There are already a couple of improvements signalled at Mozilla in security terms since the appointment of Window Snyder as single security chair, for those interested (and as Firefox has 10-20% of the browser market, it is somewhat important). Check out this interview.
What is the key rule that you live by in terms of security?
Snyder: That nothing is secure. ...
( Adi Shamir says that absolutely secure systems don't exists. Lynn's version: "can you say security proportional to risk?" I say Pareto-secure ... Of course, to risk practitioners, this is just journeyman stuff. )
So the answer, in one word: Is Firefox more secure than Internet Explorer?
Snyder: I don't think there is a one-word answer for that question.
If ever there was a battle that was unwinnable, that was it. It quite possibly needed someone who had extensive and internal experience of MS to nail that one for Mozo.
You dealt with security researchers at Microsoft and will deal with them at Mozilla. How do you see the community? There have been several cases where researchers have gone public with Firefox flaws.
Snyder: The security research community I see as another part of the Mozilla community. There's an opportunity for these people, if they get excited about the Mozilla project, to really contribute. They can contribute to secure design, they can suggest features, they can help us identify vulnerabilities, and they can help us test it. They can help us build tools to find more vulnerabilities. The spectrum is much broader (than with commercial products) in ways the research community can contribute to this project.
Earlier, Snyder said:
Snyder: There has been a lot of great work done. I think there is a great opportunity to continue that work and make the entire process available externally.
Is this a move towards opening Mozilla's closed security process? If so, that would be most welcome.
And in other news, Firefox 2.0 is almost here:
Version 2.0 of the software will still feature a raft of new features including an integrated in-line spell checker, as well as an anti-phishing tool (a must-have accessory that's in Opera 9 and will be included in IE 7),...
Hopefully someone will get a chance to review it the anti-phishing tool (!) and compare it to the efforts of the research community over the last few years.
A while back I postulated that email spying was now a present danger, and only lacking in clarity before it becomes a full-blooded validated threat. This sets us the task of tracking the trackers of email, so that we can create a model to predict how that threat effects us and our designs.
I haven't seen statistics on email snooping as yet, but here's some related news. The FBI is back with intent to spy:
The FBI has drafted sweeping legislation that would require Internet service providers to create wiretapping hubs for police surveillance and force makers of networking gear to build in backdoors for eavesdropping, CNET News.com has learned.FBI Agent Barry Smith distributed the proposal at a private meeting last Friday with industry representatives and indicated it would be introduced by Sen. Mike DeWine, an Ohio Republican, according to two sources familiar with the meeting.
News of tracking email in US universities aimed at those protesting against unpopular policies:
The Department of Defense monitored e-mail messages from college students who were planning protests against the war in Iraq and against the military's "don't ask, don't tell" policy against gay and lesbian members of the armed forces, according to surveillance reports released last month. While the department had previously acknowledged monitoring protests on campuses as national-security threats, it was not until recently that evidence surfaced showing that the department was also monitoring e-mail communications that were submitted by campus sources.The surveillance reports -- which were released to lawyers for the Servicemembers Legal Defense Network on June 15 in response to a Freedom of Information Act request filed by the organization last December -- concern government surveillance at the State University of New York at Albany, Southern Connecticut State University, the University of California at Berkeley, and William Paterson University of New Jersey. The documents contain copies of e-mail messages sent in the spring semester of 2005 detailing students' plans to protest on-campus military recruitment.
The reports are part of a government database known as Talon that the Department of Defense established in 2003 to keep track of potential terrorist threats. Civilians and military personnel can report suspicious activities through the Talon system using a Web-based entry form. A Pentagon spokesman, Greg Hicks, would not verify whether the reports released last month were follow-ups to tips from military or government personnel, or from civilians at the universities.
This is a little different in that civilians seem to monitor and report the emails to the Pentagon. Universities are places were one would expect at least passing familiarity with civil rights and so forth, so it is somewhat curious to speculate who on campuses would be tipping off the authorities about protests against on-campus military activities...
The Talon reporting system gained national attention in December 2005 when NBC News obtained a copy of a 400-page Department of Defense document listing more than 1,500 "suspicious incidents" that had taken place across the country. Only 21 pages were released to the Servicemembers Legal Defense Network, since the group requested only documents related to lesbian, gay, bisexual, and transgender individuals and student groups. Mr. Hicks would not disclose the total number of reports that have been filed under the Talon program.
OK, Numbers! We can conclude that minority sexual preferences represent 5% of the current threat level to the DoD. If each page has an email on it, that gives 1500 emails reported in the programme -- that's not a particularly robust estimate but it might represent a lower bound.
And, wait until they get their mits on phone viruses, which store all that juicy lovetalk.
A company, Trust Digital of McLean, Va., bought 10 different phones on eBay this summer to test phone-security tools it sells for businesses. The phones all were fairly sophisticated models capable of working with corporate e-mail systems.Curious software experts at Trust Digital resurrected information on nearly all the used phones, including the racy exchanges between guarded lovers. The other phones contained:
- One company's plans to win a multimillion-dollar federal transportation contract.
- E-mails about another firm's $50,000 payment for a software license.
- Bank accounts and passwords.
- Details of prescriptions and receipts for one worker's utility payments.
A while back I reported that people worrying about cell/mob/handy phone tapping where missing the point - there is tracking ability which is far more useful than tapping ability. Sad to say, that battle is pretty much all over as phones move to include GPS by default.
One Facebook user, signing the petition opposing the recent changes, noted: "I find it sad this is one of the few issues our generation can band together, complain online and take little real action over. (ROFL)". Therein lies the crux about privacy and tracking: most vehement complaining takes place after people feel they have been victimised by technology, and long after it has been popularised.
We are moving as a society to total tracking, and the privacy community didn't notice until it was all over.
So who loses? Well, the Israeli Defence Force, for one. Alexander Klimov made the connection on the crypto list (which I missed even as I reported on the Sigint story):
My guess that at least some information was leaked due to cellular phones (the solders were routinely calling their families)."Besides radio transmissions, the official said Hezbollah also monitored cell phone calls among Israeli troops. But cell phones are usually easier to intercept than military radio, and officials said Israeli forces were under strict orders not to divulge sensitive information over the phone."Even if one don't care what was said over the phone, a lot of information can be extracted from mere location of a phone (especially, if one knows the owner of each phone):
"Israeli officials said the base also had detailed maps of northern Israel, lists of Israeli patrols along the border and cell phone numbers for Israeli commanders."
The Hezbollah tracking was on the individuals. They tracked the commanders as indicative of where the units were. Oops. I'd just love to be part of the design exercise to fix that blooper :)
This is the core failure that the US government foistered on the world. Since time immemorial, the USG has maintained crypto as a munition, and thus it is to be suppressed. This has led to two effects: firstly, the civilian Internet infrastructure is weak and brittle, due to the effect of lots of little barriers against crypto. Our best ally in security suffered the "death of a thousand cuts," as it were.
Secondly, as the civilian infrastructure overtook the military infrastructure, it left the military operations vulnerable when inevitably civilian assets were used for military tasks. If you've ever used military radio gear, you know you have a big problem when every soldier carries a much more powerful device in his pocket, albeit one deliberately weakened by government intervention.
Without dwelling on these points, we can also suggest that this explains why the job of Cybersecurity Czar is a woftam: the employer is cybersecurity's enemy number one.
Collected notes on a month or so of SWIFT rumblings. European privacy regulators are taking on the investigation:
The test is whether European law has competence over US claims to data held by European firms. It does not look at all certain whether it does, but The Register understands that the EU is planning to walk and talk like it does.
It's a very wide geographical area, from Czech Republic to Canada:
Results of the Czech and other probes are expected by the end of the month, Stepankova said. "The next step" will be to determine whether the SWIFT system is being used "in a way that conforms to domestic legislation" in EU countries, she said.
As mused on before, the SWIFT breach has caught the attention of authorities where the one-way passing of confidential flight and phone data did not. Also, the industrial espionage issue of "restaurant economics" has exposed something of a dilemma in the US arguments for over-arching eurosociomonitoring. Problem is, the key regulators ducked and weaved:
The Bank of England, one of the 10 central banks with a place on Swift's managing committee, revealed it had told the British government about the programme in 2002. "When we found out we informed the Treasury and passed the relationship over to them," Peter Rogers of the Bank said. "We also told Swift that they had to speak to the government themselves. It had nothing to do with us. It was a matter of security and not of finance. It was an issue between Swift and the government."In a written parliamentary answer, Gordon Brown last month confirmed the government was aware of the arrangement. Citing government policy not to comment on "specific security issues", however, the chancellor refused to say whether measures had been taken to "ensure the privacy of UK citizens who may have had their financial transactions viewed as part of US counter-terrorism investigations in conjunction with Swift". He also refused to say whether the Swift programme was "legally reconciled" with Article 8 of the European convention on human rights.
A Home Office spokesman said the government had been given "no reason to believe the operation was unlawful", adding that it "strongly supports US efforts to target, disrupt and cut off sources of funding for terrorism". He declined to comment on the commissioner's assessment that the programme may be illegal.
What we need now is for the authorities to recognise the governance issue of breaches. This could be called the camel's-nose-under-the-flap argument -- once a payment system starts shifting protected information out, the information is no longer protected, and breaches happen thick and fast. We're not there yet, as the BoE like others declined jurisdiction.
This issue of Central Banks ducking responsibility for governance is made all the more poignant as they are the only agency with credibility when it comes to the task of general regulation of payment systems, no matter how much we or they approve of their position(s) or not. Hence the general quacking and phaffing around in Belgium and other halls of power as data and competition regulators try and work out what SWIFT is, where it is, and how to spell it.
SWIFT stalled EU probe of US snoopingFor the EU to feel confident that SWIFT had not betrayed home rules, and that the US hadn't stuck its nose where it was not warranted, it had to review the subpoenas by which the US has gained access to SWIFT's records for the last five years.
Yet if SWIFT gave this information up, it would offend the US intelligence services. If it didn't give the information up, it would offend the EU authorities.
Bingo. Why aren't they handing over the subpoenas? Rumour has it that there aren't any; the SWIFT executives in NY were extorted to hand over the data without papers in hand. This favoured technique is used as it guarantees that the Feds (or UST in this case) can do no wrong. They are covered because the information was "volunteered" by SWIFT, and thus, the US Treasury officials concerned have broken no laws. SWIFT of course are later hung out to dry.
Pressure is being exerted in Britain over the various and thin claims of oversight and governance:
However, campaign group Privacy International said [assurances] were not enough. It had filed a complaint to the British data protection body, the Information Commissioner. It is worried that the Treasury was fishing through international financial records in the hope of turning up terrorist finance records. It also feared the data could be used for other purposes, including espionage.Swift's CEO, Leonard Schrank, flew to London to meet Privacy International on Friday. Simon Davies, a PI director, said he had told Schrank he wanted to see proof that the Treasury was only able to see records that it knew contained details of terrorist financial transactions.
"When was the last time you were satisfied with something that was claimed without seeing proof?" said Davies. "We are not prepared to accept anybody's face value assertions that protections have been put in place," he said.
"We won't be fooled again." Precedent is on Davies' side. The US government is on record as not operating secret overseas prisons, not wanting to re-negotiate FISA with Congress, and not wiretapping Americans without a warrant. A few weeks ago, Judge Taylor ruled illegal the wiretapping they promised they were not doing, and the Bush administration immediately turned to Congress to request re-negotiating the FISA act which they were not breaching. (The bills which hand an open cheque to the wiretappers have just been approved in committee.) Which presumptively renders factual their breach, a trend that seems more a standard than an exception.
More snippets: it also looks as though the New York Times might have been a little faithless in not only holding the story for "a year" but in fact before the last Bush election:
Such a delay was, in itself, unpardonable, and provoked angry criticism. Now we learn, from an interview with Executive Editor Bill Keller conducted by Calame, that internal discussions at the Times about drafts of the eventual article had been "dragging on for weeks" before the November 2, 2004, election, which resulted in a victory for Bush."The process," the public editor notes, "had included talks with the Bush administration." A fresh draft was the subject of discussion at the newspaper "less than a week" before the election.
Meanwhile, back at the mission ranch, let's consider why all this was necessary. Terrorism, that's what. Now the Foreign Affairs journal weighs in:
Intelligence estimates in 2002 held that there were as many as 5,000 al Qaeda terrorists and supporters in the United States. However, a secret FBI report in 2005 wistfully noted that although the bureau had managed to arrest a few bad guys here and there after more than three years of intense and well-funded hunting, it had been unable to identify a single true al Qaeda sleeper cell anywhere in the country. Thousands of people in the United States have had their overseas communications monitored under a controversial warrantless surveillance program. Of these, fewer than ten U.S. citizens or residents per year have aroused enough suspicion to impel the agencies spying on them to seek warrants authorizing surveillance of their domestic communications as well; none of this activity, it appears, has led to an indictment on any charge whatever.
In an exceedingly long article that details in painful detail how many terrorist threats failed to materialise, one of the most respected voices in US foreign policy calls the whole motivation for the SWIFT tracking ... bogus!
Who can we trust to inform us on these issues? Politicians asked the NSA to clarify what was secret and what was not so they could get on with their job of politicking.
On July 27, shortly after most members of the committee were briefed on the controversial surveillance program, the NSA supplied the panel's chairman, Pat Roberts (R-Kan.), with "a set of administration approved, unclassified talking points for the members to use," as described in the document.Among the talking points were "subjective statements that appear intended to advance a particular policy view and present certain facts in the best possible light," Sen. John D. Rockefeller IV (D-W.Va.) said in a letter to the NSA director. [...]
Unfortunately the NSA upstaged them and did the politicking for them. Among them, this gem of advice on "what is secret":
"It is being run in a highly disciplined way that takes great pains to protect U.S. privacy rights. There is strict oversight in place, both at the NSA and outside, now including the full congressional intelligence committees."
Others have mentioned the tendency to answer every question with the policy and ignore the question as well as the truth, but this takes the dishonesty to a whole new level. Lying to the congressional committee when they are investigating the precise lack of any "strict oversight" has to be ineptness or chutzpa only possible with extraordinary levels of arrogance.
Felix points to a Newsday article that describes signals intelligence in the recent Lebanon battle.
Hezbollah guerrillas were able to hack into Israeli radio communications during last month's battles in south Lebanon, an intelligence breakthrough that helped them thwart Israeli tank assaults, according to Hezbollah and Lebanese officials.Using technology most likely supplied by Iran, special Hezbollah teams monitored the constantly changing radio frequencies of Israeli troops on the ground. That gave guerrillas a picture of Israeli movements, casualty reports and supply routes. It also allowed Hezbollah anti-tank units to more effectively target advancing Israeli armor, according to the officials.
"We were able to monitor Israeli communications, and we used this information to adjust our planning," said a Hezbollah commander involved in the battles, speaking on the condition of anonymity.
First off, article tries and fails to make the case that the codes were cracked. If that article is anything to go by, it was straightforward -- and well done -- signals intelligence, not code cracking. (El Reg describes it more fairly.) Secondly, it provides more evidence for the reasons behind the Israeli defeat at the hands of the Hezbollah (defeat in straight military mission terms):
"The Israelis did not realize that they were facing a guerrilla force with the capabilities of a regular army," said a senior Lebanese security official who asked not to be identified. "Hezbollah invested a lot of resources into eavesdropping and signals interception."
The Israelis like many modern political movements have been so well fed on a diet of terrorism that they missed the transition. Hezbollah has moved from terrorism through guerilla and up to army status, as laid out in the theory of guerilla warfare. The depth of sigint capability bears this out.
Aside from minor criticisms, a good article. Why talk matters military on an FC blog? One of the reasons that the Internet is so messed up, security wise, is that the threat models derived from military and spook lore. For example, the MITM is more of a threat in the military, less of a threat on the net (rising commercial use of wireless might have been expected to change that, but there isn't much empirical evidence). This failure to understand the different threat models caused massive rollouts of unneeded infrastructure, stuff that could help us now but is instead being slowly built around by banks, merchants and other institutions.
Just because we were fooled once doesn't mean we can't be fooled again, so it is important to keep an eye on related threat fields. Here's some older notes on recent threats in the military world.
In the ongoing saga of institutional torture in the US forces, the NYT published a new case regarding an elite terrorist unit known briefly as Task-Force 6-26 (SMH). Not only does the unit change its name from time to time the individual soldiers have picked up the trick:
Army investigators were forced to close their inquiry in June 2005 after they said task force members used battlefield pseudonyms that made it impossible to identify and locate the soldiers involved. The unit also asserted that 70 percent of its computer files had been lost.
Pseudonyms are not perfect. But, they can do a lot to help privacy, in that they break the chain of investigation. It's not so easy in digital systems, because the pseudonyms are generally used to communicate with other pseudonyms or persons, and that leaves a chain to track back, as well as the tendency for server software to log lots of events. But with persons, it is a grand trick.
Military and legal experts say the full breadth of abuses committed by Task Force 6-26 may never be known because of the secrecy surrounding the unit, and the likelihood that some allegations went unreported. In the summer of 2004, Camp Nama closed and the unit moved to a new headquarters in Balad, 45 miles north of Baghdad. The unit's operations are now shrouded in even tighter secrecy.
Secrecy is always a threat to your operations. It may bring benefits, but the costs are severe as secrecy hides weaknesses from yourself as well as your enemy, and there is no easy way to know who can breach that veil. It is the canonical two-edged sword, and we generally address such threats-to-self with governance techniques - separation of roles also known as the 4 eyes principle, publication of key events, entangled logging, shared signed receipts, and so forth.
Which leads us to the age-old problem of buying stuff from people you don't trust. Ben pointed to:
The UK has warned America that it will cancel its £12bn order for the Joint Strike Fighter if the US does not hand over full access to the computer software code that controls the jets. Lord Drayson, minister for defence procurement, told the The Daily Telegraph that the planes were useless without control of the software as they could effectively be "switched off" by the Americans without warning.
Well, of course. The software for those planes is quite something, and only the source code is going to give you some confidence that there aren't any backdoors.
In a related episode, Washington DC discovered around the same timeframe that there may be an issue with the Boeing 787, so they have asked Boeing to not hand over any military or secret related material to the Chinese. Whoops, too late, it turns out the wing is being manufactured in China ... for those who don't know, in avionics terms, the wing is the prize as it is the one component that limits and dominates everything else, design wise.
The Workshop on the Economics of Securing the Information Infrastructure
http://wesii.econinfosec.org/
October 23-24, 2006
Washington, DC
PRELIMINARY PROGRAM & CALL FOR PARTICIPATION
...
9:00AM Panel - Economic Barriers and Incentives for DNSSEC Deployment
11:00AM Session 1
* Comparing the Costs of Public Key Authentication Infrastructures
* Economics of Internet Security Outsourcing: Simulation Results Based on the Schneier Model
* The Effect of Information Security Incidents on Corporate Values in the Japanese Stock Market
1:30PM Panel - Data Sources: Should we answer questions for which data is available, can we get more data, or can we do without?
3:30PM Session 2
* Toward A Dynamic Modeling Of The Vulnerability Black Market
* Toward One Strong National Breach Disclosure Law - Justification and Requirements
* Using Self-interest to Prevent Malice; Fixing the Denial of Service Flaw of the Internet
9:00AM Session 3
* A Closer Look at Attack Clustering
* Predictive Modelling for Security Operations Economics
* Assessing Trusted Network Access Control Cost-Benefit Factors
11:00AM Session 4
* The Statistical Value of Information
* On the Economic Placement of Monitors in Router Level Network Topologies
1:00PM Work-in-Progress (WIP) Session
* Economic Interpretation and a Simulation Exercise for Exploring Corporate Investments in Cyber Security
* Securing Our Data Storage Infrastructures
* A Neo-institutional Perspective on Cyber Attacks
* Beyond Media Hype: Empirical Analysis of Disclosed Privacy Breaches 2005-2006 and a DataSet/Database Foundation for Future Work
* Securing the Process of Insurance Application
* Evaluation of Information Security Investment Portfolios: A Probabilistic Approach
* Direct measurement of spam zombie activity in a residential broadband network
========================================================================
Hotel & Registration
========================================================================
*The WESII Hotel Reservation Deadline is September 20*
*Registration is now open*
========================================================================
Preliminary Program
========================================================================
For updates, see
Monday, October 23, 2006
9:00AM Panel
Economic Barriers and Incentives for DNSSEC Deployment
Moderator: Andy Ozment
Panelists: Sam Weiler, Steve Crocker, and more TBA
11:00AM Session 1
* Comparing the Costs of Public Key Authentication Infrastructures
Patroklos Argyroudis (University of Dublin, Trinity College)
Robert McAdoo (University of Dublin, Trinity College)
Donal O'Mahony (University of Dublin, Trinity College)
* Economics of Internet Security Outsourcing:
Simulation Results Based on the Schneier Model
William Yurcik (University of Illinois)
Wen Ding (University of Illinois)
* The Effect of Information Security Incidents on Corporate
Values in the Japanese Stock Market
Masaki Ishiguro (Mitsubishi Research Institute)
Hideyuki Tanaka (The Graduate School of
Interdisciplinary Information Studies),
Kanta Matsuura (Institute of Industrial Science,
University of Tokyo),
Ichiro Murase (Mitsubishi Research Institute)
1:30PM Panel
Data Sources:
Should we answer questions for which data is available,
can we get more data, or can we do without?
Moderator: Allan Friedman
Panelists: TBA
3:30PM Session 2
* Toward A Dynamic Modeling Of The Vulnerability Black Market
Jaziar Radianti (Agder University College)
Jose. J. Gonzalez (Agder University College)
* Toward One Strong National Breach Disclosure Law -
Justification and Requirements
William Yurcik (University of Illinois)
Ragib Hasan (University of Illinois at Urbana-Champaign)
* Using Self-interest to Prevent Malice;
Fixing the Denial of Service Flaw of the Internet
Bob Briscoe (BT & UCL)
Tuesday, October 24, 2006
9:00AM Session 3
* A Closer Look at Attack Clustering
Rainer Böhme (TU Dresden)
Gaurav Kataria (Carnegie Mellon University)
* Predictive Modelling for Security Operations Economics
Mike Yearworth (HP Labs)
Brian Monahan (HP Labs)
David Pym (HP Labs)
* Assessing Trusted Network Access Control Cost-Benefit Factors
Susmit Panjwani (Deviant Intelligence LLC)
Stephanie Tan (IBM)
11:00AM Session 4
* The Statistical Value of Information
Luther Martin (Voltage Security)
* On the Economic Placement of Monitors in
Router Level Network Topologies
Yongping Tang (Iowa State University)
Thomas E. Daniels (Iowa State University)
1:00PM Work-in-Progress (WIP) Session
* Economic Interpretation and a Simulation Exercise for
Exploring Corporate Investments in Cyber Security
Jonathan Crawford (University of Virginia)
Kenneth G. Crowther (University of Virginia)
Barry Horowitz (University of Virginia)
James Lambert (University of Virginia)
* Securing Our Data Storage Infrastructures
Bob Mungamuru (Stanford University)
Hector Garcia-Molina (Stanford University)
* A Neo-institutional Perspective on Cyber Attacks
Nir Kshetri (University of North Carolina--Greensboro)
* Beyond Media Hype: Empirical Analysis of Disclosed Privacy
Breaches 2005-2006 and a DataSet/Database Foundation for Future Work
Ragib Hasan (University of Illinois at Urbana-Champaign)
William Yurcik (University of Illinois)
* Securing the Process of Insurance Application
Vincent Wolff-Marting (University of Leipzig)
André Köhler (University of Leipzig)
Volker Gruhn (University of Leipzig)
* Evaluation of Information Security Investment Portfolios:
A Probabilistic Approach
Tae-Sung Kim (Chungbuk National University)
Chandrasekhar Subramaniam (UNC Charlotte),
Sungjune Park (UNC Charlotte),
Ram Kumar (UNC Charlotte)
* Direct measurement of spam zombie activity in a
residential broadband network
Geoff Bennett (StreamShield)
Brian Webb (BT Retail)
========================================================================
Program Committee
========================================================================
Alessandro Acquisti Carnegie Mellon University
Heinz School of Public Policy & Management
Ross Anderson University of Cambridge
Jean Camp Indiana University
Huseyin Cavusoglu University of Texas at Dallas
Richard Clayton University of Cambridge
Steve Crocker Shinkuro / DNSSEC Deployment Working Group
Ben Edelman Harvard University Department of Economics
Allan Friedman Harvard University
Kennedy School of Government
Adam M. Golodner Cisco Systems
Larry Gordon University of Maryland
Smith School of Business
Yacov Haimes University of Virginia
Cathy Handley U.S. Department of Commerce, National
Telecommunications & Information Administration
Barry Horowitz University of Virginia
Richard Hovey U.S. Federal Communications Commission (FCC)
Jeff Hunker Carnegie Mellon University
Heinz School of Public Policy & Management
M. Eric Johnson The Tuck School of Business at Dartmouth College
Jeffrey M. Kopchik U.S. Federal Deposit Insurance Corporation (FDIC)
Technology Supervision Branch
Steve Lipner Microsoft
Marty Loeb University of Maryland
Smith School of Business
Doug Maughan U.S. Department of Homeland Security (DHS)
Science and Technology Directorate
Doug Montgomery U.S. National Institute of Standards & Technology
Internetworking Technologies Group
Milton Mueller Syracuse University School of Information Studies
Andrew Odlyzko University of Minnesota
Andy Ozment MIT Lincoln Laboratory / University of Cambridge
Shari Lawrence Pfleeger RAND Corporation
Stuart Schechter MIT Lincoln Laboratory
Bruce Schneier Counterpane Internet Security
Rahul Telang Carnegie Mellon University
Heinz School of Public Policy & Management
Andrew Wyckoff Organisation for Economic Cooperation and
Development (OECD)
Bill Yurcik National Center for Supercomputing Applications
(NCSA)
========================================================================
Workshop Sponsors
========================================================================
The Institute for Information Infrastructure Protection (I3P)
The Workshop on the Economics of Information Security (WEIS)
________________________________________________________________________
Economics of Information Security (EIS) Mailing List Information
We retried your name from either the author/attendee lists of one of the
previous workshops on the economics of information security (WEIS) or
through the suggestion of a member of the WEIS steering committee.
This list will never be used for commercial purposes and we will work to
ensure traffic is kept to a minimum (no more than 10 messages per year).
If you would prefer not to receive future emails about this or related
workshops, we apologize for this intrusion and offer you the following
options for unsubscribing:
1) Visit http://announce-list.econinfosec.org
2) Email stuart@econinfosec.org
While on the conjunction of Mozo tools and security, woeful or otherwise ... a month or so back I used Thunderbird as a foil to introduce a hypothesis (which you can call a law when I'm dead):
* There is only one mode, and it's secure. *
Predictably, most people thought I was grumbling "about Thunderbird", when in fact I was grumbling about the brain-dead insecurity known as PKI.
Unfortunately, Thunderbird has a great name, but the security thing it follows does not. The absolutely dire architecture loosely and variously known as S/MIME or x.509 identity certificates, as applied to email, provides a textbook case of how a system breaches Kerckhoffs' 6th law -- that the system should be usable -- and therefore is bypassed by the users. As this is his most important law by far (by simple economic proof, if you wish to demur) the system is insecure, and the 5 lesser Kerckhoffs do not enter into the discussion.
I also pointed out that I had two newbies up and going in 3 minutes flat with Skype - both with next to no help (over some other chat thing like ICQ). So let's call that the benchmark for a superlative security solution that meets Kerckhoffs' 6th law.
Which leads me to last night's observation - Jimbo, a moderately experienced computer person, downloaded, installed and was sending and receiving email with Thunderbird within 10 minutes. "Less probably," he says, which was welcome relief after debugging what turned out to be an Microsoft Outlook failure brought on by a re-install of Microsoft Office. About an hour, times two, wasted, but at least we got another Tbird flying in <10mins.
From which we can conclude that Thunderbird is in the ballpark, that's actually a good result, albeit with no security. We could suggest that Thunderbird would potentially meet Kerckhoffs' 6th if it could boot up in some sort of quasi-secure mode (even though it and every other mailer won't meet my hypothesis and probably never will, due to the tired and aged infrastructure of email).
So, why is this important? Well, it's important because there are some relatively simple fixes to put in that would bring an x.509 identity based mail agent closer to being in line with modern security thinking (if we can stretch the point with the late19th century).
Here they are:
The key is to be opportunistic, pun intended. By creating and adding the missing key, we bootstrap from nothing -- insecure comms -- to a security level which is good-enough-for-most-folks.
Let's step back and put this in context. The above simple crypto mechanism is better than the alternate as it encrypts when it can. The alternate is nothing, recall. Yet, some might say that it is worse than the PKI alternate, to which I say: comparing real world user comms -- email in flight -- to some paper ideal is an irrelevant comparison.
Keep in mind that the alternate is no crypto email, due to the immutable K6. If however you are one of those unfortunate souls locked in the world of PKI, and/or to die in the attempt, this method comes with an added bonus:
I don't want to stress the last point, above. Perhaps that's because I audit a CA in my spare time (can you say conflict of interest?), or perhaps because I have a fairly pessimistic view of the ability of the players to deliver something the market wants. Or perhaps I don't want to encourage software suppliers to do yet more secret deals with yet more opaque partners which users can't control or even have reasonable security expectations about? Who knows...
But, notwithstanding all the above, points 1 thru 5 will approximately deliver a startup that gets a Thunderbird client into something like secure comms some of the time. And once something like that is done, there are plenty of ways to *improve* that to get more crypto, more of the time, more securely.
I wonder if it could be done with a plugin?