell could never imagine how fast society is moving to '1984' including newspeak (aka political correctness), collecting and storing personal information forever (for many years after transaction/communication occurred) on (first of all) private, not government servers, etc.
Currently the Consumer Privacy Bill of Rights is under consideration in Congress.
The only concern is that its final version would be castrated: not providing real privacy rights protection, as with legislation related to privacy/secrecy of your banking information/transactions.
The point is that when personal information is disclosed to business and/or government, the consumer should be clearly informed that:
(1) information is used only for the particular purpose it was provided for;
(2) other usage of that information, including xref and creating a 'digital persona', requires upfront consent;
(3) that information could become public if and only if there is a real imminent threat to the life or health of other people or to national security (not by 'gag' orders, but
(4) any collector of personal information should clearly state on any form, web page or application for how long that collected information is stored, and the collected information is purged in an unrestorable manner thereafter from servers, backup tapes, paper or any other type of media.
I believe it is the classic implementation of "all your data are belong to us".
There is a flip side to the owners being "men in the middle" and that is "decoupling".
I've mentioned this before but put simply two (or more) people want to communicate in some form without having a direct or peer to peer connection.
You can view these services as being a "store and forward" message service that supplies anonymity for users from external agencies. When the service has a very large number of connection points that allow a user to connect via SSH etc then conventional traffic analysis becomes very difficult.
So it's a technology with more than just the usual negatives.
@Stupid Security Questions - your point is valid, there is that distinction. But it doesn't subtract from the principle idea. In fact, social media is worse than the MITM attack since it is cumulative and automatic. It is not event-based nor is it contingent on individual connections like a MITM attack. It is everything all the time and never throws anything away. In that regard it is perhaps the most insidious form of MITM there is. It doesn't even depend on the involvement of an attacker. It is on autopilot. A MITM attack is here and now.
@Stupid Security Questions -- Are you sure it's that people, in general, /trust/ Facebook or is that that they don't understand the power they give to Facebook in this situation?
Tunisia, Egypt and Iran all injected js code from their state run ISPs whenever somebody with a local IP tried to access twitter/facebook and captured their login details in the clear. Then they used the pictures, PMs, and list of friends to round up entire democracy activist movements for interrogation. http://blog.rootshell.be/2011/01/13/...
I am convinced that less than 5% of users read the privacy policies of social networks.
No idea what % understand said policies. I never saw one I personally could understand.
Yet, one could conceive of reputation as a MitM too. Every time an employer calls a reference on a resume that reference could be engaging in a MitM attack. That's the heart of 'social engineering' seems to me.
My point is that in our modern world everything is in the middle of something so anything we don't like could be conceived of as a MitM attack in some fashion.
Written by Alphonse:
Microsoft Kinect Spy System
"So you just got the Kinect/Xbox360 gaming system and you’re having fun, hanging out in your underwear, plopped down in your favorite lounge chair, and playing games with your buddies. Yeah, it’s great to have a microphone and camera in your game system so you can “Kinect” to your pals while you play, but did you read that Terms of Service Agreement that came with your Kinect thingy? No? Here, let me point out an important part of that service agreement.
If you accept the agreement, you “expressly authorize and consent to us accessing or disclosing information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft, our partners, or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public.”
Did you catch that? Here, let me print the important part in really big letters.
“If you accept the agreement, you expressly authorize and consent to us accessing or disclosing information about you, including the content of your communications… on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public.”
OK, is that clear enough for ya? When you use the Kinect system, you agree to allow Microsoft (and any branch of law enforcement or government they care to share information with) to use your Kinect system to spy on you. Maybe run that facial recognition software to check you out, listen to your conversations, and keep track of who you are communicating with.
I know this is probably old news to some, but I thought I would mention it because it pertains to almost all of these home game systems that are interactive. You have to remember, the camera and microphone contained in your game system has the ability to be hacked by anyone the game company gives that ability to, and that includes government snoops and law enforcement agents.
Hey, it’s MICROSOFT. What did you expect?
And the same concerns apply to all interactive game systems. Just something to think about if you’re having a “Naked Wii party” or doing something illegal while you’re gaming with your buddies. Or maybe you say something suspicious and it triggers the DHS software to start tracking your every word. Hey, this is not paranoia. It’s spelled out for you, right there in that Service Agreement. Read it! Here’s one more part of the agreement you should be aware of.
“You should not expect any level of privacy concerning your use of the live communication features (for example, voice chat, video and communications in live-hosted gameplay sessions) offered through the Service.”
Did you catch it that time? YOU SHOULD NOT EXPECT ANY LEVEL OF PRIVACY concerning your voice chat and video features on your Kinect box."
@Stupid Security Questions
I see the analogy, but it's not quite right. A MITM attack involves the attacker getting in between two unaware parties without their knowledge or consent, whereas Facebook is a communications channel that people (at least implicitly) trust.
This is quibbling. Facebook, Twitter, Google, etc. are men in the middle, period, even if one knows of or consents to their presence.
Never trust a MITM. If you don't want the MITM to succeed at what he's trying to do (e.g. spew ads at you), then encrypt the content of your tweets and posts, and give the decryption key only to your trusted friends.
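The advice in this comment, encrypt the content before it reaches the service and give the key only to your friends, as an added example (not code from the original post or any commenter). The service in the middle then stores and forwards only ciphertext; and because AES-GCM authenticates what it encrypts, anything the service splices into the stored post (an ad, a tag) is rejected by the reader's client rather than quietly accepted. The post text and the key are constructed here for illustration; in practice the key would be exchanged out of band, never through the same service.

```go
// Added example: client-side encryption of a post so the platform in the
// middle sees only ciphertext and cannot alter it undetected. Not taken from
// the original page; sample post and key are constructed for illustration.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// SealPost encrypts one post under a 32-byte key shared out of band with friends.
// The returned string, base64(nonce || ciphertext || tag), is what gets posted.
func SealPost(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext and tag after the nonce so the reader can recover it.
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenPost is what a friend holding the key runs. It fails closed on a wrong
// key and on any change to the stored bytes, including appended material.
func OpenPost(key []byte, posted string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(posted)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < aead.NonceSize() {
		return "", errors.New("post too short to carry a nonce")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err // wrong key, or the service altered the post
	}
	return string(pt), nil
}

// TamperPost models the man in the middle appending bytes (an ad, a tag)
// to the stored post before forwarding it to readers.
func TamperPost(posted string, injected string) string {
	raw, _ := base64.StdEncoding.DecodeString(posted)
	raw = append(raw, []byte(injected)...)
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	// Constructed friends-only key; shared out of band, never via the service.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	posted, err := SealPost(key, "meet at the usual place at 7")
	if err != nil {
		panic(err)
	}
	fmt.Printf("service stores %d bytes of ciphertext\n", len(posted))

	pt, err := OpenPost(key, posted)
	fmt.Printf("friend reads: %q (err=%v)\n", pt, err)

	_, err = OpenPost(key, TamperPost(posted, "[sponsored]"))
	fmt.Printf("after the service appends an ad, friend gets: %v\n", err)

	_, err = OpenPost(make([]byte, 32), posted)
	fmt.Printf("service guessing a key gets: %v\n", err)
}
```

What the service still learns is unchanged by this: who posted, to whom, when, and roughly how long the post is. Encryption removes the content from the middle, not the metadata, which is the part the traffic-analysis point elsewhere in this thread is about.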
Google and Facebook are doing the same things that others get tagged for as spyware.
"After having thus successively taken each member of the community in its powerful grasp and fashioned him at will, the supreme power then extends its arm over the whole community. It covers the surface of society with a network of small complicated rules, minute and uniform, through which the most original minds and the most energetic characters cannot penetrate, to rise above the crowd. The will of man is not shattered, but softened, bent, and guided; men are seldom forced by it to act, but they are constantly restrained from acting. Such a power does not destroy, but it prevents existence; it does not tyrannize, but it compresses, enervates, extinguishes, and stupefies a people, till each nation is reduced to nothing better than a flock of timid and industrious animals, of which the government is the shepherd." - Alexis de Tocqueville 1835
"I am convinced that less than 5% of users read the privacy policies of social networks. "
Yes, definitely less than 5%. Probably closer to 0.000005% though.
Microsoft Kinect Spy System ... Or, as I say, "Never put in electronic form that which you do not wish someone else to know."
Cloud computing is not different from any other technology that through history has made it into the mainstream: you get a concept, a lot of hype, then everybody gradually jumps on the bandwagon. Subsequently, security is bolted on.
Or to put it differently: "felgerkarb is the grease upon which new technologies slide into the future". Security is just an afterthought. By the time the average early adopter comes to terms with that, there is often no way back and they just have to sweat it out until skies clear up.
Reading the comments to the essay amazes me.
Why do "we" buy into this version of
the Spencer Browne fallacy.
Why is it a "fixable event" for faces
to be wrongly tagged on other's pages?
Why "should" every picture be accurately tagged?
Why do we want to even think so?
Why not let it be ribald with rumors that are refutable?
filled with false expressions?
and so become an arena for truly free and erroneous expression?
Are we condemned to always be under oath?
What a narrow imagination killer that would be!
Read G.K. Chesterton's first chapter in Orthodoxy.
There may indeed be bugs and gremlins, yet
let us be free of the hobgoblins of narrow minds.
Babelfish does not translate completely,
yet I understand you.
A wonderful sentiment.
That's a very nice way of looking at it. It's a MITM on confidentiality, specifically. Interestingly enough, their intentions mean that integrity and availability are improved. ;)
"Or, as I say, 'Never put in electronic form that which you do not wish someone else to know.'"
Sadly it's worse than that, because with modern file formats especially those of Micro$haft "it's not just what you put in that is in there", there is also a whole load of stuff which can be used to your detriment by a smart lawyer and a forensic file examination.
They have an expression in the army of "never leave ammunition for the enemy"; giving potential litigants files via EMail etc is doing just that.
So whilst it might be less convenient and take slightly longer my advice to people getting involved in any kind of business or legal action is,
Paper, Paper NEVER Electronic Data
And if a Judge says "send files" my advice is still print them out, then scan them into appropriate compressed graphics files on a brand new completely clean non network connected computer.
At least that way you can see most of what you are giving to a potential enemy, and what you cannot should be benign. Oh and another advantage is that as each page is a graphics image the recipient (ie the enemy) cannot cut and paste or search it without doing one heck of a load of post processing themselves which kind of puts "sugar in the petrol of their speed machine".
And as a matter of self protection from "electronic discovery" don't just leave documents in the electronic form from the application that produced it because you are shooting yourself in the foot in a number of ways,
1, File formats change with every major and many minor revision of most application software as features are added, bugs removed and the money grabbers force you to upgrade. Thus your files become stale quickly and inaccessible shortly thereafter (except at very great expense to people who have with foresight kept every revision of application software and media type for solving this issue) and potentially you are guilty of destroying evidence.
2, You get into the habit of just keeping everything desired or undesired. Back in the 1980's people used phones and memos and hand written notes; these were ephemeral in seconds or days. Few if any businesses kept audio recordings of phone conversations between colleagues and hand written notes usually went in the bin when finished with. Not so today, and a smart lawyer getting their hands on a hastily typed EMail etc can turn it into "a venomous snake in a bag" which you then have to "wrestle blind in the bag in court"...
3, In US courts electronic discovery is turning into a game of "beggar the opponent" in that judges are quite happy to make formal orders of every silly request the opposition lawyers make and you pick up the bill or forfeit all.
The solution to electronic discovery is as in the days of paper records have a formal policy of how to deal with such things.
Firstly however you need to set up a repository then put all "wanted to be kept" or "good documents" into two standard formats for "image" and "search", postscript and text for example, as they are the easiest to do and have minimal unknown baggage.
Your policy has rules for what qualifies to enter the repository and rules about reviewing and deleting documents in the repository at regular intervals.
Your policy also has strict rules about the ruthless purging of all "bad files" that don't get into the repository after say three months after a set point in a project or on a rolling basis with on going business processes.
Importantly get it into people's heads that "just because we can store it does not mean we should" because like any other business process it has attached costs both immediately visible (usually small) and long term (that can break the bank). So like any other business process "it has to be efficient in its use of resources"; shareholders have the legal right to sue you for not doing this because you are stealing (profit) from them.
This reduces not only your longterm costs of keeping electronic data "fresh" and "available" it also reduces your "liability front" greatly to all including importantly "your shareholders".
Oh there is a new and MAJOR Major issue you must recognise and deal with: make sure you remember "cloud storage" in this policy and that your cloud provider does what you tell them to do when you tell them. Also have a formal policy that employees cannot use "cloud storage" of any form whatsoever with "work" related issues without the prior written consent of the CIO and make it an instant dismissal on breach written into the employment contract of everyone from Chairman/CEO down to janitor; treat it as a theft / blackmail issue as this is what it could become with a smart lawyer chasing you.
There is a nice little article on this major self evisceration / immolation issue, I really really suggest people read it and think deeply about it,
Electronic discovery is becoming a major "b4ll breaker" for people that are not properly prepared and come up against an increasing band of smart lawyers. It can be more damaging than a fire wiping out all your IT systems and backups. And is also a very very significant reason as to why companies should not use "the cloud" in any shape or form until they have all the legal aspects of "Third Party" ownership of confidential data nailed down properly.
As I occasionally remind people, think what happened to Col Ollie North when his confidential EMails were pulled from the backups of a server he never knew existed and also Richard Nixon and the Watergate tapes. Now think what would have happened if it was every private conversation, phone call, hand written note, memo or document in draft or otherwise, because that's what "using the cloud" is all about unless you plan carefully.
It's simple. If you don't trust it, and don't need it, then don't use it. Bruce opened a fb account that he hardly uses, or puts cozy data into. I have only recently opened one too...using only my initials. What's the fever?
@Clive: "Oh and another advantage is that as each page is a graphics image the recipient (ie the enemy) cannot cut and paste or search it without doing one heck of a load of post processing themselves"
I have had surprisingly good results with simply using the OCR feature of Adobe Professional (if the texts are not deliberately distorted). Throwing a bunch of JPGs in and getting a searchable PDF back is very far from "one heck of a load".
The REAL purpose of those Policies (good news: something was done recently by Federal Legislature with Banking/Credit Card industry) is to give all weapons to smart (rather sly) company lawyers against any possible claim on your side. That is no-win game for customer/consumer.
Solution is not self-regulation by industry (that is a dead end - just remember the recent financial crisis), but rather mandatory legal requirements for such policy:
(1) No legalese. Period. Plain English at the level of understanding of a high school graduate.
(2) List of exceptions could not cancel the privacy right stated in the policy altogether.
(3) Size of Policy is limited to 2 (TWO) pages.
...if the texts are not deliberately distorted...
Yup (I only gave the 20,000ft view, as people complain my posts are too long).
There are a couple of simple ways (both thanks to the UK's Cambridge Labs).
The first is to use a font with selected spectral characteristics similar to the "soft tempest" idea.
The second is with the whole page image using "anti-watermarking" distortions to manipulate the image such that it looks like it's gone through an old style mechanical drum FAX machine where the pinch rollers don't grip properly.
The resulting distortions most humans either don't or hardly notice, unlike OCR software which in the past "would barf on a speck of fly dirt".
But as you note OCR is getting better (and Chinese captcha crackers are dirt poor cheap as well).
So there are other aspects to think of with the font. One is making certain consonants oddly distorted; think of a capital B that is more like the number 8. And another is conjoining them in certain ways, for instance "th" can be made a single character and in some languages "ae" is conjoined. Again the human mind hardly notices some of these whilst OCR can have a bad hair day.
It is a race, and at the moment OCR is still lagging; as it catches up new methods will need to be used.
The trick as always is to stay one step ahead not just of the opposition but your competitors as well...
As for cloud computing being the man in the middle, they are not alone. Google+, FaceBook, YouTube, Twitter, Hotmail, your bank, the phone companies, your smartphone, online gaming networks, your ISP, credit card providers, credit bureaus, Amazon, eBay, eBook retailers, cable TV (with other video providers), and the spy agencies, are all right there together.
Oh, and I gorgot to add this new startup that wants to "give" you free storage in return for using your video cameras to record everything about you (gee, there is a bunch of people already doing that) along with insurance companies that want full GPS/audio/video (ie black box) recording of everything that goes on with, in, or near your car.
Gives one that nice warm fuzzy about life in general knowing that so many people are so interested in you.
Good grief..."gorgot" --> "forgot"
@ Lynn Etheredge
Thanks for contributing nothing to promote your "NSA spotter" blog. Not sure if the Mod will let you slide or not. Hoping not.
@ Clive Robinson
Good comments on the legal discovery aspect of things. That's one of the reasons I advocate a deniable-computing architecture for many things, with the unlocking secret easily destroyed (or expired). Just too many BS ways to go down to let lawyers decide your fate. ;)
@ Nick P,
Just too many BS ways to go down to let lawyers decide your fate
Oh that it were only the lawyers, but to be honest they are just doing a job for money using tools just like the rest of us.
The real problem is the tools and the system of operating them.
The tools are the legislation and the system judicial process.
I think many would agree there are two basic types of law, those that society needs to stay as a society and then those that have been "purchased" one way or another by vested interests with either deep pockets or significant influence over the legislators.
Most of the problems society suffers come from the bought / influenced legislation and nearly all of it is less than a hundred years old. Which is a very significant tell against it.
Part of the problem is communications; more than one hundred and fifty years ago people did not move around much but animals did to get them to market. Thus distance for several thousand years was effectively measured by how far you could drive / drove animals on foot or how fast goods traveled by oxen pulled carts (about 1 MPH in modern statute miles).
News traveled by word of mouth carried by drovers and traveling traders, thus also moving at a similar slow speed. Thus it moved around six to eight miles a day.
However due to the needs of Kings and later Governments to prosecute wars against each other the speed of communications rose, first by runner, then horseback, then signaling by torches, flags until eventually by electricity and radio waves, becoming effectively instant (to humans) to any part of the world between the two world wars.
This introduced a series of issues in that instant communications demanded instant decisions and "thinking time" diminished and the work of management and government sped up.
Now "the people's representatives" of the "representational democracies" we live in are all about style and appearances and very little about substance. They had to be seen to do things faster as there was no longer the excuse of "communications delay".
Thinking time had gone but worse, when you speed things up there is the expectation things will continue at that pace or faster. Soon our legislators could not draft legislation themselves and they had initially civil servants drafting legislation for them. Then special advisors who had expertise in the areas, then along came industry with the lobbyists, presenting legislators with ready made facts, figures, arguments and draft legislation and analysis.
As we know from the PATRIOT Act, legislation is no longer read in its entirety, nor is legislation very much to do with its title as little unrelated bits just get shoved in seldom with comment and usually without serious thought or debate.
The result is modern legislation is owned by the vested interests not society who now have little or no say and have got to the point where they feel so detached from the process steadily increasing numbers can not even see the point in registering let alone voting.
I'm not sure what the solution to this should be, in the past I've said get rid of "representational democracy" and replace it with "true democracy" where individuals vote on substantive issues not for monkeys in suits. However desirable as this may appear to be it just shifts the problem from lobbying representatives to lobbying society, and the old "Money talks every thing else walks" rules apply, so legislation will still get bought by those vested interests.
So I then considered the fact that our legislators do have too much time on their hands to filibuster and argue their "pet" legislation in. And once on the books, like the proverbial manure on the blanket, it becomes difficult if not impossible to shift.
Now in the European Union there is something strange: most if not all directives have a sunset clause of only a few years, where they have to go back to be reconsidered for amendment and voted for again effectively in the "light of experience".
There are several big advantages to this; firstly bad laws can just lapse and be removed from the books, secondly laws can be fine tuned to improve them and more importantly evolve them with the changing norms of society. But thirdly and perhaps more importantly it throttles the introduction of new legislation. The representatives can not do two things at once, thus the time they spend on reviewing is not spent on introducing new legislation, thus the whole process gets slowed and thinking time could come back into the legislative process.
However we also need to solve the fundamental issue of "expert advisors" in their many forms; we need a way to ensure they are impartial and give the best advice for society not that of vested interests, and this is difficult because as we have seen with Global Warming there are a lot of vested view points dressed up as faux facts in a way that is difficult to tell are faux.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.