When is a Fine Excessive?

CNN has an interesting story about a Christian organization that is seeking to avoid fines for not providing coverage for the “Day After” pill or (I think) RU-486.  Let us not argue about birth control or abortion.  My issue here is the amount of the fine, which is $100 per day per employee for whom the employer refuses coverage.  Why isn’t that fine excessive?  To begin with, let’s look at the cost of such services.  The cost of the drugs is relatively low.  According to Planned Parenthood, the cost of the pharmaceuticals is between $10 and $70.  For an insurance company this is really a non-issue, and that leaves the moral issue, because it’s not an ongoing expense.  In fact, it may even be lower than some people’s co-payments or deductibles.  Now we need to add this to an insurance risk pool cost, and the price for insurance probably drops to well less than $0.10 per year.  After all, how often does anyone need such services?  Maybe once in their lives?  Maybe never.

If we break this down, then, to compensatory versus punitive damages, let’s postulate a government program that allows doctors and pharmacies to be reimbursed for the cost of the procedure.  Let’s call the program, oh…. Medicaid.  Let’s say that costs, from a risk perspective, $1.00 per year.  The Supreme Court has already said that punitive damages in civil cases should not exceed a factor of 10.  Why then, should the fine for this behavior not be $10 per employee per year instead of $100 per employee per day?

In fact, why not let employers opt out on conscience grounds and let them pay a slightly higher premium of $2.00 per employee?  In this sense, the government would stand to profit from an employer who REALLY has qualms.  Of course, one would also have to ask why that company would feel so comfortable paying the government twice what it would pay the insurance company, when at the end of the day the same service would be performed?

Put simply: what is the societal interest in penalizing a company 100,000 times the cost of a service in this case?  Is this such an egregious omission?  Are employees unsafe?  Would the service otherwise be unavailable?  What is the issue?


Smart Watches and wristbands: who is watching the watches?

Over the last few weeks a number of stories have appeared about new “wearable” technology that has the means to track you and your children.  NBC News has a comparison of several “Smart Watches” that are either on the market or could soon be.  Think Dick Tracy.  Some have phones built in, while others can send and receive email.  These things don’t replace smartphones or other PDAs in general because their screen size is so small.  They’re likely not to have much of an Internet browser for that reason, and they may only support a few simultaneous applications on board.

Still, smart watches may find their own niche.  For instance, a smart watch can carry an RFID tag that could be used to control access to garage doors, or perhaps even your front door.  A smart watch might be ideal for certain types of medical monitoring, because of its size.  In all likelihood these devices would have limited storage, and would take advantage of various cloud services.  It’s this point that concerns me.

Any time data about you is stored somewhere, you have to know what others are using it for, and what damage can be done if that data falls into the wrong hands.  And so, now let’s consider some of the examples we discussed above in that light:

  1. Voice communications: as one large vendor recently discovered, anything that can be used as a phone can be used as a bug, to listen in on conversations.  Having access to large aggregations of smart watches through the cloud would provide an entire market for attackers, especially if the information is linked to specific individuals.
  2. Medical monitoring: similarly, if you are using a smart watch or any other device for medical monitoring, consider who else might want to act on that information.  Insurance companies and employers immediately leap to mind, but then perhaps so do pharmaceutical companies who might want to market their wares directly to you.
  3. RFID and location-based services.  There have already been instances of people being tracked electronically and murdered.  Children wearing this or a similar device could be kidnapped if the cloud-based services associated with the device are broken into.

This is what concerns me about Disney’s MagicBand.  Disney makes a strong case that having such a band can actually improve service.  But should their information systems be broken into by a hacker, how much might a deranged estranged parent pay that criminal to find out where the child is?

It is the linkage of various attributes that must be considered.  Add location to a name and all of a sudden, a hacked cloud-based service can really do someone damage.  We give away a lot of this information already with many smartphone applications and other devices we carry.  Before we give away more, perhaps we should stop and think about our privacy in broader terms and what is necessary to protect it.  In Europe, the Data Protection Directive covers a lot of this ground.  But America and other countries are far behind that level of protection.  Further, every new service on a smart device is going to want to monetize every last bit of data it can get.

Securing domain names: what’s it take?

When you see a URL like http://www.ofcourseimright.com, your computer needs to convert the domain name “www.ofcourseimright.com” to an IP address like 62.12.173.114.  As with everything else on the Internet, there are more or less secure ways of doing this.  Even the least secure way is actually pretty hard to attack.  While false information is returned by the DNS all the time, usually it’s benign.  There are still some reasons to move to a more secure domain name system:

  • Attackers are getting more sophisticated, and they may attack resolvers (the services that change names to numbers).  Service providers, hotels, and certain WiFi networks are subject to these sorts of attacks, and they are generally unprepared for them.
  • There are a number of applications that could make use of the domain name system in new ways if it were more secure.

Still, it’s good that the current system hasn’t been seriously attacked, because the way the Internet Engineering Task Force (IETF) recommends – DNSSEC – is a major pain in the patoot for mere mortals to use.  There is some good news: some very smart people have begun to document how to manage All of This®.  What’s more, some DNS registrars who manage your domain names for you will, for a price, secure your domain name.  However, doing so truly hands the registrar the keys to the castle.  And so what follows is my adventure into securing a domain name.

[Figure: DNSSEC resource record check – http://upload.wikimedia.org/wikipedia/commons/f/f0/DNSSEC_resource_record_check.png]

DNSSEC is a fairly complex beast, and this article is not going to explain it all.  The moving parts to consider are how the zone signs its information, how the zone’s keys are authorized (in this case by the parent zone), and how the resolver validates what it is receiving.  It is important to remember that for any such system there must be a chain of trust between the publisher and the consumer for the consumer to reasonably believe what the publisher is saying.  DNSSEC accomplishes this by having the parent zone publish a hash of the child zone’s key (its DNSKEY record) in a DS record, which the parent signs with its own key.  That way you know that the parent (like .com) has reason to believe that information signed with a particular key belongs to the child.

From the child zone perspective (e.g., ofcourseimright.com), there are roughly five steps to securing a domain with DNSSEC:

  1. Generate zone signing key pairs (ZSKs).  These keys will be used to sign and validate each record in the zone.
  2. Generate key signing key pairs (KSKs).  These keys are used to sign and validate the zone signing keys.  They are known in the literature as the Secure Entry Point (SEP) because there aren’t enough acronyms in your life.
  3. Sign the zone.
  4. Generate a hash of the DNSKEY records for the KSKs in the form of a DS record.
  5. Publish the DS in the parent zone.  This provides the means for anyone to confirm which keys belong to your zone.
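Steps four and five are where a typo does the most damage: a DS record pasted into a registrar’s web form that does not match the KSK in the zone breaks validation for the whole domain.  The following is an added example, not code from the original post nor from BIND or OpenDNSSEC.  It computes the DS record (key tag per RFC 4034 Appendix B, digest over the canonical owner name plus the DNSKEY RDATA per RFC 4034 §5.1.4) from a DNSKEY in presentation format, and checks whether a DS record, as the parent would publish it, really was derived from a given DNSKEY.  The sample DNSKEY below is constructed: it uses ofcourseimright.com as the owner and a dummy 4-byte public key so the key tag can be checked by hand (a real ECDSAP256SHA256 key is 64 bytes).

```python
import base64
import hashlib
import struct

# DS digest types from the IANA registry (RFC 4034, RFC 4509, RFC 6605).
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _fields(line: str, rtype: str) -> tuple:
    """Split a presentation-format record; TTL/class are optional, parens ignored."""
    tokens = line.replace("(", " ").replace(")", " ").split()
    idx = tokens.index(rtype)
    return tokens[0], tokens[idx + 1:]


def parse_dnskey(line: str) -> dict:
    """Parse e.g. 'example.com. 3600 IN DNSKEY 257 3 13 <base64>'."""
    owner, rest = _fields(line, "DNSKEY")
    flags, protocol, algorithm = (int(t) for t in rest[:3])
    pubkey = base64.b64decode("".join(rest[3:]))  # base64 may be split across tokens
    return {"owner": owner, "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "pubkey": pubkey}


def dnskey_rdata(rec: dict) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["pubkey"]


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum, not a hash, so it only
    helps pick the right key out of a DNSKEY RRset; the DS digest does the real work."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(dnskey_line: str, digest_type: int = 2) -> str:
    """Step 4: the DS record the parent should publish for this DNSKEY."""
    rec = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(rec)
    digest = DS_DIGEST[digest_type](name_to_wire(rec["owner"]) + rdata).hexdigest().upper()
    return f"{rec['owner']} IN DS {key_tag(rdata)} {rec['algorithm']} {digest_type} {digest}"


def parse_ds(line: str) -> dict:
    """Parse e.g. 'example.com. IN DS 2068 13 2 <hex>' (hex may be split across tokens)."""
    owner, rest = _fields(line, "DS")
    tag, algorithm, digest_type = (int(t) for t in rest[:3])
    return {"owner": owner, "key_tag": tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": "".join(rest[3:]).upper()}


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """Step 5 check: does the DS (as typed into the registrar, or as served by the
    parent) match this DNSKEY?  Owner, key tag, algorithm and digest must all agree."""
    ds = parse_ds(ds_line)
    if ds["digest_type"] not in DS_DIGEST:
        return False  # digest type we cannot compute: treat as a mismatch, not a pass
    expected = parse_ds(make_ds(dnskey_line, ds["digest_type"]))
    return (name_to_wire(ds["owner"]) == name_to_wire(expected["owner"])
            and ds["key_tag"] == expected["key_tag"]
            and ds["algorithm"] == expected["algorithm"]
            and ds["digest"] == expected["digest"])


# Constructed sample (not a real key): flags 257 = ZONE|SEP, i.e. a KSK, algorithm 13,
# public key bytes 01 02 03 04.  By hand, the key tag over 01 01 03 0D 01 02 03 04 is 2068.
SAMPLE_KSK = "ofcourseimright.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="

if __name__ == "__main__":
    ds = make_ds(SAMPLE_KSK)
    print(ds)
    print("DS matches DNSKEY:", ds_matches(ds, SAMPLE_KSK))
```

In practice you would feed make_ds() the KSK DNSKEY from your signed zone and run ds_matches() against what the parent actually returns (e.g. the answer to a DS query for your domain) once the registrar says the record is live; anything other than True means the chain of trust from the parent to your zone is broken.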

Steps one through four are generally pretty easy when viewed in a single instance.  The oldest and most widely used name server package, BIND, provides the tools to do this, although the instructions are not what I would consider to be straightforward.

Step five, however, is quite the pain.  To start with, you must find a registrar who will take your DS record.  There are very few that allow this at all.  For “.com” I have found only two.  Furthermore, the means of accepting those records is far from standardized.  For instance, at least one registrar insists that DS records be stored in the child zone.  They are only listed in the parent zone once you’ve used the web interface and selected one of those that can be found.  Another registrar requires that you enter the DS record information in a web interface.  It turns out this isn’t perfect either.  For one thing, it’s error prone, particularly as it relates to the validity duration of a signature.

This brings us to the real problem with DNSSEC: the signatures made with ZSKs and KSKs carry expiration dates, and the keys themselves are expected to be rolled on a schedule.  This is based on the well-established security notion that with enough computation power, any key can be broken in some period of time, so the exposure of any one key should be bounded.  But this also means that one has to not only repeat steps one through five periodically, but one must do so in such a way that observes the underlying caching semantics of the domain name system: a new key must be published and have propagated through resolver caches (the DNSKEY TTL) before anything is signed with it, and an old key must stay published until every signature made with it has expired from caches.  And this is where mere mortals have run away.  I know.  I ran away some time ago.

A tool to manage keying (and rekeying)

But now I’m trying again, thanks to several key developments, the first of which is a new tool called OpenDNSSEC.  OpenDNSSEC takes as input a zone file, writes as output the signed zone, and will rotate keys on a configured schedule. The tool can also generate output that can be fed to other tools to update parent zones, such as “.com”, and it can manage multiple domains.  I manage about six of them myself.

The tool is not entirely “fire and forget”.  To start with, the tool has a substantial number of dependencies, none of which I would call showstoppers, but do take some effort by someone who knows something about installing UNIX software.  For another, as I mentioned, some registrars require that DS records be in the child zone, and OpenDNSSEC doesn’t do this.  That’s a particular pain in the butt because it means you must globally configure the system to not increment the serial number in the SOA record for a zone, then append the DS records to the zone, and then reconfigure OpenDNSSEC to then increment the serial number again.  All of this is possible, but annoying.  Two good solutions to this would be to either modify OpenDNSSEC or change registrars.  The latter is only an option for certain top level domains.

Choosing a Registrar

To make OpenDNSSEC most useful one needs to choose a registrar that allows you to import DS records and also has a programmatic interface, so that OpenDNSSEC can call out to it when doing KSK rotations.  In my investigations, I found such an organization in GKG.NET.  These fine people provide a RESTful interface to manage DS records, that includes adding, deleting, listing, and retrieving key information.  It’s really just what the doctor ordered.  There are other registrars that have various forms of programmatic interfaces, but not so much for the US three-letter TLDs.

The glue

Now this just leaves the glue between OpenDNSSEC and GKG.NET.  What is needed: a library to parse JSON, another to manage HTTP requests, and a whole lot of error handling.  These requirements aren’t that significant, and so one can pick one’s language.  Mine was Perl, and it’s taken about 236 lines (that’s probably 300 in PHP, 400 in Java, and 1,800 in C).

So what to do?

If you want to secure your domain name and you don’t mind your registrar holding onto your keys and managing your domain, then just let them do it.  It is by far the easiest approach.  But tools like OpenDNSSEC and registrars like GKG are definitely improving the situation for those who want to hold the keys themselves.  One lingering concern I have about all of this is all the moving parts.  Security isn’t simply about cryptographic assurance.  It’s also about how many things can go wrong, and how many points of attack there are.  All of this proves that while DNSSEC itself can in theory make names secure, in practice, even though the system has been around for a good few years, the dizzying amount of technical knowledge needed to keep the system functional is a substantial barrier.  And there will assuredly be bugs found in just about all the software I mentioned, including Perl, Ruby, SQLite, LDNS, libxml2, and of course the code I wrote.  This level of complexity is something that should be further considered, if we really want people to secure their name to address bindings.

Access to WCIT available to ALL

As I wrote earlier, WCIT is now taking place in Dubai.  This conference could impact your ability to use the Internet, either by stifling growth due to encoded business models, or by mandating specific standards, rather than allowing creativity to flow.  We have the opportunity to listen to parts of this conference, specifically plenary and whole committee meetings.  After a tremendous amount of pressure, the participants of that conference have allowed open access to the streaming.  You can access the streams at the ITU web site.  To be sure, it’s a fairly technical conference.  If you listen in and have questions, you can join an XMPP chatroom.  If I’m around I will answer your questions.  You can also post them here, although in either case I may not have the answer.

Why is Hamas Attacking Now? It’s All About One Man

Egyptian President Morsi is the one man that Hamas is looking toward to start a war with Israel, and that is why there are rockets flying back and forth.

Map of IsraelWhile there has been very little news of formal progress between the Israelis and the Palestinians, until this week there had been modest informal improvements day to day in the West Bank, at least.  Why now, then, did Hamas decide to escalate in southern Israel?  The answer can be found in the protests occurring in Egypt, and the new government of President Mohamed Morsi, who is aligned through the Muslim Brotherhood with Hamas.

President Mohamed MorsiBy escalating the violence, Hamas hopes to elicit a reaction from Israel that would stoke people in Egypt to press Mr. Morsi to abrogate Egypt’s treaty with Israel.  Mr. Morsi previously signaled that the treaty is not inviolate, by stating that the Camp David Accords had envisioned a permanent solution long ago.

Prime Minister Benjamin NetanyahuThis fits a pattern that the Palestinians have been attempting for the last year: rather than come back to the table, they would prefer to see international pressure exerted on Israel, and the more the better.  Firing rockets toward Jerusalem has therefore pushed the government of Prime Minister Benjamin Netanyahu into a corner: the Israeli response against such attacks has always been robust, if not aggressive.  If the rocket attacks into Gaza that demonstrate this point have caused as many Egyptians to protest, imagine what the result of a ground offensive would be.

Palestinian Authority President Mahmoud AbbasIn the meantime, Palestinian Authority President Mahmoud Abbas has had to cut short his world tour, where he has pushed countries to elevate the status of Palestine to observer state.  This has many implications in both political terms and international legal terms, and would represent an attempt at an end run around a bilateral solution.  It would provide Palestinians legal claims to sovereignty of their territory.  Those claims would do the Palestinians little good in the short term, as Israeli tanks roll across Gaza, and all for the veiled hope that they will somehow come out better (and Israelis worse) thanks to Egypt coming into a war on their side, perhaps bringing others with them.

It all hinges on how President Morsi responds to this crisis, and there is reason to be concerned that he will not respond well.  Either the Palestinians have grossly misread his support, or he has failed to communicate his position clearly to them, or he is willing to go to war for them in the right conditions.  The first two possibilities would seem naïve.  If Israel is perceived by enough people to have not responded proportionally, the matter will escalate beyond its borders.  This is what Hamas is hoping for.  It is a very high stakes game, that involves live ammo and the deaths of both Palestinians and Israelis.  Americans who think this won’t involve our military are being equally naïve.

Benjamin Netanyahu now joins the ranks of prime ministers of Israel who have advocated strength and ended up seeing Israelis attacked.  Good one, Bibi.