Posts by spaf

Another Loss in the Community

I received news today that Yves Deswarte passed away on January 27th.

Dr. Deswarte was a notable member of the computing community, with a career of 30+ years as an educator, researcher, and manager. His career as a computing research pioneer spanned issues ranging from fault-tolerant computing to microcomputer systems to networking to issues of identity and privacy to system safety, and more. His most recent affiliation was with the LAAS-CNRS, the Laboratory for Analysis of Architecture of Systems at the French National Center for Research in Toulouse. He also had been an engineer and manager at INRIA, and spent time with SRI and at Microsoft Labs in Cambridge (with the late Roger Needham). Some of his more recent work involved the security of cloud and embedded systems.

Yves was the deserving recipient of the 2012 IFIP TC-11 Kristian Beckman Award and an award for Outstanding Service to IFIP. His acceptance address for the Beckman was devoted to issues of identity and privacy — topics which had been central to some of his research in recent years. In addition to his research and his work with IFIP, Dr. Deswarte was also notable for his work with ESORICS, and for the Ph.D. students whose work he advised: his webpage lists 20 Ph.D. graduates advised, and 5 in progress.

A memorial page for Dr. Deswarte has been established at LAAS.

I only met Yves once or twice, and our work only occasionally brought us into contact. Interestingly, his path in computing had some parallels to mine — he was working fault-tolerant computing (the SURF project) about the time I was (as a grad student), and then moved into security and privacy issues. I have known of him and his work for most of my career in computing, but unfortunately did not have the opportunity to get to know him well in person. I am undoubtedly not doing justice to his many contributions with the meager account above, and I would welcome comments from those who knew him better.

I have written memoriam pieces for many people in the field over the last few years, most recently Willis Ware. Yves is closer to my age than most of them, so that makes it a little more personal. It is a sign that the field is maturing as we begin to lose our colleagues, but that is hardly any solace.

R.I.P. Yves Deswarte, 1949-2014.

We’re Out of Balance

I’ve had several items cross my social media feeds, along with email, in the last few days that prompt me to write this. It’s gotten a bit longer than I intended, but there’s a lot to say on an important topic. As a first post to this blog in 2014, I think it is a good topic to address. It has to do with imbalance and bad behavior in the overall field of cybersecurity: the low percentage of women, and how they are sometimes treated.

Computing, as a field in the USA, has had a low and almost constantly decreasing percentage of women going into the field and staying. (The US is the primary focus of this blog entry; I believe the problem is similar in Canada, the UK, Australia, and others, but don’t have the data. Also, there is a corresponding problem with other traditional minorities, but that’s not what prompted this post and I hope to visit it later.) There are many reasons posited for this, many of which are likely somewhat to blame; there is no single, dominant reason, apparently. Many studies and reports have been conducted, experiments tried, and programs put into place, but few have made any measurable, long-term change. The problem is almost undoubtedly rooted in social behaviors and expectations because there are other cultures where the ratio of women to men is about 1:1, or even has women in larger percentages.

Cybersecurity is little different, and may be worse. I regularly speak at conferences, companies, and agencies where the room will have 30 men and one (or no) women. At events where there are speakers or panels, all the speakers and panelists are men. The few women attending often are simply the ones there processing registrations. And there are a nontrivial number of reports of women being groped and harassed at professional meetings (see, for instance, this). Also bad, women are frequently abused online as well as offline, and not only in security and computing. Many are reluctant to publish email addresses or contact info online because of unwanted, inappropriate content sent to them — no matter whether they’re 8 or 80.

(Right now, if you are thinking to yourself that there isn’t a real problem, that things are fine, and it is all a problem of some women who can’t take a joke, then you are part of the problem, and you need to shape up. Worse, if you think that women shouldn’t be upset about this status quo, instead they should get back to the kitchen, then you are so out of touch that I don’t know where to start. In either case, try telling that same thing to women doctors, pilots, police, firefighters, or better yet, to our many women in the military — especially when your safety is in their care. Then come back when you’ve healed up. If nothing else, at least keep in mind that there are legal reasons to treat people equally and with respect.)

Assuming you are actually living in the 21st century, let me assure you that the overall situation is a HUGE problem for us. As a field, and as a society this is bad because we have a shortage of talent that is getting worse with time. We also have some rather skewed and limited ideas of how to approach problems that might benefit from a more inclusive pool of designers and practitioners. And as human beings we should be concerned — especially those of us who are sons, brothers, fathers, and husbands — people who could be (and sometimes are) our mothers, sisters, daughters, and wives are being mistreated and demeaned. That simply isn’t right. Neither is it right that we are limiting the opportunities for individuals to learn, grow, and achieve.

Computing, security, privacy, creativity — those are all traits of the mind. Minds exist in all kinds of bodies, including those with other colors, more or fewer curves, different masses and volumes, varied ages, and some have less physical abilities than others. But that doesn’t change what is possible in their minds! We should applaud ability, dedication, and imagination wherever we find it. Discouraging women (or anyone with ability) from pursuing a career in computing, abusing them online, and groping them at conferences are all counterproductive to our own futures — as if rude and wrong wasn't enough. Cybersecurity and privacy are key areas where we need more insight and creativity — we should enhance it rather than diminish it.

No field is populated only with superstars and wild talents. That is especially true in IT. We hear about people with great accomplishments, and we like to think we’re special in our way, but the truth is that the field is too large for any individuals to master it. Success comes from teams, and the most successful teams are those that integrate many different viewpoints, backgrounds, and skill sets, and who respect their differences yet work with common goals. That includes bringing in people from different genders, ethnicities, ages, and more. Success is enhanced by diversity.

I’m not going to go through a longer litany of problems here, or try to analyze the situation further. I’ve been working with various women’s groups for over 20 years and I still don’t pretend to be able to understand all of what is happening. It is complex. However, I see the problem continuously when I look at our student body, when I visit professional meetings, and when I read reports. I know it is real.

What I can do, is offer some advice to those who care.

For Men

Here are some general tips that should be common sense.

  1. Simple: be aware. Help others be aware. Don’t limit your involvement to this alone, but everything else flows from here.
  2. If you have children, encourage them and their friends to consider computing in school. Be supportive of anyone trying an IT profession. Be positive and not condescending.
  3. If you are a teacher/professor, don’t let the male students bully or harass the females. You are there to create a learning environment for everyone. Generally speaking, many women are less quick to respond to questions as they think about how to frame the answers, and they tend to let others speak without interruption; males generally are the opposite. Don’t let anyone be interrupted when speaking, and ensure that everyone gets a chance.
  4. At a conference or professional meeting? Don’t assume that the women are less important than the men there -- especially if they look young! Address everyone equally. No one should be invisible. Would you want people to ignore you or trivialize what you had to say if you looked different than you do? Address the person, not the appearance.
  5. Don’t ever touch a woman, without her clear uncoerced permission, in any manner that you would not touch a male authority figure. That is, would you touch your boss/professor/policeman in the same manner — without getting slugged/fired/arrested? Thus, shaking hands, fine. Catching someone if they stumble, fine. A greeting hug? Let her initiate it. Grabbing their butts? Definitely no. Use the same rule of thumb for language. Would you proposition a male policeman you just met?
  6. As for language, think carefully about your adjectives. If you would be “firm” and “decisive” in what you do, don’t describe a woman colleague as “bitchy” if she acts similarly! If you are "aggressive" she is not “pushy.” Banish “overly emotional” and “moody” from the list, too.
  7. Don’t set perceptions based on age. Women report that young male colleagues are often given opportunities to “prove themselves” or “learn the ropes” but they are not given the same opportunities because they are too young. Don’t either give or limit opportunities based on age or whether you think someone is attractive — either way, you are limiting what you could get and what they can do, and that is your loss.
  8. Be polite to everyone. Manners matter, even if it doesn’t seem that way sometimes. Don’t treat any group differently than any other. This includes not making jokes about people to others, staring openly, etc. That’s maybe the norm in 3rd grade, but not in a professional context.
  9. If you see someone else being gropy, rude, or otherwise inappropriate, speak up. (And “Attaway, bro!” is not the thing to say.) No, of course you are not defending someone weaker — you are chastising someone acting unprofessionally. That is because you should also do the same for anyone being rude to someone in a wheelchair, wearing a turban, with brown skin, with a missing limb, speaking with a lisp, or simply standing there. Being different is never an invitation to be abusive or rude. Report it to event organizers or management, too.
  10. If you are invited to speak or appear on a panel at an event, ask who else has been invited. If they don’t seem to have invited (m)any women, suggest some and don’t agree to speak until they have filled out the roster a little more. I have heard one good rule of thumb (which I try to follow) is to not appear on a panel unless at least one woman is also on the panel. Help give other voices a chance to be heard.
     
    Can’t think of any? Then either you aren’t paying attention or you are willfully ignoring the situation. Here’s a partial list of some of the better known women in the field of cybersecurity/privacy, all of whom I hold in great regard (and my apologies as there are many more I could list — these are off the top of my imperfect memory): Anita Jones, Dorothy Denning, Mary Ann Davidson, Window Snyder, Jean Camp, Elisa Bertino, Rhonda MacLean, Deborah Frincke, Melissa Hathaway, Chenxi Wang, Terry Benzel, Cristina Nita-Rotaru, Jeannette Wing, Cynthia Irvine, Lorrie Cranor, Dawn Song, Helen Wang, Cathy Meadows, Harriet Pearson, Diana Burley, Rebecca Herold, Shari Pfleeger, Shafi Goldwasser, Barbara Simons, Erin Jacobs, Becky Bace, Radia Perlman, Nuala O'Connor Kelly, Wendy Nather, Linda Northrup, Angela Sasse, Melissa Dark, Susan Landau, Mischel Kwon, Phyllis Schneck, Carrie Gates, Katie Moussouris, Ronda Henning…. There are literally thousands more who are less senior but are likely to have interesting things to say. Simply look around. And if you’re organizing the event, consider this.
  11. If you are a VC or senior executive, don’t automatically hire someone from the “good ol boys.” That you only think of men to fill senior positions may be a case of tunnel vision, as in the previous item. Look around. And don’t let implicit assumptions about age or gender drive your decision-making: leaders come in all shapes, sizes, and ages.
  12. Besides giving opportunities to women to speak or lead, give them opportunities to fail without blanket condemnation. Everybody has limits and makes mistakes. If you asked a young male employee to do something and he didn’t succeed, would you think to yourself “I never should have assigned that to a man”? Unless the task is peeing his name in a snowbank, gender doesn’t have anything to do with it (and if that is the tasking you give employees you have other serious problems to resolve).
  13. In a professional setting, don’t exclude the women because you think they’ll be “offended” or that they’re “too sensitive.” They aren’t china dolls that are easily broken! Include them as part of your team and make them feel like part of it. We look at the world in different ways. If you’re concerned that jokes or activities might be offensive, then maybe those aren’t the right kind of team-building experiences you should be having. (For example, you don’t need to go out for beers to the strip bar on Friday to build team presence; going out to a nearby Irish pub or a restaurant will accomplish the same thing if what you are after is a social experience.) Do the same with students if that is your context.
  14. Similarly, think about mentoring — be a positive mentor for colleagues and those junior to yourself, men as well as women. Offer it, but don’t force it (that’s what a mentor is: a voluntary guide).

The basic idea here is really embodied in #8. Be thoughtful and don't treat anyone as substantially different. Instead, relate to every person as a professional. But most of all, speak up if you see someone getting picked on or treated badly, or if they aren’t getting encouragement they should. It’s like security and privacy itself — an attack on any link is an attack on the whole, and if a link falls we are all diminished.

For Women

As a general tip similar to the list above, don’t ever think you are the only one experiencing some of the things that happen. Don’t blame yourself, or wonder what it is you are doing wrong — that is sometimes a natural reaction when you are in the minority and everyone seems to react to you in a manner you don’t expect. Do push back on rude behavior, don’t be afraid to make it clear when limits are reached (or exceeded), and do consider reporting persistent or very rude misbehavior to event organizers or supervisors. Yes, it can sometimes have unexpected consequences, but without that negative feedback the behavior is likely to continue against you and others; evaluate your own tolerance for risk vs. harassment.

There is debate within many minority communities of whether aligning with self-interest groups is helpful. On the plus side, the mentoring, the support resources, and the sense of community can all be a big help. However, that also runs the risk of not sufficiently engaging in the mixed environment where one has to work, of developing unrealistic expectations based on anecdotal stories, and failing to help educate the majority in how to help. There seems to be enough positive “buzz” about some groups and their activities to warrant recommending them. Not all are likely to fit your own particular needs and interests, so check them out. If you know of some I have missed, please let me know so I can add them here.

  1. ACM-W is generally for women in computing, world-wide, and provides community and resources. See their web page for more info. They have a mailing list to which you can subscribe, even if you have not (yet) joined ACM; computing professionals should consider joining the ACM.
  2. There is a long list of organizations for computing, in general, at the Ada Project that I won’t try to duplicate — I suggest you look at it. (I will also note that I have heard some criticism of the Ada Project itself, so I am only recommending the list.)
  3. The Ada Initiative is different from the Ada Project, above. It supports women in open software, and has a number of worthwhile resources.
  4. The Anita Borg Institute. The ABI sponsors the annual Grace Hopper Celebration conference, which is worth attending, plus they do a lot more in events and activities, one of which is the Systers List.
  5. The National Center for Women & Information Technology (NCWIT) has quite a few resources and activities.
  6. The Computing Research Association’s CRA-W is directed to enhancing the careers of women in computing research.
  7. The ISSA has a SIG with multiple blogs, meetings, and resources. You must be an ISSA member to access them. They also have a private LinkedIn group. (Security professionals should give thought to joining ISSA.)
  8. I am told that ISACA is another organization in the security space to check out for their support and activities.
  9. The Women’s Society of Cyberjutsu is a security-focused organization for women that seems to have a fair bit of momentum.

The (ISC)2 is organizing a women’s special interest group. I have spoken with organizers, but am unsure of the status of it at this time.

The Women in Cyber Security conference will be held in April in Nashville. I know nothing about it other than what is on their web page, but it looks like it could be a great experience.

ACSA has a scholarship program for women in computing; multiple scholarships are available. The (ISC)2 Foundation also has scholarships available.

Of course, please keep in mind that not all men are the same! Many want to do the right things but aren’t always sure what is appropriate. Help train a few. :-)

Parting Thoughts

From a professional point of view, being a member of ACM and ISSA is a good idea for anyone in the field, based simply on the value of the organizations. Both promote professionalism, community, and personal growth, and there are a variety of other benefits to membership. Both have steep discounts for student members. I am a long-standing member of both, and can recommend them.

Our society has a lot of problems with cybersecurity and privacy. New flaws show up, and old flaws don’t really get fixed. Parties ranging from individual criminals to nation-state organizations are all seeking ways to penetrate our systems and mess with our information. We need every good person we can get on board and working together if we hope to make progress. We should make every effort to enable that partnership.

Or think of it in these terms: if we can’t be trusted to protect and empower those within our own community, why should anyone trust us to protect anything else?


Updated 1/7: Added a few list items about mentoring and language, listed ISACA, small grammatical corrections.

Updated 1/8: Corrected several typos

Updated 1/10: Added ISSA group link. Added comment from Anita Jones; this is the memo she mentions in that comment.

Updated 1/14: Small grammatical corrections.

Updated 1/22: Added ACM-W page link

Updated 1/24: Added the Systers link

Updated 2/16: Added link to subscribe to the ACM-W list. Minor grammatical cleanup.

Updated 3/2: Added links to ACSA and (ISC)2 scholarship information.

Updated 6/8: Added link to the Ada Initiative

If you have any additions or corrections to the above lists, please send me private email. Also note that, as usual, anonymous, spammy, or abusive feedback to the blog may not be published as is, if at all.

The Passing of A Pioneer

Willis H. Ware, a highly respected and admired pioneer in the fields of computing security and privacy, passed away on November 22nd, 2013, aged 93.

Born August 31, 1920, Mr. Ware received a BSEE from the University of Pennsylvania (1941), and an SM in EE from MIT (1942). He worked on classified radar and IFF (identify friend or foe) electronic systems during WWII. After the war he received his Ph.D. in EE from Princeton University (1951) while working at the Institute for Advanced Studies for John von Neumann, building an early computer system.

Upon receiving his Ph.D., Dr. Ware took a position with North American Aviation (now part of Boeing Corporation). After a year, he joined the RAND Corporation (in 1952) where he stayed for the remainder of his career -- 40 more years — and thereafter as an emeritus computer scientist. His first task at RAND was helping to build the "Johnniac," an early computer system. During his career at RAND he advanced to senior leadership positions, eventually becoming the chairman of the Computer Science Department.

Willis was influential in many aspects of computing. As an educator, he initiated and taught one of the first computing courses, at UCLA, and wrote some of the field's first textbooks. In professional activities, he was involved in early activities of the ACM, and was the founding president of AFIPS (American Federation of Information Processing Societies). From 1958-1959 he served as chairman of the IRE Group on computers, a forerunner of the current Computer Society of the IEEE. He served as the Vice Chair of IFIP TC 11 from 1985-1994. At the time of his death he was still serving as a member of the EPIC Advisory Board.

Dr. Ware chaired several influential studies, including one in 1967 that produced a groundbreaking and transformational report to the Defense Science Board for ARPA (now DARPA) that was known thereafter as "The Ware Report." To this day, some of the material in that report could be applied to better understand and protect computing systems security. The follow-on work to that study eventually led, albeit somewhat indirectly, to the development of the NCSC "Rainbow Series" of publications. (The NCSC, National Computer Security Center, was a public-facing portion of the NSA, serving as an office for improving security in commercial products.)

In 1972, Dr. Ware was tapped to chair the Advisory Committee on Automated Personal Data Systems for the HEW (now HHS) Secretary. That report, and Willis's subsequent paper, "Records, Computers, and the Rights of Citizens," established the first version of the Code of Fair Information Practices. That, in turn, significantly influenced the Privacy Act of 1974, and many subsequent versions of fair information practices. The Privacy Act mandated the creation of the Privacy Protection Study Commission, of which Dr. Ware was vice chair.

Willis was the first chairman of the Information System and Privacy Advisory Board, created by the Computer Security Act of 1987. He remained chairman of that board for 11 years following its establishment. Over the years, Dr. Ware served on many other advisory boards, including the US Air Force Scientific Advisory Board, the NSA Scientific Advisory Board, and over 30 National Research Council boards and committees.

Willis Ware was one of the most honored professionals in computing. He was a Member of the National Academy of Engineering, and was a Fellow of the AAAS, of the IEEE, and of the ACM — perhaps the first person to accrue all four honors. He was a recipient of the IEEE Centennial Medal in 1984, the IEEE Computer Pioneer Award in 1993, and a USAF Exceptional Civilian Service Medal in 1979. He was the recipient of the NIST/NSA National Computer System Security Award in 1989, the IFIP Kristian Beckman Award in 1999, a lifetime achievement award from the Electronic Privacy Information Center (2012), and was inducted into the Cyber Security Hall of Fame in 2013.

Dr. Willis H. Ware was truly a pioneer computer scientist, an early innovator in computing education, one of the founders of the field of computer security, and an early proponent of the need to understand appropriate use of computing and the importance of privacy. His dedication to the field and the public interest was both exceptional and seminal.

The Rand Corporation posted an in memoriam piece on their website.

(Any updates or corrections will be posted here as they become available.)


Update 10/26: included acronym expansions of IFF and NCSC, along with links for NCSC and HHS. Added small grammatical corrections.

Update 10/29: added the note and link to the Rand Corporation in memoriam piece.

Update 12/9: added the mention of the DSB

Thoughts—Some Random, Some Structured

On October 9th, 2013, I delivered one of the keynote addresses at the ISSA International Conference. I included a number of observations on computing, security, education, hacking, malware, women in computing, and the future of cyber security.

You can see a recording of my talk on YouTube or view it here. You might find it somewhat amusing. See the old guy with the bow tie ramble on. :-)


(If you work in cyber security, you should think about joining the ISSA.)


(Also, if you didn't know, I have two other blogs. One blog is a Tumblr blog feed of various media stories about security, privacy and cybercrime. The other blog is about various personal items that aren't really related to CERIAS, or even necessarily to cyber security — some serious, some not so much.)

Happy Anniversary—Bang My Head Against A Wall

Over the last month or two I have received several invitations to go speak about cyber security. Perhaps the up-tick in invitations is because of the allegations by Edward Snowden and their implications for cyber security. Or maybe it is because news of my recent awards has caught their attention. It could be it is simply to hear about something other than the (latest) puerile behavior by too many of our representatives in Congress and I'm an alternative chosen at random. Whatever the cause, I am tempted to accept many of these invitations on the theory that if I refuse too many invitations, people will stop asking, and then I wouldn't get to meet as many interesting people.

As I've been thinking about what topics I might speak about, I've been looking back through the archive of talks I've given over the last few decades. It's a reminder of how many things we, as a field, knew about a long time ago but have been ignored by the vendors and authorities. It's also depressing to realize how little impact I, personally, have had on the practice of information security during my career. But, it has also led me to reflect on some anniversaries this year (that happens to us old folk). I'll mention three in particular here, and may use others in some future blogs.

In early November of 1988 the world awoke to news of the first major, large-scale Internet incident. Some self-propagating software had spread around the nascent Internet, causing system crashes, slow-downs, and massive uncertainty. It was really big news. Dubbed the "Internet Worm," it served as an inspiration for many malware authors and vandals, and a wake-up call for security professionals. I recall very well giving talks on the topic for the next few years to many diverse audiences about how we must begin to think about structuring systems to be resistant to such attacks.

Flash forward to today. We don't see the flashy, widespread damage of worm programs any more, such as what Nimda and Code Red caused. Instead, we have more stealthy botnets that infiltrate millions of machines and use them for spam, DDOS, and harassment. The problem has gotten larger and worse, although in a manner that hides some of its magnitude from the casual observer. However, the damage is there; don't try to tell the folks at Saudi Aramco or Qatar's Rasgas that network malware isn't a concern any more! Worrisomely, experts working with SCADA systems around the world are increasingly warning how vulnerable they might be to similar attacks in the future.

Computer viruses and malware of all sorts first notably appeared "in the wild" in 1982. By 1988 there were about a dozen in circulation. Those of us advocating for more care in design, programming and use of computers were not heeded in the head-long rush to get computing available on every desktop (and more) at the lowest possible cost. Thus, we now have (literally) tens of millions of distinct versions of malware known to security companies, with millions more appearing every year. And unsafe practices are still commonplace -- 25 years after that Internet Worm.

For the second anniversary, consider 10 years ago. The Computing Research Association, with support from the NSF, convened a workshop of experts in security to consider some Grand Challenges in information security. It took a full 3 days, but we came up with four solid Grand Challenges (it is worth reading the full report and (possibly) watching the video):

  1. Eliminate epidemic-style attacks within 10 years
    • Viruses and worms
    • SPAM
    • Denial of Service attacks (DOS)
  2. Develop tools and principles that allow construction of large-scale systems for important societal applications that are highly trustworthy despite being attractive targets.
  3. Within 10 years, quantitative information-systems risk management will be at least as good as quantitative financial risk management.
  4. For the dynamic, pervasive computing environments of the future, give end-users security they can understand and privacy they can control.

I would argue -- without much opposition from anyone knowledgeable, I daresay -- that we have not made any measurable progress against any of these goals, and have probably lost ground in at least two.

Why is that? Largely economics, and bad understanding of what good security involves. The economics aspect is that no one really cares about security -- enough. If security was important, companies would really invest in it. However, they don't want to part with all the legacy software and systems they have, so instead they keep stumbling forward and hope someone comes up with magic fairy dust they can buy to make everything better.

The government doesn't really care about good security, either. We've seen that the government is allegedly spending quite a bit on intercepting communications and implanting backdoors into systems, which is certainly not making our systems safer. And the DOD has a history of huge investment into information warfare resources, including buying and building weapons based on unpatched, undisclosed vulnerabilities. That's offense, not defense. Funding for education and advanced research is probably two orders of magnitude below what it really should be if there was a national intent to develop a secure infrastructure.

As far as understanding security goes, too many people still think that the ability to patch systems quickly is somehow the approach to security nirvana, and that constructing layers and layers of add-on security measures is the path to enlightenment. I no longer cringe when I hear someone who is adept at crafting system exploits referred to as a "cyber security expert," but so long as that is accepted as what the field is all about there is little hope of real progress. As J.R.R. Tolkien once wrote, "He that breaks a thing to find out what it is has left the path of wisdom." So long as people think that system penetration is a necessary skill for cyber security, we will stay on that wrong path.

And that is a great segue into the last of my three anniversary recognitions. Consider this quote (one of my favorites) from 1973 -- 40 years ago -- from a USAF report, Preliminary Notes on the Design of Secure Military Computer Systems, by a then-young Roger Schell:

…From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrations of a computer system security, proper security will not be a reality.

That was something we knew 40 years ago. To read it today is to realize that the field of practice hasn't progressed in any appreciable way in three decades, except we are now also stressing the wrong skills in developing the next generation of expertise.

Maybe I'll rethink that whole idea of going to give talks on security and simply send them each a video loop of me banging my head against a wall.


PS -- happy 10th annual National Cyber Security Awareness Month -- a freebie fourth anniversary! But consider: if cyber security were really important, wouldn't we be aware of that every month? The fact that we need to promote awareness of it is proof it isn't taken seriously. Thanks, DHS!

Now, where can I find a good wall that doesn't already have dents from my forehead....?

A Valuable Resource for Young People (limited time offer)

Over the years, I've gotten to know many people working in security and privacy. Too few have focused on issues relating to children and young adults. Thankfully, one of these people is Linda McCarthy. A security professional with an impressive resume that includes senior positions at Sun Microsystems and Symantec, Linda has had actual "boots-on-the-ground" experience in the practice of information protection.

Linda has written several books on security, including "Intranet Security - Stories from the Trenches," and "IT Security: Risking the Corporation." She also co-authored the recent free, quite popular, Facebook tutorial on security and privacy. I have read these, heard her speak, and worked with her on projects over the years -- Linda is thoughtful, engaging and an effective communicator on the topics of security and privacy. I'm not the only person to think so -- not too long ago she was a recipient of the prestigious Women of Influence award, presented by CSO Magazine and Alta Associates, recognizing her many achievements in security, privacy and risk management.

About a decade ago, based on some personal experiences with young adults close to her, Linda took on the cause of education about how to be safe online. Youngsters seldom have the experience (and the judgement born of experience) to make the best choices about how to protect themselves. Couple that naiveté with the lure of social contact and the lack of highly-visible controls, and toss in a dash of the opportunity to rebel against elders, and a dangerous mix results. Few people, young or old, truly grasp the extent and reach in time and space of the Internet -- postings of pictures and statements never really go away. Marketers, for one, love that depth of data to mine, but it is a nightmare that can haunt the unwary for decades to come.

Long term loss of privacy isn't the only threat, of course. Only last week news broke of yet another tragic suicide caused by cyberbullies; there is a quiet epidemic of this kind of abuse. Also, Miss Teen USA, Cassidy Wolf, spoke a few days ago about being the victim of cyberstalking and sexual extortion. These are not things kids think about when going online -- and neither do their parents. This is the complex milieu that Linda is confronting.

In 2006, Linda began to focus on writing for the younger set and produced "Own Your Space: Keep Yourself and Your Stuff Safe Online," which is a nice introduction that kids seem to appreciate. A few years ago, Linda updated it and under a Creative Commons license it is now available as a free download from Microsoft (among others). I wrote about the release of that update in this blog in 2010.

Earlier this year, Linda released a new book, "Digital Drama: Staying Safe While Being Social Online" (also available en español). This book covers a multitude of issues, including privacy, reputation, online bullying and stalking, avoiding predators, spotting scams, how to manage settings and online persona, and a wealth of other valuable insights for young people -- and therefore it is also of value to their parents, teachers, and an older audience that may not have the expertise but faces many of the same concerns. Linda's book doesn't address all the problems out there -- she doesn't address the really dark side of youth gang culture, for instance -- but this book does admirably cover many of the major issues that face kids who really want to stay out of trouble.

What makes this especially useful is a limited-time offer. In support of National Cyber Security Awareness Month, Microsoft has provided support to allow Linda to offer a free digital download of "Digital Drama" from Amazon.com (the Spanish version, too). Parents, teachers, teens, tweens, kids, and the young at heart can all get that free download from 12am on Tuesday, September 24th until 11:59pm on Friday, September 27 (2013; times are PDT). (If you are reading this blog after that week, you should still check out the book.)

To quote from the "About this book" section of Amazon:

Every day, millions of teens log on and make decisions that can compromise their safety, security, privacy, and future. If you are like most teens, you are already using social networking sites like Twitter and Facebook and have your smartphone super-glued to your hand. You tag your friends in photos, share your location and thoughts with friends, and post jokes online that later may be misunderstood. At the same time, you might not realize how that information can affect your reputation and safety, both online and offline. We’ve all heard the horror stories of stolen identities, cyber stalking, pedophiles on the Internet, and lost job, school, and personal opportunities. All teens need to learn how to protect themselves against malware, social networking scams, and cyberbullies. Learn crucial skills:
- Deal with cyberbullies
- Learn key social networking skills
- Protect your privacy
- Create a positive online reputation
- Protect yourself from phishing and malware scams

Spaf sez, "Check it out."

Just sayin

In the June 17, 2013 online interview with Edward Snowden, there was this exchange:

Question:

Mathius1:

Is encrypting my email any good at defeating the NSA surveillance? Is my data protected by standard encryption?

Answer:

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.



I simply thought I'd point out a statement of mine that first appeared in print in 1997 on page 9 of Web Security & Commerce (1st edition, O'Reilly, 1997, S. Garfinkel & G. Spafford):

Secure web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police.

I originally came up with an abbreviated version of this quote during an invited presentation at SuperComputing 95 (December of 1995) in San Diego. The quote at that time was everything up to the "Further...." and was in reference to using encryption, not secure WWW servers.

A great deal of what people are surprised about now should not be a surprise -- some of us have been lecturing about elements of it for decades. I think Cassandra was a cyber security professor....


[Added 9/10: This also reminded me of a post from a couple of years ago. The more things change....]


 

Opticks and a Treatise on the PRISM Surveillance Program (Guest Blog)

By Mark Rasch and Sophia Hannah

Last post, we wrote about the NSA's secret program to obtain and then analyze the telephone metadata relating to foreign espionage and terrorism by obtaining the telephone metadata relating to everyone. In this post, we will discuss a darker, but somewhat less troubling program called PRISM. As described in public media as leaked PowerPoint slides, PRISM and its progeny is a program to permit the NSA, with approval of the super-secret Foreign Intelligence Surveillance Court (FISC) to obtain “direct access” to the servers of internet companies (e.g., AOL, Google, Microsoft, Skype, and Dropbox) to search for information related to foreign terrorism – or more accurately, terrorism and espionage by “non US persons.”

Whether you believe that PRISM is a wonderful program narrowly designed to protect Americans from terrorist attacks or a massive government conspiracy to gather intimate information to thwart Americans' political views, or even a conspiracy to run a false-flag operation to start a space war against alien invaders, what the program actually is, and how it is regulated, depends on how the program operates. When Sir Isaac Newton published his work Opticks in 1704, he described how a PRISM could be used to – well, shed some light on the nature of electromagnetic radiation. Whether you believe that the Booz Allen leaker was a hero, or whether you believe that he should be given the full Theon Greyjoy for treason, there is little doubt that he has sparked a necessary conversation about the nature of privacy and data mining. President Obama is right when he says that, to achieve the proper balance we need to have a conversation. To have a conversation, we have to have some knowledge of the programs we are discussing.

Different Data

Unlike the telephony metadata, the PRISM programs involve a different character of information, obtained in a potentially different manner. As reported, the PRISM programs involve not only metadata (header, source, location, destination, etc.) but also content information (e-mails, chats, messages, stored files, photographs, videos, audio recordings, and even interception of voice and video Skype calls.)

Courts (including the FISA Court) treat content information differently from “header” information. For example, when the government investigated the ricin-laced letters sent to President Obama and NYC Mayor Michael Bloomberg, they reportedly used the U.S. Postal Service's Mail Isolation Control and Tracking (MICT) system which photographs the outside of every letter or parcel sent through the mails – metadata. When Congress passed the Communications Assistance to Law Enforcement Act (CALEA), which among other things established procedures for law enforcement agencies to get access to both “traffic” (non-content) and content information, the FBI took the position that it could, without a wiretap order, engage in what it called “Post-cut-through dialed digit extraction” -- that is, when you call your bank and it prompts you to enter your bank account number and password, the FBI wanted to “extract” that information (Office of Information Retrieval) as “traffic” not “content.” So the lines between “content” and “non-content” may be blurry. Moreover, with enough context, we can infer content. As Justice Sotomayor observed in the 2012 GPS privacy case:

… it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U.S., at 742, 99 S.Ct. 2577; United States v. Miller, 425 U.S. 435, 443, 96 S.Ct. 1619, 48 L.Ed.2d 71 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers.

But the PRISM program is clearly designed to focus on content. Thus, parts of the Supreme Court's holding in Smith v. Maryland that people have no expectation of privacy in the numbers called, etc. therefore do not apply to the PRISM-type information. Right?

Again, not so fast.

Expecting Privacy

Simple question. Do you have a reasonable expectation of privacy in the contents of your e-mail?

Short answer: Yes.

Longer answer: No.

Better answer: Vis a vis whom, and for what purposes. You see, privacy is not black and white. It is multispectral – you know, like light through a triangular piece of glass.

When the government was conducting a criminal investigation of the manufacturer of Enzyte (smiling Bob and his gigantic – um – putter) they subpoenaed his e-mails from, among others, Yahoo! The key word here is subpoena, not search warrant. Now that's the thing about data and databases -- if information exists it can be subpoenaed. In fact, a Florida man has now demanded production of cell location data from – you guessed it – the NSA.

But content information is different from other information. And cloud information is different. The telephone records are the records of the phone company about how you used their service. The contents of emails and documents stored in the cloud are your records of which the provider has incidental custody. It would be like the government subpoenaing your landlord for the contents of your apartment (they could, of course subpoena you for this, but then you would know), or subpoenaing the U-stor-it for the contents of your storage locker (sparking a real storage war). They could, with probable cause and a warrant, search the locker (if you have a warrant, I guess you're going to come in), but a subpoena to a third party is dicey.

So the Enzyte guy had his records subpoenaed. This was done pursuant to the Stored Communications Act which permits it. The government argued that they didn't need a search warrant to read Enzyte guy's email, because – you guessed it – he had no expectation of privacy in the contents of his mail. Hell, he stored it unencrypted with a third party. Remember Smith v. Maryland? The phone company case? You trust a third party with your records, you risk exposure. Or as Senator Blutarsky (I. NH?) might opine, “you ()*^#)( up, you trusted us…” (actually Otter said that, with apologies to Animal House fans.)

Besides, cloud provider contracts, and email and internet provider privacy policies frequently limit privacy rights of users. In the Enzyte case, the government argued that terms of service that permitted scanning of the contents of email for viruses or spam (or in the case of Gmail or others, embedding context based ads) meant that the user of the email service “consented” to have his or her mail read, and therefore had no privacy rights in the content. (“Yahoo! reserves the right in their sole discretion to pre-screen, refuse, or move any Content that is available via the Service.”) Terms of service which provided that the ISP would respond to lawful subpoenas made them a “joint custodian” of your email and other records (like your roommate) who could consent to the production of your communications or files. Those policies that your employer has that say, “employees have no expectation of privacy in their emails or files”? While you thought that meant that your boss (and the IT guy) can read your emails, the FBI or NSA may take the position that “no expectation of privacy” means exactly that.

Fortunately, most courts don’t go so far. In general, courts have held that the contents of communications and information stored privately online (not on publicly accessible Facebook or Twitter feeds) are entitled to legal protection even if they are in the hands of potentially untrustworthy third parties. But this is by no means assured.

But clearly the data in the PRISM case is more sensitive and entitled to a greater level of legal protection than that in the telephony metadata case. That doesn't mean that the government, with a court order, can't search or obtain it. It means that companies like Google and Facebook probably can't just “give it” to the government. It's not their data.

The PRISM Problem

So the NSA wants to have access to information in a massive database. They may want to read the contents of an email, a file stored on Dropbox, whatever. They may want to track a credit card through the credit card clearing process, or a banking transaction through the interbank funds transfer network. They may want to track travel records – planes, trains or automobiles. All of this information is contained in massive databases or storage facilities held by third parties – usually commercial entities. Banks. VISA/MasterCard. Airlines. Google.

The information can be tremendously useful. The NSA may have lawful authority (a Court order) to obtain it. But there is a practical problem. How does the NSA quickly and efficiently seek and obtain this information from a variety of sources without tipping those sources off about the individual searches it is conducting – information which itself is classified? That appears to be the problem attempted to be solved by PRISM programs.

In the telephony program, the NSA “solved” the problem by simply taking custody of the database.

In PRISM, they apparently did not. And that is a good thing. The databases remain the custody of those who created them.

Here's where it gets dicey – factually.

The reports about PRISM indicate that the NSA had “direct access” to the servers of all of these Internet companies. Reports have been circulating that the NSA had similar “direct access” to financial and credit card databases as well. The Internet companies have all issued emphatic denials. So what gives?

Speculation time. The NSA and Internet companies could be outright lying. David Drummond, Google's Chief Legal Officer ain't going to jail for this. Second, they could be reinterpreting the term “direct” access. When General Alexander testified under oath that the NSA did not “collect any type of data on millions of Americans” he took the term “collect” to mean “read” rather than “obtain.”

Most likely, however, is that the NSA PRISM program is a protocol for the NSA, with FISC approval, to task the computers at these Internet companies to perform a search. This tasking is most likely indirect. How it works is, at this point, rank speculation. What is likely is that an NSA analyst, say in Honolulu, wants to get the communications (postings, YouTube videos, stored communications, whatever) of Abu Nazir, a non-US person, which are stored on a server in the U.S., or stored on a server in the Cloud operated by a US company. The analyst gets “approval” for the “search,” by which I mean that a flock of lawyers from the NSA, FBI and DOJ descend (what is the plural of lawyers? [ a "plague"? --spaf] ) and review the request to ensure that it asks for info about a non US person, that it meets the other FISA requirements, that there is minimization, etc. Then the request is transmitted to the FISC for a warrant. Maybe. Or maybe the FISC has approved the searches in bulk (raising the Writ of Assistance issue we described in the previous post.) We don't know. But assuming that the FISC approves the “search,” the request has to be transmitted to, say Google, for their lawyers to review, and then the data transmitted back to the NSA. To the analyst in Honolulu, it may look like “direct access.” I type in a search, and voilà! Results show up on the screen. It is this process that appears to be within the purview of PRISM. It may be a protocol for effectuating court-approved access to information in a database, not direct access to the database.

Or maybe not. Maybe it is a direct pipe into the servers, which the NSA can task, and for which the NSA can simply suck out the entire database and perform their own data analytics. Doubtful, but who knows? That's the problem with rank speculation. Aliens, anyone?

But we are basing this analysis on what we believe is reasonable to assume.

So, is it legal? Situation murky. Ask again later.

If the FISC approves the search, with a warrant, within the scope of the NSA's authority, on a non-US person, with minimization, then it is legal in the U.S., while probably violating the hell out of most EU and other data privacy laws. But that is the nature of the FISA law and the USA PATRIOT Act which amended it. Like the PowerPoint slides said, most internet traffic travels through the U.S., which means we have the ability (and under USA PATRIOT, the authority) to search it.

While the PRISM programs are targeted at much more sensitive content information, if conducted as described above, they actually present fewer domestic legal issues than the telephony metadata case. If they are a dragnet, or if the NSA is actually conducting data mining on these databases to identify potential targets, then there is a bigger issue.

The government has indicated that they may release an unclassified version of at least one FISC opinion related to this subject. That's a good thing. Other redacted legal opinions should also be released so we can have the debate President Obama has called for. And let some light pass through this PRISM.




Mark Rasch is the former head of the United States Department of Justice Computer Crime Unit, where he helped develop the department’s guidelines for computer crimes related to investigations, forensics and evidence gathering. Mr. Rasch is currently a principal with Rasch Technology and Cyberlaw and specializes in computer security and privacy.

Sophia Hannah has a BS degree in Physics with a minor in Computer Science and has worked in scientific research, information technology, and as a computer programmer. She currently manages projects with Rasch Technology and Cyberlaw and researches a variety of topics in cyberlaw.

Rasch Cyberlaw (301) 547-6925 www.raschcyber.com


Schrodinger’s Catnip: A Review of the NSA Phone Surveillance Program (Guest Blog)

By Mark Rasch and Sophia Hannah

The NSA programs to retrieve and analyze telephone metadata and internet communications and files (the former we will call the telephony program, the latter codenamed PRISM) are at one and the same time narrow and potentially reasonably designed programs aimed at obtaining potentially useful information within the scope of the authority granted by Congress. They are, at one and the same time, perfectly legal and grossly unconstitutional. It’s not that we are of two opinions about these programs. It is that the character of these programs is such that they have both characteristics at the same time. Like Schrödinger’s cat, they are both alive and dead at the same time – and a further examination destroys the experiment. Let’s look at the telephony program first.

Telephone companies, in addition to providing services, collect a host of information about the customer including their name, address, billing and payment information (including payment method, payment history, etc.). When the telephone service is used, the phone company collects records of when, where and how it was used – calls made (or attempted), received, telephone numbers, duration of calls, time of day of calls, location of the phones from which the calls were made, and other information you might find on your telephone bill. In addition, the phone company may collect certain technical information – for example, if you use a cell phone, the location of the cell from which the call was made, and the signal strength to that cell tower or others. From this signal strength, the phone company can tell reasonably precisely where the caller is physically located (whether they are using the phone or not) even if the phone does not have GPS. In fact, that is one of the ways that the Enhanced 911 service can locate callers. The phone company creates these records for its own business purposes. It used to collect this primarily for billing, but with unlimited landline calling, that need has diminished. However, the phone companies still collect this data to do network engineering, load balancing and other purposes. They have data retention and destruction policies which may keep the data for as short as a few days, or as long as several years, depending on the data. Similar “metadata” or non-content information is collected about other uses of the telephone networks, including SMS message headers and routing information. Continuing with the Schrödinger analogy, the law says that this is private and personal information, which the consumer does not own and for which the consumer has no expectation of privacy. Is that clear?

Federal law calls this telephone metadata “Consumer Proprietary Network Information” or CPNI. 47 U.S.C. 222 (c)(1) provides that:

Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.

Surprisingly, the exceptions to this prohibition do not include a specific “law enforcement” or “authorized intelligence activity” exception. Thus, if the disclosure of consumer CPNI to the NSA under the telephony program is “required by law” then the phone company can do it. If not, it can’t.

But wait, there’s more. At the same time that the law says that consumer’s telephone metadata is private, it also says that consumers have no expectation of privacy in that data. In a landmark 1979 decision, the United States Supreme Court held that the government could use a simple subpoena (rather than a search warrant) to obtain the telephone billing records of a consumer. See, these aren’t the consumer’s records. They are the phone company’s records. The Court noted, “we doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must "convey" phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills.” The court went on, “even if petitioner did harbor some subjective expectation that the phone numbers he dialed would remain private, this expectation is not "one that society is prepared to recognize as `reasonable.'”

By trusting the phone company with the records of the call, consumers “assume the risk” that the third party will disclose it. The Court explained, “petitioner voluntarily conveyed to it information that it had facilities for recording and that it was free to record. In these circumstances, petitioner assumed the risk that the information would be divulged to police.” This dichotomy is not surprising. The Supreme Court held that, as a matter of Constitutional law, any time you trust a third party, you run the risk that the information will be divulged. Prosecutors and litigants subpoena third party information all the time – your phone bills, your medical records, credit card receipts, bank records, surveillance camera data, and records from your mechanic – just about anything. These are not your records, so you can’t complain. At the same time, Congress was concerned with phone company’s use of CPNI for marketing purposes without consumer consent, so they imposed statutory restrictions on the disclosure or use of CPNI unless “required by law.”

Enter the NSA

There is little doubt that telephony metadata can be useful in foreign intelligence and terrorism cases. Hell, it can be useful in any criminal investigation, or for that matter, a civil or administrative case. But if the CIA obtains the phone records of, say Abu Nazir (for Homeland fans), and spots a phone number he has called, they, through the NSA, want to be able to find out information about that phone call, and who that person called. The NSA wants this data for precisely the same reason that it is legally protected – phone metadata reveals patterns which can show relationships between people, and help determine who is associated with whom and for what purpose. Metadata and link analysis can help distinguish between a call to mom, a call to a colleague, and a call to a terrorist cell. Context can reveal content – or at least create a strong inference of content. So, in appropriate cases involving terrorism, national security or intelligence involving non-US persons, the NSA should have this data. And indeed, they always have. None of that is new.

If the NSA captured a phone number, say 867-5309, they could demand the records relating to that call from the phone company through an order issued by a special super-secret court called FISC. The order could say “give the NSA all the records of phone usage of 867-5309 as well as the records of the numbers that they called.” Problem is, that is unwieldy, time consuming, requires a new court order with each query, and in many ways overproduces records. Remember, not only are these terrorism and national security investigations, but the target is a non-US person, usually (but not always) located outside the United States.

The Fourth Amendment

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Read that carefully. You would think that it requires a warrant to search, right? Wrong. Actually, Courts interpret the comma after the word “violated” as a semi-colon (who says grammar doesn’t matter?) “The people” which includes but is not limited to U.S. citizens, have a right to be secure against unreasonable searches and seizures (more on the “and” in a minute). Also, warrants have to be issued by neutral magistrates and must specify what is to be seized. So no warrant is needed if the search is “reasonable.” In fact, the vast majority of “searches and seizures” in America are conducted without a warrant. People are searched at airports and borders. No warrant. They are patted down on the streets and in their cars. No warrant. Cops look into their car windows, follow them around, and capture video of them without a warrant. Police airplanes, helicopters (and soon drones) capture images of people in their back yards or porches. No warrant. Dogs can sniff for drugs, bombs or contraband. No warrant. And people give consent to search without a warrant all the time. When the police searched the boat for the fugitive Boston bomber, they needed no warrant because of exigent circumstances (and perhaps because the boat’s owner consented). Warrantless searches can be “reasonable” and can pass constitutional muster. That’s one reason Congress created the FISC.

For law enforcement purposes (to catch criminals) the government can get a grand jury subpoena, a search warrant, a “trap and trace” order, a “pen register” order, a Title III wiretap order, or other orders if they can show (depending on the information sought) probable cause or some relevance to the criminal investigation. But for intelligence gathering purposes, the NSA can’t really show “probable cause” to believe that there’s a crime, because often there is not. It’s intelligence gathering. So the Foreign Intelligence Surveillance Act (FISA) created a special secret court to allow the intelligence community to do what the law enforcement community could already do – get information under a court order, but instead of showing that a crime was committed, they had to show that the information related to foreign intelligence.

After September 11, 2001, Congress added terrorism as well. When Congress amended FISA, it allowed the FISA court (FISC) to authorize orders for the production of “books records or other documents.” Section 215 of the USA PATRIOT Act allowed the FBI to apply for an order to produce materials that assist in an investigation undertaken to protect against international terrorism or clandestine intelligence activities. The act specifically gives an example to clarify what it means by "tangible things": it includes "books, records, papers, documents, and other items." Telephone metadata fits within this description, including the NSA Telephony Program (as we know it).

So the NSA has the authority to seek and obtain (through the FBI and FISC) telephone metadata. It also has a legitimate need to do so. But that’s not exactly what they did here. Instead of getting the records they needed, the NSA decided that it would get all the records of all calls made or received (non-content information) about everyone, at least from Verizon, and most likely from all providers. The demand was updated daily, so every call record was dumped by the phone companies onto a massive database operated by the NSA.

Now this is bad. And good. The good part is that, by collecting metadata from all of the phone companies, the NSA could “normalize” and cross-reference the data. A single authorized search of the database could find records from Verizon, AT&T, Sprint, T-Mobile, and possibly Orange, British Telecom, who knows? Rather than having to have the FISC issue an order to Verizon for a phone record, and then after that is examined, another order to AT&T, by having the data all in one place, “pingable” by the NSA, a single query can find all of the records related to that query.

So if the FISC authorizes a search for Abu Nazir’s phone records, this process allows the NSA to actually get them. Also, the NSA doesn’t have to provide a court order (which itself would reveal classified information about who they were looking at) to some functionary at Verizon or AT&T (even if that functionary had a security clearance). And Verizon’s database would not have a record of what FISC authorized searches the NSA conducted – information which itself is highly classified.

Just because the NSA had all of the records does not mean that it looked at them all. In fact, the NSA and FBI established a protocol, which was apparently approved by the FISC that restricted how and when they could ping this massive database. So the mere physical transfer of the metadata database from the phone companies to the NSA doesn’t impinge privacy unless and until the NSA makes a query, and these queries are all authorized by the FISC and are lawful. So what’s the big deal? It’s all good, man.

General Warrant

Not so fast Mr. Schrödinger. There are two huge legal problems with this program. Undoubtedly, the USA PATRIOT Act authorizes the FISC to order production of “tangible things” and these records are “tangible things.” But the law does not authorize what are called “general warrants.” A general warrant is a warrant that either fails to specify the items to be searched for or seized, fails to do so with particularity, or is so broad or vague as to permit the person seizing the items almost unfettered discretion in what to take. A warrant which permitted seizure of “all evidence of crimes” or “all evidence of gang activity” would be an unconstitutional general warrant.

It’s important to note that the warrant is “legal” in the sense that it was for information relevant to a crime (or, say terrorism), that the obtaining of the warrant was authorized by law, that a court issued the warrant, and that the proper procedures were followed. But the warrant is unconstitutional and so is the search and seizure. This is particularly true where the warrant seeks information that relates to First Amendment protected activities like what books we are reading, and with whom we are associating. So when Texas authorized the search and seizure of records relating to “communist activities” (the ism before terrorism) and cops got a warrant to take such books and records, the Supreme Court had no problem finding that the warrant was an unconstitutional “general warrant.”

Even though the FISC warrant to Verizon specified exactly what was to be seized (“everything”) it was undoubtedly a general warrant. Remember, the Fourth Amendment prohibits unreasonable “searches” and “seizures.” A warrant authorizing seizure of all records of millions of people who did nothing wrong, particularly when it is designed to figure out their associations is about as general as you can get. And that is assuming that the searches, or pinging to the database, which happen later, are reasonable.

What’s more, by taking custody of all of these records, the NSA abrogates the document retention and destruction policies of all of the phone companies. We can assume that the NSA keeps these records indefinitely. So long after Verizon decides it doesn’t need to know what cell tower you pinged on July 4, 2005 at 6:15.22 PM EST, the NSA will retain this record. That’s a problem for the NSA because now, instead of subpoenaing Verizon for these records (especially in a criminal case where the defendant has a constitutional right to the records if relevant to a defense), the NSA (or FBI who obtained the records for the NSA) can expect to get a subpoena for the records. While the NSA and FBI would undoubtedly claim that the program is classified, clearly my own phone records are not classified. A federal law called the Classified Information Procedures Act provides a mechanism to obtain unclassified versions of classified data. So if you were charged with a crime by the FBI, and the same FBI had records (in this database) that indicated that you did not commit the crime, they would have to search the database and produce the records. And when Verizon tells you that the records are gone, well… it ain’t true anymore.

But wait, there’s more.

Even if the “seizure” is a general warrant, the government would argue that it is “reasonable” because it is necessary to effectuate the NSA’s function of protecting national security, and its impact on privacy is minimal because the database isn’t “pinged” without court approval. The “collection” of data about tens of millions of Americans doesn’t affect their privacy especially when the Supreme Court said that they have no privacy rights in this data, and it doesn’t even belong to them. (Even though the Director of National Intelligence testified in March that the NSA did not “collect” any data on millions of Americans). Besides, the NSA would argue, there is no other way for the government to do this.

What does the NSA do with the records? Here’s where there is an unknown. At present, we do not know what the NSA does with the telephone metadata database. Do they simply query it – e.g., give me all the records of calls made by Abu Nazir; or do they perform data mining, link analysis, and pattern analysis on the database in order to identify potential Abu Nazirs? If the latter, then the NSA is clearly searching records of millions of Americans. If the former, it is still troubling for a few reasons.

Six Degrees of Separation

First, the NSA’s authority revolves around non-US persons. While there may be “inadvertent” collection on U.S. persons, the target of the surveillance must be a non-US person for the program to be legal. According to the leaked documents, the NSA took a very liberal interpretation of what this means. First, they determined that as long as there was a 51% chance that the target was a non-US person, the NSA was entitled to obtain records. Second, they may – and we stress "may" – have interpreted their authority as providing that, if the target of the investigation was foreign (again 51% chance) then they could obtain records related to calls between two US persons wholly in the US. Finally, they apparently deployed a “two degrees of separation” test. If Abu Nazir (51% foreign) called John Smith’s telephone number, the NSA could look at who Smith (100% US) called within the US (first degree of separation). If Smith called Jones, the NSA could then look at Jones’ call records (second degree of separation.) At this point, even if the pinging of the database is authorized by the FISC, we are a long way from Abu Nazir. Toto, I’m afraid we are in Kansas.

Writs of Assistance

OK, but what’s the big deal? The seizure of the database is authorized by FISC, under a statute approved by Congress, with Congressional knowledge and oversight (maybe), and under strict control by the NSA, the FBI and DOJ. Every search of the database is approved by the super-secret court, right? Not so fast, Kemo Sabe. It is highly unlikely that the FISC approves every database search. More likely is that the FBI and NSA have established protocols and procedures designed to ensure that the searches are within their jurisdiction, are designed to find information about terrorism and foreign intelligence, that the targets are (51%) foreign, and that there is a minimization procedure. These protocols – rather than the individual searches themselves – are what are approved by the FISC. The NSA then most likely reports back to the FISC (through the DOJ) about whether there was an “inadvertent disclosure” of information not related to these objectives. So the court most likely does not approve every search.

And that’s another problem. You see, each “search” of the database is – well – a search. That search must be supported by probable cause (in a criminal case to believe that there’s a crime, in a FISA case, espionage, foreign intelligence or terrorism) and must be approved by a court. Each search. Not the process. We have been down this road before. In fact, this is precisely what led to the American Revolution in general and the Fourth Amendment in particular.

When the British Parliament issued the Navigation Acts imposing tariffs on goods imported into America, many colonists refused to pay them (as Boston lawyer James Otis noted, “taxation without representation is tyranny”). So Parliament authorized King George II to issue what are called “writs of assistance.” This writ, issued by a Court, authorized the executive branch (a customhouse officer with the assistance of the sheriff) to search colonists’ houses for unlawfully smuggled items. These writs did not specify what the sheriff could search for or seize, or where he could look. Like the NSA program, the court approved what could be done, the executive had discretion in how to do it. When George II was succeeded by George III (the writs expiring with the death of the King) Parliament reauthorized them under the hated Townshend Acts. James Otis urged resistance, and it was the use of these unspecific writs authorizing searches that galvanized public opinion (and that of John Adams in particular) to urge revolution. It is why the Fourth Amendment demanded that a search warrant specify, based on probable cause, the specific place to be searched and item to be seized. It’s also why writs of assistance are prohibited in the constitution.

The NSA FISC approved searches would be like a judge in Los Angeles issuing a search warrant to the LAPD which said, “you may search any house as long as you smell marijuana in that house.” While the search may be reasonable, and indeed, if the LAPD had applied for a warrant to search a house after they smelled marijuana a court probably would have issued the warrant, the broad blanket approval of these searches would be more akin to a writ of assistance.   

So the NSA digital telephony program, while legal in the sense that it was approved by both Congress and the Foreign Intelligence Surveillance Court, has some serious Constitutional problems.

Telephone Company Liability?

The phone companies could be on the hook for participating in the program, even though they have both immunity and had no choice but to participate. In fact, they could not legally have even disclosed the program. In the FISA amendments, Congress expressly gave the phone companies immunity for making “good faith” disclosures of information pursuant to Section 215.

So why would the phone company be in trouble? The problem is the “good faith” part. In 2012 the Supreme Court looked at the question of when someone (cops in that case) should have immunity for a good faith search pursuant to an unconstitutional warrant. The cops got a warrant for all records of “gang related activity” and all guns in a particular house. The court agreed that the warrant was overbroad, unconstitutional, and should not have been issued. The question was whether the cops, who executed the warrant, should have immunity from civil liability because they acted in “good faith.”

The Supreme Court noted that the fact that they got a warrant at all was one indication that they acted in good faith, but that, “the fact that a neutral magistrate has issued a warrant authorizing the allegedly unconstitutional search or seizure does not end the inquiry into objective reasonableness. Rather, we have recognized an exception allowing suit when ‘it is obvious that no reasonably competent officer would have concluded that a warrant should issue.’” In other words, the cops are generally permitted to rely on the fact that a court issued a search warrant, unless the warrant itself (or the means by which it is procured) is so obviously unconstitutional, overbroad, general or otherwise prohibited that you cannot, in good faith, rely on it. While the court found that the cops had immunity because the warrant was not so overbroad to lead to the inevitable conclusion that it was unconstitutional, it is hard to make that same argument where the FISA warrant essentially asked for every record of the phone company. Hard to imagine a broader warrant.

Justice Kagan pointed out that it’s not illegal to be a member of a gang, and that a warrant that authorized seizure of evidence of gang membership per se called for associational records which were protected. Much like the phone logs here. Justices Sotomayor and Ginsburg went further, noting: The fundamental purpose of the Fourth Amendment’s warrant clause is “to protect against all general searches.” Go-Bart Importing Co. v. United States, 282 U. S. 344, 357 (1931).

The Fourth Amendment was adopted specifically in response to the Crown’s practice of using general warrants and writs of assistance to search “suspected places” for evidence of smuggling, libel, or other crimes. Boyd v. United States, 116 U. S. 616–626 (1886). Early patriots railed against these practices as “the worst instrument of arbitrary power” and John Adams later claimed that “the child Independence was born” from colonists’ opposition to their use. Id., at 625 (internal quotation marks omitted).

To prevent the issue of general warrants on “loose, vague or doubtful bases of fact,” Go-Bart Importing Co., 282 U. S., at 357, the Framers established the inviolable principle that should resolve this case: “no Warrants shall issue, but upon probable cause . . . and particularly describing the . . . things to be seized.” U. S. Const., Amdt. 4. That is, the police must articulate an adequate reason to search for specific items related to specific crimes. They found that the search by the police without probable cause was unreasonable even though there was both judicial and executive oversight, and that therefore there should be no immunity because the actions were not in “good faith.” The phone companies run that risk here.




Mark Rasch is the former head of the United States Department of Justice Computer Crime Unit, where he helped develop the department’s guidelines for computer crimes related to investigations, forensics and evidence gathering. Mr. Rasch is currently a principal with Rasch Technology and Cyberlaw and specializes in computer security and privacy.

Sophia Hannah has a BS degree in Physics with a minor in Computer Science and has worked in scientific research, information technology, and as a computer programmer. She currently manages projects with Rasch Technology and Cyberlaw and researches a variety of topics in cyberlaw.

Rasch Cyberlaw (301) 547-6925 www.raschcyber.com


On Competitions and Competence

This is a follow-up to my last post here, about the "cybersecurity profession" and education. I was moderating one of the panels at the most recent CERIAS Symposium, and a related topic came up.

Let's start with some short mental exercises. Limber up your cerebellum. Stretch out and touch your cognitive centers a few times. Ready?

There's another barn on fire! Quick, get a bucket brigade going -- we need to put the fire out before everything burns. Again. It is getting so tiring watching all our stuff burn while we're trying to run a farm here. Too bad we can only afford the barns constructed of fatwood. But no time to think of that -- a barn's burning again! 3rd time this week!

Hey, you people over there tinkering with designs for sprinkler systems and concrete barns -- cut it out! We can't spare you to do that -- too many barns are burning! And you, stop babbling about investigating and arresting arsonists -- we don't have time or money for that: didn't you hear me? Another barn is burning!

Now, hurry up. We're going to have a contest to find who can pass this pail of water the quickest. Yes, it is a small, leaky pail, but we have a lot of them, so that is what we're going to use in the contest. The winners get to be closest to the flames and have a name tag that says "fire prevention specialist." No, we can't afford larger buckets. And no, you can't go get a hose -- we need you in the line. Damnit! The barn's burning!

Sounds really stupid, doesn't it? Whoever is in charge isn't doing anything to address the underlying problem of poor barn construction. It doesn't really match the notion of what a fire prevention specialist might really do. And it certainly doesn't provide deep career preparation for any of those contestants... it may even condemn them to a future of menial bucket passing because we're putting them on the line with no training or qualification beyond being able to pass a bucket.

Let's try another one.

Imagine that every car and automobile in the country has been poorly designed. They almost all leak coolant and burn oil. They're trivial to steal. They are mostly cheap junkers, all built on the same frame with the same engines, accessories, and tires -- even the ones sold to the police and military (actually, they're the same cars, but with different paint). The big automakers are rolling out new models every year that they advertise as being more efficient and reliable, but that is simply hype to get you to buy a new car because the new features also regularly break down. There are a few good models available, but they are quite a bit more expensive; those more expensive ones often (but not always) break down less, are more difficult to steal, and get far better mileage. Their vendors also don't have a yearly model update, and many consumers aren't interested in them because those cars don't take the common size of tire or fuzzy dice for the mirror.

The auto companies have been building this way for decades. They sell their products around the world, and they're a major economic force. Everyone needs a car, and they shell out money for new ones on a regular basis. People grumble about the poor quality and the breakdowns, but other than periodic service bulletins, there are few changes from year to year. Many older, more decrepit cars are on the road because too many people (and companies) cannot afford to buy new ones that they know aren't much better than the old ones. Many people argue -- vociferously -- against any attempt to put safety regulations on the car companies because it might hurt such an important market segment.

A huge commercial enterprise has sprung up around fixing cars and adding on replacement parts that are supposedly more reliable. People pour huge amounts of money into this market because they depend on the cars for work, play, safety, shopping, and many other things. However, there are so many cars, and so many update bulletins and add-ons, there simply aren't enough trained mechanics to keep up -- especially because many of the add-ons don't work, or require continual adjustment.

What to do? Aha! We'll encourage young people in high school and maybe college to become "automotive specialists." We'll publish all sorts of articles with doom and gloom as a result of the shortage of people going into auto repair. We especially need lots more military mechanics.

So...we'll have competitions! We'll offer prizes to the individuals (or teams) that are able to change the oil of last year's model the most quickly, or who can most efficiently hotwire a pickup truck, take it to the garage, change the tires, and return it. The government will support these competitions. They'll get lots of press. Some major professional organizations and even universities will promote these. Of course we'll hire lots of mechanics that way! (Women aren't interested in these kinds of competition? We won't worry about that now. People who are poor with wrenches won't compete? No problem -- we'll fill in with the rest.)

Meanwhile, the government and major companies aren't really doing anything to fix the actual engineering of the automobiles. There are a few comprehensive engineering programs at universities around the country, but minimal focus and resources are applied there, and little is said about applying their knowledge to really fixing transportation. The government, especially the military, simply wants more mechanics and cheaper cars -- overall safety and reliability aren't a major concern.

Pretty stupid, huh? But there does seem to be a trend to these exercises.

Let's try one more.

We have a large population that needs to be fed. They've grown accustomed to cheap, fast-food. Everyone eats at the drive-thru, where they get a burger or compressed chicken by-product or mystery-meat taco. It's filling, and it keeps them going for the day. It also leads to obesity, hypertension, cardiac problems, diabetes, and more. However, no one really blames the fast-food chains, because they are simply providing what people want.

It isn't exactly what people should have, and is it really what everyone wants? No, there are better restaurants with healthy food, but that food is more expensive and many people would go hungry if they had to eat at those places given the current economic model. Of course, if they didn't need to spend so much on medicine and hospital stays, a healthier diet is actually cheaper. Also, those better places aren't easy to find -- small (or no) advertising budgets, for instance.

The government has contracted with the chains for food, and even serves it at every government office and on every military base. The chains thus have a fair amount of political clout so that every time someone raises the issue about how unhealthy the food is, they get muffled by the arguments "But it would be too expensive to eat healthy" and "Most people don't like that other food and can't even find it!"

We have a crisis because the demand for the fast-food is so great that there aren't enough fry cooks. So, the heads of major military organizations and government agencies observe we are facing a crisis because, without enough fry cooks, our troops will be overwhelmed by better fed people from China. Government officials and industry people agree because they can't imagine any better diet (or are so enamored of fried potatoes that they don't want anything else).

How do they address the crisis? By mounting advertising campaigns to encourage young people to enter the exciting world of "cuisine awareness." We make it seem glamorous. Private organizations offer certifications in "soda making" and "ketchup bottle maintenance" that are awarded after 3-day seminars. DOD requires anyone working in food service to have one of these certificates -- and that's basically all. We see educational institutes and small colleges offering special programs in "salad bar maintenance." The generals and admirals keep showing up at meetings proclaiming how important it is that we get more burger-flippers in place before we have a "patty melt Pearl Harbor."

The government launches a program to certify schools as centers of "Cuisine Awareness Excellence" if they can prove they have at least 5 cookbooks in the library, a crockpot, and two faculty who have boiled water. Soon, there are hundreds of places designated with this CAE, from taco trucks and hot dog stands to cordon bleu centers -- but lots are only hot dog stands. None of them are given any recipes, cooks, or financial support, of course -- simply designating them is enough, right?

When all of that isn't seen to be enough, the powers-that-be offer up contests that encourage kids to show up and cook. Whoever is able to most quickly defrost a compressed cake of Soylent Red, cook it, stick it in a bun, and serve it up in a bag with fries is declared the winner and given a job behind someone's grill. Actually, each registered contestant gets a jaunty paper cap and offer of an immediate job cooking for the military (assuming they are U.S. citizens; after all, we know what those furriners eat sure isn't food!) And gosh, how could they aspire to be anything BUT a fry cook for the next 40 years -- no need to worry about any real education before they take the jobs.

Meanwhile, those studying dietetics, preventative health care, sustainable agriculture, haute cuisine, or other related topics are largely ignored -- not to mention the practicing experts in these fields. The people and places of study for those domains are ignored by the officials, and many of the potential employers in those areas are actually going out of business because of lack of public interest and support. The advice of the experts on how to improve diet is ignored. Find that disconcerting? Here -- have a deep-fried cherry pie and a chocolate ersatz-dairy item drink to make you feel better.

Did you sense a set of common threads (assuming you didn't blow out your cortex in the exercise)?

First, in every case, a mix of short-sighted and ultimately stupid solutions are being undertaken. In each, there are large-scale efforts to address pressing problems that largely ignore fundamental, systemic weaknesses.

Second, there are a set of efforts putatively being made to increase the population of experts, but only with those who know how to address a current, limited problem set. Fancy titles, certificates, and seminars are used to promote these technicians. Meanwhile, longer-term expertise and solutions are being ignored because of the perceived urgency of the immediate problems and a lack of understanding of cost and risk.

Third, longer-term disaster is clearly coming in each case because of secondary problems and growth of the current threats.

Why did this come up with my post and panel on cybersecurity? I would hope that would be obvious, but if not, let me suggest you go back to read my prior post, then read the above examples, again. Then, consider:

  • Nationally, we are investing heavily in training and recruiting "cyber warriors" but pitifully little towards security engineers, forensic responders, and more. It is an investment in technicians, not in educated expertise.
  • We have a marketplace where we continue to buy poorly-constructed products then pay huge amounts for add-on security and managing response; meanwhile, we have knowledgeable users complaining that they can't afford the up-front cost required to replace shoddy infrastructure with more robust items
  • Rather than listen to experts, we let business and military interests drive the dialog
  • We have well-meaning people who somehow think that "contests" are useful in resolving part of the problem

One of the most egregious aspects is this last item -- the increasing use of competitions as a way of drawing people to the field. Competitions, by their very nature, stress learned behavior to react to current problems that are likely small deviations from past issues. They do not require extensive grounding in multiple fields. Competitions require rapid response instead of careful design and deep thought -- if anything, they discourage people who exhibit slow, considerate thinking -- discourage them from the contests, and possibly from considering the field itself. If what is being promoted are competitions for the fastest hack on a Wintel platform, how is that going to encourage deep thinkers interested in architecture, algorithms, operating systems, cryptology, or more?

Competitions encourage the mindset of hacking and patching, not of strong design. Competitions encourage the mindset of quick recovery over the gestalt of design-operate-observe-investigate-redesign. Because of the high-profile, high-pressure nature of competitions, they are likely to discourage the philosophical and the careful thinkers. Speed is emphasized over comprehensive and robust approaches. Competitions are also likely to disproportionately discourage women, the shy, and those with expertise in non-mainstream systems. In short, competitions select for a narrow set of skills and proclivities -- and may discourage many of the people we most need in the field to address the underlying problems.

So, the next time you hear some official talk about the need for "cyber warriors" or promoting some new "capture the flag" competition, ask yourself if you want to live in a world where the barns are always catching fire, the cars are always breaking down, nearly everyone eats fast food, and the major focus of "authorities" is attracting more young people to minimally skilled positions that perpetuate that situation...until everything falls apart. The next time you hear about some large government grant that happens to be within 100 miles of the granting agency's headquarters or corporate support for a program of which the CEO is an alumnus but there is no history of excellence in the field, ask yourself why their support is skewed towards building more hot dog stands.

Those of us here at CERIAS, and some of our colleagues with strategic views elsewhere, remind you that expertise is a pursuit and a process, not a competition or a 3-day class, and some of us take it seriously. We wish you would, too.

Your brain may now return to being a couch potato. grin