Page 7 of 7
This seems like a really bad idea:
Government has the right—even the responsibility—to see that its laws and regulations are enforced. The Internet is no exception. When the Internet is being used on American soil, it should comply with American law. And if it doesn’t, then the government should be able to step in and filter the illegal sites and activities.
Thirteen Pennsylvania high-school kids—Kutztown 13—are being charged with felonies:
They’re being called the Kutztown 13—a group of high schoolers charged with felonies for bypassing security with school-issued laptops, downloading forbidden internet goodies and using monitoring software to spy on district administrators.
The students, their families and outraged supporters say authorities are overreacting, punishing the kids not for any heinous behavior—no malicious acts are alleged—but rather because they outsmarted the district’s technology workers….
The trouble began last fall after the district issued some 600 Apple iBook laptops to every student at the high school about 50 miles northwest of Philadelphia. The computers were loaded with a filtering program that limited Internet access. They also had software that let administrators see what students were viewing on their screens.
But those barriers proved easily surmountable: The administrative password that allowed students to reconfigure computers and obtain unrestricted Internet access was easy to obtain. A shortened version of the school’s street address, the password was taped to the backs of the computers.
The password got passed around and students began downloading such forbidden programs as the popular iChat instant-messaging tool.
At least one student viewed pornography. Some students also turned off the remote monitoring function and turned the tables on their elders_ using it to view administrators’ own computer screens.
There’s more to the story, though. Here’s some good commentary on the issue:
What the parents don’t mention—but the school did in a press release—is that it wasn’t as if the school came down with the Hammer of God out of nowhere.
These kids were caught and punished for doing this stuff, and their parents informed.
Over and over.
Quoth the release:
“Unfortunately, after repeated warnings and disciplinary actions, a few students continued to misuse the school-issued laptops to varying degrees. The disciplinary actions included detentions, in-school suspensions, loss of Internet access, and loss of computer privileges. After each disciplinary action, parents received either written notification or telephone calls.”
What was the parents’ reaction those disciplinary actions? Some of them complained that—despite signing a document agreeing to the acceptable use policy—the kids should be able to do whatever they wanted to with the free machines.
“We signed it, but we didn’t mean it”?
Yes, the kids should be punished. No, a felony comviction is not the way to punish them.
The problem is that the punishment doesn’t fit the crime. Breaking the rules is what kids do. Society needs to deal with that, yes, but it needs to deal with that in a way that doesn’t ruin lives. Deterrence is critical if we are to ever have a lawful society on the internet, but deterrence has to come from rational prosecution. This simply isn’t rational.
EDITED TO ADD (2 Sep): It seems that charges have been dropped.
I’ve written about full disclosure, and how disclosing security vulnerabilities is our best mechanism for improving security—especially in a free-market system. (That essay is also worth reading for a general discussion of the security trade-offs.) I’ve also written about how security companies treat vulnerabilities as public-relations problems first and technical problems second. This week at BlackHat, security researcher Michael Lynn and Cisco demonstrated both points.
Lynn was going to present security flaws in Cisco’s IOS, and Cisco went to inordinate lengths to make sure that information never got into the hands of the their consumers, the press, or the public.
Cisco threatened legal action to stop the conference’s organizers from allowing a 24-year-old researcher for a rival tech firm to discuss how he says hackers could seize control of Cisco’s Internet routers, which dominate the market. Cisco also instructed workers to tear 20 pages outlining the presentation from the conference program and ordered 2,000 CDs containing the presentation destroyed.
In the end, the researcher, Michael Lynn, went ahead with a presentation, describing flaws in Cisco’s software that he said could allow hackers to take over corporate and government networks and the Internet, intercepting and misdirecting data communications. Mr. Lynn, wearing a white hat emblazoned with the word “Good,” spoke after quitting his job at Internet Security Systems Inc. Wednesday. Mr. Lynn said he resigned because ISS executives had insisted he strike key portions of his presentation.
Not being able to censor the information, Cisco decided to act as if it were no big deal:
In a release shortly after the presentation, Cisco stated, “It is important to note that the information Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Lynn’s research explores possible ways to expand exploitations of known security vulnerabilities impacting routers.” And went on to state “Cisco believes that the information Lynn presented at the Blackhat conference today contained proprietary information and was illegally obtained.” The statement also refers to the fact that Lynn stated in his presentation that he used a popular file decompressor to ‘unzip’ the Cisco image before reverse engineering it and finding the flaw, which is against Cisco’s use agreement.
The Cisco propaganda machine is certainly working overtime this week.
The security implications of this are enormous. If companies have the power to censor information about their products they don’t like, then we as consumers have less information with which to make intelligent buying decisions. If companies have the power to squelch vulnerability information about their products, then there’s no incentive for them to improve security. (I’ve written about this in connection to physical keys and locks.) If free speech is subordinate to corporate demands, then we are all much less safe.
Full disclosure is good for society. But because it helps the bad guys as well as the good guys (see my essay on secrecy and security for more discussion of the balance), many of us have championed “responsible disclosure” guidelines that give vendors a head start in fixing vulnerabilities before they’re announced.
The problem is that not all researchers follow these guidelines. And laws limiting free speech do more harm to society than good. (In any case, laws won’t completely fix the problem; we can’t get laws passed in every possible country security researchers live.) So the only reasonable course of action for a company is to work with researchers who alert them to vulnerabilities, but also assume that vulnerability information will sometimes be released without prior warning.
I can’t imagine the discussions inside Cisco that led them to act like thugs. I can’t figure out why they decided to attack Michael Lynn, BlackHat, and ISS rather than turn the situation into a public-relations success. I can’t believe that they thought they could have censored the information by their actions, or even that it was a good idea.
Cisco’s customers want information. They don’t expect perfection, but they want to know the extent of problems and what Cisco is doing about them. They don’t want to know that Cisco tries to stifle the truth:
Joseph Klein, senior security analyst at the aerospace electronic systems division for Honeywell Technology Solutions, said he helped arrange a meeting between government IT professionals and Lynn after the talk. Klein said he was furious that Cisco had been unwilling to disclose the buffer-overflow vulnerability in unpatched routers. “I can see a class-action lawsuit against Cisco coming out of this,” Klein said.
ISS didn’t come out of this looking very good, either:
“A few years ago it was rumored that ISS would hold back on certain things because (they’re in the business of) providing solutions,” [Ali-Reza] Anghaie, [a senior security engineer with an aerospace firm, who was in the audience,] said. “But now you’ve got full public confirmation that they’ll submit to the will of a Cisco or Microsoft, and that’s not fair to their customers…. If they’re willing to back down and leave an employee … out to hang, well what are they going to do for customers?”
Despite their thuggish behavior, this has been a public-relations disaster for Cisco. Now it doesn’t matter what they say—we won’t believe them. We know that the public-relations department handles their security vulnerabilities, and not the engineering department. We know that they think squelching information and muzzling researchers is more important than informing the public. They could have shown that they put their customers first, but instead they demonstrated that short-sighted corporate interests are more important than being a responsible corporate citizen.
And these are the people building the hardware that runs much of our infrastructure? Somehow, I don’t feel very secure right now.
EDITED TO ADD: I am impressed with Lynn’s personal integrity in this matter:
When Mr. Lynn took the stage yesterday, he was introduced as speaking on a different topic, eliciting boos. But those turned to cheers when he asked, “Who wants to hear about Cisco?” As he got started, Mr. Lynn said, “What I just did means I’m about to get sued by Cisco and ISS. Not to put too fine a point on it, but bring it on.”
And this:
Lynn closed his talk by directing the audience to his resume and asking if anyone could give him a job.
“In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess,” Lynn said. “They had to do what’s right for their shareholders; I understand that. But I figured I needed to do what’s right for the country and for the national critical infrastructure.”
There’s a lawsuit against him. I’ll let you know if there’s a legal defense fund.
EDITED TO ADD: The lawsuit has been settled. Some details:
Michael Lynn, a former ISS researcher, and the Black Hat organisers agreed to a permanent injunction barring them from further discussing the presentation Lynn gave on Wednesday. The presentation showed how attackers could take over Cisco routers, a problem that Lynn said could bring the Internet to its knees.
The injunction also requires Lynn to return any materials and disassembled code related to Cisco, according to a copy of the injunction, which was filed in US District Court for the District of Northern California. The injunction was agreed on by attorneys for Lynn, Black Hat, ISS and Cisco.
Lynn is also forbidden to make any further presentations at the Black Hat event, which ended on Thursday, or the following Defcon event. Additionally, Lynn and Black Hat have agreed never to disseminate a video made of Lynn’s presentation and to deliver to Cisco any video recording made of Lynn.
My hope is that Cisco realized that continuing with this would be a public-relations disaster.
EDITED TO ADD: Lynn’s BlackHat presentation is on line.
EDITED TO ADD: The FBI is getting involved.
EDITED TO ADD: The link to the presentation, above, has been replaced with a cease-and-desist letter. A copy of the presentation is now here.
In the New York Times (read it here without registering), columnist John Tierney argues that the media is performing a public disservice by writing about all the suicide bombings in Iraq. This only serves to scare people, he claims, and serves the terrorists’ ends.
Some liberal bloggers have jumped on this op-ed as furthering the administration’s attempts to hide the horrors of the Iraqi war from the American people, but I think the argument is more subtle than that. Before you can figure out why Tierney is wrong, you need to understand that he has a point.
Terrorism is a crime against the mind. The real target of a terrorist is morale, and press coverage helps him achieve his goal. I wrote in Beyond Fear (pages 242-3):
Morale is the most significant terrorist target. By refusing to be scared, by refusing to overreact, and by refusing to publicize terrorist attacks endlessly in the media, we limit the effectiveness of terrorist attacks. Through the long spate of IRA bombings in England and Northern Ireland in the 1970s and 1980s, the press understood that the terrorists wanted the British government to overreact, and praised their restraint. The U.S. press demonstrated no such understanding in the months after 9/11 and made it easier for the U.S. government to overreact.
Consider this thought experiment. If the press did not report the 9/11 attacks, if most people in the U.S. didn’t know about them, then the attacks wouldn’t have been such a defining moment in our national politics. If we lived 100 years ago, and people only read newspaper articles and saw still photographs of the attacks, then people wouldn’t have had such an emotional reaction. If we lived 200 years ago and all we had to go on was the written word and oral accounts, the emotional reaction would be even less. Modern news coverage amplifies the terrorists’ actions by endlessly replaying them, with real video and sound, burning them into the psyche of every viewer.
Just as the media’s attention to 9/11 scared people into accepting government overreactions like the PATRIOT Act, the media’s attention to the suicide bombings in Iraq are convincing people that Iraq is more dangerous than it is.
Tiernan writes:
I’m not advocating official censorship, but there’s no reason the news media can’t reconsider their own fondness for covering suicide bombings. A little restraint would give the public a more realistic view of the world’s dangers.
Just as New Yorkers came to be guided by crime statistics instead of the mayhem on the evening news, people might begin to believe the statistics showing that their odds of being killed by a terrorist are minuscule in Iraq or anywhere else.
I pretty much said the same thing, albeit more generally, in Beyond Fear (page 29):
Modern mass media, specifically movies and TV news, has degraded our sense of natural risk. We learn about risks, or we think we are learning, not by directly experiencing the world around us and by seeing what happens to others, but increasingly by getting our view of things through the distorted lens of the media. Our experience is distilled for us, and it’s a skewed sample that plays havoc with our perceptions. Kids try stunts they’ve seen performed by professional stuntmen on TV, never recognizing the precautions the pros take. The five o’clock news doesn’t truly reflect the world we live in—only a very few small and special parts of it.
Slices of life with immediate visual impact get magnified; those with no visual component, or that can’t be immediately and viscerally comprehended, get downplayed. Rarities and anomalies, like terrorism, are endlessly discussed and debated, while common risks like heart disease, lung cancer, diabetes, and suicide are minimized.
The global reach of today’s news further exacerbates this problem. If a child is kidnapped in Salt Lake City during the summer, mothers all over the country suddenly worry about the risk to their children. If there are a few shark attacks in Florida—and a graphic movie—suddenly every swimmer is worried. (More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.)
One of the things I routinely tell people is that if it’s in the news, don’t worry about it. By definition, “news” means that it hardly ever happens. If a risk is in the news, then it’s probably not worth worrying about. When something is no longer reported—automobile deaths, domestic violence—when it’s so common that it’s not news, then you should start worrying.
Tierney is arguing his position as someone who thinks that the Bush administration is doing a good job fighting terrorism, and that the media’s reporting of suicide bombings in Iraq are sapping Americans’ will to fight. I am looking at the same issue from the other side, as someone who thinks the media’s reporting of terrorist attacks and threats has increased public support for the Bush administration’s draconian counterterrorism laws and dangerous and damaging foreign and domestic policies. If the media didn’t report all of the administrations’s alerts and warnings and arrests, we would have a much more sensible counterterrorism policy in America and we would all be much safer.
So why is the argument wrong? It’s wrong because the danger of not reporting terrorist attacks is greater than the risk of continuing to report them. Freedom of the press is a security measure. The only tool we have to keep government honest is public disclosure. Once we start hiding pieces of reality from the public—either through legal censorship or self-imposed “restraint”—we end up with a government that acts based on secrets. We end up with some sort of system that decides what the public should or should not know.
Here’s one example. Last year I argued that the constant stream of terrorist alerts were a mechanism to keep Americans scared. This week, the media reported that the Bush administration repeatedly raised the terror threat level on flimsy evidence, against the recommendation of former DHS secretary Tom Ridge. If the media follows this story, we will learn—too late for the 2004 election, but not too late for the future—more about the Bush administration’s terrorist propaganda machine.
Freedom of the press—the unfettered publishing of all the bad news—isn’t without dangers. But anything else is even more dangerous. That’s why Tierney is wrong.
And honestly, if anyone thinks they can get an accurate picture of anyplace on the planet by reading news reports, they’re sadly mistaken.
For many Americans, the end of the year is charitable contribution time. (The reasons are tax-related.) While there is no shortage of worthy causes around the world, I would like to suggest contributing at least something to EPIC.
Since its founding ten years ago, EPIC has worked to protect privacy, freedom of expression, and democratic values, and to promote the Public Voice in decisions concerning the future of the Internet. They maintain one of the most extensive websites on privacy and free speech issues on the Internet. They litigate Freedom of Information Act, First Amendment, and privacy cases. They publish books on open government and privacy. They train law school students about the Internet and the public interest. They testify frequently before Congress about emerging civil liberties issues. They provide an extensive listing of privacy resources as well as a guide to practical privacy tools.
Remember when it became public that JetBlue (and other airlines) provided passenger information to the U.S. government in violation of their own privacy policies? Or when it was revealed that the CAPPS-II airline passenger profiling system would be used for other, non-terrorism, purposes? EPIC’s FOIA work uncovered those stories.
December 15th is the 213th anniversary of the signing of the Bill of Rights. Read through it again today, and notice how the different laws protect the security of Americans. I’m proud to be a member of EPIC’s Advisory Board. They do good work, and we’re all a lot more secure because of it.
EPIC’s website
For many Americans, the end of the year is charitable contribution time. (The reasons are tax-related.) While there is no shortage of worthy causes around the world, I would like to suggest contributing at least something to EPIC.
Since its founding ten years ago, EPIC has worked to protect privacy, freedom of expression, and democratic values, and to promote the Public Voice in decisions concerning the future of the Internet. They maintain one of the most extensive websites on privacy and free speech issues on the Internet. They litigate Freedom of Information Act, First Amendment, and privacy cases. They publish books on open government and privacy. They train law school students about the Internet and the public interest. They testify frequently before Congress about emerging civil liberties issues. They provide an extensive listing of privacy resources as well as a guide to practical privacy tools.
Remember when it became public that JetBlue (and other airlines) provided passenger information to the U.S. government in violation of their own privacy policies? Or when it was revealed that the CAPPS-II airline passenger profiling system would be used for other, non-terrorism, purposes? EPIC’s FOIA work uncovered those stories.
December 15th is the 213th anniversary of the signing of the Bill of Rights. Read through it again today, and notice how the different laws protect the security of Americans. I’m proud to be a member of EPIC’s Advisory Board. They do good work, and we’re all a lot more secure because of it.
EPIC’s website
Sidebar photo of Bruce Schneier by Joe MacInnis.