Pluralistic: 15 Oct 2021

Originally published at: Pluralistic: 15 Oct 2021 – Pluralistic: Daily links from Cory Doctorow


Today's links



1945 radio premium: Captain Midnight decoder badge.

ROT 8000 and what "security" means (permalink)

If you're an Internet Person of a Certain Vintage, you'll likely experience the same thrill of delight I felt this morning when I discovered ROT8000, a Unicode version of the old ROT13 cipher. But after I finished smiling, I got to thinking.

http://rot8000.com/Index

ROT13 is a toy cipher with a simple method for scrambling text – simply change each character in the message to the character that comes 13 letters after it in the alphabet: A=M, B=N, C=O, etc. You're ROTating each character 13 positions forward – hence, ROT13.

The cool thing about ROT13 is how you unscramble the message – just rotate each scrambled letter 13 positions forward again, so that it moves a full circle around the alphabet – ROT13+ROT13=ROT26, and there are 26 letters in the alphabet, so ROT26 takes you back to the start.

A+13=M. M+13=A. Or, put another way: A+26=A.

ROT8000 brings ROT13 into the modern digital environment. Our crude, Roman-alphabet-only systems have been upgraded to the Unicode standard, with a whopping 16,000-characters, incorporating many alphabets, symbols and emojis.

Here's a sentence in plaintext. Here it is in ROT8000:

籑籮类籮簰籼 籪 籼籮籷籽籮籷籬籮 籲籷 籹籵籪籲籷籽籮粁籽簷 籑籮类籮 籲籽 籲籼 籲籷 籛籘籝籁簹簹簹籃

(In Unicode, Chinese characters are 8000 positions away from the Roman alphabet).

Compared to ROT13, ROT8000 is actually a tiny, little bit more secure. When you see a ROT13 phrase, like:

Arire tbaan tvir lbh hc/Arire tbaan yrg lbh qbja

It's totally clear that there's some scrambled text there. and because it's ROT13, it's not hard to descramble it.

But if you're not able to read Chinese, then it's not immediately obvious that a phrase like this:

籗籮籿籮类 籰籸籷籷籪 类籾籷 籪类籸籾籷籭 籪籷籭 籭籮籼籮类籽 粂籸籾

is scrambled at all.

But of course, neither ROT13 nor ROT8000 are very secure.

If either were in wide use to detect secrets, someone could easily write a browser plugin that did a basic spellcheck on all the text you encounter, and if it doesn't look like a real world, try a ROT13 and/or ROT8000 operation on it and see if you get recognizable text.

But we really did used to use ROT13 a lot. We used it to keep secrets. And it worked.

Why it worked is a fascinating look at all the different meanings that "security" has.

ROT13 was once a mainstay of online conversations on Usenet and message boards.

It was essential to joke forums (where it was used to scramble punchlines) and media forums (where it was used to scramble spoilers).

You see, "security" doesn't exist in the abstract. Every security measure is a counter to a threat.

A sprinkler system is security against fire – but not burglars or snakes or covid aerosols.

The threat that ROT13 defended against was…you. It was a way to prevent you from accidentally reading something you didn't want to know – a counter to your haste and/or curiosity.

Now, you might have a lot of security precautions you take against yourself. You might throw out all your Oreos when you go on a diet, or set a second wakeup alarm in case you miss the first one, or put all the stuff you need for work in your bag before you go to bed.

These are all measures to defend yourself against you – your lack of self-control, your ability to rationalize nodding off again after turning off the alarm, your forgetfulness while rushing around in the morning.

The thing that makes ROT13 interesting is that it was a way for your friends to defend you against yourself – as is the case with most security, it was a team sport.

Though ROT13 is now an old joke, this "social security" – in which we form groups that voluntarily take measures to defend ourselves from ourselves – has become surprisingly popular today.

That's the point of things like disappearing messages in Snapchat, Wickr, Signal and other messaging tools. Sending you a "disappearing message" isn't a way to stop you from blabbing its contents to others, or even getting a screenshot.

Even if the app tries to disable the recipient's device's screenshot facility, they can install a third-party screenshot app, or just use another device to photograph their screens.

But even though disappearing measures don't make it possible for you to force other people to keep your secrets, they are still super useful – because automate the process of deleting old messages so you and your friends don't accidentally leak them.

Communicating by disappearing message lets you and your friends agree that you won't save your correspondence, so that cops or school principals or hackers or border guards or your boss or spies can't harvest them and use them against you.

And it frees you and your friends from having to do anything to uphold that bargain you've made with each other. Disappearing messages aren't an anti-traitor tool – they're an anti-human-frailty tool. They prevent lapses, not betrayal. That's incredibly useful.

We're a couple decades into the slow-motion information security emergency, and it's speeding up, and most people genuinely don't understand the fundamental premise that "security" is always contextual, in relation to a threat.

That ignorance is dangerous. It's what's behind Missouri Governor Mike Parson's absolutely shameful slander and threats against St Louis Post-Dispatch reporter Josh Renaud.

https://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/

Renaud is a data-driven reporter for the Dispatch; he discovered that the state's portal for looking up the credentials of educators and other school-system workers was exposing their social security numbers.

https://www.stltoday.com/news/local/education/missouri-teachers-social-security-numbers-at-risk-on-state-agencys-website/article_f3339700-ece0-54a1-9a45-f300321b7c82.html

If you looked up any of the 100,000+ records in the system and then examined the source of the webpage that loaded in your browser, you'd find this information. It was trivial to write a script to go through each page and harvest all 100K SSNs.

Renaud told the state education authority about the problem and his intention to publish on it, and gave them lots of time to remedy the problem (they took the site offline), and then he published his article.

Enter Governor Parsons, who, in a malapropism-riddled rant, denounced Renaud and the Dispatch as "perpetrators who attempt to steal personal information and harm Missourians."

He mischaracterized Renaud's work as "unlawful[ly accessing] encoded data…in order to examine other peoples' personal information." He claimed that Renaud's article "may cost Missouri taxpayers as much as $50 million."

And even as he was vilifying the investigator who had discovered a dangerous defect in his administrator's systems, the governor downplayed its gravity, falsely claiming that "there was no option to decode Social Security numbers for all educators in the system all at once."

Parsons called the investigation a "crime," "an attempt to embarrass the state and sell headlines for their news outlet," and a "political vendetta." He threatened legal retaliation against the newspaper, the reporter, and "all those who aided [them]."

This is a really dangerous form of security illiteracy. A website that sends government employees' SSNs to any computer in the world that requests them is severely broken – even if the code that contains the SSN includes a tag that says, "Please don't display this part."

Security is a team sport. Using a disappearing Signal message to tell a secret someone you trust (but who you fear might forget to delete it) is fundamentally different from sending the same message to someone you don't trust – or anyone in the world who asks for it.

Renaud did a public service for 100,000 Missouri state employees. He deserves the governor's praise and thanks, not his threats.

There is a place for security measures that assume good faith but bad follow-through – they are essential for groups that trust each other.

But a public website is visible to the whole world, which, by definition, includes literally everyone in the world you don't trust. Sending sensitive information to people you don't trust but tagging it "Please don't look at this" is obviously bad security.

ROT13 – and ROT8000 – are useful for hiding spoilers or joke punchlines, or making sure the person whose birthday party you're planning doesn't accidentally ruin the surprise.

But if you used them to scramble Social Security Numbers – and then literally threatened to imprison the reporter who pointed out that this is a bad idea – you reveal yourself to be a fool.

(Image: Sobebunny, CC BY-SA)



This day in history (permalink)

#20yrsago Delta flight delay after Islamaphobe mistakes orthodox Jews for Muslims https://web.archive.org/web/20011016000622/http://dailynews.yahoo.com/h/nm/20011015/od/delta_dc_1.html

#20yrsago John Norman decries Worldcon "monothink" http://www.locusmag.com/2001/Departments/Letters10Norman.html

#20yrsago Bruce Sterling's predictions for a post-9/11 world https://web.archive.org/web/20011102212150/http://www.edge.org/documents/whatnow/whatnow_sterling.html

#15yrsago Play Money: memoir of a year selling game-gold https://memex.craphound.com/2006/10/15/play-money-memoir-of-a-year-selling-game-gold/

#10yrsago Great Big Beautiful Tomorrow: a chapbook in PM Press’s Outspoken Authors series https://craphound.com/category/gbbt/

#5yrsago Ikea Shanghai to elderly, lonely Chinese people: buy something or get out https://qz.com/806990/lonely-shanghai-seniors-now-have-to-buy-something-if-they-want-to-cruise-all-day-in-ikeas-cafeteria/

#5yrsago After being outed for massive hack and installing an NSA “rootkit,” Yahoo cancels earnings call https://www.huffpost.com/entry/yahoo-hacking-verizon_n_5800eef7e4b0e8c198a78b14

#5yrsago Billionaire tech investors back ballot initiative to purge homeless people from San Francisco https://www.usatoday.com/story/tech/2016/10/14/silicon-valleys-acute-homeless-problem-ballot/91082346/

#1yrago Bricked Ferrari https://pluralistic.net/2020/10/15/expect-the-unexpected/#drm

#1yrago Dystopia as clickbait https://pluralistic.net/2020/10/15/expect-the-unexpected/#dystopia-is-over

#1yrago What happened in Florida https://pluralistic.net/2020/10/14/final_ver2/#bush-v-gore

#1yrago Pandemic shock doctrine vs internet freedom https://pluralistic.net/2020/10/14/final_ver2/#freedom-house

#1yrago Prop 22 is a scam https://pluralistic.net/2020/10/14/final_ver2/#prop-22

#1yrago How to spreadsheet https://pluralistic.net/2020/10/14/final_ver2/#csv



Colophon (permalink)

Today's top sources: Schneier (https://www.schneier.com/).

Currently writing:

  • Spill, a Little Brother short story about pipeline protests. Yesterday's progress: 271 words (24593 words total)
  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Yesterday's progress: 1073 words (18915 words total).

  • A Little Brother short story about remote invigilation. PLANNING

  • A nonfiction book about excessive buyer-power in the arts, co-written with Rebecca Giblin, "The Shakedown." FINAL EDITS

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Breaking In https://craphound.com/news/2021/09/26/breaking-in-fixed/
Upcoming appearances:

Recent appearances:

Latest book:

Upcoming books:

  • The Shakedown, with Rebecca Giblin, nonfiction/business/politics, Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Medium (no ads, paywalled):

https://doctorow.medium.com/

(Latest Medium column: "Dead Letters," how the spam wars and corporate concentration killed open email: https://medium.com/@doctorow/dead-letters-73924aa19f9d).

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

This topic was automatically closed after 15 days. New replies are no longer allowed.