1 September 2017
Security is a Systems Problem
There's lots of security advice in the press: keep your systems patched, use a password manager, don't click on links in email, etc. But there's one thing these adages omit: an attacker who is targeting you, rather than whoever falls for the phishing email, won't be stopped by one defensive measure. Rather, they'll go after the weakest part of your defenses. You have to protect everything—including things you hadn't realized were relevant. Security is a systems problem: everything matters, including the links between the components and even the people who use the system.
Passwords are a good illustration of this point. We all know the adage: "pick strong passwords". There are lots of things wrong with this and other simplistic advice with passwords, but we'll ignore most of them to focus on the systems problem. So: what attacks do strong passwords protect against?
The original impetus for this advice came from a 1979 paper by Bob Morris and Ken Thompson. (Morris later became Chief Scientist of the NSA's National Computer Security Center; Thompson is one of the creators of Unix.) When you read it carefully, you realize that strong passwords guard against exactly two threats: someone who tries to login as you, and someone who has hacked the remote site and is trying to guess your password. But strong passwords do nothing if your computer (in those days, computer terminal...) is hacked, or if the line is tapped, or if you're lured to a phishing site and send your password, in the clear, to an enemy site. To really protect your password, then, you need to worry about all of those factors and more.
It's worth noting that Morris and Thompson understood this thoroughly. Everyone focuses on the strong password part, and—if they're at least marginally competent—on password salting and hashing, but few people remember this quote, from the first page of the paper:
Remote-access systems are peculiarly vulnerable to penetration by outsiders as there are threats at the remote terminal, along the communications link, as well as at the computer itself. Although the security of a password encryption algorithm is an interesting intellectual and mathematical problem, it is only one tiny facet of a very large problem. In practice, physical security of the computer, communications security of the communications link, and physical control of the computer itself loom as far more important issues. Perhaps most important of all is control over the actions of ex-employees, since they are not under any direct control and they may have intimate knowledge about the system, its resources, and methods of access. Good system security involves realistic evaluation of the risks not only of deliberate attacks but also of casual authorized access and accidental disclosure.(True confession: I'd forgotten that they noted the scope of the problem, perhaps because I first read that paper when it originally appeared.)
I bring this up now because of some excellent reporting about hacking and the 2016 election. Voting, too, is a system—it's not just voting machines that are targets, but rather, the entire system. This encompasses registration, handling of the "poll books"—which may themselves be computerized—the way that poll workers sign in voters, and more. I'll give an example, from the very first time I could vote in a presidential election: the poll workers couldn't find my registration card. I was sent off to a bank of phones to try to call the county election board. The board had far too few phone lines, so I kept getting busy signals, all the while thinking nasty thoughts about attempts to keep Yankees (I'd just moved to North Carolina) and students (I was there for grad school) from voting.
Think of all of the system pieces in just that part of the election. There was the poll worker—was she honest? There was the election book, and whatever processes, mechanisms, software, or people had gone into compiling it. There was the phone bank I was using, the phone network, the phones at the election board, the people there, and their backend systems that had a master copy of the election roll. My story had a happy ending—the poll worker kept checking, and found that my card has been misalphabetized—but if an analogous problem happened today with an electronic poll book, it's hard to see how the poll worker's diligence could have resolved it. (For other interesting systems aspects of voting, including issues with poll books, see an old blog post of mine.)
The systems aspect of voting is apparent to some, of course, including the New York Times reporters who are covering the hacking story:
Michael Wines, who covers election issues for the Times, said that what stood out to him was the vulnerability of the nation's vast Rube Goldberg election system. Elections, he explained, "are run by understaffed, underfinanced and sometimes undertrained local officials, serviced by outside contractors who may or may not be well vetted, conducted with equipment and software that may or may not be secure." [emphasis added]
Almost all security problems are system problems; beware of people who try to sell you simplistic, point solutions. It's not that these solutions are wrong; rather, they have to be examined for their role in securing the system. Consider HTTPS—encrypted—web connections. Unless you're being targeted by law enforcement or a major intelligence agency, the odds of your connection being tapped on the backbone are vanishingly small. However, it's trivial to tap someone's WiFi connection if you're on the same net as them, e.g., in a public hotspot. So—it's a good idea to encrypt web pages, but if the environment is strictly controlled LAN to controlled LAN, that should be far down on your list of security priorities. And remember: encrypting one link does not solve any of the many other vulnerable points in your system.
Update: vote-tallying software is also part of the system—and can be insecure.