So you want to work in security (but are too lazy to read Parisa's excellent essay)

If you have not seen it yet, Parisa Tabriz penned a lengthy and insightful post about her experiences on what it takes to succeed in the field of information security.

My own experiences align pretty closely with Parisa's take, so if you are making your first steps down this path, I strongly urge you to give her post a good read. But if I had to sum up my lessons from close to two decades in the industry, I would probably boil them down to four simple rules:

  1. Infosec is all about the mismatch between our intuition and the actual behavior of the systems we build. That makes it harmful to study the field as an abstract, isolated domain. To truly master it, dive into how computers work, then make a habit of asking yourself "okay, but what if assumption X does not hold true?" every step along the way.

  2. Security is a protoscience. Think of chemistry in the early 19th century: a glorious and messy thing, chock-full of colorful personalities, unsolved mysteries, and snake oil salesmen. You need passion and humility to survive. Those who think they have all the answers are a danger to themselves and to people who put their faith in them.

  3. People will trust you with their livelihoods, but will have no way to truly measure the quality of your work. Don't let them down: be painfully honest with yourself and work every single day to address your weaknesses. If you are not embarrassed by the views you held two years ago, you are getting complacent - and complacency kills.

  4. It will feel that way, but you are not smarter than software engineers. Walk in their shoes for a while: write your own code, show it to the world, and be humiliated by all the horrible mistakes you will inevitably make. It will make you better at your job - and will turn you into a better person, too.


Jackson Hole and Fed Communication

Fed chair Janet Yellen gave what I considered to be a good speech at this year's Jackson Hole conference (see here).  Not everyone seems impressed, however. The Fed has no credibility, it seems. For example, it keeps saying it's going to do things, like raise its policy interest rate, only to repeatedly back off. I mean, what the heck? Don't they even know what they're doing?

At some level, this degree of frustration is understandable. (I am less sympathetic, however, when it comes to informed journalists and market traders, who should know better.) Let me try to help ease your frustration.

The first thing to keep in mind is that monetary policy is not a precise science. Much remains to be discovered, especially since the environment (technology in particular) continues to evolve. Keep in mind that most central banks employ the services of research divisions. As Einstein is purported to have said: "If we knew what it was we were doing, it would not be called research, would it?"

That's not to say that monetary policy makers are completely clueless. Evidence. Theory. Discussion. Debate. Experience. Wisdom. They all have a role to play in the process of formulating monetary policy. There is considerable consensus along some dimensions (e.g., keeping inflation low and stable). There is outright disagreement along other dimensions. That's just the way it is. And it's likely to remain this way for the foreseeable future. But in the meantime, if you live in the U.S., try to take some solace in this:

[Chart: Annual Inflation Rates]

Now, in terms of Yellen's Jackson Hole speech, what are people complaining about? Well, consider this WSJ article: Yellen Cries Wolf, with the subtitle: Fed chairwoman tries to convince market that a rate rise is coming but investors aren't listening. Of course, digging deeper into the article, the author clarifies that Yellen did not actually say that, only that she came "close" to saying it. Sigh.

The main issue here, I think, is what people expect in the way of Fed communication in terms of its economic outlook and its description/explanation of its policy rule. These are two conceptually distinct objects and are often confused.

My own personal view is that a central bank should make its policy rule clear, but that it should refrain from providing an economic outlook. So, for example, the Fed should want to make it clear that a sharp uptick in inflation would be met with a correspondingly sharp increase in its policy rate (assuming that this is an appropriate policy response). But what would be the use in having the Fed provide an outlook (a probability assessment) over future inflation? All that people need to know, really, is that the Fed is committed to keeping inflation in check. The credibility of this belief is ultimately based on reputation (see diagram above). As for forecasting the contingencies that would trigger this or that policy response, let the private forecasters do their job.

But some people want more from the Fed. They want the Fed to tell them how the economy is going to evolve in the foreseeable future (and in some cases, beyond). As if the Fed, or anyone for that matter, can actually know.

Now, if people generally appreciated the inherent difficulty in offering forecasts of this sort, I'd say that it would do no harm for a central bank to offer its economic outlook--a prognosis that would find its way in a portfolio of outlooks generated by other agencies. Market participants could then combine the information in these outlooks and, together with the Fed's clearly stated policy rule, make their own forecast of (say) the future path of short-term interest rates.

But perhaps I'm being naive. If a central bank was to just state its policy rule and refrain from offering its outlook, it would surely be criticized for not providing the market with enough "guidance." It is the demand for this "guidance" that compels central bankers to offer an economic outlook. Here is the outlook provided by JY (emphasized phrases my own):

Looking ahead, the FOMC expects moderate growth in real gross domestic product (GDP), additional strengthening in the labor market, and inflation rising to 2 percent over the next few years. Based on this economic outlook, the FOMC continues to anticipate that gradual increases in the federal funds rate will be appropriate over time to achieve and sustain employment and inflation near our statutory objectives. Indeed, in light of the continued solid performance of the labor market and our outlook for economic activity and inflation, I believe the case for an increase in the federal funds rate has strengthened in recent months. Of course, our decisions always depend on the degree to which incoming data continues to confirm the Committee's outlook
And, as ever, the economic outlook is uncertain, and so monetary policy is not on a preset course. Our ability to predict how the federal funds rate will evolve over time is quite limited because monetary policy will need to respond to whatever disturbances may buffet the economy. In addition, the level of short-term interest rates consistent with the dual mandate varies over time in response to shifts in underlying economic conditions that are often evident only in hindsight. For these reasons, the range of reasonably likely outcomes for the federal funds rate is quite wide--a point illustrated by figure 1 in your handout...The reason for the wide range is that the economy is frequently buffeted by shocks and thus rarely evolves as predicted.

And so, there you have it. Evidently, the Fed plans to raise its policy rate soon. And if it doesn't, its credibility will be diminished. Or if it does raise rates even though conditions do not warrant it, its credibility will again be diminished. Or, as the fan chart above demonstrates, the Fed evidently has no idea where interest rates will go. There's no winning this game. Go back and look at the first diagram again and give it a rest.


Welfare lost in paradise

Norway is doing too little in the fight against tax havens.

The EU is going to create a common blacklist of tax havens, and Panama is going to end up on it. On Thursday came Panama's infantile response. The small country is making its own blacklist of countries that blacklist it, and is threatening a trade war.

The EU produces as much in one day as Panama does in a whole year. Trade between the EU and Panama is completely insignificant. Panama's reaction is more amusing than dangerous for the EU.

The case shows that the fight against tax havens is making progress. Every year, tax havens help shelter fifty billion dollars from taxation in Africa. That is roughly as much as the continent receives in development aid. It is estimated that the black economy accounts for around one sixth in OECD countries. Tax havens make it easier to shelter funds from taxation.

Panama's futile attempt at retaliation shows how easy it would be for the US and the EU to abolish the tax havens. These are consistently small countries that are entirely dependent on access to the EU's and the US's capital markets and corporate systems. That tax havens still exist is due to a lack of will, not a lack of ability.

It is therefore strange that the Norwegian authorities do not do more to undermine them. Estimates show that the Norwegian authorities lose 130 billion a year to tax evasion. Much of this is presumably hidden in tax havens.

Instead, the Norwegian authorities undermine their own tax system by allowing procurement from companies registered in tax havens. That makes it easier for suppliers to operate there, and it becomes easier for the havens to survive.

For the same reason, the Oil Fund's ethical guidelines should be changed so that companies registered in tax havens are thrown out. DN found last year that the fund had 2.3 % placed in havens. Kicking out the companies may of course cost something, but it can contribute to higher tax revenues in the long run.

For the record, a tax haven is not a country with low taxes. It is ethically unproblematic that some countries have a low level of taxation because they are more efficient or choose to give public welfare lower priority.

The problem arises when foreign tax refugees are given special advantages in the form of tax exemptions, while the residents pay ordinary tax. The special treatment is typically combined with secrecy, which complicates the work of the tax authorities but helps tax cheats. The moment a tax haven ends the discrimination against its own citizens and the secrecy, it ceases to be a tax haven.

So why are tax havens harmful? Suppose Norwegian companies could move their profits to Denmark and pay zero tax, and Danish companies paid zero tax in Norway. The absence of corporate tax would result in an extremely high tax rate on labour, lower output and a large economic loss to society. The Danish businesses in Norway would contribute to increased banking activity, but we would lose just as much to capital flight to Denmark. Overall, both countries would lose.

Tax havens thus have no economic justification. The main function of tax havens is to avoid taxation and hide information, legally or illegally.

Earlier this spring, PwC listed some reasons for using tax havens that they consider legitimate, but the advantages mentioned are entirely ordinary in Western industrialised countries. Simple company law, rules to avoid double taxation, deferred tax on dividends, no restrictions on currency transfers and a well-functioning legal system are the norm, as we have in Norway.

The argument falls apart completely if we look at the World Bank's rankings of how easy it is to do business in various countries. Norway comes in ninth, closely flanked by the other industrialised countries. The tax havens lag hopelessly far behind. Panama comes in at sixty-ninth. It is hard to see any reason to place money in Panama other than low taxes for foreigners.

If we introduce stricter rules for companies from tax havens, Norway also risks ending up on Panama's list. That is a blow we will have to take.

CSS mix-blend-mode is bad for your browsing history

Up until mid-2010, any rogue website could get a good sense of your browsing habits by specifying a distinctive :visited CSS pseudo-class for any links on the page, rendering thousands of interesting URLs off-screen, and then calling the getComputedStyle API to figure out which pages appear in your browser's history.

After some deliberation, browser vendors closed this loophole by disallowing almost all attributes in :visited selectors, save for the fairly indispensable ability to alter foreground and background colors for such links. The APIs have also been redesigned to prevent the disclosure of this color information via getComputedStyle.

This workaround did not fully eliminate the ability to probe your browsing history, but limited it to scenarios where the user can be tricked into unwittingly feeding the style information back to the website one URL at a time. Several fairly convincing attacks have been demonstrated against patched browsers - my own 2013 entry can be found here - but they generally depended on the ability to solicit one click or one keypress per every URL tested. In other words, the whole thing did not scale particularly well.

Or at least, it wasn't supposed to. In 2014, I described a neat trick that exploited normally imperceptible color quantization errors within the browser, amplified by stacking elements hundreds of times, to implement an n-to-2^n decoder circuit using just the background-color and opacity properties on overlaid <a href=...> elements to easily probe the browsing history of multiple URLs with a single click. To explain the basic principle, imagine wanting to test two links, and dividing the screen into four regions, like so:

  • Region #1 is lit only when both links are not visited (¬ link_a ∧ ¬ link_b),
  • Region #2 is lit only when link A is not visited but link B is visited (¬ link_a ∧ link_b),
  • Region #3 is lit only when link A is visited but link B is not (link_a ∧ ¬ link_b),
  • Region #4 is lit only when both links are visited (link_a ∧ link_b).

While the page couldn't directly query the visibility of the segments, we just had to convince the user to click the visible segment once to get the browsing history for both links, for example under the guise of dismissing a pop-up ad. (Of course, the attack could be scaled to far more than just 2 URLs.)

This problem was eventually addressed by browser vendors by simply improving the accuracy of color quantization when overlaying HTML elements; while this did not eliminate the risk, it made the attack far more computationally intensive, requiring the evil page to stack millions of elements to get practical results. Game over? Well, not entirely. In the footnote of my 2014 article, I mentioned this:

"There is an upcoming CSS feature called mix-blend-mode, which permits non-linear mixing with operators such as multiply, lighten, darken, and a couple more. These operators make Boolean algebra much simpler and if they ship in their current shape, they will remove the need for all the fun with quantization errors, successive overlays, and such. That said, mix-blend-mode is not available in any browser today."

As you might have guessed, patience is a virtue! As of mid-2016, mix-blend-mode - a feature to allow advanced compositing of bitmaps, very similar to the layer blending modes available in photo-editing tools such as Photoshop and GIMP - is shipping in Chrome and Firefox. And as it happens, in addition to their intended purpose, these non-linear blending operators permit us to implement arbitrary Boolean algebra. For example, to implement AND, all we need to do is use multiply:

  • black (0) x black (0) = black (0)
  • black (0) x white (1) = black (0)
  • white (1) x black (0) = black (0)
  • white (1) x white (1) = white (1)

For a practical demo, click here. A single click in that whack-a-mole game will reveal the state of 9 visited links to the JavaScript executing on the page. If this was an actual game and if it continued for a bit longer, probing the state of hundreds or thousands of URLs would not be particularly hard to pull off.
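To see why the blending operators make the quantization tricks unnecessary, here is an added example (mine, not code from the post, the demo, or any browser) that models the separable mix-blend-mode formulas from the W3C Compositing and Blending specification as plain arithmetic on 0/1 channel values, reproducing the four-region decoder above and generalising it to n links and 2^n regions. It touches no DOM or :visited state; using difference against white as the negation is this example's choice, not something the post specifies.

```javascript
// Added example, not code from the original post: a pure-math model of the
// separable mix-blend-mode operators (formulas from the W3C Compositing and
// Blending spec) on channel values normalised to 0 (black) .. 1 (white). It
// shows why they give exact Boolean gates and how the 2-link decoder scales.

// B(cb, cs): cb = backdrop channel, cs = source channel.
const BLEND = {
  multiply:   (cb, cs) => cb * cs,            // on {0,1}: AND
  screen:     (cb, cs) => cb + cs - cb * cs,  // on {0,1}: OR
  darken:     (cb, cs) => Math.min(cb, cs),   // on {0,1}: AND
  lighten:    (cb, cs) => Math.max(cb, cs),   // on {0,1}: OR
  difference: (cb, cs) => Math.abs(cb - cs),  // against white (1): NOT
};

// Truth table of one operator, e.g. the four multiply bullets in the post.
function truthTable(mode) {
  return [[0, 0], [0, 1], [1, 0], [1, 1]]
    .map(([cb, cs]) => [cb, cs, BLEND[mode](cb, cs)]);
}

// Each probed link is modelled as an opaque layer whose channel is 1 if the
// link is visited and 0 if not (colour being all :visited may still change).
// Region r is the multiply (AND) over all link layers, taking the layer itself
// where bit i of r is 1 and its difference-against-white negation where it is
// 0. Exactly one region comes out white for any combination of history bits.
function decoderRegions(visited) {
  const n = visited.length;
  const regions = [];
  for (let r = 0; r < 1 << n; r++) {
    let acc = 1;                                    // start from a white backdrop
    for (let i = 0; i < n; i++) {
      const layer = visited[i] ? 1 : 0;
      const wantLit = (r >> (n - 1 - i)) & 1;       // bit for link i in region r
      acc = BLEND.multiply(acc, wantLit ? layer : BLEND.difference(layer, 1));
    }
    regions.push(acc);
  }
  return regions;
}

// What a single per-region read-back reveals: the index of the one lit region
// decodes straight back to the visited bits. Returns null if the algebra ever
// lit more or fewer than one region (it never does on exact 0/1 inputs).
function readBackHistory(visited) {
  const lit = decoderRegions(visited).flatMap((v, i) => (v === 1 ? [i] : []));
  if (lit.length !== 1) return null;
  return Array.from({ length: visited.length },
    (_, i) => ((lit[0] >> (visited.length - 1 - i)) & 1) === 1);
}
```

Because every operator is exact on 0 and 1, a single lit region carries all n history bits at once, which is the scaling property the quantization-based version could only approximate.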