
January CRYPTO-GRAM newsletter

From:  Bruce Schneier <schneier@counterpane.com>
To:  crypto-gram@chaparraltree.com
Subject:  CRYPTO-GRAM, January 15, 2003
Date:  Wed, 15 Jan 2003 03:07:52 -0600

                  CRYPTO-GRAM

                January 15, 2003

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            schneier@counterpane.com
          <http://www.counterpane.com>


A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on computer security and cryptography.

Back issues are available at 
<http://www.counterpane.com/crypto-gram.html>.  To subscribe, visit 
<http://www.counterpane.com/crypto-gram.html> or send a blank message 
to crypto-gram-subscribe@chaparraltree.com.

Copyright (c) 2003 by Counterpane Internet Security, Inc.


** *** ***** ******* *********** *************

In this issue:
      Militaries and Cyber-War
      Crypto-Gram Reprints
      The Doghouse: Yahoo
      News
      Counterpane News
      Security Notes from All Over:  Cichlids
      The RMAC Authentication Mode
      Comments from Readers


** *** ***** ******* *********** *************

            Militaries and Cyber-War



Recently I was interviewed by an Iranian newspaper on the subject of 
computer security.  One of the questions I was asked was whether or not 
the Pentagon had a secret weapon that could disable the Internet.

It's an interesting question.  I have no idea what the real answer is, 
but I can certainly speculate.

There's no doubt that the smarter and better-funded militaries in the 
world are planning for cyberwar, both attack and defense.  It's a 
multifaceted concept.  A military might target the enemy's 
communications infrastructure through both physical attack -- bombings 
of selected communications facilities and transmission cables -- and 
virtual attack.  It would be foolish for a military to ignore the 
threat and not invest in defensive capabilities, or to ignore the 
possibility of launching an offensive cyber-attack against an enemy 
during wartime.  And while history has taught us that many militaries 
are indeed foolish, some are not.

This implies that at least some of our world's militaries have Internet 
attack tools that they're saving in case of wartime.  They could be 
denial-of-service tools.  They could be exploits that would allow 
military intelligence to penetrate military systems.  They could be 
viruses and worms similar to what we're seeing now, but perhaps 
country- or network-specific.  I can certainly imagine a military 
finding a new vulnerability in a common operating system or software 
package and keeping it secret, hoping to use that vulnerability to 
their advantage in wartime.

So my guess is that the U.S. military could disable large parts of the 
Internet, at least for a while, if they wanted.  But I doubt that they 
would do so; it's far too useful an asset, and far too large a part of 
our economy.  More interesting is whether they would try to disable 
pieces of it.  If we went to war with country X, would we want to 
disable their portion of the Internet, or remove connections between 
their Internet and our Internet?  Depending on the country, a low-tech 
solution might be the easiest: disable whatever undersea cables they're 
using as access.  Could the U.S. military turn the Internet into a 
U.S.-only network if they wanted?  That seems less likely, although 
again a low-tech solution involving the acquiescence of companies like 
Cable & Wireless might be the easiest.

One important thing to remember here is that you only want to shut an 
enemy's network down if you aren't getting useful information from 
it.  The best thing to do is to infiltrate the enemy's computers and 
networks, spy on them, and surreptitiously disrupt select pieces of 
their communications when appropriate.  The next best thing is to 
passively eavesdrop.  After that, the next best is to perform traffic 
analysis.  Only if you can't do any of that do you consider shutting 
the thing down.

When a military discovers a vulnerability in a common product, they can 
either alert the manufacturer and fix the vulnerability, or not tell 
anyone.  In U.S. military circles, this is called the equities 
issue.  It's not an easy decision.  Fixing the vulnerability gives both 
the good guys and the bad guys a more secure system.  Keeping the 
vulnerability secret means that the good guys can exploit the 
vulnerability to attack the bad guys, but it also means that the good 
guys are vulnerable.

Script kiddies are attackers who run exploit code written by others, 
but don't really understand the intricacies of what they're 
doing.  Professional attackers spend an enormous amount of time 
developing exploits: finding vulnerabilities, writing code to exploit 
them, figuring out how to cover their tracks.  The real professionals 
don't release their code to the script kiddies; the stuff is much more 
valuable if it remains secret.  I believe that some militaries have 
collections of vulnerabilities, and code to exploit those 
vulnerabilities, that they are saving in case of wartime or other 
hostilities.  It would be irresponsible for them not to.


My interview in the Iranian newspaper.  (To be honest, I have no idea 
what it says.)
<http://www.jamejamdaily.net/shownews2.asp?n=26454&t=com>


** *** ***** ******* *********** *************

             Crypto-Gram Reprints



Crypto-Gram is currently in its sixth year of publication.  Back issues 
cover a variety of security-related topics, and can all be found on 
<http://www.counterpane.com/crypto-gram.html>.  These are a selection 
of articles that appeared in this calendar month in other years.

A cyber Underwriters Laboratories?
<http://www.counterpane.com/crypto-gram-0101.html#1>

Code signing:
<http://www.counterpane.com/crypto-gram-0101.html#10>

Block and stream ciphers:
<http://www.counterpane.com/crypto-gram-0001.html#BlockandStreamCiphers>


** *** ***** ******* *********** *************

            The Doghouse: Yahoo



When you register for a Yahoo account, they ask you for your date of 
birth.  The purpose is security; if you forget your password, they can 
authenticate you with this information.  Someone's birthdate isn't a 
secret, and is a terrible way to authenticate someone.  But Yahoo goes 
one step further.  "My Yahoo," the company's popular personalized news 
page, uses the information to put a "Happy Birthday, <username>!" 
message at the top of your page when you visit on your birthday.

An excellent example of not getting it.

<http://www.oreillynet.com/pub/wlg/2597>


** *** ***** ******* *********** *************

                      News



Government report says cyberterrorism threat is overhyped.
<http://www.wired.com/news/infostructure/0,1377,56935,00.html>

Even Microsoft agrees: don't trust Microsoft:
<http://www.infoworld.com/articles/op/xml/02/12/09/021209opwinman.xml>

Elcomsoft not guilty of violating the DMCA.
<http://www.wired.com/news/business/0,1367,56853,00.html>
<http://sanjose.bizjournals.com/sanjose/stories/2002/12/16/daily28.html>
<http://www.wired.com/news/business/0,1367,56898,00.html>

Evaluating intrusion detection systems:
<http://online.securityfocus.com/infocus/1623>
<http://online.securityfocus.com/infocus/1630>
<http://online.securityfocus.com/infocus/1651>

Insider accused of attempting to manipulate stock price by sabotaging 
computer.
<http://www.vnunet.com/News/1137678>
<http://www.theregister.co.uk/content/55/28630.html>

Another essay on full disclosure:
<http://www.osopinion.com/perl/story/20319.html>

The strategic effectiveness of suicide terrorism:
<http://magazine.uchicago.edu/0212/research/invest-terror.html>
<http://www.plastic.com/article.html?sid=02/12/23/23150192;cmt=60>

Good piece on Total Information Awareness:
<http://www.newyorker.com/talk/content/?021209ta_talk_hertzberg>

Even though there are thousands of hackable holes in computer systems, 
only a very few of them are actually exploited in bulk:
<http://www.wired.com/news/infostructure/0,1377,56955,00.html>

There's a new version of the Bush Administration's cyber-security 
plan.  Incentives to tighten network security are reduced, more 
authority is given to the Department of Homeland Security, and they're 
no longer going to consult regularly with privacy experts.  It'd all 
worry me more if I thought this plan had any real effects.
<http://www.wired.com/news/conflict/0,2100,57109,00.html>

More DMCA abuse, this one about printer toner cartridges:
<http://news.com.com/2100-1023-979791.html>
Europe is banning this practice:
<http://www.geek.com/news/geeknews/2002Dec/gee20021223017885.htm>
This has the makings of a trade war between the U.S. and the EU.

While we're on the subject, the EFF has written an excellent article 
about the unintended consequences of the DMCA:
<http://www.eff.org/IP/DMCA/20030102_dmca_unintended_consequences.html>

The U.S. government is looking for input on sentencing guidelines for 
hackers:
<http://online.securityfocus.com/news/2028>

Another excellent essay by Tim Mullen on "strike back" (see also the 
various comments in the letter column, below).  I disagree with some of 
this, but I am happy to see intelligent debate on this issue.
<http://online.securityfocus.com/columnists/134>


** *** ***** ******* *********** *************

                Counterpane News



The news that I couldn't talk about for the past month and a half is 
that Counterpane has received another round of funding.  We have 
another $20M, which is more than enough to fund the company until we 
reach break-even, and to allow us to expand our services.  It's a tough 
economic climate out there, and the fact that we got this much money 
from a list of impressive investors is a source of pride for me.

Meanwhile, Counterpane continues its quest for world domination in the 
Managed Security Monitoring space.  The fourth quarter of 2002 was our 
best quarter ever, and the year was our best year ever.  I'll spare you 
the details; they're in the press release if you want to read them.

And Counterpane has hired a new CFO and COO.  Press releases announcing 
these changes will be out soon.

Funding press release:
<http://www.counterpane.com/pr-seriesd.html>

Fourth quarter press release:
<http://www.counterpane.com/pr-2002q4.html>


** *** ***** ******* *********** *************

     Security Notes from All Over:  Cichlids


Midas cichlids have biparental care; both father and mother fish watch 
over the fry.  Unfortunately for them, they still lose a lot of their 
young to predators.  So to avoid losing too many of their own babies, 
they actually go out and kidnap the fry of other Midas cichlids, or 
even other species of fish.  (In one case, while one pair of Midas 
cichlids was fighting another pair, the male of a third pair sneaked in 
and took about fifty fry back to his own territory.)  Predators are 
just as happy to eat the adopted fry as the parents' own young, so as 
long as the larger school of fry doesn't attract more predators, more 
of the parents' own young will survive.

The convict cichlid also practices adoption, but is fussier:  it will 
only adopt fry that are smaller than its own.  Predators will tend to 
attack the smaller adopted fry because they're easier pickings.

[paraphrased from George W. Barlow, _The Cichlid Fishes: Nature's Grand 
Experiment in Evolution_, pp. 202-203]


** *** ***** ******* *********** *************

           The RMAC Authentication Mode



As part of the AES process, NIST has embarked on a program to 
standardize various modes of operation for the block cipher.  Aside 
from the encryption modes we're all used to from DES days, NIST is 
trying to standardize on authentication modes as well.

The first mode NIST has proposed is RMAC (Randomized Message 
Authentication Code).  It has the advantage of having a security 
proof.  In fact, if you use triple-DES as the underlying cipher in an 
RMAC construction (the RMAC mode can work with any block cipher), then 
the resulting construction is provably secure.  But this is the very 
same construction that Lars Knudsen broke in a recent paper.

What's going on here?  On the one hand, RMAC is a provably secure 
mode.  On the other hand, there's a working attack against it.  That's 
not supposed to happen!

Let's take things one at a time...

RMAC is secure in something called the ideal cipher model.  As part of 
that model's assumptions, the underlying block cipher needs to be 
secure against a variety of attacks, including related-key attacks.  If 
a block cipher is susceptible to related-key attacks, then it would be 
inappropriate to model it as an ideal cipher and the RMAC security 
proof would not apply.

Now if triple-DES can be modeled by an ideal cipher, then 
triple-DES-RMAC ought to be secure.  In fact, NIST's RMAC standard 
includes triple-DES-RMAC as one of the two options.  (AES-RMAC is the 
other.)  However, it's been shown that triple-DES is not secure 
against related-key attacks.  Even worse, it is this related-key 
property that Knudsen uses to break triple-DES-RMAC.  His attack 
requires 2^16 chosen messages and about 2^56 work, which makes it 
practical with today's computing resources.

So now we can explain what happened.  The proof of security for RMAC 
only works if you assume use of an ideal cipher.  If you want to draw 
any conclusions about RMAC with a real block cipher like triple-DES or 
AES, you have to hope that your real block cipher behaves enough like 
an ideal cipher that the same proof still carries over.  In the case of 
triple-DES, that hope turned out to be false.  Triple-DES is not well 
modeled as an ideal cipher, because triple-DES is vulnerable to 
related-key attacks.  And as Knudsen showed, if there are related-key 
attacks on your real block cipher, this not only renders the proof 
irrelevant and "invalidates the security warranty," it can also lead to 
serious attacks on RMAC.
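To make the "related-key" point concrete, here is an added illustration 
of the RMAC construction in Python.  It is not code from the newsletter 
or from NIST: the block cipher is a deliberately toy Feistel cipher built 
from SHA-256 so that the example runs offline, standing in for the "ideal 
cipher" (it is not AES or triple-DES), and the 10* padding, the 16-byte 
block, and the salt R being as long as K2 are simplifying assumptions 
about the draft's details.  What the example shows is the shape of the 
mode: a CBC-MAC under K1, then one encryption under K2 XOR R with R 
public, so the XOR difference between the keys used for any two tags is 
known to everyone without knowing K2.

```python
"""Added illustration of the RMAC mode (not the page's or NIST's code).

Toy cipher, padding, block and salt lengths are assumptions for this
example; see the lead-in above.
"""
import hashlib
import hmac
import os

BLOCK = 16  # bytes; block size of the toy cipher (assumption)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel cipher keyed through SHA-256: a stand-in for an
    'ideal cipher' in this example, NOT a real cipher and NOT AES/3DES."""
    assert len(block) == BLOCK
    half = BLOCK // 2
    left, right = block[:half], block[half:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:half]
        left, right = right, _xor(left, f)
    return left + right


def _pad(msg: bytes) -> bytes:
    """10* padding: append 0x80, then zeros up to a whole block (assumption)."""
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % BLOCK)


def cbc_mac(k1: bytes, msg: bytes) -> bytes:
    """Plain CBC-MAC of the padded message under K1 with a zero IV."""
    state = bytes(BLOCK)
    padded = _pad(msg)
    for i in range(0, len(padded), BLOCK):
        state = toy_encrypt(k1, _xor(state, padded[i:i + BLOCK]))
    return state


def rmac_tag(k1: bytes, k2: bytes, msg: bytes, salt=None):
    """Return (R, T) with T = E_{K2 xor R}(CBC-MAC_{K1}(msg)).

    R is a fresh public random salt unless one is supplied (tests do that)."""
    if salt is None:
        salt = os.urandom(len(k2))
    assert len(salt) == len(k2)
    # The final encryption runs under K2 XOR R.  Because R travels with
    # the tag, each tag is produced under a key whose XOR offset from K2
    # is public: the ideal-cipher proof assumes the cipher survives such
    # related-key queries, which is exactly what triple-DES does not.
    tag = toy_encrypt(_xor(k2, salt), cbc_mac(k1, msg))
    return salt, tag


def rmac_verify(k1: bytes, k2: bytes, msg: bytes, salt: bytes, tag: bytes) -> bool:
    """Recompute the tag for the received (msg, R) and compare in constant time."""
    _, expected = rmac_tag(k1, k2, msg, salt)
    return hmac.compare_digest(expected, tag)


def effective_key_difference(salt_a: bytes, salt_b: bytes) -> bytes:
    """XOR difference between the keys used for two tags:
    (K2 ^ Ra) ^ (K2 ^ Rb) = Ra ^ Rb.  It depends only on the public salts,
    which is why related-key resistance of the cipher is not optional here."""
    return _xor(salt_a, salt_b)


if __name__ == "__main__":
    k1, k2 = os.urandom(16), os.urandom(16)
    r, t = rmac_tag(k1, k2, b"transfer 100 to alice")
    print("verifies:", rmac_verify(k1, k2, b"transfer 100 to alice", r, t))
    print("tampered:", rmac_verify(k1, k2, b"transfer 900 to alice", r, t))
```

The two-key, salted structure is what distinguishes RMAC from plain CBC-MAC, 
and `effective_key_difference` is the reason the proof has to live in the 
ideal cipher model: with a real cipher, the verifier hands every observer a 
family of keys related by known XOR differences.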

At this point, the most interesting question is whether AES-RMAC is 
secure.  If you want to think that the proof of security for RMAC says 
anything about AES-RMAC, you have to hope that AES behaves like an 
ideal cipher.  One necessary condition for the latter is that AES must 
be secure against related-key attacks.

AES is a new cipher, and the security of it against related-key attacks 
has not been well-studied.  For the most part, cryptanalysts focus on 
the standard threat model (chosen plaintext/ciphertext attacks), and 
related-key attacks are only occasionally studied.  What little we do 
know about the security of AES against related-key attacks suggests 
that AES has considerably less strength against related-key attacks 
than against normal attacks: the best related-key attack (found after 
only a few weeks of analysis) breaks nine rounds.

The lesson here is that the ideal cipher model is not as powerful a 
tool as some think it is, and a mode of operation that is secure in 
that model isn't necessarily secure in practice.  Cryptography theory 
is mature enough to base designs on, but there's still no substitute 
for detailed cryptanalysis.  RMAC should not become a NIST standard.


NIST RMAC Specification:
<http://csrc.nist.gov/publications/drafts/draft800-38B-110402.pdf>

NIST Modes of Operation page:
<http://csrc.nist.gov/encryption/modes>

Comments on RMAC:
<http://csrc.nist.gov/encryption/modes/comments/>
The analyses of David Wagner, Phil Rogaway, and Lars Knudsen are 
especially worth reading.

Related-key attacks against triple-DES:
<http://www.counterpane.com/key_schedule.html>

Related-key attacks against AES:
<http://www.counterpane.com/rijndael.html>

This article was written with the help of David Wagner.


** *** ***** ******* *********** *************

             Comments from Readers



From: "Jennifer S. Granick" <jennifer@granick.com>
Subject: Counterattack

The noisemaking analogy is an interesting one because it relates to an 
argument we're making in the Intel v. Hamidi case, where Intel got an 
injunction stopping Hamidi from sending e-mails to intel.com 
addresses.  Intel argues that the e-mail servers are their private 
property, and they have the right to exclude people from use of their 
property, as they would from their buildings, or from use of their 
car.  We argued that extending that kind of private property right to 
the networked world would mean that the Internet is not a public 
commons but a series of private fiefdoms, a model detrimental to 
socially beneficial uses.  We suggested that the problem of spam and 
unwanted e-mail is best considered as a nuisance problem, exactly the 
way the law looks at things like too much noise coming from one 
property and washing over into the next.  The properties share a common 
thing, air or "ether" as the case may be, and rather than the absolute 
right to exclude, the court should weigh the harm to and interests of 
each party in determining whether anyone has the right to stop Hamidi 
from sending the e-mail from his own property.

I like that you immediately went for the commons/nuisance model, rather 
than the strict private property model.  It makes me feel that nuisance 
is intuitively right to those familiar with the Internet.  Of course, 
if you were a lawyer arguing this point, you'd adopt the stricter 
property view and say that the strikeback targets have the absolute 
right not to be patched, etc. because that's the stronger right.

In the nuisance context, since there's a balance of rights and harms, 
the law really is your only recourse.  Going over there and taking the 
stereo is not allowed.  But there are concepts like self-defense and 
defense of others that permit the violation of others' personal and 
property rights in certain narrow cases.  It depends on what interest 
you're protecting, person or property, and whether you've only 
counter-attacked to the extent necessary to protect that interest and 
no further.



From: "Tim Mullen" <Thor@HammerofGod.com>
Subject: Counterattack

When it comes to the MPAA, I absolutely agree -- but there are several 
key differences between what people like Berman are proposing and what 
I am doing...  For one, there is already a framework of law and 
protocol for copyright holders to seek remedy.  Copyright law is 
extensive, and has a long history of case law.  The Berman bill will 
provide for a copyright holder to circumvent this existing framework in 
order to take immediate action against alleged acts of copyright 
infringement.  More importantly, the spirit of the bill/action is much 
different.  We seek to impede the propagation of global worms.  Our 
actions against the attacking system are limited specifically to the 
scope of the attacking process -- no other action is taken against the 
system or other processes.  No harm is caused to the attacking system, 
or to the administrator/owner of the system (not purposefully, 
anyway).  The entire basis of the Berman bill is to allow the copyright 
holder to inflict willful and substantial "damage" against the alleged 
system and owner to the degree that they will stop the alleged 
activity.  They *want* to hurt the end user -- they want to cause 
enough trouble for the user that they will give up.

There is no framework in place to which to take guidance when it comes 
to protecting our property and equipment from constant attack.  There 
needs to be.  The other big difference is that the Berman bill proposes 
that the copyright holder can take action against people *who are 
committing a crime*.  The alleged activity is against the law -- here, 
when you set up a Win2k box on the net and it gets Nimda and attacks 
everyone non-stop, it is *not* a crime.  There is nothing illegal about 
being stupid, or not knowing how to secure a system.

We have to look at this within the confines of stopping an attacking 
process -- we can't make it "personal" as if we are doing something 
against the people who own these boxes.  And actually, the law supports 
this differentiation:  If I personally set up a Win2k box at default, 
knowing that it will be compromised in 10 minutes and start attacking 
"close" boxes to me, I have not committed a crime.  However, if I run a 
Perl script that executes the same exact GET requests against the exact 
same boxes, I have committed a felony.

If the tie between administrator and the actions of his equipment 
cannot support culpability for actions in tort (as in them being 
responsible for their computer getting Nimda), how can we support the 
same logic required to say that we are infringing upon the 
administrator's rights when we neutralize the attack?  Why are we 
pretending that the box has rights?

Even if we do take the stance that the box has some implicit right, we 
should treat it like we do a criminal -- if a person's actions show 
that they cannot operate in society without hurting other people or 
infringing upon their rights, we take their rights away, and keep them 
from doing so.  The very infestation of a system by a worm shows that 
it is not configured in a state that it should be to participate in a 
global network -- therefore, it loses some rights (that I don't think 
it should have in the first place).

Homeowner-type analogies never really work; there is just too much one 
can say one way or the other to fit the desired outcome.  Do I get to 
trespass on a neighbor's property to disable the noisemaker?  Probably 
not, but one might actually be able to under certain nuisance law.  I 
could always say back that if my bike was stolen, and I saw it in your 
yard, I certainly do have the right to go onto your property and take 
it back -- the law says I can.  So where does it stop?

If you really wanted the analogy to be accurate to this issue, we would 
have to say that the house alarm not only caused noise of its own, but 
that it made other house alarms around it go off, which made other 
house alarms around them go off, etc., etc.  Pretty soon, everyone has 
to shout just to be heard.  None of this noise is against the law, so 
the police won't help you.  The manufacturer of the alarms says that it 
is the homeowner's fault for not knowing how to install them and that 
it is not their problem.  Further, all the criminals know that the 
homes with the alarms going off are completely wide open, so they use 
the alarm signal to hunt down homes to take over to use for some future 
illegal activity.  The really bad thing is that when you try to talk to 
the neighbors about all the noise, they say "What noise?  We don't hear 
any noise.  Go away."



From: John Kelsey <kelsey.j@ix.netcom.com>
Subject: Counterattack

Just a nitpick on your counterattack article: I don't think justice 
depends on the government doing the punishment.  (Think of a really 
corrupt government, where the punishment is always done to the person 
who paid the lowest bribe.)  Having a neutral third party investigate 
the facts and decide what punishment or restitution should be made is a 
way to try to get justice in punishment or restitution, but it's 
neither the only way to get it nor guaranteed to get it.  And that 
neutral third party may or may not be the government.

A really obvious example of justice being done by non-governments is 
when a parent successfully determines which kid started the fight and 
assigns punishments appropriately.

It seems obvious that automated counterattacks are a bad idea in nearly 
all cases.  Not only do you have a real hard time guaranteeing that 
your automated system correctly identified the attacker, you also have 
a hard time guaranteeing that the owner of the counterattacking system 
didn't generate the evidence of the initial attack on his own to 
justify his counterattack.  And you can easily imagine a "war" starting 
between two or three such systems.  (Note that all of these are 
problems that appear in vigilante justice, as well -- the lynch mob 
hangs the wrong guy, the lynch mob is started by a false accusation by 
the target's enemies, or you lynch me, and then my friends and family 
lynch you.)



From: Paul Mantyla <pjm1212@yahoo.com>
Subject: Counterattack

In the December 15 Crypto-Gram, you state, "Our laws give us the right 
to justice..."  This is too strong a statement and your statements that 
follow fail to correct the error.  Only an omniscient being is able to 
determine what is just.

Our best approximation is a set of laws and civil rights.  As Oliver 
Wendell Holmes famously remarked, "This is a court of law, young man, 
not a court of justice."  Is it just for a guilty man to go free, or 
for an innocent man to be convicted?  The government is most dangerous 
when it ignores the law and the Constitution in pursuit of 
justice.  For example, in apparent violation of the 5th amendment's 
protection against double jeopardy, the doctrine known as "dual 
sovereign" allows the state and federal governments to prosecute a 
person for the same act (e.g. police officers in the Rodney King case).

See "An Ever-Expanding Double Jeopardy Loophole" in the Cato 
Institute's Handbook for Congress: 
<http://www.cato.org/pubs/handbook/hb105-22.html>.  As citizens of the 
United States, we have a right to many things, but a "right to justice" 
is not one of them.



From: Daniel Upper <upper@peak.org>
Subject:  Counterattack

Until the courts do sort out when counterattack is permissible, I'd 
like to suggest the necessity defense as a way of thinking about 
it.  In general, a defendant is not guilty of violating a law if it was 
necessary to do so.  The criteria for necessity vary somewhat, but they 
generally look about like this:

* The action was done to avert a threat of immediate, significant harm.

* The harm caused by the action was not disproportionate to the harm 
avoided.

* There is no reasonable legal alternative to the action.

* The actor reasonably believed that his/her action would prevent the 
significant harm.

* The defendant did not cause the threat of harm.

This test is fairly stringent and broadly applicable.  Most specific 
emergency exceptions -- e.g., self-defense, emergency medical care by 
non-doctors -- can be looked at as special cases of it.  I expect that 
any counterattack the courts eventually decide to allow will also meet 
these criteria.

Note also that there is nothing here about justice or punishment.  It 
only sanctions preventing harm.


From: Michael Nygard <mtnygard@charter.net>
Subject: Counterattack

There is a nuance to the counter-attack proposals that I wish you had 
discussed in your essay.  The essential difference is between that of 
vengeance and self-defense.  If you are the victim of a crime, then you 
have the right to defend yourself -- during the commission of the crime.

Just as breaking and entering can escalate to robbery-homicide in a few 
chaotic seconds, we must recognize that an intrusion can escalate from 
minor to catastrophic in milliseconds.  Though this point is still 
controversial among law-makers and law-enforcers, self-defense is 
widely viewed as the way to prevent a situation from 
escalating.  Automated counter-attacks perform the same function; 
limiting the amount of damage done by the attacker, perhaps preventing 
the crime from escalating from petty vandalism to grand larceny.

It would be simplistic to say that the same act is self-defense during 
a crime, but vigilantism afterwards.  Still, when law enforcement 
cannot possibly respond during the crime itself, a swift counter-attack 
may be the only protection available.



From: Brian Beesley <BJ.Beesley@ulster.ac.uk>
Subject: Counterattack

There are a couple of points you might have missed:

(1) If it's accepted that X can counterattack you on the grounds that X 
suspects (maybe even has hard evidence) that you are attacking X in 
some way, then why can't you counter-counter-attack?  The point here is 
that if X is the "big guy" and there are lots of people in my position, 
we (acting in concert) are more likely to be able to inflict serious 
damage on X than vice versa.

(2) The counterattack mechanism depends on us leaving our computers 
open to attack and/or engaging in unsafe conduct (e.g., running scripts 
downloaded from Web pages).  This strategy may be fairly successful 
against casual users but will likely have no effect whatsoever on 
anyone who deliberately sets out to act "illegally."

The "Berman bill" is fatally flawed -- not because of its political 
content, but because it fails to address the problem.  The proposed 
legislation is designed to "feel good" to its proposers rather than to 
be effective.

There simply is no need for further legislation, at any rate in most of 
the developed world.  What is needed is the will for those who feel 
they are being robbed of their intellectual property to gather evidence 
which could be presented under existing legislation, rather than just 
moaning about their (dubious) loss of sales.



From: Mike Koptiw <mkoptiw@att.net>
Subject: Counterattack

I agree that vigilantism is morally wrong, and I agree that the state 
is best situated to handle justice.  But, from a legal argument point 
of view, I would make a distinction between strikeback to a DOS attack 
and strikeback to a copyright violation.

As always, it depends.  In some cases, general, common law principles 
of tort actually privilege a victim's action against a 
perpetrator.  First, common law does not privilege the use of force to 
recover lost property.  Our courts resolve these issues.  The law 
handles this, and it does not stand for vigilantism.

However, common law does privilege the use of force in defense of 
property from forcible trespassers.  The force one may use must be 
proportional to eject the trespasser, and once the trespasser has left 
the property, the victim may not pursue the trespasser with force.

So I think that there are common law, theoretical legal arguments for 
strike back in DOS and intrusive hacking cases when there is a virtual 
trespasser (be it a rogue DOS packet or a hacker's presence), but 
there is no legal leg to stand on when the attack is based solely on 
recovering a right to content on the person's computer (like RIAA's 
proposal).



From: Marko Asplund <aspa@kronodoc.fi>
Subject: Counterattack

In addition to being an ethically and morally questionable idea, I fail 
to see how automated strike-back technology would save the Internet 
from global worm attacks.  Strike-back could perhaps be successfully 
utilized against contemporary worms such as Nimda which decide to leave 
the door open as they come in but it is naive to think that the next 
generation worms will continue to do so.

The definition of clear responsibilities is challenging in case the 
strike-back fails.  Even if the strike-back uses minimal force and 
extreme care is put into crafting the neutralizing code, it is always 
possible that something goes wrong and the target system fails in some 
way after the neutralization.  What if the infected system controls 
life-support systems in a hospital?  If human lives are lost because of 
the strike-back, who is responsible if the system fails to function 
after the strike-back?  There's always a small number of vendor 
software patches which have unexpected results in a small number of 
target systems.  Why wouldn't there be any with strike-back systems?

Mullen draws parallels between self-defense and strike-back, but one 
difference is that a software system on the Internet doesn't have as 
much intelligence or information on the attack context or the attacker 
as a human being under attack would have.  Using your noisy neighbor 
analogy, one could say strike-back is like trying to shut the noisy 
device down using a shotgun...and aiming with a blindfold on.



From: Rick Bressler <bressler@the-bresslers.com>
Subject: Counterattack

After reading this article and reflecting for a bit, I am wondering if 
we're not seeing the beginnings of a "self defense" doctrine on the 
Internet, although at this point much of the legislation is clearly 
misplaced and inappropriate, as is often the case when our lawmakers 
try to adapt to new situations.

I think it bears pointing out that your comparisons to crime in the 
physical world leave out the concept of self-defense completely.  (Is 
this intentional?) In the real world there is a big difference between 
self-defense, a preemptive strike, and vigilantism.  All of these have 
large bodies of case law around them.

Clearly a preemptive strike is illegal.  (Unless you're a government of 
course. :-)) You can't attack somebody just because you think they 
*may* attack you at some future date.

Vigilantism is taking the attack back to your aggressor after the fact, 
or seeking justice on your own.  Clearly this can't be allowed in 
civilized society, nor is it condoned by any legal system I'm aware of, 
although at various times and places it has been overlooked.

Self-defense is a response to the immediate threat of death or grave 
bodily injury.  Does such a doctrine have a place in the cyber 
world?  In your example of somebody actively attacking a machine or 
better yet a critical infrastructure server, and the victim responding 
by shutting them down, we have a situation that to some extent 
parallels the act of self defense in the real world, at least to the 
extent that you are responding to an immediate and possibly serious 
threat.  Perhaps one at least temporarily 'lethal' to the Internet.

Note that in the non-cyber world we typically reserve this right only 
for the most severe crime, the threat of taking an innocent life or, in 
rare cases, property.  Is there a case where this might be extended to 
an "innocent server"? Perhaps one protecting your home network?  Credit 
card data?  Bank account?  A small number of servers that the whole 
Internet depends on?



From: Nicholas Weaver <nweaver@CS.berkeley.edu>
Subject: ONE case where vigilantism worked...

There actually is one case where vigilantism worked: the das-bistro 
anti-code-red-II default.ida script.

This script, when installed on a Web server, would respond to a Code 
Red II probe with a counterattack which disabled the Web server using 
the Code Red II installed backdoor and restarted the machine, clearing 
the Code Red II infection (memory resident) and preventing reinfection 
and machine abuse.

Considering that all those machines were broadcasting that they are 
trivially vulnerable, removing them from the net is probably necessary, 
especially since there ARE no police to call: there is no standard way 
to say "this machine is compromised" and get the ISP to do anything 
about it.

Someone malicious could have just as easily tweaked and released 
CRclean (a passive, sourcecode only "antiworm" published on BugTraq) 
with a malicious payload to co-opt all those machines.  Thus, having a 
small/medium number of anti-code-red-II Web pages was probably of benefit.

Of course, it only worked because of CRII's authors' silliness and/or 
strategic stupidity (don't make control channels that can be used by 
anyone unauthorized, and close the hole you came in on).

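The trigger for the script Weaver describes is the worm's own probe: an 
infected host sends a request for /default.ida to every server it scans.  
The following is an added example, not part of this issue or of the 
das-bistro script; it does only the recognition half (which host is 
infected, which worm family) over access-log lines and deliberately does 
nothing to the probing host.  The filler-byte fingerprint ('X' for Code 
Red II, 'N' for the original Code Red) is not stated on the page, and the 
30-byte threshold, the log lines and the payload fragment are constructed 
for the example.

```python
"""Recognise Code Red / Code Red II probes in Common Log Format lines.

Added example, not code from Crypto-Gram or from the das-bistro script.
It identifies the probing (i.e. infected) host and the worm family, and
stops there: no response is sent back.  Sample log lines are constructed.
"""
import re
from typing import Dict, List, Optional

# Common Log Format: host ident user [timestamp] "METHOD target PROTO" status
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Worm fingerprint: the byte used to pad the oversized default.ida query.
# Code Red II padded with 'X', the original Code Red with 'N' (known
# signatures, not stated on the page).  The minimum run length below is
# this example's own threshold, chosen to exclude short innocent queries.
FILLER_FAMILY = {"X": "Code Red II", "N": "Code Red"}
MIN_FILLER = 30


def classify_request(target: str) -> Optional[str]:
    """Return the worm family name if `target` looks like a default.ida
    probe, else None.  Only the path and the leading filler run matter;
    the rest of the query is ignored."""
    path, sep, query = target.partition("?")
    if path.lower() != "/default.ida" or not sep:
        return None
    family = FILLER_FAMILY.get(query[:1])
    if family is None:
        return None
    run = len(query) - len(query.lstrip(query[0]))  # length of filler run
    return family if run >= MIN_FILLER else None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse CLF lines and return one record per recognised worm probe.

    Because the probe arrives over a completed TCP connection, the logged
    source address is the infected machine itself, not a spoofed one."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not CLF, or a truncated line: skip rather than guess
        family = classify_request(m.group("target"))
        if family:
            hits.append({"host": m.group("host"),
                         "family": family,
                         "ts": m.group("ts"),
                         "status": m.group("status")})
    return hits


# Constructed sample log.  The %u... tail is an abbreviated stand-in for the
# worm's encoded payload, not the real thing.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2003:03:07:52 -0600] '
    '"GET /default.ida?' + "X" * 40 + '%u9090 HTTP/1.0" 404 229',
    '198.51.100.7 - - [15/Jan/2003:03:08:01 -0600] '
    '"GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [15/Jan/2003:03:08:13 -0600] '
    '"GET /default.ida?' + "N" * 40 + '%u9090 HTTP/1.0" 404 229',
    '198.51.100.9 - - [15/Jan/2003:03:08:20 -0600] '
    '"GET /default.ida?X HTTP/1.1" 404 229',   # too short: not a probe
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']}  {hit['host']:<15} {hit['family']}")
```

A 404 on a non-IIS server (as in the sample) means the probe failed here, 
but the source host is still infected; notifying its ISP is the step the 
page says has no standard channel, and is all this example leaves room for.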


From: "John.Deters" <John.Deters@target.com>
Subject: Counterattack

In your article, you claim that vigilantism is wrong, an idea that 
"society after society has eschewed."

You don't seem to take into account that the Internet is a brand-new 
*kind* of society.  For the first time in history, we have a society 
that is not tied to geography.  All legal systems were and are still 
tied to geopolitical boundaries.  But IP packets don't apply for visas 
before crossing those boundaries.  The wires and fibers carry goods, 
services, and mischief equally, and without prejudice.  So commerce 
occurs, regulated and taxed only by people naive enough to volunteer to 
their local governments that they deserve to be regulated or taxed for 
their online activities.  And mischief occurs too; but the mischief 
makers do not usually feel such compulsions to report their activities.

Also, the definition of mischief varies depending on where you 
stand.  The RIAA believes that mischief happens when a song is 
downloaded.  I believe that it happens when I get spam or some lame 
e-mail virus.  You believe it happens when your clients get DDOS attacked.

There is no global government regulating this Internet society.  A 
patchwork of geographically bound law enforcement agencies hunting down 
mischief makers is about all we have right now.  Sometimes they stop at 
their boundaries, sometimes they call their cohorts on the other side 
of the boundary to make an arrest on their behalf.  Most of the time 
they do nothing.

So in a basically lawless society, one that has not yet formed a 
cohesive government, one that allows a mischief maker to hide between 
governments, what would you have people doing when nobody can provide 
justice?  Should they do nothing?  Call the FBI?  Call for a Global 
Internet Government?

Vigilantes are not simply "taking the law into their own hands," 
because usually there is no law that can be applied.  So if a hacker 
goes after a spammer's computer, I'll cheer.  If the RIAA goes after a 
Napster user's computer, I don't really care.  I'll defend myself on 
the Internet, thank you very much.  But the one thing I am SURE I don't 
want to see is a global regulatory agency deciding whether or not they 
"approve" of the packets I'm sending.  Because I have no doubt that 
whatever I send or receive, be it music, pictures, or subversive e-mail 
to some crypto newsletter, some group will be offended and call for my 
arrest.



From: "Tousley, Scott W." <Scott.Tousley@anser.org>
Subject:  Department of Homeland Security

In the December 2002 Crypto-Gram, your comments on the Department of 
Homeland Security included:  "Security has two universal truisms 
relevant to this discussion.  One, security decisions need to be made 
as close to the problem as possible... Two, security analysis needs to 
happen as far away from the sources as possible."

I do not agree fully with the second truism, because security analysis 
of rare events must be both centralized and decentralized.  Security 
analysis is increasingly a distributed challenge that will continue to 
involve a judicious mixture of systems and people, and this analysis 
challenge requires a substantial amount of context that only comes with 
proximity.  We must somehow enable effective analysis from the national 
and international analysts all the way down to the ground-level 
security guard and first-line supervisor.  Cops and guards and 
first-responders can fight terrorism effectively only if they 
themselves are lightly steeped in and contribute to the larger analysis 
context.  The strength, flexibility and evolution of networks can 
support much of this need, if these still-embryonic networks are not 
squashed by bureaucratic interests of a national Homeland Security 
Department and various state and municipal counterparts fighting to 
feed at the trough.  I do worry that our reorganization will make 
security more brittle when we coordinate too heavily in the name of 
political, bureaucratic, and budgetary efficiency.



From: The Wengers <wenger@bigfoot.com>
Subject:  Department of Homeland Security

I agree with your assessment that analyzing intelligence should not be 
solely entrusted to the new Dept. of Homeland Security.  But I see some 
very disturbing signs that the balance has been tipped too far the 
other way in order to protect the turf of our existing intelligence 
agencies.

The tension is to create enough overlapping jurisdiction so that things 
don't fall through the cracks, but not so much as to create unnecessary 
redundancy and wasteful turf battles.  Therefore, I was disturbed to 
read a recent Washington Post article called "Homeland Security Won't 
Have Diet of Raw Intelligence; Rules Being Drafted to Preclude 
Interagency Conflict" (by Dan Eggen and John Mintz, Dec. 6, 2002; page 
A43).  The article notes that "[f]or now, the intelligence agencies 
have persuaded the White House that information provided to the 
Homeland Security Department should be in the form of summary 
reports.  Those summaries generally will not include raw intelligence 
or details on where or how the information was gathered, in order to 
protect sources and methods."

It may not make sense to strip the existing intelligence agencies of 
their intelligence gathering and analysis roles for the reasons you 
gave.  However, if this Homeland Security Agency is to serve any vital 
role, it should be as a coordinator of threat analysis and 
response.  And I don't believe it can do that job in a meaningful way 
if it is required to rely solely on second-hand data.  As you aptly 
wrote "[a]ll these [intelligence] organizations have to communicate 
with each other, and that's the primary value of a Department of 
Homeland Security.  One organization needs to be a single point for 
coordination and analysis of terrorist threats and responses.  One 
organization needs to see the big picture, and make decisions and set 
policies based on it."  But how can the Homeland Security Director see 
the big picture and make fully informed decisions if his/her staff 
cannot review the data upon which the conclusions they are being fed 
are based?  This effort by the CIA, NSA and FBI to keep Homeland 
Security's snout out of the intelligence data trough cannot be a good sign.

The Washington Post article goes on to note that "Administration 
officials already are considering, for example, whether to include 
homeland security representatives as members of the 56 regional Joint 
Terrorism Task Forces, which oversee local terror investigations."  How 
could this be an item for debate?  If you look at the FBI's description 
of the JTTF program, it involves representatives of scads of federal 
agencies along with state and even local agencies.  "There are 
currently 36 JTTFs in operation, which reflects an increase of 25 task 
forces since 1996, to which more than 620 FBI special agents are 
assigned, and approximately 584 full-time and part-time officers from 
other federal, state, and local agencies are assigned.  Full-time 
federal participants in the JTTF program include the Immigration and 
Naturalization Service; U.S. Secret Service; Naval Criminal 
Investigative Service; U.S. Marshals Service; U.S. Customs Service; 
Bureau of Alcohol, Tobacco, and Firearms; U.S. Border Patrol; U.S. 
Department of State/Diplomatic Security Service; Postal Inspection 
Service; Internal Revenue Service; Department of Interior's Bureau of 
Land Management; Air Force Office of Special Investigations; U.S. Park 
Police; Federal Protective Service; Treasury Inspector General for Tax 
Administration; and the Defense Criminal Investigative Service." (Nov. 
13, 2001, Statement for the Record of Assistant Director Kathleen 
McChesney Training Division, FBI on Communication with the Law 
Enforcement Community Before the United States House of Representatives 
Committee on Government Reform Washington, D.C. 
<http://www.fbi.gov/congress/congress01/mcchesney111301.htm>)

Let me get this straight: the Park Police and the Bureau of Land 
Management are represented in the Joint Terrorism Task Forces but the 
Department of Homeland Security is not?  How can this be a good sign?


** *** ***** ******* *********** *************


CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography.  Back 
issues are available on <http://www.counterpane.com/crypto-gram.html>.

To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or 
send a blank message to crypto-gram-subscribe@chaparraltree.com.  To 
unsubscribe, visit <http://www.counterpane.com/unsubform.html>.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who 
will find it valuable.  Permission is granted to reprint CRYPTO-GRAM, 
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is founder and CTO 
of Counterpane Internet Security Inc., the author of "Secrets and Lies" 
and "Applied Cryptography," and an inventor of the Blowfish, Twofish, 
and Yarrow algorithms.  He is a member of the Advisory Board of the 
Electronic Privacy Information Center (EPIC).  He is a frequent writer 
and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is the world leader in Managed 
Security Monitoring.  Counterpane's expert security analysts protect 
networks for Fortune 1000 companies world-wide.

<http://www.counterpane.com/>

Copyright (c) 2003 by Counterpane Internet Security, Inc.



Copyright © 2003, Eklektix, Inc.