On Bias and Security

Two talks, two important messages

Posted by Katie McLaughlin on December 14, 2015

There were two standout talks from YOW! Sydney 2015.

Sometimes the Questions are Complicated, but the Answers are Simple – Indu Alagarsamy

Indu is an amazing speaker, who has had to ensure so much to get where she’s gotten to in the industry as a single mother from India, and yet she’s done it, and it’s brilliant she was able to share her story.

She spoke of bias in the tech industry, about how women are seen as second-class citizens, and how we all need to address how our backgrounds may subtly change our thinking towards biased results.

She phrased some of the issues so brilliantly, I’m just going to reference her words directly, with my own thoughts as commentary:

The Google Images results for CEO, Programmer, and Receptionist how just how biased we are towards these roles. [t]

This was something I hadn’t considered before, and although most of the top results appeared to be stock imagary, that’s just part of the problem - even in generic marketing, male dominated roles are seen to be more important, and important roles are seen to be more male dominated.

When a woman is pregnant, she’s seen as a resource problem. [t]

Indu described how she told her boss she was expecting, and she was immediately taken off an important task she was on. “I’m not having a baby tomorrow!”, she retorted. Yes, women sometimes have other things that take them away from the workforce (you know, creating new humans), but they can still be productive members of the team until they are at a point where they feel they need to take care of themselves. For some this might be days, weeks or months before the birth; but until they take their leave, they should not be seen as defective resources.

When someone says “hey you sound emotional/angry”, that makes me angry! You discredit my contributions. [t]

This. This so many times. Human communication comes with many different layers in the delivery - body language, tone, and inflection aside, the actual information being conveyed is the most important. I cannot count the amount of times the information I’ve been trying to convey has been taken, disassembled, and reflected back at me as “Oh, you sound upset”. I’m not going to pander or sugar coat my words if I’m trying to have a technical discussion with a peer. If you’re going to make point of the packaging and not the content I’m trying to convey to you, you’re going to make me frustrated.

Indu states herself that she took the Implicit Association test, and it found that she was moderately gender biased, but she is working to fix that.

The crux of her talk is the benefits of diversity - a more diverse team will achieve better results.

She phrases this wonderfully by looking at the logic of things.

Having a team full of people with similar backgrounds means you have a limited shared history to draw from [t]

If you have a group of people all from the same background – same education, culture, region, whatever – they are probably going to have gone through similar experiences. By incorporating team members from a more diverse section of society, you are going to implicitly achieve a greater cross-section of background, and thus achieve a greater shared history to draw experience on to solve problems.

In a closed system, three programmers who were taught imperative programming may have more trouble understanding functional or object orientating structures than if one of their team was taught one of these paradigms. This is a simplistic example – there are many factors where someone might understand these concepts, through deduction, past hobbies, whatnot – but having multiple people with the same basic footprint is going to limit the ability to draw from a complex knowledge base.

Creating diverse teams breaks bias and brings new perspectives [t]

Indu also recommends Conflict Management training. This phrase in itself might seem jarring, but when you understand that this sort of training can help people understand the logic processing of others, and establish guidelines on how to deal with such issues, it makes sense. If you’re not used to dealing with the input from others who might not have had the same background as you, it might be hard to process their message. It could be as simple as understanding that some cultures may not be as sarcastic as others, or that the flow of logic to get to a conclusion went through different thought centers that you weren’t used to.

Overall this talk was important and brilliant, but was presented to a depressingly empty room. I understand Indu was asked to present this talk at FP Syd so that people not going to YOW! were able to hear her message. I hope that a recording from either this event or YOW! itself is something that you watch. My soundbites and opinions are nothing on the complete message.

Making Hacking Child’s Play – Troy Hunt

The other standout talk from the event was Troy Hunt. I’ve not seen him perform before, so I was a bit excited to see him speak.

His talk was a buffet of different aspects of security and privacy that may have overwhelmed some of the audience, so I’m taking the time to describe each of what I was able to catch.

Establishing account existance and Timing Attacks

Troy draws a few examples of this from the Ashley Madison data breach. As the operator of Have I Been Pwned?, he’s been involved in assessing the leaked data from these kind of breaches. Ashley Madison is one that he’s specifically not added to the searchable archives of HIBP, specifically because of the sensitivity of the data. Disclosing if an email account has been associated with a dating website can be extremely disruptive, so when he shared just how many .gov addresses were in the dump.. it was concerning.

There are a number of ways that website inadvertently disclose if accounts exist in their system:

  • Explicitly saying “This email address does not exist”, or “There is no account associated with this email”
  • Having the same “If this address exists, an email will be sent” with visual differences in the CSS/text (as was the case in Ashley Madison)
  • A different time taken for responding to requests for reset of existing and not-existing accounts.

Troy explained that in the case he investigated, the timing attack was able to determine if accounts did/didn’t exist by way of seeing the time taken to check the hash associated with the account when attempting to login. Accounts that didn’t exist didn’t return records from the database, and thus didn’t have to take time processing the hash check on the password given, since it had failed out early.

Content Security Policy

A newer feature of modern web browsers, this is a flag that tells browsers to not load scripts or stylesheets from places that are untrusted. In Troy’s example, he loaded an arbitrary script into a page via the console which then called external resources to play the Harlem Shake and bounce around divs in time with the music.

The demonstration on his own site showed that he had explicitly disallowed external scripts to be run, and thus no shaking happened.

DDoS Made Easy

A Distributed Denial of Service attack can saturate an unprotected website in seconds and make it inaccessible for legitimate users. There are a number of tools out there that make it extremely easy for anyone, including children, to establish a DoS attack themselves. Rope in a few mates with the same tool and it becomes distributed.

Instead of demonstrating this himself, Troy called a member of the audience up to use the Low Orbit Ion Cannon (LOIC), a common tool used by ‘script-kiddies’ and other agents to enact attacks on systems. Troy specifically walked the audience member through DoSing her least favourite football team, without him touching the keyboard (and stating this for the recording that he was not in control of the machine).

The LOIC requires only a domain name, which is automatically resolved via hostname lookup, and even without any customisation of options, the ‘lasers’ can be ‘fired’.

Super Computer Hash Cracking

There are many cryptographic functions, and only some are deemed secure enough for general use. Add salting - the addition of a secret key to the text to be hashed - and it’s sufficiently difficult to reverse engineer a password.

md5 is not one of these cryptographic functions.

Troy demonstrated by way of the Stratfor leak, which used md5 hashing with no salt, that taking one of the hashes and throwing it into Google returned the original string in the search results. This is because the md5 hashes have already been calculated for an enormous number of values, and the power of Google makes these unique strings readily searchable.

What was more worrying is that the password checked from the leaked data resolved to be the password ‘stratfor’. And that there were 12,000+ other accounts that were also using this password. Security!

Impersonation of WiFi hotspots

Probably one of the most impressive tricks on display was the use of the Pineapple. PineAP is a device that is able to impersonate WiFi hotspots.

As Troy explained it, mobile devices with WiFi on send out probes for networks that it has been configured to automatically connect to. This is why if you leave your WiFi on you automatically connect at home and the office.

What the Pineapple does is listen for these probes, then starts impersonating that hotspot. “Oh, you’re looking for Starbucks WiFi? That’s me! Hello!”. It may then route your packets for you, but it has successfully placed itself in the middle of your connection in a classic Man in the Middle attack.

What’s worrying is that 20+ devices automatically connected to the Pineapple, as it impersonated such hotspots as Starbucks and Sydney Airport.

What’s more worrying is that on iOS, if you have remembered a password-free WiFi (normally a free hotspot like McDonalds), there is no way to remove that listing unless you are currently connected to that network. That means going to the Airport to disconnect. There are other ways, but they involve forgetting all networks, or a factory reset of your phone.[0]

Sub Resource Integrity

Back to the Content Security Policy, I asked Troy after his talk about his use of CloudFlare to be the host of his jQuery and Bootstrap assets. Unless the host of your external resources can be trusted, there’s a chance that the minified jQuery could contain something you didn’t expect. How often do you validate that the minified version of your scripts are accurate, and that the source of the minification doesn’t contain anything weird.

Troy explains there are trade-offs. Using a Content Delivery Network (CDN) for common libraries means that there’s added speed benefits to the site: it might already be cached client side; it’s one less thing your server doesn’t have to serve out; etc.

However, if you are concerned, you can use Sub Resource Integrity (SRI) to associate a file with an expected checksum. That way you can know that the file is what you expect to be served without serving it yourself.

My entire tweet stream from #yow15

[0] Some replies to my tweet about this did get replies stating it was possible to remove single remembered networks by introspection of the record on the filesystem. However, for the standard iPhone user, this is not easily done, and thus I’m not counting it as a solution.