Frederick Giasson’s Weblog

There are two interesting piece of news concerning nuclear security. The first one is from the BBC. The Kyrgyz authorities had arrested 2 men that tried to sell 60 small containers containing plutonium-239. Who said that terrorists or other criminal groups don’t have the power to find and buy such material? This is possible that the news isn’t true. This is possible that the Kyrgyz government to prove something to the Russian or American government invented this. However, personally I think that such a situation is possible. Think about it 2 seconds. The CIA probably doesn’t have many agents in the central Asia zone since 1980 or 1990. The US army have a base in Uzbekistan but they are confined here. We need to rely on local governments for such investigation and probably the world security. The problem is that they have their own problems. Is that possible the Kyrgyz government had arrested them? If it’s true, praise them. Is that the first time that criminals try to buy/sell such products on the black market? I doubt. Why a country where 80% of their weddings are done with kidnapped women care about some criminals that sell/buy plutonium on their territories? The possibility exists; but I have doubts. What’s freaky is that we rely on such governments(there governments in central Asia) to do the work that concerns us. We need to change our mentality and put back our agents on the field where the things append. When I say “we”, I talk about the countries that care about their homeland security or countries that need to care about it.

[In addition to the post: 02 October 2004]
———————————————–

It was finally a false alarm. It suppose to be in reality 55 old-fashioned Soviet smoke detectors. I warn you in the first edition of the post that this was possible that this piece of news was not real or true. However most of the facts remind I said on the subject remain.

———————————————–

The other piece of news is from SecurityFocus. They talk about cyber attacks against nuclear facilities. There are some interesting things that they said and that I want to think about:The fact: “Last year the Slammer worm penetrated a private computer network at Ohio’s idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours. The worm entered the plant network through an interconnected contractor’s network, bypassing Davis-Besse’s firewall”. The solution they found to resolve the problem: “News of the Davis-Besse incident prompted Rep. Edward Markey (D-MA) last fall to call for U.S. regulators to establish cyber security requirements for the 103 nuclear reactors operating in the U.S., specifically requiring firewalls and up-to-date patching of security vulnerabilities”. It’s sure that they have problems with their firewalls and vulnerability updates. But for the specific case of what append at Davis-Besse, the best firewall and latest updates would not stop the virus. Why? Because he propagated himself through the contractor’s network. The point here is to demand the same level of network security to their contractors. Any security system with a backdoor is not secure at all.

What if the contractor is bribed or menaced by a criminal group? Security is not just about firewalls and security updates. It’s more than that. You need to think about things that you don’t think about. It’s not just a process; it’s a way of thinking. It’s like doing a great discovery. You need a mind shift, imagination. You need to understand how your enemies work and think. You need to understand how your employees work, think and react in certain situation. Personally I see a great deal of psychology in security (any type of security), I’m I paranoiac? Security is not distributed in distinct parts, it’s a whole.

There is a hope when you finish to read the article:

“A working draft of the NRC guide reviewed by SecurityFocus would encourage plant operators to consider the effect of each new safety system on the plant’s cyber security, and to develop response plans to deal with computer incidents. Additionally, it would urge vendors to maintain a secure development environment, and to probe their products for backdoors and logic bombs before shipping.”

But as I said, this is not just a question backdoors and logic bombs in software. However they are in the good way because we can see that they are preoccupied by their sofware development companies and their interaction with them.

There is not any link between these two piece of news. But I think that it’s a good opportunity to think about the problem. There are probably many things that I don’t understand in the situation, but if I base my thoughts on what I perceive, there is a real problem for the world security.

This is just a little thought about a piece of news that appeared on the BBC this week. This post is hard to write because anybody can read it, from anywhere on the planet, from any culture. The perception toward the violence depends greatly from a place to another, from a culture to another, from a social layer to another. I just want to warn you that it’s strictly a personal thought that don’t need to be shared; so read it with your eyes and if you not agree with it, then start a discussion and I’ll be happy to try to understand your point of view. Don’t be shy, I’m really open with others’ thoughts, it’s how I learn and it’s how I can adapt myself and survive in a new environment and situation.

So, have you read this article? This is just a story like many others. It’s in China but you can see the same thing anywhere else in the world. It’s not a question of race or religion, it’s a question of violence. It’s a question of people toward violence, pure violence. They had probably a motivation to do it, possibly none. The fact is not there. The question I need to ask is: Is everybody having a social responsibility toward violence? A couple of bums versus 80 other peoples. Two of them done a blood bath. Nobody reacted to the situation. They have knifes? Clients had chairs, keyboards, probably some type of poles, etc. There were security guards. Nobody moved. It’s sure that no one know how they will react in this type of situations before live it. Think about it. You, what would you have done in this situation?

Can we check other citizens been slashed in our face without reacting? Do we have the duty to try to do our best in these situations (and not just bow our head)? I think it’s a good society question. We need our society as secure as possible. They are not, they’ll never be. The thing is not to live in a completely secure world. The thing is to be aware of the problem, to study it and try to understand it. The real problem is that people play the ostrich and hide there head in the sand. They don’t wish to sea the reality. Personally, here in Canada, it’s how it work. People don’t need to get stock in the story of others people. Personally, I think we are wrong to think in this way. I think that we need to help other citizens if they are in danger. We need to help them at our best and not fear the prosecution. I also think that we need to learn this thought to citizens and to our future generations. Really, I’m dreaming, I don’t think that a majority of Canadians agree with me but it’s my point of view for the moment. What lack in Canada and probably in many other countries? The citizenship spirit.

If I wish to have the sense of security in my community, I think that this same community needs to have a citizenship spirit , be able and have the courage to help me if I’m in troubles. I’ll do it for them, but will they’ll do it for me?

I just finished to read The myth of Homeland Security. This is a good book about homeland security; mostly concentrated on United-States homeland security post 9/11. This is an apolitical essay on the subject. He bases his thoughts mostly on the analysis of the PATRIOT acts and other governmental writings. A thing that I really don’t like is that he didn’t do a bibliography; he justified this by:

“I had to write whole sections of this book based on partial information. But this book is not intended to be a history text or a reference. I’m making some inflammatory observations; I don’t want you, the reader, to ignore the substance of what I have to say by getting bogged down in the details of my research. So I didn’t quo sources.”

This is a good introduction book on the subject of homeland security. He ask the general questions of the subject and explain his point of view on them. I think that this is an honest writing from the part of the author. Some times, he lacks some deepening of his subject but this is excusable.

There is a good quote that resumes the general mood of the book: “Last week a friend forwarded me one of those “quotable quotes” emails that circle endlessly on the internet. At the bottom, it read: “You read about all these terrorists – most of them came here legally, but they hung around on these expired visas, some for as long as 10 to 15 years. Now, compare that to Blockbuster; you are two days late with a video and those people are all over you. Let’s put Blockbuster in charge of immigration”.

By moment I had doubts on his researches for this book. For example, at the page 111 he says in a You should know section: “The National Security Agency (NSA) is a completely separate “turf” that focuses on cryptography, communication security, and signals intelligence.” The problem is that if you read “Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold War Through the Dawn of a New Century” you’ll see that the fall of CIA was mainly caused by the NSA who win the bureaucratic game for founds. The FBI probably not helped but to say that the NSA is completely separate turf this is two worlds. It’s possible that he is right, but I put a bémol here.

There is his home page: Marcus J. Ranum

This is my personal little review of the book, but you can have access to a full and complete review of the book by reading Robert M. Slade’s

Have a good read!

Security consequences of possible proof of Riemann’s hypothesis

I’ll not resume the news here, it’s was widely done these days: [4], [5], [6], [7], [8] and [9]. There is the proof of the theorem [2] of Louis de Branges [3]

The problem is that we don’t know if his proof is right. Mathematicians have doubt if Louis de Branges is able to prove the hypothesis. It’ll take time to peer review the proof by the most important mathematicians of Riemann’s hypothesis. If finally the proof is counter verified and became true, it’ll probably take time to know the consequences of the proof and how to use it.

In the case that he is right and that we can find how to use the hypothesis to make many one-way functions with prime numbers not one-way anymore, what will be the consequences? For now, no one; in the future, probably many with asymmetric encryption algorithms. If the dream to prove this hypothesis comes true, you’ll can forget electronic commerce, certification, digital signatures, TCP/IP security, secure telephones, just to tell some. You’ll not be able to rely on public-key encryption anymore as a easy to use method for encrypted distant transmission. We’ll live a boom of “The new most secure ecommerce solution with our new full proof proprietary public-key encryption algorithm”. Think about it, it took thousands years and many brilliant ideas to be where we are now. Don’t think that it will take 2 weeks or 2 months to make a new leap in the field of public-key encryption. When we’ll find a solution, it’ll need months and years to analyse and harden algorithms.

There are some questions like: Why there is not enthusiasm for the discovery? Why the proof is not yet published for peer reviewing? Is this because other mathematicians of the field don’t want it confirmed? Is this because there is a price of 1 million in US dollars on the proof of this hypothesis? Is this because they get pressure by commerce and governmental agencies? There is too many questions, we’ll probably know the answer to these questions in a near or far future.

There are some of my reactions and toughs about what come up in the news:

From [4] it’s written: “Gartner research director Ray Wagner said recent flaws in encryption methodologies would take years of research to develop and exploit for, something hackers are less likely to do while other security flaws are easier to take advantage of.” Yeah sure but is there just hackers in the networked world? What about government? Industrial spies? Well funded terrorist groups? (Don’t forget, terrorists aren’t stupid, many have university studies being there necktie. This isn’t an argument to not take the possibility in count.
Always in [4] : “”This is one area where we can stay ahead of the thieves,” said Alan Canton, president of security consulting and software firm Adams-Blake Company. “It does not take nearly as long to come up with a new code or encryption methodology as it does to crack it.” Hummm, I think that Mr Canton needs to read The Code Book. Does he know how it took time to arrive where we are? Yeah, for the moment cryptographers are ahead of cryptanalysts. For how many time if the hypothesis is proved true? Refer to history Mr Canton, it can teach us many things sometimes, specially in the filed of cryptography.
Mr Canton also said: “”No matter what happens,” he added, “it will always be safer to enter your credit card in an e-commerce transaction than to give it to the waiter at the restaurant or to a mail-order company via phone.”” He is right, but I don’t think that he got the point. This is not only a problem of credit card number that travel plain text over the internet, but for the rest, for private communication over a cell phone, to keep our state secret safe of the view of other countries when they communicate. Really, plain text credit card number over the internet is probably on of my last worries. Why? Because the worse thing that can append if someone get my credit card number and buy something with it is that I’ll need to pay 50$CAN for my reclamation to Visa or MasterCard… what a deal!
Just another thing that I wish to point out: check the curriculum of this so-called president of security consulting and software firm. Check his publications, etc. Personally, I cannot find out where you can find his realisations as a security consultant. Therefore, you get his words for what it is. I just say this to remember you that it’s always interesting when you do research on what is said in an article. Be critic!

Come back with our sheep. What’s interesting with this piece of news is that if he is right, we’ll have work for the next years. If he is not then it remembers us that the possibility exists and that we need to get an eye on the situation. It’s not because his proof is wrong that his idea is.

It’s a privilege to have this piece of news. It’s essential to think about news like this. Is the proof of Louis de Branges true? Personally, I don’t care. I know that the possibility exist, it’s what I care of. It’s like UFO, do they come on earth with there flying saucers? For now, I don’t really care, but I know that the possibility exist and this is what make it really interesting. The possibility! Can international terrorism can shutdown our telephone systems by hacking them? The possibility exists. Will they be able to do it? If so, will they do it? It’s another question. What I know it’s that the possibility exist and that we need to take this in count when telephone corporations will build security policies and extend there networks, and try to build security systems. It’s what we care of.

There are the links to Louis de Branges’s website and proof.
[1]http://www.math.purdue.edu/~branges/
[2]http://www.math.purdue.edu/ftp_pub/branges/apology.pdf

There is an interesting article by Karl Sabbagh on the character of Louis de Branges:
[3]http://www.lrb.co.uk/v26/n14/sabb01_.html

There is the proof in the news:
[4]http://www.ecommercetimes.com/story/Mathematical-Solution-Might-Undermine-Data-Encryption-36427.html
[5]http://news.bbc.co.uk/2/hi/science/nature/3794813.stm
[6]http://www.guardian.co.uk/life/science/story/0,12996,1298812,00.html
[7]http://www.vnunet.com/news/1157891
[8]http://www.theaustralian.news.com.au/common/story_page/0,5744,10706836%255E30417,00.html
[9]http://timesofindia.indiatimes.com/articleshow/846888.cms
[10]http://www.math.columbia.edu/~woit/blog/archives/000035.html