Security quotes of the week

This suggests a missing factor in machine-learning research: manners. We’ve evolved manners to signal to others that our intent is not hostile, and to negotiate the many little transactions that in a hostile environment might lead to a tussle for dominance. Yet these are hard for robots. Food-delivery robots can become unpopular for obstructing and harassing other pavement users; and one of the show-stoppers for automated driving is the difficulty that self-driving cars have in crossing traffic, or otherwise negotiating precedence with other road users. And even in the military, manners have a role – from the chivalry codes of medieval knights to the more modern protocols whereby warships and warplanes warn other craft before opening fire. If we let loose swarms of killer drones with no manners, conflict will be more likely.
Ross Anderson

Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the “aggressor”), bit flips were found only in the two adjacent rows (the “victims”). However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B. [...] This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.
Salman Qazi, Yoongu Kim, Nicolas Boichat, Eric Shiu & Mattias Nissler report on their discovery of Half-Double (Thanks to Paul Wise.)

When the floodgates open, democratic speech is in danger of drowning beneath a tide of fake letters and comments, tweets and Facebook posts. The danger isn’t just that fake support can be generated for unpopular positions, as happened with net neutrality. It is that public commentary will be completely discredited. This would be bad news for specialist AstroTurf companies, which would have no business model if there isn’t a public that they can pretend to be representing. But it would empower still further other kinds of lobbyists, who at least can prove that they are who they say they are.

We may have a brief window to shore up the flood walls. The most effective response would be to regulate what UCLA sociologist Edward Walker has described as the “grassroots for hire” industry. Organizations that deliberately fabricate citizen voices shouldn’t just be subject to civil fines, but to criminal penalties. Businesses that hire these organizations should be held liable for failures of oversight. [...]

Bruce Schneier and Henry Farrell

Rowha

Posted May 28, 2021 2:33 UTC (Fri) by calumapplepie (guest, #143655)

"Rowhammer is a DRAM vulnerability whereby repeated accesses to one address can tamper with the data stored at other addresses. Much like speculative execution vulnerabilities in CPUs, Rowhammer is a breach of the security guarantees made by the underlying hardware. As an electrical coupling phenomenon within the silicon itself, Rowhammer allows the potential bypass of hardware and software memory protection policies."

Rowhammer looks to be much less exploitable than the CPU bugs (since physical memory addresses are hidden behind the MMU, not all physical addresses are vulnerable, and we do all sorts of nonsense to hide what memory addresses we are using for sensitive data). That doesn't mean that it won't be a massive ongoing headache for the next decade.

Security quotes of the week

Posted Jun 7, 2021 15:55 UTC (Mon) by ratfactor (guest, #132367) (4 responses)

> "Organizations that deliberately fabricate citizen voices shouldn’t just be subject to civil fines, but to criminal penalties."

I stand in the "new laws should be a last resort and beware of unintended consequences" camp. But I gotta say, does anyone have a good argument for why falsifying the appearance of public opinion *should* be legal?

Security quotes of the week

Posted Jun 7, 2021 16:47 UTC (Mon) by mathstuf (subscriber, #69389) (3 responses)

In the US? Largely freedom of speech. In any case, public opinion is also very debatable and subject to interpretation. Did you interview the right people? Is there a "silent majority"? Were your questions biased?

I suspect that falsifying official records is the best way to attack this problem (thus shunting it into the "fraud" field). Attach reasonable fines per fraudulent comment and randomly audit submitted comments. Say 1% of all comments get investigated. Astroturf campaigns are almost certainly going to hit that trigger. One could make the random chance proportional to the similarity score of the comment to the rest of the submitted ones, but I think pure random would work better since there's no subverting it other than "get lucky". If you find fraudulent comments, investigate similar comments (either via content or metadata) to dig in and then go after them with normal governmental prosecution fervor.

But basically, there's no law against lying about whatever you want using whatever power you have to disseminate it. The closest things we have here are probably false advertising regulations which are…not widely enforced. The egregious ones do, but usually because they broke some other law (such as claiming FDA efficacy when none exists).

Security quotes of the week

Posted Jun 7, 2021 19:56 UTC (Mon) by farnz (subscriber, #17727)

The problem here, and one that I think could be addressed via fraud rules, is that the "astroturf" companies are flooding channels of communication with a large number of apparently real individuals to generate the illusion that many people are all on one side.

So it's not so much claiming to represent the "public opinion", it's creating a large fake public and saying "these X million people all fall on one side of the debate, ergo you should believe that this is the majority opinion". That's one thing when (e.g.) the US President stands up and says "I believe that the majority of the US population agrees with me" - he's one person invoking the spectre of "the majority" as support - but it's quite a different thing when there are X million apparently unique real people all stating the same viewpoint.

In certain contexts, we already treat this sort of misrepresentation as a big deal; I can cast my vote in a given election, and I can claim that everyone is voting the way I did, but I cannot add extra votes that match mine to the voting box.

Maybe we need to extend similar to other forms of communication than just voting - you're allowed to claim that the unique person who stands behind the account "farnz" represents the views of millions of people, but not allowed to create millions of accounts in order to give the impression that millions of people have the same views as you.

Security quotes of the week

Posted Jun 7, 2021 22:40 UTC (Mon) by Wol (subscriber, #4433) (1 responses)

> In the US? Largely freedom of speech. In any case, public opinion is also very debatable and subject to interpretation. Did you interview the right people? Is there a "silent majority"? Were your questions biased?

To my mind it's "lying for personal gain". Which is an offence under all sorts of circumstances.

Okay, there may be a problem with deciding which side of the line certain actions belong - a deluded sock-puppet should not face criminal consequences for being deceived.

I very much take your concerns about "public opinion is debatable" - I've been reading comp.risks, and two medical things jumped out at me recently, where the medics vehemently believed what turned out to be old wives' tales, and both killed people thanks to CoVid. But I don't think that believing "received wisdom" should be criminal. Refusing to believe contrary evidence may be stupid, but it's human and not criminal.

But pretending to believe what you know are lies, well that IS culpable. The problem, of course, is proving it ...

Cheers,
Wol

Security quotes of the week

Posted Jun 7, 2021 22:53 UTC (Mon) by mathstuf (subscriber, #69389)

> To my mind it's "lying for personal gain". Which is an offence under all sorts of circumstances.

Yes, but largely not in the political realm (certainly not in the US above the local level at least; not sure how it is in the UK since the news I get about that is basically just headlines…). And astroturfing is largely in the realm of political speech, so…fraud is really the only viable option here.

> a deluded sock-puppet should not face criminal consequences for being deceived.

Sure. The investigation can just be some simple verifications of the provided info, inspection that the address is real, asking if they know anything about the petition in question, and verifying that it is at least in the direction of the submitted comment. I know it's not as simple as it sounds, but it doesn't sound like a week per comment either. If the person purported to have submitted the comment doesn't even know what the topic is, there's some evidence for abuse at least. Get enough and all you'll be left with are the big offenders in the space anyways…


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds