Schneier on Security

A blog covering security and security technology.

« University of California's Tips for What to Do When There's a Shooter on Campus | Main | REAL ID Action Required Now »

May 8, 2007

The Myth of the Superuser

This is a very interesting law journal paper:

The Myth of the Superuser: Fear, Risk, and Harm Online
Paul Ohm

Abstract: Fear of the powerful computer user, "the Superuser," dominates debates about online conflict. This mythic figure is difficult to find, immune to technological constraints, and aware of legal loopholes. Policymakers, fearful of his power, too often overreact, passing overbroad, ambiguous laws intended to ensnare the Superuser, but which are used instead against inculpable, ordinary users. This response is unwarranted because the Superuser is often a marginal figure whose power has been greatly exaggerated.

The exaggerated attention to the Superuser reveals a pathological characteristic of the study of power, crime, and security online, which springs from a widely-held fear of the Internet. Building on the social science fear literature, this Article challenges the conventional wisdom and standard assumptions about the role of experts. Unlike dispassionate experts in other fields, computer experts are as susceptible as lay-people to exaggerate the power of the Superuser, in part because they have misapplied Larry Lessig's ideas about code.

The experts in computer security and Internet law have failed to deliver us from fear, resulting in overbroad prohibitions, harms to civil liberties, wasted law enforcement resources, and misallocated economic investment. This Article urges policymakers and partisans to stop using tropes of fear; calls for better empirical work on the probability of online harm; and proposes an anti-Precautionary Principle, a presumption against new laws designed to stop the Superuser.

If I have one complaint, it's that Ohm doesn't take into account the effects of the smarter hackers to encapsulate their expertise in easy-to-run software programs, and distribute them to those without the skill. He does mention this at the end, in a section about script kiddies, but I think this is a fundamental difference between hacking skills and other potentially criminal skills.

Here's a three-part summary of the topic by Ohm.

Posted on May 8, 2007 at 6:14 AM • 31 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Frank Wilhoit • May 8, 2007 6:52 AM

So you're telling me to read the paper even though the abstract, which you quote in full, is patent nonsense?

tcliu • May 8, 2007 7:34 AM

More and more I'm convinced that a similar approach as Bruce recommends for terrorism is required for computer security.

"Intelligence and emergency response."

Right now, once your computer gets broken, you are done. Game over. All security is currently based on preventing that single break - therefore we have oodles of passwords and "Program {0000-1111-2222} wants to perform operation number 4, Allow or Deny" incomprehensible dialogs, which, if you get them wrong, you are done - but this time it is your own fault, somehow.

What can be done to make cracking irrelevant?

Computers will be broken into, what can be done to minimize the fallout?

Ben Rosengart • May 8, 2007 7:44 AM

No such thing as a superuser? Is this some moldy 1980s we-don't-need-no-stinkin'-wheel-group Stallman rant?

;-)

wiredog • May 8, 2007 7:48 AM

"This mythic figure is difficult to find" really? I guess he's never been on a VMS system.

Some Guy • May 8, 2007 8:04 AM

$man su

Found him!

arturus • May 8, 2007 8:34 AM

Reading through the three part summary, but I did notice one pretty bad factual error, or at least ommission:

"In fact, many experts now doubt that an attack will ever disable a significant part of the Internet."

While it may not in the future, there's the fact that such a thing has already happened:

http://en.wikipedia.org/wiki/...

Paul Ohm • May 8, 2007 8:39 AM

Thanks for the link, Bruce! My main thesis is that whether or not the Superuser exerts a lot of power, policymakers always assume he does without demanding proof. They do silly and harmful things in response. For example, Congress is considering amending the Computer Fraud and Abuse Act (the principal Federal law prohibiting unauthorized access and damage to computers) to help catch botnet operators. It doesn't seem to bother them that there are very few statistics about the prevalence of botnets. And the amendments they are considering are typical fare for Superuser overreaction: they are talking about doing away with the $5000 damage threshhold (at least in cases with a lot of compromised computers). My prediction is that such an amendment would be used to convict many non-botnet operators but hardly ever used for the stated purpose.

And I've already been raked over the coals about my choice of the word, "Superuser." You'll see in footnote 8 of the paper that I consciously chose the word because of its association with the unix term. Nevertheless, the Volokians have almost convinced me to use "Superhacker" instead in the final publication.

Paul Ohm • May 8, 2007 8:48 AM

Arturus,

The statement was meant to be a prediction about the future, not a statement about the past.

In the paper, I make the easier-to-defend related statement that the Internet has never "crashed," and I drop a footnote stating that I don't count Morris because 10% does not a crash make. But I guess I'd agree that 10% probably counts as "significant" in this context.

Ben Hyde • May 8, 2007 9:02 AM

Thanks.

At first blush I presumed this would be an instance of the usual anti-regulatory rants deployed against any application of the precautionary principle. There is some of that, and the article can't quite avoid the litigator's tendency to take hostages only to appear willing to negotiate.

He is a bit weak on appreciating how the vast pool of talent on the net makes finding holes in systems highly probable and that since these holes are information goods they spread fast.

But his core argument that the regulators are throwing the baby (thoughtful and judicious application of the power of the state) out with the bathwater (the stew of bad actors on the net) is very nicely put together. He's right that the mythic way that the geek community frames their skill, culture and tech is a key contributor to the problem.

Very thought provoking. Thanks again.

Valdis Kletnieks • May 8, 2007 9:57 AM

"In fact, many experts now doubt that an attack will ever disable a significant part of the Internet."

The Morris worm has already been mentioned. And I'd posit that Nachi (with its habit of ICMP pinging random potential next targets, causing explosion of the flow tables on many routers) rendered large parts of the Internet *effectively* disabled - mostly in the user-facing DSL/cable farms. But more than one major financial institution had their ATM network fall on its face because their internal net was too busy burning with Nachi to transport production traffic....

Fred Flint • May 8, 2007 9:57 AM

Many years ago in the DOS days, I ran a BBS dedicated to online games with a minor amount of public domain software available for download. I did it for free and for fun. It was sort of like a blog with games and a few downloads.

After running this BBS for many years, I attended an international security conference in Toronto and the head of the RCMP computer crime section explained to the packed house "all computer BBSes are criminal enterprises".

Yes, that's an exact quote, burned into my brain.

He went on to explain all BBSes contained downloads like 'how to make an atomic bomb', 'how to make pipe bombs', instructions on how to hack into other people's computers, pirated software and a whole list of utter crap. He said the RCMP was monitoring the BBSes.

I guess he was afraid of the Superuser.

Well, I was afraid of him, especially as I was employed in the computer security field and I didn't want to get busted for nothing - or even fall under a heavy cloud of black suspicion.

I went directly home after the conference and instantly deleted my BBS. Not very brave I know but that's what happens when the cops, especially the head cop, fears the Superuser.

And now, according to Godwin's Law, I will mention Nazis. That just seems appropriate.

FP • May 8, 2007 10:05 AM

A similar point could be made about the "superterrorist" that governments want to protect us against, using an ever-wider surveillance net.

The superterrorist is intelligent, has multiple identities, unlimited funding, top-notch intelligence, access to the latest technology and the skill to operate it, and commands a platoon of smart, skilled operatives that are willing to throw their lives at any cause.

Fortunately, there's not many Mohammed Atta's, if any.

supersnail • May 8, 2007 10:43 AM

While there may or may not be "superusers" ( uber-hackers would be a better term).
The main problem is a combination of defective products and "dumb" users.

I.E. developers produce insecure and hard to manage software and sell it to your aunt who becomes and indavertant member of various 'bot nets and spam gangs.

Every telephone manufacturer has to get there equipment certified as fit to be connected to the telephone network before they can sell it over the counter, why shouldnt OS manufacturers have thier product certified as fit to be connected to the internet before they can sell it to an unskilled user?

Mike Sherwood • May 8, 2007 10:49 AM

This really needs a better name than superuser or superhacker. It seems like the idea is more in line with Nietzsche's Ubermensch. These are people who are not constrained by the boundaries of society. Software is malleable. The only constraints that exist are the ability of the person to use the tools at their disposal.

As people interested in security, how many of us have developed the same skills as many criminals? I know the only thing that separates me from many of the type of people mentioned in this paper is that I broke into computer systems I owned or was responsible for securing. I did it to learn how to secure them and test that it worked, but the knowledge and ability are exactly the same. There isn't always a clearly defined line between legal and illegal, such as the case of the university sysadmin who counter-hacked someone's machine and that was found to be justified in court. Good and evil intent may be discernable in some cases, but laws aren't concerned with those vague concepts.

I think the traits of the individuals are basically the same, but some choose to use their power for good, whereas the paper focuses on the bad. Though, one thing I've considered more than once is how many people with these dual use skills would still be employable if convicted of a felony? Would the university sysadmin concede to a life of minimum wage if the court came down hard against him?

One big problem with legislating technology is that the technology changes too fast for the legislation to maintain relevance. Botnets, spam and identity theft share the same problem from a legal standpoint. A misdemeanor with a small impact is regarded the same whether it's committed 1, 2 or 1,000,000 times. There is no legal concept of net harm to society to differentiate these kinds of cases. When there's a low risk and a high reward, there will always be a bunch of people trying to exploit it.

Hacker Wannabe • May 8, 2007 10:58 AM

comments comments:

su does not stand for "superuser."

superhacker is a wonderful compliment. T-shirt fodder for thinkgeek.com !

Too bad they dumped so many good things about VMS when they tried morphing into Windows NT.

Jim • May 8, 2007 11:11 AM

Other blog threads about Ohm's topic have brought up the unfortunateness of the term "Superuser." It confuses the issue, it rings of unnecessary hype, it overloads a perfectly good existing term, it conflates "users" with hackers, and it ignores the existence of perfectly good terms that describe the people in question better (I agree with supersnail that "uberhackers" would be a far better term, if only because it would let many of us for whom the term "superhackers" grates move past that word and get to Ohm's real argument).

Unfortunately, Ohm seems wedded to that term, and I think his argument suffers for it.

His argument also suffers because it often takes only one uberhacker to break a system. DeCSS and AACS are prime examples. I can play DVDs under linux not because I'm a crack cryptanalyst, but because one person figured out CSS and let the world know DeCSS. It's a cliche that security is only as strong as the weakest link, but it's also true. As a corollary, security is only as strong as its ability to withstand its smartest attacker.

Applying the argument to the design of cryptographic algorithms shows just how wrong Ohm's thinking can be. You can't design systems around the average user under the idea that uberhackers are rare and thus shouldn't be who we design security around. Design security around the middle of the bell curve, and you're guaranteed that someone at the high end will break the security (and then, once broken, everyone in the middle of the curve can take advantage of it).

I agree that legislators often overreach when drafting computer crime laws, but I don't think it's because they're unjustifiably concerned with uberhackers. Rather, I think it's a result of how difficult it is to translate between tech and law, and how any law that isn't re-written every year has to be vague on technology. It's also a problem about regognizing what the law can and can't do, and what it should or shouldn't do. The DMCA is a prime example -- a broad prohibition against "reverse engineering" does nothing to prevent that activity, while prohibiting a host of activities that (I hope) were never contemplated under the act. If lawmakers stopped concentrating on uberhackers, it would change nothing about law like the DMCA, either in their drafting or in their enforcement.

Frieky_Friday • May 8, 2007 11:16 AM

So, Bruce...I thought we didn't need a security industry? ;) What's this about hackers and script kiddies? People actually want to break software of all sorts?! ;)

Bruce Schneier • May 8, 2007 12:16 PM

"So you're telling me to read the paper even though the abstract, which you quote in full, is patent nonsense?"

Yes.

I disagree with a lot of what he wrote, but I agree with some of it -- and his line of argument is interesting and worth reading in any case.

Matthew Skala • May 8, 2007 1:01 PM

If you're going to replace the misused term "superuser" with some other name for that concept, please don't choose one that includes a built-in misuse of the word "hacker," KTHXBYE.

Jim • May 8, 2007 1:38 PM

The attacker definition of "hacker" isn't a misuse, it's simply a different use. The English language allows for words to have multiple meanings; "hacker" is one of them.

Paul Ohm • May 8, 2007 1:55 PM

Actually, in my paper, I think I am talking about hackers in the traditional sense. My paper is about users who can effect powerful change. That's basically my definition. The label applies irrespective of motive and regardless of whether anyone finds their actions threatening or not. What makes them "Superhackers" instead of just, "hackers," is the Mythology that's built up around them.

In fact, in my description of problems with the Myth, I point to the "guilt by association," problem. Not all superusers/superhackers are evil, but policymakers often confuse power and harm.

But, I will confess that at several points in my public comments about the paper, I have lazily and mistakenly talked about Superusers with a decidely negative bent. I should've been more careful.

Saucepan • May 8, 2007 4:14 PM

"What can be done to make cracking irrelevant?"

Run every application (and, eventually, web page) in its own disposable virtual machine. Seriously.

Jim Lippard • May 8, 2007 6:20 PM

In part 3 of the summary on Volokh, Ohm writes about the lack of good data on intrusions. Virginia Rezmierski at the University of Michigan has done some good work on computer incident factor analysis and categorization that looks at prevalence and causes of computer security incidents.

Ralph • May 8, 2007 6:58 PM

@ Paul

"The experts in computer security and Internet law have failed to deliver us from fear..."

I have two problems with this statement:

1. Many in our small industry have lost their voice from continued screaming at the stupidity of the current security environment. It is not that the message has not gone forth - it is that there is little interest in the hearing of the message.

2. It is not our responsibility to deliver you from fear. Fear is not something that comes from without, it comes from within.

American today lives in a climate and circumstance of it's own choosing; and whilst wisdom calls in the streets it is not a mark of your age to listen to it.

But congratulations on stirring the debate, I hope you are widely read.

Jeff Williams • May 8, 2007 10:08 PM

Forget whether there are superhackers, this paper is about uncertainty in risk measurements (there is always uncertainty in both likelihood and impact). Paul's recommended "anti-precautionary" principle boils down to "when in doubt, don't do anything."

I agree we should strive to reduce this uncertainty and make more informed security decisions. But when we haven't done that yet, or don't have enough information to figure it out, we should err on the side of caution - not the other way.

I hope that the world doesn't adopt this foolish principle. I believe it will encourage the wait-and-see, ignorance is compliance, check the box form of security that characterizes far too many agencies and enterprises.

InternetSurfer • May 9, 2007 2:35 AM

The Myth of the Superuser/'S is not a myth. To try and hide that there are variables (a.k.a individuals) that can do whatever they please does nothing.

"I am Evolution. I created the WWW. I have been waiting for you. You have many questions and although the process has altered your consciousness you remain irrevocably human, ergo some of my answers you will understand and some of them you will not. Concordantly, while your first question maybe the most pertinent you may or may not realize it is also the most irrelevant."

Fred F. • May 10, 2007 5:14 PM

I find the OLPC work in securing their laptop very interesting. Their model is to treat each process as its own with access to only that which it needs. Then if a process gets compromised then only that which it can access is compromised.

For example if a text editor gets compromised, it will not be able to erase all my music or even access my list of email addresses.

Sudhakar Jaani • May 11, 2007 12:45 AM

Superuser is reality. Have you heard about Mr. Kalpesh Sharma?

Mr. Sharma is an information security expert and also
world's greatest hacking expert who challenged that he can prove the vulnerabilities
in 80 percent of world's financial websites alone. He proved this recently through a
LIVE telecast in front of camera. During this telecast, the Minister of Information
Technology, Technical Experts, Legal Experts and a team of Star Editors were
present. Mr. Sharma had also answered to all the questions through a debate
competition in the same news telecast. Other then this, Mr. Sharma had also worked
with India Army (Intelligence) and as a Technical Assistant to Chief Minister of
Gujarat for research and development activities.

Born in small village of most famous Indian city known as Pink City of India. Mr.
Sharma is in the field of security research from last 8 years. He has now full
control over the global web security system. His life was full of struggle and
overloaded stress. He mentions his strength and pride by specifying himself as a
Full-stop on E-system. His aim was to perform unique tasks across globe, something
which no one other then him can perform. He proved this through a LIVE ON AIR
telecast on one of the most reputed news channel INDIA TV
(http://www.indiatvnews.com). This telecast was aired in the Breaking News on INDIA
TV and was the world's first longest hacking and security related news telecast.
This telecast was shown from 9:00 PM to 12:30 AM and is one of the best serialized
news programme of India. Minister of Information Technology, Technical Experts,
Stock Exchange Experts, Cyber Crime Experts, Indian Star Editors Team and Corporate
Profiles were all present during this telecast. Mr. Sharma had hacked several
Internet Banking, Internet Trading and Internet Shopping websites all in a single
attempt. Recently, Mr. Sharma had also announced about his new security firm
Shubhlabh Technologies. He mentions hacking as an expert level work which is
technical art of finding vulnerabilities in existing weak security of any online
activity through Internet. Kalpesh Sharma, shows the LIVE demonstration on net
banking and its loopholes. He proved that no bank is safe for your money. He
challenged to all banks that he can hack any bank site because of their loopholes.
However, his intention behind proving was to help out peoples become safe and aware
of technical security.

First he reserved an airticket on indiatimes.com shopping website for free. The
payment was done by hacking the site of IDBI Bank payment gateway. Secondly, he
purchased a raincoat from rediff shopping website and payment was done through
hacking of Federal Bank. From both websites he received the receipt with order
number and confirmed payment that the payment is done and we will deliver it within
3 days...

Alongwith, Mr. Sharma also went for discussion through a debate in the same LIVE
telecast with Mr. Dhrender Kumar (Stock Exchange Expert) and Pawan Duggal (Cyber Law
Expert) and they felt shocked when they saw all these right in front of their eyes.
Mr. Dhrender said that, " I am shocked to see this situation. Now our money is not
safe and we could not take physical risk to keep huge amount of funds with us,
because technical era is on it's way towards progress. In order to avoid this we are
using Net Banking, but as seen there are several vulnerabilities in banking system
also... "

Mr Pawan Duggal described about some clauses and sections of Information Security
Act, and asked peoples who lost their money, can claim up to 10 Million INR. But you
have to prove it in the court of law, which is almost very difficult to perform. You
can't get help from consumer court as well, in this situation. No one knows what can
be done? Mr. Sharma also hacked the so called safe website of shares and securities
trading i.e Indiabulls.com and transfered 100 INR into his Union Bank Savings
Account. Indiabulls database site reflected the balance fluctuations, immediately.
For discussion on this, Mr Gagan Banga (President of Indiabulls) was called in this
LIVE telecast. But instead of accepting his company's technical mistakes, he
challenged against Mr. Sharma's claims. He fully denied though everything was seen
by millions of peoples across nation. He said that, " It's not possible to hack our
trading website". Then, Mr. Sharma challenged him to prove it right in that running
LIVE telecast, and asked him for oral permissions. Mr. Sharma also added that let
public viewers of this telecast give their decisions after he demonstrates it right
now. Once Mr. Gagan felt nervous ! because by this they can loose the confidence of
people. But at last he accepted that challenge and told to Mr. Sharma that he can
come in his office and hack Mr. Gagan's account. I will give you permission to hack
my account, but I can't give permissions for other hacking other's accounts. This
shows Mr. Gagan have doubt about his website and was afraid of Mr. Sharma's
Challenge.

For further discussion Mr. Shakeel Ahmed (IT Minister of India) came and he told
that he is not a technical person, but he will definitely do well for people's of
his country with his technical team... In short, none of our money is safe until and
unless, online security vulnerabilities are not removed completely. In order to know
more about Mr. Sharma's research activities and services please go through
http://kalpeshsharma.page.tl

Web Site = http://kalpeshsharma.page.tl/about.htm

Contact Details = Kalpesh Sharma
2, shri ram park society, on chandola canal, near jawahar chowk, maninagar,
Ahmedabad - 380008, Gujarat, India.

Pete Mirin • August 14, 2007 10:12 PM

Kalpesh Sharma is a swindler. I contacted out to do security work and he cheated me out of $400.00. His wholesale scam set up is on free pages and doesn't have a website or office.

Kalpesh Sharma hides behind a fake company called Shubhlabh Technologies.
Don't be fooled by this con artist.

Pete Mirin • October 7, 2007 11:49 PM

I am so sorry ! This person had completed my work and provided the services but I recieved it late due to my mail server errors. I am extremely sorry for writing anything wrong about Mr. Sharma for the error due to my foolish mail server administrators.

Thanks Mr. Sharma. It was by mistake and I was in hurry so I could not understand whether whom to trust and whom not. But now all the things are clear. Thanks Ag

Pete Mirin • October 7, 2007 11:50 PM

Thanks Mr. Sharma. It was by mistake and I was in hurry so I could not understand whether whom to trust and whom not. But now all the things are clear. Thanks Again....

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M J
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D