Threat Modeling Thursday: 2018

So this week’s threat model Thursday is simply two requests:

  1. What would you like to see in the series?
  2. What would you like me to cover in my Blackhat talk, “Threat Modeling in 2018?”

“Attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what’s new and important in threat modeling, organizes it into a simple conceptual framework, and makes it actionable. This includes new properties of systems being attacked, new attack techniques (like biometrics confused by LEDs) and a growing importance of threats to and/or through social media platforms and features. Take home ways to ensure your security engineering and threat modeling practices are up-to-date.”

Threat Model Thursdays: Crispin Cowan

Over at the Leviathan blog, Crispin Cowan writes about “The Calculus Of Threat Modeling.” Crispin and I have collaborated and worked together over the years, and our approaches are explicitly aligned around the four question frame.

What are we working on?

One of the places where Crispin goes deeper is definitional. He’s very precise about what a security principal is:

A principal is any active entity in system with access privileges that are in any way distinct from some other component it talks to. Corollary: a principal is defined by its domain of access (the set of things it has access to). Domains of access can, and often do, overlap, but that they are different is what makes a security principal distinct.

This also leads to the definition of attack surface (where principals interact), trust boundaries (the sum of the attack surfaces) and security boundaries (trust boundaries for which the engineers will fight). These are more well-defined than I tend to have, and I think it’s a good set of definitions, or perhaps a good step forward in the discussion if you disagree.

What can go wrong?

His approach adds much more explicit description of principals who own elements of the diagram, and several self-check steps (“Ask again if we have all the connections..”) I think of these as part of “did we do a good job?” and it’s great to integrate such checks on an ongoing basis, rather than treating it as a step at the end.

What are we going to do about it?

Here Crispin has assessing complexity and mitigations. Assessing complexity is an interesting approach — a great many vulnerabilities appear on the most complex interfaces, and I think it’s a useful strategy, similar to ‘easy fixes first’ for a prioritization approach.

He also has “c. Be sure to take a picture of the white board after the team is done describing the system.” “d. Go home and create a threat model diagram.” These are interesting steps, and I think deserve some discussion as to form (I think this is part of ‘what are we working on?’) and function. To function, we already have “a threat model diagram,” and a record of it, in the picture of the whiteboard. I’m nitpicking here for two very specific reasons. First, the implication that what was done isn’t a threat model diagram isn’t accurate, and second, as the agile world likes to ask “why are you doing this work?”

I also want to ask, is there a reason to go from whiteboard to Visio? Also, as Crispin says, he’s not simply transcribing, he’s doing some fairly nuanced technical editing, “Collapse together any nodes that are actually executing as the same security principal.” That means you can’t hand off the work to a graphic designer, but you need an expensive security person to re-consider the whiteboard diagram. There are times that’s important. If the diagram will be shown widely across many meetings; if the diagram will go outside the organization, say, to regulators; if the engineering process is waterfall-like.

Come together

Crispin says that tools are substitutes for expertise, and that (a? the?) best practice is for a security expert and the engineers to talk. I agree, this is a good way to do it — I also like to train the engineers to do this without security experts each time.

And that brings me to the we/you distinction. Crispin conveys the four question frame in the second person (What are you doing, what did you do about it), and I try to use the first person plural (we; what are we doing). Saying ‘we’ focuses on collaboration, on dialogue, on exploration. Saying ‘you’ frames this as a review, a discussion, and who knows, possibly a fight. Both of us used that frame at a prior employer, and today when I consult, I use it because I’m really not part of the doing team.

That said, I think this was a super-interesting post for the definitions, and for showing the diagram evolution and the steps taken from a whiteboard to a completed, colored diagram.

The image is the frontspiece of Leviathan by Thomas Hobbes, with its famous model of the state, made up of the people.

Carpenter!

The decision in Carpenter v. United States is an unusually positive one for privacy. The Supreme Court ruled that the government generally can’t access historical cell-site location records without a warrant. (SCOTUS Blog links to court documents. The court put limits on the “third party” doctrine, and it will be fascinating to see how those limits play out.

A few interesting links:

As I said previously, I am thankful to the fine folks at the Knight First Amendment Institute at Columbia University for the opportunity to help with their technologists amicus brief in this case, and I’m glad to see that the third party doctrine is under stress. That doctrine has weakened the clear aims of the fourth amendment in protecting our daily lives against warrantless searches as our lives have involved storing more of our “papers” outside our homes.

Image via the mobile pc guys, who have advice about how to check your location history on Google, which is one of many places where it may be being captured. That advice might still be useful — it’s hard to tell if the UI has changed, since I had turned off those features.

Threat Model Thursday: Architectural Review and Threat Modeling

For Threat Model Thursday, I want to use current events here in Seattle as a prism through which we can look at technology architecture review. If you want to take this as an excuse to civilly discuss the political side of this, please feel free.

Seattle has a housing and homelessness crisis. The cost of a house has risen nearly 25% above the 2007 market peak, and has roughly doubled in the 6 years since April 2012. Fundamentally, demand has outstripped supply and continues to do so. As a city, we need more supply, and that means evaluating the value of things that constrain supply. This commentary from the local Libertarian party lists some of them.

The rules on what permits are needed to build a residence, what housing is acceptable, or how many unrelated people can live together (no more than eight) are expressions of values and priorities. We prefer that the developers of housing not build housing rather than build housing that doesn’t comply with the city’s Office of Planning and Community Development 32 pages of neighborhood design guidelines. We prefer to bring developers back after a building is built if the siding is not the agreed color. This is a choice that expresses the values of the city. And because I’m not a housing policy expert, I can miss some of the nuances and see the effect of the policies overall.

Let’s transition from the housing crisis here in Seattle to the architecture crisis that we face in technology.

No, actually, I’m not quite there. The city killed micro-apartments, only to replace them with … artisanal micro-houses. Note the variation in size and shape of the two houses in the foreground. Now, I know very little about construction, but I’m reasonably confident that if you read the previous piece on micro-housing, many of the concerns regulators were trying to address apply to “True Hope Village,” construction pictured above. I want you, dear reader, to read the questions about how we deliver housing in Seattle, and treat them as a mirror into how your organization delivers software. Really, please, go read “How Seattle Killed Micro-Housing” and the “Neighborhood Design Guidelines” carefully. Not because you plan to build a house, but as a mirror of your own security design guidelines.

They may be no prettier.

In some companies, security is valued, but has no authority to force decisions. In others, there are mandatory policies and review boards. We in security have fought for these mandatory policies because without them, products ignored security. And similarly, we have housing rules because of unsafe, unsanitary or overcrowded housing. To reduce the blight of slums.

Security has design review boards which want to talk about the color of the siding a developer installed on the now live product. We have design regulation which kills apodments and tenement housing, and then glorifies tiny houses. From a distance, these rules make no sense. I didn’t find it sensible, myself. I remember a meeting with the Microsoft Crypto board. I went in with some very specific questions regarding parameters and algorithms. Should we use this hash algorithm or that one? The meeting took not five whole minutes to go off the rails with suggestions about non-cryptographic architecture. I remember shipping the SDL Threat Modeling Tool, going through the roughly five policy tracking tools we had at the time, discovering at the very last minute that we had extra rules that were not documented in the documents that I found at the start. It drives a product manager nuts!

Worse, rules expand. From the executive suite, if a group isn’t growing, maybe it can shrink? From a security perspective, the rapidly changing threat landscape justifies new rules. So there’s motivation to ship new guidelines that, in passing, spend a page explaining all the changes that are taking place. And then I see “Incorporate or acknowledge the best features of existing early to mid-century buildings in new development.” What does that mean? What are the best features of those buildings? How do I acknowledge them? I just want to ship my peer to peer blockchain features! And nothing in the design review guidelines is clearly objectionable. But taken as a whole, they create a complex and unpredictable, and thus expensive path to delivery.

We express values explicitly and implicitly. In Seattle, implicit expression of values has hobbled the market’s ability to address a basic human need. One of the reasons that embedding is effective is that the embedded gatekeepers can advise, interpret in relation to real questions. Embedding expresses the value of collaboration, of dialogue over review. Does your security team express that security is more important than product delivery? Perhaps it is. When Microsoft stood down product shipping for security pushes, it was an explicit statement. Making your values explicit and debating prioritization is important.

What side effects do your security rules have? What rule is most expensive to comply with? What initiatives have you killed, accidentally or intentionally?

‘EFAIL’ Is Why We Can’t Have Golden Keys

I have a new essay at Dark Reading, “‘EFAIL’ Is Why We Can’t Have Golden Keys.” It starts:

There’s a newly announced set of issues labeled the “EFAIL encryption flaw” that reduces the security of PGP and S/MIME emails. Some of the issues are about HTML email parsing, others are about the use of CBC encryption. All show how hard it is to engineer secure systems, especially when those systems are composed of many components that had disparate design goals.

Nothing to see here, move along!

A reminder, this blog has moved! If you’re seeing this in your RSS, you should take a second to update your feed.

From now on, I’ll be posting at Adam Shostack and Friends/. If you read the site via RSS, please take a moment to update your feed to https://adam.shostack.org/blog/feed/. Oh, and everyone who’s been part of the jazz combo has an account over at the new blog, and I expect a new Mordaxus post any day.

If there’s too much content here (there?) and you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed.

More Chaos, New Site!

When I started blogging a dozen years ago, the world was different. Over time, I ended up with at least two main blogs (Emergent Chaos and New School), and guest posting at Dark Reading, IANS, various Microsoft blogs, and other places. It made less and less sense, even to me.

I decided it’s time to bring all that under a single masthead, and move all the archives over.


From now on, I’ll be posting at Adam Shostack and Friends/. If you read the site via RSS, please take a moment to update your feed to https://adam.shostack.org/blog/feed/. Oh, and everyone who’s been part of the jazz combo has an account over at the new blog, and I expect a new Mordaxus post any day.

If there’s too much content here (there?) and you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed.

Syria

So I’m curious: on what basis is the President of the United States able to issue orders to attack the armed forces of Syria?


It is not on the basis of the 2001 “Authorization for Use of Military Force,” cited in many instances, because there has been no claim that Syria was involved in the 9/11 attacks. (Bush and then Obama both stretched this basis incredibly, and worryingly, far. But both took care to trace back to an authorization.)

It is not on the basis of an emergency use of force because the United States was directly threatened.

Which leaves us with, as the NY Times reports:

Mr. Trump authorized the strike with no congressional approval for the use of force, an assertion of presidential authority that contrasts sharply with the protracted deliberations over the use of force by his predecessor, Barack Obama. (“Dozens of U.S. Missiles Hit Air Base in Syria.”)

Or, as Donald Trump once said:

Trump-Syria.png

Seriously, what is the legal basis of this order?

Have we really arrived at a point where the President of the United States can simply order the military to strike anywhere, anytime, at his personal discretion?

More Satellites Than You Can Shake a Stick At

This video is really amazingly inspiring:

Not only does it show more satellites than I’ve ever seen in a single frame of video, but the rocket that took them up was launched by the Indian Space Research Organisation, who managed to launch not only the largest satellite constellation ever, but had room for a few more birds in the launch. It’s an impressive achievement, and it (visually) crystalizes a shift in how we approach space. Also, congratulations to the team at Planet, the ability to image all of Earth’s landmass every day.

Launching a micro satellite into low Earth orbit is now accessible to hobbyists. Many readers of this blog could do it. That’s astounding. Stop and think about that for a moment. Our failure to have exciting follow-on missions after Apollo can obscure the fascinating things which are happening in space, as it gets cheap and almost boring to get to low Earth orbit. The Economist has a good summary. That’s not to say that there aren’t things happening further out. This is the year that contestants in the Google Lunar XPrize competition must launch. Two tourists have paid a deposit to fly around the moon.

But what’s happening close to the planet is where the economic changes will be most visible soon. That’s not to say it’s the only thing to watch, but the same engines will enable more complex and daring missions.

For more on what’s happening in India around space exploration and commercialization, this is a fascinating interview with Susmita Mohanty.

Video link: ISRO PSLV-C37 onboard camera view of 104 satellites deployment

Groundrules on Complaining About Security

Groundrules on Complaining About Security

In this article, I want to lead into some other articles I’m working on. In those, I’m going to complain about security. But I want those complaints to be thoughtful and within a proper context.

You will hear many of us in security talk about threat models. Adam literally wrote the book on threat models and if you don’t have a copy, you should get one.

Threat models are a way of thinking about security in a somewhat rigorous way. Without some sort of threat model, you’re not really doing security.

Threat models sound complex, but they’re really not. We all do them intuitively all the time, and here’s the basic outline of how to make one. You want answers to these questions:

  1. What are you doing?
  2. What could go wrong?
  3. What are you doing about it?

Among the valuable things in Adam’s book, he talks about these and more, but these three simple questions frame how to talk about security no matter who you are. If you don’t have a threat model, you might be doing something useful, but it’s not really security.

If you are a maker of security, without a threat model you might have a solution in search of a problem. You might also have a stone soup security system, in which you throw a bunch of things in a pot, and while tasty (or secure), isn’t organized. There are many, many stone soup security systems out there.

If you’re going to use a security system, without a threat model you have no way to know if what you’re getting meets your needs.

If you’re challenging a security system, without a threat model, your criticisms may be true but irrelevant.

It is these latter two cases – deciding what security system to you and providing a critique of a security system – that I’m going to focus on, particularly since I’m going to be engaging in challenges, and people selecting a system also need to think about what their own threat model is when selecting a system. If you’re going to use a secuity system, a little bit of thought about what you expect it to do and what you expect it to protect you from is in required.

Let me move a bit away from computer security for a moment; analogies often help.

Let’s look at this statement:

  • Aspirin doesn’t cure cancer.

It’s true. Aspirin doesn’t cure cancer. It doesn’t do half-bad on headaches (with of course, a number of other qualifiers), but it doesn’t cure cancer.

However, if Alice says, “I’m going to go take an aspirin” and Bob says, “Aspirin doesn’t cure cancer,” he has implicitly assumed that her threat model is not:

  • I have a headache
  • I’m going to take an aspirin to cure it

but

  • I have cancer
  • I’m going to take an aspirin to cure it.

Even if Alice actually does have cancer, she might also have a headache. Especially if she has to deal with someone with simplisitic thinking like Bob. This is the sort of headache that got me to write this essay.

Getting back to security, while I was typing the first part of this, a friend and I started on a discussion. We started with wondering if since most front door locks are easily picked, does that mean that they’re just security theatre. The discussion then went into social value of locks (most people are honest, after all), the technological merits of Abloy locks, the expense of getting a good lock for all your doors, the human factors aspects of wanting one key for all your doors, the security problem of weak points from the porch to the windows, and then on to reinforcing hinges and even the front door itself. It was a fun discussion, but it wasn’t a good security discussion, it was security stone soup. The initial question of whether most door locks do anything was the pot of water with a stone in it and we kept adding in garnishes until we ended up with a tasty conversation. However, at no point did we discuss a threat model. We don’t know what we were trying to protect, what threats we were protecting it from, or anything that turns it into a real security discussion.

I think we were talking about a stereotypical threat of a burglar backing up a van to the house and carting off a lot of valuables, but I am just presuming that.

I know of what I speak in this issue of threat models because I’m guilty of it, too. It’s so easy to get caught up in security stone soup that it happened to me while I was writing an essay on threat models and security stone soup.

Now that I have a couple of ground rules in place as a preface, I will complain about security in my next essay.

On Immigration and Refugees

NewImage Sergey Brin and baby
The ban on refugees is illegal, immoral and un-American, and as an American, I want to add my voice.

The ban is illegal. (“Trump’s Immigration Ban Is Illegal.”) I suspect that the United States also has legal obligations under treaties to accept refugees, but Google isn’t my lawyer, and I am no expert.

The ban is immoral. Those who have gone through our immigration process and gotten green cards are being restricted from returning to the US. Those people have followed the legal path to immigration and built lives here. We made a deal with them and we’re breaking it, suddenly and without warning. Those people might have jobs, school, or family to return to, and their lives are upended and uncertain. These are not illegal aliens, they are people who have gone through a complex, and sometimes kafka-esque immigration process.

I have worked with engineers from Syria. (I’m not going to name them in today’s climate.) They did good work, and were good people. They were dealing with the horror of hearing family back home was missing, and they did good work anyway.

The President is hurting America with this ban. By telling those here legally that their status can be upended at a whim, he makes a strong argument against coming here by following the rules as they exist on a given day. Some people will continue to come here in violation of the law; others will go elsewhere, and another country will get both the risk and the reward from that set of refugees.

It’s worth noting that the protests and court orders yesterday, while welcome, “Despite growing dissent, Trump gives no sign of backing down from travel ban.” I guess we need to keep calling this what it is: un-American.

Pictured is John von Neumann, refugee, and inventor of the von Neumann architecture that’s at the heart of the computer on which you’re reading this, and Sergey Brin, co-founder of Google, on his way to protest in San Francisco.

[Update: The hawks at Lawfare blog have an analysis, Malevolence Tempered by Incompetence:.]

Kyber Crystal and the Death Star

Death star construction

This post has spoilers for Rogue One, and also Return of the Jedi.

We learn in Rogue One that the Death Star’s main gun is powered by Kyber crystal. We know from various sources that it’s rare.

Then the Death Star is tested, destroying Jedah, where they’re mining the crystals. Note that both times its fired, they give the order “single reactor ignition.” Are they testing the reactors and power systems, or conserving kyber crystal?

Really, how much “ammo” did the original Death Star have on board? How many times could they fire the main gun?

Was ten or fifteen shots considered sufficient, because after a demonstration, fear will keep the local systems in line? Where did they find enought kyber crystal for the second Death Star?

The Dope Cycle and the Two Minutes Hate

[Updated with extra links at the bottom.]

There’s a cycle that happens as you engage on the internet. You post something, and wait, hoping, for the likes, the favorites, the shares, the kind comments to come in. You hit reload incessantly even though the site doesn’t need it, hoping to get that hit that jolt even a little sooner. That dopamine release.

A Vicious cycle of pain, cravings, more drugs, and guilt

Site designers refer to this by benign names, like engagement or gamification and it doesn’t just happen on “social media” sites like Twitter or Instagram. It is fundamental to the structure of LinkedIn, of Medium, StackExchange, of Flickr. We are told how popular are the things we observe, and we are told to want that popularity. Excuse me, I mean that influence. That reach. And that brings me to the point of today’s post: seven tips to increase your social media impactfulness. Just kidding.

Not kidding: even when you know you’re being manipulated into wanting it, you want it. And you are being manipulated, make no mistake. Site designers are working to make your use of their site as pleasurable as possible, as emotionally engaging as possible. They’re caught up in a Red Queen Race, where they must engage faster and faster just to stay in place. And when you’re in such a race, it helps to steal as much as you can from millions of years of evolution. [Edit: I should add that this is not a moral judgement on the companies or the people, but rather an observation on what they must do to survive.] That’s dopamine, that’s adrenaline, that’s every hormone that’s been covered in Popular Psychology. It’s a dope cycle, and you can read that in every sense of the word dope.

This wanting is not innocent or harmless. Outrage, generating a stronger response,
wins. Sexy, generating a stronger response, wins. Cuteness, in the forms of awwws, wins. We are awash in messages crafted to generate strong emotion. More, we are awash in messages crafter to generate stronger emotion than the preceding or following message. This is not new. What is new is that the analytic tools available to its creators are so strong that the Red Queen Race is accelerating (by the way, that’s bait for outraged readers to insist I misunderstand the Red Queen Race, generating views for this post). The tools of 20th century outrage are crude and ineffective. Today’s outrage cycle over the House cancelling its cancellation of its ethics office is over, replaced by outrage over … well, it’s not year clear what will replace it, but expect it to be replaced.

When Orwell wrote of the Two Minutes Hate, he wrote:

The horrible thing about the Two Minutes Hate was not that one was obliged to act a part, but that it was impossible to avoid joining in. Within thirty seconds any pretense was always unnecessary. A hideous ecstasy of fear and vindictiveness, a desire to kill, to torture, to smash faces in with a sledge hammer, seemed to flow through the whole group of people like an electric current, turning one even against one’s will into a grimacing, screaming lunatic. And yet the rage that one felt was an abstract, undirected emotion which could be switched from one object to another like the flame of a blowlamp.

I am reminded of Hoder’s article, “The Web We Have to Save” (4.4K hearts, 165 balloons, and no easy way to see on Medium how many sites link to it). Also of related interest is Good-bye to All That Twitter and “Seattle author Lindy West leaves Twitter, calls it unusable for ‘anyone but trolls, robots and dictators’” but I don’t think Twitter, per se, is the problem. Twitter has a number of aspects which make trolling (especially around gender and race issues, but not limited to them) especially emotionally challenging. Those are likely closely tied to the anticipation of positivity in “mentions”, fulfilled by hate. But the issues are made worse by site design that successfully increases engagement.

I don’t know what to do with this observation. I have tried to reduce use of sites that use the structures of engagement: removing them from my reading in the morning, taking their apps off my phone. But I find myself typing their URLs when I’m task switching. I am reluctant to orient around addiction, as it drags with it a great deal of baggage around free will and ineffective regulation.

But removing myself from Twitter doesn’t really address the problem of the two minutes hate, nor of the red queen race of dope cycles. I’d love to hear your thoughts on what to do about them.


[Update: Related, “Hacking the Attention Economy,” by danah boyd.]

[Update (8 Feb): Hunter Walk writes “Why Many Companies Mistakingly Think Trolls & Harassment Are Good for Business,” and I’d missed Tim Wu writing on “The Attention Merchants.”]