This page exists to ease the transition since I migrated my blog to a new software. You are interested in the posts previously filed in the “security” category, which are listed below.
My new blog can be found at http://madduck.net/blog. Future articles, which would have been filed as “security”, are going to show up here as well. However, please watch this space as these transitional pages may disappear at some point.
Recently, people have picked up on OpenSSH’s new “feature”: visual SSH fingerprints.
It hurts to see this “feature” in a software like OpenSSH, which is so integral to everything we do, because it’s a waste. It’s additional code, and thus an additional risk of bugs, and it has a net security benefit of zero, NULL, zilch, nada, nothing, nix, nadje, oomph!
The theory is that you learn to recognise the general shape of
the visual fingerprints of your hosts, which is easier for us to
remember than strings of hexadecimal numbers. So, for instance, if
you ssh to pony.debian.net, you get to
see something that’s not entirely unlike a pony:
Host key fingerprint is 45:2f:a5:d8:13:95:ba:03:51:c4:8d:ac:82:a8:4c:6a
+--[ RSA 2048]----+
| ==+o. |
| .++=o |
| . . .o*.. |
| .. . . o..o |
|+. .S. . |
|oE o |
|. . |
| |
| |
+-----------------+
Rejoice! Because now, should pony.debian.net ever
present a new SSH fingerprint, when OpenSSH screams at you:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
then you can look at the picture and say: “yeah, I knew that”, because your pony has suddenly transformed into the visual representation of a giant fart.
On the other hand, the new “feature” makes day-to-day
interactions a lot easier. Imagine you need to ssh
into a new host. You take a piece of paper and call up the admin to
ask for the fingerprint, but instead of a series of hexadecimal
digits, he says “it looks like the easter bunny and a bit like
southern Italy”.
Great “feature”. Thanks. I would appreciate if this sort of crap stayed out of important software. Dan Kaminsky might have some good ideas, but most of the time he’s on crack. Get a grip. Stop being a fanboy.
NP: Kinski: Alpine Static
Posted Fri 31 Oct 2008 09:01:07 CET
I am surely not the only one to complain about the ridiculous liquids restrictions for airplane travel. Since these new regulations are in place, I’ve challenged them, found holes, and compiled tips for those trying to blow up planes.
I wouldn’t write another story if it weren’t for an idea I’ve had at Zurich airport on my last trip to London: let’s swamp the airports with trash so that they’ll be forced to deal with Brussels and IATA to return to normal.
After checking in for my flight, I stopped by the supermarket to buy two containers of yoghurt that would make someone happy. The containers each said 150g (that’s weight, not volume) on them, and I put them into a clear, resealable one-litre bag, placed them into a tray to be x-ray-scanned separately, only to have them confiscated.
After discovering (not much to my surprise) that the security staff didn’t know the difference between weight and volume, nor understood the concept of density, I got a chance to speak to the head security officer (surrounded by five police whose attention I’d gotten), and learnt that Zurich airport has one ton of trash to discard every day, Frankfurt supposedly has to deal with four.
As I was walking onto my plane, I tried to think of non-recyclable containers that we could fill with liquids to bring along to increase that amount. My theory was that once the trash problem became too massive, the airports would have to deal with the authorities to resolve this liquid restriction, because it seems quite clear that normal people have no way to influence choices made that affect our “safety”.
Unfortunately, I see two problems:
First, we’d be dealing with trash and hence face all the environmental concerns. The airports do not recycle the millions of PET bottles they confiscate every day, so we shouldn’t make that worse. Unfortunately, I cannot think of another liquid container that wouldn’t come with similar concerns.
Second, the airports might have the burden, but they won’t carry the cost of all the trash. In fact, thanks to the security theatre related to liquids, we already pay higher airport taxes and charges. Surely it can’t be in our interest to push that further up the scale.
So in the end, swamping airports with trash doesn’t seem like a viable way forward, unfortunately.
I wish I knew what to do. I wish that the decision makers at IATA would finally admit that they overreacted and revert to normal, with sensible security measures, which focus on fending off the real threats, not fake ones. Unfortunately, nobody likes to admit that they were wrong, especially not when the decision is heavily backed up by the lobby of vending machine companies and restaurant owners, who benefit greatly from these ridiculous liquid safety measures.
NP: Pulp: We Love Life
Posted Fri 05 Sep 2008 12:54:03 CEST
If you’re trying to blow up an airplane, and you’re hip and plan to use liquids to take down the silver bird, the following tips may be useful to you:
- Should your liquid containers not all fit into the one-litre resealable bag, just use two. Leave one of them in your bag and put the other into the plastic box through the x-ray machine. It seems like security checkers don’t notice or care.
- Alternatively, if you need a few more millilitres of liquid or gel, put it in a tube or bottle and write on it Novartis, Roche, Bayer, or any other known manufacturer of pharmaceuticals; make up fancy names or use existing ones. Be creative, although you don’t have to. Even though the EU regulations dictate that only prescription medicine is exempt from the volume restrictions, no one has yet confiscated my tube of Voltaren, nor questioned it, and I’ve had it with me on every trip for three years, at least. If designing your own tube is too much, empty out an existing tube and refill it.
  Baby food containers work too, but then you ought to bring a baby along for credibility.
- If your detonation strategy involves more than one litre of liquid, don’t give up. Writing “100ml” on a 200 millilitre container should fool most of the security checkers. I’ve tried it, taking the label off a 75ml deodorant spraycan and putting it on a 150ml shaving cream can, and at least in Düsseldorf, they seemed pleased.
- If your explosive substance’s amount is indicated in weight rather than volume (like yoghurt), be prepared to lie. Should the substance put 150g on the scale, make the label read 100g; the concept of density is beyond the brain capacity of your average checker, and I found it pointless to explain to them that one gramme is very rarely the same amount as one millilitre.
- Consider flying out of a non-German airport, where they won’t let you take just a deodorant spray can and nothing else without a bag; you’ll also have to buy a bag for one Euro in these places, while at Zurich or Dublin airports, you get those bags for free at least. (Remind me why we pay extraordinary amounts of airport taxes again?)
Of course, if you’re serious about blowing up an aircraft, you’re probably not going to need any of the above, as you’ll already have a more convenient way to get your substances on the plane. At the checkpoint, you’ll behave like the perfect citizen abiding by all rules; you wouldn’t want to arouse suspicion, now would you?
PS: this post purposely avoids the use of the word “terrorist”.
PPS: of all the great experiences in airports this week, I especially loved how passengers, who checked in at the counters (and had to present their passports there), were again checked after border control in Düsseldorf, while passengers like myself, who used the quick check-in terminals, were just waved through.
NP: Disturbed: The Sickness
Posted Wed 18 Jun 2008 12:11:06 CEST
Even though the Debian installer can set up encrypted partitions, it is optimised for systems with a single data partition, unless you want to enter multiple passphrases when the system boots. The installer configures a LUKS volume using cryptsetup, but it provides no mechanism for the use of key files, only interactive passphrases.
I like partitioning my disks and use different filesystems for
/tmp, /home, /var, and
/usr/local for a number of reasons. I don’t like
entering more passphrases than necessary. If you can identify with
that, the following is for you.
Several people have pointed out to me that one can simply create
a single encrypted “physical volume” with the Debian installer and
place “logical volumes” for the various filesystems in there. You
still need a separate /boot partition, in any case.
Kapil Hari
Paranjape has described the approach, as well as Simon
McVittie.
This method is much cleaner and to be preferred. It’s
quite likely that it also improves the speed since only a single
kcryptd process takes care of all of the decryption
and encryption needs.
Nevertheless, the following is still useful with that approach, although it’ll be less complicated.
Installing the system
The first step to setting up an encrypted Debian system is to perform a normal Debian system installation. When you are asked to partition your hard drive and create filesystems, set up all partitions as encrypted volumes (I suggest going with the installer defaults and using dm-crypt and AES with the default settings, simply because I have no reason to doubt the installer developer team’s choices). Make sure to erase the disks in the process — the installer has an option for that.
Set up the swap partition as an encrypted volume too, but don’t worry too much about the settings at this point; we will recreate the swap partition later.
Unless you want to boot off an external medium, such as a USB
stick, you will need to create an unencrypted partition for
/boot. I will return to this topic, which has security
implications, further down.
The installer will ask you for passphrases for each of the
volumes you create. I suggest you pick a secure passphrase for the
root volume (/), but simple passphrases for all the
other ones (such as “a”), since we will reconfigure them to use key
files instead.
Using key files
A key file is like a passphrase stored in a file on disk; as
opposed to “what you know”, it’s a “what you have” security asset.
Thus, you need to store the file somewhere. When I boot up my
system, I unlock the root partition with a passphrase entered
interactively, which makes the root filesystem available. I store
key files for all other volumes in /etc/keys.
Obviously, I need to tell cryptsetup to use those.
The first step is to create a key file for each partition and to
add it as a decryption key to the LUKS volume. You can
do all of the following without unmounting the filesystems. See the
following example for hda6, which will prompt for the
simple passphrase we entered above to unlock the key ring when
adding the key file:
umask 077
mkdir /etc/keys
dd if=/dev/urandom of=/etc/keys/hda6.luks bs=4k count=1
cryptsetup luksAddKey /dev/hda6 /etc/keys/hda6.luks
cryptsetup luksKillSlot /dev/hda6 0 --key-file /etc/keys/hda6.luks
The last command wipes the simple passphrase from the key ring and thus makes it unusable.
Now we need to tell cryptsetup to use the key file
by editing /etc/crypttab and ensuring a line such as
the following exists:
hda6_crypt /dev/hda6 /etc/keys/hda6.luks luks
This tells cryptsetup to create the cryptographic
volume hda6_crypt from the base device
/dev/hda6, using the key file we created above, and
letting it know that it’s dealing with a LUKS
volume.
Repeat this for every partition except your root and swap partitions.
Encrypting the swap partition
If you are using an encrypted Debian system, you likely have some security requirements to meet. If that’s the case, you must also use an encrypted swap partition.
The swap partition can be encrypted in two ways:
- it can be recreated on every boot, using a random passphrase, or
- it can be created like the other encrypted volumes with a persistent passphrase
If you want to use suspend-to-disk, you cannot use the first approach as it would overwrite your memory footprint stored in the swap partition. Furthermore, you cannot use a key file like the other partitions, since the root filesystem is not (and must not be) mounted by the time the resume process starts and needs to read the decrypted swap partition.
The way I solved this is by telling cryptsetup to
compute the passphrase of the swap partition from the decryption
key of the volume holding the root filesystem; the
cryptsetup package implements this with
/lib/cryptsetup/scripts/decrypt_derived. Thus, to set up the
swap partition, I do the following, assuming hda2 is
the partition holding the encrypted swap and the root filesystem is
in hda5_crypt:
swapoff /dev/mapper/hda2_crypt
cryptsetup luksClose hda2_crypt
dd if=/dev/urandom of=/dev/hda2
/lib/cryptsetup/scripts/decrypt_derived hda5_crypt \
| cryptsetup luksFormat /dev/hda2 --key-file -
/lib/cryptsetup/scripts/decrypt_derived hda5_crypt \
| cryptsetup luksOpen /dev/hda2 hda2_crypt --key-file -
mkswap /dev/mapper/hda2_crypt
To tell the system about this swap partition, we need to add it
to /etc/crypttab and /etc/fstab; make
sure those files contain lines like the following:
/etc/crypttab:
hda2_crypt /dev/hda2 hda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
/etc/fstab:
/dev/mapper/hda2_crypt swap swap sw 0 0
With this in place, as soon as you configure the system for
suspend-to-disk, the swap partition will be automatically set up
alongside the root filesystem very early during the boot sequence.
To figure out which swap partition to make available at that point,
cryptsetup checks the following:
- a line like RESUME=/dev/mapper/hda2_crypt in /etc/initramfs-tools/conf.d/resume
- a resume device setting in /etc/uswsusp.conf (see uswsusp.conf(5))
- an entry in /etc/suspend.conf
- a resume=/dev/mapper/hda2_crypt in the kernel command line
You can inspect /usr/share/initramfs-tools/hooks/cryptroot if you want to know more about this.
Using UUIDs
Even though the above is all you have to do, you might want to
consider replacing the device paths in /etc/crypttab
with persistent ones. One motivation might be the ability to boot
off your drive via a USB adapter, which might cause it to appear as
/dev/sda instead of /dev/hda.
udev is installed
by default on Debian systems and it makes persistent links to
partitions available under /dev/disk/by-uuid, using
the UUID of the content structure (e.g. the
LUKS header). It uses /lib/udev/vol_id to
determine those link names.
If you replace the entries in /etc/crypttab, make
sure to update the initramfs (update-initramfs
-u -k all) and consider using the same approach for the
/boot filesystem in /etc/fstab; you’ll
note that all other filesystems use persistent device paths thanks
to the dm-crypt layer.
If you ever end up booting off the disk through a USB adapter,
you might face the problem where the usb_storage
subsystem takes too long to activate, so that the
cryptsetup script does not find the devices in time.
You can either solve this by adding the rootdelay=x
parameter or break=mount to the kernel command line.
The first will cause the scripts to wait x seconds
before trying to configure and mount the root filesystem; the
second would give you a shell that you can exit as soon as the
kernel spouted its device initialisation messages at you.
If you got this far, you might even want to take it further and
replace hda5_crypt with cr_root or the
like to abstract those silly partition numbers away even further.
This is easier than it sounds, but does require several steps.
Do not do this if you’re not comfortable reviving your
system in case it fails to come back up!
- replace the old names with the new names in /etc/crypttab for all volumes except the root volume. If you are using a derived passphrase for the swap partition, make sure to put the new name for the root volume into the third column of the swap partition’s configuration line.
- modify /etc/fstab accordingly, leave the root filesystem’s device path alone.
- call update-initramfs -u
- modify your bootloader to ask the kernel to boot off the new root volume.
- replace the root volume’s old name with the new one in /etc/fstab.
- reboot, and add break=mount to the kernel command line.
- at the busybox prompt, edit (vi) /conf/conf.d/cryptroot and change the first field of the root volume’s line to the new name.
- exit the shell and watch the boot process complete.
- finally, replace the root volume’s old name with the new one in /etc/crypttab.
If the system fails to boot up again, you can use the backup
initial ramdisk, which update-initramfs left in
/boot.
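Added example, not part of the original post or of the cryptsetup package: a shell check that reads a crypttab file and flags what the key-file, derived-swap and renaming steps above can leave wrong, namely key files readable by group or other, a decrypt_derived line whose third column names a volume crypttab does not define, and device paths that are not persistent. The hda7 entry, its UUID, the ROOT argument and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: static audit of a crypttab(5)
# file for the mistakes the procedure above can leave behind.

# Succeeds only if the path grants no permission bits to group or other.
owner_only() {
    case $(ls -ld -- "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_crypttab CRYPTTAB [ROOT]
# ROOT is prepended to key-file paths so a copy of /etc can be checked
# (hypothetical convenience; leave it empty to check the running system).
# Prints one finding per line and returns non-zero if any is a FAIL.
audit_crypttab() {
    tab=$1 root=${2:-} fails=0
    # All target names, needed to validate decrypt_derived references.
    targets=$(awk 'NF && $1 !~ /^#/ { print $1 }' "$tab")
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac

        # /dev/hdXN can turn into /dev/sdXN behind a USB adapter.
        case $dev in
            UUID=*|LABEL=*|/dev/disk/by-*|/dev/mapper/*) ;;
            *) echo "WARN $name: $dev is not a persistent device path" ;;
        esac

        case ",$opts," in
            *,keyscript=*/decrypt_derived,*)
                # Third field names the volume the key is derived from.
                if ! printf '%s\n' "$targets" | grep -qxF -- "$key"; then
                    echo "FAIL $name: derived from '$key', which crypttab does not define"
                    fails=$((fails + 1))
                fi
                continue ;;
            *,keyscript=*) continue ;;   # field 3 is a keyscript argument
        esac

        case $key in
            none|-|'') continue ;;       # interactive passphrase
            /dev/urandom|/dev/random)
                echo "WARN $name: random key, contents lost on reboot (no suspend-to-disk)"
                continue ;;
        esac

        if [ ! -f "$root$key" ]; then
            echo "FAIL $name: key file $key is missing"
            fails=$((fails + 1))
        elif ! owner_only "$root$key"; then
            echo "FAIL $name: key file $key is accessible to group or other"
            fails=$((fails + 1))
        elif ! owner_only "$(dirname "$root$key")"; then
            echo "FAIL $name: directory of $key is accessible to group or other"
            fails=$((fails + 1))
        fi
    done < "$tab"
    [ "$fails" -eq 0 ]
}

# Constructed sample: the post's hda layout plus an invented hda7, with two
# planted mistakes (an over-permissive key file and a half-finished rename).
build_sample() {
    ( umask 077    # the umask the post sets before creating /etc/keys
      mkdir -p "$1/etc/keys"
      : > "$1/etc/keys/hda6.luks"
      : > "$1/etc/keys/hda7.luks" )
    chmod 644 "$1/etc/keys/hda7.luks"     # planted: world-readable key file
    cat > "$1/etc/crypttab" <<'EOF'
# <target>  <source device>  <key file>  <options>
hda5_crypt  /dev/hda5  none  luks
hda6_crypt  /dev/hda6  /etc/keys/hda6.luks  luks
hda7_crypt  UUID=00000000-0000-4000-8000-000000000007  /etc/keys/hda7.luks  luks
hda2_crypt  /dev/hda2  cr_root  luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
}

demo=$(mktemp -d)
build_sample "$demo"
audit_crypttab "$demo/etc/crypttab" "$demo" || echo "audit found failures"
rm -rf "$demo"
```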
Security implications
Apart from the usual security implications related to cryptosystems, passphrases, mathematics, user stupidity, and so on, the approach I outlined will leave you with a pretty well-secured system. Obviously, you should make sure to lock your screen whenever you leave the system unattended or the entire encryption is basically useless.
There are two attack vectors on your system, both involving physical access to the machine:
- theft of the machine or its RAM chip, freezing the latter, and scanning the working memory for the passphrase
- manipulation of the kernel or initramfs stored on the (unencrypted) /boot filesystem, in such a way as to obtain the passphrase. To do this, you would have to have access to my machine and return it to me without me noticing; once I restart and enter the passphrase, you’d have to steal it again
Other than that, you should be careful when travelling to totalitarian countries, like the Excited States of America, China, and probably the UK. First off, encryption arouses suspicion, and second, border agents might ask you to decrypt the partitions for them to copy or scan, and refusal to do so might get you turned away at the border. When travelling to those countries, make sure to hide your data properly.
Speed implications
Obviously, having your entire system encrypted (including swap) will slow it down. I don’t have any quantitative information on that, but after several years of using full-disk encryption on my laptop (an X40, which isn’t very powerful), I can say that it remains usable, if you don’t rely on disk-intensive operations, such as compiling kernels and the like.
Alternative approaches
Several alternative approaches exist, all involving an additional device:
- if you don’t like to type in the passphrase for the root filesystem, you could store it on a USB key (or the like); cryptsetup provides /lib/cryptsetup/scripts/passdev, which can be used to deal with such a situation. You can find more information in cryptsetup’s README.Debian file.
- if you don’t like the unencrypted /boot partition, you could boot the system off a USB key, which you can keep separate from the system except for when booting and upgrading the kernel. All you need to do for that is install the bootloader and kernel onto the device and configure it to use the proper encryption volume on the harddisk as root filesystem.
- cryptsetup also comes with support for PKCS#15 smartcards (opensc and openct).
I have chosen neither of these approaches, because the extra security does not make up for the inconvenience, and the danger of an unbootable system in case of loss or forgetting of the additional device.
Posted Mon 16 Jun 2008 11:43:40 CEST
At Melbourne Tullamarine airport today, I was asked to present the credit card used to book my flights as a security measure to be able to fly Bangkok-Zurich. I did not need the card for the Melbourne-Bangkok leg. Unfortunately, I left the card at home for various reasons. In the end, they just issued both boarding passes anyway.
I was not allowed to take the throw-away wooden chopsticks that came with my Pad Thai lunch through the security checkpoint.
For dinner on the airplane to Bangkok, we were given plastic knives and metal forks. For dinner on the second trip, we got metal knives.
At Bangkok airport, I had to pass a security checkpoint changing planes. They confiscated the plastic water bottle which was given to me on the flight from Melbourne (the bottle said “Thai airlines” on the label).
The lady in front of me was using one of those telescopic walking sticks, she apparently had a bad leg. They didn’t even bother asking about the stick, which she ran through the x-ray. Terrorists don’t have bad legs, nor know how to pretend.
How long are we going to put up with this bullshit?
NP: The Flower Kings: Stardust We Are
Posted Sun 17 Feb 2008 08:23:32 CET
As during previous keysigning events, such as DebConf7 and DebConf6, I turned up to the LCA 2008 keysigning event with my ID card issued by the Transnational Republic.
Previously, this act has caused people to get rather upset. I have explained my motivation and rationale in response to the thread; yet, my reputation as “keysigning subverter” precedes me. I maintain that I am not subverting the web of trust in any way.
I conduct this “experiment” mainly out of interest, and to sensibilise participants of the web of trust. Even though I stated previously that I would no longer attend keysigning events, I couldn’t pass up this opportunity on the other side of the planet.
Fifty-seven people exchanged data and glances at ID cards with me. In total, 9 people asked about this ID card, mostly out of curiosity, but only one person flat out refused to sign my key. This leaves 47 who apparently accepted it.
If you disagree with my approach, please do not sign my keys, 0x330c4a75 and 0x667c7088 (but do read my arguments, please). I will not import signatures I receive for a while, so if you have already sent your signatures by the time you read this, send me a note and I’ll delete them.
Keep in mind that you are not authenticating the ID. You are authenticating my identity. And unless we’ve interacted or you otherwise know who I am and that I am the same person as is using this key for the work through which you know me, you should not sign my key.
Also note that I continue to stick to my policy and will only sign keys of people that I “know”. Thus, if you want my signature and we have not previously interacted, you have four more days until the conference is over.
Update: a couple of people replied, including Paul Wayper. I’ve since had an interesting discussion with him but still want to address two points in his post here:
The ID presented is not “fake”, it is simply issued by an entity that is not considered “official”. Its data are all correct, which I am happy to prove to anyone who cares.
Second: if the web of trust were to die if everyone did what I was doing, would it “live” forever and improve continuously if we continue such mass signings based entirely on IDs? No one can know how to verify IDs from all countries that issue them, introducing “fakes” is trivial (as my experiment and this message hopefully show). I think it’s a case of quality versus quantity. Whether you buy my point that you need to ask yourself what you are actually proving to the web of trust with your signature (and sign (or not) accordingly), or whether you are signing an identity (what is identity?), I would suggest to concentrate more on educating people. At the keysigning at DebConf7 in Edinburgh, we split people into smaller groups around well-connected keys. Within each group, prior to the keysigning, experienced key owners would take a short time to talk about the process and explain its goals. Specifically, they would make it explicit that there is no obligation to sign one’s key, similar to what Jonathan said in this message prior to the LCA keysigning.
My experiment yielded a small discussion on the LCA chat mailing list, which is worth a read if you haven’t seen it yet.
Posted Mon 28 Jan 2008 08:32:41 CET
Maybe someone can shed some light on these outstanding questions about airplane safety. The Thai steward earlier made it perfectly clear, with a straight face, that our safety is their priority, but so far, no-one of the crew could give me the answers:
- why do window shades have to be opened during take-off and landing?
- why do tables and leg rests have to be stowed away during take-off and landing?
- why can’t I recline my seat during take-off and landing?
- why do they shut down the in-flight entertainment during take-off and landing and force you to watch advertisements and map views? Are those less likely to cause interference?
I’ll stick to those airplane-specific ones for now. I have another set of questions about certain airport rules on the ground. I feel that the world would be a much better (and safer) place, if those making the rules would actually let us know what these rules are trying to accomplish.
Update: I’ve received plenty of responses. Thanks! Most responses explain questions 1-3 with reference to the critical nature of take-off and landing. Leaving the windows open helps people orient themselves in case of an emergency and that people from the outside can get in at the right spot, tables and leg-rests are obstacles during an evacuation, and the seats are designed to absorb shocks, but won’t work so well if they aren’t upright. One person argued that entertainment during the critical phase of take-off and landing is distracting in case of a problem, but I am somewhat unconvinced. I have not received another
I must say that none of these responses are surprises. I guess my main point is that airlines might want to consider making these things public, rather than just instructing people about the rules. It would make me happier to comply anyway.
Posted Mon 28 Jan 2008 03:54:29 CET
“Your new door to the world” — the slogan for Bangkok’s new Suvarnabhumi airport tries to get people to stop-over on their trips between Europe and Asia. The airport’s webpage claims that the airport currently handles 45 million passengers per year, but that it would scale up to 110 million.
I don’t see this happening, at all. Today, leaving for Melbourne, I waited for an hour in the security queue, as four flights were leaving concourse E (which has 10 gates) at once: around 500 passengers were queueing to be scrutinised — for explosive liquids and other stuff a real terrorist would never consider smuggling on a plane via the standard passenger processing theatre — in four lines behind four security checkpoints (in fact, that’s how I confirmed my estimate: around 30 seconds per passenger (I timed it), it took me one hour, that’s 120 passengers per queue, so about 500 total, at once).
Four lines, one hour? 45 million passengers. 110 million passengers? Six lines (there isn’t much more space), so 200 passengers per line, 1:40 hours? My new door to the world? Bangkok?
Of course, this is in large part because of idiot passengers. While I was waiting in line, they came three times (every 20 minutes) to empty the garbage can where potential terrorists have to dump their drinkable explosive fluids. We’ve had this ban for over 1½ years, for crying out loud! Sure, some people don’t (get to) fly a lot and a few may really not have heard about dangerous liquids yet (I felt really sorry for an elderly couple who had to ditch pretty much all their toiletries leaving Zurich for Madrid and wondering how they would survive there), but then at least open your eyes and turn on your brain, please.
Unfortunately, the typical Bangkok/Southern Thailand tourist probably hasn’t got brain cycles left between walking and carrying luggage. If you don’t believe me, stop-over in Bangkok and look around: anything with legs in shorts and flip-flops probably fits right in, any obscenely and annoyingly loud group as well. For instance, this circus of 10 en route to London, who joined the end of the queue (read: about 1 hour to go) after their flight’s final call with millions of shopping bags. They furiously tried to raise hell, but failed and probably missed their flight.
Observing all such episodes around me made the hour go by fast — I also had ample time left before my gate would close. There was one situation, however, that made me walk over and complain to the supervisor (the one with the walkie-talkie): a couple from Canada were similarly faced with the final call for their flight to Toronto and walked straight up to the top of the lines — outside the ropes. After a short discussion, one of the security attendants escorted them to the gate without subjecting either their bags or bodies to the ever-secure screening process.
The supervisor (the one with the walkie-talkie) didn’t speak English. All she did was smile and make motions with her hands which suggested that I should join the end of the queue.
As I said before, I don’t believe that the (minimal) added security we have at airports today corresponds to or justifies in the slightest bit the shit we have to go through these days to be airborne. However, if you make rules, then stick to them and don’t open gaping (= inviting) security holes.
Fortunately, the Canadians later had to surrender their weapons of plane destruction since, on every gate, another party of security attendants glove-hand-searched every bag a second time, with the previous security checkpoint not 100 metres behind.
I don’t see Suvarnabhumi as a successful or scalable airport. If Bangkok wasn’t such a great place to kill a few hours (especially compared to e.g. Singapore), or the (best) entrance to Southeast Asia, I’d probably avoid it in the future.
Posted Mon 28 Jan 2008 03:54:29 CET
For whatever reason, my flights always bite with my food schedule; not that I have one, but I’ll get hungry part way through, it must be the excitement. Under no circumstances will I gulp down the crap they serve on short haul flights, and being a last-minute packer, I usually never find the time to eat before I leave home — I am also seldom hungry when there is stuff to be done before an immutable deadline, such as the departure of a plane.
Fortunately, Switzerland provides healthy and great relief in the form of Bircher Müesli, a snack that can keep you nourished for hours, and which renders itself well to Tupperware transport. So I’ve gotten into the habit of taking some along on trips.
Today, the security staff at the Zurich airport forced me to break with this habit and to throw out my treasured mush. I have since recovered from the pain, but because there is more to the story than Müesli in the dump, I thought it’s about time for yet another airport security story about liquids — my last one is more than half a year old and I am sure you’re craving by now…
When the attendants saw my 400ml container containing Müesli (think yoghurt for now, so you’ll know what consistency I am talking about), they categorised it as liquid and would not let me take it through. Obviously, there was no point in arguing nor in mentioning that I often take the stuff with me on planes and never had a problem before (which is true). I was left with the choice to dump it all, or try to eat it up before my flight left.
I opted for the latter, but 400ml of Müesli is quite too much for quick consumption and I had to declare forfeit about three quarters through. In a moment of genius, I did the math and postulated publicly that I should now be allowed to take the rest, because it’s less than 100ml (airplanes are allergic to liquids in larger volumes). I learnt then that the size of the container matters, not the amount of stuff it contains.
I handed over the container to the attendant under the pretense that I refuse to throw away food and had her do the deed instead. When I got the container back, I noticed that it still had traces of Müesli, looked at the queue of my flight and decided to have a go and be difficult. The result was that I had to head for the toilets and wash off all remaining traces of explosive Müesli.
I made sure to leave a good bit of water in the container, sealed it, and returned to the wardens of safety. This time, they let me pass, despite the 400ml container filled with, say, 30ml of water. But clear liquids aren’t dangerous, or so it seems. Or maybe this is the way to smuggle the real stuff on board?
The entire situation was hilarious. I stayed calm and friendly and made sure to inject a sentence about understanding that they’re just doing their job and aren’t responsible for the regulations at least every minute. They assured me that this was in fact what they were doing, and that it was their orders to obey the regulations imposed by Brussels without exceptions.
Just then, as I was repacking my bag behind the x-ray machine, I noticed how another passenger got through with shaving cream and other stuff in a small toiletries bag. When they didn’t even bother to unpack the bag, I remarked that the regulations also demand a single, one litre, transparent plastic bag to contain all the 100ml containers and asked whether they were aware of those.
At first, the attendant denied it. When I asked her to step over and look at the informational signs all over the place, which clearly documented the plastic bag requirement, she shrugged and got seemingly annoyed: “we do our job the way we do our job, leave it up to us.”
Some airport staff make you take off your shoes, others don’t. At some airports, you have to switch on laptops, at most you don’t. Some passengers are subjected to the new liquid regulations and have to throw out Müesli, others are exempt. Now what was that they say about the weakest link?
NP: Dream Theater: Awake
Posted Sat 07 Jul 2007 01:19:07 CEST
There once was a credit card number tied to a name and when it was abused, the credit card company decided to tie it to an expiration date. It didn’t take long until gifted hackers found out that twelve months and an average life cycle length of two years required them to check each credit card number against the 24 possible expiration date month-year pairs, so the credit card companies also required the billing address to match (at least fuzzily). Unfortunately, many of the companies accepting and storing credit card data are run by clueless people and the data sets of names, numbers, expiration dates, and billing addresses leaked, causing even more organised abuse. The credit card companies did not like that and proceeded to invest tiny amounts of additional energy and manpower into improving the status quo.
So then, one day, in the dungeons of the credit card company offices, a bright young graduate from one of the American elite colleges yelled “heureka” and outlined how to secure credit cards with the “credit card verification code” (CVC), printed on the back of each card — printed, not stamped like the number. Maybe his/her theory was that the stamped number could be read from both sides, so a printed CVC would only be readable from one side of the card, bringing an instantaneous 200% security increase. Maybe it was some other theory.
In any case, the companies readily adopted the CVC and by today, every web form will ask you to also enter the CVC. They’ll probably store and leak it too.
What’s next? Credit card colour?
NP: OSI / Free
Update: Andrew Pollock points me to the Wikipedia article on CVC as good reading. Indeed, the article explains security benefits in face-to-face transactions and in the so-called “card not present” situations, like ordering over the Internet. Apparently the CVC must not be stored, so in some ways they have learnt from the past. I know of at least one merchant in the US who stores the CVC in my profile though.
Update: Mark Brown adds: “The CVC is being used because it defeats attacks like taking a photo of a card with a mobile phone: it makes it usefully harder (not impossible) for people to transparently clone cards.” This squares with the Wikipedia article.
Posted Sat 06 Jan 2007 21:50:07 CET
