So you have all the patches from Microsoft applied automatically, Firefox updates itself as well as its extensions... But do you still have vulnerable, outdated software? Last weekend I decided to try the Secunia Personal Software Inspector, which is free for personal use, on my home gaming computer. The Secunia PSI helps find software that falls through the cracks of the auto-update capabilities. I was pleasantly surprised. It has a polished normal interface as well as an informative advanced interface. It ran quickly and found obsolete versions of Adobe Flash installed concurrently with newer ones, and pointed out that Firefox wasn't quite up-to-date as the latest patch hadn't been applied.

When I made the Cassandra system years ago, I was also dreaming of something like this. It is limited to finding vulnerable software by version, not configuration, and giving links to fixes; so it doesn't help hardening a system to the point that some computer security benchmarks can. However, those security benchmarks can decrease the convenience of using a computer, so they require judgment. It can also be time consuming and moderately complex to figure out what you need to do to improve the benchmark results. By contrast, the SPI is so easy to install and use that it should be considered by anyone capable of installing software updates, or anyone managing a family member's computer. The advanced interface also pointed out that there were still issues with Internet Explorer and with Firefox for which no fixes were available. I may use Opera instead until these issues get fixed. It is unfortunate that it runs only on Windows, though.

The Secunia Personal Software Inspector is not endorsed by Purdue University CERIAS; the above are my personal opinions. I do not own any shares or interests in Secunia.
Edit: fixed the link, thanks Brett!

Cyber Leap Year Summit

I've heard from many, many people who read my blog post about this. So far, everyone who attended and was not involved with the planning of the Summit has basically agreed with my comments.

Here is an interesting post by Russ Thomas that explores the NCLY in depth from a different point of view.

Cybersecurity Legislation

There has been considerable press coverage and discussion on the intertubes about the provision in S. 773 (see my earlier post) that would allow the President to shut down critical infrastructure networks in the event of a national emergency. The people worried about the black helicopters are sure this, coupled with attempts to pass health care, are a sure sign of the Apocalypse -- or the approach of the end of the world in 2012, whichever comes first. Far less attention has been paid to other troubling aspects of the bill, such as the troubling requirement for professional certification of cyber security personnel.

According to some of the experts I have talked with, the President already has this general authority from other legislation. This simply makes it explicit. Furthermore, if we're in a declared national emergency wouldn't a centralized, coordinated response make sense? If not centered at the White House, then where else?

The bill is still in revision, although a draft of an amended version has been circulated to some groups for comment. I have been told that it is unlikely to move forward until after health care reform has been resuscitated or pronounced dead, and after the annual Federal budget appropriations process is finished. So, there may be additional issues betwixt now and then.

9/11 Comments

I wrote something in my personal blog about my 9/11 memories. It isn't really related to cyber security or Purdue, but some of my comments might be interesting to some people.

Other blog

In addition to my personal blog cited above, I also maintain a Tumbler blog with pointers to recent news items that relate to security, privacy and cyber law. It is available as <http://blog.spaf.us> (my part of the overall CERIAS blog (here) can be accessed as <http://cblog.spaf.us>). I generally post links there every day.

A Snapshot

I spent several days this week in DC, visiting officials and agencies related to cyber security. I get the sense that there is little expectation of more funding or attention in the coming fiscal year. The administration has been undergoing a bruising battle over health care, there is yet to be debate on policy for Afghanistan, and there are background engagements in constant play on issues related to the deficit. Cyber is not likely to be viewed as critical because things seem to have been going "okay" so far, and addressing cyber will be costly and require political capital. So, unless there is some splashy disaster, we might not see much progress.

A new version of the ReAssure testbed software, 1.20, is now available on the project web site. This version features a rewritten reservation manager that is multi-threaded, object-oriented, better commented, tested with PyLint, and responds to more queries from the web interface. The supporting serial switch communication library (soobml) was rewritten to be thread-safe, object-oriented and now supports multiple switches. Experiments are also started and stopped with much greater time precision. One small comment on PyLint: we allowed line lengths of 100. Lines of 80 characters are cramped when trying to provide meaningful error messages and referencing objects and invoking methods that have long, meaningful names. Our plans for the next release are to support user control of whether experimental PCs are allowed internet access. Currently only a specifically designated experimental PC is allowed access, for containment reasons. Thanks to Ed Cates (CERIAS staff) for providing system administration services and helping with ReAssure. This work is supported by the National Science Foundation under Grant No. 0420906. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

I am a big fan of the Monty Python troupe. Their silly take on several topics helped point out the absurd and pompous, and still do, but sometimes were simply lunatic in their own right.

One of their sketches, about a group of sailors stuck in a lifeboat came to mind as I was thinking about this post. The sketch starts (several times) with the line "Still no sign of land." The sketch then proceeds to a discussion of how they are so desperate that they may have to resort to cannibalism.

So why did that come to mind?

We still do not have a national Cyber Cheerleader in the Executive Office of the President. On May 29th, the President announced that he would appoint one – that cyber security was a national priority.

Three months later – nada.

Admittedly, there are other things going on: health care reform, a worsening insurgency problem in Afghanistan, hesitancy in the economic recovery, and yet more things going on that require attention from the White House. Still, cyber continues to be a problem area with huge issues. See some of the recent news to see that there is no shortage of problems – identity theft, cyber war questions, critical infrastructure vulnerability, supply chain issues, and more.

Rumor has it that several people have been approached for the Cheerleader position, but all have turned it down. This isn't overly surprising – the position has been set up as basically one where blame can be placed when something goes wrong rather than as a position to support real change. There is no budget authority, seniority, or leverage over Federal agencies where the problems occur, so there is no surprise that it is not wanted. Anyone qualified for a high-level position in this area should recognize what I described 20 years ago in "Spaf's First Law":

If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.

I wonder how many false starts it will take before it is noticed that there is something wrong with the position if good people don't want it? And will that be enough to result in a change in the way the position is structured?

Meanwhile, we are losing good people from what senior leadership exists. Melissa Hathaway has resigned from the temporary position at the NSC from which she led the 60-day study, and Mischel Kwon has stepped down from leadership of US-CERT. Both were huge assets to the government and the public, and we have all lost as a result of their departure.

The crew of the lifeboat is dwindling. Gee, what next? Well, funny you should mention that.

Last week, I attended the "Cyber Leap Year Summit," which I have variously described to people who have asked as "An interesting chance to network" to "Two clowns short of a circus." (NB. I was there, so it was not three clowns short.)

The implied premise of the Summit, that bringing together a group of disparate academics and practitioners can somehow lead to a breakthrough is not a bad idea in itself. However, when you bring together far too many of them under a facilitation protocol that most of them have not heard of coupled with a forced schedule, it shouldn't be a surprise if the result in much other than some frustration. At least, that is what I heard from most of the participants I spoke with. It remains to be seen if the reporters from the various sections are able to glean something useful from the ideas that were so briefly discussed. (Trying to winnow "the best" idea from 40 suggestions given only 75 minutes and 40 type A personalities is not a fun time.)

There was also the question of "best" being brought together. In my session, there were people present who had no idea about basic security topics or history. Some of us made mention of well-known results or systems, and they went completely over the heads of the people present. Sometimes, they would point this out, and we lost time explaining. As the session progressed, the parties involved seemed to simply assume that if they hadn't heard about it, it couldn't be important, so they ignored the comments.

Here are three absurdities that seem particularly prominent to me about the whole event:

1. Using "game change" as the fundamental theme is counter-productive to the issue. Referring to cyber security and privacy protection as a "game" trivializes it, and if nothing substantial occurs, it suggests that we simply haven't won the "game" yet. But in truth, these problems are something fundamental to the functioning of society, the economy, national defense, and even the rule of law. We cannot afford to "not win" this. We should not trivialize it by calling it a "game."
2. Putting an arbitrary 60-90 day timeline on the proposed solutions exacerbates the problems. There was no interest in discussing the spectrum of solutions, but only talking about things that could be done right away. Unfortunately, this tends to result in people talking about more patches rather than looking at fundamental issues. It also means that potential solutions that require time (such as phasing in some product liability for bad software) are outside the scope of both discussion and consideration, and this continues to perpetuate the idea that quick fixes are somehow the solution.
3. Suggesting that all that is needed is for the government to sponsor some group-think, feel-good meeting to come up with solutions is inane. Some of us have been looking at the problem set for decades, and we know some of what is needed. It will take sustained effort and some sacrifice to make a difference. Other parts of the problem are going to require sustained investigation and data gathering. There is no political will for either. Some of the approaches were even brought up in our sessions; in the one I was in, which had many economists and people from industry, the ideas were basically voted down (or derided, contrary to the protocol of the meeting) and dropped. This is part of the issue: the parties most responsible for the problem do not want to bear any responsibility for the fixes.
   

I raised the first two issues as the first comments in the public Q&A session on Day 1. Aneesh Chopra, the Federal Chief Technology Officer (CTO), and Susan Alexander, the Chief Technology Officer for Information and Identity Assurance at DoD, were on the panel to which I addressed the questions. I was basically told not to ask those kinds of questions, and to sit down. although the response was phrased somewhat less forcefully than that. Afterwards, no less than 22 people told me that they wanted to ask the same questions (I started counting after #5). Clearly, I was not alone in questioning the formulation of the meeting.

Do I seem discouraged? A bit. I had hoped that we would see a little more careful thought involved. There were many government observers present, and in private, one-on-one discussions with them, it was clear they were equally discouraged with what they were hearing, although they couldn't state that publicly.

However, this is yet another in long line of meetings and reports with which I have had involvement, where the good results are ignored, and the "captains of industry and government" have focused on the wrong things. But by holding continuing workshops like this one, at least it appears that the government is doing something. If nothing comes of it, they can blame the participants in some way for not coming up with good enough ideas rather than take responsibility for not asking the right questions or being willing to accept answers that are difficult to execute.

Too cynical? Perhaps. But I will continue to participate because this is NOT a "game," and the consequences of continuing to fail are not something we want to face — even with "...white wine sauce with shallots, mushrooms and garlic."

I have a Facebook account. I use it as a means to communicate little status updates with many, many friends and acquaintances while keeping up to date (a little) on their activities. I'm usually too pressed for time to correspond with everyone as I would otherwise prefer to do, and this tenuous connection is probably better than none at all.

Sometime early in the year, either I slipped up in running a script or somehow, without authorization, Facebook slurped up my whole address book. This was something I most definitely did not want to happen, so even giving Facebook the benefit of the doubt and blaming it on operator (me) error it says something about their poor interface that such a thing could happen to an experienced user. (Of course, in the worst case, their software did something invasive without my authorization.)

Whatever happened, Facebook immediately started spamming EVERYONE with an invitation "from me" inviting them to join Facebook. There are many people in my address book with whom I have some professional relationship but who would not be in any category I would remotely consider "friend." It was annoying to me, and annoying/perplexing to them, to have to deal with these emails. A few of them joined, but many others complained to me.

I thought the problem would resolve itself with time. In particular, I didn't want to send a note to everyone in my list saying it was a mistake and not to respond. Sadly, the Facebook system seems to periodically sweep through this list and reissue invitations. Thus, I have gotten a trickle of continuing complaints, and suspect that a number of other people are simply annoyed with me.

So, what to do if this was a responsible business? Why, look for a customer help email address, web form, or telephone number to contact them. Good luck. They have FAQs galore, but it is the web equivalent of voicemail-hell: one link leads to another and back to the FAQs again with no way to contact anything other than an auto-responder that tells me to consult the FAQ system.

On July 26, I responded to a complaint from one of the unintended victims. I cc'd a set of email addresses that I thought might possibly be monitored at Facebook, including "abuse@facebook.com." I got an automated response back to read an inappropriate and unhelpful section of the FAQ. I replied to the email that it was not helpful and did not address my complaint.

On July 29 I received a response that may have been from a person (it had a name attached) that again directed me to the FAQs. Again I responded that it was not addressing my complaint.

August 6th brought a new email from the same address that seemed to actually be responsive to my complaint. It indicated that there was a URL I could visit to see the addresses I had "invited" to join, and I could delete any I did not wish to be receiving repeated invitations. Apparently, this is unadvertised but available to all Facebook users (see http://www.facebook.com/invite_history.php).

I visited the site, and sure enough, there were all 2200+ addresses.

First problem: It is not possible to delete the entire list. One can only operate on 100 names at a time (one page). Ok, I can do this, although I find it very annoying when sites are programmed this way. But 22 times through the removal process is something I'm willing to do.

Second problem: Any attempt to delete addresses from the database results in an error message. The message claims they are working on the problem or to check that I'm actually connected to the Internet, but that's it. I've tried the page about every other day since August 6th, with various permutations of choices, and the error is still there. So much for "working on it."

I've also tried emailing the same Facebook address where I got the earlier response, with no answer in 2 weeks.

I thought about unsubscribing from Facebook as a way of clearing this out, but I am not convinced that the list -- and the automated invites -- would stop even if I inactivated my account.

Bottom line: providing Facebook any access to email addresses at all is like Roach Motel -- they go in, but there is no way to get them out. And Facebook's customer service and interfaces leave a whole lot to be desired. Coupled with other complaints people have had about viruses, spamming, questionable uses of personal images and data, changes to the privacy policy, and the lack of any useful customer service, and I really have to wonder if the organization is run by people with any clue at all.

I certainly won't be inviting anyone else to join Facebook, and I am now recommending that no one else does, either.