The Center for Education and Research in Information Assurance and Security (CERIAS)
The Center for Education and Research inInformation Assurance and Security (CERIAS)
Over the last month or so, many people who read my first post on Senator Obama’s “security summit” at Purdue have asked me about followup, I’ve been asked “Did you ever hear back from the Senator?”, “Has the McCain campaign contacted you?”, and “What do you think about the candidates?” I’ve also been asked by a couple of my colleagues (really!) “Why would they bother to contact you?”
So, let me respond to these, with the last one first.
Why would someone talk with you about policy?
So, I haven’t been elected or served in a cabinet-level position in DC. I haven’t won a Nobel prize (there isn’t one in IT), I’m not in the National Academies (and unlikely to be—few non-crypto security people are), and I don’t have a faculty appointment in a policy program (Purdue doesn’t have one). I also don’t write a lot of policy papers—or any other papers, anymore: I have a persistent RSI problem that has limited my written output for years. However, those aren’t the only indicators that someone has something of value to say.
As I’ve noted in an earlier post, I’ve had some involvement in cyber security policy issues at the Federal level. There’s more than my involvement with the origins of the SfS and Cyber Trust, certainly. I’ve been in an advising role (technology and policy) for nearly 20 years with a wide range of agencies, including the FBI, Air Force, GAO, NSA, NSF, DOE, OSTP, ODNI and more. I’ve served on the PITAC. I’ve testified before Congressional committees a half-dozen times, and met with staff (officially and unofficially) of the Senate and House many times more than that. Most people seem to think I have some good insight into Federal policy in cyber, but additionally, in more general issues of science and technology, and in defense and intelligence.
From another angle, I’ve also been deeply involved in policy. I served on the CRA Board of Directors for 9 years, and have been involved with its government affairs committee for a decade. I’ve been chair or co-chair of the ACM’s US Public Policy committee for a dozen years. From these vantage points I have gained additional insights into technology policy and challenges in a broad array of issues related to cyber, education, and technology.
And I continue to read a lot about these topics and more, including material in a number of the other sciences. And I’ve been involved in the practice and study of cyber security for over 30 years.
I can, without stretching things, say that I probably know more about policy in these areas than about 99.995% of the US population, with some people claiming that I’m in the top 10 or so with respect to broad issues of cyber security policy. That may be why I keep being asked to serve in advisory positions. A lot of people tend to ask me things, and seem to value the advice.
One would hope that at least some of the candidates would be interested in such advice, even if not all of my colleagues (or my family 
are interested in what I have to say.
Have any of the other candidates contacted you?
Simply put—no. I have gotten a lot of mailings from the Republican (and Democratic) campaigns asking me to donate money, but that’s it.
I’m registered as an independent, so that may or may not have played a role. For instance, I can’t volunteer to serve as a poll worker in Indiana because I’m not registered in one of the two main parties! I don’t show up in most of the databases (and that may be a blessing of sorts).
To digress a moment…. I don’t believe either party has a lock on the best ideas—or the worst. I’m not one of those people who votes a straight-ticket no matter what happens. I have friends who would vote for anyone so long as the candidate got the endorsement of “their” party. It reminds me of the drunken football fans with their shirts off in -20F weather cheering insanely for “their” team and willing to fight with a stranger who is wearing the wrong color. Sad. Having read the Constitution and taken the oath to defend it, I don’t recall any mention of political parties or red vs. blue….
That said, I would be happy to talk with any serious candidate (or elected official) about the issues around cyber, security, education, and the IT industry. They are important, and impact the future of our country…and of much of the world.
So, has anyone with the Obama campaign contacted you since his appearance at Purdue?
Well, the answer to this is “yes and no.”
I was told, twice, by a campaign worker that “Someone will call you—we definitely want more advice.” I never got that phone call. No message or explanation why. Nothing.
A few weeks after the second call I did get a strange email message. It was from someone associated with the campaign, welcoming me to some mailing list (that I had not asked to join) and including several Microsoft Word format documents. As my correspondents know, I view sending email with Word documents to be a bad thing. I also view being added to mailing lists without my permission to be a hostile act. I responded to the maintainer of the list and his reply was (paraphrased) “I don’t know why you were added. Someone must have had a reason. I’ll check and get back to you.” Well, I have received no more email from the list, and I never got any followup from that person.
So, in summary, I never got any follow-up from the campaign. I don’t think it is an issue with the Senator (who wouldn’t have been the one to contact me anyhow) but a decision by his staff.
So, depending your level of cynicism, the mentions of my name, of CERIAS, and of follow-up was either (a) a blown opportunity caused by an oversight, or (b) a cynical political ploy to curry local favor.
(My daughter suggested that they are waiting until after the election to appoint me to a lofty position in government. Uh, yeah. That probably explains why I haven’t gotten that MacArthur “genius grant” yet and why Adriana Lima hasn’t called asking me to run away with her—the timing just isn’t right yet.
What are your opinions on the Presidential candidates?
I’m not allowed to be partisan in official Purdue outlets. So, in some further posts here over the next week or two I will provide some analysis of both major candidates (NB. Yes, I know there are over 300 candidates for President on the ballots across the country. However, I don’t think there is much chance of Baldwin, Barr, McKinney, Nader, Paul or the rest getting into office. So, I’ll limit my comments to the two main candidates.
If you really want to know who I’m probably voting for, you can see my Facebook page or send me email.
[Update 10/16: After this was published I sent a link to this entry to several people associated with the Obama campaign. Only one responded, and it was clear from his email that there had been a mixup in getting back to me—but no interest in rectifying it.]
In my secure programming class I have denounced the overloading of return values as a bad practice, and recently I discovered a new, concrete example of a bug (possibly a vulnerability) that results from this widespread practice. A search in the NVD and some googling didn’t reveal any mention of similar issues anywhere, but I probably just have missed them (I have trouble imagining that nobody else pointed that out before). In any case it may be worth repeating with this example.
The practice is to return a negative value to indicate an error, whereas a positive value has meaning, e.g., a length. Imagine a function looking like this:
int bad_idea(char *buf, unsigned int size) {
int length;
if (<some_error_condition>) {
length = -ERROR_CODE;
} else {
length = size; // substitute any operations that could overflow the signed int
}
return length;
}
This function could return random error values. Under the right conditions this could result in at least a DoS (imagine that this is a security-related function, e.g., for authentication). I suggest using separate channels to return error codes and meaningful values. Doing this lowers complexity in the assignment and meaning of that return value by removing the multiplexing. As a result:
There is an increased complexity in the function prototype, but the decreased ambiguity inside the function is beneficial. When the rest of the code uses unsigned integers, the likelihood of a signed/unsigned integer conversion mistake or an overflow is high. In the above example, the function is also defective because it is unable to process correctly some allowed inputs (because the input is unsigned and the output needs to be able to return the same range), so in reality there is no choice but to decouple the error codes from the semantic results (length). This discrepancy is easier to catch when the ambiguity of the code is decreased.
It does away with the bad practice of keeping the same variable for two uses: assigning error codes and negative values to a “length” is jarring;
It disambiguates the purpose and meaning of checking the “returned” values (I’m including the ones passed by reference, loosely using the word “returned”). Is it to check for an error or is it a semantic check that’s part of the business logic?
Integer overflows are a well-known problem; however in this case they are more a symptom of conflicting requirements. The incompatible constraints of having to return a negative integer for errors and an unsigned integer otherwise are really to blame; the type mismatch (“overflow”) is inevitable given those. My point is that the likelihood of developers getting confused and having bugs in their code, for example not realizing that they have incompatible constraints, is higher when the return value has a dual purpose.
Edit (10/13): It just occurred to me that vsnprintf and snprintf are in trouble, in both BSD and Linux. They return an int, but take an unsigned integer (size_t) as a size input, AND are supposed to return either the number of printed characters or a negative number if there’s an error. Even if the size can be represented as a signed integer, they return the number of characters that *would* have been printed if the size was infinite, so specifying a small size isn’t a fix. So it *might* be possible to make these functions seemingly return errors when none happened.
Note(10/14): I’ve been checking the actual code for snprintf. In FreeBSD, it checks both the passed size and the return value against INT_MAX and appears safe.
I discovered that our XML feed from Secunia had been disabled, coinciding with a re-organization their web site. So, the information contained in Cassandra from Secunia is now out of date. Hopefully it can be re-established soon, but I didn’t get an answer from Secunia over the weekend.
We’ve recently added features using IPMI to our ReAssure testbed, for example to support reimaging of our Sun experimental PCs and rebooting into a Live CD, so that researchers can run any OS they want on our testbed. IPMI stands for the “Intelligent Platform Management Interface”, so we have a dedicated, isolated network on which commands are sent to cards in the experimental PCs. An OS running in these cards can provide status responses and can perform power management actions, for example a power cycle that will reboot the computer. This is supposed to be useful if the OS running in the computer locks up, for example. So, we were hoping that we’d need fewer trips to the facility where the experimental PCs are hosted, have greater reliability and that we’d have more convenient management capabilities.
However, what we got was more headaches. Some IPMI cards failed entirely; as we had daisy-chained them, the IPMI cards of the other PCs became inaccessible. Others simply locked up, requiring a trip to the facility even though the OS on the computer was fine… One of them sometimes responds to status commands and sometimes not at all, seemingly at random. The result is that using the IPMI cards actually made ReAssure less reliable and require more maintenance, because the reliability-enhancing component was so unreliable! The irony. I don’t know if we’ve just been unlucky, but now I’m keeping an eye out for a way to make that more reliable or an alternative, hoping that it doesn’t introduce even more problems. That is rather unlikely, as I’ve discovered that even though the LAN interface is standard, the physical side of those cards isn’t; AFAIK you can’t take a generic IPMI card and install it, it needs to be a proprietary solution by the hardware vendor (e.g., you need a Tyan card for a Tyan motherboard, a Sun IPMI card for a Sun computer, etc…). So if the IPMI solution provided by your hardware vendor has flaws, you’re stuck with it; it’s not like a NIC card that you can replace from any vendor. I don’t know of any way to replace the software on the IPMI cards either, in a manner similar to how you can replace the bad firmware of consumer routers with better open source software. I suppose that the lessons from this story are that:
This is from our colleagues at NCSU, and is time-critical. Please take 5 minutes to fill out this (simple) survey. It will help an NSF-funded privacy project.. And “Thank you” from CERIAS, too!
ThePrivacyPlace.Org Privacy Survey is Underway!
Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and was first offered in 2002. We are offering the survey again in 2008 to reveal how user values have changed over the intervening years. The survey results will help organizations ensure their website privacy practices are aligned with current consumer values.
The URL is: http://theprivacyplace.org/currentsurvey
We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available via our project website (http://www.theprivacyplace.org/).
Prizes include
$100 Amazon.com gift certificates sponsored by Intel Co.
and
IBM gifts
On behalf of the research staff at ThePrivacyPlace.Org, thank you!
