Again on threat models

I’ve read many people over the past few months referencing James Mickens’s article on threat models. Given I wrote last year about a similar thing in regard to privacy policies, one would expect me to fall in line with said article fully. They would be disappointed.

While I agree with the general gist of the article, I think it gets a little too simplistic. In particular it greatly downplays the importance of protecting yourself against two separate classes of attackers: people close to you and people who may be targeting you even if you don’t know them. These do seem at first sight to fit in with Mickens’s categories, but they go a little further than he’s describing. And by painting the categories as “funny” as he did I think he’s undermining the importance of security.

Let’s start with the first threat model that the article points out in the “tl;dr” table:

Ex-girlfriend/boyfriend breaking into your email account and publicly releasing your correspondence with the My Little Pony fan club

Is this a credible threat? Not really, but if you think about it a little more you can easily see how this can morph into disgruntled ex breaking into your computer/email/cloud account and publicly releasing nude selfies as revenge porn. Now it sounds a little more ominous than being outed as a fan of My Little Pony, doesn’t it? And maybe you’ll call me sexist to point this out, but I think it would be hypocritical not to point out that women are much more vulnerable to this particular problem.

But it does not have to strictly be an ex; it may be any creepy guy (or gal, if you really want to go there) who somehow gets to access your computer or to guess your “strong” password. It’s easy to blame the victim in these situations but that’s not the point; there are plenty of people ready to betray the trust of their acquaintances out there — and believe me, people trust other people way too easily, especially when they are looking for a tech-savvy friend-of-a-friend to help them fix their computer. I’ve been said tech-savvy friend-of-a-friend, and it didn’t take many times doing the kind of usual recovery to realize how important that trust is.

The second “threat model”, which is easily discounted, is described as:

Organized criminals breaking into your email account and sending spam using your identity

The problem with such a description of the threat is that it’s too easy for people to discard it with “so what?” People receive spam all the time, why would it matter whose identity it’s sent as? Once again, there are multiple ways to rephrase this to make it more ominous.

A very simple option is to focus on the monetary problem: organized criminals breaking into your email account looking for your credit card details. There are still plenty of services that will request your credit card numbers by email, and even my credit card company sends me the full 16-digit number of my card on the statements. When you point out to people that the criminals are not just going to bother a random stranger, but actually are going after their money, they may care a significant bit more.

Again this is not all there is, though. For a security or privacy specialist to ignore the issues of targeted attacks such as doxxing, coming up with the harassment campaigns that are all the rage to date is at the very least irresponsible. And that does not involve only the direct targets of harassment: the protection of even the most careful person is always weak to the people they have around, because we trust them, with information, or access, and so on.

Take for instance Facebook’s “living will” for users — if one wanted to harass some person, but their security was too strong, they could go after their immediate family, hoping that one of them would have the right access to close the account down. Luckily, I think Facebook is smarter than this, and so it should not be that straightforward, but many people also use family members’ addresses as recovery addresses if they were to lose access to their own account.

So with all this in mind, I would like to point out that at the same time I agree and disagree with Mickens’s article. There are way too many cryptographers out there that look into improbable threat models, but at the same time there are privacy experts that ignore what the actual threats are for many more users.

This is why I don’t buy into the cult of personalities of Assange, Snowden or Appelbaum. I’m not going to argue that surveillance is a good thing, nor am I going to argue that there are no abuses ever – I’m sure there are – but the focus over the past two years has been so much more on state actions than on malicious actors like those I described earlier.

I already pointed out how privacy advocates are in love with Tor and they ignore the bad behaviours it enables, and once again I do wonder why they are more concerned about the possibility of obscure political abuses of power, rather than the real and daily abuse of people, most likely a majority of whom are women.

Anyway, I’m not a thought leader, and my opinions are strictly personal — but I do think that the current focus on protecting the public from possibly systemic abuse from impersonal organisations such as the NSA is overshadowing the importance of protecting people from those they are most vulnerable to: the people around them.

And let’s be clear: there are plenty of things that the crypto community can and should do to protect people in these situations: HTTPS is for instance extremely important, as it does not take a huge effort for a disgruntled ex to figure out how to snoop cleartext traffic to find the odd password or information that could lead to a break.

Just think twice, next time you decide to rally people up against a generic surveillance society phantom, or even to support EFF — I used to, I don’t currently and while I agree they have done good things for people, I do find they are focusing on the wrong threats.

Privacy Theatre

I really wish I could take credit for the term, but Jürgen points out he coined the term way before me, in German: Datenschutztheater. I still like to think that the name fits many behaviours I see out there, and it’s not a coincidence that it sounds like the way we think of TSA’s rules at airports, security theatre.

I have seen lots and lots of people advocating for 100% encryption of everything, and hiding information and all kinds of (in my opinion) overly paranoid suggestions for everybody, without understanding any threat model at all, and completely forgetting that your online privacy is only a small part of the picture.

I have been reminded of this as I proceeded sorting out my paperwork here in Dublin, which started piling up a little too much. My trick is the usual I used in Italy too: scan whatever is important to keep a copy of, and unless the original is required for anything, I destroy the hard copy. I don’t trash it, I destroy it. I include anything that has my address on it, and when I was destroying it with my personal shredder, I always made sure to include enough “harmless” papers in the mix to make it more difficult to filter out the parts that looked important.

As I said in my previous post, I’m not worried about “big” corporations knowing things about me, like Tesco knowing what I like to buy. I find it useful, and I don’t have a problem with that. On the other hand, I would have a problem if anybody wanting to attack me directly decided to dumpster-dive me.

Another common problem I see that I categorize as Privacy Theatre is the astounding lack of what others would call OpSec. I have seen plenty of people at conferences, even in security training, using their laptop without consideration for the other people in the room, and without any sort of privacy screen. In one of the past conferences I’ve seen mail admins from a provider that will go unnamed, working on production issues in front of my eyes: if I had mischievous intents I would have learnt quite a bit about their production environment.

Yes, I know that the screens are a pain, and that you have to keep taking them in and out, and that they take away some of the visual space on your monitor. Myself, for my personal laptop I decided on a gold privacy screen by 3M, which is bearable to use even if you don’t need it, as long as you don’t need to watch movies on your laptop (I don’t, the laptop’s display is good but I have a TV and a good monitor for that).

But there are tons of other, smaller pieces that people who insist they are privacy advocates really don’t seem to care about. I’m not saying that you should be paranoid, actually I’m saying the exact opposite: try to not be the paranoid person that wants everything encrypted without understanding why. In most cases, Internet communication needs to be encrypted indeed. And you want to encrypt your important files if you put them in the cloud. But at the same time there are things that you don’t really care about that much and you’re just making your life miserable because Crypto-Gods, while the same energy could be redirected to save you from more realistic petty criminals.

My Personal Privacy Policy

Be warned, this post might as well offend you — it’s actually the same topic, and mostly the same post, as I was trying to write months ago and the last of a series of drafts that Typo made me lose and for which I was actually quite pissed off at it.

A premise: considering my current employer, you could expect that I’m biased. People who have known me for a while should know that this has always been my point of view and a payslip is not enough for buying my ideals. A second premise is that what I’m writing here is my personal opinion and has nothing to do with my employer.

Before getting into the details of my personal view on privacy, I’ll have to at least categorize who I am. I’m most definitely not a public figure, but I’m also not a complete nobody. I’m not sure if I’m notable, I’m not an activist as Jürgen is, but with being a Gentoo developer, I end up in a more visible spot than your average person. Even so, I’m not an A-list or even a B-list blogger.. maybe a D-list, for Diego, would be okay. It is obvious too when you consider that my blog has unmoderated, unlimited, non-captcha comments and yet I receive only a handful of them per post.

It is not something I care to think about too much, but I have noticed when I started working here in Dublin, that there were people that already knew me, even when I did not know them before, if not by a name passing on my blog’s comments. It does not mean much, of course, as my contribution to the world is still negligible. But it does mean that what I write on my blog, on my (public) Twitter, Facebook, Google+ profiles, is seriously public. My blog, my mailing list posts, even my IRC history is something that not only employers can look into, but also something that an enemy, if there are still some out there that didn’t grow bored of making my life miserable, would be able to leverage.

So with this premise, what is my idea of privacy? Well, as you probably remember, I have no problem with relatively big corporations knowing what I buy, and given how I use both FourSquare and Ingress, I have no problem with them knowing where I am in most cases. I also have no problem with most of my friends knowing where I am; sure, it takes away from me the option of lying to people if I don’t want to go out with them — I count that as a positive note though, as my friends can count on the fact that I’m not doing that. Myself, if I was to do that, I would probably just not count them as friends, and thus would not have a problem with telling them that I don’t want to see them.

Is there anything I don’t want to broadcast? Sure, plenty. And I don’t do that by default. My opinion of people, for instance, is not something I tend to talk about, well, depends on the people of course. And there are habits of my own that I’d rather not talk about. And embarrassing personal problems too, but these do not include, for instance, my diabetes or my pancreatic problems, even though, as medical records, they are among the most protected data about me that is to be found out there.

Let me try to make a practical example of what my concerns of privacy actually are. It’s not a mystery that I’m no good with relationships – surprise, surprise, for a geek – and I’m pretty sure I admitted before to being a virgin as of 28 years of age (and counting). If I was to meet a gal with whom there could be a reciprocal attraction (unlikelier by the day), that would be one thing that I wouldn’t want to be known right away by everyone on earth. If nothing else, because I would probably not believe in the situation myself.

But more importantly, both details and general gists would have different circles of people who would get to know them at different times. My mother would, most definitely, be the last one to know — I originally wrote “my family” (which is basically me, my mother and my sister and her husband), then I realized that something that I similarly wanted to keep from them happened recently, when I got almost mugged. My sister got to know about that episode the week after it happened, when I had to go to the dentist and get the tooth extracted — the punch caused me an abscess that was quite painful and dangerous. I was broadcasting the event to the public and keeping it from my family because I did not want to worry them until the whole thing was completed. My mother still does not know that happened. It helps that neither speaks nor reads English.

So going back to the example above, it’s a certainty that my colleagues would probably find out almost first, as I’m a person of routine and anything that breaks said routine is going to be pretty visible. I could make an excuse, but why? So it’s just going to be noticed. But unless I broadcast it, my sister and mother will not get to know it until I tell them. Sure, FourSquare could possibly deduce a change in behaviour, or notice that I’m checking in with a different set of friends; a government agency tracking my phone and hers could possibly find that I’m taking long walks with a new person (and that could be easily mixed in with my phone often taking long walks with other people as I play Ingress), but what would they care about it? It’s not illegal here.

And here’s the first tenet of my personal privacy policy: the fact that I can afford not to hide from governments is a privilege, and so is my ability to broadcast my position and my habits. I live and lived in countries that are relatively civil, I’m not, say, a gay person in Russia, and, sorry to say this so bluntly, I’m not female, which makes showing people that I’m somewhere alone not that much of a concern. This is the same concept of threat model that applies to computer security and other security areas; in my threat model, what I’m concerned about are not state actors or corporations, but rather criminals and personal enemies.

Back again at the example, if actually going out with somebody would break my routine enough to be noticeable, becoming sexually active I’d expect not to – just a guess, given that I’m not able to tell at this point – and that does change a few more things. Given it would be something private between me and this hypothetical significant other, I wouldn’t be talking about it in the open, which means even my colleagues would not know about it. Somebody would probably know that basically right away: my doctor for sure, and possibly my pharmacist (yes, I do have a local pharmacy, the one where I go buy my insulin and the other prescription drugs I have to take). The former would know when I ask him a new set of blood tests to be safe, the latter would know when I’d be asking for condoms for the first time. Alternatively, Tesco would know when I’d order them from the website, and the delivery guy would know as well, when he comes delivering. I’m pretty sure between the two options I’d go with the pharmacy, as I’ve already given up with being embarrassed when talking with them.

To close this, I would like to note that even though I live in what is mostly a glass house, I don’t expect everybody else to do so too. I’m just writing this to signify that I don’t think that there are many threat models that apply to me, for which I would start wearing a tinfoil hat in light of the “NSA revelations” that last year brought us. Maybe for some of you there are, but I doubt that all the people that have been fretting about Tor attacks and the like have good reason to do so.

I’m sure that there are people out there, under oppressive governments, who entrust their lives to Tor and similar tools, so identifying and resolving its vulnerabilities is something that I can’t disagree with. On the other hand, as I said before, most of the self-defined privacy advocates out there tend to not consider that this also helps people like the SilkRoad users. While I’m definitely okay with legalization of marijuana, I’m of that opinion because it would avoid the existence of things like SilkRoad.

On the other hand, the NSA revelations do concern me, not because I’m scared of the NSA, but because if they can do it now, others will be able to do so in the future, and if those others are criminals, then I’d be scared of them. So please let’s all try to make things better, encrypt everything, research and find ways around browser fingerprinting and help the EFF (I’m a donor too). Just keep in mind what your threat models are, rather than just blindly follow the blogosphere’s hysteria.

Privacy advocates: two weights, two measures

While I don’t want to say that all privacy advocates are the bad kind of crybabies that I described in my previous post, there are certainly a lot I would call hypocrites when it comes to things like the loyalty schemes I already wrote about.

So as I said in that post, the main complaints about loyalty schemes involve possible involvement with bad government (in which case we have a completely different problem), and basically have to do with hypothetical scenarios of a dystopian future. So what they are afraid of is not the proper use of the tool that is loyalty schemes, but of their abuse.

On the other hand, the same kind of people advocate for tools like Tor, Bitcoin, Liberty Reserve or FreedomBox. These tools are supposed to help people fight repressive governments among others, but there are obvious drawbacks. Pirates use the same technologies. And so do cybercriminals (and other kinds of criminals too).

Where I see a difference is that while even the Irish Times struggled to find evidence of the privacy invasion, or governmental abuse of loyalty schemes (as you probably noticed they had to resort to complaining about a pregnant teenager who was found out through targeted advertising), it’s extremely easy to find evidence of the cyber organized crime relying on tools like Liberty Reserve. Using the trump card of paedophiles would probably be a bad idea, but I’d bet my life on many of them doing so.

Yes of course there are plenty of honest possible uses you could have for these technologies, but I’d also think that if you start with the assumption that your government is not completely corrupted or abusive (which, I know, could be considered a very fantastic assumption), and that you don’t just want to ignore anti-piracy laws because you don’t like them (while I still agree that many of those laws are completely idiotic, I have explained my standing already), then the remaining positive uses are marginal, compared to the criminal activities that they enable.

Am I arguing against Tor and FreedomBox? Not really. But I am arguing against things like MegaUpload, Liberty Reserve and Bitcoin — and I would say that most people who are defending Kim Dotcom and the likes of him are not my peers. I would push them together with the religious people I’m acquainted with, which is to say, I keep them at arm’s length.

You call it privacy invasion, I don’t.

So it looks like the paranoid came to my last post about loyalty cards complaining about the invasion of privacy that these cards come with. Maybe they expected the myth of the Free Software developer who’s against all big corporations, who wants to be off the grid, and all that kind of stuff that comes out when you think of Stallman. Well, too bad, as I’m not like that, while still considering myself a left-winger, but a realist one that cannot see how you can get workers happy by strangling the companies (the alternative to which is not, contrary to what most people seem to think, just accepting whatever the heck they want).

But first an important disclaimer. What I’m writing here is my personal opinion and in no way that of my employer. Even if my current employer could be considered involved in what I’m going to write, this is an opinion I maintained for years — lu_zero can confirm it.

So, we’ve been told about the evil big brother of loyalty cards since I can remember, when I was still a little boy. They can track what you buy, they can profile you, thus they will do bad things to you. But honestly I don’t see that it has happened at all. Yes, they can track what you buy, they might even profile you, but about the evil things they do to you, I still have not heard of anything — and before you start with the Government (capital and evil G), if you don’t trust your government, a loyalty card programme is the last thing you should be worried about.

Let’s have a look first at the situation presented by the Irish Times article which I referred to in my first post on the topic. At least, they have been close to reality enough, so instead of going for the paranoia of Big Brother, they simply noted that marketeers will know about your life, although they do portray it as only negative.

Before long, he had come up with a list of 25 products which, if bought in certain amounts and in a certain sequence, allowed him to tell if a shopper was pregnant and when her due date was.

In his book, Duhigg tells the story of a man who goes into a branch of Target near Minneapolis. He is not happy as he wants to know why the retailer has suddenly started to send his high school-going daughter coupons for baby clothes and cribs. He asks the manager if the shop is trying to encourage very young girls, such as his daughter, to get pregnant.

The manager is bemused but promises to look into it, which he does. He finds that this girl had indeed been targeted with all manner of promos for baby products so he calls the father several days later to convey his apologies and his confusion.

That’s when the man tells him that when he raised the issue with his daughter, she told him she was pregnant. The retailer took a lot of flak when the details of its data mining emerged but the controversy blew over.

So first I would say I find it utterly ludicrous that sending coupons for “baby clothes and cribs” would “encourage very young girls […] to get pregnant”. I would also suggest that if the girl is so young that it’s scandalous that she could get pregnant, then it might indeed be too soon for her to have a loyalty card. In Italy for instance you have to be 18 before you can get a loyalty card for any program — why? Because you expect that a minor still does not have an absolutely clear idea of how his or her choices are going to mold their future.

Then let’s see what the problem is about privacy here… if the coupons are sent by mail, one would expect that they are seen only by the addressee — if you have no expectation of privacy on personal mail, it’s hard to blame it strongly on the loyalty programmes. In this case, if you would count the profiling as a violation of privacy of the girl, then you would expect that her father looking at the coupons would be a bigger invasion still. That would be like reading a diary. If you argue that the father has a right to know as she’s a minor, I would answer that then she shouldn’t have the card to begin with.

Then there is the (anonymous, goes without saying) comment on my post, where they try to paint loyalty schemes in an even grimmer light, first by stating that data is sold to third party companies at every turn… well, turns out that’s illegal in most of Europe if you don’t provide a way for the customer not to have his data sold. And turns out that’s one of the few things I do take care of, but simply because I don’t want junk mail from a bunch of companies I don’t really care about. So using the “they’ll sell your details” scare, to me, sounds like the usual bull.

Then it goes on to say that “Regularly purchasing alcohol and buying in the wrong neighbourhoods will certainly decrease your score to get loans.” — well, so what? The scores are statistical analyses of the chance of recovering or defaulting on a loan, I don’t blame banks for trying to make them more accurate. And maybe it’s because I don’t drink but I don’t see a problem with profiling as an alcoholic a person that would be buying four kegs of beer a day — either that or they have a bar.

Another point brought up? A scare on data mining. Okay, the term sounds bad, but data mining in the end is just a way for businesses to get better at what they do. If you want to blame them for doing so, it’s your call, but I think you’re out of your mind. There are obvious bad cases for data mining, but that is not the default case. As Jo pointed out on Twitter, we “sell” our shopping habits to the store chains, and what we get back are discounts, coupons and the like. It’s a tit-for-tat scenario, which to me is perfectly fine, and applies to more than just loyalty card schemes.

Among others, this is why I have been blocking a number of web robots on my ModSecurity Ruleset — those that try to get data without giving anything back, for me, are just bad companies. If you want to get something, give something back.

And finally, the comment twice uses the phrase, taken from the conspiracy theorists’ rulebook, “This is only the beginning”. Sorry guys, you’ve been saying that this is the beginning for the past thirty years. I start to think you’re not smarter than me, just much more paranoid, too much.

To sum it up, I’m honestly of the opinion that all the people in countries that are in effect free and democratic that complain about “invasion of privacy” are only complaining because they want to keep hiding their bad sides, be it bad habits, false statements, or previous errors. Myself, as you can see from this blog, I tend to be fairly open. There is very little I would be embarrassed by, probably only the fact that I do have a profile on a dating site, but even in that, well, I’ve been as honest as a person can be. Did I do something stupid in my past? I think quite a few things. On the other hand, I don’t really care.

So, there you go, this is my personal opinion about all the paranoids who think that they have to live off the grid to be free. Unless you’re in a country that is far from democratic, I’d just say you’re a bunch of crybabies. As I said, places where your Government can’t be trusted have much bigger problems than loyalty schemes or profiling.

Why I check your user agents

I’m one of the few Free Software activists that actually endorses the use of the User-agent header, I’m afraid. The reason for that is that, while in general that header is used to implement various types of policies, it is often used as part of lock-in schemes (sometimes paper-thin lock-ins by the way), and we all agree that lock-ins are never nice. It is a different discussion on whether those lock-ins are something to simply attack, or something to comprehend and accept — I sincerely think that Apple has all the rights to limit the access to their trailers to QuickTime, or at least try to, as they are providing the service, and it’s for them a platform to show their software; on the other hand, BBC and RAI using it to lock in their public service TV is something nasty!

So basically we have two reasons to use User-agent: policies and statistics. In the former category I also count the implementation of workarounds of various species. Statistics are mostly useful to decide what to focus on; policies can be used for good or evil: lock-ins are generally evil, but you can use policies to improve the quality of the service for users.

One of the most commonly used workarounds applied through user agent declarations relates to features MSIE is missing; for instance, there is one to properly handle serving XHTML files through the application/xhtml+xml MIME type, which it doesn’t support:

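# Only consider the extensionless page URLs that are served as XHTML.
RewriteCond %{REQUEST_URI} ^/[a-z_/]*$
# Clients known not to handle application/xhtml+xml ...
RewriteCond %{HTTP_USER_AGENT} MSIE [OR]
RewriteCond %{HTTP_USER_AGENT} facebookexternalhit [OR]
# ... or clients that explicitly refuse it with q=0 in the Accept header.
RewriteCond %{HTTP_ACCEPT} application/xhtml\+xml\s*;\s*q=0\.?0*(\s|,|$)
# Leave the URL untouched and force the response type to text/html.
RewriteRule ^/[a-z_/]*$ - [T=text/html]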

Yes, this has one more check than most of the copies of the same check found on the Internet; the reason is that I have experimentally noticed that Facebook does not handle XHTML properly; indeed if you attach a link to a webpage that has images, and is served as XHTML, it won’t get you the title nor allow you to choose an image to use for the link. This was true at least up to last December, and I assume the same is true now, which is why I have that extra line.

In a different situation, feng uses the User-agent field to identify bugged software and implement specific workarounds (such as ignoring the RTSP/1.0 standard, and seek on subsequent PLAY requests without PAUSE).

Stepping away from workarounds, policies that can be implemented this way include warning about insecure, unsupported browsers and trojan-infected systems, and providing an informational message telling the user what to do to get something better/cleaner (I do that for a few websites to tell the users that they are running something very broken — such as Internet Explorer 6). This is policy, and it’s generally a good policy in my opinion. *On a different note, if somebody can suggest a way to use cookies to add a static way to bypass the check, I’d be happy.*

There are many more things you can do with agent-specific policies, including providing lower-quality images for smartphones, without implementing mobile-specific website vhosts, but I won’t go into deeper details right now.

As for statistics, they usually provide a way for developers and designers to focus on what’s really being used by the targets of their software. Again, some activists dislike this because it shows that it’s not worth considering non-Firefox, non-IE browsers for most websites, and sometimes not even Firefox, but avoiding these extreme cases, statistics are, in the real working world, very important.

Some people feel smarter than the average programmer, and want to throw off the statistics by saying that they are using “Commodore 64” or “MS-DOS” as operating system. They pretend to defend their privacy, to camouflage among the bad bad Internet. What they are doing is actually trying to hide on a plane by wearing a balaclava, which you might guess is pretty peculiar. In fact, if you try EFF’s Panopticlick you can see that a unique, “novelty” User-agent actually makes you stand out among Internet users. Which means that if you’re trying to hide in a crowd with the balaclava you’re not smarter than anybody, you’re actually stupider than the average.

Oh and by the way, there is no way your faking being Googlebot will work out well for you; on my webserver for instance, you’ll get 403 responses for all your requests… unless your reverse resolution properly forward-confirms to be coming from the googlebot server farm…
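The forward-confirmed reverse DNS check mentioned above, written out as an added example (not the author's server configuration). The resolver functions are injectable so the constructed sample records below, which use documentation address ranges and made-up hostnames, can stand in for real DNS.

```python
import ipaddress
import socket

# Hostname suffixes Google documents for Googlebot; the leading dot matters.
GOOGLEBOT_SUFFIXES = (".googlebot.com", ".google.com")


def system_reverse(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(hostname):
    """A/AAAA lookup through the system resolver; set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except (OSError, UnicodeError):
        return set()


def verify_googlebot(ip, reverse=system_reverse, forward=system_forward):
    """True only if ip reverse-resolves into a Googlebot domain AND that
    hostname resolves forward to the very same address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    host = reverse(str(addr))
    if not host:
        return False
    host = host.rstrip(".").lower()
    # Suffix match with the dot: "googlebot.com.example.net" must not pass.
    if not host.endswith(GOOGLEBOT_SUFFIXES):
        return False
    # The PTR record is set by whoever owns the address block, so it proves
    # nothing on its own; only the forward lookup is under Google's control.
    confirmed = set()
    for candidate in forward(host):
        try:
            confirmed.add(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return addr in confirmed


def status_for(ip, user_agent, reverse=system_reverse, forward=system_forward):
    """403 for a client that claims Googlebot but fails the check, else 200."""
    claims = "googlebot" in (user_agent or "").lower()
    if claims and not verify_googlebot(ip, reverse, forward):
        return 403
    return 200


# Constructed sample DNS data (documentation ranges, hypothetical hostnames).
SAMPLE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",      # PTR and A agree
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com",  # forged PTR only
    "203.0.113.5": "googlebot.com.example.net",          # lookalike domain
}
SAMPLE_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "googlebot.com.example.net": {"203.0.113.5"},
}


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)


def sample_forward(hostname):
    return SAMPLE_A.get(hostname, set())
```

In production the lookups block on DNS, so the verdict per address is worth caching.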

Blocking old user agents

I’ve been looking through awstats and the logs of my blog today after talking about that with Petteri the other day. And I noticed quite a few interesting things in the list of browser versions.

Besides hits reporting “Firefox/8.10” as version (most likely because of broken packaging in Ubuntu that reports as user agent “Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008101315 Firefox/8.10 (intrepid) Firefox/3.0.3”), I got a fair number of pre-2 versions of Firefox, as well as pre-5 versions of Internet Explorer and Netscape, and Firebird/Phoenix branded browsers.

A rapid check shows that stuff like “Firefox/0.10.0” is just spammers, so this is giving me an idea: what if I modify the blog so that comments are disabled if the user agent is too old? Or a known spammer one, or an RSS reader (which cannot leave comments)? Optionally it could reject requests without a User-Agent field too.

Now, I know this is not going to be free of false positives, since there are people out there who think that the whole User-Agent header is ruining their privacy and thus intentionally remove it or make it invalid. I sincerely don’t give a crap. I don’t see how User-Agent is a privacy invasion when it’s needed for proper technical reasons.

So anyway, does anybody know if there is anything like this already or if I should be starting from scratch?
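A sketch of the comment policy floated in this post, as an added example rather than code from the blog. The version thresholds follow the post (pre-2 Firefox, pre-5 Internet Explorer, Firebird/Phoenix); the feed-reader and spammer marker lists and every sample string other than the Ubuntu one quoted above are assumptions made for illustration.

```python
import re

# Minimum major versions taken from the post: pre-2 Firefox, pre-5 MSIE.
MIN_FIREFOX_MAJOR = 2
MIN_MSIE_MAJOR = 5

# Illustrative marker lists (assumptions, matched case-insensitively).
FEED_READER_MARKERS = ("liferea", "akregator", "feedfetcher", "feedburner")
KNOWN_SPAM_MARKERS = ("examplespambot",)  # placeholder, not a real agent

FIREFOX_RE = re.compile(r"\bFirefox/(\d+(?:\.\d+)*)")
LEGACY_BRAND_RE = re.compile(r"\b(?:Firebird|Phoenix)/\d")
MSIE_RE = re.compile(r"\bMSIE (\d+)")


def firefox_version(user_agent):
    """Version tuple of the LAST Firefox token, or None.

    The Ubuntu string quoted in the post carries two tokens,
    "Firefox/8.10 (intrepid) Firefox/3.0.3"; the trailing one is the real
    browser version, the first is the distribution release.
    """
    tokens = FIREFOX_RE.findall(user_agent or "")
    if not tokens:
        return None
    return tuple(int(part) for part in tokens[-1].split("."))


def comment_policy(user_agent):
    """Return (allowed, reason) for a comment submission."""
    if not user_agent or not user_agent.strip():
        return (False, "missing-user-agent")
    lowered = user_agent.lower()
    if any(marker in lowered for marker in KNOWN_SPAM_MARKERS):
        return (False, "known-spammer")
    if any(marker in lowered for marker in FEED_READER_MARKERS):
        return (False, "feed-reader")
    # Firebird and Phoenix are pre-1.0 names of Firefox: always too old.
    if LEGACY_BRAND_RE.search(user_agent):
        return (False, "old-browser")
    version = firefox_version(user_agent)
    if version is not None and version[0] < MIN_FIREFOX_MAJOR:
        return (False, "old-browser")
    msie = MSIE_RE.search(user_agent)
    if msie and int(msie.group(1)) < MIN_MSIE_MAJOR:
        return (False, "old-browser")
    return (True, "ok")


# The Ubuntu user agent quoted in the post.
UBUNTU_UA = ("Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) "
             "Gecko/2008101315 Firefox/8.10 (intrepid) Firefox/3.0.3")

# Constructed sample user agents for the other cases.
SPAM_FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) "
                   "Gecko/20040913 Firefox/0.10.0")
OLD_MSIE_UA = "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
MSIE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FEED_UA = "Liferea/1.4.18 (Linux; en_US.UTF-8)"
```

Returning a reason alongside the verdict lets the blog log which rule fired, which is how false positives from clients that strip or rewrite the header would show up.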