The Petcock Problem

Many years ago, I worked for the small town where I grew up. My title was Street Commissioner. This is a very small town, and I was a part-time employee with one helper. Basically, I was the guy what fixed things. We had a very old network of water pipes that supplied water from several wells. The water system leaked in many places. Occasionally, a small leak turned into a big leak, and something had to be done about it.

You might think that the first response to a big water leak would be to close the water valves in order to isolate the leak and prevent the loss of valuable water. Not so fast!

First of all, in an interconnected network that had been upgraded and patched by piecework for many decades, it wasn’t always possible for small localized segments to be isolated, and turning off the water for a large area would inevitably lead to discord.

Second, closing even a single valve caused pressures throughout the system to change. Any pressure change anywhere in the system had the potential to cause new failures at weak points, which would just compound the problem.

Furthermore, at some point repairs could be counterproductive and completely replacing parts of the network would be the best option. This would require time for the town council to approve the funds, and for contractors to be hired, and for the work to be scheduled and completed — all while the leaking water is causing collateral damage to the roadway and inconveniencing the affected residents with low water pressure.

Eventually the big leak had to be repaired, and the water had to be turned off somewhere before the repair could be completed. Deciding where and how to accomplish this was not simple, due to the competing factors involved and the practical realities a small town is faced with.

I call this the Petcock Problem. Imagine petcock valves scattered throughout a network of pipes. The name fits because petcock valves typically have three positions, analogous to closing, opening, or redirecting connections on the network in order to isolate a fault.

The Petcock Problem applies in many situations involving complex networks, such as when a tree knocks down a power line or when an internet router dies. Sometimes the best solution is to isolate the fault to the most localized part of the network possible, thereby inconveniencing the fewest people at the expense of putting the larger network at greater risk of a much larger catastrophe. Sometimes the best solution is to shut down the entire network temporarily, thereby inconveniencing everybody who relies on the network, but removing any risk of further degradation while repairs are completed. Most of the time the best solution is somewhere in between these extremes. As the network ages and faults become more commonplace, at some point the best solution is to scrap the entire network and build a new one.

This is the Petcock Problem, or “How do you stop the bleeding?”. The solution involves balancing several variables, some of which are known quantities, some of which are wild guesses, and some of which are potentially very chaotic (in that a small change in value could have an unpredictable impact on the outcome).

[Disclaimer: I’m sure that the study of network topologies has its own terms of art and well researched algorithms for describing and solving these types of problems. I’m not claiming to have some new revelation about networks here. This is just my own little custom worldview.]

In a future post I will explain how the Petcock Problem applies to something as diverse as the Vernor lawsuit.

Autodesk Design Review 2010 Snake Oil Alert

From a new features overview of Autodesk Design Review 2010 comes the following snake oil claim:

Digital Signatures
To help secure your data, you can now digitally sign DWFx files.

As I’ve explained before, digital signatures do not provide data security; they authenticate the person who applied the signature and nothing more. Digital signatures are a welcome feature with many potential uses, but keeping data secure is not one of them.

Design File Locking and Snake Oil Security

The increased sharing of electronic CAD data (à la BIM) holds a lot of promise, but it also exposes companies and individuals to additional liability and risk. This additional risk is coming into focus more and more as actual cases of costly legal battles confront engineers and architects.

The June 2008 AUGI wishlist results contain “Design File Locking” as the top wish by a substantial margin, and Shaan Hurley lists it as number 3 in the AU 2008 AutoCAD wish list. Clearly, interest in file and IP security has been growing steadily.

As demand for IP security grows, there are sure to be snake oil security vendors trying to cash in on it. I received a spam email a few days ago from SafeNet, Inc. promising “a cost-effective and easy to integrate solution that provides reliable and effective security through the use of digital signatures.” Whenever I see such statements with a long string of buzzwords, my snake oil alarm goes on alert. Digital signatures are for authentication and establishing trust — they cannot and do not provide “reliable and effective security”, although I suppose they could be used by a system that does.

In the last year or two, a number of companies have claimed to market software that “secures” AutoCAD DWG files. When I see such a claim, it invariably refers to software that creates an anonymous, unequally scaled MINSERT entity. These can be created or “exploded” with a few lines of AutoLISP code. Frequently these companies claim to “encrypt” the drawing, which may sound sexy, but is an outright lie. If this is a level of “security” that meets your needs, at least use one of the many free versions posted throughout the internet (DETER.VLX from DotSoft is one I know of).

There are solutions, but they always require changes in the workflow process that involve difficult tradeoffs and careful evaluation of what is technically feasible and practical versus the costs of implementing the changes. There is no such thing as installing a single piece of software to instantly solve the problem. If you are looking for ways to protect intellectual property in your drawing files, don’t be fooled by snake oil security vendors.

Disclaimer: One of my hats is the president of CADLock, Inc., makers of CADVault for AutoCAD.

Digital Signatures: Under the Hood

The basic requirements of a digital signature are that it must uniquely identify the signatory, it must be independently verifiable, and it must be invalidated if the signed data has changed. To understand how these objectives are achieved, let’s start with the foundation of modern digital signature technology: public key encryption and the public key infrastructure, or PKI.

In public key encryption, a “key pair” consists of two parts: a public key and a private key. In simplistic terms, the public key is mathematically derived from the randomly generated private key using an algorithm known as a “one way function”. A one way function makes it easy to calculate a public key if the private key is known, but extremely difficult to deduce the private key if the public key is known. The end result is a secret private key and an openly shared public key that are mathematically related in such a way that the public key can be used to decrypt data that was encrypted with the private key, and the private key can be used to decrypt data that was encrypted with the public key.

This interesting property of such a key pair gives rise to a number of useful capabilities. In the case of digital signatures, the act of signing data is essentially nothing more complicated than encrypting the data with a private key. If the data can be decrypted successfully with the signer’s public key, then only the signer’s private key could have been used to do the encrypting. In practice, this process is simplified so that the signer encrypts only a secure hash, or checksum, of the data to be signed. The recipient then calculates the hash from the raw data and compares the result with the “signed” hash after it is decrypted. If the values match, the digital signature and data are validated.

For this process to work properly, there need to be standard ways to package information about the algorithms used, and to provide important information about the keys themselves. This need is fulfilled by digital certificates. A digital certificate is a file or block of memory containing a public key along with ancillary data about the key and its owner. The certificate is itself digitally signed by the entity, usually a mutually trusted third party, that issued the certificate. This enables users to verify that the public key is valid and trustworthy.

A digital ID is the private key component of a key pair. Normally the private key is not stored together with the public key, but instead is stored in a separate physical location for security, usually requiring a password to access it. A key manager maintains links between the digital certificate and its associated private key. In many cases, it is convenient to use the term “digital ID” to mean both the public and private keys, even though they are physically separated.

It is almost always a good idea to time stamp digital signatures. Time stamping involves sending the digital signature to a time stamp authority, which then creates and returns a digitally signed time stamp that is uniquely and securely associated with the original digital signature. The time stamp can then be verified by third parties in the future using exactly the same technique used to verify a digital signature.

I think these important terms deserve a review. A “digital certificate” is a public key, which is itself digitally signed by a mutually trusted third party. Your digital certificate represents your public digital identity, and it should be made freely available to anyone who wants or needs it. A “digital ID” is a digital certificate and the private key associated with the digital certificate. It isn’t difficult to create your own self-signed digital ID, but a digital ID is only as good as the issuing authority that signs it. When you purchase a digital ID from a third party like VeriSign or Thawte, their reputation makes your digital ID more trustworthy.