What if S.P.E.C.T.R.E. had Spectre?

Ruh roh, as they say. Google has just published a paper outlining a serious security flaw in, to all intents and purposes, all computers. They knew about it months ago, but they’ve been waiting for Apple, Microsoft and everyone else to issue patches (which, apparently, mean an unavoidable reduction in processing speeds) before making it public. The paper sets out two “exploits” that take advantage of the flaw. These are called “Meltdown” and “Spectre”. They basically allow software to read data from other software that it’s not supposed to be able to, so that one application (let’s say, the hacker) can read data from another application (let’s say, your browser) to steal secrets.

Spectre Graphic with Text      Meltdown Graphic with Text

As you can imagine, there was a great deal of media coverage about this flaw (as there should have been – it’s a huge deal). I happened to see an comment about it on Twitter, in which someone said words to the effect of “thank goodness it was found by don’t-be-evil Google and not by the bad guys”. This is a very misplaced sentiment. In the paper, the researchers clearly state that they do not know whether these exploits have been used in real attacks. Apart from anything else, Google says that the “exploitation does not leave any traces in traditional log files”.

So what if S.P.E.C.T.R.E. actually knew about Meltdown months ago and had Spectre in the Spring? How would we know? If they are really smart, then they’ll carry on stealing our secrets but cover their tracks so that we don’t know that they know. If you see what I mean.

It might be timely to remember the story of the Zimmerman telegram, a story that is mother’s milk to security experts.

You may recall that in 1917, Britain and Germany were at war. Britain wanted the U.S. to join the effort against the Axis of Edwardian Evil. The Kaiser’s ministers came up with some interesting plans: to persuade inhabitants fo the British (and French) colonies in the Middle East to launch a jihad, for example. Another scheme was to persuade Mexico to enter the war on the German side, thus dividing the potential U.S. war effort and eventually conquering it.

(At this point I thoroughly recommend historian Barbara Tuchman’s 1966 account of the affair, “The Zimmermann Telegram”.) 

To execute this dastardly plot, the German Foreign Secretary, Arthur Zimmermann, sent a telegram to the German ambassador in Mexico, Heinrich von Eckardt. The telegram instructed the ambassador to approach the Mexican government with a proposal to form a military alliance against the United States. It promised Mexico the land acquired and paid for by the United States after the U.S.-Mexican War if they were to help Germany win the war. The German ambassador relayed the message but the Mexican president declined the offer.

Naturally, so sensitive a topic demanded an encrypted epistle and it was duly dispatched encoded using the German top secret “0075″ code. And here it is…

The Zimmermann Telegram

As it happens, “0075” was a code that the British had already cracked. Thus, the telegram was intercepted and decrypted enough to get the gist of it to the British Naval Intelligence unit, Room 40. In next to no time, the decoded dynamite was on the desk of the Foreign Secretary Arthur Balfour, the teutonic perfidy laid bare.

Now the British were faced with the same dilemma that faces S.P.E.C.T.R.E. with Spectre. How can you use intercepted information without revealing that there is a security flaw and that you have exploited it? Consider the options:

  • If the British had complained to the Germans, then the Germans would know that the British had the key to their code and they would switch to another code that the British might not be able to break for months, missing much vital military intelligence along the way. What’s more, the Americans would know that the British were tapping diplomatic traffic into the U.S.

  • If they did not reveal the contents, they might miss a the chance to bring the U.S. into the war.

The codebreaker’s clever solution was to leak the information in such a way as to make it look as if the leak had come from the Mexican telegraph company: since the German relay from Washington to Mexico used a different code, that the Americans already knew to be broken, this was entirely plausible.

If you’re wondering what happened, well despite strong anti-German (and anti-Mexican) feelings in the U.S., the telegram was believed to be a British forgery designed to bring America into the war, a theory bolstered by German and Mexican diplomats as well as the Hearst press empire. However, on March 29th, Zimmermann gave a speech confirming the text of the telegram. On April 2nd, President Wilson asked Congress to declare war on Germany, and on April 6th they complied.

The point of this story is that stupid hackers would reveal their hand, but clever hackers would not. So the fact that, according to BBC Radio 4’s “Today” programme, the UK’s National Cybersecurity Centre says there is no evidence that the flaws have been exploited, that does not reassure me! These bugs are big.

“The Meltdown fix may reduce the performance of Intel chips by as little as 5 percent or as much as 30 — but there will be some hit. Whatever it is, it’s better than the alternative. Spectre, on the other hand, is not likely to be fully fixed any time soon.”

From “Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device? | TechCrunch”.


Maybe the way forward is to assume that all machines are compromised and not fix them but instead move the security away from the processors – so going back to the idea of having a Trusted Processing Module (TPM) in every transaction, either built in to the processors (like the “Secure Enclave” in iPhones) or as a separate chip in a PC or as a smart card that is connected to the computer when you want to do something. In this, as in so many other things, Brittany Spears is a beacon to the nations. Eleven years ago I used my Britney Spears smart card (which I still have) to log on to her fan club web site securely. You can read about it here

They are where the money isn’t

When most of us think about bank robbery, we think about people inventing complex derivates and amassing fortunes while the institutions that house them amass fine, bankruptcies and bailouts. But it turns out that your grandparent’s bank robberies are coming back into fashion. American Banker says that violent bank crime has become increasingly less common in the past decade, but that the rate of robberies has ticked back up in recent years.

At first I thought this might be a hipster revolt, like with vinyl records, but that doesn’t seem to be the case. So I’ve no idea. I don’t understand bank robbery. I remember getting into an interesting discussion about bank robbery at a lunch a while back. We were talking about risk and risk analysis. I was trying to make some points about why proper risk analysis like this is a more cost-effective way to proceed than (for example) panicking about newspaper stories on hacking, and that led to a train of thought around cost-benefit analysis for the robber, not the bank. Are robbers put off by thick doors and barred windows and such like? Are robbers deterred by visible, physical symbols of security? Come to that, should be bother with physical security at all in banks?

This is a fair point. So it set me thinking: if you are an amoral sociopath desperate to amass as much money as possible, are you better off robbing a bank or working for it? As a responsible father, I want to help my sons chart the best course for life. Right now, they are at University studying socially useful subjects in science and engineering. Having myself studied science only to become trapped in mortgage serfdom and forced to work until I drop, I am trying to persuade them to become Somali pirates or Wolves of Wall Street, without much success so far. So I understand that side of the equation, but am less certain of the other. Remember that old paper “The Decision-Making Practices of Armed Robbers” by Morrison and O’Donnell. It’s a study of armed robbery in London and one of my favourite papers. It is based on first-hand research (viz, the analysis of over 1,000 police reports and interviews with 88 incarcerated armed robbers).

While it’s about the UK rather than the US, I’m sure the thought processes of the perpetrators must have some similarities. Crucially, the paper notes that “almost all of these robbers evaluated the offence as having been financially worthwhile (aside from the fact that they were eventually caught and punished for their crime)”. So robbing a bank seems like good idea, if you exclude the possibility (in fact, the likelihood) of being caught. I suppose this is standard Jordan Belfort, Bernie Madoff thinking thought isn’t it? Unless people believe they will be caught (and these people don’t) then they only consider the upside.

(One of the interesting snippets it contains is that a great many of the armed robbers in the UK use imitation firearms even though they could have access to real ones. I imagine that in the US the use of imitations is vastly less prevalent, since it’s presumably harder to buy an imitation gun than a real one there.)

So, what to do? While glancing back over the paper I note that the authors say that it doesn’t seem practical to “expect financial institutions and commercial properties to reduce counter cash much more than they already have”. That may have been true when the paper was written a few years ago, but it clearly isn’t true now, since both bank branches and businesses in many countries are becoming cash free. And this is a good thing, because as we all know there is a direct and measurable relationship between the amount of cash out there (more on this later) and the amount of crime. As the paper says, “even when the amount of money obtained was quite small (an element often touted in support of the irrationality of economic criminals), it must be recognised that even apparently small sums may be adequate for the offender’s immediate needs. Hence, gains may be subjectively much larger than they appear”.

Bank robber or management consultant?


It’s a stick up

The rewards of armed robbery seem to me, then, as an educated middle-class professional, to be rather low. Yet they are still sufficient to attract the robbers, because their needs are immediate and limited. I want a holiday home in the South of France but the guy in the Nixon mask isn’t robbing a bank to pay his way through college or to obtain seed finance for a start up, he just needs to buy a car or some drugs or whatever. This paper seems, then, to indicate that so long as there is some cash in the till, there will be robberies. This is not an observation confined to banking. A study of the American Electronic Benefit Transfer (EBT) program found that “the EBT program had a negative and significant effect on the overall crime rate as well as burglary, assault, and larceny”.

What they are talking about here are US programmes where benefit recipients are paid electronically and given cards that they can use in shops instead of being given cash. The authors found a 10% drop in crime correlated with the switch to EBT. It seems pretty overwhelming evidence, and even more so if you read the paper, which notes no impact on crimes that do not involve the acquisition of cash. If we can to stop armed robberies, that would surely be an excellent social benefit to the move to cashlessness and would help us to explain the nature of appropriate regulation to legislators.

But back to the specific point about the relationship between bank cash and robberies. With the rewards from robbing banks and businesses falling  armed robbers, like everyone else, follow the money – literally – and so cash-in-transit (CIT) robberies are now the preferred option. We see the same in Europe where countries that have much higher usage of ATMs have much higher CIT robbery rates than countries that have lower ATM usage (see, for example, Sweden and Denmark).

Overall, then, we see another early indication of the emerging post-cash era: Spending on physical bank security is being reduced and spending on virtual bank security is being increased. We do, indeed, live in interesting times.