June 2007 Archives
Tue Jun 19 11:13:28 2007
I think it is safe to assume that every kid learns in school, or, to be more precise during the school breaks, that the more you brag, the better you should be able to defend yourself. What I find interesting is the fact that businesses tend to overlook this simple social rule from childhood. There have been examples of businesses intentionally or unintentionally bragging too much in the past. Think Oracle's "unbreakable" campaign, rewarded with a massive amount of reported security vulnerabilities.
Some may have seen the movie "The Devil Wears Prada". In one scene, the protagonist is ordered to obtain a copy of the latest Harry Potter book, which is not available in stores yet. This being a movie, she manages to get it. The screenwriter was alluding to the hype created by the Harry Potter publisher, Bloomsbury Publishing Plc., around every single release in the series.
I always wondered why the script of an upcoming Harry Potter is not obtained beforehand simply by breaking into the publisher's network. My guess was that the people with the required abilities and skills probably have better things to do. But of course, the stakes are higher with the (hopefully) last book in the series.
Today, a post on the Full Disclosure mailing list claims that a copy of the script for the upcoming book was successfully obtained, and presents a spoiler with the ending of the story, as it will be released in 32 days or so. The post mentions that the way in was to send an email with a link to a web page that contained some well-known exploit from milw0rm. The post also mentions that it is surprising how many people in the company have the script somewhere on their computer. Game over.
A copy of the new Harry Potter: $34.99. The global value of the Harry Potter brand according to Forbes.com: $1,000,000,000. Getting the final marketing move p0wned: priceless.
It doesn't really matter if the Full Disclosure post is a fake or really contains the ending of the next book. If your content is as valuable as this script and your marketing campaign is built on the fact that nobody knows the ending, you had better prepare for someone raining on your parade.
Now would be a good time to sit back and think about the value of your company's intellectual property assets and if you can be sure that nobody else knows about them. Start with the following, non-exhaustive list of checks:
- Is the information known to exist outside of the company? How do you know?
- Is the information always stored encrypted? If so, how do you know?
- Is the information always destroyed when printed? How do you know?
- Are the backups encrypted? Who has the key? How do you know?
Next time your laptop is stolen and you fill in the forms with an estimated monetary loss of more than $4000, it would be an indication that you did in fact think about the questions above.
Tue Jun 12 16:09:47 2007
Input Validation Done Wrong
When reading about software security, one of the most often repeated mantras is strict validation of user input. Lack of input validation and quoting has been the root cause of countless security vulnerabilities. But there are times when you want your input data to be exactly as it was provided, especially if you collect sample data that you want to use in detection mechanisms later.
Last week, I needed a new passport, and quickly at that. Since this involves German government institutions, the process gets more complicated the quicker you need something to be done. To make a very long story short, I ended up with my two-hour-old passport pictures at a government office and was told that the pictures would not work. What happened?
Germany is now rolling out the e-pass. The political smoke screen with Terrorist decoration aside, it was the only way to sell large amounts of otherwise totally useless and probably unreliable biometric detection software to customers that cannot effectively refuse to buy - the citizen. If you need to travel, you have to buy the new passport, which supports the German industry, well, some of them.
One of the core features of the new passport is a frontal picture, as opposed to the slightly sideways one used before. The frontal picture can be read and interpreted by a piece of software in the government office to calculate biometric data about your face, so that all the fancy Fraunhofer anti-terror cameras at airports, train stations, in taxis, hotels and the cabins in the city sex shop may be able to identify you.
For this to work, photographers were told how to take an exact frontal picture of you. They usually charge more for the biometrics-ready picture than for a regular one, too. So I went to a photographer's shop and got my biometrics-ready pictures taken. Before the picture is scanned into the computer at the government office, a transparent sticker with an outline and some orientation points is placed on top of the photograph to tell the software where to look for the face.
The software at the government office kept complaining that my picture was not showing a head in frontal perspective, although it was painfully obvious that it was. The surprisingly helpful lady re-placed and re-adjusted the transparent sticker several times to make the software understand that in fact, this is a frontal picture of someone who just happens to have a real egg head - but to no avail. Finally, she sent me on my way again to another photographer's shop around the corner that supposedly produced acceptable pictures for the software with a 100% success rate. So I went getting new pictures taken.
The photographer at the second shop was a young and obviously street-smart German citizen of Turkish descent. After the second round of pictures was taken, he loaded them into Photoshop and copied one into a template file he had at hand. The template file was composed of rulers and grid lines for Photoshop, which seemed to mirror the requirements of our government's biometrics software at the passport office. Once it again became obvious that my egg head would not fit into the boundaries, he scaled it on the x-axis to make it fit. Kiss your aspect ratio goodbye.
Now, I don't understand much of the biometric matching algorithms used by our government's software. But the little that I do know about face recognition involves head geometry information, including the distance between the eyes in relation to other distances, like the one between your nose base and mouth. Well, if you scale an image without preserving the aspect ratio, that information is changed: the horizontal distances shrink while the vertical ones stay the same, so every ratio between them changes.
What came out was a head shot that was happily accepted by the passport office software as a perfectly valid front shot, and accordingly is printed in my passport as well as stored digitally on the RFID chip. The only issue is: that's not me, or to be more precise, it is not my head geometry. Maybe I should be happy about this, since it will make life a bit harder for the government officials should my profession become entirely illegal in the future and cause them to search train stations and public places for me.
The story somehow reminded me of NASA's input validation when they put a satellite in place over Antarctica. The satellite neglected the fact that there was a hole in the ozone layer, since the measurements were so far out of average that they were considered false. The same can probably be said about my head geometry compared to the average German citizen.
When you collect sample data that you want to use in detection mechanisms, it's probably not wise to discard data just because it is different from what you expected. This leads to the detection only detecting things you did expect, which renders the detection slightly useless. On the other hand, the story underlines the fact that overly drastic security measures, governmental or otherwise, will increase the likelihood of people circumventing them, knowingly or not. If you bother people enough, they will start cheating. If you bother them even more, you lose them.
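To make the two points above concrete, here is a toy head-geometry check written for this page. It is an added example, not FX's code and not the passport office's software, and the landmark coordinates, the ratio it computes and the "expected range" for that ratio are all constructed assumptions. It shows three things in one run: that scaling only along the x-axis changes the ratio of inter-eye distance to nose-to-mouth distance while uniform scaling preserves it; that a validator which rejects anything outside the expected range throws away the genuine outlier (the egg head, or the ozone hole) and happily accepts the distorted picture; and that a stored template built from the distorted picture no longer matches the real face.

```python
"""Toy illustration of input validation done wrong on biometric sample data.

Added example for this page; not the author's code and not any real
biometric product. All coordinates, ratios and ranges are constructed.
"""
from dataclasses import dataclass
from math import hypot

Point = tuple[float, float]


@dataclass(frozen=True)
class Landmarks:
    """A handful of facial landmarks in image coordinates (x, y)."""
    left_eye: Point
    right_eye: Point
    nose_base: Point
    mouth: Point


def geometry_ratio(lm: Landmarks) -> float:
    """Inter-eye distance divided by nose-base-to-mouth distance.

    Assumed stand-in for the kind of proportion a face matcher relies on;
    it is scale invariant only under *uniform* scaling.
    """
    eyes = hypot(lm.left_eye[0] - lm.right_eye[0], lm.left_eye[1] - lm.right_eye[1])
    nose_mouth = hypot(lm.nose_base[0] - lm.mouth[0], lm.nose_base[1] - lm.mouth[1])
    return eyes / nose_mouth


def scale_x(lm: Landmarks, factor: float) -> Landmarks:
    """What the Photoshop fix did: squeeze along the x-axis only."""
    def s(p: Point) -> Point:
        return (p[0] * factor, p[1])
    return Landmarks(s(lm.left_eye), s(lm.right_eye), s(lm.nose_base), s(lm.mouth))


def scale_uniform(lm: Landmarks, factor: float) -> Landmarks:
    """Aspect-ratio-preserving resize; proportions survive this."""
    def s(p: Point) -> Point:
        return (p[0] * factor, p[1] * factor)
    return Landmarks(s(lm.left_eye), s(lm.right_eye), s(lm.nose_base), s(lm.mouth))


# Constructed "population average" band for the ratio. Anything outside
# is treated by the strict validator as a bad sample rather than a real face.
EXPECTED_RANGE = (2.0, 2.6)


def validate_strict(lm: Landmarks) -> bool:
    """Rejects out-of-range samples outright (the ozone-hole mistake)."""
    lo, hi = EXPECTED_RANGE
    return lo <= geometry_ratio(lm) <= hi


def validate_flagging(lm: Landmarks) -> dict:
    """Keeps the sample as provided and only annotates it as an outlier."""
    lo, hi = EXPECTED_RANGE
    r = geometry_ratio(lm)
    return {"ratio": r, "outlier": not (lo <= r <= hi)}


def matches(stored: Landmarks, live: Landmarks, tolerance: float = 0.1) -> bool:
    """Crude template match on the single ratio; tolerance is an assumption."""
    return abs(geometry_ratio(stored) - geometry_ratio(live)) <= tolerance


# Constructed samples: an average head, and a wider "egg head".
AVERAGE = Landmarks((-32, 0), (32, 0), (0, 20), (0, 50))   # ratio 64/30
EGG_HEAD = Landmarks((-42, 0), (42, 0), (0, 20), (0, 50))  # ratio 84/30 = 2.8

if __name__ == "__main__":
    squeezed = scale_x(EGG_HEAD, 0.8)
    print("egg head accepted by strict validator:", validate_strict(EGG_HEAD))
    print("squeezed egg head accepted:          ", validate_strict(squeezed))
    print("flagging validator keeps it:          ", validate_flagging(EGG_HEAD))
    print("passport built from squeezed picture matches the real face:",
          matches(squeezed, EGG_HEAD))
```

The flagging validator is the one you want when the samples feed a detector: the unusual measurement stays in the data set, marked, instead of being silently replaced by something average-looking that the checker likes better.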
Update: Some people posting in forums suggested the root issue is actually that the person photographed is ugly. While this is obviously not a false statement per se, it would suggest that the biometrics software exhibits automatic taste - an interesting thought ;)
Posted by FX | Permanent link