Key Escrow that Might Work

12. December, 2018

Instead of encrypting everything with a single government key, several government agencies need to provide new public keys every day. The private key must be under the control of a court. Each secure encryption channel needs to subscribe to one or more of those agencies. The court must delete those keys after six months.

Advantages:

  • No attacker will be able to monitor any channel of communication for a long period of time.
  • Generating and sharing new keys can be automated easily.
  • A single stolen key will just compromise a small fraction of the whole communication.
  • Judges will decide in court which messages can be deciphered during the storage period.
  • It’s still possible to decipher all messages of a person if there is a lawful need.
  • If a key is lost by accident, the damage is small.
  • No one can secretly decode messages.
  • The system can be adapted as attackers find ways to game it.

Disadvantages

  • More complex than a single key or single source for all keys. It will break more often.
  • Pretty expensive.
  • Judges need to be trained to understand what those keys mean.
  • Keys will be in more hands, creating more points of attack.

Always remember that in a democracy, the law isn’t about justice but balancing demands. There are people afraid that embarrassing details of their private communicate will be exposed as well as people trying to cover the tracks of a crime.

Right now, there is no better way to determine which communication needs to be cracked open than a normal court case.

Reasoning:

If we used one or a few keys to encrypt everything (just because it’s easier), that would put a huge attraction on this data. Criminals will go to great lengths to steal those. If there are many keys, each one of them becomes less important. The amount of damage each key can cause must be smaller in this case. It would also mean they would have to steal many keys which would raise chances to get caught.

I was wondering if one key per month would be enough but there is really no technical reason to create so few. We have the infrastructure to create one every few seconds but that might be overkill. Once per day or maybe once per hour feels like a sweet spot. Note: When the technical framework has been set up, it should be easy to configure it to a different interval.

If we spread the keys over several organizations, an attack on one of them doesn’t compromise everyone. Also, software developers and users can move around, making it harder for unlawful espionage to track them.

Police officers and secret services should not be left alone with the decision what they can watch. Individuals make mistakes. That’s one reason why you talk to a friend when you make important decisions. Therefore, the keys should be in the hands of the law.

The law isn’t perfect. My thoughts are that we would use the perfect system if it existed. Since we’re using the law, the perfect solution probably doesn’t exist or it doesn’t exist, yet. In either case, using court rulings is the best solution we have right now to balance conflicting demands. The keys could be confiscated when the case is started and destroyed when the case is closed to avoid losing access halfway through the proceedings.

Mistakes will happen. Systems will break, keys will be lost, important messages will become indecipherable, criminals will attack the system, idiots will put keys on public network drives. Is there a way that this can be avoided? I doubt it. Therefore, I try to design a system which shows a certain resilience against problems to contain the damage.

For example, a chat app can request keys from its source. If that fails, it has options:

  1. Use a previous key
  2. Log an error in another system which monitors health of the key sources
  3. Automatically ask a different source
  4. Tell the user about it and refuse to work
  5. Let the user chose a different source

Leave a Comment » | Philosophy, Software | Tagged: , , , | Permalink
Posted by digulla

Avoid Publishing SNAPSHOTs to Nexus

3. July, 2018

Once in a while I’m running into people who deploy SNAPSHOT versions of Maven dependencies to a company-wide Nexus server with a job on a CI server. This is usually a very bad idea, especially when using branches.

Scenario: Two developers, John and Mary, each working in their own branch. They push their branches, CI builds them and they end up on Nexus.

Problem: Nexus doesn’t know or care about branches. Whichever job finishes last wins.

Often, this is not a problem. Now let’s add another project B. B depends on A.

As long as B depends on a release of A, everything is fine.

Now, John needs to make some changes in A. So he updates the dependency in B to A-x.y.z-SNAPSHOT. Everything is still fine, since Mary still uses the latest release of A.

Then Mary also creates a feature branch in her clone of A. That still doesn’t break anything because Maven caches SNAPSHOTs for a day.

The next morning, John makes a change to B and builds it.

This build might break when Mary’s CI job finished last!

The problem here, which can go unnoticed for years, is that Maven silently downloaded Mary’s version of A onto John’s computer and used that to compile. John will see the source code from his branch of A but the binaries will be something else.

Eventually, one of them will make a small changes which affects the others project. They will see MethodNotFoundException or get strange compile errors while the source code (which isn’t affected by this) will look perfectly fine or unit tests will break in odd ways.

That is the main reason why you shouldn’t deploy SNAPSHOT branches to a shared Maven repository: It creates a small chance for subtle bugs which will take a long time to find since your mental model (“I see the source, this is what I get”) will be wrong.

You can get away with publishing the master branch to Nexus (i.e. only a single branch with SNAPSHOTs will ever be published to Nexus).

Note: If your CI server shares local Maven repositories between projects, your builds can fail on the CI server for the same reason. Configure your CI server for per-project local repositories and wipe them before the build to avoid such issues for sure.

Leave a Comment » | Software | Tagged: , , , , , | Permalink
Posted by digulla

Binding one Instance to Two Interfaces in Guice

15. June, 2018

Sometimes, you need to bind one instance to two interfaces in Guice, for example:

interface Foo { ... }

interface Bar extends Foo { ... }

class FooBarImpl implements Bar { ... }

Let’s imaging FooBarImpl is a stateful bean which is saved in a session scope:

bind(Bar.class)
    .to(FooBarImpl.class)
    .in(Session.class);

This works when someone injects Bar but injecting Foo fails. There are two solutions for this: Bind Foo to Bar or use a provider method to transform the type.

Solution 1: Binding Interfaces

bind(Foo.class)
    .to(Bar.class);

This will use the mapping for Bar to satisfy requests for Foo.

Solution 2: Provider Method

Provider methods are a nice way to build complex objects from bound instances. In our case, we can map the types like so:

@Provides
@Session
public Foo fooProvider(Bar impl) {
    return impl;
}

Note: These approaches will put two keys into your scope but they will point to the same instance.

Leave a Comment » | Software | Tagged: , | Permalink
Posted by digulla

Stop on specific NullPointerException in Eclipse

20. December, 2017

TL;DR: Find the line where the exception occurs and then add a conditional breakpoint which checks the local variables for values that would trigger the exception.

In Eclipse, you can stop on any exception by using the menu Run -> “Add Java Exception Breakpoint…“.

That’s great but it doesn’t help when you want to stop on a certain exception on a certain line. It’s a big problem with code that uses exceptions for control flow – you could have thousands of those exceptions before you get to the one which you care about.

In my case, I had a NullPointerException in java.util.concurrent.ConcurrentHashMap:

    public V get(Object key) {
        Node<K,V>[] tab; Node<K,V> e, p; int n, eh; K ek;
        int h = spread(key.hashCode()); <-------- key is null
        ...

I tried to add a conditional breakpoint here with the condition key == null but Eclipse complained that it couldn’t compile the expression (probably missing debug information).

The method was called from Jetty’s ClassInheritanceHandler, so I added a conditional breakpoint there.

That’s another reason to copy method results into local variables before using them.

Leave a Comment » | Software | Tagged: , , | Permalink
Posted by digulla

Code Formatting by Example

15. December, 2017

People are starting to use Machine Learning to write better code.

One example is code formatting. Instead of painstakingly writing a parser and then rules which are to be applied to each node of the Abstract Syntax Tree (AST), the guys from Codebuff are using the “learn by example approach”. Just feed Codebuff with a couple of examples and it will learn to apply those implied rules to source code.

If you find something that looks bad, you don’t have to dig through dozens of pages of code formatter options or code formatter config files, just add more examples.

If you’re using Xtext, you can use the tool to write code formatters for you DSL: “Machine Learning Formatting with Xtext

Leave a Comment » | Software | Tagged: , , | Permalink
Posted by digulla

Why Apple Sucks

10. November, 2017

People often ask my why I hate Apple products. My answer: “I’m not compatible.”

I was always looking for a good example what I mean. In my hands, Apple products crash, show weird behavior or important features are utterly broken.

Case in point: Apple has released an “everyone can write an App” course on iTunes. Here is what I did:

  1. I clicked the link
  2. itunes.apple.com opened in my web browser
  3. A few seconds, nothing happened
  4. Then I got a message box: “Do you want to open this link in iTunes?”
  5. Uhh… yes?
  6. iTunes opened. Showing my music library. Where is the product that you were supposed to open? Thanks for wasting 10 seconds of my life.
  7. Clicked the link again.
  8. Clicked “yes” again
  9. Now iTunes shows a page with “Swift Playgrounds”. Probably what I wanted to see, I’m not sure anymore.
  10. I click on the product.
  11. iTunes opens a web page in my browser. WTF???? What’s the point of having iTunes when it can’t even download something!?
  12. The web page says “Please install iTunes.”
  13. I give up.

That’s one example in which Apple products waste my time. It’s almost always like that.

Apple, I hate you.

Leave a Comment » | Philosophy, Software | Tagged: , , | Permalink
Posted by digulla

Artificial Ethics

24. October, 2017

While watching this video, I wondered: We’re using machine learning to earn money on the stock market and to make computers understand speech. Why not ethics?

Around @26:00 , Isaac talks about ways to develop AIs to control androids. He would like to use the safe approach of manual programming all the specific details to create an AI.

The “manual programming” path has been tried since 1960 and it’s now deemed a failure. The task is simply too complex. It’s like manually writing down all possible chess positions: Even if you tried, you’d run out of time. Machine learning is the way to go.

Which means we have to solve a “simple” problem: Encode the rules of ethics. That is, a machine learning algorithm must check itself (or be checked by another algorithm) against a basic set of ethical rules to determine whether “a solution” to “a problem” is “ethical” (quotes mean: “We still have to figure out exactly what that means and how to put it into code”).

Just like intelligence, ethics is somewhat of a soft and moving target. Fortunately, we have a huge body of texts (religious, laws, philosophy, polls) which a machine learning algorithm could be trained on. To test this machine, we could present it with artificial and real life incidents and see how it rules. Note: The output of this algorithm would be a number between 0 (very unethical) and 1 (very ethical). It would not spit out solutions on how to solve an ethical dilemma. It could just judge an existing solution.

It’s important that the output (judgement) is checked and the result (how good the output was) is fed back into the algorithm so it can tune itself. Both output and feedback needs to be checked for the usual problems (racism, prejudice, etc.).

Based on that, another machine learning algorithm (MLA) could then try many different solutions, present those to the ethics one, and pick the best ones. At the beginning, humans would supervise this process as well (feedback as above). Eventually, the MLA would figure out the hidden rules of good solutions.

That would eventually lead to ethical machines. Which would cause new problems: There will eventually be a machine, very impartial, that “is” more ethical than almost all humans. Whatever “is” might mean, then.

Related articles:

Leave a Comment » | Comment, Philosophy, Software | Tagged: , , , , | Permalink
Posted by digulla

Your Phone Should be Your Butler

18. October, 2017

A lot of people share private details with the world without being aware of it. For example, they take nude pictures with their phones (NSA keeps a copy, just in case) or they sell the phone without wiping it properly, allowing the next owner to get a good idea who you are, or they install apps like the one from Facebook which ask “can I do whatever I want with anything I find on your phone?” and people happily click the “Yeah, whatever” button (a.k.a “Accept”).

When people use modern technology, they have a mental model. That model tells them what to expect when they do something (“press here and the screen will turn on”). It also contains other expectations that are rooted in social behavior. Like “I take good care of my phone and it will take good care of me (and my data)”.

That, when you think about it, is nonsense.

A phone is not a butler. In essence, a phone is a personal data collecting device with additional communication capabilities. But the main goal is to learn about you and then manipulate you to buy stuff. It’s about money. Companies want it, you have it, they want you to give it to them. Anything else only exists to facilitate this process. If pain would increase revenue, we’d be living in hell.

Case in point: Speech based input. When you click on a page, that doesn’t tell much about you. When you use your finger, the phone can at least feel when you’re trembling. Are you angry or enthusiastic? We’re getting there. But your voice is rich with detail about your emotional state. More data to milk to make you perfect offers which you simply don’t want to refuse.

A butler, on the other hand, has your interests in mind. They keep private information private instead of selling it to the highest bidder. They look out for you.

The source of the difference? You pay a butler. (S)he is literally working for you. On the phone, a lot of people expect the same service to happen magically and for free. Wrong planet, pals.

Wouldn’t it be great if phones were like butlers? Trustworthy, discreet and helpful instead of just trying to be helpful?

I hope we’ll see more technology like the app Nude (which hides sensitive photos on your phone).

Related:

Leave a Comment » | Philosophy, Software | Tagged: , , , , | Permalink
Posted by digulla

Spreading Bad Software is Immoral

29. September, 2017

From Fefe’s Internet Security Days keynote:

Schlechte Software zu verbreiten ist unmoralisch.

Translation: Spreading sloppy software is immoral. It’s like producing waste and dumping it into a river. Properly handling would be expensive, illegal dumping saves money and turns it into a SEP.

Writing sloppy software is similar. Instead of investing time into doing it right, you try to externalize costs: The client will somehow (have to) deal with it. They either have to pay you to make it better the second time or they have to spend time and nerves every day to work around shortcomings.

When we see someone dump toxic waste in a forest, most people are outraged. The same people, when they are managers of a software company, sign contracts that define the delivery date of something before knowing the requirements. Software developers, desperately trying to feel and look competent, shout “Done!” only to collapse into a morose heap of self-pity after a minimum of poking what this “done” really means.

Fefe is arguing that doing it right is as expensive as doing it sloppily. I have the same hunch. I’ve seen numbers on the  Standish Group Chaos Report (alt: Wikipedia, German) which gives a good indication how much failing projects cost: Around 20% are a total waste of money since they are eventually killed, 52% cost twice as much, only 30% make it in time, in budget and with the promised feature set (note: I bet at least half of those 30% made it because the feature set was reduced/readjusted during the project).

If you assume that in 2014, $250 billion was spent on software development in the US, that means cost of $50 billion on failed projects alone. That is our money. Your’s and mine. Companies don’t magically get money, they sell products and each wasted project eventually means additional figures on some price tag in a shop.

Then we have $125 billion which should have been $62 billion but another $62 billion was necessary to make it to the finishing line. It’s a harder to tell how much of that is wasted. You can’t count projects that were simply underestimated or feature creep – additional features cost additional money, so it’s out of budget but not wasted. Let’s assume $10 billion (less than 10% waste overall) in this group.

In a perfect world, that would mean we could spend 24% ($60 billion out of $250) more on software quality without any additional cost.

Related articles:

Leave a Comment » | Philosophy, Software | Tagged: , | Permalink
Posted by digulla

Wrong colors in Windows Photo Viewer / Falsche Farben in Windows-Fotoanzeige

18. September, 2017

When colors in the Windows Photo Viewer (Win 8 to 10) look oddly wrong, it’s probably because of something called “color profile“.

Solution:

  1. Open “System Control” (Systemsteuerung)
  2. “Color Management” Farbverwaltung
  3. Select your monitor
  4. Check “Use my settings for this device” (“Eigene Einstellungen für das Gerät verwenden”) (otherwise, you can’t click anything at the bottom)
  5. Hinzufügen
  6. Select “sRGB IEC61966-2.1”
  7. Click “Set as Default Profile” (“Als Standardprofil festlegen”)
  8. Repeat for each monitor
  9. Restart Photo Viewer (Fotoanzeige)

Leave a Comment » | Software | Tagged: , , | Permalink
Posted by digulla

« Previous Entries
Next Entries »