CERIAS Blog

Security Through Obscurity

This was originally written for Dave Farber’s IP list.


I take some of the blame for helping to spread “no security through obscurity,” first with some talks on COPS (developed with Dan Farmer) in 1990, and then in the first edition of “Practical Unix Security” (with Simson Garfinkel) in 1991. None of us originated the term, but I know we helped popularize it with those items.



The origin of the phrase is arguably from one of Kerckhoffs’s principles for strong cryptography: that there should be no need for the cryptographic algorithm to be secret, and it can be safely disclosed to your enemy. The point there is that the strength of a cryptographic mechanism that depends on the secrecy of the algorithm is poor; to use Schneier’s term, it is “brittle”: once the algorithm is discovered, there is no protection (or only minimal protection) left, and once broken it cannot be repaired. Worse, if an attacker manages to discover the algorithm without disclosing that discovery, then she can exploit it over time before it can be fixed.



The mapping to OS vulnerabilities is somewhat analogous: if your security depends only (or primarily) on keeping a vulnerability secret, then that security is brittle—once the vulnerability is disclosed, the system becomes more vulnerable. And, analogously, if an attacker knows the vulnerability and hides that discovery, he can exploit it when desired.



However, the usual intent behind the current use of the phrase “security through obscurity” is not correct. One goal of securing a system is to increase the work factor for the opponent, with a secondary goal of increasing the likelihood of detecting when an attack is undertaken. By that definition, obscurity and secrecy do provide some security because they increase the work factor an opponent must expend to successfully attack your system. The obscurity may also help expose an attacker because it will require some probing to penetrate the obscurity, thus allowing some instrumentation and advance warning.



In point of fact, most of our current systems *have* “security through obscurity” and it works! Every potential vulnerability in the codebase that has yet to be discovered by (or revealed to) someone who might exploit it is not yet a realized vulnerability. Thus, our security (protection, actually) is better because of that “obscurity”! In many (most?) cases, there is little or no danger to the general public UNTIL some yahoo publishes the vulnerability and an exploit far and wide.



Passwords are a form of secret (obscurity) that provides protection. Classifying or obfuscating a codebase can increase the work factor for an attacker, thus providing additional security. This is commonly used in military systems and commercial trade secrets, whereby details are kept hidden to limit access and increase the work factor for an attacker.



The problem occurs when a flaw is discovered and the owners/operators attempt to maintain (indefinitely) the sanctity of the system by stopping disclosure of the flaw. That is not generally going to work for long, especially in the face of determined foes. The owners/operators should realize that there is no (indefinite) security in keeping the flaw secret.



The solution is to design the system from the start so it is highly robust, with multiple levels of protection. That way, a discovered flaw can be tolerated, even if it is disclosed, until it is fixed or otherwise protected. Few consumer systems are built this way.



Bottom line: “security through obscurity” actually works in many cases and is not, in itself, a bad thing. Security for the population at large is often damaged by the people who claim to be defending the systems by publishing the flaws and exploits trying to “force” fixes. But vendors and operators (and lawyers) should not depend on secrecy as primary protection.



ReAssure 1.10 Released

This new release of our testbed software provides users with full control of experimental PCs instead of being limited to running VMware images:

  • Experimental PCs can be rebooted at will;
  • There is a LiveCD in the experimental PCs, which will take a root password that you specify before rebooting the PC;
  • Users are now able to replace the operating system installed by default on experimental PCs, and gain full control;
  • The host operating system for VMware is restored after an experiment.

This facilitates experiments with other virtualization technologies (e.g., Xen), or with operating systems or software that don’t interact in the desired manner with VMware.

When compared with other testbeds such as Deter, the differences are that:

  • You should be able to run anything on ReAssure that is compatible with the hardware;
  • You may try to attack the ReAssure testbed itself;
  • Malicious software should have great difficulty escaping the testbed (if not using exp01 and exp02, the computers set aside for updating images);
  • Your experiments using VMware images are portable;
  • You can take VMware snapshots.

As before, you can still:

  • Use complex network topologies for your experiments, with high bandwidth utilization on each (Gbit ethernet);
  • Extend reservations or stop experiments at will;
  • Use ISO images and VMware appliances;
  • Share image files;
  • Cooperate remotely with other people, and give them access to the PCs in one of your experiments;
  • Update your images from two of our experimental PCs that allow connections to the outside (exp01 and exp02).

Under the hood changes:

  • The switch management now uses a UNIX domain server instead of a script started by cron. This increases the responsiveness of the system, allows checking the state of the switch directly in real time, and allows self-test results to be displayed on the web interface (for administrators).
  • The upload mechanism now uses a UNIX domain server instead of a script started by cron. This increases the responsiveness of the system and allows self-test results to be displayed on the web interface (for administrators).
  • The power state of the experimental PCs is controlled via IPMI (Intelligent Platform Management Interface) on an isolated network.

Visit the project home page, the testbed management interface itself, or download the open source software. The ReAssure testbed was developed using an MRI grant from NSF (No. 0420906).

US Travel Tips for New Faculty…and for Not-so-New

The academic year is beginning, and I have already been asked by new faculty about travel. I also recently heard about a problem from a more senior colleague. As I have traveled a lot for my work in the last 20 years, I have built up some experience as an academic “road-warrior.” My assistant, Marlene, has also helped out with some great ideas as she has observed my difficulties getting from point A to B and back again. Here are some general tips for lower-stress travel as you travel to conferences and speaking engagements around the U.S.

General

Familiarize yourself with your university’s travel rules. Most have specific rules about advance notice, forms to file, etc. Know the rules before you travel so you don’t do the wrong things.

When you meet people at conferences, or when speaking, or otherwise on business, write the date on the back of the card, along with info that will help you identify why/where you met the person. If you promise to send them a copy of your recent results, then write that on the card, too. I have over 3000 entries in my online address book and card collection, and I no longer remember who half of them are, where I met them, or why. A note would have helped me in trimming the collection some.

Note on your itinerary what the next and previous departures of the plane, train, etc. might be. If your business finishes early or runs late, you have some idea of alternatives. In many cases, for a small fee, you can switch to a different departure time on the same day. You can usually get that fee reimbursed by the same source of funds that pays for your ticket.

Take paper copies of articles, theses, or other items you need to read or review. If you are stuck in an airport waiting area with a delayed flight, you can put your time to use without running down laptop batteries. Furthermore, you can read the papers when on the plane during times that no electronic devices can be used, and you can write comments in the margin when you have a small fold-down seat tray that isn’t large enough to hold an open laptop.

Keep business cards with you. At least once a year I find someone sitting on a long flight next to me to be worth a follow-up contact. Several times these have led to industry grants for my research or internships for my students. Be prepared for opportunities!

Always pack an extra day’s worth of critical items in the event your flight is cancelled or too badly delayed. Also, you are prepared when the airline asks for volunteers to be bumped to the next day in return for a free ticket—that means you can save money on your grants for the next conference, or else use the free ticket to have a spouse/SO accompany you on a trip.

If you are going someplace interesting, investigate staying an extra day or two to sight-see, or simply relax. Depending on timing, you may actually save money by flying on a weekend day instead of a weekday evening and staying the extra night in the hotel!

Consider joining frequent traveler programs for the airlines and hotels. You may not collect enough for a free trip any time soon—and if you do travel enough to do so, another trip is not likely your idea of a reward. However, most of those programs have some small perks for members—free Internet service or breakfast at the hotel, priority on better seats, etc.

Airline clubs can be valuable places to unwind between long flights or during delays. You can buy day passes or full-year memberships. Some cover multiple airlines. Consider the expense of Internet access and several cups of coffee each time you need to spend more than an hour at a major airport in a waiting area. At a certain point, the airline club fee comes out to be a win. Plus, their front desk staff can often fix a scheduling snafu on your ticket faster (and with more options) than the personnel out at the desks.

Try to always be cheerful with travel personnel, even if you’re having a bad day. Airline check-in people can give you a better seat or waive a change fee if you are nice, flight attendants will sometimes comp a drink or give you the last blanket, and hotel clerks can put you in a better room—all if you are nice. Be grumpy or curt, and TSA will make your life miserable, you’ll get checked into the non-reclining seat in the last row next to the lav, and at the hotel you’ll get the room next to the elevator.

I have a single sheet with all my flight itinerary, hotel address, confirmation numbers, important telephone numbers, and so on. This turns out to be incredibly useful for all sorts of reasons.

Take along a small bottle of hand sanitizer, and use it before every meal or break. If you are meeting people, shaking hands, and using doorknobs handled by thousands of others, it is not a contributor to good health. Frequent hand washing and use of a sanitizer can really help. I get small bottles in the “travel size” section at my neighborhood pharmacy.

Finances

Keep all of your receipts, boarding passes, etc. I have a poly-plastic envelope with an elastic cord into which I put all my receipts while traveling. At the end of the trip, the receipts get sorted into three piles: those that go to the university or sponsor for reimbursement purposes, those that go into my file for income taxes (all meal receipts, for example), and a pile I keep until I have been reimbursed and my frequent flier miles credited. This last pile is normally where stubs from boarding passes go, unless your sponsor/university requires them.

Never leave a hotel without a paper statement showing a zero balance! Some hotels will run a statement of all expenses and slip it under your room door the night before you leave. You then do an express checkout and don’t stop at the desk. However, without evidence you paid the bill (the zero balance part), some agencies won’t reimburse you! You can probably get a corrected copy from the hotel, but the process delays your reimbursement by weeks (or longer).

Need to send in the original receipts for reimbursement? Make sure you have legible copies to keep on file in the event there is a mix-up or loss of items.

Don’t forget to ask for mileage reimbursement to drive to/from the airport. The current IRS rate is commonly used.

If you work at a public university you can sometimes get the government rate at hotels. You need to ask about that when you reserve the room, and you show your faculty ID when arriving. Be sure you only do this when traveling on university business.

Be aware of your credit limit. If you are doing a lot of travel and charging it all to one credit card, you may hit your limit without knowing it. Hotels often put a hold charge on your card when you check in and do not remove it when you pay your bill, so your card takes double the hit. It can be very uncomfortable to arrive at your destination, 3 time zones away, only to be told that your card has been refused. American Express cards have no such pre-set limit, but you also have to pay them when the bill arrives, and this can be a stretch if your reimbursements aren’t timely.

Speaking of reimbursements, some companies that may ask you to come visit to speak at their expense can be extremely slow to pay reimbursements because their internal processes are so complex. My worst experiences have been with big companies, for some reason. Intel is one example—over a 3 year period with 5 trips they never paid an invoice in less than 6 months, one took 10 months to reimburse, and I had to file as a business supplier to even get into their system! In situations like this you either need to dip into savings then wait for the payment, or carry the charge on credit. Be prepared for this if you have no experience with a host offering to reimburse you.

Actually, this brings up a worst-case scenario: You are asked to visit an institution in a foreign country to speak, at their expense. You buy non-refundable tickets (that is all they will reimburse) and then they cancel the visit, or you fall ill, or... Nothing like having $2000 in non-refundable tickets and the bill coming due! There are solutions here: demand to buy refundable tickets, have them buy the tickets for you, or consider having them authorize buying travel insurance through the airline or travel service where you get the tickets. Even reputable places may have scheduling problems.

Don’t fly sick! If you are really ill, don’t feel you have to travel because you bought non-refundable tickets, or because they are expecting you to talk at the other end. Flying while ill can make you worse (I’ve had a perforated ear drum from the pressure change on the plane, once, flying with a terrible cold), can spread germs, and you end up not making a very good presentation. Ask to reschedule if it is a presentation. Most airline tickets can be used, for a small change fee, up to a year after the date of purchase. If you are flying to a conference on grant money, check on university policy—most will cover the change fee or even the cost of the ticket so long as you commit to buying non-refundable tickets to keep costs low.

Check the interest rate on your credit cards. Yeah, maybe you collect frequent flier miles by using that card, but it also may have an 18%-25% effective annual rate. If you are delayed getting a reimbursement, or it crosses the due date of the bill, you may be paying a hefty penalty for those miles.

Many places will ask for your SSN on a W-4 before they will reimburse you. If you are a compensated speaker, you can’t get your honorarium without this. This poses two problems: taxes and possible exposure of your SSN. The taxes part is easiest: keep the receipts, and if your reimbursement gets included in a form 1099-MISC filed by your host, then you list the amounts as deductible business expenses (talk to a tax advisor for specifics; don’t depend on this blog!). As for protecting yourself against identity theft, come up with a “dba” name (doing business as) for consulting, then get an IRS EIN (employer identification number). Use that in place of your SSN. It is all perfectly legal (although you may need to educate the clerks at the other end), has the same number of digits as your SSN, but if compromised it won’t contribute to fraud committed with your identity.

I may do a follow-up post with some specific hints on international travel. If you have suggestions for academic travelers, please post them in the comments.


Privacy Survey

I am an advisor to ThePrivacyPlace.  They do great work on privacy issues, and this annual survey is valuable—but only with a lot of responses.  So, please respond and share the link with others.

The following is their survey announcement.

ThePrivacyPlace.Org Privacy Survey is Underway!

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and was first offered in 2002. We are offering the survey again in 2008 to reveal how user values have changed over the intervening years. The survey results will help organizations ensure their website privacy practices are aligned with current consumer values.
The URL is:
http://theprivacyplace.org/currentsurvey

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available via our project website (http://www.theprivacyplace.org/).

Prizes include $100 Amazon.com gift certificates sponsored by Intel Co. and IBM gifts.

On behalf of the research staff at ThePrivacyPlace.Org, thank you!

PHPSecInfo talk at OSCON 2008

If you’re at OSCON, and you love security, you may or may not enjoy my talk on PHPSecInfo, a security auditing tool for the PHP environment. I’m actually going to try to show some new code, so if you’ve seen it before, you can see it again – for the first time.

The talk is at 1:45pm Thursday, 07/24/2008.