Avatar and Fetishizing The Other

Fair warning: This post may contain spoilers. However, I also feel I must point out that the foreshadowing in Avatar is so clumsy that the first half of the movie contains spoilers for the second half. So really, how much damage am I going to do?

So, James Cameron spends a decade working on his opus, and here it is. Truth and beauty in dazzling 3D, right? Wrong. I think this film is rubbish. Worse, I think this film is insidious rubbish that is a pro-establishment screed dressed in sheep's clothing of weak Iraq war metaphor. I think that continued success of rubbish like this adversely affects any hope of achieving a truly tolerant and egalitarian society.

It has already been pointed out that Avatar is another take on the classic white guilt fantasy. But the sci-fi setting gives it a weird undercurrent that I find more even more unsettling. By setting his non-whites as aliens, Cameron accidentally distills all the assumptions Hollywood makes about race, and then forces them into the cold light of day by pursuing an interspecies romance.

The Na'vi are a mish-mash of characteristics from just about every well-known "primitive" culture - feathers like Native Americans, Maori skin markings, African accessorizing (all African people are one big homogeneous tribe, if you didn't know), the hunting habits of Amazon tribes, and so on. This provides the framework for a bland allegory about evil white people - it's like indigenous peoples Malt-O-Meal. In the creation of this hunter-gatherer everyman, Cameron has provided a glimpse into the machinations of ignorant white men's minds.

Neytiri's introduction is as a howling dervish who shoots arrows mid-leap. She embodies the exotic, the mysterious, the untamed. When perturbed, she hisses like a feline (displaying her sharp, animal-like teeth). She views animals as kindred spirits. And see, what makes this a problem is that us white people have this really obnoxious habit of dressing dark-skinned models in animal prints and posing them with animals. We like to portray them as exotic, mysterious, and untamed. When we control the image, they are the Other.




Let's talk about Otherness. The idea started with Hegel, who said that consciousness cannot become self-conscious until it meets another consciousness and learns to define itself as separate from that other. Since then this idea has cropped up time and time again, because it seems to accurately describe a component of our psychology; humans have a tendency to define ourselves in opposition to other humans. Nationalism, racism, sports fans; we love to forge our identities by labeling Them and Us. It's not enough to have just an Us - if we find ourselves in a situation where there is no Them, we will quickly manufacture one.

Now, usually we take the straightforward route and just vilify the Other. Simply bicker over the prophet's cousin, or riot over those immigrants daring to live in "your" country, and get to fighting. But there's another method of oppression at which Americans in particular are becoming very adept. You declare your tolerance for the Other and talk about how much you like Others and how you have all sorts of Other friends. Meanwhile, you continue to marginalize the Other, but you make it subtle. You appropriate bits of their culture, but be sure place them in a one-dimensional box that leaves no room for growth. You pay lip service to equality but don't make any sacrifices of your own. In this way the Other can find no adversary to combat, and you can convince yourself that their failure to better themselves is due to some innate cultural deficiency. This is how we end up with black models dressed in leopard print.

What Cameron has created is the authoritative example of being ignorant and white. Not only is the appearance of the Na'vi built out of superficial elements of human ethnicities, but their entire culture is a slurry of half-baked ideas, the kind an ignorant white guy gets from paging through a National Geographic without bothering to read the articles (they are kinda long, after all). He's actually come up with some ludicrous explanation about neurons in plant matter to take the idea that "native peoples are really in touch with nature" to an extreme that has them literally talking to their ancestors through the trees or something.

There's neotribalism, and then there's this. This is not just yearning for simpler times or showing appreciation for low-impact lifestyles. This is fetishizing the Other. The Na'vi as a people are presented as strange, unknowable, yet utterly desirable. And creepily, Jake Sully plays out in concrete terms the fantasy that Cameron is playing out in the abstract. Sully is so enchanted by the Na'vi that he seeks to know, to possess, to dominate, and he consummates this quest by exerting his mastery over the natural world, hijacking control of the tribe, and having alien sex with Neytiri. And he is the protagonist because this is how ignorant white men understand desire.

We've been analyzing the movie in terms of the racial Other, but in fact the most famous application of Hegel was by Simone de Beauvoir, who applied the concept of the Other in The Second Sex, her book on the status of women:

Thus humanity is male and man defines woman not in herself but as relative to him; she is not regarded as an autonomous being... She is defined and differentiated with reference to man and not he with reference to her; she is the incidental, the inessential as opposed to the essential. He is the Subject, he is the Absolute – she is the Other.

-- Simone de Beauvoir, The Second Sex

I'd like to argue that the Na'vi are not only racial Others, but collectively they represent the sexual Other, Beauvoir's female.

It's no accident that Neytiri is the only prominent Na'vi in the film. Sure, Tsu'tey is the chief warrior, but he is practically eating out of Sully's hand by the end of the film, despite having spent the entire movie being cuckolded by Sully. He is the weak, ineffectual man next to Sully's raging pillar of testosterone. Neytiri is the only character to display any depth at all, and she is the only one who sees a considerable amount of screentime.

The support of life became for man an activity and a project through the invention of the tool; but in maternity woman remained closely bound to her body, like an animal.

-- Simone de Beauvoir, The Second Sex

Neytiri is fierce and capable, yet she displays no volition of her own. There are some weak attempts at connecting her to her land and her people, but she seems to have no personal desires, no ambition or selfishness. She spends the film at the mercy of events around her, captive to her emotions. Her involvement with Sully only further strips her of will - by the climax, she is a Harley babe riding bitch on the gigantic symbol of virility, Toruk, clutched between Sully's manly thighs (but it's okay, she's helping the war effort by cheering).

Sully definitely has the largest... dragon.

Oh sure, she turns Colonel Quaritch into a pincushion at the end. But to what end is his death? The battle is already over; the Na'vi have clearly won. So even the vague desires that Neytiri has expressed for herself - preserving her land and people - are not at stake. The only threat Quaritch poses is to Sully, who he is happily trying to murder. Her sole motivation for killing Quaritch is to save her man, and in fact, this display of devotion is the only real thing Neytiri accomplishes all film. She has cemented her own subjugation.

Now, I'm not saying Cameron tried to make a movie that was obliquely racist and anti-feminist. But he did, and he is as guilty as anyone. His crime is intellectual indolence; using superficial fairy tales instead of seeking any true understanding. Our crime is that we keep throwing money at bullshit like this instead of exploring anything that we might find difficult or uncomfortable. A movie that grosses $77 million in the first weekend is part of our culture, whether we like it or not. And if we can't even stop producing this shit, how are we ever going to flush it out of our system? Why ask ourselves tough questions about equality in this country when we can indulge our white male guilt with useless tripe? It's useless tripe, but in 3D!





Bonus: Now that I've spoiled this movie, allow me to spoil the plot of Avatar 2 as well. The humans come back. This time they just drop the bombs from space. All the Na'vi die. The humans congratulate each other and wonder why they didn't think of that sooner. The End.

Avoiding disaster when using svn switch

So I was going to be my usual negative self again this month, but I created something, so I'll share that instead. Your regularly scheduled cynicism will return next month.

The problem

So you're working away on a branch of your project in SVN, and you need to switch to a different branch. svn switch does exactly that, but there's a catch. Say your repository has a top level with a README and CLI scripts and whatnot. But you've been hacking away in the src/ folder because that's where all the real code is. And you carelessly type svn switch svn://myrepo/branches/other_branch while your working directory is src/. What you should have typed was svn switch svn://myrepo/branches/other_branch/src - notice the subtle but important difference there.

As soon as you hit Enter, you've screwed the pooch. Remember, SVN doesn't know about branches - it just thinks they're all folders. So what you've done is tell it to switch the working directory, src/, to the top level directory of some other branch. It's going to delete everything in your folder and start checking out the whole root directory into your working directory. It's going to make a mess, then yell at you about conflicts and slotting and mismatches and you're probably going to end up getting frustrated and running rm -r on the whole folder. If there's a graceful way to recover from this mistake, I have yet to find it. I've done this enough times that I usually realize my mistake as soon as the first message pops up, and I often mash Ctrl-C in hopes of preventing further damage, but honestly I think that makes it worse.

After making this mistake for about the fiftieth time yesterday, I finally decided it would be in my best interest to protect me from myself, and so I wrote a bash script. It checks the directory (relative to the root of the branch) that you're asking to switch to against your current directory and won't let you continue if it thinks you're about to screw something up.

This script assumes that your repository follows the standard SVN repo format - your code should be in trunk or branches/branchname. And it assumes you're going to run svn switch on your current working directory - I didn't write any support for more than one argument.

Installing

Because of the nature of SVN commands, we have to wrap svn and just pass arguments for the other commands through untouched. Shawn Parker gets credit for the original inspiration. You'll need to put the below code in a file and make it executable. Then edit your .bashrc to add the following line:
alias svn='/path/to/script.sh'

Worse than Nothing

Want to get phished? Don't worry, it won't hurt.

If you have an account with Vanguard, the investment firm, you can experience it for yourself right here (works on IE7, IE8, or FF3). If not, you can watch a quick screencast of me phishing myself. Note that this is clearly not the Vanguard site, and yet after I enter my username, I'm shown my personal image (mine's a canoe! what's yours?). I didn't answer any security questions, and yet that's my personal image that only my bank and I are supposed to know. And here it is on some scammer's site. That's the unique part of my attack, and the most dangerous.

By the way, that screen at the end is where the scammer has just obtained your password and is happily emptying your bank account (since I'm nice, I just display a hash and don't save it).

I don't mean to pick on Vanguard, I just happened to have an account with them. A similar attack should be quite possible on Bank of America, HSA Bank, or anyone else who uses the SiteKey system. SiteKey is a scheme banks came up with in response to the large and largely-intractable problem posed by phishing. It's sometimes labeled as a "multi-factor authentication" system, but I think that's incorrect - it's more of a "mutual authentication" system. The site proves that they are legitimate by showing you a picture that you selected when you sign up. Since no one else could know what picture you have set, this proves that the site is who you think it is. At least, that's the theory.

My attack is simple. The first page is just a static page that looks exactly like Vanguard's home page - standard phishing fare. When you submit the form with your username, I build a page with an iframe pointing to the Vanguard site, passing it the username. As long as you've logged in from this computer before, the Vanguard site happily shows your personal image. Then I create a form outside of the iframe with a password field and a submit button, and float those elements over the iframe. So while you're seeing the Vanguard site in the background, you're entering your password into a form I control, and the submit button you click submits to my page. And just like that, I have your password.

I have your password. I did this with a freakin' Bachelor of Arts degree. It took me about three hours of messing around to get the basics set up, and another few hours to spit and polish. It's a couple of dumb HTML pages with a few snippets of PHP, and a pinch of Javascript thrown in. There is nothing sophisticated here. I don't think this even qualifies as a "hack." I think you should be concerned. This attack has been possible as long as SiteKey has been in existence, and I see no reason why I would be the only person to think this up. In all likelihood, some smart phisher out there is already doing this.

I learned retroactively that this technique is called UI Redressing, more commonly referred to as Clickjacking. It's behind a number of attacks, of which perhaps the most publicly visible (although not the most dangerous) was the Twitter "Don't Click" infection. Even worse, since my attack requires no clicking on the actual hidden elements, even NoScript's vaunted ClearClick technology doesn't detect it (NoScript does offer an opt-in to disable iframe content, which sounds like it should stop the attack, but it didn't work for me).

SiteKey was weak to begin with. It's bad enough that a vast majority of site users don't notice if the image is missing. And a weaker man-in-the-middle attack that involved asking security questions was demonstrated 3 years ago[pdf]. But this is worse. A malicious site that shows you your own handpicked image will lull you into a false sense of security. Who would think twice about providing personal information when that mountain stream or étouffée or whatever you picked is staring you right in the face? The banks have worked hard to train users to look for that image, and that very training can be turned against them to make phishing attacks even more successful than before. SiteKey is not just useless - it's worse than nothing at all.

I have been in contact with RSA Security, the vendors of SiteKey, about this attack. To their credit, they were very professional about the whole thing. They treated the matter seriously (I was surprised to get a response at all), and did not try to bullshit or bully me. So they get points for understanding how to make the vulnerability reporting process a productive one. They told me they have notified their clients about the problem and suggested corrective action. I imagine this action will consist of frame-busting Javascript and a proprietary IE8 header. I can only speculate because as of this posting, neither Vanguard nor HSA Bank have done anything to prevent the attack, even though it has been two months since I reported it. These changes will help, but the headers are opt-in and only work on newer browsers, and the Javascript isn't necessarily immune to circumvention. Besides, recall what I said about my qualifications as a security researcher. If I came up with this in a few hours of spare time, don't try to tell me there aren't similar attacks that could be discovered by a motivated person - say, someone who makes a living managing a phishing operation.

There's another reason I think SiteKey is worse than nothing. It's not just users who get a false sense of security from it - banks are biting on these supposed panaceas instead of facing up to the very difficult problem of performing real security. It's all too easy for companies to set arcane password rules and shell out money for "solutions" like SiteKey, and convince themselves that they've tried hard enough. Wrong. SiteKey is like a Mickey Mouse band aid on the wrong knee. Maybe it gets the three year old to stop crying, but it's not actually doing any good.

Epilogue

I know, I know, I'm such a negative person. Always bringing other people down. Complaining about what exists without offering any suggestions of my own. What would I propose to guard against phishing? Huh, tough guy?

I have to be honest - I don't see a silver bullet. Phishing is a serious threat, and one that preys on our inescapably human failings - inattention, belief that our perceptions are accurate, and willingness to adapt our actions to what we are presented with. I don't see it going anywhere any time soon. However, I think the Firefox address bar is a great start:

If we have to train users to look for something, it should be this. Benefits:

• It's client-side. No man-in-the-middle. No UI redressing. Short of a serious Firefox exploit or SSL vulnerability, there's no faking this part of the address bar.
• It comes (I assume) from the SSL certificate, which is a pretty okay security measure, and one that any respectable site dealing with sensitive information already uses.
• It's friendly and distinctive - it's big and green and it tells you the name of the company.
• It's right next to the address bar, which encourages one to also check the URL. This is the original best security measure, and one that eBay and others have been advocating for years. I should point out that the pretty little Locationbar² plugin is helping here as well by highlighting the domain name so it stands out against the rest of the URL.

Still, this only works if you think to look. The danger of phishing is that you get caught at the end of a long day, or when you're in a hurry, or when fucking PayPal actually has deactivated your account three times in the past and you're so annoyed by the prospect of a fourth that you get careless and don't check.

I've got another suggestion, but this one is a lot further from reality. This is what I think could be, if we would spend less time on fake security and more time on real security.

Imagine, if you will, a world where PGP is commonplace. That's right, I'm evangelizing again. Imagine every email you receive is signed, and you have an extensive trust network. When you open an account at a new bank, the rep hands you a piece of paper with instructions on downloading the bank's public key and a fingerprint to verify it. Because PGP is so common, your email client actually throws up a big red warning saying "Hey! This signature is untrusted!" whenever you get email from someone whose key you haven't imported. Suddenly you have a proactive warning on every phishing email that comes through. Nobody is going to click through a message from their bank that is labeled as "untrusted." You could teach your grandparents that.

Is this a pipe dream? For now, yeah. But it's a good one - it's a world where email phishing is essentially solved.

Until then, keep checking your address bar.

Update (12/03/09): Looks like at some point in the past few months, Vanguard updated their site with some frame-busting Javascript, and now hides the pages if Javascript is disabled (bad news for accessibility, but arguably more secure). However, let me reiterate: the fact that they have stuck their finger in this leak doesn't mean there aren't other holes in the dike.

Another update: I sent this article to Jim Youll, the author of the original paper on SiteKey vulnerabilities. He emailed me back, and in his response was a remark that stuck with me: "they always say that the undisclosed back-end systems are the fail-safe for the front-end attacks. I don't think they're lying." At some point, it hit me: what if SiteKey is nothing more than security theater? Maybe they do know that it's useless. Maybe they don't expect it to stop anything. Maybe whatever fee they're shelling out isn't coming from the security budget, but from the marketing budget. If this is the case, I just hope the marketing spiel isn't working on the people who need to be doing the real security.

Making Chroma-Hash Less Leaky

Prologue

Recently, Jakob Nielsen yelled at everyone that password masking is a usability problem. When that man yells, people listen, and so were planted the seeds for some interesting experiments in providing password hints. The sexiest of these so far is Mattt Thompson's Chroma-Hash.

Some valid security concerns were raised over this widget. Mattt has solved several of these already with his recent improvements. I'd like to examine one of the remaining issues and suggest a solution. You can view my fork on Github for the source code.

The problem

The scenario goes something like this: a user takes and shares a screenshot or screencast of their login screen with password typed in. Someone malicious views this and can garner information about the hashed password from the color bars. From here, I'm going to assume that you understand the basics of how MD5 is a one-way function and why that's important.

In the standard operating mode, Chroma-Hash is pulling number values right from the MD5 hash. We can get the colors with an eyedropper, and look - they match up (in reverse order) to the first part of the hash of the salted password.

$ echo -n "hooray12:7be82b35cb0199120eea35a4507c9acf" | md5sum
4ea16c514a6697bce642ee2250aa92f6 -
If we were using five color bars, we would have disclosed almost the whole hash.

People keep bringing up the fact that MD5 is not considered a secure hash function any more. These concerns are misplaced. MD5 is considered broken because it's too easy to find collisions - things that hash to the same MD5 sum. This is useful indeed if you are wanting to forge a digitally signed certificate or tamper with transferred data. But unless the authentication server is using the exact same salt and hash algorithm as Chroma-Hash, creating a collision with someone's color bar hash is useless - you'll be able to get the same colors, but you won't be able to log in.

The real concern here is this: we've allowed an attacker to move the computational load onto their own hardware. When you control the password oracle, it's easy to limit the rate at which login attempts may be made. This makes a brute force attack or even a dictionary attack infeasible. The attacker can't try passwords fast enough to have a reasonable chance of guessing the right one within years. But when an attacker has a hashed result of your password, they can run a dictionary attack as fast as their hardware allows, and a matching MD5 from a dictionary attack is likely to be the right password, because let's face it, people in general don't choose secure passwords.

An aside: at the leading edge of server-side security, the equivalent threat of a stolen database is dealt with by bcrypt, a hashing scheme that can be tuned to be computationally intensive. So maybe the password check takes a tenth of a second instead of a thousandth - it's no big deal in the course of regular business, but it will significantly slow down an attacker trying to test a lot of passwords against stolen hashes. This strikes me as impractical for our purposes, and not only because we would need to implement bcrypt in Javascript. Tune it too strong, and a user running on slow hardware could suffer a bad performance hit when trying to type in their password. Tune it too weak, and an attacker with a couple dedicated cores could crank through at a fair clip.

My solution

In this case, I say collisions are actually our friends. If we can limit the information available to an attacker, we can leave them with a very large set of possible matches that they can only check by attempting to log in to the server. The point here is to make them verify against the server, rather than doing it at their own pace.

This is where another convenient fact comes into play. In his blog entry, Mattt points out that over-the-shoulder attacks won't be effective against Chroma-Hash.

As a color expressed in Hex, there are 16,777,215 possible colors for each bar. Eye-balling it wouldn’t be enough to get an exact color value—the difference between #952A08 and #952A09 is nearly imperceptible...

Those millions of possible colors come from 24 bits used to represent each color, which in turn is 24 bits of our hash leaked for every color bar. If we don't leak the information in some of those bits, our attacker cannot be as precise about identifying matches. And since humans cannot really differentiate all those colors anyways, we're losing almost nothing by eliminating some of the possibilities.

The best way to do this is to redact the low-order bits, so that we keep the entire color range and lose only the fine distinctions between shades. You can think of this like counting in multiples. Instead of every number being an option, we round to the nearest even number, or multiple of 16, or whatever we like. The more we round, the more information we can withhold from an attacker.

Let's see it in action.

In this version, rgbStepSize is 2. You can see that the color values are very close to the original, but each 2-character hex number is even (0x96 = 150, 0xbc = 188, 0xe6 = 230, and so on). And since we're rounding, the attacker cannot know if the original hash contained "96" or "97", "bc" or "bd", etc.

In this one rgbStepSize is 16. Looking at the color values, you can see that the second character of each pair is 0. We've eliminated half of the bits leaked by Chroma-Hash, and the colors are still remarkably close to the exact values as far as the human eye is concerned. In fact, quick experimentation shows that we can go with a step size of 64 or so without affecting user experience too drastically.

Did it work?

Now, how much does this help us? I'm a little out of my depth here, so I can only provide some back-of-the-napkin estimates. The small version of Openwall's word lists, which consists of various words and word combinations, has about 300,000 entries. For a six-digit password consisting of lowercase letters and numbers, there are about 2 billion total possibilities. A 64 bit hash can have about 18 quintillion different values, so if a dictionary attack finds a match against all bits, it's almost certainly the true password.

Let's say we're showing three color bars with a step size of 64. This means that 6 of each 24 bits per color is leaked. So an attacker is working with 18 bits, a space of about 260,000. Assuming the distribution through this space is even (it should be), each possible combination of these 6 bits will match up with roughly 34 million possibilities in the six-digit password space. This is good, as the attacker cannot test 34 million passwords against the server in a reasonable amount of time. However, working with the small word list, we can expect an almost one-to-one correspondence, which is not good. If we were to drop to two color bars, we could expect 73 matches per colorset. If we were to use a step size of 128 instead of 64, we could bring it up to 585 matches per colorset. If we did both of these, 4,688 (but at some point, usability drops off).

Regaining perspective

By dead reckoning, I would guess that most passwords used in a reasonably computer-literate community are stronger than the small dictionary list, containing non-words, numbers and hopefully capital letters or even symbols. But humans do like phonetic constructions and show a strong aversion to random combinations of letters and symbols. And a not-inconsequential number of people are still using dangerously weak passwords, unaware of the dangers of computer security.

So, is it worth it? Assess the risks. A user must leak their password information through a screenshot or similarly exact reproduction. This must either be initiated by the user or social-engineered out of them - someone with direct access to the user's computer could just install a keylogger instead. Additionally, that user must have a weak password. An attacker must take the time to launch a dictionary attack against the gathered information, then test all resulting possibilities against the server until one works. Unlikely, but not implausible. Put this in context with the more mundane but oh-so-effective threats like phishing, email password reset, compromise from another site, and general password carelessness. And finally weigh your perceived threat against the usability benefits Chroma-Hash offers.

Is it worth it? That's up to you.