Crypto-Gram

January 15, 2003

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@schneier.com
<http://www.counterpane.com>

A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

Back issues are available at <http://www.schneier.com/crypto-gram.html>. To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send a blank message to crypto-gram-subscribe@chaparraltree.com.

Copyright (c) 2003 by Counterpane Internet Security, Inc.

In this issue:

Militaries and Cyber-War

Recently I was interviewed by an Iranian newspaper on the subject of computer security. One of the questions I was asked was whether or not the Pentagon had a secret weapon that could disable the Internet.

It’s an interesting question. I have no idea what the real answer is, but I can certainly speculate.

There’s no doubt that the smarter and better-funded militaries in the world are planning for cyberwar, both attack and defense. It’s a multifaceted concept. A military might target the enemy’s communications infrastructure through both physical attack—bombings of selected communications facilities and transmission cables—and virtual attack. It would be foolish for a military to ignore the threat and not invest in defensive capabilities, or to ignore the possibility of launching an offensive cyber-attack against an enemy during wartime. And while history has taught us that many militaries are indeed foolish, some are not.

This implies that at least some of our world’s militaries have Internet attack tools that they’re saving in case of wartime. They could be denial-of-service tools. They could be exploits that would allow military intelligence to penetrate military systems. They could be viruses and worms similar to what we’re seeing now, but perhaps country- or network-specific. I can certainly imagine a military finding a new vulnerability in a common operating system or software package and keeping it secret, hoping to use that vulnerability to their advantage in wartime.

So my guess is that the U.S. military could disable large parts of the Internet, at least for a while, if they wanted. But I doubt that they would do so; it’s far too useful an asset, and far too large a part of our economy. More interesting is whether they would try to disable pieces of it. If we went to war with country X, would we want to disable their portion of the Internet, or remove connections between their Internet and our Internet? Depending on the country, a low-tech solution might be the easiest: disable whatever undersea cables they’re using as access. Could the U.S. military turn the Internet into a U.S.-only network if they wanted? That seems less likely, although again a low-tech solution involving the acquiescence of companies like Cable & Wireless might be the easiest.

One important thing to remember here is that you only want to shut an enemy’s network down if you aren’t getting useful information from it. The best thing to do is to infiltrate the enemy’s computers and networks, spy on them, and surreptitiously disrupt select pieces of their communications when appropriate. The next best thing is to passively eavesdrop. After that, the next best is to perform traffic analysis. Only if you can’t do any of that do you consider shutting the thing down.

When a military discovers a vulnerability in a common product, they can either alert the manufacturer and fix the vulnerability, or not tell anyone. In U.S. military circles, this is called the equities issue. It’s not an easy decision. Fixing the vulnerability gives both the good guys and the bad guys a more secure system. Keeping the vulnerability secret means that the good guys can exploit the vulnerability to attack the bad guys, but it also means that the good guys are vulnerable.

Script kiddies are attackers who run exploit code written by others, but don’t really understand the intricacies of what they’re doing. Professional attackers spend an enormous amount of time developing exploits: finding vulnerabilities, writing code to exploit them, figuring out how to cover their tracks. The real professionals don’t release their code to the script kiddies; the stuff is much more valuable if it remains secret. I believe that some militaries have collections of vulnerabilities, and code to exploit those vulnerabilities, that they are saving in case of wartime or other hostilities. It would be irresponsible for them not to.

My interview in the Iranian newspaper. (To be honest, I have no idea what it says.)
<http://www.jamejamdaily.net/shownews2.asp?…>

Crypto-Gram Reprints

Crypto-Gram is currently in its sixth year of publication. Back issues cover a variety of security-related topics, and can all be found on <http://www.schneier.com/crypto-gram.html>. These are a selection of articles that appeared in this calendar month in other years.

A cyber Underwriters Laboratories?
<http://www.schneier.com/crypto-gram-0101.html#1>

Code signing:
<http://www.schneier.com/crypto-gram-0101.html#10>

Block and stream ciphers:
<http://www.schneier.com/…>

The Doghouse: Yahoo

When you register for a Yahoo account, they ask you for your date of birth. The purpose is security; if you forget your password, they can authenticate you with this information. Someone’s birthdate isn’t a secret, and is a terrible way to authenticate someone. But Yahoo goes one step further. “My Yahoo,” the company’s popular personalized news page, uses the information to put a “Happy Birthday, <username>!” message at the top of your page when you visit on your birthday.

An excellent example of not getting it.

<http://www.oreillynet.com/pub/wlg/2597>

News

Government report says cyberterrorism threat is overhyped.
<http://www.wired.com/news/infostructure/…>

Even Microsoft agrees: don’t trust Microsoft:
<http://www.infoworld.com/articles/op/xml/02/12/09/…>

Elcomsoft not guilty of violating the DMCA.
<http://www.wired.com/news/business/0,1367,56853,00.html>
<http://sanjose.bizjournals.com/sanjose/stories/2002/…>
<http://www.wired.com/news/business/0,1367,56898,00.html>

Evaluating intrusion detection systems:
<http://online.securityfocus.com/infocus/1623>
<http://online.securityfocus.com/infocus/1630>
<http://online.securityfocus.com/infocus/1651>

Insider accused of attempting to manipulate stock price by sabotaging computer.
<http://www.vnunet.com/News/1137678>
<http://www.theregister.co.uk/content/55/28630.html>

Another essay on full disclosure:
<http://www.osopinion.com/perl/story/20319.html>

The strategic effectiveness of suicide terrorism:
<http://magazine.uchicago.edu/0212/research/…>
<http://www.plastic.com/article.html?sid=02/12/23/…>

Good piece on Total Information Awareness:
<http://www.newyorker.com/talk/content/?…>

Even though there are thousands of hackable holes in computer systems, only a very few of them are actually exploited in bulk:
<http://www.wired.com/news/infostructure/…>

There’s a new version of the Bush Administration’s cyber-security plan. Incentives to tighten network security are reduced, more authority is given to the Department of Homeland Security, and they’re no longer going to consult regularly with privacy experts. It’d all worry me more if I thought this plan had any real effects.
<http://www.wired.com/news/conflict/0,2100,57109,00.html>

More DMCA abuse, this one about printer toner cartridges:
<http://news.com.com/2100-1023-979791.html>
Europe is banning this practice:
<http://www.geek.com/news/geeknews/2002Dec/…>
This has the makings of a trade war between the U.S. and the EU.

While we’re on the subject, the EFF has written an excellent article about the unintended consequences of the DMCA:
<http://www.eff.org/IP/DMCA/…>

The U.S. government is looking for input on sentencing guidelines for hackers:
<http://online.securityfocus.com/news/2028>

Another excellent essay by Tim Mullen on “strike back” (see also the various comments in the letter column, below). I disagree with some of this, but I am happy to see intelligent debate on this issue.
<http://online.securityfocus.com/columnists/134>

Counterpane News

The news that I couldn’t talk about for the past month and a half is that Counterpane has received another round of funding. We have another $20M, which is more than enough to fund the company until we reach break-even, and to allow us to expand our services. It’s a tough economic climate out there, and the fact that we got this much money from a list of impressive investors is a source of pride for me.

Meanwhile, Counterpane continues its quest for world domination in the Managed Security Monitoring space. The fourth quarter of 2002 was our best quarter ever, and the year was our best year ever. I’ll spare you the details; they’re in the press release if you want to read them.

And Counterpane has hired a new CFO and COO. Press releases announcing these changes will be out soon.

Funding press release:
<http://www.counterpane.com/pr-seriesd.html>

Fourth quarter press release:
<http://www.counterpane.com/pr-2002q4.html>

Security Notes from All Over: Cichlids

Midas cichlids have biparental care; both father and mother fish watch over the fry. Unfortunately for them, they still lose a lot of their young to predators. So to avoid losing too many of their own babies, they actually go out and kidnap the fry of other Midas cichlids, or even other species of fish. (In one case, while one pair of Midas cichlids was fighting another pair, the male of a third pair sneaked in and took about fifty fry back to his own territory.) Predators are just as happy to eat the adopted fry as the parents’ own young, so as long as the larger school of fry doesn’t attract more predators, more of the parents’ own young will survive.

The convict cichlid also practices adoption, but is fussier: it will only adopt fry that are smaller than its own. Predators will tend to attack the smaller adopted fry because they’re easier pickings.

[paraphrased from George W. Barlow, _The Cichlid Fishes: Nature’s Grand Experiment in Evolution_, p. 202-203]

The RMAC Authentication Mode

As part of the AES process, NIST has embarked on a program to standardize various modes of operation for the block cipher. Aside from the encryption modes we’re all used to from DES days, NIST is trying to standardize on authentication modes as well.

The first mode NIST has proposed is RMAC (Randomized Message Authentication Code). It has the advantage of having a security proof. In fact, if you use triple-DES as the underlying cipher in an RMAC construction (the RMAC mode can work with any block cipher), then the resulting construction is provably secure. But this is the very same construction that Lars Knudsen broke in a recent paper.

What’s going on here? On the one hand, RMAC is a provably secure mode. On the other hand, there’s a working attack against it. That’s not supposed to happen!

Let’s take things one at a time…

RMAC is secure in something called the ideal cipher model. As part of that model’s assumptions, the underlying block cipher needs to be secure against a variety of attacks, including related-key attacks. If a block cipher is susceptible to related-key attacks, then it would be inappropriate to model it as an ideal cipher and the RMAC security proof would not apply.

Now if triple-DES can be modeled by an ideal cipher, then triple-DES-RMAC ought to be secure. In fact, NIST’s RMAC standard includes triple-DES-RMAC is one of the two options. (AES-RMAC is the other.) However, it’s been shown that triple-DES is not secure against related-key attacks. Even worse, it is this related-key property that Knudsen uses to break triple-DES-RMAC. His attack requires 2^16 chosen messages and about 2^56 work, which makes it practical with today’s computing resources.

So now we can explain what happened. The proof of security for RMAC only works if you assume use of an ideal cipher. If you want to draw any conclusions about RMAC with a real block cipher like triple-DES or AES, you have to hope that your real block cipher behaves enough like an ideal cipher that the same proof still carries over. In the case of triple-DES, that hope turned out to be false. Triple-DES is not well modeled as an ideal cipher, because triple-DES is vulnerable to related-key attacks. And as Knudsen showed, if there are related-key attacks on your real block cipher, this not only renders the proof irrelevant and “invalidates the security warranty,” it can also lead to serious attacks on RMAC.

At this point, the most interesting question is whether AES-RMAC is secure. If you want to think that the proof of security for RMAC says anything about AES-RMAC, you have to hope that AES behaves like an ideal cipher. One necessary condition for the latter is that AES must be secure against related-key attacks.

AES is a new cipher, and the security of it against related-key attacks has not been well-studied. For the most part, cryptanalysts focus on the standard threat model (chosen plaintext/ciphertext attacks), and related-key attacks are only occasionally studied. What little we do know about the security of AES against related-key attacks suggests that AES has considerably less strength against related-key attacks than against normal attacks: the best related-key attack (found after only a few weeks of analysis) breaks nine rounds.

The lesson here is that the ideal cipher model is not as powerful a tool as some think it is, and a mode of operation that is secure in that model isn’t necessarily secure in practice. Cryptography theory is mature enough to base designs on, but there’s still no substitute for detailed cryptanalysis. RMAC should not become a NIST standard.

NIST RMAC Specification:
<http://csrc.nist.gov/publications/drafts/…>

NIST Modes of Operation page:
<http://csrc.nist.gov/encryption/modes>

Comments on RMAC:
<http://csrc.nist.gov/encryption/modes/comments/>
The analyses of David Wagner, Phil Rogaway, and Lars Knudsen are especially worth reading.

Related-key attacks against triple-DES:
<http://www.schneier.com/paper-key-schedule.html>

Related-key attacks against AES:
<http://www.schneier.com/paper-rijndael.html>

This article was written with the help of David Wagner.

Comments from Readers

From: “Jennifer S. Granick” <jennifer granick.com>
Subject: Counterattack

The noisemaking analogy is an interesting one because it relates to an argument we’re making in the Intel v. Hamidi case, where Intel got an injunction stopping Hamidi from sending e-mails to intel.com addresses. Intel argues that the e-mail servers are their private property, and they have the right to exclude people from use of their property, as they would from their buildings, or from use of their car. We argued that extending that kind of private property right to the networked world would mean that the Internet is not a public commons but a series of private fiefdoms, a model detrimental to socially beneficial uses. We suggested that the problem of spam and unwanted e-mail is best considered as a nuisance problem, exactly the way the law looks at things like too much noise coming from one property and washing over into the next. The properties share a common thing, air or “ether” as the case may be, and rather than the absolute right to exclude, the court should weigh the harm to and interests of each party in determining whether anyone has the right to stop Hamidi from sending the e-mail from his own property.

I like that you immediately went for the commons/nuisance model, rather than the strict private property model. It makes me feel that nuisance is intuitively right to those familiar with the Internet. Of course, if you were a lawyer arguing this point, you’d adopt the stricter property view and say that the strikeback targets have the absolute right not to be patched, etc. because that’s the stronger right.

In the nuisance context, since there’s a balance of rights and harms, the law really is your only recourse. Going over there and taking the stereo is not allowed. But there are concepts like self-defense and defense of others that permit the violation of others’ personal and property rights in certain narrow cases. It depends on what interest you’re protecting, person or property, and whether you’ve only counter-attacked to the extent necessary to protect that interest and no further.

From: “Tim Mullen” <Thor HammerofGod.com>
Subject: Counterattack

When it comes to the MPAA, I absolutely agree—but there are several key differences between what people like Berman are proposing and what I am doing… For one, there is already a framework of law and protocol for copyright holders to seek remedy. Copyright law is extensive, and has a long history of case law. The Berman bill will provide for a copyright holder to circumvent this existing framework in order to take immediate action against alleged acts of copyright infringement. More importantly, the spirit of the bill/action is much different. We seek to impede the propagation of global worms. Our actions against the attacking system are limited specifically to the scope of the attacking process—no other action is taken against the system or other processes. No harm is caused to the attacking system, or to the administrator/owner of the system (not purposefully, anyway.) The entire basis of the Berman bill is to allow the copyright holder to inflict willful and substantial “damage” against the alleged system and owner to the degree that they will stop the alleged activity. They *want* to hurt the end user—they want to cause enough trouble for the user that they will give up.

There is no framework in place to which to take guidance when it comes to protecting our property and equipment from constant attack. There needs to be. The other big difference is that the Berman bill proposes that the copyright holder can take action against people *who are committing a crime*. The alleged activity is against the law—here, when you set up a Win2k box on the net and it gets Nimda and attacks everyone non-stop, it is *not* a crime. There is nothing illegal about being stupid, or not knowing how to secure a system.

We have to look at this within the confines of stopping an attacking process—we can’t make it “personal” as if we are doing something against the people who own these boxes. And actually, the law supports this differentiation: If I personally set up a Win2k box at default, knowing that it will be compromised in 10 minutes and start attacking “close” boxes to me, I have not committed a crime. However, if I run a Perl script that executes the same exact GET requests against the exact same boxes, I have committed a felony.

If the tie between administrator and the actions of his equipment cannot support culpability for actions in tort (as in them being responsible for their computer getting Nimda), how can we support the same logic required to say that we are infringing upon the administrator’s rights when we neutralize the attack? Why are we pretending that the box has rights?

Even if we do take the stance that the box has some implicit right, we should treat it like we do a criminal—if a person’s actions show that they cannot operate in society without hurting other people or infringing upon their rights, we take their rights away, and keep them from doing so. The very infestation of a system by a worm shows that it is not configured in a state that it should be to participate in a global network—therefore, it loses some rights (that I don’t think it should have in the first place).

Homeowner-type analogies never really work; there is just too much one can say one way or the other to fit the desired outcome. Do I get to trespass on a neighbor’s property to disable the noisemaker? Probably not, but one might actually be able to under certain nuisance law. I could always say back that if my bike was stolen, and I saw it in your yard, I certainly do have the right to go onto your property and take it back—the law says I can. So where does it stop?

If you really wanted the analogy to be accurate to this issue, we would have to say that the house alarm not only caused noise of its own, but that it made other house alarms around it go off, which made other house alarms around them go off, etc, etc. Pretty soon, everyone has to shout just to be heard. None of this noise is against the law, so the police won’t help you. The manufacturer of the alarms says that it is the homeowner’s fault for not knowing how to install them and that it is not their problem. Further, all the criminals know that the homes with the alarms going off are completely wide open, so they use the alarm signal to hunt down homes to take over to use for some future illegal activity. The really bad thing is that when you try to talk to the neighbors about all the noise, they say “What noise? We don’t hear any noise. Go away.”

From: John Kelsey <kelsey.j ix.netcom.com>
Subject: Counterattack

Just a nitpick on your counterattack article: I don’t think justice depends on the government doing the punishment. (Think of a really corrupt government, where the punishment is always done to the person who paid the lowest bribe.) Having a neutral third party investigate the facts and decide what punishment or restitution should be made is a way to try to get justice in punishment or restitution, but it’s neither the only way to get it nor guaranteed to get it. And that neutral third party may or may not be the government.

A really obvious example of justice being done by non-governments is when a parent successfully determines which kid started the fight and assigns punishments appropriately.

It seems obvious that automated counterattacks are a bad idea in nearly all cases. Not only do you have a real hard time guaranteeing that your automated system correctly identified the attacker, you also have a hard time guaranteeing that the owner of the counterattacking system didn’t generate the evidence of the initial attack on his own to justify his counterattack. And you can easily imagine a “war” starting between two or three such systems. (Note that all of these are problems that appear in vigilante justice, as well—the lynch mob hangs the wrong guy, the lynch mob is started by a false accusation by the target’s enemies, or you lynch me, and then my friends and family lynch you.)

From: Paul Mantyla <pjm1212 yahoo.com>
Subject: Counterattack

In the December 15 Crypto-Gram, you state, “Our laws give us the right to justice…” This is too strong a statement and your statements that follow fail to correct the error. Only an omniscient being is able to determine what is just.

Our best approximation is a set of laws and civil rights. As Oliver Wendell Holmes famously remarked, “This is a court of law, young man, not a court of justice.” Is it just for a guilty man to go free, or for an innocent man to be convicted? The government is most dangerous when it ignores the law and the Constitution in pursuit of justice. For example, in apparent violation of the 5th amendment’s protection against double jeopardy, the doctrine known as “dual sovereign” allows the state and federal governments to prosecute a person for the same act (e.g. police officers in the Rodney King case).

See “An Ever-Expanding Double Jeopardy Loophole” in the Cato Institute’s Handbook for Congress: <http://www.cato.org/pubs/handbook/hb105-22.html>. As citizens of the United States, we have a right to many things, but a “right to justice” is not one of them.

From: Daniel Upper <upper peak.org>
Subject: Counterattack

Until the courts do sort out when counterattack is permissible, I’d like to suggest the necessity defense as a way of thinking about it. In general, a defendant is not guilty of violating a law if it was necessary to do so. The criteria for necessity vary somewhat, but they generally look about like this:

* The action was done to avert a threat of immediate, significant harm.

* The harm caused by the action was not disproportionate to the harm avoided.

* There is no reasonable legal alternative to the action.

* The actor reasonably believed that his/her action would prevent the significant harm.

* The defendant did not cause the threat of harm.

This test is fairly stringent and broadly applicable. Most specific emergency exceptions—e.g., self-defense, emergency medical care by non-doctors—can be looked at as special cases of it. I expect that any counterattack the courts eventually decide to allow will also meet these criteria.

Note also that there is nothing here about justice or punishment. It only sanctions preventing harm.

From: Michael Nygard <mtnygard charter.net>
Subject: Counterattack

There is a nuance to the counter-attack proposals that I wish you had discussed in your essay. The essential difference is between that of vengeance and self-defense. If you are the victim of a crime, then you have the right to defend yourself—during the commission of the crime.

Just as breaking and entering can escalate to robbery-homicide in a few chaotic seconds, we must recognize that an intrusion can escalate from minor to catastrophic in milliseconds. Though this point is still controversial among law-makers and law-enforcers, self-defense is widely viewed as the way to prevent a situation from escalating. Automated counter-attacks perform the same function; limiting the amount of damage done by the attacker, perhaps preventing the crime from escalating from petty vandalism to grand larceny.

It would be simplistic to say that the same act is self-defense during a crime, but vigilantism afterwards. Still, when law enforcement cannot possibly respond during the crime itself, a swift counter-attack may be the only protection available.

From: Brian Beesley <BJ.Beesley ulster.ac.uk>
Subject: Counterattack

There are a couple of points you might have missed:

(1) If it’s accepted that X can counterattack you on the grounds that X suspects (maybe even has hard evidence) that you are attacking X in some way, then why can’t you counter-counter-attack? The point here is that if X is the “big guy” and there are lots of people in my position, we (acting in concert) are more likely to be able to inflict serious damage on X than vice versa.

(2) The counterattack mechanism depends on us leaving our computers open to attack and/or engaging in unsafe conduct (e.g., running scripts downloaded from Web pages). This strategy may be fairly successful against casual users but will likely have no effect whatsoever on anyone who deliberately sets out to act “illegally.”

The “Berman bill” is fatally flawed—not because of its political content, but because it fails to address the problem. The proposed legislation is designed to “feel good” to its proposers rather than to be effective.

There simply is no need for further legislation, at any rate in most of the developed world. What is needed is the will for those who feel they are being robbed of their intellectual property to gather evidence which could be presented under existing legislation, rather than just moaning about their (dubious) loss of sales.

From: Mike Koptiw <mkoptiw att.net>
Subject: Counterattack

I agree that vigilantism is morally wrong, and I agree that the state is best situated to handle justice. But, from a legal argument point of view, I would make a distinction between strikeback to a DOS attack and strikeback to a copyright violation.

As always, it depends. In some cases, general, common law principles of tort actually privilege a victim’s action against a perpetrator. First, common law does not privilege the use of force to recover lost property. Our courts resolve these issues. The law handles this, and it does not stand for vigilantism.

However, common law does privilege the use of force in defense of property from forcible trespassers. The force one may use must be proportional to eject the trespasser, and once the trespasser has left the property, the victim may not pursue the trespasser with force.

So I think that there are common law, theoretical legal arguments for strike back in DOS and intrusive hacking cases when there is a virtual trespasser (be it a rogue DOS packet or a hacker’s presence), but it there is no legal leg to stand on when the attack is based solely on recovering a right to content on the person’s computer (like RIAA’s proposal).

From: Marko Asplund <aspa kronodoc.fi>
Subject: Counterattack

In addition to being an ethically and morally questionable idea, I fail to see how automated strike-back technology would save the Internet from global worm attacks. Strike-back could perhaps be successfully utilized against contemporary worms such as Nimda which decide to leave the door open as they come in but it is naive to think that the next generation worms will continue to do so.

The definition of clear responsibilities is challenging in case the strike-back fails. Even if the strike-back uses minimal force and extreme care is put into crafting the neutralizing code, it is always possible that something goes wrong and the target system fails in some way after the neutralization. What if the infected system controls life-support systems in a hospital? If human lives are lost because of the strike-back, who is responsible if the system fails to function after the strike-back? There’s always a small number of vendor software patches which have unexpected results in a small number of target systems. Why wouldn’t there be any with strike-back systems?

Mullen draws parallels between self-defense and strike-back, but one difference is that a software system on the Internet doesn’t have as much intelligence or information on the attack context or the attacker as a human being under attack would have. Using your noisy neighbor analogy, one could say strike-back is like trying to shut the noisy device down using a shotgun…and aiming with a blindfold on.

From: Rick Bressler <bressler the-bresslers.com>
Subject: Counterattack

After reading this article and reflecting for a bit, I am wondering if we’re not seeing the beginnings of a “self defense” doctrine on the Internet, although at this point much of the legislation is clearly misplaced and inappropriate, as is often the case when our lawmakers try to adapt to new situations.

I think it bears pointing out that your comparisons to crime in the physical world leave out the concept of self-defense completely. (Is this intentional?) In the real world there is a big difference between self-defense, a preemptive strike, and vigilantism. All of these have large bodies of case law around them.

Clearly a preemptive strike is illegal. (Unless you’re a government of course. :-)) You can’t attack somebody just because you think they *may* attack you at some future date.

Vigilantism is taking the attack back to your aggressor after the fact, or seeking justice on your own. Clearly this can’t be allowed in civilized society, nor is it condoned by any legal system I’m aware of, although at various times and places it has been overlooked.

Self-defense is a response to the immediate threat of death or grave bodily injury. Does such a doctrine have a place in the cyber world? In your example of somebody actively attacking a machine or better yet a critical infrastructure server, and the victim responding by shutting them down, we have a situation that to some extent parallels the act of self defense in the real world, at least to the extent that you are responding to an immediate and possibly serious threat. Perhaps one at least temporarily ‘lethal’ to the Internet.

Note that in the non-cyber world we typically reserve this right only for the most severe crime, the threat of taking an innocent life or, in rare cases, property. Is there a case where this might be extended to an “innocent server”? Perhaps one protecting your home network? Credit card data? Bank account? A small number of servers that the whole Internet depends on?

From: Nicholas Weaver <nweaver CS.berkeley.edu>
Subject: ONE case where vigilantism worked…

There actually is one case where vigilantism worked: the das-bistro anti-code-red-II default.ida script.

This script, when installed on a Web server, would respond to a Code Red II probe with a counterattack which disabled the Web server using the Code Red II installed backdoor and restarted the machine, clearing the Code Red II infection (memory resident) and preventing reinfection and machine abuse.

Considering that all those machines were broadcasting that they are trivially vulnerable, removing them from the net is probably necessary, especially since there ARE no police to call: there is no standard way to say “this machine is compromised” and get the ISP to do anything about it.

Someone malicious could have just as easily tweaked and released CRclean (a passive, sourcecode only “antiworm” published on BugTraq) with a malicious payload to co-opt all those machines. Thus, having a small/medium number of anti-code-red-II Web pages was probably of benefit.

Of course, it only worked because of CRII’s authors silliness and/or strategic stupidity (don’t make control channels that can be used by anyone unauthorized, and close the hole you came in on).

From: “John.Deters” <John.Deters target.com>
Subject: Counterattack

In your article, you claim that vigilantism is wrong, an idea that “society after society has eschewed.”

You don’t seem to take into account that the Internet is a brand-new *kind* of society. For the first time in history, we have a society that is not tied to geography. All legal systems were and are still tied to geopolitical boundaries. But IP packets don’t apply for visas before crossing those boundaries. The wires and fibers carry goods, services, and mischief equally, and without prejudice. So commerce occurs, regulated and taxed only by people naive enough to volunteer to their local governments that they deserve to be regulated or taxed for their online activities. And mischief occurs too; but the mischief makers do not usually feel such compulsions to report their activities.

Also, the definition of mischief varies depending on where you stand. The RIAA believes that mischief happens when a song is downloaded. I believe that it happens when I get spam or some lame e-mail virus. You believe it happens when your clients get DDOS attacked.

There is no global government regulating this Internet society. A patchwork of geographically bound law enforcement agencies hunting down mischief makers is about all we have right now. Sometimes they stop at their boundaries, sometimes they call their cohorts on the other side of the boundary to make an arrest on their behalf. Most of the time they do nothing.

So in a basically lawless society, one that has not yet formed a cohesive government, one that allows a mischief maker to hide between governments, what would you have people doing when nobody can provide justice? Should they do nothing? Call the FBI? Call for a Global Internet Government?

Vigilantes are not simply “taking the law into their own hands,” because usually there is no law that can be applied. So if a hacker goes after a spammer’s computer, I’ll cheer. If the RIAA goes after a Napster user’s computer, I don’t really care. I’ll defend myself on the Internet, thank you very much. But the one thing I am SURE I don’t want to see is a global regulatory agency deciding whether or not they “approve” of the packets I’m sending. Because I have no doubt that whatever I send or receive, be it music, pictures, or subversive e-mail to some crypto newsletter, some group will be offended and call for my arrest.

From: “Tousley, Scott W.” <Scott.Tousley anser.org>
Subject: Department of Homeland Security

In the December 2002 Crypto-Gram, your comments on the Department of Homeland Security included: “Security has two universal truisms relevant to this discussion. One, security decisions need to be made as close to the problem as possible… Two, security analysis needs to happen as far away from the sources as possible.”

I do not agree fully with the second truism, because security analysis of rare events must be both centralized and decentralized. Security analysis is increasingly a distributed challenge that will continue to involve a judicious mixture of systems and people, and this analysis challenge requires a substantial amount of context that only comes with proximity. We must somehow enable effective analysis from the national and international analysts all the way down to the ground-level security guard and first-line supervisor. Cops and guards and first-responders can fight terrorism effectively only if they themselves are lightly steeped in and contribute to the larger analysis context. The strength, flexibility and evolution of networks can support much of this need, if these still-embryonic networks are not squashed by bureaucratic interests of a national Homeland Security Department and various state and municipal counterparts fighting to feed at the trough. I do worry that our reorganization will make security more brittle when we coordinate too heavily in the name of political, bureaucratic, and budgetary efficiency.

From: The Wengers <wenger bigfoot.com>
Subject: Department of Homeland Security

I agree with your assessment that analyzing intelligence should not be solely entrusted to the new Dept. of Homeland Security. But I see some very disturbing signs that the balance has been tipped too far the other way in order to protect the turf of our existing intelligence agencies.

The tension is to create enough overlapping jurisdiction so that things don’t fall through the cracks, but not so much as to create unnecessary redundancy and wasteful turf battles. Therefore, I was disturbed to read a recent Washington Post article called “Homeland Security Won’t Have Diet of Raw Intelligence Rules Being Drafted to Preclude Interagency Conflict” (by Dan Eggen and John Mintz, Dec. 6, 2002; page A43). The article notes that “[f]or now, the intelligence agencies have persuaded the White House that information provided to the Homeland Security Department should be in the form of summary reports. Those summaries generally will not include raw intelligence or details on where or how the information was gathered, in order to protect sources and methods.”

It may not make sense to strip the existing intelligence agencies of their intelligence gathering and analysis roles for the reasons you gave. However, if this Homeland Security Agency is to serve any vital role, it should be as a coordinator of threat analysis and response. And I don’t believe it can do that job in a meaningful way if it is required to rely solely on second-hand data. As you aptly wrote “[a]ll these [intelligence] organizations have to communicate with each other, and that’s the primary value of a Department of Homeland Security. One organization needs to be a single point for coordination and analysis of terrorist threats and responses. One organization needs to see the big picture, and make decisions and set policies based on it.” But how can the Homeland Security Director see the big picture and make fully informed decisions if his/her staff cannot review the data upon which the conclusions they are being fed are based? This effort by the CIA, NSA and FBI to keep Homeland Security’s snout out of the intelligence data trough cannot be a good sign.

The Washington Post article goes on to note that “Administration officials already are considering, for example, whether to include homeland security representatives as members of the 56 regional Joint Terrorism Task Forces, which oversee local terror investigations.” How could this be an item for debate? If you look at the FBI’s description of the JTTF program, it involves representatives of scads of federal agencies along with state and even local agencies. “There are currently 36 JTTFs in operation, which reflects an increase of 25 task forces since 1996, to which more than 620 FBI special agents are assigned, and approximately 584 full-time and part-time officers from other federal, state, and local agencies are assigned. Full-time federal participants in the JTTF program include the Immigration and Naturalization Service; U.S. Secret Service; Naval Criminal Investigative Service; U.S. Marshals Service; U.S. Customs Service; Bureau of Alcohol, Tobacco, and Firearms; U.S. Border Patrol; U.S. Department of State/Diplomatic Security Service; Postal Inspection Service; Internal Revenue Service; Department of Interior’s Bureau of Land Management; Air Force Office of Special Investigations; U.S. Park Police; Federal Protective Service; Treasury Inspector General for Tax Administration; and the Defense Criminal Investigative Service.” (Nov. 13, 2001, Statement for the Record of Assistant Director Kathleen McChesney Training Division, FBI on Communication with the Law Enforcement Community Before the United States House of Representatives Committee on Government Reform Washington, D.C. <http://www.fbi.gov/congress/congress01/…

Let me get this straight, the Park Police and the Bureau of Land Management are represented in the Joint Terrorism Task Forces but the Department of Homeland Security is not? How can this be a good sign?

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography. Back issues are available on <http://www.schneier.com/crypto-gram.html>.

To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of “Secrets and Lies” and “Applied Cryptography,” and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is the world leader in Managed Security Monitoring. Counterpane’s expert security analysts protect networks for Fortune 1000 companies world-wide.

Sidebar photo of Bruce Schneier by Joe MacInnis.