Saturday, August 23, 2008
Dude, Where's My Cache?
Remember when this all began, four days ago, I asked the world to cache the documents discovered in the Baidu cache, just in case they disappeared? Well, sometime between last night and today, they did just that. A day after the Wall Street Journal was able to retrieve a copy from the Baidu cache, it disappeared. Here are the original links: cache1 cache2. Surprisingly, the document I linked in a subsequent post is (at the time of this post) still present: cache3. Does this removal necessarily mean malfeasance? We can't be certain, as all search engine caches have a timeout period, in which older documents are expunged. Maybe this was just the natural timeout period of the documents, maybe not. Either way, it now becomes imperative to build mirrors of the third document, cache3, as we can reasonably expect it to disappear soon.
The good news is, hundreds of people mirrored these documents before they were removed, and can vouch for what they saw. Here are just a few of the massive outpouring of volunteer mirrors that showed up in the comments section:
Behind the Wall?
I've received so much information in the last few days I don't know how to get to it all. Here's a small excerpt of an email I received from within China:
As a fellow resident in China, some 60 miles north of Grace, I must say that Grace's comment is at least partially correct. China is in many ways a wonderful place. However, I must take factual exception to some of her statements. While your blog has not been discovered by authorities yet, if I do a search for "NYTimes and underage gymnasts" on Google my internet connectivity at home is suspended for 15 minutes, and I am unable to establish any outside connections to ANY website from any computer in my home. In addition, while researching the gymnasts scandal, my internet searches routinely turned up blank pages for well known sites whose uptime is better than four 9s and my internet connection was suspended several times for 15 minutes each.
Like the earlier email from Grace, this one is impossible to verify, but the assertions made within are repeated often by those living within China.
Full of Sound and Fury, signifying...?
In the end, what does this all mean? Aside from the three spreadsheets I found, there is this fourth document, hosted by the Internet Archive, also hosted by the General Administration Sport China (www.sport.gov.cn), also currently missing, which states that He Kexin's birthday is Jan 1, 1994. That's four documents removed from the same government web server that are all in complete agreement about He Kexin's birthday. Stored on multiple web servers around the world! In fact, the Internet Archive keeps a history of when it stored its document copies, and it goes back to the year 2006, showing two separate, identical retrievals of the now-removed document. And what of the amazing Huffington Post article which predates my blog, showing screenshots of official news reports in which He Kexin's age is suddenly changed from 14 to 16, and a list published by the Chengdu government showing He Kexin's birthday to be, again, Jan 1 1994? What can we do with this vast preponderance of electronic evidence, all of which has been removed from the servers that once hosted it?
A Future Yet to be (Re)Written
We live in the Information Age, and we are facing a future in which all documents will be electronic. Doubtful? Later this year, American voters will elect a president using electronic voting machines which don't leave a paper trail. Americans can sign up now for bank accounts which are completely electronic and generate no consumer-available paper records. And most DMVs, state agencies for issuing official ID, are online now. A future of electronic records? We're living in it.
No Proof
If you receive a printed bank statement one month that says you have $3000, and the next month it says you have $2000, you can take both statements to court. If you have online banking, what do you take to court? If you vote electronically, what is the standard of proof for an audit? How can anyone prove the validity of a digital document? That was the question I faced four days ago, and my ad-hoc solution of community mirroring shows the dearth of solutions available to the public. The nature of digital documents has changed irrevocably, and our institutions have failed to keep up. Digital documents are invisibly malleable and non-persistent.
Invisibly malleable. The art of paper document forgery is as old as art forgery, dating back hundreds of years. Meanwhile digital document forgery is as easy as changing one number in a spreadsheet, and right now we lack the tools to track these changes. The coming wave of remote application providers like Google Docs might someday be able to provide us with a chain-of-trust type solution to this problem, but that day is a long way off. In the meantime, we face this problem with voting machines, where digital changes to vote tallies cannot be detected. The public deserves a solution to this problem, and it is a challenge for the information security industry to provide it. For now, I favor paper verified voting.
Non-persistent. The problem of non-persistence is the problem that the international community is now having with the electronic documents mentioned in this blog and elsewhere regarding He Kexin's age. In the blink of an eye, a document can be removed from the web server that hosts it, and someone seeking to prove the historical existence of that document has no recourse whatsoever. In a future in which all identity documents are electronic, does that mean that someone's identity can be erased? I would answer with a question: is He Kexin being erased, or overwritten? I'll let anyone who has read this blog reach their own conclusions in that regard. But again, I challenge the information security community: we need a solution. Recently my colleague Mike Zusman and researcher Dan Kaminsky gave presentations at Blackhat highlighting fundamental problems with the mechanisms that allow Internet users to trust that they are arriving at the web site they requested. These problems are related: how do we verify sites, and how do we verify documents hosted on sites? DNS security, SSL security, and the unfilled need for a legally admissible Internet Notary that can prove the historical existence of electronic documents. These are the solutions to the problems I've encountered this week. These are the solutions which can keep our elections safe, and preserve our culture of verifiable documents. I for one look forward to a future where innovative solutions to these problems are available to the citizens of the world.
-stryde.hax
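One way volunteer mirrors could make their copies tamper-evident, shown as an added example that is not part of the original post: each retrieval is recorded as a SHA-256 digest in a hash-chained log whose head value is published widely, so a one-digit change or a rewritten record is detectable. The URLs, timestamps and spreadsheet rows are constructed, and the function names are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record

def digest(document: bytes) -> str:
    """SHA-256 of the exact bytes a mirror retrieved."""
    return hashlib.sha256(document).hexdigest()

def _hash_body(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log: list, url: str, retrieved_at: str, document: bytes) -> dict:
    """Append a record that commits to the document and to the previous record."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = {"url": url, "retrieved_at": retrieved_at,
            "doc_sha256": digest(document), "prev": prev}
    entry = dict(body, entry_hash=_hash_body(body))
    log.append(entry)
    return entry

def verify_log(log: list, published_head: str) -> bool:
    """Recompute every link; an edit to any earlier record changes the head."""
    prev = GENESIS
    for entry in log:
        body = {k: entry[k] for k in ("url", "retrieved_at", "doc_sha256", "prev")}
        if entry["prev"] != prev or _hash_body(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return prev == published_head

def mirrors_agree(copies: dict) -> bool:
    """True only when every mirror holds byte-identical content."""
    return len({digest(c) for c in copies.values()}) == 1

# Constructed sample data (not taken from the documents discussed above).
ORIGINAL = b"name,birth_date\nExample Athlete,1994-01-01\n"
ALTERED = b"name,birth_date\nExample Athlete,1992-01-01\n"

def demo() -> dict:
    log = []
    append_entry(log, "http://registry.example/roster.xls", "2008-08-19T12:00:00Z", ORIGINAL)
    append_entry(log, "http://registry.example/list.xls", "2008-08-20T09:30:00Z", ORIGINAL)
    head = log[-1]["entry_hash"]            # the value witnesses publish widely
    intact = verify_log(log, head)
    log[0]["doc_sha256"] = digest(ALTERED)  # someone rewrites history afterwards
    return {"intact": intact, "after_rewrite": verify_log(log, head),
            "mirrors_ok": mirrors_agree({"a": ORIGINAL, "b": ORIGINAL}),
            "mirrors_tampered": mirrors_agree({"a": ORIGINAL, "b": ALTERED})}

if __name__ == "__main__":
    print(demo())
```

The timestamps here are self-asserted, so the log proves only that a record existed before its head was published; an independent witness still has to vouch for when that publication happened.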
Check out this recently submitted link from an anonymous user comment, in English! "14-year-old newcomer to the national team"! Google Cache
No longer anonymous. The above link was submitted by Jody Lanard M.D.
