The brief for the logo was to create something playful, bold and adaptable that used the London skyline as a theme.

As the recent LinkedIn Password Leak showed, even tech-savvy companies can get it very wrong. Unsalted SHA-1 is not good enough. Hashes can be calculated at 8 thousand million per second on a modern GPU. The scary thing is that it’s one of the least bad leaks recently, the Sony Password Leak revealed that they were storing millions of passwords in plain text.

Clearly, something needs to be done, and here is what I propose:

Sites should publish some hashed passwords

On my website, yetanothersocialnetwork.com, I provide a page with some sample database rows from my user table (with fake data):

This makes the security of the site transparent. For those who care, they can easily see that decent security measures are being taken with the storage of passwords. For those that don’t, if there is a problem, a fuss will hopefully be made about it before a leak, rather than after.

If you run a site that stores user passwords, please consider doing this. If your hashes are good, this should be a trivial thing to do. If they aren’t, well it’s probably time you sorted that out…

First of all, I tested the script in a game of hangman against every single word in a 70k word dictionary. I played with 10 lives before losing, which is probably on the conservative side, 12 seems like a common figure. The script lost on 469 words, of which 99 were 3 letters long. There were 20 words 7 letters long, all of which ended in ‘ing’. There were no words of 8 letters or longer.

I’ve made a complete list of losing words available, as running the test takes several hours to complete.

In terms of getting around this – unfortunately it is impossible to do better. The only improvement that could be made is randomizing between choices of letter that have equal probability, so that the words that are unreachable cannot be determined. This results in a larger number of words that potentially lose, but a lower probability of losing on those words (and no words will definitely lose).

Obviously you’ll get different output from different dictionaries, larger dictionaries will result in more failures.

These are fairly promising results though, unless you were guessing against an opponent who also had access to optimal-strategy data and knew which words were most likely to be difficult to guess, you’re going to be able to win most of the time with this approach.

Having read it I was slightly perplexed, it seemed like massive overkill for something that can be calculated fairly simply, so I created pyngman, a python script that generates optimal next guesses for Hangman. Input the state of the game and the letters you’ve called and it will tell you what letter to call next.

You supply the information as a state, such as ..e.., where .’s are unknown letters, followed by a list of letters you’ve tried:

$ pyngman -state ..e.. est
> Your best next guess is: a

It does this by using a dictionary (you must supply the dictionary, so the results will change depending on what you supply!), and looking at all possible words that could be the solution, and working out the letter with the highest probability of being present. So far I have been unable to find a word which causes the program to lose a game of hangman!

Grab pyngman from github and have a go yourself

Possible Improvements

It occurs to me that pyngman, while good, is not technically optimal. In hangman, you’re not trying to win, you’re trying not to lose. Therefore, you can do better than picking the letter which has the highest probability of being in the solution, you can pick the letter which minimizes the highest number of guesses required to reach any potential solution. This requires a bit more computation, but is not a technically challenging thing to implement.

One slight improvement (which I may include myself if I have time) is to adjust how letter frequencies are calculated. Currently every instance of every letter is counted, but you would only want to count any letter once per word to get the correct solution. The difference this makes to the supplied letters is probably minimal though.

First up: Google Chrome

Google recently offered anyone to earn up to $60,000 per exploit for finding bugs in its flagship browser, Chrome. One student did indeed walk away with the prize money. This kind of competition is quite common in security research, the most famous such competition is Pwn2Own. Why is this method favoured then? Simple economics. If you find a bug in a major piece of software such as Chrome or Windows, that exploit is worth a lot of money. Stuxnet contained four Windows ‘zero-day‘ exploits, each of which would have had a hefty black-market price tag. This simple fact fueled speculation the Stuxnet was a government initiative  - given the vast amount of resources required to build it.

So Google is following a good tradition of offering its software freely to hackers to see if they can exploit it. If they do the hackers gain financially, Google gains financially (as a prize-money oriented approach is fairly cheap, in the grand scheme of things, you don’t have to pay anyone who fails to find an exploit!), and users of Google Chrome gain through using a more secure browser. The only people that lose out are the criminals.

Second: Airport Security

By which of course I mean the TSA. Much has been made of a recent video in which a man takes a metal box through the TSA’s new scanners undetected. Putting aside the fact that airport security is just security theatre for a second, let’s think about the implications. First of all, was this man right to put the security to the test? He has posted a video which by now potential terrorists have potentially seen, in which he describes a potential exploit of the system. Isn’t this a bad thing to do? Well, no. Now that the TSA is aware, they can fix the security hole. Note also that he gave the TSA plenty of warning before going public. It’s entirely possible that knowledge of these exploits was already known to terrorists, who wouldn’t have told the TSA. Making this information public is the right thing to do.

The TSA’s response has been strange though. While I agree it should discourage people from trying to find exploits (since if everyone was trying this out the line for security at the airport would be even longer!), the text from their response has to be read to be believed:

Imaging technology has been extremely effective [...]. It’s one of the best tools available to detect metallic and non-metallic items, such as… you know… things that go BOOM.

Their jovial reply comes across as very awkward. They trash-talk the guy who found the exploit, and don’t mention whether they intend to fix it. The overall impression of the article is that they are holding their hands over their ears and shouting ‘The system is secure’ repeatedly, despite evidence to the contrary. This kind of behaviour is sadly common. In 2010, banks tried to censor research that showed the Chip & PIN was insecure. Most of the banks took a very long time to plug the security hole (I can’t find out if all major banks have yet, even now).

The Problem

It’s not that simple, unfortunately. Open security is a great thing for software (if you’re software relies on secrecy for security, it’s not secure). However it gets trickier when you’re dealing with physical systems, just letting people try and exploit the system all the time is a recipe for disaster. The systems are designed around the assumption that 99% of the time (at least) they won’t pick up anything. Nearly every single positive case will be an innocent mistake on the part of the passenger. Most TSA agents will never see, let alone catch a malicious traveller in their entire careers. There is no baseline against which to establish meaningful tests.

Despite this, the machines are tested in the field, and it’s by people hired and trained to do so. The tests are often written by the people who design and make the machines. There’s no equivalent of the kind of free-for-all attack that Google’s Pwnium competition encourages. Running a challenge over the course of a day doesn’t work either. TSA agents are not a dumb piece of software, so unless the test was completely blind  (which is impossible if it’s a public competition) there would be no benefit, as the agents would be much more alert than normal.

The Solution

Open security for all of these systems is the dream. Currently a lot of airport security relies on people not knowing how it works (behavioural analysis, for example). This is all fine, until it gets leaked, which it always does. You simply can’t keep a secret that big entrusted to so many people. I’m not going to link to where this stuff is, but it’s freely available on the internet and other networks.

Technology is hugely useful in this scenario. However intrusive it may seem, machines to detect stress, to detect hidden objects and many other kinds of things are the way forward, with the simple caveat that they must be open. I don’t mind an intrusive picture being taken by a machine, as long as I can read the code that performs the obfustication. Your word that it’s doing that is simply not good enough.

Unfortunately this way of thinking goes against the grain of decades of security thinking at airports, so I’m pessimistic. I can only hope that sooner or later people realise that intrusive security is at this point inevitable, and what we should be campaigning for is not less of it, but to make it open.

Name: o2
APN: mobile.o2.co.uk
Username: vertigo
Password: password
MMSC: http://mmsc.mms.o2.co.uk:8002
MMS: proxy 193.113.200.195
MMS: port 8080 MCC 234 MNC 10

At the SBSeg conference, StegDroid won honours as the second best paper in the undergraduate track.

1. Arrange the application windows you want to have on your second screen as you would like them. You will not be able to rearrange them once they are there.
2. Completely quit the applications you wish to use on your second monitor, e.g. terminal, Chrome.
3. Full screen your app (Xcode)
4. Using the trackpad, swipe with three fingers a little bit, so that just the edge of the next space is visible (but it won’t switch when you let go)
5. Keeping your fingers on the trackpad, hit cmd + space to open Spotlight and type in the name of the program you wish to launch on the second monitor (terminal)
6. Hit enter to launch the program, wait for the window to display, then you can take your fingers off the trackpad.
7. Repeat steps 4-6 for any other apps you wish to launch!

[translation] The Brazilian Symposium on Information Security and Computer Systems (SBSeg) is a scientific event promoted annually by the Brazilian Computer Society (SBC). It represents the main forum in the country for the presentation of research and relevant activities related to information security and systems. The 11th symposium will be held between 06 and 11 November 2011 in Brasilia, DF, and is organised by the group of Network Engineering and the Department of Computer Science, both from the University of Brasilia.

Update

The accepted version of the paper is available online at the SBSEG site.