Matt Blaze's
Science, Security, Curiosity
Archives: 2010

A couple of years ago Jutta Degener and I became the first people to solve James Randi's $1,000,000 paranormal challenge. We derived, from thousands of miles away, the secret contents of a locked box held in Randi's offices set up to test whether psychic "remote viewing" was possible. Not being actual psychics, we had to exploit a weak home-brewed cryptographic commitment scheme that Randi had cooked up to authenticate the box's contents rather than the paranormal powers he was hoping to test for, but we did correctly figure out that the box contained a compact disk. And being nice people, we never formally asked for the million bucks, although we did have a bit of fun blogging about the cryptologic implications of psychic testing, which you can read here.

Our feat of "psychic cryptanalysis" got a bit more attention than I had expected given that our earthly cryptographic abilities are anything but paranormal, but you never know where the Internet will take things. But I was even more surprised when someone recently sent me a link to this final exam from a contracts course at the Stetson University College of Law [pdf].

Now, my mother definitely didn't raise me to be a law school exam question, and yet there we are, playing a starring role in the question on the fourth page. I have no idea whether to be flattered or horrified, but for the record (especially in case the IRS is reading), we never asked for or received the million dollars. And I've definitely never been to an Alaskan psychic's convention.

The one thing I'm sure of is that Prof. Jimenez (who I've never met) will be making a guest appearance on some exam of mine in the near future. In a perfect world, he might play a role in a question involving copyright infringement, defamation, and false-light privacy, but since I teach computer science, not law, something about operating systems will probably have to do instead.

Fair warning: If I give a talk -- at your conference, lecture series, meeting, whatever -- and you ask me for "a copy of my presentation" I'm probably going to refuse. It isn't personal and I'm not trying to be difficult. It's just that I have nothing that I can sensibly give you.

Many speakers these days make their visual aids available, but I don't. I don't always use any, but even when I do, they just aren't intended to be comprehensible outside the context of my talk. Creating slides that can serve double duty as props for my talk and as a stand-alone summary of the content is, I must confess, a talent that lies beyond the limits of my ability. Fortunately, when I give a talk I've usually also written something about the subject too, and almost all my papers are freely available to all. Unlike my slides, I try to write in a way that makes sense even without me standing there explaining things while you read.

"Presentation software" like PowerPoint (and KeyNote and others of that ilk) has blurred the line between mere visual aids and the presentations themselves. I've grown to loathe PowerPoint, not because of particular details that don't suit me (though it would be nice if it handled equations more cleanly), but because it gets things precisely backwards. When I give a talk, I want to be in control. But the software has other ideas.

PowerPoint isn't content to sit in the background and project the occasional chart, graph or bullet list. It wants to organize the talk, to manage the presentation. There's always going to be a slide up, whether you need it there or not. Want to skip over some material? OK, but only by letting the audience watch as you fast-forward awkwardly through the pre-set order. Change the order around to answer a question? Tough -- should have thought of that before you started. You are not the one in charge here, and don't you forget it.

When I give a talk, I like to rely on a range of tools -- my voice, hand gestures, props, live demos, and, yes, PowerPoint slides. I tend to mix and match. In other words, from PowerPoint's perspective, I'm usually using it badly, even abusively. I often ignore the slides for minutes on end, or digress on points only elliptically hinted at on the screen. When I really get going, the slides are by themselves useless or, worse, outright misleading. Distributing them separately would at best be an invitation to take them hopelessly and confusingly out of context, and at worst, a form of perjury.

Unfortunately, "PowerPoint" has become synonymous these days with "presentation", but I just don't work that way. Maybe you don't work that way either. There's no one-size-fits-all way to give a talk, or even a one-size-fits-me way. So when I'm asked for my slides, I must politely refuse and offer my papers as a substitute (an idea I owe to the great Edward Tufte).

Fortunately, I'm senior enough (or have a reputation for being cranky enough) that I can usually get away with refusing. Sometimes, though, when pressed hard, I'll give in and send these slides [pdf].

Addendum 26 November 2010: This post sure has struck a (perhaps dissonant) chord somewhere, especially for a long holiday weekend. I'm grateful to all who've emailed, blogged, and tweeted.

Several people have thoughtfully suggested their favorite alternatives to PowerPoint (Prezi seems to be the popular choice), which I'll certainly check out. And for the record, yes, I know about (and use when I can) PowerPoint's "presenter" mode, which improves control over the audience display. Unfortunately, both alternative software and presenter mode, while improvements, are at best unreliable, since they assume a particular configuration on the projecting computer. It often isn't possible to project from a personal laptop (especially in conferences run on tight schedules), leaving us at the mercy of whatever is at the podium. And that often means PowerPoint in single-screen mode.

In any case, while there is certainly room for me to improve my mastery of PowerPoint and its alternatives, this wouldn't solve the basic problem, which is that, in my case at least, my slides -- when I use them at all -- aren't the content. They won't help you understand things much more than would any of the other stuff I also happen to bring up on stage with me, like, say, my shoes (which you can't have, either). But you're welcome to my papers.

I'll be the first witness at this morning's (6/24/10) House Judiciary Committee hearing on ECPA Reform and the Revolution in Location-Based Technology, which, for DC locals, will start at 10am in room 2233 of the Rayburn building.

My testimony [pdf] will focus on the technical: how modern cell phones and wireless services calculate location, and how accurately they can track and record users' positions and movements. This is all in the context of surveillance: when the government gets a pen register order against a cell phone, for example, what information do (or should) they get about the target's location and movements compared with other kinds of tracking technology?

Other witnesses will include (among others) a special agent (from the Tennessee Bureau of Investigation) who does electronic surveillance, and a federal magistrate judge who has to sort out the legal issues when the government requests tracking information about a suspect. The hearing promises to be an interesting glimpse into how location tracking actually works in criminal investigations.

No idea if the hearing will be shown via a webcast or C-SPAN coverage.

Update 6/28/10: The hearing was interesting, and I especially enjoyed Chairman Nadler's line of questions to me about how the technology works and about the records kept by carriers. Unfortunately, video of the hearing doesn't appear to be available online anywhere, at least at the moment.
Update 5/16/12: An updated version of my testimony is available at, as a statement for the record at a House hearing on the "GPS Act".

Back in 1995, Bruce Schneier asked me to write an "afterword" for the second edition of Applied Cryptography. Perhaps to his chagrin, I couldn't think of any better way to sum up a book about cryptography than to dismiss what was then a popular delusion about the subject: that it, above all else, held the secret for securing computers.

1995 now seems like a long time ago, technically and culturally. The Web was barely around. Highly connected people had fax lines at home. The Soviet Union had only recently dissolved. I could see the World Trade Center from my bedroom window.

Essays written that long ago, especially those about rapidly changing technology, can be a bit embarrassing to read -- conspicuously oblivious to some fast approaching meteorite that would shortly make the author's basic assumptions extinct. Or they might seem retrospectively obvious and trite: war is bad, puppies are cute, and computers are insecure.

And so it was with some trepidation that I recently dusted off my copy of Bruce's book and found myself staring at my thoughts on cryptography from the previous century.

A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much.

SSL certificates are the primary mechanism for ensuring that secure web sites -- those displaying that reassuring "padlock" icon in the address bar -- really are who they purport to be. In order for your browser to display the padlock icon, a web site must first present a "certificate", digitally signed by a trusted "root" authority, that attests to its identity and encryption keys.

Unfortunately, through a confluence of sloppy design, naked commercial maneuvering, and bad user interfaces, today's web browsers have evolved to accept certificates issued by a surprisingly large number of root authorities, from tiny, obscure businesses to various national governments. And a certificate from any one of them is usually sufficient to bless any web connection as being "secure".

What this means is that an eavesdropper who can obtain fake certificates from any certificate authority can successfully impersonate every encrypted web site someone might visit. Most browsers will happily (and silently) accept new certificates from any valid authority, even for web sites for which certificates had already been obtained. An eavesdropper with fake certificates and access to a target's internet connection can thus quietly interpose itself as a "man-in-the-middle", observing and recording all encrypted web traffic, with the user none the wiser.

But how much of a threat is this in practice? Are there really eavesdroppers out there -- be they criminals, spies, or law enforcement agencies -- using bogus certificates to intercept encrypted web traffic? Or is this merely idle speculation, of only theoretical concern?

A paper published today by Chris Soghoian and Sid Stamm [pdf] suggests that the threat may be far more practical than previously thought. They found turnkey surveillance products, marketed and sold to law enforcement and intelligence agencies in the US and foreign countries, designed to collect encrypted SSL traffic based on forged "look-alike" certificates obtained from cooperative certificate authorities. The products (apparently available only to government agencies) appear sophisticated, mature, and mass-produced, suggesting that "certified man-in-the-middle" web surveillance is at least commonplace and widespread enough to support an active vendor community. Wired's Ryan Singel reports in depth here.

It's worth pointing out that, from the perspective of a law enforcement or intelligence agency, this sort of surveillance is far from ideal. A central requirement for most government wiretapping (mandated, for example, in the CALEA standards for telephone interception) is that surveillance be undetectable. But issuing a bogus web certificate carries with it the risk of detection by the target, either in real-time or after the fact, especially if it's for a web site already visited. Although current browsers don't ordinarily detect unusual or suspiciously changed certificates, there's no fundamental reason they couldn't (and the Soghoian/Stamm paper proposes a Firefox plugin to do just that). In any case, there's no reliable way for the wiretapper to know in advance whether the target will be alerted by a browser that scrutinizes new certificates.
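The certificate-change check described above, as an added example that is not part of the original post and is not the Soghoian/Stamm plugin: it remembers the first certificate seen for each site and flags a later, different certificate issued by a different authority, even though such a certificate would validate normally. The class name, verdict strings, update policy and sample data are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    host: str
    issuer: str      # issuing CA name as presented in the certificate
    cert_der: bytes  # raw certificate bytes (constructed placeholders below)


class CertificateHistory:
    """Remembers one certificate per host and classifies later ones."""

    def __init__(self):
        self._seen = {}  # host -> (issuer, SHA-256 fingerprint)

    def check(self, obs: Observation) -> str:
        fp = hashlib.sha256(obs.cert_der).hexdigest()
        prior = self._seen.get(obs.host)
        if prior is None:
            self._seen[obs.host] = (obs.issuer, fp)
            return "first-seen"
        prior_issuer, prior_fp = prior
        if fp == prior_fp:
            return "unchanged"
        if obs.issuer == prior_issuer:
            # Same CA reissued: treated here as a routine renewal (assumed policy).
            self._seen[obs.host] = (obs.issuer, fp)
            return "renewed-same-ca"
        # A different CA now vouches for a known site. The chain may be valid,
        # so the record is left untouched and the change is surfaced.
        return "issuer-changed"


def classify(observations):
    history = CertificateHistory()
    return [(o.host, history.check(o)) for o in observations]


# Constructed sample data: hosts, CA names and certificate bytes are invented.
SAMPLE = [
    Observation("bank.example", "Example Root CA", b"cert-A"),
    Observation("bank.example", "Example Root CA", b"cert-A"),
    Observation("bank.example", "Example Root CA", b"cert-B"),
    Observation("bank.example", "Other Trusted CA", b"cert-C"),
    Observation("shop.example", "Other Trusted CA", b"cert-D"),
]

if __name__ == "__main__":
    for host, verdict in classify(SAMPLE):
        print(host, verdict)
```
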

Also, it's not clear how web interception would be particularly useful for many of the most common law enforcement investigative scenarios. If a suspect is buying books or making hotel reservations online, it's usually a simple (and legally relatively uncomplicated) matter to just ask the vendor about the transaction, no wiretapping required. This suggests that these products may be aimed less at law enforcement than at national intelligence agencies, who might be reluctant (or unable) to obtain overt cooperation from web site operators (who may be located abroad).

Whether this kind of surveillance is currently widespread or not, Soghoian and Stamm's paper underscores the deeply flawed mess that the web certificate model has become. It's time to design something better.