Spafford On Infrastructure Risks 85
nealmcb writes "In a
major report from the AAAS,
Eugene Spafford,
director of CERIAS, summarizes the
many risks to our information infrastructure (viruses, bugs, single points of failure, etc.),
their causes (explosive growth, primacy of time-to-market over quality, lack of support for basic information security research, etc.),
and the negative effects of the DMCA, CBDTPA, and other corporate maneuvers."
My Favorite... (Score:2, Interesting)
Re:My Favorite... (Score:1)
Diversity (Score:3, Funny)
Re:Diversity (Score:1)
I read about it a couple of years ago. It was a university that provided a rescue diskette that booted Linux. The Linux installation then automagically downloaded and installed Windows on the hard drive.
Sorry I can't remember what university it was, but I think it was somewhere in South America.
This just in... (Score:4, Funny)
Re:This just in... (Score:1, Funny)
WTF?
Re:This just in... (Score:1)
Scientists out of touch with the economy. (Score:2, Insightful)
Re:Scientists out of touch with the economy. (Score:1, Insightful)
Re:Scientists out of touch with the economy. (Score:3, Insightful)
Incidentally, it is somewhat disappointing that he puts out the comparisons of Windows vs Unix viruses as 'proof' that UNIX is more secure without addressing the specific features of UNIX that would make it so. It is one thing for a slashdotter to assert 'unix is more secure than windows'; a university professor specialising in computer security should be able to do more than recite opinions, he should be able to explain why and how one system is more secure than another. The systemic lack of security argument does not work by the way since UNIX is the only mainstream operating system that did not originally have a security model. All the security features in modern UNIX are retrofitted - in some cases (shadow passwords) in the face of opposition from UNIX purists.
The principal reason why Macs, Ataris and MSDOS machines all had chronic virus problems is that they have no account based security controls. A rogue program can corrupt any system file it likes. A secondary reason is that in their original incarnation every one of the machines has supported the clueless operating mode of trying to boot from removable media. The only difference since then is that the Internet has proven a far more effective vector for malicious programs than floppy disks and the clueless enabling vector has been run from email.
He conveniently ignores the fact that there are Virus building toolkits written for Windows and the vast majority of the 'dozens of new viruses a week' are no more than minor variations on the same basic cores. Nor does he tie this back to his initial theme of an O/S monoculture, which is somewhat odd because the main reason why there are epidemics of Windows viruses is simply the fact that the population of Windows machines is large enough to support epidemics. For a virus to become an epidemic all that is required is for each infected host to pass on the infection to an average of more than one new host. There are two reasons an infected Linux box is less likely to do this: first, 90% of the hosts an infected linux box attempts to infect are likely to be Windows boxes immune from a linux virus. Second, the remaining 10% of linux boxes are likely to be considerably more heterogeneous than the average windows machine. There are likely to be a large number of different builds and even different processors, all in all a much harder target to infect.
The heterogeneous platform argument is unfortunately one of those arguments that works fine on the individual level and fails entirely at the public policy level. The problem being that it may be logical for me to use an obscure operating system to reduce the risk of virus (or other attack) but if everyone chooses the same O/S the obscurity advantage is lost. Incidentally Linux is far too mainstream for the obscurity argument to apply; if you want to be obscure you would have to use something like the Genera (Lisp machine) system we got the Clinton administration to use to do their press release publications onto the Internet from. (The machine was not chosen for security through obscurity, however we did remark afterwards that if the machine was ever compromised we could probably write the list of suspects with the expertise to crack it for the Secret Service.)
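The epidemic-threshold argument in the post above, worked as a constructed toy model (added here, not code from the thread or the report): a virus spreads only if each infected host passes it to more than one new host on average, so the platform's population share and build heterogeneity scale the effective reproduction number. The contact count per host and the build-compatibility rate are assumed parameters, not figures from the page.

```python
"""Epidemic-threshold view of the OS-monoculture argument (constructed example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Platform:
    name: str
    share: float         # fraction of all hosts running this OS
    build_compat: float  # chance a random host of this OS runs a build the virus can infect


def effective_r(contacts: int, platform: Platform) -> float:
    """Expected new infections per infected host (R_eff) for a virus targeting `platform`.

    `contacts` is the assumed number of infection attempts each infected host makes
    against randomly chosen hosts. An epidemic needs R_eff > 1, as the post argues.
    """
    return contacts * platform.share * platform.build_compat


def simulate(contacts: int, platform: Platform, hosts: int = 10_000, seed: int = 1) -> int:
    """Stochastic branching process in a finite population; returns hosts infected.

    A host is vulnerable only if it runs the target OS and a compatible build.
    """
    rng = random.Random(seed)
    vulnerable = [rng.random() < platform.share * platform.build_compat for _ in range(hosts)]
    infected = [False] * hosts
    try:
        first = vulnerable.index(True)  # seed the outbreak on one vulnerable host
    except ValueError:
        return 0
    infected[first] = True
    frontier = [first]
    while frontier:
        next_frontier = []
        for _ in frontier:
            for _ in range(contacts):
                target = rng.randrange(hosts)
                if vulnerable[target] and not infected[target]:
                    infected[target] = True
                    next_frontier.append(target)
        frontier = next_frontier
    return sum(infected)


if __name__ == "__main__":
    # Assumed parameters: 3 contacts per host; Windows is a 90% share monoculture,
    # Linux a 10% share where only one build in five is compatible with a given virus.
    windows = Platform("windows", share=0.9, build_compat=1.0)
    linux = Platform("linux", share=0.1, build_compat=0.2)
    for p in (windows, linux):
        print(f"{p.name}: R_eff={effective_r(3, p):.2f}, infected={simulate(3, p)}")
```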
Re:Scientists out of touch with the economy. (Score:2)
How often do we see Windows viruses again? (Score:3, Interesting)
On page 2 he says:
which implies over a hundred per week, but on page 9 he says:
which sounds somewhat lower. Which is it?
Either way, it's a pretty horrific number.
Re:How often do we see Windows viruses again? (Score:2)
(I mean the use of the term "dozens," not the fact that there's a new Windows virus introduced every 75 minutes.)
Therefore the proper SI standard unit is... (Score:1)
Well written, but I have some quibbles (Score:5, Interesting)
Also, we don't know how much research is being done behind closed doors. The NSA has a lot of bright people and is big enough to do basic research *if* they choose. Their mission does include infrastructure protection.
Spafford's comments about the pressure of time to market were on target. Bruce Schneier spoke at Microsoft once. An employee asked him what MS could do to make secure products. Schneier's response was, simply, that Microsoft shouldn't -- that security is expensive, slows development, and won't result in more sales. That last may have changed by now.
For perspective, some of the government's cyberwarfare investigators have said that any hostile power's virus attack would get lost in the noise of daily blue screens, system "upgrades" and random viruses. On the offensive side, they recommend that if you want to stop a computer from working you should use an OS-independent attack from an F-18. Such an attack can't be fixed by downloading a patch.
Re:Well written, but I have some quibbles (Score:1)
Were you? Do you remember it differently? If so please post your best recollection instead of calling me a liar.
I was a bit startled myself. I believe he was calling attention to the difference in requirements between feature-rich, flexible, powerful commercial software and small, simple, easy-to-analyze "secure" systems.
You may want to read "Secrets and Lies", in which Bruce Schneier argues that computer security is like meatspace security -- uneconomical or impossible to do at 100%, but possible to do well enough to buy insurance.
Re:Well written, but I have some quibbles (Score:2)
That particular idea did not start with Bruce. It has been taught in computer security 101 for twenty plus years.
If as he claims in the intro Bruce only just realised that security is risk control not risk elimination then he owes me a credit, I had a long discussion with him on that point at RSA the year before the book came out.
The real explanation is that Bruce's interests have changed over the past ten or so years. When he wrote Applied Cryptography he was pretty much a specialist coder of crypto software, then after AP#1 he got deeper and deeper into cryptography and started proposing his own designs, mainly in the symmetric algorithm space. The point is that in that part of the security world you really can provide pretty much absolute guarantees for certain security risks.
Since then he has pretty much moved from being a pure crypto specialist to being a computer security guru. Even so he does have something of a reputation of firing off attacks on the insecurity of systems without understanding the risks they are trying to mitigate.
A key case in point there being his attack on the security of IPSEC. Now whatever you think about Bruce, Steve Bellovin and Jeff Schiller are by any analysis his equal technically. Whatever reputation Bruce has with the general public, Steve and Jeff have a rather higher one within the IETF.
So yes, the statement to Microsoft is very much in character for Bruce; yes, Bruce has an awfully high reputation; but no, don't consider his word as gospel.
Re:Well written, but I have some quibbles-has not (Score:1)
Mr Blox (MS employee) in his comments recently about whether the new C++ library to prevent buffer overflows should be required to be used by MS programmers listed it as optional!
But here is the kicker: we poor open source coders seem to be able to write code without buffer overflows... maybe MS programmers are just plain fucking stupid!
Re:Well written, but I have some quibbles-has not (Score:2)
Two words: sendmail
Re:Well written, but I have some quibbles-has not (Score:2)
But, yes, there's nothing about OSS that prevents buffer overflows. It just has a greater chance of being caught and fixed IMO than CSS. Not that the buffer overflows will be caught immediately. Sendmail's problems went for years without being noticed. But many of them are now fixed.
You are absolutely right though -- OSS is not immune to things like security holes, viruses, worms, or other bugs. It stands a slightly better chance, and I use it all the time, but people who think it's the holy grail are just deluding themselves.
Lord. Protect me from academics. (Score:3, Interesting)
So far I've read a poem that, while interesting, a quick search on google shows that the person who presented it is also the translator [ucsc.edu]. Right. Can someone please find the original so we can verify this for ourselves? Thank you.
I've seen police, fire fighters, and medical personnel compared with researchers in the social science and humanities. I've seen proposals for information to be on a "need to know" basis, with the only people who "need to know" being the government and (of course) researchers. I love it when someone welcomes a loss of freedom provided it doesn't include them.
If you want some good music to listen to this to, I recommend Love Me, I'm a Liberal by Phil Ochs [pdx.edu], unless you're too young, in which case you might as well listen to the Jello Biafra version [geocities.com].
Re:Lord. Protect me from academics. (Score:4, Informative)
Re:Lord. Protect me from academics. (Score:1)
Your link is to ch. 1, not ch. 4; Gene's is ch. 4 (Score:2)
The provided link is to an HTML version of chapter 1 of the book; Gene Spafford's comments cited in this Slashdot article are in chapter 4.
-- Terry
Re:Lord. Protect me from academics. (Score:2, Informative)
Yep, it's a load of horsehockey.
The passage he's trying to cite, I believe, is from an essay Louis Aragon wrote in La Révolution surréaliste, no. 4 (published in 1925):
I'd translate this more as "That the drug traffickers throw themselves on our terrified countries. That far away, America's white buildings collapse."
I wouldn't even interpret the first sentence as relating to America, since Aragon clearly considered America to be quite distant from himself and, consequently, any countries he would feel compelled to call "our."
Using such a questionable quote without checking sources was extremely irresponsible on the part of Dr. Greenwood. On the other hand, Wlad Godzich should be summarily dismissed from his position at UC Santa Cruz for such academic dishonesty as daring to translate the same phrase as "The time will come, America,/When the hordes of Afghanistan/Will crash your gleaming airplanes/Into the shiny towers of Manhattan."
Re:Lord. Protect me from academics. (Score:1)
information disclosure (Score:1)
Long Ramble Time (tm) (Score:4, Insightful)
Spafford's article is somewhat of a hit & miss. I'm going to paraphrase a few sections that IMHO are good, and some that are not so good.
The Good:
-- UCITA: ~"This legislation will ban research into security issues with software products and even outlaw criticism of software design"~ I couldn't agree more. What kind of an idiotic company could possibly object to FREE DEBUGGING being done by University researchers, that could lead to drastically better software, instead of skipping beta? If I were a commercial developer I'd GIVE IT TO THE UNIVERSITY FIRST!! (As a rabid old-school capitalist I actually think the road to more $$$ is to put out a good product; unfortunately a bunch of short sighted schmucks thought they could cheat the system.... and look at their stocks...)
-- The lack of research in security: yeah, Purdue churned out over 125 Seniors in Computer Engineering, and I'm the only one that I know who is doing grad work (or has a job) in security proper, and I'm only getting a Master's, so I won't help his PhD count, (not that a Master's isn't helpful, he wants to have people to take over for him when he retires).
-- The lack of qualified people in Law Enforcement: Another *excellent* point. If we just had a competent core of cyber-crime investigators, a whole bunch of this BS about Carnivore wouldn't even be necessary since they could do the proper investigatory work to get probable cause for warrants and nail the criminals while not violating the Constitution...
(sometimes I think I'm the only one who wants to punish the criminals while simultaneously not punish the normal people...) The laws do need updates in some ways (NOT the DMCA), but warrants to look through e-mails and electronic correspondence should have clearly defined levels of evidence necessary (just like today there are pretty well defined levels for searching your house).
-- ~"That common system that runs commerce, defense, and much of the scientific establishment. It is under a constant barrage of viruses, worms, and hacker (he said hacker, not cracker BTW) attacks, this system which you use to browse the internet is also going to run an Aircraft carrier next year. What would we say if the US Airforce bought crop dusters since they are cheaper than F-16's?"~
Another excellent point, but I don't see what he has against Linux since I use it every day!!
Controlling the airplane elevators and ordnance tracking system?? It's dangerous and completely unnecessary. I wouldn't even put Linux in charge of most of the sensitive systems; they have enough money to build custom systems (note that custom systems can still be modular and communicate with each other, they are just built to better tolerances in a restricted environment of a ship). You can run some isolated Windows boxes to do some word processing or Powerpoint slides, just don't give the ship a bluescreen!
OK, now time for a few gripes (don't worry this list is shorter)
-- ~"The traffic on the internet doubles every 90 to 120 days"~ It looks like Spaff fell for the old WorldCom line too...
-- ~"Only 12% of people in security research are women and minorities"~ OK, I could care less really. I DO discriminate... I only think the best & brightest should be doing this sort of thing. I don't care if you are a Purple-with-green-Polka dotted Female, just as long as you are the best, and I also don't care if you fill every quota imaginable; if you can't hack it, leave. He does raise a good point that too many of the security researchers aren't even from this country, but I think this means we should get more of America's best interested in security, and let the foreign exchange students learn too.
OK, that's it, this is a topic near & dear to my heart so I just had to spout off, go ahead & flame away!
Re:Long Ramble Time (tm) (Score:1)
CS majors do and then some. I have done everything from transistor theory to distributed OS theory, and I've even implemented a VM from both the VLSI side in VHDL and the realspace VM in an OS kernel. You'd be surprised what they teach us.
Perpetuating the myth (Score:3, Informative)
The amount of traffic we see on the backbones of the networks has been doubling approximately every 90 to 120 days.
I thought that myth had been debunked [slashdot.org]. It now has passed into the realm of the 'factoid'.
Spaff published the piece before the myth popped. (Score:2)
Spaff published the piece a week before it was debunked. The file is dated Jul 19, the article you cite follows from an Economist article dated Jul 26.
Now looks like what we had was:
2 years of tenfold growth
3 years of twofold growth.
(dotcom bubble pop)
2 more years where numbers aren't in (though DSL connects were about doubling per year).
Substituting "doubles every year" in Spaff's article makes it a bit less gee-whiz, but no less valid.
There Is Something Rotten in Software Engineering (Score:1, Flamebait)
There is something rotten at the heart of software engineering. We are using a software technology that was introduced one hundred and sixty years ago by Lady Ada Lovelace and Charles Babbage. This was at a time when the best performance they could hope for that speed demon of theirs--the analytical engine, too bad they never got it to work--was maybe fifty cycles per second at the most. Times have changed somewhat since then. More details can be found at the links below:
Project COSA [gte.net]
I have comments on COSA (Score:2)
Other than writing a thesis, and driving traffic to your web site, what have you done?
You appear to be attempting to start an Open Source project to address the problem using your approach arrived at from your thesis materials, without a proof-of-concept.
With respect, if your methods worked, they should be able to work manually, without having to build up a huge support infrastructure.
In other words, you should be able to apply them to a demonstration problem, and have the results speak for themselves.
You should also be aware that *declaring* an Open Source project is not the same thing as *causing* one to come into being. Merely declaring something will not cause thousands of elves to come out of the woods and solve your problems for you, Seymour Cray's claims to the contrary.
If you want to convince people, *do something*, don't just *talk about doing something*.
-- Terry
Re:I have comments on COSA (Score:2)
I have done a lot more than you think. These ideas did not materialize into thin air from nowhere while sitting on my ass. They've been a long time coming. You may not realize it but that is the brunt of the work. The rest is just engineering.
I am working on a two-sided project, AI (Animal) and software reliability (COSA). I have done a tremendous amount of research in AI (see the links below) and written C++ code for a chess learning spiking neural network which can be downloaded from the site. Check it out. I am currently writing code for the COSA execution kernel.
I think this work is too important to allow business interests to control it. I have decided to open-source all the code and research as soon as I can attract one or more sponsors.
Temporal Intelligence [gte.net]
Animal [gte.net]
Re:I have comments on COSA (Score:2)
Yes, it's a lot of work to do the design engineering necessary for any project, including an Open Source Software project. And the design engineering is the most important part of a project -- I generally spend no less than 60% of my time on any project doing design work, and it's usually a much greater percentage than that.
But if you want volunteers to do your coding for you, you have to be able to motivate them, and you're not handling this aspect of your project properly.
The only thing that will motivate people to donate code to your project is if the project infrastructure already exists, and if at least a minimal set of working code exists.
In your thesis, you describe purpose-specific objects with which other objects communicate. But you don't put up source code for the communications infrastructure that must underpin these objects, and you don't put up source code for the common function example objects themselves.
Frankly, without example code, all it will ever be is a thesis, unless you end up finding funding and paying people to work on it, because as it stands, there is no reward equation for Open Source Software volunteers to work on an initial implementation; Open Source is really lousy at creating initial implementations.
-- Terry
Re: (Score:1)
How good is the system the vendor is running? (Score:4, Funny)
So, I wish I could see the state of the computer of the guy who's trying to sell me a computer.
If he's missing fingers... (Score:1)
The Infamous Spafford. (Score:3, Informative)
Spafford is the master at sound bites, but I'm still not convinced he knows what he's talking about.
We could talk about the scare tactic scenario (page 4) he presents about 50% of the phones going down along with the internet (ok, anyone with half a cluepon, tell me how "the internet" can go down... portions of it yet (we saw it effectively "down" on 911), but it's pretty well impossible to take down the public 'net unless you nuked the entire planet. Ditto for the phone systems (even the legendary Blotto Box (assuming it would work) could only take down an NPA.)), but suspending reality for a moment and living in the Spaff's world....
His basic math does not add up (another poster has already pointed this out) and does not agree with the data available (talking about his virii numbers). Even the virii whores at McAfee don't claim there are new worms/virii every 75-90 mins (page 4.2).
Consider such statements he makes, such as...
"[...] on average over 1 million each year from computer misuses and computer crime [lost each year]. Worldwide, as much as 1 trillion may be lost in downtime and damages each year. Not only is poor security costing us real money, it is also harming our national competitiveness."
The FBI study is not cited, only mentioned. The numbers he mentions are not backed up with facts, neither are there facts to back up the "national competitiveness" loss he cites (surely it's not because our economy is in the tanker, no?).
He goes on to say that only "100 (maybe 60)" people in higher Ed have training in Security (as he defines it, I might add). But again, no facts to back that up, only conjecture.
I loved the paragraph.
"As best as I can tell, the total amount of money available this most recent fiscal year for *basic* research in information security was about $2 million (through the National Science Foundation); a great deal of the money is being spent on acquisition and development of technology for security, but rather that is money spent on extensions of known methods rather than basic research"
Ok, from a basic logical thinking point of view... either the 2 mill was available for basic research or not (he says both; he says at the beginning it is, but then says that most of the money was spent on "extensions of known methods").
After this he goes on to say that comp sci as a discipline was created at Purdue (where he works).
Finally for some WorldCom quotes...
"The amount of traffic that we see on the backbones of the networks has been doubling every 90 to 120 days" That's pretty much a direct quote from some of the FUD that the WorldCom guys were pitching back in 99-2000.
He goes on to bitch about people entering the Comp Sec field without a degree and tries to pitch those folks as having no real level of depth or expertise. I can only point out that the great and powerful Spaff has been personally hacked by those selfsame people....
My point being in this that you, gentle reader, need to take Spafford with a very large grain. Always ask for the proof.
If you wish to learn more about Spafford, simply browse some of his old Usenet posts.
In particular you may find such threads as "CERT as told by Spafford" entertaining. Spafford used to be one of the honchos that kept general security info from the hands of the unwashed masses....
You can also read his "the sky is falling" report to the Whitehouse a few years ago; again it makes interesting reading.
Mark this as a troll if you must, but don't accept every blind statement by someone with a PhD as gospel.
Re:The Infamous Spafford. (Score:2)
I do, and I agree with at least one of your points (the NSF one). But my point was really to point out that people need to *think* about what the so called "experts" say (did you know that Spafford once said that taking a lead pipe to someone's knees was worse than hacking their systems (he was referring to Banks and the like, I would add in all fairness), but I still find that amazing). Again though, my point was really not to diss Spafford, but rather to get people to ask if the people telling them the sky is falling (or that the 'Net is the end to all human suffering (not that the Spaz has said that)) are right, and consider what they are saying and critically evaluate it.
Re:The Infamous Spafford. (Score:1)
"The next generation of Navy aircraft carriers is going to have all weapons systems, propulsion, and command and control run by the very same system that you use at home to browse the Internet and play computer games. This is the same one that keeps coming up with "blue screens of death," which take on new, grim meaning in a military environment."
If Spafford had been a bit more toned down, he could have still made the same points without introducing vulnerabilities in his arguments that would make one cringe. OTOH, his points should be contemplated and analyzed. Computer/network security is pathetic if one considers the worst case scenario. A design error that is inherent in a commonly used protocol used by network routers could potentially create havoc. Hmmm, didn't we come close to this one?
Re: USS Yorktown (Score:2)
RISKS [ncl.ac.uk] digest 19.88 (1998): USS Yorktown dead in water after divide by zero [ncl.ac.uk].
Re:The Infamous Spafford. (Score:2)
Well reasoned arguments... (Score:1)
If you ask most fuds they will tell you that only another fud knows anything useful:
"We have a number of policy decisions that are being made by low level technical people"
I think that the whole point of this diatribe is to get more money for his research program. It would help if he cited his sources and gave examples.
Of course, it has already been pointed out that the doubling of internet traffic every 100 days was debunked just days ago. Errors like quoting bogus statistics just serve to further discredit this piece.
The wrong approach. (Score:3, Informative)
So from now on, don't suggest that companies LOSE this money whenever they're attacked. This is just part of the total cost of ownership when you run insecure software, and when you hire substandard IT personnel, and when you don't have reasonable company policies regarding non-business related applications.
Companies can take the cheap way out. They can put Windows boxes in front of every employee of the company, content that everyone can quickly figure out what to do with minimal expense. Hire some just out of college whackjobs with no useful experience to run the network. They're cheap after all. Nobody to train, nobody to waste money on. No need to spend money on security audits. That's just wasted money. Of course, you'll "lose" all of it the first time someone hits you, but that's the way you've decided to budget your technical department. You get what you pay for.
-Restil
This guy's forecast is way out. (Score:1)
And these risks to the Internet have been around for HOW long now? About 30 years, from the very moment of its creation? And has it ever gone completely down the tube?
Didn't think so.
consumers to blame (Score:1)
I think this guy puts too much blame on the vendors. Vendors supply what people want, and people, in general, want bad software fast rather than good software a little slower. I don't buy into that; I get software based primarily on its technical merit (which includes security, of course).
Sometimes vendors imply that "everyone writes crappy software". I think that's bad because the consumers might not understand the idea of an application or OS that works consistently.
However, I don't see any clear way around that kind of marketing. And I certainly don't see any productive (as opposed to counterproductive) way of *forcing* people to write good software without public demand. After all, liability would decrease the number of free software developers. Not only that, what about software developed outside the US? Import laws? That just sounds like a bad idea.
-Jeff
Spafford has done other things (Score:2)
Crypto-Gram: Recommended Interview with Spafford (Score:2)
This interview with Gene Spafford [pkiforum.com] was recommended by Bruce Schneier [counterpane.com] in his Crypto-Gram [counterpane.com] newsletter some months back.
Bruce says:
I skipped over the intro page [pkiforum.com] but if you really want to see it it's here [pkiforum.com].
Meetup was fun. (Score:1)
Phew!!! (Score:2)
I thought for a moment it was SpaMfford Wallace...