Schneier on Security
A blog covering security and security technology.
« Security Engineering, by Ross Anderson |
| State Department Loses Hundreds of Laptops »
May 6, 2008
Dual-Use Technologies and the Equities Issue
On April 27, 2007, Estonia was attacked in cyberspace. Following a diplomatic incident with Russia about the relocation of a Soviet World War II memorial, the networks of many Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters, were attacked and -- in many cases -- shut down. Estonia was quick to blame Russia, which was equally quick to deny any involvement.
It was hyped as the first cyberwar: Russia attacking Estonia in cyberspace. But nearly a year later, evidence that the Russian government was involved in the denial-of-service attacks still hasn't emerged. Though Russian hackers were indisputably the major instigators of the attack, the only individuals positively identified have been young ethnic Russians living inside Estonia, who were pissed off over the statue incident.
You know you've got a problem when you can't tell a hostile attack by another nation from bored kids with an axe to grind.
Separating cyberwar, cyberterrorism and cybercrime isn't easy; these days you need a scorecard to tell the difference. It's not just that it’s hard to trace people in cyberspace, it's that military and civilian attacks -- and defenses -- look the same.
The traditional term for technology the military shares with civilians is "dual use." Unlike hand grenades and tanks and missile targeting systems, dual-use technologies have both military and civilian applications. Dual-use technologies used to be exceptions; even things you'd expect to be dual use, like radar systems and toilets, were designed differently for the military. But today, almost all information technology is dual use. We both use the same operating systems, the same networking protocols, the same applications, and even the same security software.
And attack technologies are the same. The recent spurt of targeted hacks against U.S. military networks, commonly attributed to China, exploit the same vulnerabilities and use the same techniques as criminal attacks against corporate networks. Internet worms make the jump to classified military networks in less than 24 hours, even if those networks are physically separate. The Navy Cyber Defense Operations Command uses the same tools against the same threats as any large corporation.
Because attackers and defenders use the same IT technology, there is a fundamental tension between cyberattack and cyberdefense. The National Security Agency has referred to this as the "equities issue," and it can be summarized as follows: When a military discovers a vulnerability in a dual-use technology, they can do one of two things. They can alert the manufacturer and fix the vulnerability, thereby protecting both the good guys and the bad guys. Or they can keep quiet about the vulnerability and not tell anyone, thereby leaving the good guys insecure but also leaving the bad guys insecure.
The equities issue has long been hotly debated inside the NSA. Basically, the NSA has two roles: eavesdrop on their stuff, and protect our stuff. When both sides use the same stuff, the agency has to decide whether to exploit vulnerabilities to eavesdrop on their stuff or close the same vulnerabilities to protect our stuff.
In the 1980s and before, the tendency of the NSA was to keep vulnerabilities to themselves. In the 1990s, the tide shifted, and the NSA was starting to open up and help us all improve our security defense. But after the attacks of 9/11, the NSA shifted back to the attack: vulnerabilities were to be hoarded in secret. Slowly, things in the U.S. are shifting back again.
So now we're seeing the NSA help secure Windows Vista and releasing their own version of Linux. The DHS, meanwhile, is funding a project to secure popular open source software packages, and across the Atlantic the UK’s GCHQ is finding bugs in PGPDisk and reporting them back to the company. (NSA is rumored to be doing the same thing with BitLocker.)
I'm in favor of this trend, because my security improves for free. Whenever the NSA finds a security problem and gets the vendor to fix it, our security gets better. It's a side-benefit of dual-use technologies.
But I want governments to do more. I want them to use their buying power to improve my security. I want them to offer countrywide contracts for software, both security and non-security, that have explicit security requirements. If these contracts are big enough, companies will work to modify their products to meet those requirements. And again, we all benefit from the security improvements.
The only example of this model I know about is a U.S. government-wide procurement competition for full-disk encryption, but this can certainly be done with firewalls, intrusion detection systems, databases, networking hardware, even operating systems.
When it comes to IT technologies, the equities issue should be a no-brainer. The good uses of our common hardware, software, operating systems, network protocols, and everything else vastly outweigh the bad uses. It's time that the government used its immense knowledge and experience, as well as its buying power, to improve cybersecurity for all of us.
This essay originally appeared on Wired.com.
Posted on May 6, 2008 at 5:17 AM
• 33 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It is already being done in certain industries using a program called "SafeGuard Easy 4.20.1"
--aside from being a pain for the desktop helpdesk if something need to be fixed outside of the OS; it works well.
---Makes Ghosting also a bigger pain once encrypted a 8gb footprint is seen outside the OS as the whole drive!
Lewis Donofrio Sr. Windows / Unix Systems Administrator 734-355-0592
Any references to support the claim that Internet worms have breached air gaps in under 24 hours? (Obviously with human help ;)
--That last comment was a follow-up on the "full-disk encryption" part that Bruce was talkin about in the 13th paragraph.
> So now we're seeing the NSA help secure Windows Vista and releasing their own version of Linux.
SELinux is not an "own version of Linux" but it is Mandatory access control system. Which, for example, implemented in Red Hat Enterprise Linux.
A couple nitpicks:
1) "Internet worms make the jump to physically-separate classified military networks in less than 24 hours, even if those networks are physically separate." "[E]ven if" implies that it's an exception, but in my experience, most physically-separate networks tend to be physically separate. ;-)
2) "I'm in favor of this trend, because my security improves for free." It's not free; it's paid for by your tax money (and mine). That said, though, I'd rather it be spent on that, than on eavesdropping on my phone calls, let alone TSA Security Theater 3000!
"Any references to support the claim that Internet worms have breached air gaps in under 24 hours? (Obviously with human help ;)"
I looked when I wrote the piece, but I couldn't find the reference. I've heard it from a couple of sources, although they may have all had the same original source.
Basically, it's some general with a laptop that allows the worm to make the jump.
To follow up on liks' remark: SELinux is a kernel subsystem, build-able and loadable (or omit-able) as a kernel module. A quick glance at a recent-ish linux kernel (2.6.18) shows that the SELinux source code weighs in at under 1MB, in a source tree comprising 270MB.
Under the circumstances, it seems misleading to refer to NSA's otherwise valuable contribution as "their own version of Linux", particularly in a popular, non-technical article. Even moderately technically-literate readers probably think of a "version of Linux" not in terms of a kernel, but rather in terms of a distribution, either general-purpose (e.g. Fedora, Ubuntu), or specialized (e.g. Scientific Linux). Certainly, most modern general-purpose distributions include the SELinux kernel module by default, and invite the user to create an SELinux security policy at installation time.
From this perspective, the NSA has done something far more valuable than create "their own version". They have made a lasting contribution to the linux community, both by adding the actual source code and by educating the linux coding community on the requirements and architectural principles of robust OS resource access control. There are now other alternatives to SELinux that have grown up around the kernel, but the influence of SELinux on each of them is clear.
Whatever else the NSA may be, they are a good Linux citizen. I am perfectly content to see government money spent this way.
You have to be careful not to let initiatives like this get caught up in typical bureaucratic nonsense. What starts out as seemingly good security requirements turns into stupidity or worse, requirements that are insecure or allow government prying. It just takes a couple bureaucrats and a congressman or two to start insisting on stupid things like this. So the private marketplace needs to balance with the government behemoth and make sure its own needs are met.
Othewise you get things like Real ID or No-Fly lists, which can't really do anything to help
It's a shame that the effort appears to be just SELinux these days.
Don't get me wrong, I am very glad that people are going to the effort and I appriciate it a lot.
It's just that I'm kind of a belt and braces man, and would like to see two different systems being developed concurently.
Not just because competition tends to bring out the best in people, mainly because of the "eggs in one basket" problem.
If everybody uses SELinux for say health care, and a serious flaw is found with it then it leaves all of the systems vulnerable.
Two systems however reduces the odds of a serious flaw effecting things at better than 1/4 the odds (because they would have to be time coincident with respect to the fix time).
"But I want governments to do more."
It's astounding how difficult it appears to be for Bruce to understand that every demand he makes (to the extent that Bruce is influential) of government officials helps to legitimize, in the minds of government officials, the increased use of government power in precisely the areas that Bruce constantly complains government is intruding unjustly upon. Coercion is coercion, whether it comes from the "left" or the "right."
How hard and how many times does one have to be hit by the law of unintended consequences?
A young and naive person may not yet understand the nature of bureaucracy. But what is Bruce's excuse? It's embarrassing to the point of being shameful.
@ Same Old Song
"A young and naive person may not yet understand the nature of bureaucracy. But what is Bruce's excuse? It's embarrassing to the point of being shameful."
What is shameful about a request for big security buyers to exert influence over the market?
Consumers with common values benefit when they align and more clearly illustrate demand, or even contribute resources directly to increase quality of product.
"It was hyped as the first cyberwar: Russia attacking Estonia"
I have a clear memory of Tony Blair saying "Ping Bombardment Strategy" when talking about reaction to the UN actions in Kosovo in 1999. What struck me was that by the way he pronounced it, he had absolutely no clue what he was reading.
"What is shameful about a request for big security buyers to exert influence over the market?"
Nothing, as long as those big security buyers are using their own wealth.
Government doesn't use its own wealth. It uses yours. And mine. And the wealth of millions of others.
I'm sure you feel fine about having bureaucrats use my money without my permission, but next month, it's going to be your money that's used to fund something you may very well strongly disagree with (say, for instance, the Iraq war.) The principle is the same: government officials appropriate your wealth, and then spend it as they see fit.
The buying power that government weilds is mostly coerced from its citizens. Ask anyone if they would rather keep their wealth, or have a government bureaucrat decide how to spend it.
What's shameful, and fatally conceited, is for a non-naive person to pretend not to understand that coercion used to confiscate the wealth of others to serve your own purposes can be justified by claiming that the victims will benefit from the proposed use of the ill-gotten gains (and should thus be pleased, or at least complacent.)
Ahem. Replace "not to understand" with "to believe" in the last paragraph of my above post, and it will make more sense, if any.
"I'm in favor of this trend, because my security improves for free."
Not true: you are (I assume) a US taxpayer.
But I'm not....haha, so my security does improve for free.
Security does improve for free, simply because more secure systems have a lower cost of ownership than less secure systems.
"Security does improve for free, simply because more secure systems have a lower cost of ownership than less secure systems."
If someone has to pay for it, then it's not for free, is it.
@ Same Old Song
Why do (some) libertarians find it necessary to take a very straightforward analysis of the way the world currently works and replace it with a discussion of why it ought not to work that way?
I'm just asking. Do you expect some return from this behavior? Do you expect Bruce to change the system of taxation in the US? Or do you just want a platform?
@Same Old Song
I think the major problem with your argument is that the government needs security just as much as any other institution regardless of the source of funding. Unlike excessive social programs and excessive corporate-socialism programs, good security is a requirement any government will have.
Where I think Bruce goes astray is ignoring the lesson of the clipper chip. His call for the government to use its buying power to get better security into the market is eerily similar to the reasoning the key-escrow advocates used in promoting the clipper chip. It is just as easy - maybe even easier due to lobbyist influences - for government to encourage flawed security products as it is to encourage good security products.
"good security is a requirement any government will have"
Unfortunately, there's just a tiny bit of room for interpretation in such a statement. Say, between 1 US dollar and 3 trillion US dollars, for example.
Guess which side a government bureaucrat who is spending money which is not his, will err on.
Claiming "but the government needs it!", begs the very question of justification, rather than answering it.
@ Same Old Song
Someone has to pay for endless patches to insecure systems as well, so I am not sure what (if anything) you are suggesting.
You apply this to any institution large enough to have sway on a systems provider instead of just "the government" if that makes you feel better.
@Bruce "But I want governments to do more. I want them to use their buying power to improve my security. I want them to offer countrywide contracts for software, both security and non-security, that have explicit security requirements. If these contracts are big enough, companies will work to modify their products to meet those requirements. And again, we all benefit from the security improvements."
This happens. My employer makes the IPS and desktop firewall system that the DoD uses. When we made the sale, it came with several strings attached - the NSA did a code review, we beefed up the audit logging, and several other minor changes were made to comply to with the government's "Common Criteria". Another stipulation of the sale was that any changes that the government required must be made in a mainline release, not a special government-only patch. So all our customers benefit from our efforts to please the DoD.
And, I'm willing to bet, Vista's seemingly-aggressive support for IPv6 networking is an effort to comply with the DoD's near-future IPv6 transition goals. I know our product's IPv6 support is directly related to the needs of our largest customer.
Same Old Song. You comments are disingenuous, but do provoke blog responces, hum, SOS fits another TITLE here?
USA is like ROME in the movie gladiator, but with foreign countries as the Praetorian Guard, and X as a Emperor. How things will end, will not be as simple as any movie, but maybe like ROME did. Given this dependency and lockin, we must all unite for common dual bread lines, and secure/insecure products that the NSA/powers that be, want. Reminds me of the 4 versions of Microsoft Vista, what a plan! What leadership! It will all fall down, there is no bottom. The race to the bottom is more than a protest, it is an unspeakable game of chicken with death and the planet. And the people will not be keeping their wealth saved from less taxes, it would be taken from them, like their houses today. In a world full of false images, we have our revelations brought to use the hard way.
Somebody must step in and bring some order. SOS, you seem to pretend to be for the people, but you really are for your army. Can't blame you, historical power tends to see itself as a necessary evil/Good at at costs. Sure feels like a Microsoft powerplay, nothing more than pump and dump in the end. The Seige, a movie, see it, sure came around. Oh well.
Current history of the USA from the end of the cold war to now, has been poor leadership at best, ruthless sellout race to the bottom that could break sometime, as negotiation. All part of clockwork. Oranges sure would complain and get the point better than some who tempt the negotiation too much for their unity. More EQUITIES are needed, that is why this article is important.
...the revolving door spins along, while nero squeezes away.
"...replace it with a discussion of why it ought not to work that way?"
One reason is because Bruce's "straightforward analysis" contains assumptions which aren't true and which themselves promote harm.
"Do you expect some return from this behavior?"
"Do you expect Bruce to change the system of taxation in the US?"
Singlehandedly and utterly? Obviously not. But promoting its current abuses doesn't help.
"Or do you just want a platform?"
Are these my only three choices?
So when I demand that the goverment build better roads or more training for teachers in public schools, would that be considered coercion too?
@ Same Old Song
So, it looks like you and Bruce are saying the same thing:
Better management of government resources would be...better.
The only variation I see is that Bruce has given a specific example of a positive outcome he would like to see (and that we could agree/disagree) from the better management of government resources; he wants security to improve.
Sounds like a very reasonable request to me.
I think this already happens a fair bit more than Bruce gives credit for. The underlying issue for the NSA is that they'd really like to buy their technology components in the open market than have to develop it themselves. If they leave security vulnerabilities in, they (and other secure government purchasers) also locked out from getting the benefits from the more efficient open market.
They basically say as much in the discussions around elliptic curve cryptography.
If I may add a point about the "bored kid" background - when the story surfaced some months ago I actually went to the courthouse and read through the files - as well as talked to prosecution and CERT.ee people before and after.
As it often happens, the story is more complicated than headline.
This particular kid went to .ru hacker forums where threads about attacking Estonia were already running and posted rather actively about what to target and what not (on the highly sophisticated level like providing some URLs and asking not to DOS his ISP :-). As our CERT people were monitoring the same forums and he had chosen alias "Dimon s Tallinna" - and there was a need to cut down noise from bored kids - he was traced and arrested (didn't find how exactly, but I would have sent him a private message with a URL to click on and looked on log file, for example). This did have the expected calming effect on forums right after news about his arrest broke, for example archive.org has the same thread that is in court files but couple of days later, with another noisy user r00t.blackhat having emptied all of his messages. http://web.archive.org/web/20070506024410/...
He reached a deal with prosecution out-of-court and was fined. As an interesting sidenote, he didn't forget to mention in his defense that he had open WiFi at home and somebody else might have been doing all that attacking stuff (I recall there was a lengthy dispute here about Bruce's pro-open-wifi post...)
There were other users and IPaddresses from which defacings had been performed from and Estonian State Procurature made "a formal investigation assistance request" to the Russian Supreme Procurature in May of 2007, in order to track down attackers residing in Russia. It has not yielded any positive response, regardless of the fact that this type of cooperation is specifically "enumerated in the Mutual Legal Assistance Treaty" between Estonia and Russia.
As for connecting DDoS to Russia... you can't take this particular event separately from the rest of the "people's war" campaign as it is seen here in Estonia. Attacking Estonian ambassador in Moscow, blocading embassy, main bridge over river between Estonia and Russia suddenly needing repairs, the same with railway, large retail chains dropping Estonian products... And the coverage on Russian state-TV, including finely coreographed performances in Tallinn (a lot of that is considered to be for their domestic politics). And, there is an interesting story about the order in Russian forums and what can be said there and what not, see http://lrtranslations.blogspot.com/2007/02/... (yes, from LaRussophobe translations :-)
Also, interestingly, an Anatolij Tsiganok of a "independent military prognostics center" (but also "public advisory board by the Russian ministry of defence") tells to Gazeta.ru http://www.gzt.ru/world/2008/02/07/220025.html that cyberattack is a good tool because there is nothing about them in international agreements and calls attacks agains Estonia succsessful (not forgetting to mention west has nothing comparable to Russian capability).
"So, it looks like you and Bruce are saying the same thing"
"The only variation I see..."
Better read the post and comment(s) again, a little more closely.
Clive Robinson: A bug in any kernel code in a monolithic kernel system (which includes all OSs that are popular at the moment) can give ultimate privilege to the attacker. The quality of the kernel code from the NSA and other contributors is very high and changes are reviewed more thoroughly than most kernel code - so I think that a privilege escalation bug in that code is quite unlikely.
The recommended configuration for SE Linux is to not rely on it entirely (as I do for a demonstration with my SE Linux Play Machine - see the above URL), but to use Unix permissions as well. Using two layers of protection does more than decrease the probability to 25%, having two bugs be discovered in a short enough interval that important machines have not been upgraded to fix the first bug seems rare.
Same Old Song: You should keep in mind the fact that Red Hat Enterprise Linux (with SE Linux as a default feature) is considerably cheaper than all the other options for government use. The US government is both increasing computer security for everyone AND saving the US taxpayer money!
"US government is both increasing computer security for everyone AND saving the US taxpayer money!"
Well, no. The fact that the US Government spends less money, by using Red Hat Linux, in this particular area on this particular project does not "save" the US taxpayer any money.
Any appropriated wealth "saved", will be spent by Government officials in some other way. It's not as if the saved wealth is returned to the taxpayers, nor is it the case that the taxpayers' "bill" next year will be reduced because of this year's "savings".
The best that can be said of using Red Hat in this case is that the Government spent less money on the project than it otherwise would have. The taxpayer will see no net benefit; his cost remains the same. And he still has no choice of whether to pay. Taxes are not voluntary.
"IT technologies"!? Come on, surely you know what the T in IT stands for...
Perhaps I'll walk over to the ATM machine, key in my PIN number, and purchase some IT technologies.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..