Blown To Bits

Archive for the ‘Security’ Category

Cyberspace as a National Asset

Thursday, June 24th, 2010 by Harry Lewis

That is the name of the bill introduced this week by Senators Lieberman, Collins, and Carper, giving broad powers to the executive branch to control the Internet in case of certain emergencies. It is an important bill and it’s going to excite a lot of discussion about how much we need, and how much we fear, government control of the Internet.

The worries have been growing. A year ago a similar bill was introduced by Jay Rockefeller of WV. Richard Clarke’s Cyberwar is #1605 on Amazon as I write this post. We all know the damage that teenagers and criminals can do — imagine what an organized cyber-attack orchestrated by our enemies could accomplish.

As the worries have been growing, so has the skepticism. There was a terrific Intelligence Squared debate a couple of weeks ago about whether the “cyberwar” risks had been exaggerated. Mike McConnell of Booz Allen Hamilton, and former director of the NSA, argued that the risks had not been exaggerated, and he was joined by Jonathan Zittrain. Arguing the other side were privacy expert Marc Rotenberg and computer security expert Bruce Schneier. Schneier listed some of the purple language that had been used to describe the attacks that are occurring already — 9/11, Pearl Harbor, etc. — and noted that we in the U.S. love to use war language for describing things that are not wars but crimes, almost as much as we hate labeling as wars things that really are wars, our decade-old undeclared wars abroad. McConnell acknowledged that “war” is a metaphor, but so was “Cold War,” and no one doubts that the risk was real and that we won.

But it was Rotenberg who drilled down on the underlying problem with the rhetoric, which is not the semantic question of metaphors and language, but that purple language has repeatedly been used by the government in the past to argue for sweeping technological controls that undermine personal liberties. Rotenberg referred to the demands (recounted in Chapter 5) for government control of encryption technology, key escrow requirements, and the proposed requirement for the Clipper Chip. None of these supposedly essential measures wound up being approved, Rotenberg notes, and here are our friends from NSA back to help us again. McConnell responded that there was no danger to civil liberties — you just have to get the laws right and then unwarranted government surveillance would be illegal. Marc exploded that mere illegality had not stopped warrantless wiretapping under the Bush administration. McConnell promised to return to the issue if asked to, but it never happened.

I do think that exchange was at the crux of the issue. If you could trust the government, we wouldn’t worry about government monitoring what we are doing. But the whole Constitution is premised on the fact that we can’t trust the government always to do the right thing. Even reasonable-sounding laws are written with vague edges — especially laws about technology, which are drafted to cover innovations that haven’t happened yet. Prosecutors and other government officials, confronted with people they don’t like and a law with elastic edges, will stretch the law to cover the situation, and such cases often don’t even come to trial because the defendant pleads to a lesser charge rather than risk the judgment of the court on whether a harsh law is being stretched too far. (See Harvey Silverglate’s gripping and scary Three Felonies a Day.)

The Lieberman-Collins proposal allows the President to declare a “national cyber emergency” (the term is defined, but based on the examples in Clarke’s book and McConnell’s debate remarks, the NSA would probably argue that we have been in one several times, perhaps continuously). A new bureaucracy, the National Center for Cybersecurity and Communications, would reside within Homeland Security and would be charged with developing plans for responding to emergencies and seeing that they are implemented. CNET’s Declan McCullagh described the legislation as creating an Internet “kill switch,” separating problematic servers from the Net by government edict. Lieberman’s spokespeople were offended, saying that the legislation actually restricted authority the president already had under the 1934 Telecommunications Act.

The devil will be in the details.

Missing in the immediate reaction is the answer to a question raised by Chris Soghoian in the Intelligence Squared debate. None of this would be as much of a problem if our computer software wasn’t buggy. If Microsoft’s operating system were not so vulnerable to attack, the risks to the nation of being attacked would be a lot less. Is anyone in Washington thinking about requiring Internet security at that level–with some significant financial penalties for violators?

Did Google Get “Hacked” by Social Deception?

Saturday, February 6th, 2010 by Harry Lewis

Marc Ambinder of the Atlantic reports an interesting theory of how the Chinese managed to penetrate Google’s security barrier, which should be about the best in the world. Very little of the attack was technologically novel, according to his source, University of Texas Computer Science Professor Fred Chang. The key steps were figuring out the names of key system administrators, and looking at their profiles on Facebook and other social networks. The attackers then masqueraded as social network “friends” of the sysadmins, tricking them into clicking on links that turned out to embed malware on their computers. From that point on the theft of passwords was easy. The masquerade required exploiting an unpatched security hole in Internet Explorer; we knew that part. But the sysadmins are presumably pretty sophisticated about suspect email, so getting the identities of their “Friends” was essential.

Of course, by Facebook’s new policy, there is no way to hide your Friends list. I wonder if stories like this one will put any pressure on Facebook to change that policy.

This is all speculation, Ambinder notes. But Chang used to have a high level job at the NSA, so it’s a fair guess he’s familiar with some of the tricks that cyberattackers have tried in the past.

The Full Body Scanning Debate

Wednesday, December 30th, 2009 by Harry Lewis

In the New York Times, travelers and privacy experts present their views on whether the millimeter-wave scanners I discussed yesterday are an unacceptable invasion of privacy. Quoting a Utah Republican who sponsored a bill (which passed the House but not yet the Senate) banning the use of the devices except as secondary screening technology, the story says

“I’m on an airplane every three or four days; I want that plane to be as safe and secure as possible,” Mr. Chaffetz said. However, he added, “I don’t think anybody needs to see my 8-year-old naked in order to secure that airplane.”

Which is to say what, that no terrorist would put a bomb on an eight-year-old? I wonder if there is a name for this rhetorical device, where one transforms a general proposition into a personal insult.

EPIC, which had previously filed suit for more information about these devices, seems to me to have it right.

Marc Rotenberg, head of the Electronic Privacy Information Center, said his group had not objected to the use of the devices, as long as they were designed not to store and record images.

Keep the screens in a separate room (as is done). Disable the recording capability (as is done). Make sure the operator doesn’t have a cell phone camera if you wish (though it is hard to imagine much titillation coming from these images, compared to what is readily available). But yes, check the passengers the way you check their luggage, and the wheel bearings for that matter. And yes, that is a role for government, or government-controlled entities. I don’t think we want a free market here, allowing airlines to trade off security for ticket price and allowing consumers to decide for themselves how much risk they are willing to accept.

Bruce Schneier is a very astute security expert, but I am not sure I follow his logic here:

Bruce Schneier, a security expert who has been critical of the technology, said the latest incident had not changed his mind.

“If there are a hundred tactics and I protect against two of them, I’m not making you safer,” he said. “If we use full-body scanning, they’re going to do something else.”

The millions of dollars being spent on new equipment, he said, would be better invested in investigation and intelligence work to detect bombers before they get to any airport.

The last part is surely true. Figuring out the line determining when someone goes on a no-fly list is tricky business. You don’t want any father with a grudge against his son to be able to ground the son by making a call to the Embassy. But it sounds like there were enough other dots to connect in this case to have set off appropriate alerts. I take Schneier’s point to be that the security perimeter at the airport is not the only place, nor even the best place, to keep terrorists off the plane, and the threat model that puts all the energy at stopping them there will be ineffective in practice. That sounds right, but isn’t really an argument against the use of the millimeter-wave technology.

Millimeter wave scans = privacy infringement?

Tuesday, December 29th, 2009 by Harry Lewis

The recent attempt by a Nigerian man to blow up a plane flying into Detroit has brought the subject of millimeter wave scans back into public discussion. These scans use very short-wave radio signals to peek through people’s clothing and see what they may have underneath. Some privacy advocates resist the use of these devices, because they show genitalia, as well as revealing breast implants and so on.

Maybe I am missing something, but I can’t get excited about the fact that a security screener might get a glimpse of an X-ray like image of my private parts in the course of verifying that I wasn’t hiding some explosives there (as the alleged terrorist apparently was). It may not be useful or effective to screen everyone–maybe you’d do some obvious profiling (bought the ticket with cash, etc.) to reduce the workload on the screeners and keep them sharper. But if the image isn’t stored, I don’t see any privacy problem in principle here. In enlightened societies at least, we have mostly gotten past prudery in medical care–not many hospital patients would today insist on having their bedpans emptied only by same-sex attendants. If you want to use the technology of air travel, you need to accept the technology of security (provided, once again, that it really is security-enhancing and not just in place to create a phony sense of security).

By the way, the TSA hasn’t yet fixed the huge security hole, pointed out by Chris Soghoian several years ago, that they check the boarding pass against your ID at the security perimeter and the boarding pass against the electronic ticket record at the gate, but never verify that the ticket matches your ID, unless you check a bag. If you are not checking luggage, the two boarding passes could be different.

Privacy bonus: Canada’s Daily Post has an article about privacy loss, which quotes Blown to Bits and ends with a Christmas-spirit thought that sprung into my head when I was interviewed last week:

Harry Lewis, a professor of computer science at Harvard and co-author of Blown to Bits, said the book was written to get people thinking about how much of their personal information they surrender every day. He worries that the less privacy we enjoy, the more it will discourage social advances.

“The loss of privacy is a socially conforming force,” he said in an interview. “So many social experiments over the course of human history — religious innovations, political dissent — started among small groups of mutually trusted friends who gradually gained acceptance for their beliefs and their behaviours.”

If Jesus’s early followers had a Facebook group, he joked, “they would have been stamped out very quickly.”

How Much Did We Pay for These Drones?

Thursday, December 17th, 2009 by Harry Lewis

Incredibly, the signals between the unmanned drones being used in Iraq and Afghanistan and their base stations are transmitted in the clear — unencrypted. The insurgents have figured that out and are watching the same scenes that our military is watching. The Wall Street Journal says the system has been “hacked.” Not really — no more, as a colleague put it to me, than someone who buys a police scanner is “hacking” the police radio system.

Encrypting signals is easy, obvious, and taken for granted. How could the system have been designed and deployed without it?

Senate Moves to Give President Control Over the Internet

Friday, August 28th, 2009 by Harry Lewis

Senator Jay Rockefeller of West Virginia has introduced legislation that would give the President the authority to declare a “cybersecurity emergency” and take control of certain private, non-governmental networks during such an emergency. The bill is full of vague language and describes powers that can be exercised without any judicial or other review, if necessary for U.S. “national defense and security.”

There are all kinds of problems here, as the Declan McCullagh report enumerates. First, the government has shown itself not to be very good at cybersecurity. For another, the Obama administration invoked national security as the reason not to share a draft intellectual property treaty with the public. (See Say It Ain’t So, Barak, March 14, 2009.) By that standard, the government could take over the Internet on a whim or a scare.

This legislation is seriously flawed.

Ban Sex Offenders from Social Networking Sites?

Thursday, August 20th, 2009 by Harry Lewis

The state of Illinois has enacted a law prohibiting anyone classified as a sex offender from using any social networking site. The definition of the latter is quite complicated — it certainly covers more than Facebook and Myspace. Blogs may qualify as well. The language is hard to parse.

I understand the impulse, but this looks like another blunt instrument designed in a moment of panic, like the Child Online Protection Act we discuss in Chapter 7 of Blown to Bits. Andrew Moshirnia argues that it’s probably unconstitutional as other such laws have proved to be — it simply restricts too much speech that doesn’t need restriction in order to get at the subset that is actually objectionable. Moshirnia points out two other minor problems: it won’t work (it’s too easy to create a fake identity online) and sex offender registries are overbroad (read my other book, Excellence Without a Soul, if you’d like to see how one Harvard undergraduate earned his status on the list). Then there’s the fact, abundantly documented in the Internet Safety Technical Task Force report, that the Internet is not the enabler of sex crimes that politicians love to pretend it is.

Go after the crimes, not the tools. The fact that some people can use their liberty for evil ends is no reason to restrict anyone’s liberty pointlessly.

The President as the Commander-in-chief of Cybersecurity

Friday, April 3rd, 2009 by Harry Lewis

A draft cybersecurity bill empowers the president to commandeer the Internet under vaguely specified circumstances:

The President … may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network …

Now the Internet is inherently hard to control, because of its distributed architecture, and the vast numbers of private and governmental parties, spread across the globe. I wonder what would actually happen if he gave the order. The language of the bill also states that the President

may order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security,

which may sound reasonable until you recall how capacious “national security” interests can be — broad enough that allowing the American public to see the draft of an anti-music-piracy trade agreement drafted with the assistance of the RIAA is also considered a national security threat. By that standard, the President could cut off your Internet connection if he thought you were a file-sharing risk.

There is, moreover, a category of “Federal government and private sector owned critical infrastructure information systems and networks.” These are not defined in the proposed statute — the President (surprise) gets to say which systems and networks are “critical.” The bill then gives the government complete access to everything about them:

The Secretary of Commerce shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access.

Now I am guessing that the Internet backbone would be critical, don’t you think? Pretty much all traffic flows through the backbone, so it seems this clause may with one stroke of a pen invalidate ALL privacy laws and protections relating to electronic communications.

There is a lot in this bill to like — it calls for important research and creates some emergency-response structures that are likely to be more good than threatening. There is also much to make one suspicious — it leads with appeals to the economic importance of the Internet, and talks about “intellectual property” long before it mentions “banks.” But the worst seems to me in these few lines, where the drafters, our elected representatives, have said, “The government can seize control of it all and can look at everything.” So much for Congress checking the power of the executive to monitor and interfere with the communications of citizens!

Huge Cyber-Spy Ring

Sunday, March 29th, 2009 by Harry Lewis

A remarkable report was released yesterday by researchers at the University of Toronto. A very sophisticated malware distribution has been reporting from hundreds of infected computers for at least a year now. Among the computers affected are those of groups allied with the Dalai Lama, and the reports appear to be going to China. The malware has the capacity not only to send documents back, but to turn on the computer’s camera and microphone so everything that is happening in the vicinity of the computer can be observed. John Markoff has an excellent summary in the New York Times, and the full report is available for download here.

This is scary stuff, and no laughing matter. Other sites that were part of the network included a computer in an Indian embassy.

“Peer to Peer” Sometimes Means “Defense Contractor to Iran”

Sunday, March 1st, 2009 by Harry Lewis

Someone working for a defense contractor in Bethesda, Maryland did what millions of teenagers do — he installed a peer-to-peer filesharing program on his computer so he could share and download music. He evidently was unaware that the same permission that allows computers elsewhere to reach into his computer and take copies of songs also allows those computers to reach in and take other files stored on his computer. Such as, for example, engineering and communications information about Marine One, President Obama’s helicopter, which turned up on a computer with an IP address locating it in Teheran, Iran. Oops! The story goes on to explain,

Retired Gen. Wesley Clark, an adviser to Tiversa [the company that made the discovery], said the company discovered exactly which computer the information came from. “I’m sure that person is embarrassed and may even lose their job, but we know where it came from and we know where it went.”

Well, General Clark may be half-right there; no doubt they identified the source. But who knows where else that information now is? Once it’s out there, there is no taking it back.

The bad guys are out there, just checking who’s left the back door unlocked. I doubt this computer in Bethesda is the only one.

Thanks for the tip to my colleague Matt Welsh, who is, by the way, running his own blog. The most recent item is about his experience of blowing his music to bits — that is, freeing his music collection from the plastic CDs that used to contain it.