Spafford On Infrastructure Risks

nealmcb writes "In a major report from the AAAS, Eugene Spafford, director of CERIAS, summarizes the many risks to our information infrastructure (viruses, bugs, single points of failure, etc.), their causes (explosive growth, primacy of time-to-market over quality, lack of support for basic information security research, etc.), and the negative effects of the DMCA, CBDTPA, and other corporate maneuvers."

Scientists out of touch with the economy.

[DraconPern]

This comment made me think twice about how important they think security is: "After all, disruption of eBay, Amazon, Google, or online chat groups does not seem like much of a menace." -- Eugene H. Spaffor A major security breach at eBay or Amazon will surely result in millions of dollars of lost transactions and loss of investor confidence. How is that not a menace? One can argue that the US economy is more important than security because it has an global effect. And without google, most websites won't even need security. We just slashdot them until they are unavailable. :)

Re:Scientists out of touch with the economy.

Problems with Amazon or eBay are not likely to bring people to question their faith in the US economy. Now, if one problem affected all of them more or less equally, then that would be one sector of the economy, and people would question that sector, but not the whole economy. Notice it has taken more than a few corporate bad apples and misdeeds being smoked out to bring the market into a complete funk, not one or two.

Re:Scientists out of touch with the economy.

[Zeinfeld]

Spaff is pretty well known in the Internet, but I am affraid I can't think of a major contribution to computer security from him since tripwire.

Incidentally, it is somewhat disappointing that he puts out the comparisons of Windows vs Unix viruses as 'proof' that UNIX is more secure without addressing the specific features of UNIX that would make it so. It is one thing for a slashdotter to assert 'unix is more secure than windows', a university professor specialising in computer security should be able to do more than recite opinions, he should be able to explain why and how one system is more secure than another. The systemic lack of security argument does not work by the way since UNIX is the only mainstream operating system that did not originally have a security model. All the security features in modern UNIX are retrofitted - in some cases (shaddow passwords) in the face of opposition from UNIX purists.

The principal reason why Macs, Ataris and MSDOS machines all had chronic virus problems is that they have no account based security controls. A rogue program can corrupt any system file it likes. A secondary reason is that in their original incarnation every one of the machines has supported the clueless operating mode of try to boot from removable media. The only difference since then is that the Internet has proven a far more effective vector for malicious programs than floppy disks and the clueless enabling vector has been run from email.

He conveniently ignores fact that there are Virus building toolkits written for Windows and the vast majority of the 'dozens of new viruses a week' are no more than minor variations on the same basic cores. Nor does he tie this back to his initial theme of an O/S monoculture which is somewhat odd because the main reason why there are epidemics of Windows viruses is simply the fact that the population of Windows machines is large enough to support epidemics. For a virus to become an epidemic all that is required is for each infected host to pass on the infection to an average of more than one new host. There are two reasons an infected Linux box is less likely to do this, first 90% of the hosts an infected linux box attempts to infect are likely to be Windows boxes imune from a linux virus. Second the remaining 10% of linux boxes are likely to be considerably more heterogeneous that the average windows machine. There are likely to be a large number of different builds and even different processors, all in all a much harder target to infect.

The heterogeneous platform argument is unfortunately one of those arguments that works fine on the individual level and fails entirely at the public policy level. The problem being that it may be logical for me to use an obscure operating system to reduce the risk of virus (or other attack) but if everyone chooses the same O/S the obscurity advantage is lost. Incidentally Linux is far too mainstream for the obscurity argument to apply, if you want to be obscure you would have to use something like the Genera (Lisp machine) system we got the Clinton administration to use to do their press release publications onto the Internet from. (The machine was not choosen for security through obscurity, however we did remark afterwards that if the machine was ever compromised we could probably write the list of suspects with the expertise to crack it for the Secret Service)

Long Ramble Time (tm)

[CajunArson]

OK, as a recent Purdue Grad (Spafford heads CERIAS at Purdue) and as someone who is going into security research for a Masters degree.... I'm going to shoot my mouth off!!

Spafford's article is somewhat of a hit & miss. I'm going to paraphrase a few sections that IMHO are good, and some that are not so good.

The Good:
-- UCITA: ~"This legislation will ban research into security issues with software products and even outlaw criticism of software design"~ I could'nt agree more, what kind of an idiotic company could possibly object to FREE DEBUGGING being done by University researchers, that could lead to drastically better software, instead of skipping beta, if I were a commercial developer I'd GIVE IT TO THE UNIVERSITY FIRST!! (As a rabid old-school capitalist I actually think the road to more $$$ is to put out a good product, unfortunately a bunch of short sighted schmucks thought they could cheat the system.... and look at their stocks...)

-- The lack of research in security: yeah, Purdue churned out over 125 Seniors in Computer Engineering, and I'm the only one that I know who is doing grad work (or has a job) in security proper, and I'm only getting a Master's, so I won't help his PhD count, (not that a Master's isn't helpful, he wants to have people to take over for him when he retires).

-- The lack of qualified people in Law Enforcement: Another *excellent* point, if we just had a competent core of cyber-crime investigators, a whole bunch of this BS about Carnivore wouldn't even be neccessary since they could do the proper investigatory work to get probable cause for warrants and nail the criminals while not violating the Constitution...
(sometimes I think I'm the only one who wants to punish the criminals while simultaneously not punish the normal people...) The laws do need updates in some ways (NOT the DMCA), but warrants
to look through e-mails and electronic corespondance should have clearly defined levels of evidence neccessary (just like today there are
pretty well defined levels for searching your house).

-- ~"That common system that runs commerce, defense, and much of the scientific establishment. It is under a constant barrage of viruses, worms, and hacker (he said hacker, not cracker BTW) attacks, this system which you use to browse the internet is also going to run an Aircraft carrier next year. What would we say if the US Airforce bought crop dusters since they are cheaper than F-16's?"~

Another excellent point, but I don't see what he has against Linux since I use it every day!! :) OK, we all know he's attacking Windows, and he has an excellent point.... The aircraft carrier (My guess is it's the Truman or more likely the Reagan) has all kinds of reinforced bulkheads and compartments so that even if one part of the ship gets hit, the rest can keep on fighting! (here comes the analogy) So why the hell would you have one, integrated, incredibly vulnerable system running everything from a powerpoint presentation in the briefing rooms, to
controlling the airplane elevators and ordance tracking system?? It's dangerous and completely uneccessary, I wouldn't even put Linux in charge of most of the sensitive systems, they have enough money to build custom systems (note that custom systems can still be modular and communicate with each other, they are just built to better tolerances in a restricted environment of a ship) You can run some isolated Windows boxes to do some word processing or Powerpoint slides, just don't give the ship a bluescreen!

OK, now time for a few gripes (don't worry this list is shorter)

-- ~"The traffic on the internet doubles every
90 to 120 days" It looks like Spaff fell for the
old WorldCom line too... :) He does use some hyperbole in this piece (if the worst case of everything he talks about actually happened the internet would already be fried, but he is trying to present his position trenchantly).

-- ~"Only 12% of people in security research are women and minorities"~ OK, I could care less really, I DO discriminate... I only think the best & brightest should be doing this sort of thing, I don't care if you are a Purple-with-green-Polka dotted Female, just as long as you are the best, and I also don't care if you fill every quato imaginable, if you can't hack it, leave. He does raise a good point that too many of the security researchers aren't even from this country, but I think this means we should get more of America's best interested in security, and let the foreign exchange students learn too.

OK, that's it, this is a topic near & dear to my heart so I just had to spout off, go ahead & flame away! :)