Slashdot Mirror
Spafford On Infrastructure Risks
nealmcb writes "In a
major report from the AAAS,
Eugene Spafford,
director of CERIAS, summarizes the
many risks to our information infrastructure (viruses, bugs, single points of failure, etc.),
their causes (explosive growth, primacy of time-to-market over quality, lack of support for basic information security research, etc.),
and the negative effects of the DMCA, CBDTPA, and other corporate maneuvers."
My favorite are all of the P2P programs that people run that can be auto updated. Imagine the havoc that can be created with control of 1,000,000 computers with fast internet connections.
How am I supposed to download my Windows ME patch if as soon as I connect with a fresh install I get infected? Microsoft should include a rescue CD that runs Linux.
A report from the AASWEDW discussing IISDCED and UPDESCTG interrelation issues with OPWSEDSC and NMEDSE, along with EWSDICE or WEDGCDSE legislation. Film at 11.
They who would give up an essential liberty for temporary security, deserve neither liberty nor security
This comment made me think twice about how important they think security is: "After all, disruption of eBay, Amazon, Google, or online chat groups does not seem like much of a menace." -- Eugene H. Spaffor A major security breach at eBay or Amazon will surely result in millions of dollars of lost transactions and loss of investor confidence. How is that not a menace? One can argue that the US economy is more important than security because it has an global effect. And without google, most websites won't even need security. We just slashdot them until they are unavailable. :)
On page 2 he says:
which implies over a hundred per week, but on page 9 he says:
which sounds somewhat lower. Which is it?
Either way, it's a pretty horrific number.
One problem is not so much lack of basic research as it is lack of a "literature" to search. It's routine for someone to present some time-consuming research at a security conference only to have the Q&A consist of "did you know that's been done already?"
Also, we don't know how much research is being done behind closed doors. The NSA has a lot of bright people and is big enough to do basic research *if* they choose. Their mission does include infrastructure protection.
Spafford's comments about the pressure of time to market were on target. Bruce Schneier spoke at Microsoft once. An employee asked him what MS could do to make secure products. Schneier's response was, simply, that Microsoft shouldn't -- that security is expensive, slows development, and won't result in more sales. That last may have changed by now.
For perspective, some of the government's cyberwarfare investigators have said that any hostile power's virus attack would get lost in the noise of daily blue screens, system "upgrades" and random viruses. On the offensive side, they recommend that if you want to stop a computer from working you should use an OS-independent attack from an F-18. Such an attack can't be fixed by downloading a patch.
So far I've read a poem that, while interesting, a quick search on google shows that the person who presented it is also the translator. Right. Can someone please find the original so we can verify this for ourselves? Thank you.
I've seen police, fire fighters, and medical personnel compared with researchers in the social science and humanities. I've seen proposals for information to be on a "need to know" basis, with the only people who "need to know" being the government and (of course) researchers. I love it when someone welcomes a loss of freedom provided it doesn't include them.
If you want some good music to listen to this to, I reccomend Love Me, I'm a Liberal by Phil Ochs unless you're too young, in which case you might as well listen to the Jello Biafra version
No Zen is good zen
OK, as a recent Purdue Grad (Spafford heads CERIAS at Purdue) and as someone who is going into security research for a Masters degree.... I'm going to shoot my mouth off!!
:) OK, we all know he's attacking Windows, and he has an excellent point.... The aircraft carrier (My guess is it's the Truman or more likely the Reagan) has all kinds of reinforced bulkheads and compartments so that even if one part of the ship gets hit, the rest can keep on fighting! (here comes the analogy) So why the hell would you have one, integrated, incredibly vulnerable system running everything from a powerpoint presentation in the briefing rooms, to
:) He does use some hyperbole in this piece (if the worst case of everything he talks about actually happened the internet would already be fried, but he is trying to present his position trenchantly).
:)
Spafford's article is somewhat of a hit & miss. I'm going to paraphrase a few sections that IMHO are good, and some that are not so good.
The Good:
-- UCITA: ~"This legislation will ban research into security issues with software products and even outlaw criticism of software design"~ I could'nt agree more, what kind of an idiotic company could possibly object to FREE DEBUGGING being done by University researchers, that could lead to drastically better software, instead of skipping beta, if I were a commercial developer I'd GIVE IT TO THE UNIVERSITY FIRST!! (As a rabid old-school capitalist I actually think the road to more $$$ is to put out a good product, unfortunately a bunch of short sighted schmucks thought they could cheat the system.... and look at their stocks...)
-- The lack of research in security: yeah, Purdue churned out over 125 Seniors in Computer Engineering, and I'm the only one that I know who is doing grad work (or has a job) in security proper, and I'm only getting a Master's, so I won't help his PhD count, (not that a Master's isn't helpful, he wants to have people to take over for him when he retires).
-- The lack of qualified people in Law Enforcement: Another *excellent* point, if we just had a competent core of cyber-crime investigators, a whole bunch of this BS about Carnivore wouldn't even be neccessary since they could do the proper investigatory work to get probable cause for warrants and nail the criminals while not violating the Constitution...
(sometimes I think I'm the only one who wants to punish the criminals while simultaneously not punish the normal people...) The laws do need updates in some ways (NOT the DMCA), but warrants
to look through e-mails and electronic corespondance should have clearly defined levels of evidence neccessary (just like today there are
pretty well defined levels for searching your house).
-- ~"That common system that runs commerce, defense, and much of the scientific establishment. It is under a constant barrage of viruses, worms, and hacker (he said hacker, not cracker BTW) attacks, this system which you use to browse the internet is also going to run an Aircraft carrier next year. What would we say if the US Airforce bought crop dusters since they are cheaper than F-16's?"~
Another excellent point, but I don't see what he has against Linux since I use it every day!!
controlling the airplane elevators and ordance tracking system?? It's dangerous and completely uneccessary, I wouldn't even put Linux in charge of most of the sensitive systems, they have enough money to build custom systems (note that custom systems can still be modular and communicate with each other, they are just built to better tolerances in a restricted environment of a ship) You can run some isolated Windows boxes to do some word processing or Powerpoint slides, just don't give the ship a bluescreen!
OK, now time for a few gripes (don't worry this list is shorter)
-- ~"The traffic on the internet doubles every
90 to 120 days" It looks like Spaff fell for the
old WorldCom line too...
-- ~"Only 12% of people in security research are women and minorities"~ OK, I could care less really, I DO discriminate... I only think the best & brightest should be doing this sort of thing, I don't care if you are a Purple-with-green-Polka dotted Female, just as long as you are the best, and I also don't care if you fill every quato imaginable, if you can't hack it, leave. He does raise a good point that too many of the security researchers aren't even from this country, but I think this means we should get more of America's best interested in security, and let the foreign exchange students learn too.
OK, that's it, this is a topic near & dear to my heart so I just had to spout off, go ahead & flame away!
AntiFA: An abbreviation for Anti First Amendment.
The amount of traffic we see on the backbones of the networks has been doubling approximately every 90 to 120 days.
I thought that myth had been debunked. It now has passed into the realm of the 'factoid'.
Enigma
This whole report regarding "stuff rushed to market over quality" reminds of buying fire works at an indain reservation. The guy I went up to was missing 2 fingers. Like I'm going to buy some m-80's from a guy who lost 2 fingers.
So, I wish I could see the state of the computer of the guy who's trying to sell me a computer.
I remember your (identical) posting on July 22nd, which you claim on your web site drove 1400 hits worth of traffic to your site.
Other than writing a thesis, and driving traffic to your web site, what have you done?
You appear to be attempting to start an Open Source project to address the problem using your approach arrived at from your thesis materials, without a proof-of-concept.
With respect, if your methods worked, they should be able to work manually, without having to build up a huge supprt infrastructure.
In other words, you should be able to apply them to a demonstration problem, and have the results speak for themselves.
You should also be aware that *declaring* an Open Source project is not the same thing as *causing* one to come into being. Merely declaring something will not cause thousands of elves to come out of the woods and solve your problems for you, Seymore Cray's claims to the contrary.
If you want to convince people, *do something*, don't just *talk about doing something*.
-- Terry
I'm sorry, but how can I take a "study" seriously when there not even citations of sources.
Spafford is the master at soundbytes, but I'm still not convienced he knows what he's talking about.
We could talk about the scare tactic scenario (page 4) he presents about 50% of the phones going down along with the internet (ok, anyone with half a cluepon, tell me how "the internet" can go down...portions of it yet (we saw it effectively "down" on 911) but it's pretty well impossible to take down the public 'net unless you nuked the entire planet. Ditto for the phone systems (even the legandary Blotto Box (assuming it would work) could only take down a NPA.)) but suspending reality for a moment and living in the the Spaff's world....
His basic math does not add up (another poster has already pointed this out already) and does not agree with the data avaliable (talking about his virii numbers). even the virii whores at Mcafee don't claim there are new worms/virii ever 75-90 mins (page 4.2)
Consider such statments he makes, such as...
"[...] on average over 1 million each year from computer misuses and computer crime [lost each year]. Worldwide, as much as 1 trillion may be lost in downtime and damages each year. Not only is poor security costing us real money, it is also harming our national competiveness."
The FBI study is not cited only mentioned. The numbers he mentions are not backed up with facts, neither are there facts to back up the "national competiveness" loss he cites (surely it's not because our economy is in the tanker no?).
He goes on to say that only "100 (maybe 60)". people in higher Ed have training in Security (as he defines it I might add). But again, no facts to back that up, only conjecture.
I loved the paragraph.
"As best I as I can tell, the total amount of money available this most recent fiscal year for *basic* research in information security was about $2 million (through the National Science Foundation); a great dealof the money is being spent on acquisition and development of technology for security, but rather that is money spent on extentions of known methods rather than basic reasearch"
Ok, from a basic logical thinking point of view...either the 2 mill was avaliable for basic research or not (he says both, he says at the begining it is, but then says that most of the money was spent on "extentions of known methods")
after this he goes on to say that comp sci as a discpline was created at Purdue (where he works).
Finally for some WorldCom quotes...
"The amount of traffic that we see on the backbones of the networks has been doubling ever 90 to 120 days" That's pretty much a direct quote from some of the FUD that the WorldCom guys were pitching back in 99-2000.
He goes on to bitch about people intering the Comp Sec field without a degree and tries to pitch those folks as having no real level of depth or expertise. I can only point out that the great and powerful Spaff has been personally hacked by those selfsame people....
My point being in this that you gentle reader, need to take Spafford with a very large grain. Always ask for the proof.
If you wish to learn more about spafford simply browse some of his old Usenet posts.
in particular you may find such threads as "CERT as told by Spafford" entertaining. Spafford used to be one of the honchos that kept general security info from the hands of the unwashed masses....
You can also read his "the sky is falling" report to the Whitehouse a few years ago, again it makes interesting reading.
Mark this as a troll if you must, but don't accept every blind statment by somone with a PHD as gospel.
Bugs Bunny was right.
Constantly, the money that companies are forced to spend on recovering from various infrastructure attacks are should not always be referred to as "losses". Certainly, if someone broke into your building and stole something, that is a loss. But if your entire corporate network is down for two days while your IT department is working overtime and the rest of the company is not, while getting paid, this is not a loss. This is an operating expense. This is part of the expected cost of using software that has well known vulnerabilities. This is part of that "total cost of ownership" that Microsoft is only so proud to bring up when discussing their software prices when compared with those of competitors.
So for now on, don't suggest that companies LOSE this money whenever they're attacked. This is just part of the total cost of ownership when you run insecure software, and when you hire substandard IT personel, and when you don't have reasonable company policies regarding non-business related applictions.
Companies can take the cheap way out. They can put Windows boxes in front of every employee of the company, content that everyone can quickly figure out what to do with minimal expense. Hire some just out of college whackjobs with no useful experience to run the network. They're cheap afterall. Nobody to train, nobody to waste money on. No need to spend money on security audits. That's just wasted money. Of course, you'll "lose" all of it the first time someone hits you, but that's the way you've decided to budget your technical department. You get what you pay for.
-Restil
Play with my webcams and lights here
See the subject line.
The provided link is to an HTML version of chapter 1 of the book of which Gene Spafford's comments being cited in theis Slashdot article are in chapter 4.
-- Terry
Gene Spafford was instrumental in blocking the installation of Carnivore onto Purdue University's network. Many other schools folded, but he was adament about users rights.
-- the computer doesn't want any beer, no matter how much you think it does. NEVER, EVER feed your computer beer.
Two words: sendmail
This interview with Gene Spafford was recommended by Bruce Schneier in his Crypto-Gram newsletter some months back.
Bruce says:
I skipped over the intro page but if you really want to see it it's here.
Well, that's only one word :)
But, yes, there's nothing about OSS that prevents buffer overflows. It just has a greater change of being caught and fixed IMO than CSS. Not that the buffer overflows will be caught immediately. Sendmail's problems went for years without being noticed. But many of them are now fixed.
You are absolutely right though -- OSS is not immune to things like security holes, viruses, worms, or othre bugs. It stands a slightly better chance, and I use it all the time, but people who think it's the holy grail are just deluding themselves.
"Save the whales, feed the hungry, free the mallocs" -- author unknown
I thought that myth had been debunked. It now has passed into the realm of the 'factoid'.
Spaff published the piece a week before it was debunked. The file is dated Jul 19, the article you cite follows from an Economist article dated Jul 26.
Now looks like what we had was:
2 years of tenfold growth
3 years of twofold growth.
(dotcom bubble pop)
2 more years where numbers aren't in (though DSL connects were about doubling per year).
Substituting "doubles every year" in Spaff's article makes it a bit less gee-whiz, but no less valid.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I thought for a moment it was SpaMfford Wallace...
RISKS digest 19.88 (1998): USS Yorktown dead in water after divide by zero.