<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Phillip Hallam-Baker&apos;s Web Security Blog</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/" />
    <link rel="self" type="application/atom+xml" href="http://blogs.verisign.com/websecurity/atom.xml" />
   <id>tag:blogs.verisign.com,2009:/websecurity/5</id>
    <link rel="service.post" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5" title="Phillip Hallam-Baker's Web Security Blog" />
    <updated>2009-02-26T19:12:21Z</updated>
    <subtitle>The Accountable Web</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.21-en</generator>
 

<entry>
    <title>Installing Ubuntu: Take one electric drill</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2009/02/installing_ubuntu_take_one_ele.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1571" title="Installing Ubuntu: Take one electric drill" />
    <id>tag:blogs.verisign.com,2009:/websecurity//5.1571</id>
    
    <published>2009-02-26T16:28:53Z</published>
    <updated>2009-02-26T19:12:21Z</updated>
    
    <summary>Security costs real time and money. What I often find hard to explain to programmers is that what they might imagine to be a trivial effort can quickly mount up. Take for example, the fact that my effort to install...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>Security costs real time and money. What I often find hard to explain to programmers is that what they might imagine to be a trivial effort can quickly mount up.</p>

<p><br />
Take, for example, the fact that my effort to install Ubuntu to drive my CNC lathe had me drilling into the case of a server with a drill this morning.</p>

<p><br />
Why does it take an electric drill to install Ubuntu? Well, it shouldn't, but it does require a DVD drive as opposed to a CD-ROM drive as claimed. And I don't have a DVD drive on the ancient machine in question, only CD-ROM. And the BIOS would not boot from a USB DVD drive. So I had to take the DVD drive out of another aged server, only the key to the case had been lost, hence the drill. And I could not do that last night when the kids were in bed; I had to wait till first thing this morning.</p>

<p><br />
And the need for a DVD drive in turn is caused by the fact that the Ubuntu distribution is now 700Mb and the design capacity of a CD-ROM is 650Mb. So after several hours of 'persuasion' to get the ISO to burn on a CD, I found that the drivers on the machine won't boot from a CD-ROM of more than 650Mb; it just hangs.</p>

<p><br />
And these are the real problems of computer administration. None of these steps is difficult, and the problems will all be forgotten after success is achieved. But each little problem soaks up a few minutes or a few hours of time.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Caching In Part II</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2009/02/caching_in_part_ii.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1508" title="Caching In Part II" />
    <id>tag:blogs.verisign.com,2009:/websecurity//5.1508</id>
    
    <published>2009-02-02T14:45:03Z</published>
    <updated>2009-01-29T15:22:28Z</updated>
    
    <summary>So what is edge caching? Edge caching is simply provision for a network content cache at the point where a local ISP network joins the Internet at large. It is not a new idea, pretty much every Web browser in...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>So what is edge caching? Edge caching is simply provision for a network content cache at the point where a local ISP network joins the Internet at large. It is not a new idea; pretty much every Web browser in use today supports HTTP proxy caching. The difference is scale. An HTTP proxy cache does not typically keep copies of video resources.</p>

<p><br />
In recent years edge caching has been rather less fashionable than Napster style 'peer-2-peer'. P2P bypasses the need for the ISP to invest in cache infrastructure by conscripting end user machines as caches. This is good for the P2P provider but very bad for the ISP as the content will now travel over the most constrained part of the ISP's network multiple times.</p>

<p><br />
The value of edge caching is already known to companies like Akamai of course. But Akamai is a proprietary scheme. Google recently began work to build out a similar scheme, and there will be many more as Internet video on demand becomes an increasingly large market.</p>

<p><br />
So pity the poor ISP who is expected to provide space and power for all these boxes in their endpoints. If any economics student is looking for a thesis topic, try predicting which parties will benefit from this particular arrangement during the introductory phase and then again some years later once consumers have reliable ways of measuring the network performance being delivered.</p>

<p><br />
My rough model suggests that under the proprietary cache model each party benefits at exactly the wrong time. In the short term, some ISPs may gain a modest revenue stream, but in the longer term content is king.</p>

<p><br />
Rather than waiting passively for the content distribution companies to come along with their boxes, a better strategy for the ISPs would be to develop a model that puts the edge cache under their control, allowing the ISP to determine the choice of hardware/software platform and which content is cached.</p>

<p><br />
The design of a network protocol for such a scheme may be left as an exercise for the (graduate) student. A discovery mechanism will be required (hint, SRV records in the reverse DNS) and some means of breaking content up into manageable chunks. And in the case of really popular content there will be a need for load balancing amongst local servers.</p>

<p><br />
The rather more interesting issue is the security considerations that arise. Who gets to store content? Who gets to retrieve it? When is content deleted? How are questions of copyright ownership decided?</p>]]>
        
    </content>
</entry>

<entry>
    <title>Superbowl Porn attack, what when they monetize?</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2009/02/superbowl_porn_attack_what_whe.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1517" title="Superbowl Porn attack, what when they monetize?" />
    <id>tag:blogs.verisign.com,2009:/websecurity//5.1517</id>
    
    <published>2009-02-02T13:21:28Z</published>
    <updated>2009-02-02T13:48:03Z</updated>
    
    <summary>While most of the United States was watching the Pittsburgh Steelers win the superbowl with a last minute touchdown, Comcast viewers in Arizona had their football interrupted by a pornographic video. While the cause of the disruption is not yet...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>While most of the United States was watching the Pittsburgh Steelers win the superbowl with a last minute touchdown, <a href="http://news.bbc.co.uk/2/hi/entertainment/7864733.stm">Comcast viewers in Arizona had their football interrupted by a pornographic video</a>.</p>

<p><br />
While the cause of the disruption is not yet known, it stretches credibility to believe that this was operator error. Most likely it will turn out to be an act of vandalism by a disgruntled employee or an external attacker. In either case, we need to know quickly as casual attacks by vandals tend to be followed by professional attacks for profit.</p>

<p><br />
At a minimum the attacker has demonstrated the ability to map one cable channel onto another. But imagine that the attacker had the ability to inject arbitrary content into the New York city cable feed for Bloomberg or CNBC. It really isn't very difficult to see how a profitable stock manipulation fraud can be set up.</p>

<p><br />
The big problem with electronic media is establishing authenticity. As we come to rely on electronic information sources, the risk of being fed spurious data increases. Unless we take the problem seriously soon, others will force us to take it seriously.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Caching in</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2009/01/caching_in.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1507" title="Caching in" />
    <id>tag:blogs.verisign.com,2009:/websecurity//5.1507</id>
    
    <published>2009-01-29T14:30:40Z</published>
    <updated>2009-01-29T14:44:54Z</updated>
    
    <summary>Last week I attended the GENI workshop at UC Davis. GENI is an ambitious project to build a testbed for next generation network technologies such as new router algorithms. One reason I am interested is that the GENI testbed would...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>Last week I attended the GENI workshop at UC Davis. <a href="http://www.geni.net/">GENI</a> is an ambitious project to build a testbed for next generation network technologies such as new router algorithms.</p>

<p><br />
One reason I am interested is that the GENI testbed would provide an environment that could allow meaningful experiments into security usability. Putting a user in a lab for an hour or so is a great way of working out if they are likely to buy a product or install it correctly. Lab experiments are a lousy way of predicting how a user might react to an unexpected attack in six months' time when their own money is at stake.</p>

<p><br />
As with most such projects, the objectives are considerably more ambitious than the funds on offer. This leads me to suggest a way to simplify the project: drop the plans to investigate new routing algorithms.</p>

<p><br />
There are two reasons why routing is not an interesting or important field of study for publicly funded research. The first is that makers of routing hardware are already keenly interested in the problem; the second is that nobody is going to be interested in deploying a radical new routing scheme requiring a completely new suite of systems when Moore's law continues to deliver a 100% increase in gates every 18 months.</p>

<p><br />
But the biggest reason to be suspicious of researching new routing techniques is that we already know an efficiency improvement that is orders of magnitude greater than anything a change to the core router transport makes possible; the problem is that we don't yet know how to deploy it.</p>

<p><br />
As you probably guessed from the title, that efficiency improvement is edge caching. The best way to improve the efficiency of a network is not to send the data at all, or to send it only once. More on that in part II.</p>]]>
        
    </content>
</entry>

<entry>
    <title>US credit cards are no longer accepted in the UK</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/12/us_credit_cards_are_no_longer.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1472" title="US credit cards are no longer accepted in the UK" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1472</id>
    
    <published>2008-12-22T20:02:54Z</published>
    <updated>2008-12-22T22:21:46Z</updated>
    
    <summary>If I were an executive of a US bank looking to corner the market in corporate credit cards, I would be telling my management that they had to adopt Chip and PIN immediately or expect to lose the business of...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>If I were an executive of a US bank looking to corner the market in corporate credit cards, I would be telling my management that they had to adopt Chip and PIN immediately or expect to lose the business of corporate international travelers.</p>

<p><br />
You cannot use a US issued credit card in the typical UK store any more. If it's not Chip and PIN, it simply does not exist as far as they are concerned. Whatever the Visa and Mastercard exchange rules might say on accepting all current cards is irrelevant as far as the underpaid sales assistant is concerned. No chip, no PIN means no service.</p>

<p><br />
And the situation is only going to get worse. Chip and PIN does have some security issues, but those reported to date are all due to the need for interoperation with legacy magnetic stripe systems. US banks can complain about their cards not being honored in Europe as per the merchant card agreement, but the European banks are unlikely to be very interested. Chip and PIN has all but eliminated card present fraud.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Impersonation is not the only risk</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/12/impersonation_is_not_the_only.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1451" title="Impersonation is not the only risk" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1451</id>
    
    <published>2008-12-04T13:24:54Z</published>
    <updated>2008-12-08T13:58:43Z</updated>
    
    <summary>The paradox of security is that it is almost always possible to solve any single security problem with a simple and effective solution. Having problems with spam? Shut down the mail server, or only accept mail from people you already...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>The paradox of security is that it is almost always possible to solve any single security problem with a simple and effective solution.</p>

<p><br />
Having problems with spam? Shut down the mail server, or only accept mail from people you already know. Having problems with people posting copyright material on the Web? Allow anyone to shut down any Web site they choose instantly with a phone call.</p>

<p><br />
Worried about the risk of being <a href="http://www.youtube.com/watch?v=CcEiR01QK7o">hoaxed with a prank call</a>? Well <a href="http://www.huffingtonpost.com/2008/12/03/gop-congresswoman-hangs-u_n_148220.html">hang up on the President elect when he calls you to congratulate you on your election victory</a>.</p>

<p><br />
Security is really easy when you are only concerned about one side of the problem. And that is why so many 'obvious solutions' that are proposed by interest groups are unworkable. The proposers only take time to understand one side of the problem, usually their side of the problem. Then they try to push their solution through by attempting to minimize the significance of the objections of the other side, rather than trying to address them.</p>

<p><br />
The fact that the President may not be able to call a Member of Congress and speak to them for fear of a hoax should be considered a national security concern. As should the risk that a hoax might be perpetrated for malicious purpose.</p>

<p><br />
And it is not just members of Congress. The email lists used during the campaign are still active (Kerry's list from 2004 is also still active). They reach millions of activists. What if someone was to work out a way of engaging those for malicious purposes?</p>

<p><br />
The email problem could be solved today: every communication from a major political campaign should be signed, whether the recipient is a member of Congress or a member of the public. That is what DKIM is designed to permit.</p>

<p><br />
But signing is only one half of the problem: how is the user made aware that the communication is genuine? Here I think we should take a cue from Hollywood. Think of any movie scene in which the President of the United States appears in a video-conference. Does the President just appear on the line? No, because even though the President of the United States is going to be recognized on sight, that is not the protocol. What you invariably see in a scene of that type is first an establishing shot of the seal of the President of the United States. Then the President appears.</p>

<p><br />
That is what we should have for Internet communications, and it is something that we could do very quickly for email and extend to other modes of communication in a short period of time.</p>]]>
        
    </content>
</entry>

<entry>
    <title>How do you protect your child online?</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/11/how_do_you_protect_your_child.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1442" title="How do you protect your child online?" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1442</id>
    
    <published>2008-11-24T21:21:11Z</published>
    <updated>2008-11-24T22:11:56Z</updated>
    
    <summary>The Internet is a big place, it has a billion users and not all of them are honest and some have evil intent. Adults have a difficult enough time keeping safe on the Internet. Now we have children using computers...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>The Internet is a big place: it has a billion users, and not all of them are honest and some have evil intent. Adults have a difficult enough time keeping safe on the Internet. Now we have children using computers at earlier and earlier ages; how do we control that risk?</p>

<p><br />
As always we have the folk whose answer is 'don't let the kids near it'. Which is often merely a way of evading the problem. One supposedly serious report from a supposedly serious learned medical body tells us that there is no proof that computers do not do harm, so the 'safe' option is for parents to ideally stop their children using computers or to seriously limit their use. I found this advice offensive, as anyone with a scientific training should. Ignorance is never a sound basis for offering advice to others.</p>

<p><br />
I taught myself to use a computer at 11. I have seen a child teach himself to read using a computer at three. There is no substitute for the human teacher, but it might also be the case that there is no substitute for the computer as well. No human teacher can compete with the patience of the machine. </p>

<p><br />
So how do we start being serious about online child safety?</p>

<p><br />
It occurs to me that one starting point for a serious consideration of online child safety would be to ask computer security specialists what they do. They have (or should have) a much better idea of the potential risks, and they are trained to evaluate potential solutions.</p>

<p><br />
So if you have views on this I would appreciate you sharing them with me by email at <a href="mailto:hallam@dotcrimemanifesto.com">hallam@dotcrimemanifesto.com</a>. In particular I am interested in knowing:</p>

<ul>
	<li>What are the ages of your children?</li>
	<li>Which child online safety issues have you considered?</li>
	<li>What security controls have you employed?</li>
	<li>Are there security measures that someone advised you to use that you consider to be misguided?</li>
</ul>

<p>You can also comment in this thread, but for obvious reasons it is probably not a good idea to mention your own children if you do so.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Retraction? (Possibly)</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/11/retraction_possibly.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1430" title="Retraction? (Possibly)" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1430</id>
    
    <published>2008-11-13T16:04:04Z</published>
    <updated>2008-11-13T16:26:12Z</updated>
    
    <summary>Some time ago I posted on the Iranian missiles photoshop hoax (Drowning in disinformation). Well now it appears that one of the sources that pushed the hoax story in the media has itself been involved in a complex hoax of...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>Some time ago I posted on the Iranian missiles photoshop hoax (<a href="http://blogs.verisign.com/websecurity/2008/07/drowning_in_disinformation.php">Drowning in disinformation</a>).</p>

<p><br />
Well now it appears that one of the sources that pushed the hoax story in the media has itself been involved in a complex hoax of its own. <a href="http://www.nytimes.com/2008/11/13/arts/television/13hoax.html">Martin Eisenstadt</a>, purportedly the 'McCain Camp Adviser' who revealed that Sarah Palin did not know Africa was a continent, turns out to be a hoax.</p>

<p><br />
So now we have at least two levels of hoax, possibly more. All of which reinforces my original argument that we need to establish more trustworthy sources of information in the Web.</p>

<p><br />
Is the New York Times a trusted source of information? Well, this week a fake copy was printed. And what was perhaps more surprising was the fact that a large number of journalists seem to have reported the group's claim to have printed 1.2 million copies without questioning the improbability of financing, let alone perpetrating, a hoax on such a scale.</p>

<p><br />
Is nytimes.com a trustworthy source of information? Well not http://nytimes.com/, that is for sure. Not without SSL security at the very least.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Every company is a target</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/11/every_company_is_a_target.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1424" title="Every company is a target" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1424</id>
    
    <published>2008-11-10T15:37:31Z</published>
    <updated>2008-11-10T15:44:46Z</updated>
    
    <summary>THUS is a part of Cable and Wireless that operates in the UK. It is also a victim of phishing, or at the least brand impersonation. The scam in this case appears to be an advance fee fraud. People are...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>THUS is a part of Cable and Wireless that operates in the UK. It is <a href="http://www.thus.net/view/item2227/">also a victim of phishing</a>, or at the least brand impersonation.</p>

<p><br />
The scam in this case appears to be an advance fee fraud. People are told that they have a job, they just need to pay for the visa application. The mails are of course sent out by crooks, this is a scam.</p>

<p><br />
There have been similar scams involving lotteries, but these tended to involve the larger companies that could conceivably have a PR budget to do such stuff. This is a scam that can affect pretty much any company larger than a corner shop.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Election campaigns targeted by hackers</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/11/election_campaigns_targetted_b.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1420" title="Election campaigns targetted by hackers" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1420</id>
    
    <published>2008-11-07T00:16:51Z</published>
    <updated>2008-11-06T01:56:01Z</updated>
    
    <summary>Now that the 2008 US election is over, the Newsweek reports from reporters embedded in the campaign are coming out. The top cyber-security news is that the Obama campaign was successfully penetrated by some form of Trojan and files uploaded...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>Now that the 2008 US election is over, the <a href="http://www.newsweek.com/id/167581/page/2">Newsweek reports from reporters embedded in the campaign are coming out</a>.</p>

<p><br />
The top cyber-security news is that the Obama campaign was successfully penetrated by some form of Trojan and files uploaded from the machine. </p>

<p><br />
While the source of this particular attack is unknown, and will probably remain so, the potential has been demonstrated. What might well have been an opportunistic attack in 2008 will almost certainly be followed by well-planned and well-executed attacks in the 2012 campaigns.</p>

<p><br />
Even though the machines in question would not have stored classified information, the potential for manipulating policy through an IT compromise of a campaign is in some ways more significant than an IT compromise at (say) the state department. </p>

<p><br />
The risk is not so much that a foreign power might change the outcome of the election than that they might influence the policy platform that the campaign runs on. Once an administration is formed, the apparatus of policy formation is slow and cumbersome, it takes a great deal to blow it off course. But during a campaign, the smallest of gusts can capsize a vessel with the right timing. Even though campaign promises are not the same thing as policy, there is a definite connection.</p>

<p><br />
The bottom line is that security of campaign communications matters at least as much as security of administration communications. And this is only one example of the fact that in the Internet age, national security rests on the whole information infrastructure and not just the tiny fraction that is run by the government. </p>]]>
        
    </content>
</entry>

<entry>
    <title>Protecting against malicious use of DMCA notices</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/11/protecting_against_malicious_u.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1398" title="Protecting against malicious use of DCMA notices" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1398</id>
    
    <published>2008-11-05T14:49:37Z</published>
    <updated>2008-10-17T15:16:23Z</updated>
    
    <summary>[Note, this post was prepared on Oct 15th but for reasons that will become obvious, posting was delayed until today] Whatever else may be said about the 2008 US Presidential election, the Web did the job we intended it to...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>[Note, this post was prepared on Oct 15th but for reasons that will become obvious, posting was delayed until today]</p>

<p><br />
Whatever else may be said about the 2008 US Presidential election, the Web did the job we intended it to do back in 1992. The 2008 election was not the first election in which the Internet (and indeed the Web) were used. In fact I ran a Web server with material from all of the parties back in 1992 and the Clinton-Gore campaign had an online campaign in that election run by Jock Gill. </p>

<p><br />
But 2008 is the first election in which the agenda was not entirely set by the establishment media which would much rather debate lipstick on a pig than healthcare, education or the economy.</p>

<p><br />
So much for self congratulation. Now to look at what did not work.</p>

<p><br />
One of the biggest problems was that at the same time the Web makes it easy to make information available, it also makes that information less easy to trust. Unlike the 2004 election the 2008 election has not had whole media cycles dominated by fake photographs (Kerry/Fonda) or forged documents (aka Rathergate). But that seems to have been as much because people are much less likely to trust the information they see.</p>

<p><br />
The good part is that we are less likely to be fooled. The bad is that we are less likely to be informed. We need to have a mechanism that allows people to actually trust their eyes.</p>

<p><br />
This problem has many aspects and will take many years to solve completely. But a good starting point would be to look at the issue of copyright and in particular the use of DMCA takedown notices to suppress speech, <a href="http://www.eff.org/deeplinks/2008/10/mccain-campaign-feels-dmca-sting">as happened during the campaign</a>.</p>

<p><br />
The basic facts are that the McCain/Palin campaign uploaded videos to YouTube. YouTube then received DMCA copyright notices and the videos were removed. Whereupon the McCain/Palin campaign complained that their free speech was being suppressed and that videos from the campaigns should be vetted manually. In response to which Google said that they were not going to create special categories of content.</p>

<p><br />
It is very easy to get into arguments about which side is right and overlook the fact that these goals are not necessarily incompatible.</p>

<p><br />
In particular, the real problem here is a failure of accountability. The DMCA was written to address the problem of copyright infringement by unknown, unaccountable parties. It contains a provision for an objection to be made against a takedown notice. The whole point of DMCA is to identify the parties to a dispute so that it may be resolved in a court of law.</p>

<p><br />
So why not allow any party to sign their uploaded content with a digital certificate that contains their authenticated business address? We have all the infrastructure in place to issue such certificates today (although Google can hardly be expected to have the code to make use of them.) </p>]]>
        
    </content>
</entry>

<entry>
    <title>Site Specific browsers</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/10/site_specific_browsers.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1402" title="Site Specific browsers" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1402</id>
    
    <published>2008-10-21T13:51:06Z</published>
    <updated>2008-10-21T14:16:58Z</updated>
    
    <summary>The launch of Mozilla Prism has many people thinking about the possibilities of Site-Specific browsers. With many applications such as GMail and Google Documents being packaged up as hosted Web applications today, a site specific browser provides a quick and...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>The launch of <a href="https://wiki.mozilla.org/Prism">Mozilla Prism</a> has many people thinking about the possibilities of Site-Specific browsers. With many applications such as GMail and Google Documents being packaged up as hosted Web applications today, a site specific browser provides a quick and easy means of making a network application look just like a local application. User interface components designed to support browsing, such as the address bar and bookmarks, are unnecessary clutter, and the forward/back buttons are a positive hazard when using a Web application.</p>

<p><br />
Site specific browsers are also a useful security tool, particularly when setting up a browser environment for use by a three-year-old girl who wants to visit the 'Dora the Explorer' game on the Web. A site specific browser allows an account to be created that can access precisely the sites that are age appropriate. This is as much a usability issue as a security issue, avoiding the situation where a mouse click on the wrong thing causes another site to load, ruining the game.</p>

<p><br />
Making the browser site-specific is certainly one means of achieving the 'secure browsing mode' that many banks have been asking for, but users have enough trouble downloading and installing one browser. How can they be expected to download, install and maintain a different site-specific browser for each bank and brokerage they might use (I have two of each plus a 401K retirement fund and a life assurance policy, making six in all)?</p>

<p><br />
A recent <a href="http://www.ceas.cc/2008/papers/ceas2008-paper-58.pdf">paper by D.K. Smetters and Paul Stewart</a> suggests a neat solution to the problem. In their scheme, a user is told to access security sensitive sites from a 'secure launchbar' that causes a site specific browser to be launched in a separate process. Instead of having to have a different site-specific application for each bank, all we need is a site-specific secure bookmark.</p>

<p><br />
Clearly, for such a scheme to be trustworthy, the secure bookmarks must be limited to trustworthy sites. Smetters and Stewart suggest various means of achieving this, but I am sure nobody will be surprised to learn that Extended Validation certificates with embedded subject logos (aka <a href="http://www.w3.org/2005/Security/usability-ws/papers/27-phbaker-letterhead/">Secure Internet Letterhead</a>) would be my choice.</p>

<p><br />
To complete such a scheme, agreement would be necessary on a standard set of capabilities for 'secure-site-specific' browsers. Traditional W3C specifications describe the features that MUST be supported. This specification would also need to specify which features MUST NOT be supported, or at least provide the launch bar application with a means of specifying the features to be activated in the site-specific browser. Cross-site scripting attacks have much less power when the user is accessing a site with plug-in extensions disabled and no ability to follow links that lead off-site.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Rethinking stored document encryption: Part 9</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/10/rethinking_stored_document_enc_9.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1388" title="Rethinking stored document encryption: Part 9" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1388</id>
    
    <published>2008-10-17T14:33:50Z</published>
    <updated>2008-10-07T17:23:55Z</updated>
    
    <summary>We have one remaining issue to consider but it is probably the most difficult of all: deployment. Designing and building software is easy. Establishing a critical mass of users is the hard part. At this point we need to go...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>We have one remaining issue to consider but it is probably the most difficult of all: deployment.</p>

<p><br />
Designing and building software is easy. Establishing a critical mass of users is the hard part. </p>

<p><br />
At this point we need to go back and consider what advantages CLE provides that existing schemes such as whole disk encryption or directory level encryption do not. In my view the answer is that while storage level encryption can provide security when used correctly, CLE makes it much harder to make the type of mistake that can lead to a breach. Whole disk encryption is good but it only works as long as the authorized user does not copy the data to a USB thumb drive. Directory level encryption is even more fragile and can fail when an application unexpectedly makes a copy of the sensitive data in an unencrypted location. </p>

<p><br />
A part of any CLE deployment strategy must be developing programming toolkits that allow an existing application to be CLE enabled with minimal effort. One of the reasons that SSL has become so popular is the fact that by design the API for SSL toolkits looks almost identical to the traditional BSD socket API.</p>

<p><br />
We have most of the PKI infrastructure required to support CLE. All we are missing at this point is the key management server. If we are going to make CLE a reality, though, we need to establish a critical mass of applications.</p>

<p><br />
Although I have focused on the 'network CLE' problem, this is in fact a superset of the single-user CLE problem, and even applied at the single-user level CLE provides considerable value. I would like to be able to copy files to a USB thumb drive without worrying about creating copies of possibly confidential information. </p>

<p><br />
Ubiquitous deployment of CLE will take many years, perhaps a decade or more. But in the meantime niche deployment of CLE can address the most difficult, highest risk activities.</p>

<p><br />
For example, the typical data breach occurs when an auditor loses a laptop or thumb drive containing sensitive personnel data. Why is it always an auditor? Possibly because they are the only people who confess. But regardless, deployment of CLE to every desktop in an enterprise is hard. Integrating CLE into the export function of the HR database and insisting that the auditor install an open standards based plug-in into their spreadsheet is much easier.</p>

<p><br />
Another area that might be the killer application of CLE that creates the necessary critical mass is CAD/CAM. A large part of the CAD/CAM market is involved in classified government work or designs that are commercially sensitive and unlike the office applications market, the market for CAD/CAM applications is fiercely competitive.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Rethinking stored document encryption: Part 8</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/10/rethinking_stored_document_enc_8.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1387" title="Rethinking stored document encryption: Part 8" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1387</id>
    
    <published>2008-10-16T14:05:24Z</published>
    <updated>2008-10-07T17:22:48Z</updated>
    
    <summary>My original expectation in starting this series is that it would be done in three posts. It is almost two weeks later and we are still going. At this point the technology described is adequate to meet the original use...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>My original expectation in starting this series was that it would be done in three posts. It is almost two weeks later and we are still going.</p>

<p><br />
At this point the technology described is adequate to meet the original use cases. This is the point at which protocol design traditionally stops. But in the new security model this is the point where the really difficult work starts: usability.</p>

<p><br />
If a CLE system is going to be any use it is going to have to be used and it is not going to be used unless use is effortless [Is zero-effort security a better tag line for what I am attempting to achieve than Zero-overhead?].</p>

<p><br />
To make CLE effortless, it must be possible for system administrators to take on all the heavy lifting required for configuration and the impact on day to day use must be negligible except in the exceptional case where the user is actually focused on the specific issue of security.</p>

<p><br />
What this means in my view is that the CLE system needs to be tightly integrated into the applications that create CLE controlled content. The application must be able to determine the security policy to be employed from the document template used to create the document. The application must be able to seamlessly acquire rights to content when the user attempts to open the file.</p>

<p><br />
At the same time we should probably consider the document storage lifecycle as a whole and come to terms with the fact that the Xerox Parc files and folders paradigm is simply not working any more.</p>

<p><br />
Files and folders were a sensible method of organizing content when we had one machine that we used exclusively for editing documents and managing data. Today I use at least two computers every day, three if you count the iPhone and every one of them doubles as a communication device. That puts valuable work product documents at risk of compromise by network applications.</p>

<p><br />
What I would prefer is to completely isolate my network interaction workflow from my document editing workflow, or at the very least isolate them to the greatest degree possible. When I save a document I want it to be stored in my virtual document repository in the cloud and I want to be able to access it from any computer I might work on later.</p>

<p><br />
The Xerox Parc files and folders approach treats the local storage on my laptop as a disk drive for primary storage of files and folders. This is a problematic approach with any laptop if you frequently switch between laptop and desktop machines. It is particularly problematic if you have a MacBook Air and have to live inside an 80Gb drive.</p>

<p><br />
A better approach is to treat the local storage on the machine as a cache for the main storage in the cloud. Windows Vista attempts to do this to some extent with its replication feature, but that particular interface is broken as it attempts to adapt the files and folders approach rather than reinvent the underlying concept.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Rethinking stored document encryption: Part 7</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/websecurity/2008/10/rethinking_stored_document_enc_7.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=5/entry_id=1386" title="Rethinking stored document encryption: Part 7" />
    <id>tag:blogs.verisign.com,2008:/websecurity//5.1386</id>
    
    <published>2008-10-15T13:19:40Z</published>
    <updated>2008-10-07T17:21:41Z</updated>
    
    <summary>Last time we stopped with Alice wanting to share a confidential document with Carol who works in a different company. Why would Alice want to do this, if a document is confidential it should not leave the company, right? Looking...</summary>
    <author>
        <name>Phillip Hallam-Baker</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/websecurity/">
        <![CDATA[<p>Last time we stopped with Alice wanting to share a confidential document with Carol who works in a different company. Why would Alice want to do this? If a document is confidential it should not leave the company, right?</p>

<p><br />
Looking at my own use of company confidential documents, the exact reverse applies. In fact, as a general rule, virtually every document that I handle that is company confidential is also going to be shared outside the company by virtue of its intended function. Patent applications must be shared with outside counsel, responses to customer RFPs must be shared with the customer.</p>

<p><br />
There are of course some company confidential documents that should never be shared outside the enterprise, but these are rather less likely to result in immediate catastrophic damage if disclosed. I would not want an outsider to know the exact configuration of my internal networks or have access to the ATLAS source. But the consequences of unintended disclosure are unlikely to be as severe as disclosure of a bid submitted to a customer.</p>

<p><br />
My point here is that if we are going to produce a Content Level Encryption infrastructure that is going to meet real needs, we need to design it to allow it to cross organizational trust boundaries from the start, not as an afterthought. </p>

<p><br />
The first and most important constraint that this places on our design is that there is no value to a CLE scheme unless it is built on open, unencumbered standards. A clever scheme encumbered by patents is less likely to be of utility than a simpler scheme based on older technology. To do that, we ideally need to work with technologies that are described in patents that have either expired already or are close to expiry.</p>

<p><br />
Next we have to consider the security concerns of the receiving organization as opposed to Carol. Traditional PKI architectures focus on Alice and Carol as if they are the ultimate decision makers. But when Alice and Carol work for different companies we are dealing with four parties, not just two. The sending organization wants to be able to assure itself that it is willing to disclose the information, the recipient organization needs to be able to assure itself that it wishes to accept responsibility for accepting the data, to check that it is not contaminated by malware, that it is not unintended spam and so on.</p>

<p><br />
End to end security still matters of course, but there are four ends to this communication, not just two. If we are to meet the real end-to-end security requirements it must be possible for the sending and receiving organizations to scan the messages on their incoming and outgoing messaging gateways.</p>

<p><br />
What this means is that the sending gateway needs to decide whether the content of the file is data that it wishes to release to the recipient organization. Depending on the security policy governing the data this may mean checking that an NDA has been registered with the recipient organization.</p>

<p><br />
The sending gateway then needs to obtain the encryption key of the recipient organization, create the corresponding decryption block and pass the data along. On receipt the recipient must determine if the content is acceptable and if so create the necessary decryption block for Carol. </p>]]>
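<![CDATA[<p>The gateway exchange described above, worked through as an added example that is not part of the original post: the sending gateway checks the NDA registry and wraps the content key to the recipient organization's public key, the receiving gateway unwraps it, inspects the plaintext and only then issues a fresh decryption block addressed to Carol. The function names, the NDA registry map and the <code>acceptable</code> predicate (standing in for the gateway's malware and spam scanning) are assumptions of the example, and the keys are generated here rather than taken from certificates.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// NewKey makes a party's key pair; a real CLE deployment would take the public half from a certificate.
func NewKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}
// Wrap builds a decryption block: the content key encrypted to pub (RSA-OAEP). Unwrap reverses it.
func Wrap(pub *rsa.PublicKey, contentKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
}
func Unwrap(priv *rsa.PrivateKey, block []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, block, nil)
}
// Seal encrypts doc under a fresh content key (AES-256-GCM, 12-byte nonce prepended). Open reverses it.
func Seal(doc []byte) (key, ct []byte) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return key, g.Seal(nonce, nonce, doc, nil)
}
func Open(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key) // rejects a nil or wrong-length key
	if err != nil || len(ct) < 12 {
		return nil, errors.New("malformed key or ciphertext")
	}
	g, _ := cipher.NewGCM(blk)
	return g.Open(nil, ct[:12], ct[12:], nil)
}
// SendingGateway holds only the recipient organization's public key and releases the content key to it only if an NDA is registered.
func SendingGateway(nda map[string]bool, org string, orgPub *rsa.PublicKey, key []byte) ([]byte, error) {
	if !nda[org] {
		return nil, errors.New("release refused: no NDA registered for " + org)
	}
	return Wrap(orgPub, key)
}
// ReceivingGateway unwraps with the organization's private key, inspects the plaintext (acceptable stands in for malware/spam scanning), then re-wraps for Carol.
func ReceivingGateway(orgPriv *rsa.PrivateKey, carolPub *rsa.PublicKey, block, ct []byte, acceptable func([]byte) bool) ([]byte, error) {
	key, err := Unwrap(orgPriv, block) // on failure key is nil, which Open rejects
	if doc, e := Open(key, ct); err != nil || e != nil || !acceptable(doc) {
		return nil, errors.New("decryption block or content rejected by receiving gateway")
	}
	return Wrap(carolPub, key)
}
```
]]>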
        
    </content>
</entry>

</feed> 

