Ben Laurie blathering

23 Nov 2007

Can HMRC and NAO Protect Their Own Data?

Filed under: Identity Management,Security — Ben @ 13:14

(Update: an ORG colleague correctly points out I should say “redacted” not “elided” – thanks, Louise!)

In the wake of the HMRC disaster (nicely summarised by Kim Cameron), the National Audit Office has published scans of correspondence relating to the lost data.

First of all, it’s notable that everyone concerned seems to be far more concerned about cost than about privacy. But an interesting question arises in relation to the redactions made to protect the “innocent”. Once more, NAO and HMRC have shown their lack of competence in these matters…

A few years ago it was a popular pastime to recover redacted data from such documents, using a variety of techniques, from the hilarious cut’n’paste attacks (where the redacted data had not been removed, merely covered over with black graphics) to the much more interesting typography related attacks. The way these work is by working backwards from the way that computers typeset. For each font, there are lookup tables that show exactly how wide each character is, and also modifications for particular pairs of characters (for example, “fe” often has less of a gap between the characters than would be indicated by the widths of the two letters alone). This means that if you can accurately measure the width of some text it is possible to deduce which characters must have made up the text (and often what order those characters must appear in). Obviously this isn’t guaranteed to give a single result, but often gives a very small number of possibilities, which can then be further reduced by other evidence (such as grammar or spelling).

It seems HMRC and NAO are entirely ignorant of these attacks, since they have left themselves wide open to them. For example, on page 5 of the PDF, take the first line “From: redacted (Benefits and Credits)”. We can easily measure the gap between “:” and “(”, which must span a space, one or more words (presumably names) and another space. From this measurement we can probably make a good shortlist of possible names.

Even more promising is line 3, “cc: redacted@…”. In this case the space between the : and the @ must be filled by characters that make a legal email address and contain no spaces. Another target is the second line of the letter itself “redacted has passed this over to me for my views”. Here we can measure the gap between the left hand margin and the first character of “has” – and fit into that space a capital letter and some other letters, no spaces. Should be pretty easy to recover that name.

And so on.
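To make the width argument concrete, here is an added toy model (not part of the post) that fits a constructed shortlist of names to a measured gap using constructed glyph widths and kerning pairs, and then shows why substituting a placeholder before typesetting, rather than covering glyphs afterwards, leaves nothing to measure. All names, widths and the measured gap are invented for the example.

```javascript
// Added toy model (not from the post) with CONSTRUCTED glyph widths and
// kerning pairs, in 1/1000 em; no real font's metrics are used.
const NARROW = new Set('ijltf');
const WIDE = new Set('mw');
const KERN = { fe: -40, To: -60, AV: -80 };  // constructed pair adjustments

// Advance width of one glyph.
function glyphWidth(c) {
  if (c === ' ') return 250;
  if (NARROW.has(c)) return 280;
  if (WIDE.has(c)) return 780;
  if (c >= 'A' && c <= 'Z') return 650;
  return 500;
}

// Width of a typeset string: glyph advances plus pair kerning.
function textWidth(s) {
  let width = 0;
  for (let i = 0; i < s.length; i++) {
    width += glyphWidth(s[i]);
    if (i > 0) width += KERN[s[i - 1] + s[i]] || 0;
  }
  return width;
}

// The attack step: names whose width, plus the two surrounding spaces, matches
// the gap measured between ':' and '(' within the measurement tolerance.
function namesFittingGap(gap, shortlist, tolerance = 30) {
  const space = glyphWidth(' ');
  return shortlist.filter(n => Math.abs(space + textWidth(n) + space - gap) <= tolerance);
}

// The countermeasure: substitute a constant token BEFORE typesetting, so the
// rendered width carries no information about what was removed. Covering the
// original glyphs with a black box after typesetting leaves the gap intact.
function redact(_name) {
  return '[redacted]';
}

// Constructed shortlist and a constructed measurement of the gap on the
// "From: ... (Benefits and Credits)" line.
const SHORTLIST = ['Jane Smith', 'John Smith', 'Tom Ford', 'Amy Lee', 'Alan Weaver', 'Eve Adams'];
const MEASURED_GAP = 5390;

console.log(namesFittingGap(MEASURED_GAP, SHORTLIST));                 // [ 'Jane Smith', 'John Smith' ]
console.log(new Set(SHORTLIST.map(n => textWidth(redact(n)))).size);   // 1: width independent of the name
```

Two names survive because their constructed widths coincide exactly, which is the “very small number of possibilities” the post describes; a redaction check worth running before publishing is simply whether the gap width still depends on the removed text.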

This clearly demonstrates that those who are entrusted with our data have absolutely no idea of the threats it faces, nor the countermeasures one should take to avoid those threats.

19 Nov 2007

Happy Birthday: ORG Is Two!

Filed under: Digital Rights — Ben @ 12:22

It seems only yesterday that I sat with a group of starry-eyed activists and had the first board meeting of the nascent Open Rights Group. But I am reliably informed it was two whole years ago. In that time we’ve defied dead musicians, monitored elections and beaten up Auntie. Read all about it.

And once you have, GIVE US YOUR MONEY. ORG relies on the support of people like you – and not nearly enough of you are putting your hands in your pockets. We’re not asking for much, but without it, we can’t go on fighting your fight.

16 Nov 2007

Quilt and SVN: A Slightly Unhappy Marriage

Filed under: Open Source,Programming — Ben @ 5:48

Now that Caja is out in the wild, and I can’t use Google’s internal development tools, I find quilt is coming in handy (why not mercurial queues? I’d prefer it, but the version I can easily install is too old, currently). But, surprisingly for a tool that was designed to assist in open source development, it turns out quilt is a bit weird about co-existing with version control systems.

The issue comes when you finally get approval for your patch and you commit it to the tree. At this point, you want to delete it from the patch series – but quilt won’t let you, because it is applied. If you pop it, then you’ll undo what you’ve just committed. So, what to do? Here’s my ad-hoc recipe:

quilt pop -a
patch -p1 < patches/the-bottom-patch
svn ci
quilt delete the-bottom-patch

and there you are, done. You can even do this retroactively if you forgot to do it as you go along – just miss out the svn ci step. Once you’re back up-to-date you should find that you are still in sync with the head of the tree (assuming no-one committed in the meantime).

14 Nov 2007

Caja Code is Available

Filed under: Capabilities,Open Source,Programming,Security — Ben @ 15:51

Yesterday we put the initial (incomplete) version of the Caja code up at

From now on, all development will be done out in the open. External developers are welcome to come and play, too. Join the mailing list. Write code! Find bugs! Laugh at my mistakes! Have fun!

10 Nov 2007

Shirley Williams on the Identity Card

Filed under: Anonymity/Privacy,Civil Liberties — Ben @ 17:11

I listened to Shirley Williams today speak about the identity card on the always excellent “Any Questions” program on Radio 4. She is not a fan. First of all she made it clear that she believed the LSE’s estimate of the cost, at £19 billion, rather than the government’s, at £5.6 billion. But then she got really quite outspoken:

I think the ID cards are much more serious than people realise … the absolute key thing, and I can’t stress this enough, is that the level of data that the government proposes to collect under the ID bill … adds up, in my view, to a Big Brother scheme of the most terrifying kind.

Because it is so expensive our government will sell our data to commercial interests

It will be a record of where you’ve been, what you’ve done, who you’ve talked to, and I think it’s a terrifying scheme and I’m another person who’s prepared to say I wouldn’t cooperate with it in any way at all (lots of applause)

When asked if she would court jail in her resistance to ID cards, she responded:

Of course … My view is that the identity card will undermine individual civil liberty so seriously that one is entitled to say that one won’t cooperate with it. I have not suggested I would use violence, I am suggesting I wouldn’t cooperate with it, nor will I.

Yes, yes, Shirley, but there’s no need to beat about the bush – tell us what you really think! 🙂

I wonder if Shirley supports No2ID?

9 Nov 2007

Groklaw Interviews Becky Hogge on the BBC

Filed under: Digital Rights,Open Source — Ben @ 16:02

I’ve only recently started reading Groklaw, but it is fast becoming one of my favourite blogs. Today they have an interview with Becky Hogge, Executive Director of the Open Rights Group, on the BBC’s iPlayer and rights strategies.

She rightly distances herself from the folderol over BBC’s relationship with Microsoft and focusses on the bigger issues:

Q: OK. Now, it was widely reported that the BBC signed a letter of intent with Microsoft which covered the iPlayer, DRM, and other cooperation. Have you seen the document? Is the document available? Do you know what it says?

Becky Hogge: I don’t know what it says, I haven’t seen it, and I don’t know if it’s available. Like I say, the Open Rights Group, we’re trying to move away from this Microsoft issue and look further into the future for the BBC. The BBC has got itself into a really sticky situation with iPlayer and with DRM, and I think it must be feeling bad at this point. What the Open Rights Group are trying to say here is that yes, these problems are real, a lot of our supporter base are using Linux operating systems and even though they’re paying their license fee, they’re unable to access iPlayer services. But we’d like to find solutions for the BBC, rather than more problems. And our big solution is that it needs to start reexamining the rights models. For the sake of public broadcast.

8 Nov 2007

Is The GPL Open Source’s DRM?

Filed under: Open Source — Ben @ 6:08

I was trying to explain the difference between BSD and GPL to a non-open source person the other day and halfway through I suddenly realised that what I was saying sounded just like DRM.

What does DRM do? It seeks to control the ways in which the recipient of some content can use that content.

What does the GPL do? It seeks to control the ways in which the recipient of some code can use that code.

Just sayin’.

5 Nov 2007

Self-issued Cards Are More Secure

Filed under: Anonymity/Privacy,Identity Management,Security — Ben @ 21:01

Pamela Dingle takes some Liberty dudes to task for being obsessed with the letter of the spec. Her perfectly reasonable stance is that if she chooses to link a self-issued infocard to her bank account, then that’s at least as secure as any other means we know of for authenticating. Of course, she’s left out of this equation how she gets to make that association, and, of course, the Liberty dudes think you should only make such associations via the middleman of some kind of certificate issuer.

But there’s no reason to involve any card issuers in this at all – we have to have a relationship with the bank to get this off the ground in the first place, regardless of authentication mechanism, and, however that relationship works, we can use it to inform the bank about our self-issued card. Once we’ve done that we have strong authentication with the bank, no need for IdPs, CAs or any of that stuff. In fact, our authentication is stronger than if we had involved a third party – with a self-issued card, no-one else is in a position to make a forgery.

And, of course, we’ve removed a potential correlator of our activities from the equation. Score one for privacy.

Ancient History

Filed under: Open Source — Ben @ 16:17

A new, and rather nice, mail archive searching thingy has been launched. Out of curiosity, I used it to try to find the lost-in-the-mists-of-time birthdate of Apache-SSL. I did – it’s the 16th of October, 1995. Roughly.

Along the way, somewhat narcissistically, I found a few other things. My first post to the httpd-dev list, admittedly forwarded, on the 5th of September 1995. I had no idea I’d started on SSL so soon after joining the Apache project.

Finally, me arguing against using the GPL (Brian Behlendorf has sometimes claimed that my opposition to the GPL was one of the reasons Apache started with a BSD-style licence).

1 Nov 2007

Caja: Capability Javascript

Filed under: Capabilities,Open Source,Programming,Security — Ben @ 11:44

I’ve been running a team at Google for a while now, implementing capabilities in Javascript. Fans of this blog will remember that long ago I did a thing called CaPerl. The idea in CaPerl was to compile a slightly modified version of Perl into Perl, enforcing capability security in the process.

Caja follows a similar path, except rather than modify Javascript, we restrict it to a large subset. This means that a Caja program will run without modification on a standard Javascript interpreter – though it won’t be secure, of course! When it is compiled then, like CaPerl, the result is standard Javascript that enforces capability security. What does this mean? It means that Web apps can embed untrusted third party code without concern that it might compromise either the application’s or the user’s security.
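The following is an added illustration of the object-capability discipline Caja is meant to enforce; it is not Caja’s code and says nothing about how the Caja compiler rewrites programs. The account, facet and gadget are invented for the example.

```javascript
// Added illustration, not Caja's own code: the object-capability discipline
// Caja aims to enforce. The guest gets only a narrow, revocable facet of a
// resource the host owns, so it can do what that facet allows and nothing else.

// A resource owned by the hosting application (assumed for the example).
function makeAccount(balance) {
  return {
    getBalance: () => balance,
    deposit: (n) => { balance += n; return balance; },
    withdraw: (n) => { balance -= n; return balance; },
  };
}

// Attenuation: a frozen facet exposing only the operation the guest may use.
function makeDepositOnlyFacet(account) {
  return Object.freeze({ deposit: (n) => account.deposit(n) });
}

// Revocation: a forwarder the host can cut off at any time.
function makeRevocable(target) {
  let live = target;
  const proxy = Object.freeze({
    deposit: (n) => {
      if (live === null) throw new Error('capability revoked');
      return live.deposit(n);
    },
  });
  return { proxy, revoke: () => { live = null; } };
}

// Untrusted guest code: it is handed the facet, never the account itself.
function untrustedGadget(facet) {
  facet.deposit(5);
  return typeof facet.withdraw;  // 'undefined': not reachable through the facet
}

// Host-side scenario: grant, let the guest run, then revoke.
function runScenario() {
  const account = makeAccount(100);
  const { proxy, revoke } = makeRevocable(makeDepositOnlyFacet(account));
  const withdrawType = untrustedGadget(proxy);
  revoke();
  let revokedError = false;
  try { proxy.deposit(1); } catch (e) { revokedError = true; }
  return { balance: account.getBalance(), withdrawType, revokedError };
}

console.log(runScenario());  // { balance: 105, withdrawType: 'undefined', revokedError: true }
```

On a standard interpreter this discipline is voluntary: the guest can still reach the global object and everything hanging off it, which is exactly why an uncompiled Caja program “won’t be secure” and why the language is restricted and compiled.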

Caja will be open source, under the Apache License. We’re still debating whether we will drop our existing code for this as a starting point, or whether we want to take a different approach, but in any case, there’s plenty to be done.

Although the site has been up for a while, I was reluctant to talk about it until there was some way for you to be involved. Now there is – we have a public mailing list. Come along, read the docs (particularly the Halloween version of the spec) and join in the discussions. I’m very excited about this project and the involvement of some world class capability experts, including Mark Miller (of E fame) who is a full-time member of the Caja development team.
