[tags]cybersecurity research[/tags]
As I write this, I’m sitting in a review of some university research in cybersecurity.  I’m hearing about some wonderful work (and no, I’m not going to identify it further).  I also recently received a solicitation for an upcoming workshop to develop “game changing” cyber security research ideas.  What strikes me about these efforts—representative of efforts by hundreds of people over decades, and the expenditure of perhaps hundreds of millions of dollars—is that the vast majority of these efforts have been applied to problems we already know how to solve.

Let me recast this as an analogy in medicine.  We have a crisis of cancer in the population.  As a result, we are investing huge amounts of personnel effort and money into how to remove diseased portions of lungs, and administer radiation therapy.  We are developing terribly expensive cocktails of drugs to treat the cancer…drugs that sometimes work, but make everyone who takes them really ill.  We are also investing in all sorts of research to develop new filters for cigarettes.  And some funding agencies are sponsoring workshops to generate new ideas on how to develop radical new therapies such as lung transplants.  Meanwhile, nothing is being spent to reduce tobacco use; if anything, the government is one of the largest purchasers of tobacco products!  Insane, isn’t it?  Yes, some of the work is great science, and it might lead to some serendipitous discoveries to treat liver cancer or maybe even heart disease, but it still isn’t solving the underlying problems.  It is palliative, with an intent to be curative—but we aren’t appropriately engaging prevention!

Oh, and second-hand smoke endangers many of us, too.

We know how to prevent many of our security problems—least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it.

Instead of building trustworthy systems (note—I’m not referring to making existing systems trustworthy, which I don’t think can succeed) we are spending our effort on intrusion detection to discover when our systems have been compromised.

We spend huge amounts on detecting botnets and worms, and deploying firewalls to stop them, rather than constructing network-based systems with architectures that don’t support such malware.

Instead of switching to languages with intrinsic features that promote safe programming and execution, we spend our efforts on tools to look for buffer overflows and type mismatches in existing code, and merrily continue to produce more questionable quality software.

And we develop almost mindless loyalty to artifacts (operating systems, browsers, languages, tools) without really understanding where they are best used—and not used.  Then we pound on our selections as the “one, true solution” and justify them based on cost or training or “open vs. closed” arguments that really don’t speak to fitness for purpose.  As a result, we develop fragile monocultures that have a particular set of vulnerabilities, and then we need to spend a huge amount to protect them.  If you are thinking about how to secure Linux or Windows or Apache or C++ (et al), then you aren’t thinking in terms of fundamental solutions.

I’m not trying to claim there aren’t worthwhile topics for open research—there are.  I’m simply disheartened that we are not using so much of what we already know how to do, and continue to strive for patches and add-ons to make up for it.

In many parts of India, cows are sacred and cannot be harmed.  They wander everywhere in villages, with their waste products fouling the streets and creating a public health problem.  However, the only solution that local people are able to visualize is to hire more people to shovel effluent.  Meanwhile, the cows multiply, the people feed them, and the problem gets worse.  People from outside are able to visualize solutions, but the locals don’t want to employ them.

Metaphorically speaking, we need to put down our shovels and get rid of our sacred cows—maybe even get some recipes for meatloaf.

Let’s start using what we know instead of continuing to patch the broken, unsecure, and dangerous infrastructure that we currently have.  Will it be easy?  No, but neither is quitting smoking!  But the results are ultimately going to provide us some real benefit, if we can exert the requisite willpower.

[Don’t forget to check out my tumble log!]

[tags]copyright,DMCA,RIAA,MPAA,sharing,downloading,fair use[/tags]

Over the past decade or so, the entertainment industry has supported a continuing series of efforts to increase the enforcement of copyright laws, a lengthening of copyright terms, and very significant enforcement efforts against individuals.  Included in this mess was the DMCA—the Digital Millenium Copyright Act—which has a number of very technology unfriendly aspects.

One result of this copyright madness is lawsuits against individuals found to have file-sharing software on their systems, along with copies of music files.  Often the owners of these systems don’t even realize that their software is publishing the music files on their systems. It also seems the case that many people don’t understand copyright and do not realize that downloading (or uploading) music files is against the law.  Unfortunately, the entertainment industry has chosen to seek draconian remedies from individuals who may not be involved in more than incidental (or accidental) sharing of files.  One recent example is a case where penalties have been declared that may bankrupt someone who didn’t set out to hurt the music industry.  I agree with comments by Rep. Rick Boucher that the damages are excessive, even though (in general) the behavior of file sharers is wrong and illegal.

Another recent development is a provision in the recently introduced “College Access and Opportunity Act of 2007” (HR 3746; use Thomas to find the text). Sec 484 (f) contains language that requires schools to put technology into place to prevent copyright violations, and inform the Secretary of Education about what those plans and technologies are.  This is ridiculous, as it singles out universities instead of ISPs in general, and forces them to expend resources for misbehavior by students it is otherwise attempting to control.  It is unlikely to make any real dent in the problem because it doesn’t address the underlying problems.  Even more to the point, no existing technology can reliably detect only those files being shared that have copyright that prohibits such sharing.  Encryption, inflation/compression, translation into other formats, and transfer in discontinuous pieces can all be employed to fool monitoring software.  Instead, it is simply another cost and burden on higher ed.

We need to re-examine copyright.  Another aspect in particular we need to examine is “fair use.”  The RIAA, MPAA and similar associations are trying to lock up content so that any use at all requires paying them additional funds.  This is clearly silly, but their arguments to date have been persuasive to legislators.  However, the traditional concept of “fair use” is important to keep intact—especially for those of us in academia.  A recent report outlines that fair use is actually quite important—that approximately 1/6 of the US economy is related to companies and organizations that involve “fair use.”  It is well worth noting.  Further restrictions on copyright use—and particularly fair use—are clearly not in society’s best interest.

Copyright has served—and continues to serve—valid purposes.  However, with digital media and communications it is necessary to rethink the underlying business models.  When everyone becomes a criminal, what purpose does the law serve?

Also, check out my new “tumble log.”  I update it with short items and links more often than I produce long posts here.

[posted with ecto]

[tags]interview,certification[/tags]I was recently interviewed by Gary McGraw for his Silver Bullet interview series.  He elicited my comments on a number of topics, including security testing, ethical hacking, and why security is difficult.If you like any of my blog postings, you might find the interview of some interest.  But if not, you might some of the other interviews of interest – mine was #18 in the series.

[tags]reformed hackers[/tags]
A news story that hit the wires last week was that someone with a history of breaking into systems, who had “reformed” and acted as a security consultant, was arrested for new criminal behavior.  The press and blogosphere seemed to treat this as surprising.  They shouldn’t have.

I have been speaking and writing for nearly two decades on this general issue, as have others (William Hugh Murray, a pioneer and thought leader in security,  is one who comes to mind).  Firms that hire “reformed” hackers to audit or guard their systems are not acting prudently any more than if they hired a “reformed” pedophile to babysit their kids.  First of all, the ability to hack into a system involves a skill set that is not identical to that required to design a secure system or to perform an audit.  Considering how weak many systems are, and how many attack tools are available, “hackers” have not necessarily been particularly skilled.  (The same is true of “experts” who discover attacks and weaknesses in existing systems and then publish exploits, by the way—that behavior does not establish the bona fides for real expertise.  If anything, it establishes a disregard for the community it endangers.)

More importantly, people who demonstrate a questionable level of trustworthiness and judgement at any point by committing criminal acts present a risk later on.  Certainly it is possible that they will learn the error of their ways and reform.  However, it is also the case that they may slip later and revert to their old ways.  Putting some of them in situations of trust with access to items of value is almost certainly too much temptation.  This has been established time and again in studies of criminals of all types, especially those who commit fraud.  So, why would a prudent manager take a risk when better alternatives are available?

Even worse, circulating stories of criminals who end up as highly-paid consultants are counterproductive, even if they are rarely true.  That is the kind of story that may tempt some without strong ethics to commit crimes as a shortcut to fame and riches.  Additionally, it is insulting to the individuals who work hard, study intently, and maintain a high standard of conduct in their careers—hiring criminals basically states that the honest, hardworking real experts are fools.  Is that the message we really want to put forward?

Luckily, most responsible managers now understand, even if the press and general public don’t, that criminals are simply that—criminals.  They may have served their sentences, which now makes them former criminals…but not innocent.  Pursuing criminal activity is not—and should not be—a job qualification or career path in civilized society.  There are many, many historical examples we can turn to for examples, including those of hiring pirates as privateers and train robbers as train guards.  Some took the opportunity to go straight, but the instances of those who abused trust and made off with what they were protecting illustrate that it is a big risk to take.  It also is something we have learned to avoid.  We are long past the point where those of us in computing should get with the program.

So, what of the argument that there aren’t enough real experts, or they cost too much to hire?  Well, what is their real value? If society wants highly-trained and trustworthy people to work in security, then society needs to devote more resources to support the development of curriculum and professional standards.  And it needs to provide reasonable salaries to those people, both to encourage and reward their behavior and expertise.  We’re seeing more of that now than a dozen years ago, but it is still the case that too many managers (and government officials) want security on the cheap, and then act surprised when they get hacked.  I suppose they also buy their Rolex and Breitling watches for $50 from some guy in a parking lot and then act surprised and violated when the watch stops a week later.  What were they really expecting?

[tags]hacking, national security, China, cyber espionage[/tags]
Over the last week or two there have been several news items based on statements and leaks regarding on-going cyber espionage.  For instance, two articles, one in the British Financial Times and another on CNN allege that Chinese agents had successfully broken into systems at the Pentagon resulting in a shutdown of unclassified mail systems.  The London Times had an article on the Chinese Army making preparations for “Cyber War” and in New Zealand an official indicated that government systems had been hacked by foreign agents, implying Chinese involvement.  An article in today’s Christian Science Monitor noted that China has been attacking German and British government sites and industry, and another article in the Asia-Pacific news mentions France and Australia as targets.

Of course, these kinds of stories aren’t new.  There was a story in the Washington Post back in 2005 about alleged Chinese hacking, and another set of stories this past March including one in USA Today,  There seems to be a thread going back to at least 2003, as reported in Time magazine.

Not to be outdone, and perhaps in a classic “Spy vs. Spy” countercharge, a Chinese official complained that their systems had been hacked into and damaged by foreign agents.  That could very well be true, but the timing is such that we should be rather skeptical of these claims.

So, what is really going on?  Well, it probably is the case that few people know the whole, real story—and it is undoubtedly classified within each country where any part of the story is known.  However, there are a few things we know for certain:

1. Most government agencies and companies around the world use common products—the same products that are so frequently penetrated by criminal hackers and malware.  We have years of evidence that these systems are easy to hack and hard to defend. Furthermore, those systems are often not kept up-to-date with patches because they are mission-critical and patches can break existing applications.
2. The Chinese have publicly stated that they are pursuing activities in the cyber espionage and warfare arena.  Given the world situation, the US, Brits, Germany, and several other countries are likely targets—not only for political and military espionage, but for economic and technical espionage.  (The Chinese could certainly benefit by stealing plans on how to make lead-free toy coloring and toxin-free toothpaste, for instance.
3. The Chinese are almost certainly not the only country with resources, talent and motives to commit cyber espionage.
4. It’s possible (sometimes) to trace connections back to particular networks and machines, but it is difficult to know if those are the “final” machines in a chain.  It is even more difficult to determine who is running those machines and whether those individuals are motivated by government orders, criminal intent, or simply a hobbyist’s interest.  All three groups are likely to be interested in access to the kinds of information that appear to be involved in these incidents; in some cases, there may be ties between organized crime and governmental entities, so activities of one benefit the other.

Given those 4 observations, we can be reasonably sure that not all the events being discovered are actually government sanctioned; that not all the actors are being accurately identified; and probably only a fraction of the incidents are actually being discovered.  The situation is almost certainly worse in some ways than implied by the newspaper accounts.

Some of us have been warning about lax cyber security, especially coupled with poorly designed COTS products, for years.  What is surprising is that authorities and the press are viewing these incidents as surprising!

It remains to be seen why so many stories are popping up now.  It’s possible that there has been a recent surge in activity, or perhaps some recent change has made it more visible to various parties involved.  However, that kind of behavior is normally kept under wraps.  That several stories are leaking out, with similar elements, suggests that there may be some kind of political positioning also going on—the stories are being released to create leverage in some other situation.

Cynically, we can conclude that once some deal is concluded everyone will go back to quietly spying on each other and the stories will disappear for a while, only to surface again at some later time when it serves anoher political purpose.  And once again, people will act surprised.  If government and industry were really concerned, we’d see a huge surge in spending on defenses and research, and a big push to educate a cadre of cyber defenders.  But it appears that the President is going to veto whatever budget bills Congress sends to him, so no help there.  And the stories of high-tech espionage have already faded behind media frenzy over accounts about Britney being fat, at least in the US.

So, who is getting violated?  In a sense, all of us, and our own governments are doing some of the “hacking” involved.  And sadly,  that isn’t really newsworthy any more.

Updated 9/14
And here is something interesting from the airforce that echoes many of the above points.

[posted with ecto]