Kevin Fu

Bits of humor

2011-11-08T07:45:00.000-08:00

For posterity's sake from an architecture course I used to teach. Could be a double post.

Personal questions for authentication, a misguided approach

2011-09-30T09:59:00.000-07:00

The federal government might want to read the advice from Stuart Schechter et al. published in the IEEE Symposium on Security and Privacy about why to avoid "Golden Questions."

A screenshot of the E-QIP website.

Cheers for a pint of Wifi

2011-09-29T10:54:00.000-07:00

Apple Updates

2011-08-25T07:38:00.000-07:00

The biggest update ever from Apple is being downloaded.

Software and the IOM Report on the 510(k) Clearance Process as a Word Cloud

2011-07-29T13:56:00.000-07:00

Yesterday the Institute of Medicine released its report on
Medical Devices and the Public's Health: The FDA 510(k) Clearance Process at 35 Years. The report drew a number of strong reactions.

Study Faults Approval Process for Medical Devices
by BARRY MEIER, The New York Times, Published: July 29, 2011

Study of Medical Device Rules Is Attacked, Unseen
by BARRY MEIER, The New York Times, Published: July 27, 2011

HeartWire has also weighed in.

For more information about the role of software in medical devices in the context of the 510(k) process, see my IOM webcast, the IOM report on Trustworthy Medical Device Software, and publications on the SPQR Lab website. The PDFs are free at the IOM, but there's a clumsy registration process through which one must first wade.

I decided to run the IOM report through Wordle to visualize topics of emphasis. I removed most of the header information before processing. Look below if you want a PDF of higher quality.

The future of medical device interoperability and mHealth

2011-07-22T07:25:00.000-07:00

mHealth Today.

mHealth Tomorrow.

iPhone software update for security

2011-07-16T20:45:00.001-07:00

They say the devil's in the details. For software updates, it's literally true.

It's Hard to Build a Web Site Secure Against Untrusted User Input

2011-06-16T20:44:00.000-07:00

Recently it was reported that a group of hackers broke into Citibank. One security expert was quoted saying, "It would have been hard to prepare for this type of vulnerability." Maybe so, but the problems are hardly new if this part is true:

They simply logged on to the part of the group's site reserved for credit card customers - and substituted their account numbers which appeared in the browser's address bar with other numbers.

I'm sure someone else has stumbled onto this problem several times (it would be hard not to because there are so many websites with sequential numbers and unauthenticated data in user input fields), but I know of at least two research projects that looked into the technical issues behind such vulnerabilities.

Prof. Nickolai Zeldovich at MIT innovated the RESIN research project to help web application developers more clearly specify assertions that pertain to security. For example, a common web application error is forgetting to include an authentication check. Pretty simple error, but pervasive and cumbersome to prevent without a way to express such assertions. The RESIN language helps programmers control information flow.

A second project is my own, so I am more familiar with it. Back in 2001 (when we said "web site" rather than "website"), our small team analyzed the authentication mechanisms in several websites. It was hard not to find problems where websites were susceptible to impersonation of the user. Relevant to the Citibank incident, there were cases where websites assumed the user would not change certain elements of the query string or HTTP POST request. Embedded in these requests were sequential identifiers. Here's one example from a talk several years ago:

After prodding from people working on web application toolkits, I took a new look at web authentication in 2004. Alas, even the web toolkits had authentication flaws. In one product used by large chain retailers, it was possible for a would-be thief to impersonate others to download retail receipts by changing hidden HTML code. I wonder if this problem is similar to the flaw at Citibank. This work was never published, but did appear in the WSJ.

For more information, I encourage the interested reader to consume these documents:

Dos and Don'ts of Client Authentication on the Web from USENIX Security 2001 [PDF and slides from a series of talks]

Inside risks, web cookies: Not just a privacy risk 2001

Book: Exploiting Software 2004 (see the section on "the user input problem")

Biggest Web Problem Isn't About Privacy, It's Sloppy Security 2004

More Scary Tales Involving Big Holes In Web-Site Security 2004

Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications from USENIX Security 2009 [PDF]

RESIN from SOSP 2009

There are probably other historical technical documents of relevance from OWASP or the RISKS Digest. Happy searching!

Exit Strategy

2010-12-01T18:44:00.001-08:00

Something seems a bit wrong with this exit sign in the hallway at IBM.

USENIX Health Security & Privacy Videos Made Public

2010-09-15T11:19:00.000-07:00

Earlier today USENIX made several of the HealthSec Workshop webcast videos publicly available. In particular, anyone may now watch the:

Opening Remarks on USENIX HealthSec

Policy for Health Records (Position papers from both universities and industrial research.)

Invited Panel on Medical Device Security & Privacy
Panelists: John F. Murray Jr., Software Compliance Expert, United States Food and Drug Administration, CDRH/Office of Compliance; Nathanael Paul, Research Scientist, Oak Ridge National Laboratory; Karen Sandler, General Counsel of the Software Freedom Law Center

All the panelists work in the medical device software space, and all personally use computer-controlled medical devices (mostly implanted).

Software update risks in avionics: pre-flight briefings

2010-07-21T13:58:00.000-07:00

Browsing the ASRS database can be educational. Search for ACN #875270 and you'll see these snippets of an anonymous comment about the risks of software updates and avionics for providing pilots with pre-flight briefings.

"I am a Flight Service specialist. I am reporting an ongoing and routinely occurring safety concern. About 2-3 times/month, the company takes down its primary briefing system, for various reasons - software updates/patches, security patches, information updates, etc. The entire system is taken down all at once, nationwide."
...
"Coupling this lack of knowledge with unreliable/incomplete data is a recipe that guarantees, in time, a tragedy for an unknowing pilot and passengers who placed their trust in our company."

Aviation Safety Reporting System
Pre-flight briefing

Software risks and medical ventilators

2010-07-17T17:27:00.000-07:00

Did a software glitch cause an oxygen delivery system to fail, leading to a patient's death?

Earlier this year, a person tragically died during ambulance transport. The article explains that it's believed a software glitch caused an oxygen system to fail, leading to the patient's death. A TV news team made a video of the the medical system and interviewed a paramedic (who was not the paramedic involved with the event). There is very little technical information publicly available about the event, except that there are multiple manufacturers involved. Road Rescue reportedly built the ambulance. And Spartan Chassis is reportedly involved with the components in the ambulance itself.

No one has reported technical information on the alleged software glitch itself. However, this rather brief adverse event report at FDA cites a date coincidentally close to April 22 (the date of the incident). Is the underlying technology an Evita 4 Ventilator? What role did software play in the incident? What other factors contributed?

Do I really have that much mail?

2010-07-10T10:53:00.000-07:00

Apple Mail. Oh no you don't. Interesting that ln(18446744073707454940)/ln(2)=64.

USENIX Workshop on Health Security & Privacy (HealthSec 2010)

2010-02-23T19:40:00.000-08:00

If you conduct research on security and privacy of health information technology, then you should consider submitting a 2-page position paper to the USENIX Workshop on Health Security & Privacy (HealthSec 2010). Submissions are due April 9, 2010. I am co-organizing the workshop with my colleagues Prof. Yoshi Kohno (UW) and Prof. Avi Rubin (JHU) and a healthy dose of security/privacy expertise from the program committee. What I think is notable about our venue is the degree of interdisciplinary research represented by the program committee. We have members from several research disciplines including computer science, medicine, and social science. Moreover, we have members from multiple sectors in health information technology (academia, government, industry). We intend for the event to bring together researchers with bold positions on how to improve security and privacy for emerging health information technologies. There are many security and privacy problems waiting to be solved in areas such as electronic medical records, wireless medical devices, and regulatory and policy issues.

The workshop itself is co-located with USENIX Security in Washington, DC on August 10, 2010. See you there!

From the CFP:

HealthSec is intended as a forum for lively discussion of aggressively innovative and potentially disruptive ideas on all aspects of medical and health security and privacy. A fundamental goal of the workshop is to promote cross-disciplinary interactions between fields, including, but not limited to, technology, medicine, and policy. Surprising results and thought-provoking ideas will be strongly favored; complete papers with polished results in well-explored research areas are comparatively discouraged. Position papers will be selected for their potential to stimulate or catalyze further research and explorations of new directions, as well as for their potential to spark productive discussions at the workshop.

UMass Amherst CS Alumni Event in Boston Area March 4

2010-02-02T11:22:00.000-08:00

A number of faculty from the UMass Amherst Computer Science department will be kicking back with alums and friends on March 4 in Cambridge (Massachusetts, that is). We were searching for space in the Boston area, so we Googled it. The event takes place at Google's Cafe in Kendall Square. For fairness, next time we will consider Binging it.

Event details appear on http://www.cs.umass.edu/alumsocial2010/

p.s., Alums may order the awesome binary tree-shirt from the student ACM chapter at UMass Amherst.

Security of Automatic Software Updates

2009-08-24T14:58:00.001-07:00

Several years ago, students at UMass Amherst discovered how to co-opt an automated software update mechanism to gain root access on a computer. The most significant security flaw involved a McAfee anti-virus product whereby an automatic, nightly update allowed the students to get root access on a Mac. Back then, the students wrote code manually.

Fast forward from 2006 to 2009. Now security researchers have reportedly created an automated tool to discover insecure software updates. There are likely a lot of vulnerable products out there, and it's not surprising that many small software houses forget to test whether the backdoor is kept locked: the software update.

Our original paper and video demonstration shows how to co-opt a software update mechanism built into an anti-virus product to gain root on a Mac. Fortunately, that particular bug has been reportedly patched. But what else remains unpatched?

The Real Reasons to Support Language Study

2009-08-20T11:14:00.001-07:00

Refreshing comments about the importance of studying languages appeared in the Chronicle of Higher Education.

http://chronicle.com/article/The-Real-Reasons-to-Support/47450/

Homeopathic Encryption

2009-07-16T22:32:00.000-07:00

A few cryptographers who work on homomorphic encryption chuckled at my description of wireless systems nearly absent of proper encryption yet supposedly secure as "homeopathic encryption." Alas, I appear to be just a few days shy of coining the faux term.

Unit-fied Theory of Numbers

2009-07-16T22:30:00.000-07:00

I'm not sure why United numbers its calendar in this unusual order.

Go To Statement Considered Beneficial

2009-07-11T08:06:00.000-07:00

Flattening by Yang, Cooprider, and Regehr is a clever C-to-C program transformation to reduce the amount of RAM used by the call stack. This technique may allow for embedded systems with extremely constrained energy to more effectively perform computation because of the relatively high energy cost for maintaining RAM. I wonder if Mementos could use flattening to improve energy-aware checkpoints of RAM in CRFIDs.

Microsoft

2009-02-01T14:43:00.000-08:00

Ok, thanks. Submitting a letter of recommendation is harder than I thought.

Is That Device Safe?

2009-01-31T10:28:00.001-08:00

The NYTimes has an editorial on charges that the F.D.A has failed to adequately regulate medical devices. A harder task will be ensuring that medical devices maintain security and privacy.

Error art thou?

2009-01-29T19:47:00.000-08:00

Thank you, that explains it.

Flight '); DROP TABLE FLIGHTS;-- ready for boarding

2009-01-14T07:38:00.000-08:00

Hmm, why is there a flight that looks more like an SQL query?

United Airlines and the 5-Second Rule for Security: Freshness is important

2008-09-10T06:56:00.000-07:00

United lost $1 billion in market cap this week because an old news article being mistaken for a fresh article. As a graduate student, I collected stories about flaws related to integrity and freshness of content --- ranging from news stories to software updates --- because of my interests in engineering secure file systems. But it's not the first time that a flaw related to freshness of content has affected the stock of a company. Emulex lost $2.5 billion in market cap because a hoax eight years ago. Here's a screenshot to remind you.

The United incident might be an unintentional accident rather than a security problem. But try to explain the difference between security and robustness to jittery investors who count on the integrity and freshness of information to make important decisions.

Automated Fast Food Error Messages

2008-07-03T20:44:00.000-07:00

Errors messages when ordering fast food at an airport? Have your error message Your Way! When I saw this blue screen of death, I had to try this novel payment system at Burger King. Sadly, the chain hired a cashier to sit next to the automated ordering system. She physically swiped the card and pressed the buttons for me. Hopefully in the future such intervention will not be necessary, but the machines must not be too robust. Windows.

Japan has already mastered the art of automated payment. There are some ramen restaurants where a customer would never even see eye-to-eye with a wait staff member. Here's an example from a ramen restaurant I tried in Fukuoka. Most restaurants have automated kiosks to order food.

Table-side Credit Card Readers

2008-07-03T20:33:00.000-07:00

At Legal Seafoods in Washington Reagan Airport, I had my first experience with table-side credit cards in the USA.

Table-side credit card readers are popular in Europe. Instead of swiping a credit card at the counter, the customer is provided a self-contained unit at the table. The idea is to reduce fraud by wait staff (e.g., surreptitious extra swipes). But not all wait staff are comfortable with table-side units because of the culture of American dining. The user interface is clumsy. When wait staff add their own annotated buttons to a machine, you know that the user interface was not designed well. Read more about table-side credit cards from another blog.

Apple Time Machine Error Message

2008-06-09T21:12:00.000-07:00

Hmm, what's wrong with this error message?

Crummy cookie authentication schemes

2008-04-26T16:21:00.001-07:00

Ever wonder what happens after you log in with a password on a Web site like Blogger, Facebook, banks, shopping Web sites, and such? Often the Web server sets a cookie that essentially says, "Hi. This user already authenticated with a password, so don't bother to ask for the password when the user clicks on the next restricted Web page." This feature is incredibly convenient. Can you imagine typing your password each time you click on a different Web page? That would be unbelievably cumbersome.

Unfortunately, it's amazingly difficult to design a secure Web authentication scheme. Even the experts can mess up. Sometimes the flaws in a cookie authentication scheme can let an intruder bypass the password check entirely. In 2001, I published a USENIX Security paper that attempted to classify the flaws in various Web authentication schemes, discover the root causes of the flaws, and find ways to avoid the flaws. Yesterday, Steven J. Murdoch proposed a solution to fix a vulnerability he discovered in the Wordpress cookie authentication scheme. Further information appears in Murdock's paper and slides. The vulnerability permits an attacker to gain administrative access, and resulted from a type of "cryptographic splicing" flaw that was discussed in the USENIX Security paper and the more comprehensive technical report. Nearly seven years after these publications and the CACM Risks column, the same types of problems keep popping up.

Is there a perfect solution for secure Web authentication based on cookies? No, but we can learn from our mistakes. Designers of security-sensitive Web applications should read up on their history before repeating the mistakes of yore. Not everyone is a Steven J. Murdoch; Web application developers should rely on designs and code from folks like Murdoch rather than risking the design or implementation of a flawed scheme. But even then, be wary of putting too much faith in a cookie authentication scheme.

Open design of contactless payment systems

2007-11-21T08:24:00.000-08:00

A year ago my research group showed that many contactless credit cards revealed personal information such as the credit card number, the card holder name, and the expiration date. We demonstrated how to wirelessly and undetectably read this information through wallets and clothing. If the credit cards did have security mechanisms in place, the mechanisms did not stop our attacks.

Now the credit card industry is "taking the same core functionality that's in the cards and embedding that in a mobile handset." While such systems hold great promise, I'm concerned because of the choral refrain of absolute claims, such as "if someone was to hack the transaction, it could never be duplicated." I would like to believe this. But where's the proof? Absence of proof is not proof of absence. If our systems relied on openly studied protocols, we could establish such proof.

Wireless communication does not have the luxury of physical security enjoyed by a closed network for payment processing. By definition, wireless communication is open and cannot be physically secured. Fortunately, engineers learn about the open design principle in introductory Computer Science and Electrical Engineering courses. The Information Assurance community already learned that openness of a sound design leads to stronger security. For instance, consumers rely on SSL to protect Web surfing at online banks. Thank goodness that the design of SSL is completely open and has been scrutinized publicly for over a decade. Quoting the undergraduate text of Saltzer and Kaashoek: "Violation of the open design principle has historically proven to almost always lead to flawed designs." The authors end with a warning that, "It is simply not realistic to maintain secrecy of any system that receives wide distribution." Let's hope that contactless mobile payments follow the open path for admiration rather than become yet another case study in computer security textbooks. In the meantime, look for wide-scale distribution of contactless payments in mobile phones.

Error messages in subway systems

2007-06-01T09:31:00.000-07:00

Subway ticketing systems have pretty wrapping around Windows.

More daylight savings adjustment errors

2007-06-01T09:27:00.001-07:00

This hotel has a smart clock that double-adjusted for daylight savings on April 1, 2007. I seem to run into these daylight savings bugs everywhere.

Errors on airport check-in kiosk

2007-06-01T09:23:00.000-07:00

Time zone travel, annoying but not life-threatening

2007-03-18T03:39:00.000-07:00

I had the pleasure of flying on a redeye from the USA to Europe on the night of the new US daylight savings system went into effect. On the return trip from Europe, the 767 provided a fun video map of the flight status, including remaining flight time and local time zones. The software did not take into account the new daylight savings plan, so I asked a flight attendant whether the software would be updated. The attendant then made a public announcement that the in-flight entertainment used the wrong time zone, and that passengers should "set the clock back one hour." Passengers are now two hours off actual time. At the left are images. My watch is set to the proper time in Washington, DC. The airline is not.

The Case of the Two Doctors

2006-12-07T17:16:00.000-08:00

A few weeks ago the Google listing changed for some PhDs. Now when ~~googling~~ searching for Brent Waters or Kevin Fu via Google, odd text appears as the first hit. The text consists of the title "dr" followed by the name, all in lowercase. The text itself does not appear on the target Web page.

An inside joke at Google? A cute bug? Google snuck into each thesis defense of yore? Or maybe abhi shelat is taking over the world, letter by letter all in lowercase.

RFID pumpkin nose

2006-10-16T06:15:00.000-07:00

At Ron's annual Pumpkin Party, I did my best to emulate Moses' carving skills (photo credit to Gildas). I settled for this attempt.

Time sink

2006-09-20T20:27:00.000-07:00

This dialog box is not desirable.

Buffer overfly

2006-07-03T07:15:00.000-07:00

It's one thing to see a hot air balloon fly in the distance. It's a bit more impressive when you wake up with one landing in your front yard.

Worm attack

2006-05-19T09:19:00.000-07:00

Parts of New England got upwards of 15 inches of rain this week. My garage is now subject to a worm hole attack. This worm managed to eventually crawl about 3 feet up the side of my garage.

Creative building access control

2006-05-02T08:25:00.000-07:00

I took some snapshots while in Puerto Rico. Perhaps this access control system was designed by committee.

Electronic voting online

2006-05-02T08:01:00.000-07:00

A few weeks ago the ACM held its online elections for its officers. After receving an email with a "unique PIN", I was curious how random the distribution of voting PINs actually was. About a dozen of ACM members emailed me their PINs and the timestamp on the email from the election server. The graph plots the PIN number vs. the estimated time of day for receiving the email. The points look linear to me.

From: "Election Services Corporation for ACM"
To: "Kevin Fu"
Subject: ACM 2006 Election
Date: Fri, 7 Apr 2006 14:32:16 -0400

Dear Kevin Fu:

This e-mail is being sent on behalf of the Association for Computing
Machinery (ACM). To confirm authenticity of this message, go to
http://www.acm.org/acmelection/.

ACM is pleased to offer its members the opportunity to vote online in the
2006 Election.

You are encouraged to participate in this election. Please note that 12:00
noon Eastern Time, May 23, 2006 is the deadline for submitting your vote.
It is important that the voice of ALL members be heard.

To vote online, please go to: https://www.escvote.com/acm2006

You will need your 7-digit ACM Member Number to log in to the secure
voting site. If you do not know your membership number, please go to
https://campus.acm.org/public/accounts/Forgot.cfm

For additional help, please visit the help screen on the log-in page by
clicking on the "Help" button.

Enter the 10-digit unique PIN seen below.

Enter your 7-digit ACM Member Number.

Follow the online voting instructions.

ACM Council Election

Your Unique PIN is: 0502XXXXXX

If you have any questions, please e-mail acmhelp@electionservicescorp.com
or call toll-free 1-866-720-4357.

Thank you for taking the time to submit your vote online.

Association for Computing Machinery

The company conducting the election says:

Thank you for your interest and comments regarding the ACM election.

The pins we generate are not in precise sequential order. They are however in ascending order when transmitted to the queue on the email server. There is no direct correlation between the member id and the pin.

However we thank you for your findings as we are always trying to improve our security and will review these finding in attempt to further improve the process.

The "unique PIN" turns out to simply be a user identifier, and the security of the election rests on the secrecy of the voter's ACM member number. This is probably reasonable for something minor like the ACM election, but it does create unnecessary dependencies.

The ACM election was mentioned once before in the Risks Digest

nothing to say

2004-05-20T17:16:00.000-07:00

"While modern technology has given people powerful new communication tools, it apparently can do nothing to alter the fact that many people have nothing useful to say." -- Lee Gomes, WSJ