October 06, 2005

Security Software faces rising barriers

Signs abound that it is becoming more difficult to do basic security and stay clean oneself. An indictment for selling software was issued in the US, and this opens up the Pandora's box of what counts as reasonable behaviour in writing and selling software.

Can writing software be a crime? By Mark Rasch, SecurityFocus (MarkRasch at solutionary.com) Published Tuesday 4th October 2005 10:05 GMT

Can writing software be a crime? A recent indictment in San Diego, California indicates that the answer to that question may be yes. We all know that launching certain types of malicious code - viruses, worms, Trojans, even spyware or sending out spam - may violate the law. But on July 21, 2005 a federal grand jury in the Southern District of California indicted 25 year old Carlos Enrique Perez-Melara for writing, advertising and selling a computer program called "Loverspy," a key logging program designed to allow users to capture keystrokes of any computer onto which it is installed. The indictment raises a host of questions about the criminalization of code, and the rights of privacy for users of the Internet and computers in general.

We all might agree that what the defendant is doing is distasteful at some level, but the real danger here is that whatever precedent is created against key loggers will be used against other things. Check your local security software package list, and mark about half of them for badness at some level. I'd say this is so inevitable that any attention paid to the case itself ("we need to stop this!") is somewhere between ignorance and willful blindness.

On a similar front, recall the crypto regulations that US security authors struggle under. My view is that the US government's continuing cryptopogrom feeds eventually into the US weakness against cyber threats, so they've only themselves to blame. Which might be ok for them, but as software without crypto also affects the general strength of the Internet at large, it's yet another case of society at large v. USG. Poking around over on PRZ's xFone site I found yet another development that will hamper US security producers from securing themselves and us:

Downloading the Prototype

Since announcing this project at the Black Hat conference, a lot of people have been asking to download the prototype just to play with it, even though I warned them it was not a real product yet. In order to make it available for download, I must take care of a few details regarding export controls. After years of struggle in the 1990's, we finally prevailed in our efforts to get the US Government to drop the export controls in 2000. However, there are still some residual export controls in place, namely, to prevent the software from being exported to a few embargoed nations-- Cuba, Iran, Libya, North Korea, Sudan, and Syria. And there are now requirements to check customers against government watch lists as well, which is something that companies such as PGP have to comply with these days. I will have to have my server do these checks before allowing a download to proceed. It will take some time to work out the details on how to do this, and it's turning out to be more complicated than it first appeared.

(My emphasis.) Shipping security software now needs to check against a customer list as well? Especially one as bogus as the flying-while-arab list? Phil is well used to being at the bleeding edge of the crypto distribution business, so his commentary indicates that the situation exists, and he expects to be pursued on any bureaucratic fronts that might exist. Another sign of increasing cryptoparanoia:

The proposal by the Defense Department covers "deemed" exports. According to the Commerce Department, "An export of technology or source code (except encryption source code) is 'deemed' to take place when it is released to a foreign national within the United States."

The Pentagon wants to tighten restrictions on deemed exports to restrict the flow of technical knowledge to potential enemies.

A further issue that has given me much thought is the suggestion by some that security people should not break any laws in doing their work. I saw an article a few days back on Lynn's list (lost, now found) that described how the FBI cooperates with security workers who commit illegal or questionable acts in chasing bad guys, in this case extortionists in Russia (this paragraph has been heavily rewritten now that I've found the article):

The N.H.T.C.U. has never explicitly credited Prolexic’s engineers with Maksakov’s arrest. “The identification of the offenders in this came about through a number of lines of inquiry,” Deats said. “Prolexic’s was one of them, but not the only one.” In retrospect, Lyon said, “The N.H.T.C.U. and the F.B.I. were kind of using us. The agents aren’t allowed to do an Nmap, a port scan”—techniques that he and Dayton Turner had used to find Ivan’s zombies. “It’s not illegal; it’s just a little intrusive. And then we had to yank the zombie software off a computer, and the F.B.I. turned a blind eye to that. They kind of said, ‘We can’t tell you to do that—we can’t even suggest it. But if that data were to come to us we wouldn’t complain.’ We could do things outside of their jurisdiction.” He added that although his company still maintained relationships with law-enforcement agencies, they had grown more cautious about accepting help.

What a contrast to the view that security workers should never commit a "federal offence" in doing their work.

I find the whole debate surrealistic, as the laws that create these offences are so broad and sweeping that it is not clear to me that a security person can do any job without breaking some of them; or is this just another sign that most security people are more bureaucrats than thinkers? I recently observed a case where, in order to find some security hardware, a techie ran a port scan on a local net and hard-crashed the very equipment he was looking for. In the ensuing hue and cry over the crashed equipment (I never heard if they ever recovered the poor stricken device...), the voice that was heard loudest was that "he shouldn't be doing that!" The voice that went almost unheard was that the equipment wasn't resilient enough to do the job of securing the facility if it fell over when a mere port scan hit it.

Barriers are rising in the security business. Which is precisely the wrong thing to do; security is mostly a bottom-up activity, and making it difficult for the small players and the techies at the coalface will reduce overall security for all. The puzzling thing is why other people do not see that; why we have to go through the pain of Sarbanes-Oxley, expensive CA models, suits against small software manufacturers, putting software tool-makers and crypto protocol designers in jail and the like in order to discover that inflexible rules and blind bureaucracy have only a limited place to play in security.

Addendum: Security consultant convicted for ... wait for it: doing due diligence on a charity site in case it was a scam!

Posted by iang at October 6, 2005 08:44 AM
Comments

This deemed export is ridiculous. The fact that this has become law implies a number of ridiculous assumptions, namely that by default foreigners are
1. significantly more of a threat to US homeland security than US nationals and
2. less versed in cryptography and IT security in general than locals.

A trade embargo usually hurts both parties, but it is the less developed party that suffers more from the lack of exchange (of ideas in this case). Are there more good ideas within the US than outside of it? I somehow doubt it.

Also, this law makes it harder (if not outright disadvantageous) to hire foreigners in crypto-related development within the US. The rational response for a company facing this problem is to relocate abroad and continue business as usual.

Posted by: Daniel A. Nagy at October 8, 2005 10:13 AM

Yes, more or less. I think we've proven that crypto can be done anywhere. At the beginning of the 90s, crypto was stronger in the US, and in the NSA. At the end of the 90s this was no longer so. If I had to say where the US leads the world in crypto I'd list things like the NSA's budget and RSADSI's conference, not actual developments like block ciphers, md cryptanalysis, elliptic curves and good utilisations of basic work.

Why the USG continues this policy is puzzling to me; but I don't really care why it is, I just wish they'd stop doing damage to us all. What I care more about is that if you look deeply into security, you see problems: crypto-free distros, poor architectural understanding of security processes and crypto in particular, higher than normal obeisance to book learning, standards committees etc etc. And if you look closely, one of the factors that holds up consistently is that crypto is in some sense controlled or to be avoided. "Bad" in other words, or "you must use a real security expert..."

This comes directly from the USG attitude, I believe. And the result is that the net is insecure. Until we can get at the underlying factors and free them up in a sort of microeconomic reform sense (crypto to the people, willingness to include security early on, self-dependency and not the nanny state attitude) ... then we can't really ever expect the net to be secure.

Posted by: Iang at October 8, 2005 11:17 AM

Although ... note that the 'deemed' export did not include crypto for some reason. I didn't understand that part.

Posted by: Iang at October 8, 2005 11:18 AM