Sunday, July 19, 2009

Don't Trust the House

Following up on my last post about online poker, I'd like to begin a series of posts on why online poker is risky business.

This post will focus on the house, and why you shouldn't trust that the house will not cheat. My poker friends usually respond to my warnings by stating that the house only takes a rake, a small percentage of every pot, so their incentive is for fair play, and a lot of it. However, remember that the "house" is really a set of computer servers that are programmed by people. There is nothing stopping those people from entering the casino as well. These people can play in poker rooms with you, and they have access to all of the cards in the deck before they are dealt. That's a pretty big advantage.

If you think this example is far-fetched, then see this account of a 60 Minutes investigation that led to the discovery that a former World Series of Poker champion was behind exactly this kind of scam at the site Absolute Poker, stealing over $20 million. Because online poker's legal status is ambiguous in the US, and because the poker companies were managed in Costa Rica and run on an autonomous Indian reservation in Canada, the players who lost tens and even hundreds of thousands of dollars have had very little recourse.

The cheaters in the 60 Minutes story were discovered because they were greedy and were not trying very hard to hide. As the article describes, whenever a player was bluffing, the cheaters would go all in. When another player had a good hand, they would fold. The cheaters' winning percentage was a whopping 15 standard deviations away from the mean. They were almost asking to be caught.
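The "15 standard deviations" figure is the kind of statistic a site operator or third-party auditor can compute for every player. The following is an added example (not code from the original post or from any poker site) that scores a player's showdown results against a binomial expectation and shows how many showdowns a given edge needs before it becomes statistically visible; the 50% baseline win rate and the simulated players are assumptions for illustration.

```python
import math
import random


def showdown_z_score(wins: int, showdowns: int, p_expected: float) -> float:
    """Standard score of a player's showdown win count against the binomial
    expectation for a player whose true showdown win rate is p_expected."""
    if showdowns == 0:
        return 0.0
    mean = showdowns * p_expected
    sd = math.sqrt(showdowns * p_expected * (1.0 - p_expected))
    return (wins - mean) / sd


def hands_to_detect(edge: float, p_expected: float, z_threshold: float = 4.0) -> int:
    """Showdowns needed before a player whose true win rate is p_expected + edge
    would, on average, sit z_threshold standard deviations above expectation.
    Solving z = N*edge / sqrt(N*p*(1-p)) for N gives z^2 * p(1-p) / edge^2."""
    n = z_threshold ** 2 * p_expected * (1.0 - p_expected) / edge ** 2
    return math.ceil(round(n, 6))   # round first so 10000.0000000002 does not become 10001


def simulate_showdowns(true_p: float, showdowns: int, seed: int) -> int:
    """Constructed data: wins for a player whose true showdown win rate is true_p."""
    rng = random.Random(seed)
    return sum(1 for _ in range(showdowns) if rng.random() < true_p)


def audit_player(wins: int, showdowns: int, p_expected: float,
                 z_threshold: float = 4.0) -> str:
    """Flag a player whose results are too good to be luck at the chosen threshold."""
    z = showdown_z_score(wins, showdowns, p_expected)
    return "flag" if z >= z_threshold else "ok"


if __name__ == "__main__":
    baseline = 0.5   # assumed showdown win rate of a typical honest player
    scenarios = [("honest", 0.50, 200, 1),
                 ("greedy cheater", 0.95, 200, 2),
                 ("careful cheater", 0.52, 200, 3),
                 ("careful cheater", 0.52, 50_000, 4)]
    for label, true_p, n, seed in scenarios:
        wins = simulate_showdowns(true_p, n, seed)
        z = showdown_z_score(wins, n, baseline)
        verdict = audit_player(wins, n, baseline)
        print(f"{label:16s} n={n:6d} wins={wins:6d} z={z:6.2f} -> {verdict}")
    # A greedy cheater is exposed in a few dozen showdowns; a 2% edge takes ~10,000.
    print("showdowns to expose a 45% edge at z=4:", hands_to_detect(0.45, baseline))
    print("showdowns to expose a 2% edge at z=4:", hands_to_detect(0.02, baseline))
```

The careful cheater looks normal over 200 showdowns and is only flagged once enough hands accumulate, which is why monitoring has to run over long histories rather than single sessions.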

I believe that wherever and whenever there is an opportunity to cheat for big money, there are people who will do so. It would be naive to think that the Absolute Poker scam is the last of its kind. But, next time, the cheaters will be smarter and more careful. It would not be too difficult to program a bot, armed with knowledge of all the cards, to play at some small percentage of the poker tables, and to win just a little above average. The bot could be programmed to lose some and to only win within the expected norms of a good player. Over time, the author of the bots will win millions.

The next time you sit down at a poker table with real money, ask yourself how confident you are that the other "people" at the table are human, and that none of them is in cahoots with the house. Remember that in the case of Absolute Poker, the company running the servers was not an accomplice. There was just a malicious insider.

Thursday, July 16, 2009

Know when to Hold 'em

I sometimes play online poker, Texas Hold 'em, on my iPhone. The application is by Zynga, and it's not real money - just for fun. Still, it's highly interactive and extremely fun. People from anywhere in the world join tables with other iPhone users along with other users on their computers. You get several thousand play dollars, and you're off and running.

Although I really enjoy playing Texas Hold 'em, I've never played for real money online. As a security researcher, there are too many reasons why I don't trust the system to be fair. For starters, collusion among other players could put me at a huge disadvantage. They could share their cards and their money, and in any situation, they would be able to calculate the odds of making or not making certain hands much better than I could. Over time, they would be expected to destroy me. I can't think of any way to prevent collusion. Furthermore, how do I know that the house isn't cheating? How do I know the cards are random? How do I know nobody can see my cards? What about malware on my phone or desktop that could read my cards from memory? I have many other worries.

Many of my friends play Texas Hold 'em online for money, despite my warnings. Well, this week, I had an interesting experience playing on my iPhone. I was dealt the King of spades and the King of clubs. A pretty good hand. I bet it aggressively, and I made a bunch of "money" on the hand. The next hand, I was dealt ... the King of spades and the King of clubs. That seemed like a pretty unlikely coincidence. But, it was still possible. I bet it the same way and was paid off again in a showdown (meaning that everyone saw my cards at the end). The very next hand, I was once again dealt the two black kings. This time I bet it even more aggressively, correctly thinking that the others wouldn't believe I had three good hands in a row and would put me on a bluff. I got a lot of callers and really cleaned up. (The next hand after that I had a more typical hand for me, something like two-seven off suit.)

Unfortunately, I was not actually in the room with the other players, so I couldn't see their reactions, but I have to believe that they were incredulous. What are the odds of being dealt the same exact two high cards three hands in a row? I don't have my calculator on me, but my intuition tells me that it shouldn't happen that often. I had never seen it before. So, what caused this? I believe the most likely answer is coincidence. But, perhaps it was an error in the way memory is cleaned up in the poker software? Maybe it was due to a bug in the random number generator? It would have to be an error on the server, as I imagine that the client just displays what it's told, and considering that the other players saw my cards, I don't think it was a client-side error. I'll never know for sure, but I can say that every time an extremely unlikely event happens in online poker - and they are guaranteed to happen sometimes - doubt will creep in about the security and honesty of the system. It's one reason I won't play online for real money.
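The calculator the post lacks, as an added example that is not part of the original post: the exact probability of the same hole cards arriving on the next two deals, plus the check an operator could run to tell coincidence apart from a dealer that fails to reshuffle. The deck encoding, the simulated "stale deck" bug and the sample sizes are constructed for illustration.

```python
import random
from fractions import Fraction
from math import comb, sqrt

RANKS = "23456789TJQKA"
SUITS = "shdc"
DECK = [r + s for r in RANKS for s in SUITS]   # 52 cards; "Ks" = king of spades
HOLE_COMBOS = comb(52, 2)                       # 1326 distinct two-card hands


def prob_repeat_hole_cards(repeats: int) -> Fraction:
    """Probability that the next `repeats` fresh deals each give exactly the two
    cards you were just dealt. Deals are independent, so it is (1/1326)**repeats;
    the two black kings three hands running is repeats=2, about 1 in 1.76 million."""
    return Fraction(1, HOLE_COMBOS) ** repeats


def deal_hole_cards(rng: random.Random, deck: list) -> tuple:
    """Shuffle the deck in place (Fisher-Yates via rng.shuffle) and deal the top two."""
    rng.shuffle(deck)
    return tuple(sorted(deck[:2]))


def honest_hands(n: int, seed: int) -> list:
    """Constructed data: n hands from a dealer that reshuffles the full deck every hand."""
    rng = random.Random(seed)
    deck = DECK[:]
    return [deal_hole_cards(rng, deck) for _ in range(n)]


def stale_deck_hands(n: int, seed: int, stale_prob: float) -> list:
    """Constructed data for a simulated dealer bug of the kind the post wonders about:
    with probability stale_prob the previous hand is served again unchanged
    instead of the deck being reshuffled."""
    rng = random.Random(seed)
    deck = DECK[:]
    hands = [deal_hole_cards(rng, deck)]
    for _ in range(n - 1):
        if rng.random() < stale_prob:
            hands.append(hands[-1])
        else:
            hands.append(deal_hole_cards(rng, deck))
    return hands


def repeat_rate_z_score(hands: list) -> float:
    """Count consecutive identical hands and compare with the 1/1326 rate an honest
    dealer produces. z near 0 is consistent with coincidence; a large positive z
    points at the dealer (stuck RNG, reused deck state), not at luck."""
    n = len(hands) - 1
    repeats = sum(1 for a, b in zip(hands, hands[1:]) if a == b)
    p = 1 / HOLE_COMBOS
    return (repeats - n * p) / sqrt(n * p * (1 - p))


if __name__ == "__main__":
    p2 = prob_repeat_hole_cards(2)
    print("P(next two deals repeat your hole cards) =", p2, "~", f"{float(p2):.2e}")
    print("honest dealer z =", round(repeat_rate_z_score(honest_hands(60_000, 1)), 2))
    print("stale dealer  z =", round(repeat_rate_z_score(stale_deck_hands(20_000, 1, 0.01)), 2))
```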

Tuesday, May 12, 2009

A vote in favor of electronic medical records (with caution)

Efforts to move medical records out of their antiquated paper files and into sleek new computer systems have gained great momentum in recent months. The Obama administration has pledged $17.2 billion in economic stimulus funds toward this goal. Supporters have hailed the benefits of speedier access to critical medical data and easier transfer of medical histories when a patient sees a new physician.

But amid this rush toward new technology, some doctors and several organizations such as Patient Privacy Rights have raised a yellow flag of caution. In this age of Internet hackers and lost laptops, just how secure, they ask, will these computerized medical records be? After all, it’s a lot easier for someone to waltz out of a hospital with a USB stick in their pocket containing 5,000 patient records than with many boxes containing the equivalent paper records. Moving electronic records online can make them particularly vulnerable.

To some extent, these fears are justified. I have been studying the security of electronic medical files for about a year now, and it’s not the first time I’ve confronted the pros and cons of paper versus electronic records. Since 2003, my primary research has focused on the security of electronic voting systems. As a result of that work, I have concluded that the best way to ensure proper elections is to move from electronic to paper ballots.

Yet what is true for voting systems is not necessarily true for electronic medical records. The adversarial model in these two applications is completely different. In a voting system, all parties should be viewed as adversarial. Everyone has a stake in the outcome, and there is no reason to believe every software developer, election official, poll worker or voter will refrain from tampering with the process. That doesn’t mean these people are malicious. It just means that we need voting systems that can be trusted, even when the people associated with the process are corrupt.

Contrast that with the medical records scenario. Computerized system designers and builders have every reason to want their technology to be secure, and little or no incentive to undercut this. Vendors will sell more systems if their technology is highly secure. Hospital administrators will seek the safest systems to protect patient privacy and keep their institutions off the front pages and out of the courtroom. For patients, the benefits are obvious.

Protecting identifiable electronic medical records is easier than protecting anonymous votes in an election. And it is a manageable problem. That’s not to say that there will never be incidents where medical records are compromised. But with good design, proper care, appropriate procedures and of course sufficient funding, electronic medical records can be protected as well as or even better than the paper versions.

Still, we need to be careful. There are many wrong ways to make this transition. If history is any indicator, unless a concerted effort is made to require proper protection, the new medical systems will be no better than the insecure voting machines that many states have purchased. When money flows from Washington, vendors tend to spring up out of nowhere. The ones who gain traction are the ones with the best sales teams, the glossiest brochures and the best connections, but not necessarily the most secure systems. This has happened over and over again in every industry.

We need to make sure that security standards, including evaluation and testing procedures, are established before the billions are spent. Computer security experts in academia, government and industry should all be engaged to establish criteria and evaluation methodologies. We need support from all of the relevant stakeholders, including privacy advocates, the medical establishment, vendors and the technical security community.

We are facing a golden opportunity to improve the lives of millions of Americans by providing computerized storage and access for medical records. We can reduce or eliminate redundancy, waste, unnecessary exams and procedures, and medical errors. And, we can do it without inordinate risks to individual privacy. Nevertheless, while electronic records appear to be our destiny, the privacy of those records will only be preserved if we are careful and do this right. There will be no second chances.

Tuesday, March 31, 2009

ISE press release: New CEO hired April 1

Date: April 1, 2009

Independent Security Evaluators Hires CEO

Independent Security Evaluators LLC (“ISE”), a Baltimore-based computer security consulting firm, has hired Richard “Rick” Wagoner as the Chief Executive Officer. Dr. Avi Rubin, president and founding partner of ISE, stated that the company’s rapid growth led to the need to bring in a CEO. “We have been very fortunate to have experienced significant growth since we started ISE four and a half years ago,” said Dr. Rubin. “Our client base and reputation continue to grow, and in order to continue delivering the highest level of technical consulting expertise, we felt it was time to recruit a business leader with a proven track record to manage operations and provide strategic direction for ISE. We are grateful to President Barack Obama for making Mr. Wagoner available for this job.”

Dr. Rubin and the partners of ISE believe Mr. Wagoner has the right skill set and experience to move ISE forward. “Rick offers the unique blend of drive and creativity, combined with executive management experience that we are confident will take ISE to the next level,” said Dr. Rubin.

Mr. Wagoner has held high level corporate management positions. Most recently, Mr. Wagoner was chairman and chief executive of General Motors Corporation. Although GM experienced a loss of $80 billion under his watch, Mr. Wagoner is confident that things will be better at ISE. “The tremendous loss of market share that we experienced at General Motors in the last eight years is simply not possible at ISE. This makes my new challenge all the more exciting,” said Wagoner. He received a bachelor’s degree in economics from Duke University in 1975 and a master’s in business administration from Harvard University in 1977.

“I am thrilled to be working with such a talented group of people in the expanding field of information security,” said Mr. Wagoner. “Avi and the partners have created a very solid base from which to grow the business. I am excited to work for a company that is not unionized and to escape the cold winters of Michigan. Being in Baltimore has other advantages. If we need to go to Washington for a bailout, it’s only an hour’s drive away – no need for a corporate jet.” ISE plans to invest the savings from not needing a corporate jet back into the local community.

About ISE: ISE was founded by Dr. Rubin, a computer science professor and the Technical Director of the Information Security Institute at the Johns Hopkins University. A custom technology consulting group, ISE was established to address the need for increased information security at every level of an organization. ISE leverages academic theory and real world experience to design and build new, innovative solutions and to evaluate existing security infrastructure. In the near future, ISE expects to produce energy efficient, low cost, and highly secure automobiles.

Tuesday, March 17, 2009

Trusting Bruce Schneier is risky business - just ask Jack Bauer

In last night's episode of Fox's thriller show, 24, there is a reference to the Blowfish algorithm which was designed by Bruce Schneier. On the show, an email message that contains the expected location of Jack Bauer is encrypted using Blowfish. The FBI intercepts the message and must decrypt it if they are to find him. I was curious to see what the 24 writers had up their sleeve. The answer: the designer of Blowfish put in a back door which was known to a former CTU operative. The FBI had leverage over the former CTU man because his wife was being held and faced at least 15 years in prison. The cipher was broken in seconds. Thanks a lot, Bruce! Thanks to your back door, Bauer is now being chased as a wanted man ... at least until next week.

Monday, March 09, 2009

Facebook privacy settings - nice, but I wish they actually worked

I resisted joining facebook as long as I could, but I finally succumbed to peer pressure and joined. Like most people, I have a love-hate relationship with the site. It has been great for catching up with old friends, keeping up with what people are doing, and making announcements to large groups of friends. But facebook has also posed dilemmas at times. What do I do when someone I barely know tries to friend me? How about someone I don't know? What about someone from high school whose name sounds very familiar, but I can't for the life of me recall if we were friends or if perhaps I hated that person?

Like most people, I set a personal threshold above which I accept the invitation. At the risk of offending people, I typically err on the side of accepting requests. So, I've now got over 200 facebook friends, many of whom I barely know. As such, facebook is a lot less useful. The main reason is that I have disjoint circles of friends whom I know for different reasons, and with whom I have different kinds of interactions. First there's family. I like to share pictures and videos of my kids with my relatives. But, I don't necessarily want everyone to see them. I have my soccer buddies. I play in two different leagues on Sunday mornings and Thursday nights. I sometimes use my status to poke fun at something that happened in a game, or to brag about a big win. Most of my friends don't really care about that. I have my poker buddies, my geek computer science friends, my high school pals, college roommates, sailing mates, tennis partners, and other circles of friends, none of whom know each other. I've been friended by current and former students, researchers in my field at other universities, past colleagues in industry, and friends of my family since childhood. Of course, I've done a lot of the friend requesting myself. The point is that it's a diverse set of people, and that I interact with them very differently. Some of my poker buddies have tattoos and take cigarette breaks during games, while many colleagues in my field have never had a friend with fancy body markings and wouldn't be caught dead in a casino. Some of my computer science colleagues have won international awards for highly technical discoveries, while some of my soccer teammates didn't go to college.

As far as I can tell, facebook does not recognize that people live in many different communities. I'd like the ability to post one status message to all my relatives and a different one to all my technical colleagues. I'd like to post pictures of my kids that only our group of friends that I will refer to as "parents of our kids' friends in school" can see. I tried to figure out a way to do this, and discovered a feature on facebook that allows you to make lists of friends. Then, supposedly, you can control the access to your facebook information based on these lists.

Either I do not understand how these features work, or more likely, they do not actually work correctly. (If the former is true, then facebook has designed privacy features that a computer scientist specializing in computer security and privacy cannot understand, and so they better get to work on their interface.) In the privacy setting screen, under Settings->Privacy->Profile, you can set who can see various information, such as profile, status, wall postings, videos that you are tagged in, and others. If you select "Custom", you can specify a friend list. There is also a nifty feature that lets you see your page as any of your friends who you select would see it. So, for example, I can specify Ann Rubin and see what my facebook pages look like when Ann Rubin accesses them, based on my privacy settings. I played around with this for a while. I set a friends list that consists of personal friends who I tend to socialize with. Selecting the names was an interesting exercise. The threshold I set was whether I had gotten together with this person in a purely social setting in the last two years. I set it so that only people on this list could view my status updates and my wall postings. I then set my status and posted some things to my wall.

Next, I viewed my facebook home page as one of my friends who was not on the social list. The status was not visible, but the wall posting was. I've since experimented quite a bit with the privacy settings using friend lists, and I've found that some of the features simply don't work. It is possible that I'm not doing it right. It wouldn't be the first time. But I consider myself an expert in this sort of thing, and if I can't get it right, I don't think there's much hope for the broader facebook user population. I wonder to what extent facebook has tested the custom options in their privacy settings. The only thing worse than not providing privacy features is providing privacy features that do not actually give the claimed privacy. Think of how much trouble you could get in. I might have posted pictures of myself sailing on a day that I was supposed to be at work, believing that my JHU colleagues, my department chair, or most seriously my students couldn't access my wall. It's a good thing that I tested the features before feeling comfortable using them.

The bottom line is that there really is no privacy for information that you volunteer onto facebook. If something would embarrass you, or would be inappropriate for certain friends, you shouldn't post it thinking that only the other friends will see it. In theory, facebook is an excellent way to keep up with people and to notify people of your activities in a twitter-like fashion. But, when it comes to privacy, facebook still has a lot of work to do.

Thursday, March 05, 2009

I'll update my software when I'm good and ready - thank you

Not since I got my first iPhone (after waiting in line for a few hours) have I been as excited to get a new gadget as I was last week when my new Amazon Kindle 2 arrived. It did not disappoint. The screen resolution, using the new e-ink technology, is absolutely stunning. You have to see it to believe it. I immediately purchased the book that I've been reading in hardcover, Ken Follett's World Without End, and I put the heavy volume on the bookshelf for good. I also downloaded samples of Barack Obama's book about his father and of course, of my book Brave New Ballot, so I could show it to people. The books download in under a minute. I read in the instructions that the battery lasts much longer when the wireless modem is off, so once I downloaded my books, I turned off the modem.

Yesterday, Amazon released the Kindle for iPhone app - another exciting development. I installed the app, and the iPhone automatically downloaded the books that I had purchased on my Kindle. I checked out World Without End, and the book opened to the spot that I was reading on the Kindle a couple of days ago when I turned off the wireless modem. Very nice! Amazon's Whisper Sync technology kept the iPhone version and the Kindle version at the same spot. Unfortunately, this meant that I had to keep the Kindle modem on if I wanted the iPhone to know where I was. That was okay. I could either remember to turn on the modem for a short while when I finished reading on the Kindle, or just keep it on and remember to charge it.

I wanted my iPhone to know where I was in the book, so I turned on the Kindle modem. That's when I discovered a "feature" in the Kindle that I did not like. The Kindle suddenly went blank and a progress bar came on, along with the words "Software is updating" or something like that. I don't remember the exact words. The Kindle had a software upgrade, and without any prompting, it performed the update. Presumably, this was the update that disabled text to speech on some of the books (see this article).

Now, I am a gadget freak. I am an early adopter of almost every cool new gadget that comes out. I can barely count the number of items in my house that update their own software. My Blu-Ray DVD player, my DVR, my Apple TV, my computers, my iPhone, my digital camera, and even my refrigerator (just kidding) - they all get software updates all the time. But first, they ASK ME. It is only civilized. Amazon has decided that it is not a user's choice whether or not to update the Kindle software. This is downright rude.

When I first studied the idea of software updates on common devices, back when I worked at AT&T Labs, and we were designing security protocols for cable modems, I was very concerned. But, proper use of digital signatures and public key cryptography can greatly reduce the security risks. However, software updates are disruptive. They can break things, and they might come at a very inconvenient time. The user owns his devices, and it should be his choice whether or not to update the software. I do not like the auto software update on the Kindle one bit. I hope that the next software update that happens to me while I'm in the middle of reading will change the software update process so that the user can decide whether or not to update.

Other than that, I love my Kindle. I read a lot, and now the experience is that much better. Now, I wait for Kindle 3. What will it have? Color? Touchscreen? Virtual Display in my contact lenses? It will be exciting, and hopefully, it will let me control software updates.

Tuesday, February 03, 2009

Family Resemblance

Yesterday, I installed the new version of iLife '09 on my computer. This is Apple's photo management and editing software for the Mac, and the new version includes a truly incredible feature based on face recognition technology. You can select pictures from your photo library and tag faces in the pictures. The software then searches your library and finds other pictures that it selects as candidate matches for the tagged faces. There is an interface for viewing all of the candidate pictures, confirming correct matches, and correcting pictures that have been mis-tagged.

I am an amateur photographer with a photo library of over 30,000 pictures, going back to the advent of digital cameras. I have a studio in my basement where I take portrait shots, and I'm often lugging around my camera bag with all my lenses - especially to the kids' events at school. Finding particular pictures has been very hard, but Apple has made it easier with the last few upgrades to iPhoto, including categorizing pictures into Events, keyword searches, and smart libraries. This face recognition technology takes organizing photos to a new level.

One of the most interesting and entertaining properties that I've discovered in iPhoto '09 comes from pictures that are tagged incorrectly by the software. The most common mistake is tagging someone as his/her sibling. There must be something in the face recognition algorithm that picks up on family resemblances that are not perceived by humans. For example, as luck would have it, my brother and I look nothing alike. (In this case it is his good fortune.) We've been told that our entire lives. But, in several instances the software confused our faces. Similarly, my father and his brothers were mis-tagged as each other. In fact, the two people that the software seems the most confused about are my older daughter and my son. I found this a bit surprising because my son has a twin sister, and I have not seen an instance yet where one of the twins was tagged as the other. However, my older daughter and my son seem to provide the biggest challenge to the tagging feature.

I've noticed two factors that contribute to the accuracy of the face recognition - the number of pictures I have of someone, and the number of times I manually tag them. So, it's not surprising that the most collisions occur between relatives. Still, I observed few instances of two people being tagged as each other where there was no blood relation. Siblings on the other hand seem to throw iPhoto face recognition for a loop.

What was surprising to me was that I was not tagged as either of my parents by the software, despite the fact that people tell me I look like my mother. In fact, I saw very few instances of parents tagged as their children or vice versa. I'm very curious about the face recognition algorithm and about the family resemblance properties that iPhoto '09 exposes as a side effect.

Apple has taken what I believe to be a revolutionary step in photo organization, and for once, the bugs, or more accurately, the deficiencies in the software, namely mistakes in the tagging algorithm, actually provide the most fun.

Tuesday, January 13, 2009

Jack Bauer and the security of our critical infrastructure

Last year, I became addicted to the Fox TV show "24". I downloaded all of the old episodes to my iPhone (and later my Apple TV) and I watched them while working out. Watching the high-intensity, high-action 24 adds to the adrenalin rush I get while riding my exercise bike or running on my treadmill. The first two seasons were amazing. Jack Bauer saved the world from nuclear war and from a deadly virus. Over the next 4 seasons, the show continued to play on these themes, but it became somewhat predictable. There are only so many ways bad guys can destroy the world. Several months ago, I finally caught up; I had seen all of the old episodes. And last year, there was no 24 due to the writers' strike in Hollywood.

It appears that the writers had some time to come up with some new and creative material during the year layoff. This year's season, which premiered last month and then again this past weekend (the show managed to have 3 premieres for a total of 6 hours) is based on a premise that I know all too well. In fact, it is very interesting to me that the writers' brainstorming of what could be the worst threat to the US besides a nuclear or viral attack is the same as what I have been worried about for some time now. The basic idea is that the bad guys have kidnapped a security expert who was the chief designer for a super firewall that controls access to all of the critical infrastructure in the country. This scientist is forced to create a device that allows the bad guys to take over air traffic control, the water treatment centers, the power grid, etc. (Never mind that he is able to accomplish this in a matter of minutes.)

While the show is not very accurate technologically, and the specific scenario of this season's 24 is far from realistic, the actual threat is very real. Much of our critical infrastructure is controlled by computers. Real time control systems are increasingly dependent on software, software that inherently contains bugs and is increasingly complex. The same targets that are depicted in over-dramatized fashion on 24 are becoming increasingly vulnerable to real world criminals. Now, President-elect Obama is talking about digitizing health records and about upgrading our technological infrastructure. I'm all for that. But, security needs to be a top priority. We cannot let what happened with voting systems - where the technology was developed before security was considered - happen in our healthcare system.

Part of the reason why I have been enjoying watching 24 is that I get a good laugh at some of the ridiculous depictions of technology and, in particular, security. However, the vulnerability of our critical infrastructure to cyber attack is no laughing matter.