Phillip Hallam-Baker's Web Security Blog

Recent global political events have me thinking about the traditional theory of deterrence and its relationship to accountability. In both cases the idea is to reduce or eliminate an undesirable outcome by threatening consequences.

The introduction of new technologies inevitably leads to situations where privileged economic positions are created. This situation may be acceptable if the technology is sufficiently compelling. Xerox enjoyed a complete monopoly on the manufacture and sale of plain paper photocopiers for many years. Polaroid achieved a similar position in the market for instant photography.

This situation has not in general been acceptable in the case of network protocols. Xerox did not attempt to achieve a monopoly in the sale of Ethernet technology. Regardless of any technical benefits it is unlikely that Ethernet could have supplanted IBM's token ring if it had been a proprietary technology.

'Open standards' has been the mantra in network protocol design for several decades. What is less often considered is the extent to which open standards rely on open standards institutions and the control that these might exercise over a standard.

For profit corporations have very clear lines of accountability to their shareholders and to their customers. Patents only protect a market for a temporary period and the strongest possible patent on the manufacture of buggy whips is rendered obsolete by the internal combustion engine.

Developing strong accountability mechanisms within a non-profit organization is a significant challenge but the very purpose of constructing the institution is to address control points that are considered too sensitive to be allowed as private property.

The level of suspicion that surrounds such institutions is frequently high. A risk clearly exists yet that risk is rarely realized. Why?

Accountability suggests a control regime in which the range of control feedback is continuous. If an accountable party defects to a small degree they face minor consequences, if they defect to a larger degree the consequences increase accordingly.

Not-for-profit open standards institutions appear to operate in a different regime in which the control feedback is non-linear. The lack of direct accountability means that minor defections do not in general attract consequences. If a major defection occurs the consequences are likely to be very serious and there is a very high probability that the institution will not survive in its current form with its former authority intact.

The term 'deterrence' seems to be appropriate for this non-linear form of all-or-nothing consequences. As in the cold war there is considerable ambiguity as to the actions that might be considered a defection and the reaction that might result. Such ambiguity is destabilizing and may lead to minor issues leading to catastrophic consequences.

Posted by Phillip Hallam-Baker at 12:10 PM | Permalink | Comments (0)

Commercial services that make use of pretexting to obtain cellphone records hav caused widespread concern across the blogosphere, in particular after one blogger, John Aravosis bought the cell phone records of Gen Wesely Clark through one of the services in order to highlight the problem.

Opinions as to the legality of these services differ. The companies providing the services strenuously protesting that their activities were legal right up to the point where they stopped offering the services and disappeared. USA Today reports that AT&T has brought a lawsuit against 25 service providers.

Regardless of whether the practice is legal or not the business model is clearly unacceptable as a matter of public policy. If new laws are required they will be passed. The difficulty in preventing this type of activity is not in passing legislation but in enforcing it. Law enforcement is process based, the recognition and rewards for applying existing process to secure convictions are unfortunately much greater than the rewards for developing new process to defeat novel types of crime.

Perhaps what we need is some sort of national level cyber-crime unit tasked specifically with investigating emerging crimes and chosing the cases to be addressed by their novelty rather than traditional criteria. What I know about Internet crimes is scary, but the crimes I don't yet know about, or know about but can't yet measure worry me even more.

Posted by Phillip Hallam-Baker at 3:47 PM | Permalink | Comments (0)

There is an evil tendency underlying all our technology - the tendency to do what is reasonable even when it isn't any good.

Robert Pirsig, Zen and the Art of Motorcycle Maintenance

(Via the random quotations page)

Posted by Phillip Hallam-Baker at 8:30 AM | Permalink | Comments (0)

The events of the past week made a return to discussion of Part III of the UK Reulation of Investigatory Powers Act all but inevitable. The BBC report is typical. Under part III of the act the police can in certain circumstances obtain a court order requiring a party to provide information necessary to decrypt encrypted material.

Sooner or later there will be another round of questions about how RIPA part III affects the operation of a Certification Authority. The business of a Certification Authority is to manage use of cryptography after all. People get suprised that the commercial CAs are not engaged in a major lobbying effort over this issue.

There are many good reasons why a US based public corporation should not insert itself into highly controvertial issues in UK politics. It is one thing to assist a government with an explanation of what are frequently highly technical issues, quite another to actively campaign on an issue.

In this case there is another reason that is even more fundamental. Certification Authorities manage public keys used for encryption or verification of digital signatures and private keys used to create digital signatures. Except in highly unusual circumstances a Certification Authority does not have access to any decryption key other than its own. Hence RIPA part III has no implications for a well run Certification Authority. There are no decryption keys, hence nothing for the court to demand.

Another point that bears making is that the UK has a long tradition of expertise in cryptography and signals intelligence. Public Key cryptography was discovered by two British mathematicians working at GCHQ before its rediscovery at MIT. Government bills in the UK are drafted by the civil service and it is inconceivable that a bill of this type would have been drafted without expert review from cryptographic experts at GCHQ who know all about techniques such as perfect forward secrecy that ensure that in the case of transport encryption the decryption keys are deleted as soon as they are no longer required. Perfect forward secrecy does not apply to stored data.

Legislation is a blunt tool and nobody is more aware of this fact than legislators and courts. It may be impossible to prove with absolute certainty that a person is deliberately witholding a decryption key or is genuinely unable to supply it. This is not a new problem for the courts and that is why the standard of proof is reasonable doubt in a criminal trial or the balance of probabilities in a civil matter.

It is much harder to build a cryptographic system that is designed to support criminal activity than prevent criminal activity. All of the commonly used cryptographic tools including PGP are much better at preventing criminal atacks by third parties than they are for plotting a conspiracy. If you are engaged in a conspiracy you have much greater need of steganography than of cryptography. It is more important to conceal the fact of the communication than the content.

If a suspect has been arrested after extensive email and chat communications with known paedophiles and has a large stock of encrypted data that has been collected over a long period of time a reasonable person will make the obvious inference.

Posted by Phillip Hallam-Baker at 11:36 AM | Permalink | Comments (0)

People usualy rely on past experience. In the case of security this is often a mistake. Past bad experience is often reliable but past good experience is not.

If there is a security problem you can expect it to continue until effective measures are deployed to control it.

If there is no security problem today that may be either because the system is secure or because nobody believes it worth their while to attack.

The problem is that the second criteria can change very rapidly. Three months ago use of VOIP (Internet telephony) in phishing attacks was a rare event. Customers are now reporting that this problem is now routine.

As long as email phishing was providing the attackers with sufficient rewards there was little incentive for the phishing gangs to invest in developing a VOIP capability. Occasional attacks were observed but these were clearly of an experimental rather than a production basis.

Over the past two years the difficulty of making email phishing attacks has increased as the rewards have diminished. Consumers are much less likely to be tricked. Phishing capture sites remain active for much shorter lengths of time due to the intervention of takedown services. Use of phished credentials is much more difficult due to deployment of Fraud Detection Services.

In response to these challenges the criminals have developed a new generation of email phishing technologies and branched out into other phishing mediums such as VOIP. Even if email phishing was wiped out entirely tommorow the underground marketplaces used to exchange stolen card numbers would continue to exist. Even if VOIP phishing is defeated the credit card fraud rings would return to buying stolen credit card numbers from dishonest waiters carrying a skimming device.

The lesson is that we must be proactive in deploying strong security. Europe has already deployed chip and pin credit card protection. Eventually that technology will be deployed in the US. In the meantime we must continue to anticipate and react to attacks in advance of the attackers. If we fail to do that the criminals will win and that outcome is unacceptable.

Posted by Phillip Hallam-Baker at 1:01 PM | Permalink | Comments (0)

Over the weekend I spent some time trying to fix my son's computer as the networking had stopped working. It is quite possible that the explanation could be that the card has stopped working, that the software is misconfigured or that the antenna is broken.

The point is that it should not be my job as a user to work out the reason for the problem. The computer should work it out and tell me.

Engineers have an infuriating level of tollerance for systems that need manual tweeks. In the original WIFi security scheme WEP the user is expected to type in a long secret key in hexadecimal to enable security. Windows XP makes this twice as hard as necessary by making the user type the key in twice. My son's computer stopped working after a 'repair' man temporarily turned of WEP while working on a modem problem (don't ask why).

When I upgraded my network I decided I had had enough of WEP so I bought a new router that supports WPA-PSK.

The new router works just like it should. It still needs a bit more set up than I think it should and the designers have not thought about how to transition a network from WEP to WPA. You can choose one or the other but not both. Both is what you need when you have five machines working on WEP two of which won't work on WPA at all.

We still build computers the same way that cars used to be built. The worst expect to be maintained by a full time mechanic, the best aspire to allow the user to be their own mechanic. Modern cars come with four year bumper warranties and are designed to run 10,000 miles between services. We still have not got to the point where we expect computer systems to just work without complaints or excuses.

Why did we have to wait six years to get a security mechanism for WiFi that was usable and secure?

Posted by Phillip Hallam-Baker at 6:01 PM | Permalink | Comments (0)

One of the persistent refrains when trying to deploy a security specification is 'someone may sue because'. And there follows a convoluted argument that providing some sort of security may make things worse by making it more likely that someone will sue if it fails.

There is some truth in this argument but not a lot of sense. As the BBC reported yesterday a man sued the city of New York for removing the tiger and alligator that he illegally kept in his appartment. The plaintif argued that the search was illegal without a warrant and that cash, jewels and a pet rabbit had disappeared during the search. The judge disagreed considering the police had acted "cautious and reasonably" in the interest of public safety. On the disappearence of the rabbit he stated "The whereabouts of the rabbit has not been ascertained, but there is no indication that Al the alligator was questioned in that regard".

Anyone can sue over anything but that is equally true of what you might do and what you might not do. If the police had not acted promptly and the tiger had escaped and injured someone the victim might have sued the police for negligence not to mention the owner of the tiger, the appartment block, the supplier of tiger food, the maker of the door the tiger had broken through and anyone else they thought might pay.

Anyone can sue over everything but the law is considerably more sensible than people generally expect. The occasional daft decision happens but most judges are much more cautious and sensible than is generally allowed. If there is doubt as to the legal implications of a security protocol the right action is to talk to a real lawyer and not to assume that the law is an ass

Posted by Phillip Hallam-Baker at 2:07 PM | Permalink | Comments (0)

The state of Internet security today is such that anyone describing themselves as a security expert is mistaken.

The Internet is under attack by organized criminals whose crimes succeed because we have not delivered a security infrastructure for the Internet that ordinary people can use.

When I started working on Internet security there was a widespread optimism that cryptography could solve any problem. All you had to do was make sure that you used enough of it. Today we are beginning to realize that it is not enough to deliver a machine loaded with programs that provide 'military grade' cryptographic security. The job is not done until we build systems that people actually use.

SSL has done an amazing job for the past ten years. It worked because it was so easy for people to use that people could use it without being aware that they were using it. Ten years is a long time for a cryptographic protocol to be in service in an environment that changes as much as the Internet. A protocol that has served us so well deserves some mid-life maintenance, Extended Validation certificates and Secure Internet Letterhead are an attempt to prepare SSL for its next decade of service.

We have done less well with DNS security, IP Security, S/MIME, PGP. All are excellent designs but none has seen widespread use for the purpose for which they were designed.

The barbarians are now at the gate. The Internet is under attack by organized criminals. We have to change our approach. The traditional information security approach is not providing solutions to the security problems we face. Military grade cryptography works for the military because they can order the soldiers to use the system no matter how painful it may be to do so.

We have to develop a new type of security for the Web, security that solves the whole problem and not just the parts of it that can be reduced to mathematics.

Most of all we have to abandon the misleading and misquoted slogans that are too often a substitute for thought. How often has the phrase 'Bad security is worse than no security' been used to justify another year of delay in agreeing a security potocol standard? And how many people who talk about 'end to end' security realize that the ends of an Internet communication are people not machines?

Posted by Phillip Hallam-Baker at 8:38 AM | Permalink | Comments (0)

I spoke on Identity 2.0 systems at the Wikimania hacker days this afternoon. It was a pretty interesting event.

One of the key principles the Wikipedia people want to preserve is inclusiveness, allowing as many people as possible to make a contribution. This works well in general, but a small minority of vandals spend their time ruining things. The article on the Spanish Inquisition is regularly replaced with 'Nobody expects', graphiti is added and so on.

Taking Wikipedia to the next level without loosing the inclusiveness is the objective. For this to work there must be accountability. In an environment like Wikipedia it is impossible to keep the vandals out without keeping out many more people who can make a useful contribution. It is impossible to prevent the bad actors performing bad acts but it is possible to discourage them by ensuring that there are consequences.

Good Wikipedia editors quickly establish a reputation on wikipedia but that reputation is not transportable to other environments. If they want to join another wikiproject or contribute to a blog they become an unknown quantity. We are back to the age old problem: on the Internet nobody knows you're a dog.

OpenID and Identity2.0 systems provide the starting point to correct this problem. Once I have a portable identity that I can use to show I am the same person editing the different blogs we have a starting point for exchanging reputation across those blogs. The wider the scope over which I use my reputation the greater its value is to me. Portable identity improves accountability because it increases the value of reputation and thus the consequences of default.

Posted by Phillip Hallam-Baker at 10:51 AM | Permalink | Comments (0)

It is frequently asserted that little thought was given to security in the design of the Internet. In the case of the Web at least the assertion is false. Security was a major issue as early as 1993, long before the dotCom era.

Or was it?

A lot of time was spent on implementing cryptography. The view of the time was that cryptography is a sufficiently powerful tool that we can solve any problem provided that we use enough of it. This view turned out to be naive and wrong.

The Accountable Web is an attempt to fix that problem.

Bank vaults are a good way to protect cash but only a small proportion of the bank notes printed are sitting in a bank vault at any given time, the point of cash is that it is a medium of exchange. If cash sits idle in a bank vault for any length of time it might as well be replaced by an entry in a ledger.

For cash to do its job it must spend most of its time outside the protection of the vault. Even so the system works for two reasons. The first is risk based security. Banks need strong vaults because they hold large concentrations of money. Shops avoid being targets for theives by holding as little cash on hand as they can to do their business. Most people do the same thing, a mugger knows that their victim's watch or iPod is likely to be worth rather more to them than the contents of their wallet. Security measures are chosen for their cost effectiveness. If the cost of a security measure is less than the expected return of risk reduction it is unlikely to be widely implemented.

The second reason the system works is Accountability. The theif can easily get away with one picked pocket, or two, or even ten. But the professional theif who picks pockets for a living is certain to be caught sooner or later, it is only a matter of time. The purpose of having police is to deter crime.

In December 2003 I attended the Aspen Institute round table on three problems of Internet governance: spam, privacy and network security. Had the event occured a year later it is likely that Internet Crime in the form of phishing would be added to the list. In each case we identified a failure of accountability as a key reason for the problem we were discussing.

The idea of accountability is somewhat foreign to the Internet and there are many who want the Internet to remain a global consequence free environment. It is now clear that the Internet has consequences beyond the Internet and that demanding absolute anonymity for Internet use is neither sustainable nor desirable.

If someone wants to send anonymous email let them. But that anonymous email sender has no right to force me to accept their messages and the anonynmous email sender has no right to stop me rejecting any message that is not securely authenticated and comes from a party I can hold accountable if it turns out to be spam.

Posted by Phillip Hallam-Baker at 11:01 AM | Permalink | Comments (0)