Wednesday, September 23, 2009

How not to buy a dustpan

If you wonder why some among us are not terribly sanguine about the idea of ceding more control and power to the Federal government, consider some of the procurement documents available at www.fbo.gov. The Federal Business Opportunities website lists nearly every contract that the feds want to bid to private business, and for those willing to wade into a swamp of stultifying bureaucratic language, it makes revealing reading. We will consider just two examples. Brave readers are invited to don their gaiters and explore for themselves.

Consider procurement FA8201-09-R-0088.
Briefly stated, folks at Hill Air Force Base in Utah were seeking assistance with the security documentation of some of their systems. That basic idea is contained in language like this:
The objective is to satisfy policy requirements of DIACAP IAW DoDI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), and AFI 33-210, Air Force Certification and Accreditation (C&A) Program (AFCAP) to complete Information Technology Lean and Security, Interoperability, Supportability, Sustainability, and Usability (SISSU) checklist in the Enterprise Information Technology Data Repository (EITDR).
This seemingly daunting array of acronyms and document references is actually comprehensible to those in the IT security business, but the actual solicitation is barely so. It reads more like a grammar school student's attempt to write a paper on the theory of relativity by stringing together related chunks from the encyclopedia. A knowledgeable reader quickly apprehends that the creators of this solicitation have little understanding of the subject about which they are writing. How they intend to judge the merits of the responses is a mystery.

But the real thigh slapper is found in the final pages of the work statement – truly revealing the thrown-together nature of the enterprise. Bidders are admonished that in the course of their work reviewing the security posture of IT systems they must be prepared to deal with toxic stuff:
If the contractor spills or releases any substance contained in 40 CFR 302 into the environment, the contractor or its agent shall immediately report the incident to the Hill AFB Command Post at 801-777-3007. The liability for the spill or release of such substances rests solely with the contractor and its agent.
The "40 CFR 302" (available to masochists and insomniacs here) is a 74 page document that includes lengthy definitions of words like "facility", "person" and "release". ("Release means any spilling, leaking, pumping, pouring, emitting, emptying, discharging, injecting, escaping, leaching, dumping, or disposing into the environment..."). Some 50 pages are taken up with a list of substances with names like Diethyl-p-nitrophenyl phosphate.

So in the unlikely event the intrepid security contractor releases more than 23 kilograms of Ethanimidothioic acid, he is enjoined to notify the command post. Great. Glad we have that covered.

What is not so amusing, and what speaks volumes about the mistrust with which many people regard the government, is the final addendum to the procurement request:
This is to notify all interested parties that the Government is hereby cancelling this solicitation. There has been a tremendous amount of interest and numerous questions on this requirement. These questions pointed out areas that we need to address and clearly define before we can re-solicit this requirement. We felt this action was necessary in order to provide you a better understanding of our requirements, proposal expectations and evaluation procedures. We apologize for any inconvenience.
Translated into plain English, this says:
Having hastily and carelessly thrown together this ill-defined request for bids, full of inconsistencies and security boiler-plate pasted from well known documents that say nothing about our actual requirements, we have received an avalanche of pointed questions from knowledgeable security professionals who have made us aware just how meaningless our document is. No doubt dozens of contractors have wasted hundreds of man-hours trying to create a comprehensible response to this mess, which will only serve to drive up the cost of the services that we will eventually procure when we fix this piece of junk and reissue it. Sorry about that.
Or consider this nine (yes, nine) page document drafted to procure dustpans for the General Services Administration (https://www.fbo.gov/index?tab=documents&tabmode=form&subtab=core&tabid=aaec633ba60681fba7e3155a6292cc6c). Dustpans are carefully defined thus:
The dustpan shall consist of a pan attached to a handle, and shall be in accordance with the following characteristics...The front edge of the pan shall be in continuous contact with the floor when in use or when pressed to the floor with slight downward pressure applied to the handle. When the dustpan is lifted from the floor by the handle, the pan shall swing downward by gravity into a vertical position so that debris will move into the hooded area. The handle shall balance in the upright position when the pan is flat on the floor. The handle shall not interfere with the entrance of debris into the pan.
In contrast to the previous procurement, it can be said that the writer of these words knows a little something about his subject. Now if only we could get that knowledge and precision applied to a slightly more complex topic like computer security.

Single payer health care, anyone?

Friday, August 14, 2009

Can the Post Office Save the Internet? (And vice versa?)

Enhanced identity credentials. We routinely offer a widely accepted credential (usually a driver's license) to facilitate in-person transactions, but there is no similar credential in the virtual world. Several years ago it was widely thought that public key systems would provide a basis for universal and robust identification for a host of online interactions.

However, the promise of PKI has not been realized. This is partly a function of the herky-jerky nature of technical innovation, and partly because public key crypto was burdened with unreasonable expectations. The phrase “non-repudiation” quickly became associated with PKI, suggesting that it could hold every certificate owner legally responsible for every keystroke, and that the “wet” signatures heretofore necessary and sufficient for the signing of contracts would become a thing of the past. Much was written by lawyers about the legal verifiability of digital signatures, and many changes were made to the PKI standards by technologists to accommodate evolving needs (see http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf as one example).

An elaborate structure constructed under the rubric of X.509 was proposed to create so-called “distinguished names”. One of the problems wrestled with during this period was that of “Certificate Revocation Lists”, or CRLs. Briefly, it goes like this: if Alice relies on Bob's certificate for some purpose, then Alice needs to be sure that Bob's certificate hasn't been revoked since it was issued (perhaps because Bob's private key was compromised). So technical committees concocted an elaborate protocol whereby Alice could get up-to-the-minute status on Bob's certificate, and lawyerly graybeards stroked their chins about the legal validity of CRLs. But ultimately, it proved as impractical as having store clerks consult a long list of stolen card numbers before completing every card transaction. (The later alternative, OCSP, replaces the downloaded list with a query to the issuer's responder for each certificate, which trades the distribution problem for one of responder availability.)

Suffice it to say, the vision of PKI as the silver bullet of on-line identification never took off.

But if we were to scale back our expectations and requirements, PKI could serve some current needs admirably. Suppose you could go to your local post office, show a drivers license, pay a modest fee, and be issued a certificate that asserted only that on a certain date, the holder of this certificate identified himself to a post office in the state of Virginia. In other words, the certificate would assert only that the bearer is a real person with a real identity, not a spammer. Businesses, large and small, represented by a real person, could do the same. Then, you could instruct your computer (or your ISP) to block all mail that wasn't accompanied by a “this is a real person” certificate. If a real person, who happens to be a spammer, obtains such a certificate, then it would be a simple matter to block the mail uniquely identified by that certificate. While the certificate would be cheap, it wouldn't be so cheap as to make “certified spam” a paying proposition. And if a certificate were associated with threats, harassment, or other malfeasance, a judicial warrant could be invoked to reveal the identity of its owner.

This would also permit widespread use of encrypted email. If your inbox is anything like mine, most of the mail is from repeat correspondents. With certificates all around, the first exchange of email would establish a symmetric session key that could be relied on for a few weeks or longer.
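As an added illustration, not code from the original post, here is the scaled-back scheme written against Go's standard-library X.509 support: a hypothetical post office CA that issues certificates naming only the state and the date of identification, a recipient-side filter that drops uncertified mail, checks the chain to the post office root and verifies the message signature, and a local blocklist keyed on the certificate's SHA-256 fingerprint in place of a CRL. Every name, subject string and message below is an assumption made for the example; the session-key step of the preceding paragraph is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PostOfficeCA is a hypothetical issuer whose certificates assert only that a
// real person showed ID at a post office in one state on one date; no name.
type PostOfficeCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // certificate serial numbers, shared by all issuers in this demo

// NewKey ignores the error because GenerateKey fails only if the OS RNG does.
func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// issue adds the fields every certificate needs (a serial number, and a
// 100-year validity standing in for the post's "might never expire") and signs.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(100, 0, 0)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

func NewPostOfficeCA(state string) *PostOfficeCA {
	key := NewKey()
	root := &x509.Certificate{
		Subject: pkix.Name{Organization: []string{"Post Office (hypothetical)"}, Province: []string{state}},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, _ := x509.ParseCertificate(issue(root, root, &key.PublicKey, key))
	return &PostOfficeCA{Cert: cert, key: key}
}

// Enroll is the counter transaction: the clerk has checked the licence (not
// modelled), the bearer hands over a fresh public key, and the certificate
// names only the issuing state and the date.
func (ca *PostOfficeCA) Enroll(pub *ecdsa.PublicKey, date time.Time) []byte {
	return issue(&x509.Certificate{
		Subject:  pkix.Name{Province: ca.Cert.Subject.Province, CommonName: "real person, identified " + date.Format("2006-01-02")},
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca.Cert, pub, ca.key)
}

// Fingerprint (SHA-256 of the DER) is what recipients and ISPs blocklist;
// nobody maintains a central CRL.
func Fingerprint(certDER []byte) string { return fmt.Sprintf("%x", sha256.Sum256(certDER)) }

// SignMail produces the detached signature that travels with a message.
func SignMail(key *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:]) // fails only if the OS RNG does
	return sig
}

// MailFilter is a recipient's or ISP's policy: trust only the post office
// root, drop uncertified mail, drop anything on the local blocklist.
type MailFilter struct {
	Roots   *x509.CertPool
	Blocked map[string]bool
}

// Accept returns nil when the message should be delivered, otherwise why not.
func (f *MailFilter) Accept(msg, sig, certDER []byte) error {
	if len(certDER) == 0 {
		return fmt.Errorf("no certificate")
	}
	if f.Blocked[Fingerprint(certDER)] {
		return fmt.Errorf("certificate is blocklisted")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: f.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err = cert.Verify(opts); err != nil {
		return fmt.Errorf("not issued by the post office: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if h := sha256.Sum256(msg); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match certificate")
	}
	return nil
}

func main() {
	po, carl := NewPostOfficeCA("Virginia"), NewKey()
	carlCert := po.Enroll(&carl.PublicKey, time.Now())
	filter := &MailFilter{Roots: x509.NewCertPool(), Blocked: map[string]bool{}}
	filter.Roots.AddCert(po.Cert)
	hello, spam := []byte("Hi Alice, lunch Tuesday?"), []byte("CHEAP PILLS") // constructed messages
	fmt.Println("Carl -> Alice:", filter.Accept(hello, SignMail(carl, hello), carlCert))
	fmt.Println("uncertified spam:", filter.Accept(spam, nil, nil))
	fmt.Println("spam with Carl's stolen key:", filter.Accept(spam, SignMail(carl, spam), carlCert))
	filter.Blocked[Fingerprint(carlCert)] = true // recipients blocklist the abused certificate
	fmt.Println("same spam after blocklisting:", filter.Accept(spam, SignMail(carl, spam), carlCert))
}
```

Two things worth noticing. The blocklist is nothing more than a map of fingerprints that each recipient or ISP keeps for itself, so there is no revocation infrastructure to stand up, but also nothing that ever removes an entry; with certificates that never expire, a fingerprint blocked by mistake stays blocked until that site's operator takes it out. And the filter trusts one root certificate only, so a spammer who sets up his own "post office" fails the chain check just as an uncertified sender does; how the real root gets onto every recipient's machine is the part of the scheme this code does not answer.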

A couple of possible objections:

Wouldn't this destroy anonymity on the net, thereby undermining its usefulness as a medium of free expression and a useful tool for whistle blowers?

No. First off, a warrant would be required to identify the certificate holder. But even if one assumes that the judicial system is compromised, and that jack-booted thugs (or the NSA) will subvert the system somehow, it is perfectly reasonable to suppose that anonymous proxies will accept mail, or other connection types, without demanding a certificate. If the Washington Post, various hotlines, and private detective agencies choose to accept non-certified mail, they will not make a tempting target for spammers or hackers, since they provide no conduit to the credulous souls that actually respond to spam, or connectivity to systems worth subverting.

During the late 1980's there was considerable discussion about the privacy impacts of caller ID for the phone system. (http://catless.ncl.ac.uk/Risks/8.42.html#subj1.1). On balance, it would seem that most people prefer the advantage of knowing who is calling before they answer the phone.

Wouldn't the expense and hassle of maintaining the certificates outweigh the benefits?

Given the low level of trust associated with the certificate, it seems unlikely. Potentially, the certificates might never expire. Certificates would only need to be verified occasionally, for example, when one received an email from a new correspondent. Mail to and from your bank, your doctor, your friends and the garage would all be encrypted with the symmetric key that was established at the first email exchange. Post offices are ubiquitous and have been in the business of facilitating the reliable delivery of messages for generations. It would be easy for certificate owners to solve problems and update keys when there is a walk-in help desk in every zip code.

OK, so Carl Clueless has his bright, shiny new certificate. But because he's as stupid as someone who composes text messages on the Santa Monica Freeway during rush hour, his private key is gathered up by a bot herder and used to impersonate him. Now what?

The bot herder can't impersonate Carl in any meaningful sense, since he doesn't know who Carl is. All he knows is that he has the credential of someone who went to the post office and presented an ID. If the spammers want to know who Carl is, they are going to have to identify themselves to the PO. If the spammer uses it to send spam, it won't be long before the certificate winds up on users' and ISPs' blacklists. Note, this isn't a CRL, at least not in the traditional sense, because it is distributed, and no single entity is responsible for maintaining it. But when Mr. Clueless discovers that his mail is being rejected all over the place, he will trudge to the PO, get a new certificate for, say, $10-20, and probably ask himself, “How can I keep this one safe?”

There are questions: How do we help Carl Clueless guard his key? By placing it on a read-only USB stick? Maybe. This seems to be the only way to make it portable, though a read-only stick keeps the key from being altered, not from being copied by a compromised host while it is plugged in. And there may be issues I haven't thought of (incredibly). I'd be interested to hear the ideas of others.

Monday, August 10, 2009

Making the Internet Safe

Recently, the White House issued a much anticipated (at least by the IT security community) report titled Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure.

Much of the response has been laudatory, albeit less than wildly enthusiastic. It's easy to understand why. The report says lots of things that are true, and worth repeating. Unfortunately, that's mostly all it does: say things that have been said before. Earlier versions of these platitudes date back to the Clinton administration (here). A later version created during the Bush administration can be found here. These are but two examples. It is left as an exercise for the reader to find half a dozen more. And now that the much respected Melissa Hathaway, primary author of the report, has stepped out of the Klieg lights, one can almost hear the dust beginning to gather on this report.

Among the many themes that bounce off the walls of this echo chamber, we have:

  1. The Internet has transformed American life and commerce.

  2. We are increasingly dependent on computers and networks for the operation of vital supply chains, financial markets and various elements of the infrastructure.

  3. The complexity, interconnectedness and ubiquity of the Internet make it vulnerable to attack and hard to secure.

  4. Attacks have been increasing in frequency, severity and sophistication.

  5. Most of the IT communications infrastructure is in private hands.

  6. It is important for government and the private sector to work collaboratively to secure cyberspace.

  7. It is important to protect the privacy and civil liberties of the citizenry.

  8. Responsibility for information security is distributed across multiple departments and agencies in the federal government.

Asleep yet?

The endless repetition of these bromides will not move us forward. Here is what will:

  • Creating specific criteria that financial institutions must enforce when conducting on-line transactions with customers. I don't mean nebulous standards that vaguely outline best practices. I mean specifics like the use of strong authentication.

  • Requiring Internet Service Providers to play an enhanced role in protecting the Internet and its users.

  • Establishing a mechanism that would allow citizens to establish an on-line identity that is nearly as reliable as the ubiquitous drivers license.

I'll have more to say on these suggestions shortly. (Promise).

Tuesday, June 16, 2009

Microsoft sobers up too late

Long after the besotted drunkard has sworn off the demon rum and found sobriety, the after effects of years of debauchery linger. The rheumy eye, the gravelly voice and the damaged liver remain as testimonies to the years of indulgence. So it is with Microsoft.

Not that the software giant has been drinking too much. But it is only recently that Microsoft has got religion when it comes to security. The Trustworthy Computing Initiative, the Security Development Lifecycle, and all the other initiatives that MS has undertaken to assure us that, as they state on their website, “The security of our customers' computers and networks is a top priority, …” are most welcome, but the lateness of this conversion comes at a price.

Anyone who follows computer security news is aware that the Wall Street Journal recently published a story asserting that the systems that control our nation’s electrical grid had been found to be undermined by malware.
Less well publicized, but equally disturbing is a story about the Conficker worm invading medical devices.
Rodney Joffe…told a panel of the House Energy and Commerce Committee …that he and another Conficker researcher identified at least 300 critical medical devices from a single manufacturer that have been infected with the computer virus.
As a side note, most renditions of this story state that the device manufacturer claims FDA rules require a 90-day notice before the machines can be patched. The ZDNet version headlines, “Red tape keeps Conficker on medical devices”. However, this writer could not find any such regulation. In fact, one FDA advisory document (here) says specifically that “premarket review” is “usually not…required prior to the implementation of a software patch to address a cybersecurity vulnerability.” It’s hard enough to comply with actual government regulations, let alone imaginary ones.

Microsoft’s indulgence has not been demon rum, but complexity and performance. The original versions of Windows NT (for those of you who remember that far back) boasted a ring architecture which segregated essential OS functions like memory management into a central “kernel”. Non-essential functions like graphics rendering were relegated to a less trusted, peripheral area (the user-mode Win32 subsystem), and had to request memory management functions from the “outside” like everybody else. But with NT 4.0, complaints about performance took precedence over robust security design, and the window manager and graphics routines were moved into kernel mode (win32k.sys) so that applications could run faster. The boundary between kernel and non-kernel did not disappear, but it was drawn far more generously than the original design intended. The result we are living with today is seen in things like the perennial updates to applications like the Adobe Acrobat reader. What should be a forgettable utility has the potential to subvert the integrity of your laptop, because graphics routines that should be powerless to affect the operating system run inside its core: a bug in the code that renders a font or an image is a bug in the kernel. The sad thing is that hardware speeds are now so good that if MS had stuck to the NT design model, no one would notice any performance hit.

One positive glimmer of hope: the advent of a BIOS-based operating system called Hyperspace. The marketing pitch on the website is focused on the benefits to the end user (performance, ironically). Hyperspace can run a browser and an email client, and, mirabile dictu, it boots up in seconds. It can also run side-by-side with Windows, so when you need to load all those clunky drivers, add-ons, and bloated Adobe readers, you can do so. While the product is geared toward the laptop user market, I see no reason why it can’t be used as the platform for, say, ATM software. In which case, maybe this wouldn’t happen:

Automated Teller Machine (ATM) Malware Analysis

Sheesh....pretty soon, some dingbat will decide it’s a good idea to use XP as the basis for voting machine software…Oh, wait…


Microsoft’s conversion is, as I said, welcome. But the damage is done. It’s time for a liver transplant.

Wednesday, March 18, 2009

Stopping Adults Facilitating the Exploitation of Today's Youth (SAFETY)

I've heard it said that the quality of an Italian restaurant is inversely proportional to the size of the pepper grinder the waiter brings to your table. In other words, if the grinder is the size of a telephone pole, you're better off warming up some Chef Boyardee.

I think a corollary of that axiom applies to legislation and the acronym used to name it: The more contrived the acronym, the more dubious the legislation. The SAFETY act is a good example.

If you thought legislative ignorance regarding internet technology had reached an all time low when former Senator Stevens characterized the Internet as a series of tubes, you were wrong. In a move of stunning inanity, some legislators are backing legislation that states, “A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.” You can read about it here, among many other places.

Its sponsors claim that this is needed to protect our children, saying things like, “ While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children”

I won't bother to explain how absurd it is for every WiFi Hotspot administrator to keep track of the transient users of the thousands of DHCP addresses a busy node hands out every day, or even how such a scheme would be ineffectual even if it was practical, since elementary MAC-address spoofing, well within the reach of your average script-kiddie, could implicate a latte-sipping teeny-bopper in child porn trafficking, were she unlucky enough to use her netbook while seated next to a tech-savvy pedophile at Starbucks. Nor will I exhort you to contact your elected representatives to express your outrage, because this will never become law. The politically muscular forces of the so-called “hospitality industry” will make a few phone calls, and the sponsoring congress-critters will issue a meek, “Never mind”, like this:


I will, however, issue my suggestion for a more appropriate acronym:

Saddling Technologists with Onerous Obligations Ostensibly Preventing Internet Deviance

Tuesday, February 24, 2009

Technology and Peepers

In one of the more self-serving and tendentious pieces I've seen in a while, Brian Cleary, a marketing VP for Aveksa, suggests that today's high-tech Peeping Toms should not be held accountable for their voyeurism (here). Specifically, he states,
“The natural curiosity of employees to view the private records of political figures and celebrities is leading to people losing their jobs or being criminally convicted. Most of these workplace incidents are not tied to identity theft or other bad intentions, they are simply employees taking advantage of access policy gaps at the companies they work for...”

First, let me dispense with the nits. There are no “gaps” in the policy. There may or may not be gaps in the enforcement of the policy, or the training and awareness programs designed to promulgate the policy, but if employees are “breaking privacy laws” it seems likely that they are probably in violation of company policy. I've read my share of fine print, and usually these things have words that convey the idea, “Don't break any laws”.

Cleary actually admits this when he states, “Employees... need to realize that unless there is a job-related reason for them to access these records, even sneaking a peek at them is a very bad idea.” Indeed. But Cleary's solution is not to treat employees like adults, or expect them to behave accordingly. His solution is to baby-proof the database: “The real problem here is not the natural curiosity of employees, but rather the poor controls for how user access is governed at these organizations.” It perhaps comes as no surprise that Mr. Cleary's company sells the cyber equivalent of the plastic gizmos parents put on kitchen cabinets to keep toddlers away from the Drano.

I've also raised my share of children, and seen them traverse Kohlberg's stages of moral development. Adults know they shouldn't look at Barack Obama's cell phone bill or Britney Spears' medical record, even if they have access to it, if they have no legitimate reason for doing so. If their moral development is so paltry that they can't be expected to restrain their “natural curiosity” out of respect for ordinary social norms (let alone anything loftier) then they should be treated like the moral children they are: Warn them that if they misbehave, they will be spanked, and if they ignore the warning, spank them. And give them the constant reminders children need: When users log on to programs that give them access to private records, remind them that Peeping Toms get fired, and reinforce the reminders, perhaps whenever a user opens a record for the first time.

I'm all for sophisticated, fine-grained access controls, and Aveksa's products may be wonderful – I don't pretend to know. But I do know that expecting technology to serve as a substitute for honorable (or at least self-interested) employees is unwise.

Wednesday, February 18, 2009

Infrastructure, regulated and otherwise

We are hearing a lot of talk about infrastructure. The much heralded bill that has made its way through the congressional sausage maker is expected to “invest” untold billions on roads, bridges and... heaven knows what. One of the components frequently mentioned is the computer infrastructure. (The figure I've heard as I post this is a whopping 7 billion.) While a 21st century version of the Rural Electrification Act that provides broadband access to East Cupcake, Wyoming sounds tempting, I doubt it will do much for the economy. I am sure, however, that it will do nothing good for the Internet. With all due respect to the good people of East Cupcake, we don't need to add thousands of Internet newbies as new cannon fodder for the botnet herders.

Access to our infrastructure is for the most part controlled. Think of the extraordinary measures we take to protect those roads and bridges and the people and commerce that traverse them. Drivers have to have a license. In order to get a license, they have to pass a test and pay a fee. If they drive a large truck, or a small motorcycle, they have to get a special license. The vehicles themselves have to be inspected, registered and insured. Why? Aside from generating revenue that politicians can “invest” in fulfilling their promises to make our futures bright, we are all safer when our fellow infrastructure users have some notion of how to drive and extra incentive to keep their brake linings maintained.

But not so on the Internet. Anyone with the cyber equivalent of a scooter can coast onto the information superhighway, and if their lack of preparation or ineptness results in a 20-car pileup and commensurate casualties...well, it's all just part of life on the new electronic frontier.


Allow me to suggest that the wild west phase of the Internet is over. If taxpayers are going to foot the bill for the infrastructure that facilitates all this commerce and information flow, we should insist that those who use it don't endanger us by allowing their machines to be subverted by the cyber mafia.