
Interesting People mailing list archives
Concerning 80% infection and security
From: David Farber <dave () farber net>
Date: Mon, 01 Nov 2004 11:31:09 -0500
Begin forwarded message:

From: "Jonathan S. Shapiro" <shap () eros-os org>
Date: November 1, 2004 10:41:43 AM EST
To: dave () farber net
Subject: Concerning 80% infection and security

As the trend in responses has already shown, nobody in the computer security community is surprised when a survey shows that 80% of home machines are infected with some sort of malware. It's true, as Bob Frankston says, that we can't have "secure" machines without defining security, but that is a cop-out. We can make a lot of forward progress by using some very simple litmus tests:

1. Is it possible to infect your computer with malware (viruses, pop-ups, spyware) that arrives via the Internet? Example methods of entry include, but are not limited to: email, JPEG images, ActiveX controls, web cookies, and other means.

2. Is it possible to infect your computer by pointing your web browser at the internet?

3. Is it possible for system files to be modified by unauthorized software?

My father is a serious computer-phobe, but even he understands the first two questions, and would understand the last if he thought about it a moment. Given which, I think the implication that we can't do anything because we don't have a perfect definition of security is ridiculous. The questions we need to be asking ourselves are:

1. Given that complete solutions to ALL of the problems above have existed in real systems since 1972, why do we continue to tolerate systems (e.g. Windows, but also Linux, UNIX, MacOS, and OS-X) that do not satisfy these basic tests? If we cannot get the small, controlling cartel of software suppliers to fix these issues, why aren't we taking steps to regulate standards of diligence and minimum standards of acceptability?

2. Why do we, the electorate, stand idly by when lobbyists paid by major software vendors create laws and precedents supporting "shrink wrap" licenses, which allow vendors to disclaim responsibility for shipping products that are defective, harmful, and dangerous?
3. Why are we allowing software to become a critical element of automobile safety systems without any sort of meaningful regulatory standards?

4. Why do we allow the U.S. Federal government to mandate purchase of ineffectively "evaluated" software products? It is widely recognized that the current standard of evaluation does not meet minimal requirements for safe deployment in any sort of open network (see my column: Understanding the Windows EAL4 Evaluation, http://eros.cs.jhu.edu/~shap/NT-EAL4.html, which appeared in IEEE Computer last February). The net effect of this requirement is to *increase* the barriers to entry against software vendors with products that are often better technically and functionally more appropriate to the needs of the purchasing organization, in favor of large incumbent vendors.

5. Why is it acceptable that the newly formed Homeland Security department has such a small budget for "Cyber Security" that it is unable to engage in *any* long term investment? The kind of investment that might prevent power substations from being destroyed in a major metropolitan area? Try to imagine greater Chicago without power for a year. You may think it unlikely, but major power subsystem vendors are distinctly worried, and it can be done by remote control. How about cell networks that don't work during emergencies? Emergency services today coordinate via cell phone because they don't use compatible radio technologies. Which, granted, is ridiculous, but the fact remains that the cell phone network is critical infrastructure by any rational measure.

6. Why have we not questioned the failure of the National Security Agency, which is charged with software security evaluation standards, to improve matters?
In 2003, Brian Snow (former head of the NSA's Information Assurance group) stated during his talk at the USENIX Security conference that he saw no hope of progress within the next five years on basic issues like buffer overflows and operating systems security. He exhorted software developers to "do their job better." When I presented him with an extended list of failures of the NSA Information Assurance program under his directorship, including a total failure to follow through on higher assurance standards and guidelines, a total failure to fund viable efforts to raise the standard of publicly accessible system security, a complete (if inadvertent) success at misdirecting market investment *away* from more secure systems through low-assurance evaluated purchase requirements, and a total failure to engage in constructive incentive engineering within the software vendor community, and a consequent *reduction* in the actual security of computing over the last 25 years in both the civilian and military sectors, his response was "Guilty as charged."

In fact, Brian and his successor, Richard (Dickie) George have worked very hard for *decades* trying to address these issues, fighting uphill against an entrenched military purchasing environment. In part, I believe that they tried to meet the wrong technical objectives (which also seems to be the private opinion of senior officers and supporting civilians on the sharp pointy end of the US armed services). They also misunderstood the impending decline of government purchasing power in the computer sector. But in an environment where the services needed a solution and there were people willing and able to build it, the NSA somehow failed to get the pieces connected for 25 years.

Unfortunately, I know the answer to all of the questions I posed above: in the collective, it is human nature not to care until the issues become directly personal.
But when you get tired of having your computer infected by any 13 year old who feels in the mood, you might consider that the solutions to all of the technical problems have long been known. And tomorrow, you might consider that the Bush administration has chosen to reduce the national investment in computer security research to a small fraction of what it has been under any recent President -- including his father.

Jonathan S. Shapiro, Ph.D.
Assistant Professor
Department of Computer Science
Johns Hopkins University