<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<pubDate>Tue, 09 Sep 2008 01:29:58 GMT</pubDate>
		<ttl>3600</ttl>
		<title>SMBlog -- Steve Bellovin's Blog</title>
		<link>http://www.cs.columbia.edu/~smb/blog/</link>
		<description>Pseudo-Random Thoughts on Computers, Society, and Security</description>
		<image>
			<width>88</width>
			<height>48</height>
			<title>SMBlog -- Steve Bellovin's Blog</title>
			<url>http://www.cs.columbia.edu/~smb/blog//pictures/s_dscn1633.jpg</url>
			<link>http://www.cs.columbia.edu/~smb/blog/</link>
		</image>
		<atom:link href="http://www.cs.columbia.edu/~smb/blog/control/blog.xml" rel="self" type="application/rss+xml" />
<item>
<pubDate>
Tue, 09 Sep 2008 01:29:23 GMT
</pubDate>
<title>Political Agendas for Network Design?</title>
<description>
Network design should have as a primary goal the efficient operation
of a network.  Naturally, security is an important design consideration;
the question, though, is what security really means.  There are lots
of possible definitions; to me, though, none of them include political
censorship.  Regrettably, the
&lt;a href="http://www.itu.int"&gt;ITU&lt;/a&gt; seems to be considering just
such a requirement for some new network facilities.
&lt;P&gt;
The facility in question is a "traceback" facility -- where did
some network message come from?  This is not a bad idea; I've even
&lt;a href="http://www.cs.columbia.edu/~smb/papers/draft-ietf-itrace-04.txt"&gt;worked
on it myself&lt;/a&gt;, though I've since concluded that that particular
approach isn't useful.  (Why?  I don't want to spend a lot of time
and space discussing it here; briefly, there are three reasons.  First,
very few attacks these days use spoofed source addresses; the real IP address
already tells you where the attack is coming from.  Second, in case of
a DDoS attack, there are too many sources; you can't do anything with
the information.  Third, the machine attacking you is almost certainly
someone else's hacked machine and tracking them down (and getting them
to clean it up) is itself time-consuming.)  But what constitutes
an "attack"?  Put another way, what kinds of behavior justify
letting the authorities track someone down?
&lt;P&gt;
In what I'm told is a document being used by an ITU study group, the
following rationale appears for a traceback facility requirement:
&lt;blockquote&gt;
	A political opponent to a government publishes articles putting
	the government in an unfavorable light. The government, having a
	law against any opposition, tries to identify the source of the
	negative articles but the articles having been published via a
	proxy server, is unable to do so protecting the anonymity of the
	author.
&lt;/blockquote&gt;
To me, countering
this is exactly what network designs should not be aimed at.
&lt;P&gt;
Now -- we all know that there are countries that believe in
such censorship.  Fortunately, there are many others that do not.
In fact, in the US the right to anonymity in
political speech is
&lt;a href="http://supct.law.cornell.edu/supct/html/93-986.ZO.html"&gt;constitutionally
protected&lt;/a&gt;.  Why should a network design intentionally subvert that?
&lt;P&gt;
The ITU -- a UN agency -- should not subvert
UN principles.  Article 19 of the
&lt;a href="http://www.unhchr.ch/udhr/lang/eng.htm"&gt;Universal
Declaration of Human Rights&lt;/a&gt; -- a UN document -- states
&lt;blockquote&gt;
	Everyone has the right to freedom of opinion and expression; this
	right includes freedom to hold opinions without interference and
	to seek, receive and impart information and ideas through any
	media and regardless of frontiers.
&lt;/blockquote&gt;
Institutionalizing a means for governments to quash their opposition is in
direct contravention of this passage.
&lt;P&gt;
To prevent this sort of abuse, a network-based traceback facility should 
yield no more information than is already
necessary for the network to function.
In the Internet, that means source IP addresses, which are present in
every legitimate
packet.  (The traceback facility I worked on had that property.)
I'll take it a step further: any design process
for a new network should at least consider eliminating even that, since
source addresses convey geographical information to the packets' recipients.
&lt;P&gt;
(Disclaimer: since I'm not a participant in any ITU study groups, I don't
know whether this provision is the group's consensus or simply
a proposal from some members.)
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2008-09/2008-09-04.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2008-09/2008-09-04.html</guid>
</item>
<item>
<pubDate>
Thu, 04 Sep 2008 02:28:34 GMT
</pubDate>
<title>This Blog and Creative Commons</title>
<description>
Under U.S. copyright law, this blog has always been copyrighted.
That said, I never mind people using my material, as long as I'm
credited.  I decided to formalize it -- and 
simplify (more accurately, eliminate) most permission questions --
by adding an explicit
&lt;a href="http://creativecommons.org/"&gt;Creative Commons&lt;/a&gt;
license to this blog.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2008-09/2008-09-03.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2008-09/2008-09-03.html</guid>
</item>
<item>
<pubDate>
Wed, 20 Aug 2008 11:17:45 GMT
</pubDate>
<title>The MBTA versus (Student) Security Researchers</title>
<description>
As I'm sure many of you have heard, the MBTA (Massachusetts Bay
Transportation Authority) has a very insecure fare payment system.
Some students at MIT, working under the supervision of
&lt;a href="http://people.csail.mit.edu/rivest/"&gt;Ron Rivest&lt;/a&gt; -- yes,
that Ron Rivest, the "R" in RSA -- found many flaws and planned
&lt;a href="https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Anderson"&gt;a
presentation at DEFCON&lt;/a&gt;
on it.  The MBTA sought and received an injunction barring the
presentation, but not only were the slides already distributed,
the
MBTA's court filing included a confidential report prepared by the students
&lt;a href="http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html"&gt;with
&lt;i&gt;more&lt;/i&gt; details than were in the talk&lt;/a&gt;...
&lt;P&gt;
The
&lt;a href="http://www.eff.org"&gt;Electronic Frontier Foundation&lt;/a&gt;
is appealing the judge's order, and rightly so.  Not only is this
sort of prior restraint blatantly unconstitutional, it's bad
public policy: we &lt;i&gt;need&lt;/i&gt; this sort of security research to help
us build better systems.  I and a number of other computer scientists
have
&lt;a href="http://www.eff.org/files/filenode/MBTA_v_Anderson/letter081208.pdf"&gt;signed&lt;/a&gt;
a letter supporting the appeal.  You can find the complete EFF
web page on the case
&lt;a href="http://www.eff.org/cases/mbta-v-anderson"&gt;here&lt;/a&gt;.
&lt;br&gt;
&lt;hr&gt;
Update: a judge has
&lt;a href="http://www.eff.org/press/archives/2008/08/19"&gt;lifted the gag order&lt;/a&gt;
against the students.  Note, though, that the MBTA's lawsuit continues.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2008-08/2008-08-12.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2008-08/2008-08-12.html</guid>
</item>
<item>
<pubDate>
Sat, 02 Aug 2008 19:14:55 GMT
</pubDate>
<title>Update on Laptop Border Searches</title>
<description>
The government has now published its policy on laptop searches
&lt;a href="http://www.cbp.gov/linkhandler/cgov/travel/admissability/search_authority.ctt/search_authority.pdf"&gt;here&lt;/a&gt;.
It raises more questions than it answers.  For one thing, they don't
just claim the right to search -- and seize -- your laptop
when you enter the country; they can search it when you leave the
country, too.  They also claim the right to do this at the
"functional equivalent of the border, or extended border".
&lt;a href="http://www.listbox.com/member/archive/247/2008/08/sort/time_rev/page/1/entry/1:17/20080801200532:C162F378-6026-11DD-AF87-1B1E199CFB26/"&gt;Declan
McCullagh&lt;/a&gt; explained these and related issues.  He also points out
that CBP is enforcing trademark and copyright laws, which (at least
in theory) gives them the right to look for illegally-copied songs on
your iPod.
&lt;P&gt;
Peter Swire, a respected law professor and former Clinton
administration official, has
&lt;a href="http://www.americanprogress.org/issues/2008/06/laptop_testimony.html"&gt;written&lt;/a&gt;
on the subject as well.  In his
&lt;a href="http://www.americanprogress.org/issues/2008/06/pdf/swire_laptop_testimony.pdf"&gt;Congressional
testimony&lt;/a&gt;,
he, too, points out the similarity of laptop searches to cryptographic
key escrow.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2008-08/2008-08-10.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2008-08/2008-08-10.html</guid>
</item>
<item>
<pubDate>
Wed, 30 Jul 2008 05:38:00 GMT
</pubDate>
<title>Control as a Motive for Content Owners</title>
<description>
The traditional argument against file-sharing, as often expressed by
the RIAA and the MPAA, is simple: people are obtaining (copyrighted)
content without paying for it; this deprives the creators of the revenues
to which they're entitled, both by law and a respect for property.  Put
that way, it seems simple and obviously right; the arguments against them
tend to be about availability, price, and the like, or perhaps a rant
against pre-Internet business models.  All that said,
sometimes there's more going on.
&lt;P&gt;
A recent
&lt;a href="http://www.latimes.com/business/la-fi-darkknight28-2008jul28,0,725543.story"&gt;news
story&lt;/a&gt;
tells a different tale.  Warner Brothers fought mightily to keep
&lt;em&gt;The Dark Knight&lt;/em&gt; from appearing on file-sharing networks
&lt;em&gt;before the official release date&lt;/em&gt;.  What mattered was not so
much the appearance of the film, but the timing.  Why?  
&lt;P&gt;
Timing, it turns out, is crucial to studio profits.  For good movies,
an official release ensures maximum curiosity and hence
attendance; for a bad movie, the official opening without
precursors ensures that people will not
have heard the negative buzz before buying tickets.
&lt;P&gt;
This is not new, of course.  Studios have long manipulated release
dates, viewings by critics (&lt;em&gt;never&lt;/em&gt; see a movie where there were
no pre-release showings for the media), foreign release dates, etc.
That last week I could go to Belgium for the
&lt;a href="http://petsymposium.org/"&gt;PET Symposium&lt;/a&gt;
and see ad posters for &lt;em&gt;Le Chevalier Noir&lt;/em&gt; is no mark of
new-found egalitarianism by Warner Brothers; rather, it reflects
careful calculation that this was the way to maximize profits.
But the buzz is crucial:
&lt;blockquote&gt;
	Studios fear a reprise of the "Hulk" piracy debacle. A rough,
	early version of Ang Lee's 2003 summer movie made its way to the
	Internet two weeks before the film's scheduled premiere, provoking
	negative reactions from the comic-book film's devoted fans, whose
	opinion carries far more weight in determining the success of this
	film genre than that of mainstream film critics.
&lt;P&gt;
	"A lot of people decided not to go near it. Hollywood argued,
	correctly, that many more people would have gone to see it, had
	online buzz not been so critical of the movie," said Eric Garland,
	chief executive of BigChampagne Online Media Measurement, which
	monitors file-sharing networks and is a consultant to the
	entertainment industry.
&lt;/blockquote&gt;
&lt;P&gt;
The argument about file-sharing in this case is no longer about the lost
revenue from those who would otherwise have paid to see the movie.
Rather, it's about controlling dissent: they don't want people who
didn't like the movie to say so publicly, before lots of people pay for
the privilege of seeing a bad movie.  
&lt;P&gt;
The file-sharing debate is much more nuanced in this
situation.  While property owners have the right to use their
property in the way that's most profitable for them, it's no longer a
question of consumption without compensation.  Rather, it's a question of
controlling information flow, and that's a different kettle of fish
entirely.  One gets the feeling that if it were legal and practical,
the studios would limit unfavorable online discussion of their movies
-- remember the
&lt;a href="http://findarticles.com/p/articles/mi_qn4182/is_19980116/ai_n10116059"&gt;"veggie libel laws&lt;/a&gt;
sponsored by the food industry or
&lt;a href="http://en.wikipedia.org/wiki/SLAPP"&gt;SLAPP&lt;/a&gt;?
Fortunately, the American tradition
and legal system are hostile to such things.
&lt;P&gt;
The lesson here is that one should look beneath the covers of all
arguments about the harm done by file-sharing.  The traditional claim has
been that each downloaded file represents a lost retail sale.  That claim
is false in both directions.  Some people would never have purchased the
product (and hence represent no loss of revenue); in other situations,
single copies in the "wrong" hands will represent a greater loss of
revenue, but only because of information flow.  In this situation,
downloads in the absence of blogs and the like would have very little
effect.  The real issue, then, is this: should the studios have a monopoly
on market perceptions?  Worse yet, should the government, by means of
copyright law, help enforce this monopoly?  In
&lt;a href="http://www.mit.edu/activities/safe/legal/cda-decision.html"&gt;ACLU
v. Reno (96-963)&lt;/a&gt;, Judge Dalzell wrote
&lt;blockquote&gt;
	It is no exaggeration to conclude that the Internet has
	achieved, and continues to achieve, the most participatory
	marketplace of mass speech that this country -- and indeed the
	world -- has yet seen.
&lt;/blockquote&gt;
Copyright law is no excuse for reversing that.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2008-07/2008-07-29.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2008-07/2008-07-29.html</guid>
</item>
<item>
<pubDate>
Thu, 24 Jul 2008 15:05:22 GMT
</pubDate>
<title>Cybersecurity Advice for (Possible) President Obama</title>
<description>
In a recent campaign appearance,
&lt;a href="http://www.barackobama.com/"&gt;Barack Obama&lt;/a&gt; made a number
of
&lt;a href="http://www.technewsworld.com/edpick/63842.html"&gt;proposals
regarding "cyberterrorism"&lt;/a&gt;.  (Eugene Spafford was at the speech
and &lt;a href="http://www.cerias.purdue.edu/site/blog/post/barack_obama_national_security_and_me/"&gt;blogged
about it&lt;/a&gt;;
be sure to read his description.  You can find the text of Obama's
speech
&lt;a href="http://www.barackobama.com/2008/07/16/remarks_of_senator_barack_obam_95.php"&gt;here&lt;/a&gt;
and a fact sheet with more details
&lt;a href="http://www.barackobama.com/2008/07/16/fact_sheet_obamas_new_plan_to.php"&gt;here&lt;/a&gt;.)
I'm glad to hear that Obama is
taking cybersecurity seriously (and I'll be glad to post a similar
note if I see similar news stories about John McCain), but I fear
he may be barking up the wrong tree.
I can summarize my concerns in four points: the issue is
&lt;i&gt;cybersecurity&lt;/i&gt;, not &lt;i&gt;cyberterrorism&lt;/i&gt;; there are no magic
bullets; execution and policy matter a lot; and (of course) we need to do
more research.
I'll discuss each of these in turn.
&lt;P&gt;
&lt;h3&gt;Cyberterrorism versus Cybersecurity&lt;/h3&gt;
Obama spoke specifically about "cyberterrorism" -- the risk that
terrorists might use cybercapabilities to attack U.S. interests.  The
problem, though, is that this focus characterizes the threat too
narrowly.
The
&lt;a href="ftp://ftp.rfc-editor.org/in-notes/rfc4949.txt"&gt;Internet
Security Glossary&lt;/a&gt;
gives this explanation (among others) for "threat"
&lt;blockquote&gt;
      To be likely to launch an attack, an adversary must have
      (a) a motive to attack, (b) a method or technical ability to make
      the attack, and (c) an opportunity to appropriately access the
      targeted system.
&lt;/blockquote&gt;
This is the classic trinity known to all mystery fans: motive, means,
and opportunity.  In principle, defenders can use any one of the
three to foil an attack.
&lt;P&gt;
Motive is the hardest one for an outsider to assess.  At best, it's
a matter of delicate intelligence assessments about what an enemy plans
to do.  There have been many news stories about, say,
&lt;a href="http://online.wsj.com/article/SB121625646058760485.html"&gt;Chinese
government-sponsored hacking&lt;/a&gt;; there have been many fewer articles
about al Qaeda's cyber plans.  Perhaps there have been fewer
leaks; perhaps there has been less information
to leak.
Regardless, it seems clear that there has been serious activity by
&lt;a href="http://query.nytimes.com/gst/fullpage.html?res=9400E7DB1E3FF937A15755C0A9619C8B63"&gt;nation-states&lt;/a&gt;.
&lt;P&gt;
Of course, the flip side is that everyone -- the U.S., other countries,
and the terrorists -- &lt;i&gt;uses&lt;/i&gt; the Internet.  There has been a lot
of speculation that the Internet is too useful to the bad guys as a
communications system for them to want to damage it.  There is an irony
here: the more comfortable they are using the Internet, the less willing
they will be to risk losing their own access by launching a cyberattack.
The more the U.S. government monitors Internet communications in the hope
of catching terrorists, the less reason they'll have to refrain from
attacking.
&lt;P&gt;
When it comes to means, the situation is considerably bleaker.  Lots
of people can launch cyberattacks; many of them are mercenary and sell
exploits to the highest bidder.  They don't care if the buyer is
a government, a terrorist group, an extortionist, a credit card number
thief, or a spammer; what counts is profit.  While we can safely assume
that nation-states have very great capabilities, both they and the terrorists
can easily purchase capabilities they don't have.  The
publicly-known capabilities of the bad-guy hackers are demonstrably enough to
do great damage.
(It is worth noting that even ordinary attacks can affect the sorts
of
&lt;a href="http://catless.ncl.ac.uk/Risks/22.87#subj9"&gt;infrastructure
targets&lt;/a&gt; that cyberterrorists may go after.)
&lt;P&gt;
Opportunity -- for our purposes, that is the remaining security holes
that exist in our systems -- is the most promising avenue
for the defenders, since we can to some extent control it.  
We have little control over whether or not someone can attack us,
and exploits are much more easily distributed and
obtained than, say, highly enriched uranium.  But we can (to some extent)
plug our own holes.  This, then, has to be the focus of our
work: defending our systems, regardless of who the attacker is.
&lt;P&gt;
Some will object that cyberterrorists and nation-states
have greater capabilities than commercial attackers.  While
arguably true, it's irrelevant: we aren't even doing an adequate
job defending against the "easy" attacks.  And these attacks are
devastating; TJX alone
&lt;a href="http://www.boston.com/business/personalfinance/articles/2007/08/21/suspect_named_in_tjx_credit_card_probe/"&gt;lost
more than US$250 million&lt;/a&gt;
to one group of attackers.  
&lt;P&gt;
Focusing on generic cybersecurity will help against real, serious
vulnerabilities without needing to speculate on enemy intentions or
capabilities.  That is, the same cybersecurity efforts we need to
defend against cybercriminals defend against cyberterrorists.
&lt;P&gt;
&lt;h3&gt;No Magic Bullet&lt;/h3&gt;
It is very important that our next president recognize that there is
no magic bullet that will solve the cybersecurity problem.  Most
security problems are due to buggy code; I regard buggy code as the
oldest unsolved problem in computer science, and I do not anticipate
a solution any time soon.  More than 20 years ago,
&lt;a href="http://www.cs.unc.edu/~brooks/"&gt;Fred Brooks&lt;/a&gt; wrote
a classic essay
"No Silver Bullet" (a copy appears to be
&lt;a href="http://www.lips.utexas.edu/ee382c-15005/Readings/Readings1/05-Broo87.pdf"&gt;here&lt;/a&gt;).
In it, he noted that
&lt;blockquote&gt;
&lt;i&gt;I believe the hard part of building software to be the specification,
design, and testing of this conceptual
construct, not the labor of representing it and testing the fidelity of
the representation&lt;/i&gt;.
We still make
syntax errors, to be sure; but they are fuzz compared with the conceptual
errors in most systems.
&lt;P&gt;
If this is true, building software will always be hard. There is
inherently no silver bullet.
&lt;/blockquote&gt;
The same is true for cybersecurity (a subset of the reliability
issues Brooks was talking about).
&lt;P&gt;
By the same token, a Manhattan Project-type effort won't work.  
We don't know how to produce secure, bug-free code; we don't even know
if it's possible for human programmers to do it.  We're not dealing
with the laws of physics, which very clearly do permit at least some chain
reactions; we're dealing with the limitations of the human brain.
We've also seen many failed attempts at panaceas.  Throwing a large pile
of money at the problem will not magically cause a solution to appear.
&lt;P&gt;
&lt;h3&gt;Execution and Policy Matter&lt;/h3&gt;
For all my pessimism about complete solutions, we can certainly do a
lot better than we're doing today.  Some of the advice is mundane
and familiar: patch your systems.  (Other conventional advice, such as
"pick strong passwords", is
&lt;a href="http://www.usenix.org/events/hotsec07/tech/full_papers/florencio/florencio.pdf"&gt;at
best overblown&lt;/a&gt; and arguably harmful.)
Other aspects are more difficult:
proper system design counts for a lot.  A cybersecurity czar with
both a bully pulpit and some regulatory authority might accomplish a lot.
To give just one example, many banks have
&lt;a href="http://www.sciencedaily.com/releases/2008/07/080722175802.htm"&gt;insecure
web sites&lt;/a&gt;.  Are government regulations the cure, or at least part of
it?
&lt;P&gt;
Some will argue that market mechanisms will solve the problem.
Companies with poor security practices -- again, think TJX --
will pay the price.  Unfortunately, there are serious market failures,
such as end-user license agreements that shield some actors from
liability.  Similarly, consumers have little knowledge of (and often
little choice about) software choices and their security implications.  
Perhaps liability and its corollary, insurance, are part of the solution.
One important role for a cybersecurity czar is to develop a comprehensive
set of policies (including proposed new laws and regulations) that will
let the market function.  There will be -- there must be -- a
lot of debate over the issues.  To give just one example, what will be the
effects of liability (let alone
&lt;a href="http://law.freeadvice.com/general_practice/legal_remedies/strict_liabilty.htm"&gt;strict
liability&lt;/a&gt;)
on open source software development and distribution?  These questions do
not have obvious answers, but it will be easier to discuss the questions
in the context of a comprehensive solution.
&lt;P&gt;
&lt;h3&gt;More Research&lt;/h3&gt;
I'm an academic, so of course I'm calling for more research.
The argument, though, is simple: we don't know how to solve the problem.
While I don't think we'll ever have perfect solutions, are there
unknown techniques that could help?  We don't even know if
&lt;a href="http://bits.blogs.nytimes.com/2007/09/11/the-internet-firewall-rip/"&gt;firewalls
are useful or not&lt;/a&gt;.
&lt;P&gt;
There is a lot of room for more research.  I served on a recent
National Academies study committee that
&lt;a href="http://www.cyber.st.dhs.gov/docs/Toward_a_Safer_and_More_Secure_Cyberspace-Full_report.pdf"&gt;outlined
some important research issues&lt;/a&gt;; I'll only mention two here.  First,
if some level of insecurity is inevitable (and I think it is), how do we
minimize the damage?  Second, there is a need for long-term, sustained
effort; short-horizon programs won't produce fundamental breakthroughs.
There have been
&lt;a href="http://query.nytimes.com/gst/fullpage.html?res=9F04E1DB113FF931A35757C0A9639C8B63"&gt;press
reports&lt;/a&gt; that DARPA has moved away from such a focus (note: this is
&lt;i&gt;not&lt;/i&gt; a conclusion I'm attributing to the committee).
&lt;P&gt;
&lt;h3&gt;Conclusions&lt;/h3&gt;
There is definitely a cybersecurity problem, and there is a lot a
president can do to help solve it.  It is much less clear that there
is a cyberterrorism problem; however, dealing with the more mundane
issues will help defend us against such threats if they do exist.
</description>
<link>http://www.cs.columbia.edu/~smb/blog//2008-07/2008-07-24.html</link>
<guid>http://www.cs.columbia.edu/~smb/blog//2008-07/2008-07-24.html</guid>
</item>
</channel>
</rss>
