October 25, 2005

Security Professionals Advised to Button Lips

Nick pointed me to his Cuthbert post, and I asked where the RSS feed was, adding "I cannot see it on the page, and I'm not clued enough to invent it." To which he dryly commented "if you tried to invent it you'd arguably end up creating many 'unauthorized' URLs in the process...."

Welcome to the world of security post-Cuthbert. He raises many points:

Under these statutes, the Web equivalent of pushing on the door of a grocery store to see if it's still open has been made a crime. These vague and overly broad statutes put security professionals and other curious web users at risk. We depend on network security professionals to protect us from cyberterrorism, phishing, and many other on-line threats. These statutes, as currently worded and applied, threaten them with career ruin for carrying out their jobs. Cuthbert was convicted for attempting to determine whether a web site that looked like British Telecom's payment site was actually a phishing site, by adding just the characters "../.." to the BT site's URL. If we are to defeat phishing and prevent cyberterrorism, we need more curious and public-spirited people like Cuthbert.

Meanwhile, these statutes generally require "knowledge" that the access was "unauthorized." It is thus crucial for your future liberty and career that, if you suspect that you are suspected of any sort of "unauthorized access," take advantage of your Miranda (hopefully you have some similar right if you are overseas) right to remain silent. This is a very sad thing to have to recommend to network security professionals, because the world loses a great deal of security when security professionals can no longer speak frankly to law-enforcement authorities. But until the law is fixed you are a complete idiot if you flap your lips [my emphasis].

Point! I had not thought so far, although I had pointed out that security professionals are now going to have to raise fingers from keyboards whenever in the course of their work they are asked to "investigate a fraud."

Consider the ramifications of an inadvertent hit on a site - what are you going to do when the Met Police comes around for a little chat? Counsel would probably suggest "say nothing." Or more neutrally, "I do not recollect doing anything on that day .. to that site .. on this planet!" as the concept of Miranda rights is not so widely encouraged outside the US. Unfortunately, the knock-on effect of Cuthbert is that until you are apprised of the case in detail -- something that never happens -- you will not know whether you are a suspect or not, and your only safe choice is to keep your lips buttoned.

Nick goes on to discuss ways to repair the law, and while I agree that this would be potentially welcome, I am not sure whether it is necessary. Discussion with the cap-talk people (the most scientific security group that I am aware of, but not the least argumentative!) has led to the following theory: the judgement was flawed because it was claimed that the access was unauthorised. This was false. Specifically, the RFC authorises the access, and there is no reasonable theory to the alternative, including any sign on the site that explains what is authorised and what not. The best that could be argued - in a spirited defence by devil's advocate Sandro Magi - is that any link not provided by the site is unauthorised by default.
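To make the "the RFC authorises the access" point concrete, here is an added example (not code from the original post, nor from anyone quoted in it) implementing the dot-segment removal algorithm from RFC 3986 section 5.2.4, which I assume is the RFC the cap-talk discussion had in mind. The algorithm treats ".." as ordinary URI syntax: a conforming resolver collapses it before the request is made, and ".." above the root simply stops at the root. The URLs below are constructed for illustration and are not the BT site.

```python
"""Dot-segment removal as specified in RFC 3986 section 5.2.4.

Added example: shows that a path containing "../.." is resolved by the
standard URI algorithm into a plain path, with no way to climb above "/".
"""
from urllib.parse import urlsplit, urlunsplit


def remove_dot_segments(path: str) -> str:
    """Apply the RFC 3986 5.2.4 algorithm to a path component."""
    inp = path
    out: list[str] = []
    while inp:
        if inp.startswith("../"):            # step A
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):          # step B
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):         # step C: pop the last segment
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):             # step D
            inp = ""
        else:                                # step E: move one segment to output
            start = 1 if inp.startswith("/") else 0
            idx = inp.find("/", start)
            if idx == -1:
                seg, inp = inp, ""
            else:
                seg, inp = inp[:idx], inp[idx:]
            out.append(seg)
    return "".join(out)


def normalize_url(url: str) -> str:
    """Rebuild a URL with dot segments removed from its path.

    Only the path is touched; scheme, host, query and fragment pass through.
    """
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=remove_dot_segments(parts.path)))


if __name__ == "__main__":
    # Constructed example URL, not the site in the case.
    typed = "https://www.example.org/pay/../../"
    print(typed, "->", normalize_url(typed))  # resolves to the site root
    for p in ("/a/b/c/./../../g", "mid/content=5/../6"):  # RFC 3986 examples
        print(p, "->", remove_dot_segments(p))
```

The two examples at the end are taken straight from RFC 3986 section 5.2.4 so the implementation can be checked against the spec; "/pay/../../" collapses to "/", which is the kind of request any resolver following the RFC would produce.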

In contrast, there is a view among some security consultants that you should never do anything you shouldn't ever do, which is more or less what the "unauthorised" claim espouses. On the surface this sounds reasonable, but it has intractable difficulties. What shouldn't you ever do? Where does it say this? What happens if it *is* a phishing site? This view is neither widely understood by the user public nor plausibly explained by the proponents of that view, and it would appear to be a cop-out in all senses.

Worse, it blows a hole below the waterline of any phishing defence known to actually work - how are we going to help users to defend themselves if we ourselves are skating within cracking distance of the thin ice of Cuthbert? Unfortunately, explaining why it is not a rational theory in legal, economic or user terms is about as difficult as having an honest discussion about phishing. Score Cuthbert up as an own-goal for the anti-phishing side.

Posted by iang at October 25, 2005 05:14 PM

Move to another country (legal jurisdiction, service provider). Go on strike. Withhold your talents/abilities.
Get off your butt. You people have incredibly valuable knowledge. My impression is that the NSA isn't anything compared to what it used to be. I don't really know.


Posted by: bob at October 25, 2005 06:21 PM

You and I and many other security experts have some good opinions about what "unauthorized" means, but British Telecom disagreed. They convinced the judge so thoroughly that he found Cuthbert guilty even though he practically admitted the verdict was unjust. Cuthbert, Schwartz, and other cases have started creating some very bad precedent on what "unauthorized" means. The more this precedent gets frozen into place, the less room defense lawyers have to argue for a more just meaning. I encourage defense lawyers to continue to vigorously make such arguments. Meanwhile network professionals, either directly or through the lobbyists for the corporations they work for, should cut to the heart of the problem. Network professionals, and curious web users in general, should lobby against the overly broad and vague statutory language that was pushed through by a previous generation of lobbyists before the advent of the Web and with insufficient input from network professionals. We have a window of political opportunity to do this while legislatures around the world react to the phishing problem.

Posted by: nick at October 26, 2005 03:33 PM

[Seen on Risks:] A woman is being summoned to court, and faces a 1000-pound fine if found guilty, over non-payment of a 1.20-pound London bus fare.

Most of London's transport system is moving over to the Oyster card system, where quasi-smartcards are touched against readers at tube station barriers or doors to buses. A card can contain season tickets, top-up funds for pay-as-you-go travel, or both.

According to the television news coverage today, Jo Cahill believed that she had paid on entering the bus, but the reader did not register her card in order to deduct the fare from the top-up funds. An inspector has treated her as a fare-dodger, even though she explained the situation and offered to pay.

This seems to set the precedent that users are required to confirm that the reader has indeed registered their card, even though the visual and audible signals are not always clear. Transport for London claims that its Oyster card readers rarely fail, although they do not specify whether or not users will always be taken to court when they do fail. (I frequently get onto buses where the reader has a post-it note saying "reader broken" stuck to it.)

More at: http://news.bbc.co.uk/1/hi/england/london/4361286.stm

nick rothwell -- composition, systems, performance -- http://www.cassiel.com

Posted by: Risks at October 27, 2005 07:48 AM