Category Archives: information security

Cyberdeterrence Papers

Posted on by

This just came past my inbox:

The National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. government.

To stimulate work in this area, the NRC is offering one or more monetary prizes for excellent contributed papers that address one or more of the questions of interest found in its call for papers, which can be found at
http://sites.nationalacademies.org/CSTB/CSTB_056215

Abstracts of less than 500 words are due April 1, 2010. First drafts are due May 21, 2010, final drafts July 9, 2010. For more information, see the call for papers.

The broad themes of interest include

  1. Theoretical Models for Cyberdeterrence
  2. Cyberdeterrence and Declaratory Policy
  3. Operational Considerations in Cyberdeterrence
  4. Regimes of Reciprocal/Consensual Limitations Regarding Cyberattack
  5. Cyberdeterrence in a Larger Context
  6. The Dynamics of Action/Reaction in Cyber Conflict
  7. Escalation Dynamics of Cyber Conflict

Readers with questions can contact Herb Lin, 202-334-3191, hlin at nas … edu

Me, I’m glad to see the administration moving towards more contests and open solicitations as a way of tapping into different ideas from a broader set of contributors.

I saw something that an abstract is not required to submit a fill paper, but would encourage checking in on the rules for yourself.

Logging practices

Posted on by

Via a tweet from @WeldPond, I was led to a Daily Mail article which discusses allegations that Facebook founder Mark Zuckerberg “hacked into the accounts of [Harvard] Crimson staff”. Now, I have no idea what happened or didn’t, and I will never have a FB account thanks to my concerns about their approach to privacy, but I was curious about the form of this alleged hacking.

My curiosity was rewarded:

“he allegedly examined a report of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com.

In the instances where they had, Business Insider claimed that Zuckerberg said he tried using those incorrect passwords to access the Crimson members’ Harvard email accounts.”

dailymail.co.uk, 2010-03-06

So, it looks like the allegation is that actual passwords entered for failed logins were routinely logged.

Yuck.

We Take Your Privacy Seriously

Posted on by

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login.

experian-direct.jpg
Boy, am I glad to know they take my privacy seriously, because otherwise, their failure to fill out fields in their certificate might really worry me.

I mean, I’m not annoyed that BNY Mellon treated my information negligently. Oh, no. I expect that. I am a little annoyed that having done so, they offered me a year of “monitoring” rather than prevention. I’m annoyed that it’s a year, when there’s no evidence that risk of harm falls after a year. And I’m annoyed that the company offering monitoring doesn’t bother to get the little things right.

[Update: This may be a broader issue of all non-EV certs being treated like this. I admit, I rarely check because I rarely care. But when I do care, I reasonably expect it to be done right.]

Security is About Outcomes, FISMA edition

Posted on by

Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write:

the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ information and network security postures, possible vulnerabilities and the ability to better protect our federal systems.
(“Moving Beyond Compliance: The Status Quo Is No Longer Acceptable”)

I’m tremendously excited to see this because back in April I wrote “Security is about outcomes, not about process.” I don’t know that I can claim credit for this, but it’s nice to see how far the meme has gone.

Rebuilding the internet?

Posted on by

Once apon a time, I was uunet!harvard!bwnmr4!adam. Oh, harvard was probably enough, it was a pretty well known host in the uucp network which carried our email before snmp. I was also harvard!bwnmr4!postmaster which meant that at the end of an era, I moved the lab from copied hosts files to dns, when I became adam@bwnmr4.harvard…wow, there’s still cname for that host. But I digress.


Really, I wanted to talk about a report, passed on by Steven Johnson and Gunnar Peterson, that Vint Cerf said that if he were re-designing the internet, he’d add more authentication.

And really, while I respect Vint a tremendous amount, I’m forced to wonder: Whatchyou talkin’ about Vint?


I hate going off based on a report on Twitter, but I don’t know what the heck a guy that smart could have meant. I mean, he knows that back in the day, people like me could and did give internet accounts to (1) anyone our boss said to and (2) anyone else who wanted them some of this internet stuff and wouldn’t get us in too much trouble. (Hi S! Hi C!) So when he says “more authentication” does that mean inserting “uunet!harvard!bwnmr4!adam” in an IP header? Ensuring your fingerd was patched after Mr. Morris played his little stunt?


But more to the point, authentication is a cost. Setting up and managing authentication information isn’t easy, and even if it were, it certainly isn’t free. Even more expensive than managing the authentication information would be figuring out how to do it. The packet interconnect paper (“A Protocol for Packet Network Intercommunication,” Vint Cerf and Robert Kahn) was published in 1974, and says “These associations need not involve the transmission of data prior to their formation and indeed two associates need not be able to determine that they are associates until they attempt to communicate.” That was before DES (1975), before Diffie-Hellman (1976), Needham-Schroeder (1978) or RSA. I can’t see how to maintain that principle with the technology available at the time.

When setting up a new technology, low cost of entry was a competitive advantage. Doing authentication well is tremendously expensive. I might go so far as to argue that we don’t know how fantastically expensive it is, because we so rarely do it well.

Not getting hung up in easy problems like prioritization or hard ones like authentication, but simply moving packets was what made the internet work. Allowing new associations to be formed, ad-hoc, made for cheap interconnections.

So I remain confused by what he could have meant.

[Update: Vint was kind enough to respond in the comments that he meant the internet of today.]

Moore’s Law is a Factor in This

Posted on by

I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I had a fun little stroll down memory lane reading about average machines not having more than 16MB of ram, and how they borrowed a server with 2, later 3 900 MB disks. 129 decimal digits fits in 430 bits. The RSA-129 paper concludes:

We conclude that commonly-used 512-bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars
and to wait a few months.

Fast-forwarding to this week, David Molnar mentions that “We’re living in the future now:”

The 512-bit RSA key used for signing applications and firmware updates for the TI-83 has been factored. By some person working on his or her own. With one computer.

David links to “Calculator hackers crack OS signing key, opening a closed platform,” and following links, we get to “fun number theory facts:

Gentlemen,

A mathematical morsel for your entertainment and edification.

The number
6,857,599,914,349,403,977,654,744,967,
172,758,179,904,114,264,612,947,326,
127,169,976,133,296,980,951,450,542,
789,808,884,504,301,075,550,786,464,
802,304,019,795,402,754,670,660,318,
614,966,266,413,770,127


is the product of
5,174,413,344,875,007,990,519,123,187,
618,500,139,954,995,264,909,695,897,
020,209,972,309,881,454,541


and
1,325,290,319,363,741,258,636,842,042,
448,323,483,211,759,628,292,406,959,
481,461,131,759,210,884,908,747.

What should the new czar do? (Tanji’s Security Survey)

Posted on by

Over at Haft of the Spear, Michael Tanji asks:

You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will?

I think it’s a fascinating question, and posted my answer over at the New School blog.