Posts by spaf

Bullies, Pirates and Lulz

Yet another breach of information has occurred, this time from the Arizona Department of Public Safety. A large amount of data about law enforcement operations was exposed, as was a considerable amount of personnel information. As someone who has been working in information security and the implications of technology for nearly 30 years, two things come to mind.

First, if a largely uncoordinated group could penetrate the systems and expose all this information, then so could a much more focused, well-financed, and malevolent group — and it would not likely result in postings picked up by the media. Attacks by narcotics cartels, organized crime, terrorists and intelligence agencies are obvious threats; we can only assume that some have already succeeded but not been recognized or publicized. And, as others are noting, this poses a real threat to the physical safety of innocent people. Yes, in any large law enforcement organization there are likely to be some who are corrupt (the claimed reason behind the attack), but that is not reason to attack them all. Some of the people they are arrayed against are far worse.

For example, there are thousands (perhaps tens of thousands) of kidnappings in Mexico for ransom, with many of the hostages killed rather than freed after payment. Take away effective law enforcement in Arizona, and those gangs would expand into the U.S. where they could demand bigger ransoms. The hackers, sitting behind a keyboard removed from gang and street violence, safe from forcible rape, and with enough education to be able to avoid most fraud, find it easy to cherry-pick some excesses to complain about. But the majority of people in the world do not have the education or means to enjoy that level of privileged safety. Compared to police in many third-world countries where extortion and bribes are always required for any protection at all, U.S. law enforcement is pretty good. (As is the UK, which has also recently been attacked.)

Ask yourself what the real agenda is of a group that has so far only attacked law enforcement in some of the more moderate countries, companies without political or criminal agendas, and showing a total disregard for collateral damage. Ask why these "heroes" aren't seeking to expose some of the data and names of the worst drug cartels, or working to end human trafficking and systematic rape in war zones, or exposing the corruption in some African, South American & Asian governments, or seeking to damage the governments of truly despotic regimes (e.g., North Korea, Myanmar), or interfering with China's online attacks against the Dalai Lama, or leaking memos about willful environmental damage and fraud by some large companies, or seeking to destroy extremist groups (such as al Qaida) that oppress woman and minorities and are seeking weapons of mass destruction.

Have you seen one report yet about anything like the above? None of those actions would necessarily be legal, but any one of them would certainly be a better match for the claimed motives. Instead, it is obvious that  these individuals and groups are displaying a significant political and moral bias — or blindness — they are ignoring the worst human rights offenders and criminals on the planet. It seems they are after the ego-boosting publicity, and concerned only with themselves. The claims of exposing evil is intended to fool the naive.

In particular, this most recent act of exposing the names and addresses of family members of law enforcement, most of whom are undoubtedly honest people trying to make the world a safer place, is not a matter of "Lulz" — it is potentially enabling extortion, kidnapping, and murder. The worst criminals, to whom money is more important than human life, are always seeking an opportunity to neutralize the police. Attacking family members of law enforcement is common in many countries, including Mexico, and this kind of exposure further enables it now in Arizona. The data breach is attacking some of the very people and organizations trying to counter the worst criminal and moral abuses that may occur, and worse, their families.

Claiming that, for instance, that the "War on Drugs" created the cartels and is morally equivalent (e.g., response #13 in this) is specious. Laws passed by elected representatives in the U.S. did not cause criminals in Mexico to kidnap poor people, force them to fight to the death for the criminals' amusement, and then force the survivors to act as expendable drug mules. The moral choices by criminals are exactly that — moral choices. The choice to kidnap, rape, or kill someone who objects to your criminal behavior is a choice with clear moral dimensions. So are the choices of various hackers who expose data and deface systems.

When I was growing up, I was the chubby kid with glasses. I didn't do well in sports, and I didn't fit in with the groups that were the "cool kids." I wasn't into drinking myself into a stupor, or taking drugs, or the random vandalism that seemed to be the pasttimes of those very same "cool kids." Instead, I was one of the ones who got harassed, threatened, my homework stolen, and laughed at. The ones who did it claimed that it was all in fun — this being long before the word "lulz" was invented. But it was clear they were being bullies, and they enjoyed being bullies. It didn't matter if anyone got hurt, it was purely for their selfish enjoyment. Most were cowards, too, because they would not do anything that might endanger them, and when they could, they did things anonymously. The only ones who thought it was funny were the other dysfunctional jerks. Does that sound familiar?

Twenty years ago, I was objecting to the press holding up virus authors as unappreciated geniuses. They were portrayed as heroes, performing experiments and striking blows against the evil computer companies then prominent in the field. Many in the public and press (and even in the computing industry) had a sort of romantic view of them — as modern, swashbuckling, electronic pirates, of the sorts seen in movies. Now we can see the billions of dollars in damage wrought by those "geniuses" and their successors with Zeus and Conficker and the rest. The only difference is of time and degree — the underlying damage and amoral concern for others is simply visible to more people now. (And, by the way, the pirates off Somalia and in the Caribbean, some of whom simply kill their victims to steal their property, are real pirates, not the fictional, romantic versions in film.)

The next time you see a news article about some group, by whatever name, exposing data from a gaming company or law enforcement agency, think about the real evil left untouched. Think about who might actually be hurt or suffer loss. Think about the perpetrators hiding their identities, attacking the poorly defended, and bragging about how wonderful and noble and clever they are. Then ask if you are someone cheering on the bully or concerned about who is really getting hurt. And ask how others, including the press, are reporting it. All are choices with moral components. What are yours?

Update: June 26

I have received several feedback comments to this (along with the hundreds of spam responses). Several were by people using anonymous addresses. We don't publish comments made anonymously or containing links to commercial sites. For this post, I am probably not going to pass through any rants, at least based on what I have seen. Furthermore, I don't have the time (or patience) to do a point-by-point commentary on the same things, again and again. However, I will make a few short comments on what I have received so far.

Several responses appear to be based on the assumption that I don't have knowledge or background to back up some of my statements. I'm not going to rebut those with a list of specifics. However, people who know what I've been doing over the few decades (or bothered to do a little research) — including work with companies, law enforcement, community groups, and government agencies — would hardly accuse me of being an observer with only an academic perspective.

A second common rant is that the government has done some bad things, or the police have done something corrupt, or corporations are greedy, and those facts somehow justify the behavior I described. Does the fact that a bully was knocked around by someone else and thus became a bully mean that if you are the victim, it's okay? If so, then the fact that the U.S. and U.K. have had terrorist attacks that have resulted in overly intrusive laws should make it all okay for you. After all, they had bad things happen to them, so their bad behavior is justified, correct? Wrong. That you became an abuser of others because you were harmed does not make it right. Furthermore, attacks such as the ones I discussed do nothing to fix those problems, but do have the potential to harm innocent parties as well as give ammunition to those who would pass greater restrictions on freedom. Based on statistics (for the US), a significant number of the people whining about government excess have not voted or bothered to make their opinions known to their elected representatives. The more people remain uninvolved, the more it looks like the population doesn't care or approves of those excesses, including sweetheart deals for corporations and invasions of privacy. Change is possible, but it is not going to occur by posting account details of people subscribed to Sony services, or giving out addresses and names of families of law enforcement officers, or defacing the NPR website. One deals with bullies by confronting them directly.

The third most common rant so far is to claim that it doesn't make any difference, for one reason or another: all the personal information is already out there on the net or will be soon, that the government (or government of another country) or criminals have already captured all that information, that it doesn't cost anything, security is illusory, et al. Again, this misses the point. Being a bully or vandal because you think it won't make any difference doesn't excuse the behavior. Because you believe that the effects of your behavior will happen anyhow is no reason to hasten those effects. If you believe otherwise, then consider: you are going to die someday, so it doesn't make a difference if you kill yourself, so you might as well do it now. Still there? Then I guess you agree that each act has implications that matter even if the end state is inevitable.

Fourth, some people claim that these attacks are a "favor" to the victims by showing them their vulnerabilities, or that the victims somehow deserved this because their defenses were weak. I addressed these claims in an article published in 2003. In short, blaming the victim is inappropriate. Yes, some may deserve some criticism for not having better defenses, but that does not justify an attack nor serve as a defense for the attackers. It is no favor either. If you are walking down a street at night and are assaulted by thugs who beat you with 2x4s and steal your money, you aren't likely to lie bleeding in the street saying to yourself "Gee, they did me a huge favor by showing I wasn't protected against a brutal assault. I guess I deserved that." Blaming the victim is done by the predators and their supporters to try to justify their behavior. And an intrusion or breach, committed without invitation or consent, is not a favor — it is a crime.

Fifth, if you support anarchy, then that is part of your moral choices. It does not invalidate what I wrote. I believe that doing things simply because they amuse you is a very selfish form of choice, and is the sort of reasoning many murderers, rapists, pedophiles and arsonists use to justify their actions. In an anarchy, they'd be able to indulge to their hearts content. Lotsa lulz. But don't complain if I and others don't share that view.

I am going to leave it here. As I said, I'm not interested in spending the next few weeks arguing on-line with people who are trying to justify behavior as bullies and vandals based on faulty assumptions.

U.S. Memorial Day Thoughts on Cyber War

We've been hearing about "cyber war" for some time now. It has been held out as an existential threat by some people, been the topic of scores of books, and led to the establishment of military organizations in several countries, including the U.S. Cybercommand, China's Blue Army, in the UK, and more. The definition of "cyberwar" has been somewhat imprecise, in part because some people trying to define it don't necessarily understand the full range of whatever "cyber" actually encompasses. It is also the case that definitions that include some current activities might imply that we're at war, and that has political ramifications that might be unpleasant to confront. The range of activities often discussed — including snooping, theft, espionage, and DDOS — don't really seem on the same level as a tank blitz or nuclear attack. After all, would an inability to shop online for a week really be a form of battle damage?

Of course, our whole definition of "war" is itself a little muddled. We have the World Wars, certainly. But from a strictly U.S. perspective, consider the Korean and Vietnam conflicts — were those wars? Or the Gulf War, Bosnia and Herzegovina, Iraq, Afghanistan — was the U.S. at war? And is that what is going on with Libya? In one sense, yes, because in each we employed military forces against a defined enemy. But how many of those had a formal declaration of war? And none were really existential threats that required the entire U.S. to be involved. War, historically, has usually been an issue of whether a state continued to exist under its current rule or not, and sometimes whether a significant percentage of the current population continued to live or not; some wars resulted in all the adult males being killed or enslaved, or whole populations slaughtered.

Then there is the War on Drugs, the War on Poverty, and most recently, our War on Terror (among others). In these conflicts we don't actually have a nation-state as an enemy, but we do have some defined objective requiring concerted, forceful action. (Of course we also have silly, demeaning uses of the term, such as the inane "War on Christmas.")

This can all lead to a certain confusion of definitions and roles. Prior to 9/11/2001, terrorists on U.S. soil were criminals. Whether it was Timothy McVeigh, Ramzi Yousef, Eric Rudolph, Ali Abu Kamal, or the ELF, civilian law enforcement, civilian courts, and civilian prisons were the mechanisms involved. Since 9/11, we have a strong contingent claiming that terrorism is now solely a military matter, that military courts must be used, and civilian prisons are somehow insufficient (although supermax prisons have held worse mass murders and gang members for years). Why? Because we are in a "war on terror." Further, administrative rules and laws were passed to classify a particular class of terrorists as belonging under military jurisdiction as enemy combatants and heated political debate occurs around any aspect of how to deal with these individuals.

This essay is not an attempt to sort out all those issues: I'm going after something else, but I needed to illustrate these few points, first. Above, I noted that "war" is a somewhat fuzzy term, as are the definitions of who might wage it. Next, let's consider how we have been preparing to react to cyber incidents.

With the fuzziness about defining "war," and the shifting boundaries of whether it is something confronted by law enforcement or the military, it is not surprising that "cyber war" has not really been well-defined. What has happened over the last decade is that stories of potential "Cyber Pearl Harbors" have been presented to legislators, coupled with demonstrations of vulnerabilities, to justify a massive investment in the military cyber arena — but not so much our civilian law enforcement. It is simple to scare policy makers with tales that the country might be destroyed by evil hackers working for another country's military; cyber crime does not make for as compelling a picture. The result has been massive buildup in offensive military tools, intelligence support, and personnel training to support military missions.

But that buildup does little to help civilian companies under attack within U.S. borders by unknown parties. So, we now have civilian companies turning to DHS for help rather than the FBI or another law enforcement agency. But the responsibility of DHS is to secure the .gov systems, so they are now turning to the military (NSA) because they don't have the infrastructure or expertise they need for even that. We are thus well down a path to turn over the bulk of our law enforcement in cyber to the military, with the specter of terrorists and cyber war held out by those who benefit from this situation continuing to push us in that direction. Soon we will have so much infrastructure built up we will not be able to afford to go back. The Posse Comitatus Act of 1878 was intended to keep the military from becoming a national police force, but this will further erode what is left of that law. Many people reading this will say "So what?" because we're now safer against a cyberwar attack as a result of this buildup — aren't we?

But here comes the problem, and the main point of this essay. We have a history of our military and leaders preparing to fight the last war. They are preparing for an offense that is unlikely to come at us the way they have portrayed. They are building a Maginot Line for a frontal attack that any intelligent adversary will never attempt.

In fact, we're under attack NOW. And we're losing. We're losing billions of $$ worth of intellectual property per year to foreign intelligence services, foreign competitors, and criminals, and we have been for years. U.S. companies and taxpayers are effectively paying for the R&D that is supporting huge amounts of foreign development. And we are also seeing billions of $$ of value being bled from the economy in credit card fraud, bank fraud and other kinds of fraud, including counterfeit pharma and counterfeit electronics sales, with all that money going to buy houses, cars, and consumer goods for people in Eastern Europe, China, Russia, and so on — in non-US economies. (And not only victims in the U.S., but Canada, the UK and a number of other countries.) It is a war of economic attrition and it is one that the DOD is never going to be in a position to fight because it has no kinetic component, no uniformed foe, no base of operations, and no centralized command. Once again, we have been preparing for the last war, so we are losing the current one. Most of our leaders don't even seem to recognize that we are in one. If we fall, it will not be by the swift stroke of the sword, but by the death of a thousand cuts.

If we are to have any hope of surviving, we have to completely change the way we look at this situation. Every intrusion, theft, or fraud should be reported, investigated and prosecuted (when possible). It should be tallied and brought to public attention, at least in aggregate so we understand the magnitude of what is going on. Right now, too much is hushed up or written off because each incident is too small to follow up, but the combined weight is staggering; for years I've been calling it "being pecked to death by ducks" because no single duck is lethal, but millions are. By letting so many incidents go, we encourage more and fund the development of yet new crime We need to refocus ourselves with a massive law enforcement effort, with a weighting towards local response, filtering up to Federal, not a Federal response directing local response. All those billions being dumped into the Federal contractors for cyber weapons should be directed to cyber law enforcement and investigation, to development of forensic tools, and to raising awareness at the local level. Your average business and consumer is going to be much more likely to install patches to protect against criminal behavior if encouraged by local authorities than told by someone in DC to install patches against some robotic threat from overseas. And we should adopt a get-tough policy at the diplomatic level to start demanding that countries that harbor criminals see some pushback from us; the new Federal international strategy on cyberspace is a good start on this.

I have described it to some people this way: our traditional DOD is structured to protect our borders and keep enemies from crossing those borders, or even getting near them. They are very, very good at that. In fact, they're so good, they may even stop an enemy from crossing their own borders to get here! However, the enemy we're engaged with is already here — is installed on millions of our computers and has thus subverted millions of citizens throughout the country without their knowing it....including some of the military. It is like the movie "The Puppet Masters." This can't be fought by the DOD — they aren't equipped to train their weapons inward. It requires an entirely different approach, but unfortunately, our leadership doesn't understand this, and the loudest voices right now are those of the lobbyists and members of the military who stand to benefit most in the short term by continuing the status quo, and by those who don't understand the magnitude of the situation.

Concomitant with this, within the next decade I fear that we will start seeing more of our best and brightest students from the US going to universities in India, China and other countries the way those countries' students have been coming to the US for years; I'm not the only one predicting this. Why? In the US we are shuttering university programs, decreasing funding, and shrinking campuses across the country, and politicians are vilifying K-12 teachers as if they are somehow part of the problem instead of being part of the cure. Meanwhile, in India, Russia, China, Korea, Taiwan and the Middle East they are opening major new universities and hiring away faculty from the US, Australia, the UK and elsewhere to staff their research labs, paying them extraordinary salaries and benefits and giving them access to modern resources. Major corporations have already located labs near those places because of cheap labor and are helping to subsidize the growth of the universities as are the national governments so as to obtain trained help. Our national policy of booting new PhDs & MS graduates who aren't citizens, and restricting so many high-tech jobs to US nationals only means that we train the world's best, then send them back to their own compete with us. The Rising Above the Gathering Storm and Rising Above the Gathering Storm, Revisited: Rapidly Approaching Category 5 reports nailed this, but were largely ignored by policymakers and certainly by the general public. Not only are we indirectly funding other countries' ascendency via their largely unhindered theft of our intellectual property and fraud, we are accelerating it by strangling our own intellectual capital and increasing theirs.

Everyone in IT and beyond should understand — fundamentally — that this is a new form of competition, of warfare (if we are to use that term). It is competition of the mind. It is information warfare in a much more fundamental sense than using information in support of kinetic weapons. It is employing information resources in a vast strategic way, across industries and generations to shape the future of nations. We do not have enough people who are able to think strategically, with that long a view and an understanding of the issues to see the threats, to see the trends, and to see the hard choices necessary to take a safer path. We, as a people, do not have the patience. Unfortunately, some of our enemies do.

What inspired the above, in part, is that this is Memorial Day Weekend. Many people will celebrate it as a holiday with picnics or trips, watch the Indy 500, and break out the summer clothes.

But Monday is a special day in the U.S. to remember the many men and women who sacrificed their lives in the service of the country, while serving in uniform. Whether in declared war or standing guard, whether grizzled veteran or new recruit, whether defending the bridge at Concord in 1775, or on patrol in Kandahar in 2011, those who did not return home deserve special thought from those who are here to enjoy this weekend. They had husbands, wives, children, siblings, parents and friends who treasured them. On Memorial Day, we should all treasure their memories as well.

And perhaps that is the one good thing about "Cyber War" — by nature, it is unlikely to add to the list of those we should remember on Memorial Day who are not here with us.

One of the best ways to honor their memory is to remain vigilant, and that is why I wrote the above.

Sony, Congress, The Media and Me


As a researcher and educator, I regularly follow many newsletters, blogs and newsfeeds on a near daily basis. Some items I bookmark for my classes and research, but most I simply read, note, and discard. I read many dozen such items per day -- sometimes as many as 100 when there is a lot happening and I have a backlog.

After news of the Sony incident broke on April 20th, I saw items about how some people knew about vulnerabilities in parts of the Sony network, and servers running old versions of the Apache webservers. Those postings had material similar to what was published in Wired on April 28th. To the best of my memory, at least one of those postings mentioned that some of these vulnerabilities were exposed to Sony in a mailing list or blog prior to the compromise. It may be that the reference was to the PSN webserver vulnerabilities, it may have been about the earlier flaw with the PS3 connecting to the PSN, or it may have been some other vulnerabilities...but I am pretty certain it was about the webservers. There was no discussion about how the breach occurred or whether the old software played a part in those breaches.

After reading these stories, I moved on to other issues. I was not a customer of Sony or the Playstation Network (PSN), and they have never had a relationship with our research group, so I had no reason to pay close attention to the story. Furthermore, we were approaching the end of the semester, I was teaching a graduate class and also preparing for two trips to workshops. Thus, I had several other things to occupy my time and attention, and this story was definitely not one of them.


On May 1st, in my capacity as chair of USACM, I received an invitation to appear at a House subcommittee meeting on the morning of May 4 on the issue of data breaches and privacy. This is a topic that has been one of USACM's main thrust areas, and is in my main areas of interest, so even though it was extremely short notice, I said yes. I spent the next 48 hours frantically trying to rearrange my teaching and administrative schedule at the university while also producing a formal written testimony to deliver to Congressional offices by a Tuesday noon deadline. This occurred, but with very little sleep over that two day period. Tuesday afternoon I had to drive to Indianapolis to fly to Washington for the Wednesday morning hearing.

Wednesday morning at 9:30am. the House Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee held its hearing on “The Threat Of Data Theft To American Consumers.” I was the 4th witness in the panel (our written statements are available online). Three days of little sleep and too much coffee, plus the TV lights, combined to give me quite a headache, but that may not be evident if you watch the C-SPAN recording of the hearing.

In my written testimony I indicated that "...some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk." During questioning, I stated that I had read this on security lists that I normally read.

The fun begins

My comment that I had seen accounts about the server software being out of date and no firewalls was reported accurately by a few media outlets. However, a few others widely misquoted as me stating, authoritatively, that Sony was running outdated, unpatched software and implied that this was somehow the cause of the breach. Other news sources, blogs, and aggregators then picked up this version of the story and repeated it as their own, often with some other embellishment.

In only a few cases did a responsible journalist contact me to fact-check the story and determine what I had actually said, and what I actually knew.

I tried to correct one or two of the incorrect reports, but most occurred in places where there was no contact address for corrections, and they soon were spreading faster than I could possibly respond. I gave up.

Soon after the stories started circulating, I received email from Eugene Alvarado (he has given me permission to name him), who indicated that in early February he reported to Sony that there was widespread hacking of the network going on that was interfering with use of the network. He never got a response. So, at least one other person observed problems and reported them to Sony in advance of the breach in April. If the problem was significant, there may well have been others.

More recently, at least one "commentator" who "thinks" he is "clever" because he can put quotes around words like "security expert" to imply something meaningful about my expertise has posted a critique pointing out that some of Sony's servers were, in fact, up-to-date. However, at least one follow-up by someone else observes that other Sony servers (with interesting names such as "Login" and "Auth") were running software dated 2008. Thus, it may well be the case that some of the systems were current and some not. As we well know, it only takes one system out of rev or with a missing patch to serve as an entry point to a whole network.

Bottom Line

To this day, I have never heard from nor spoken with anyone at Sony. I have never bothered to probe or investigate their systems, because frankly, I don't care. Those issues are for others to determine and settle. What I think were the bigger issues to the story at the hearing were about having standard breach notifications and the 24 USACM privacy principles that were in my testimony. There are hundreds of other breaches occurring every year in the U.S. resulting in fraud, identity theft, and other crimes. Those are smaller than this incident with the PSN, but the victims are no less damaged. We need for the FTC and law enforcement to have more resources to help fight these problems, and we could definitely use some appropriate Federal legislation on minimum privacy protections and breach notifications. Read the 4 written testimonies from the hearing to get a sense of what is involved.

As to the spurious story, I tried to be clear in my testimony (written and oral) that I was simply repeating what I had read in some online newsgroups. I am really quite appalled at the number of places that have twisted that into a claim that Sony was somehow, definitely, running substandard software or systems. It is possible they were, but it is also possible they were running very well-maintained systems that fell prey to a clever attacker. That has happened to other high profile victims.

I certainly bear the good folks at Sony no ill will, and I hope they resolve the situation with the Playstation Network soon.

In the meantime, perhaps this can serve as an abject lesson about dealing with the media and bloggers — some of them want a sensational story, whether the facts support it or not, and you had better not get in the way!

Update 5/14

A recent article contains information indicating there was obvious evidence in Sony's logs of scanning activity starting March 3rd that should have been noticed.

Update 5/18

Another recent article provides more information about the scanning activity preceding the breach, and suggests that it occurred from more than one source.

Update 6/4

Here is a very nice timeline and summary of Sony security incidents that seem to keep on coming.

A Cautionary Incident

Recently, Amazon's cloud service failed for several customers, and has not come back fully for well over 24 hours. As of the time I write this, Amazon has not commented as to what caused the problem, why it took so long to fix, or how many customers it affected.

It seems a client of Amazon was not able to contact support, and posted in a support forum under the heading "Life of our patients is at stake - I am desperately asking you to contact." The body of the message was that "We are a monitoring company and are monitoring hundreds of cardiac patients at home. We were unable to see their ECG signals"

What ensued was a back-and-forth with others incredulous that such a service would not have a defined disaster plan and alternate servers defined, with the original poster trying to defend his/her position. At the end, as the Amazon service slowly came back, the original poster seemed to back off from the original claim, which implies either an attempt to evade further scolding (and investigation), or that the original posting was a huge exaggeration to get attention. Either way, the prospect of a mission critical system depending on the service was certainly disconcerting.

Personnel from Amazon apparently never contacted the original poster, despite that company having a Premium service contract.

25 or so years ago, Brian Reid defined a distributed system as " where I can't get my work done because a computer I never heard of is down." (Since then I've seen this attributed to Leslie Lamport, but at the time heard it attributed to Reid.) It appears that "The Cloud" is simply today's buzzword for a distributed system. There have been some changes to hardware and software, but the general idea is the same — with many of the limitations and cautions attendant thereto, plus some new ones unique to it. Those who extol its benefits (viz., cost) without understanding the many risks involved (security, privacy, continuity, legal, etc.) may find themselves someday making similar postings to support fora — as well as "position wanted" sites.

The full thread is available here.

A Recent Interview, and other info

I have not been blogging here for a while because of some health and workload issues. I hope to resume regular posts before too much longer.

Recently, I was interviewed about the current state of security . I think the interview came across fairly well, and captured a good cross-section of my current thinking on this topic. So, I'm posting a link to that interview here with some encouragement for you to go read it as a substitute for me writing a blog post:

Complexity Is Killing Us: A Security State of the Union With Eugene Spafford of CERIAS

Also, let me note that our annual CERIAS Symposium will be held April 5th & 6th here at Purdue. You can register and find more information via our web site.

But that isn't all!

Plus, all of the above are available via RSS feeds.  We also have a Twitter feed: @cerias. Not all of our information goes out on the net, because some of it is restricted to our partner organizations, but eventually the majority of it makes it out to one of the above outlets.

So, although I haven't been blogging recently, there has still been a steady stream of activity from the 150+ people who make up the CERIAS "family."   

Centers of ... Adequacy, Revisited

Almost two years ago I wrote in this blog about how CERIAS (and Purdue) was not going to resubmit for the NSA/DHS Centers of Academic Excellence program.

Some of you may notice that Purdue is listed among this year's (2010) group of educational institutions receiving designation as one of the CAEs in that program. Specifically, we have received designation as a CAE-R (Center of Academic Excellence in Research).

"What changed?" you may ask, and "Why did you submit?"

The simple answers are "Not that much," and "Because it was the least-effort solution to a problem." A little more elaborate answers follow. (It would help if you read the previous post on this topic to put what follows in context.)

Basically, the first three reasons I listed in the previous post still hold:

  1. The CAE program is still not a good indicator of real excellence. The program now has 125 designated institutions, ranging from top research universities in IA (e.g., Purdue, CMU, Georgia Tech) to 2-year community colleges. To call all of those programs "excellent" and to suggest they are equivalent in a meaningful way is unfair to students who wish to enter the field, and unfair to the people who work at all of those institutions. I have no objection to labeling the evaluation as a high-level evaluation of competence, but "excellence" is still not appropriate.   
  2. The CNSS standards are still used for the CAE and are not really appropriate for the field as it currently stands. Furthermore, it the IACE program used to certify CNSS compliance explicitly notes "The certification process does not address the quality of the presentation of the material within the courseware; it simply ensures that all the elements of a specific standard are included.." How the heck can a program be certified as "excellent" when the quality is not addressed? By that measure, a glass of water is insufficient, but drowning someone under 30ft of water is "excellent."
  3. There still are no dedicated resources for CAE schools. There are several grant programs and scholarships via NSF, DHS and DOD for which CAE programs are eligible, but most of those don't actually require CAE status, nor does CAE status provide special consideration.

What has changed is the level of effort to apply or renew at least the CAE-R stamp. The designation is now good for 5 academic years, and that is progress. Also, the requirements for the CAE-R designation were easily satisfied by a few people in a matter of several hours mining existing literature and research reports. Both of those were huge pluses for us in submitting the application and reducing the overhead to a more acceptable level given the return on onvestment.

The real value in this, and the reason we entered into the process, is that a few funding opportunities have indicated that applicants' institutions must be certified as a CAE member or else the applicant must document a long list of items to show "equivalence." As our faculty and staff compete for some of these grants, the cost-benefit tradeoff suggested that a small group to go through the process once, for the CAE-R. Of course, this raises the question of why the funding agencies suggest that XX Community College is automatically qualified to submit a grant, while a major university that is not CAE certified (MIT is an example) has to prove that it is qualified!

So, for us, it came down to a matter of deciding whether to stay out of the program as a matter of principle, or submit an application to make life a little simpler for all of our faculty and staff when submitting proposals. In the end, several of our faculty & staff decided to do it over an afternoon because they wanted to make their own proposals simpler to produce. And, our attempt to galvanize some movement away from the CAE program produced huge waves of ...apathy... by other schools; they appear to have no qualms about standing in line for government cheese. Thus, with somewhat mixed feelings by some of us, we got our own block of curd, with an expiration date of 2015.

Let me make very clear -- we are very supportive of any faculty willing to put in the time to develop a program, and working to educate students to enter this field. We are also very glad that there are people in government who are committed to supporting that academic effort. We are in no way trying to denigrate any institution or individual involved in the CAE program. But the concept of giving a gold star to make everyone feel good about doing what should be the minimum isn't how we should be teaching, or about how we should be promoting good cybersecurity education.

(And I should also add that not every faculty member here holds the opinions expressed above.)

Own Your Own Space

I have been friends with Linda McCarthy for many years. As a security strategist she has occupied a number of roles -- running research groups, managing corporate security, writing professional books, serving as a senior consultant, conducting professional training....and more. That she isn't widely known is more a function of her not seeking it by having a blog or gaining publicity by publishing derivative hacks to software than it is anything else; There are many in the field who are highly competent and who practice out of the spotlight most of the time.

One of Linda's passions over the last few years has been in reaching out to kids -- especially teens -- to make them aware of how to be safe when online. Her most recent effort is an update to her book for the youngest computer users. The book is now published under the Creative Commons license. The terms allow free use of the book for personal use. That's a great deal for a valuable resource!

I'm enclosing the recent press release on the book to provide all the information on how to get the book (or selected chapters).

If you're an experienced computer user, this will all seem fairly basic. But that's the point -- the basics require special care to present to new users, and in terms they understand. (And yes, this is targeted mostly to residents of the U.S.A. and maybe Canada, but the material should be useful for everyone, including parents.)

Industry-Leading Internet Security Book for Kids, Teens, Adults Available Now as Free Download

Own Your Space® teams with Teens, Experts, Corporate Sponsors for Kids' Online Safety

SAN FRANCISCO, June 17 -- As unstructured summertime looms, kids and teens across the nation are likely to be spending more time on the Internet and texting.

Now, a free download is available to help them keep themselves safer both online and while using a cell phone.

Own Your Space®, the industry-leading Internet security book for youth, parents, and adults, was first written by Linda McCarthy, a 20-year network and Internet-security expert.

This all-new free edition -- by McCarthy, security pros, and dedicated teenagers -- teaches youths and even their parents how to keep themselves "and their stuff" safer online.

A collaboration between network-security experts, teenagers, and artists, the flexible licensing of Creative Commons, and industry-leading corporate sponsors, together have made it possible for everyone on the Internet to access Own Your Space for free via,, and

"With the rise of high-technology communications within the teen population, this is the obvious solution to an increasingly ubiquitous problem: how to deliver solid, easy-to-understand Internet security information into their hands? By putting it on the Internet and their hard drives, for free," said Linda McCarthy, former Senior Director of Internet Safety at Symantec.

Besides the contributors' own industry experience, Own Your Space also boasts the "street cred" important to the book's target audience; this new edition has been overseen by a cadre of teens who range in age from 13 to 17.

"In this age of unsafe-Internet and risky-texting practices that have led to the deaths and the jailing of minors, I'm thankful for everyone who works toward and sponsors our advocacy to keep more youth safe while online and on cell phones," McCarthy said.

Everyone interested in downloading Own Your Space® for free can visit,, and Corporations who would like to increase the availability of the book and promote child safety online through their hardware and Web properties can contact Linda McCarthy

McCarthy is releasing the book in June to celebrate Internet Safety Month.

“Game Change” Request for comments

I am posting the following at the request of someone associated with this effort at NITRD:

On May 19 the White House announced a new effort to enlist public involvement in defining new areas to "change the game" for cybersecurity. Three areas for research were proposed:

  1. Moving Target – Systems that move in multiple dimensions to disadvantage the attacker and increase resiliency.
  2. Tailored Trustworthy Spaces – Security tailored to the needs of a particular transaction rather than the other way around.
  3. Cyber Economic Incentives – A landscape of incentives that reward good cybersecurity and ensure crime doesn’t pay.

For the next few weeks (until June 18), the public is being invited to make comments. As readers of this blog tend to be well-informed about security issues and research needs, I'd like to encourage you to review the details of the research areas and add your thoughts to the discussion at As this effort will impact the Federal funding of research for FY2012 and beyond, adding your thoughts is not only beneficial to the government, but also beneficial to those of us in the research community to ensure that research topics are both useful and feasible.

As I've noted before I believe that referring to this as "game change" has the potential to create the wrong attitudes towards the problems. However, at least this isn't an attempt to solve everything in 60-90 days!

Having an Impact on Cybersecurity Education

The 12th anniversary of CERIAS is looming (in May). As part of the display materials for our fast-approaching annual CERIAS Symposium (register now!), I wanted to get a sense of the impact of our educational activities in addition to our research. What I found surprised me -- and may surprise many others!

Strategic Planning

Back in 1997, a year before the formation of CERIAS, I presented testimony before a U.S. House of Representatives hearing on "Secure Communications." For that presentation, I surveyed peers around the country to determine something about the capacity of U.S. higher education in the field of information security and privacy (this was before the term "cyber" was popularized). I discovered that, at the time, there were only four defined programs in the country. We estimated that there were fewer than 20 academic faculty in the US at that time who viewed information security other than cryptography as their primary area of emphasis. (The reason we excluded cryptography was because there were many people who were working in abstract mathematics that could be applied to cryptography but who knew extremely little about information security as a field, and certainly were not teaching it).

The best numbers I could come up with from surveying all those people was that, as of 1997, U.S. higher education was graduating only about three new Ph.D. students a year in information security, Thus, there were also very few faculty producing new well-educated experts at any level, and too small a population to easily grow new programs. I noted in my remarks that the output was too low by at least two orders of magnitude for national needs (and was at least 3-5 orders too low for international needs).

As I have noted before, my testimony helped influence the creations of (among other things) the NSA's CAE program and the Scholarship for Service program. Both provided some indirect support for increasing the number of Ph.D graduates and courses at all postsecondary levels. The SfS has been a qualified success, although the CAE program not so much.

When CERIAS was formed, one element of our strategic plan was to focus on helping other institutions build up their capacity to offer infosec courses at every level, as a matter of strategic leadership. We decided to do this through five concurrent approaches:

  1. Create new classes at every level at Purdue, across several departments
  2. Find ways to get more Ph.D.s through our program, and help place them at other academic institutions
  3. Host visitors and postdocs, provide them with additional background in the field for eventual use at other academic institutions
  4. Create an affiliates program with other universities and colleges to exchange educational materials, speakers, best practices, and more
  5. Create opportunities for enrichment programs for faculty at other schools, such as a summer certificate program for educators at 2 and 4-year colleges.

Our goal was not only to produce new expertise, but to retrain personnel with strong backgrounds in computing and computing education. Transformation was the only way we could see that a big impact could be made quickly.


We have had considerable success at all five of these initiatives. Currently, there are several dozen classes in CERIAS focus areas across Purdue. In addition to the more traditional graduate degrees, our Interdisciplinary graduate degree program is small but competitive and has led to new courses. Overall, on the Ph.D. front, we anticipate another 15 Ph.D. grads this May, bringing the total CERIAS output of PhD.s over 12 years to 135. To the best of our ability to estimate (using some figures from NSF and elsewhere), that was about 25% of all U.S. PhDs in the first decade that CERIAS was in existence, and we are currently graduating about 20% of U.S. output. Many of those graduates have taught or still teach at colleges and universities, even if part-time. We have also graduated many hundreds of MS and undergrad students with some deep coursework and research experience in information security and privacy issues.

We have hosted several score post-docs and visiting faculty over the years, and always welcome more --- our only limitation right now is available funding. For several years, we had an intensive summer program for faculty from 2 and 4-year schools, many of which are serving minority and disadvantaged populations. Graduates of that program went on to create many new courses at their home institutions. We had to discontinue this program after a few years because of, again, lack of funding.

Our academic affiliates program ran for five years, and we believe it was a great success. Several schools with only one or two faculty working in the area were able to leverage the partnership to get grants and educational resources, and are now notable for their own intrinsic capabilities. We discontinued the affiliates program several years ago as we realized all but one of those partners had "graduated."

So, how can we measure the impact of this aspect of our strategic plan? Perhaps by simply coming up with some numbers....

We compiled a list of anyone who had been through CERIAS (and a few years of COAST, prior) who:

  • Got a PhD from within Purdue and was part of CERIAS
  • Did a postdoc with CERIAS to learn (more) about cybersecurity/privacy
  • Came as a visiting faculty member to learn (more) about cybersecurity/privacy
  • Participated in one of our summer institutes for faculty

We gathered from them (as many as we could reach) the names of any higher education institution where they taught courses related to security, privacy or cyber crime. We also folded in the names of our academic affiliates at which such courses were (or still are) offered. The resultant list has over 100 entries! Even if we make a somewhat moderate estimate of the number of people who took these classes, we are well into the tens of thousands of students impacted, in some way, and possibly above 100,000, worldwide. That doesn't include the indirect effect, because many of those students have gone on (or will) to teach in higher education -- some of our Ph.D. grads have already turned out Ph.D. grads who now have their own Ph.D. students!

Seeing the scope of that impact is gratifying. And knowing that we will do more in the years ahead is great motivation, too.

Of course, it is also a little frustrating, because we could have done more, and more needs to be done. However, the approaches we have used (and are interested in trying next) never fit into any agency BAA. Thus, we have (almost) never been able to get grant support for our educational efforts. And, in many cases, the effort, overhead and delays in the application processes aren't worth the funding that is available. (The same is true of many of our research and outreach activities, but that is a topic for another time.)

We've been able to get this far because of the generosity of the companies and agencies that have been CERIAS general supporters over the years -- thank you! Our current supporters are listed on the CERIAS WWW site (hint: we're open to adding more!). We're also had a great deal of support within Purdue University from faculty, staff and the administration. It has been a group effort, but one that has really made a positive difference in the world....and provides us motivation to continue to greater heights.

See you at the CERIAS Symposium!


Here is the list of the 106 107 108 educational institutions [last updated 3/21,1600 EDT]:

  • Air Force Institute of Technology
  • Amrita Vishwa Vidyapeetham, Coimbatore, India
  • Brigham Young University
  • Cairo University (Egypt)
  • California State University Sacramento
  • California State University Long Beach
  • Carnegie Mellon University
  • Case Western Reserve University
  • Charleston Southern University
  • Chunggnam National University, Korea
  • College of Aeronautical Engineering, PAF Academy, Risalpur Pakistan
  • College of Saint Elizabeth
  • Colorado State University
  • East Tennessee State University
  • Eastern Michigan University
  • Felician College
  • George Mason University
  • Georgia Institute of Technology
  • Georgia Southern University
  • Georgetown University
  • Hannam University, Korea
  • Helsinki University of Technology (Finland)
  • Hong Kong University of Science & Technology
  • Illinois Wesleyan University
  • Indian Institute of Science, Bangalore
  • Indiana University-Purdue University, Fort Wayne
  • Indiana University-Purdue University, Indianapolis
  • International University, Bruchsal, Germany
  • Iowa State University
  • James Madison University
  • John Marshall School of Law
  • KAIST (Korea Advanced Institute of Science and Technology)
  • Kansas State University
  • Kennesaw State University
  • Kent State University
  • Korea University
  • Kyungpook National University, Korea
  • Linköpings Universitet, Linköping Sweden
  • Marquette University
  • Miami University of Ohio
  • Missouri Univ S&T
  • Murray State University
  • Myongji University, Korea
  • N. Georgia College & State Univ.
  • National Chiao Tung University, Taiwan
  • National Taiwan University
  • National University of Singapore
  • New Jersey Institute of Technology
  • North Carolina State University
  • Norwalk Community College
  • Oberlin College
  • Penn State University
  • Purdue University Calumet
  • Purdue University West Lafayette
  • Qatar University, Qatar
  • Queensland Institute of Technology, Australia
  • Radford University
  • Rutgers University
  • Sabanci University, Turkey
  • San José State University
  • Shoreline Community College
  • Simon Fraser University
  • Southwest Normal University (China)
  • Southwest Texas Junior College
  • SUNY Oswego
  • SUNY Stony Brook
  • Syracuse University
  • Technische Universität München (TU-Munich)
  • Texas A & M Univ. Corpus Christi
  • Texas A & M Univ. Commerce
  • Tuskegee University
  • United States Military Academy
  • Universidad Católica Boliviana San Pablo, Bolivia
  • Universität Heidelberg, Heidelberg, Germany
  • University of Albany
  • University of Calgary
  • University of California, Berkeley
  • University of Cincinnati
  • University of Connecticut
  • University of Dayton
  • University of Denver
  • University of Florida
  • University of Kansas
  • University of Louisville
  • University of Maine at Fort Kent
  • University of Maryland University College
  • University of Mauritius, Mauritius
  • University of Memphis
  • University of Milan, Italy
  • University of Minnesota
  • University of Mississippi
  • University of New Haven (CT)
  • University of New Mexico
  • University of North Carolina, Charlotte
  • University of Notre Dame
  • University of Ohio
  • University of Pittsburgh
  • University of Texas, Dallas
  • University of Texas, San Antonio
  • University of Trento (Italy)
  • University of Virginia
  • University of Washington
  • University of Waterloo
  • University of Zurich
  • Virginia Tech
  • Washburn University
  • Western Michigan University
  • Zayed University, UAE

Blast from the Past

Yes, I have been quiet (here) over the last few months, and have a number of things to comment on. This hiatus is partly because of schedule, partly because I had my laptop stolen, and partly health reasons. However, I'm going to try to start back into adding some items here that might be of interest.

To start, here is one item that I found while cleaning out some old disks: a briefing I gave at the NSA Research division in 1994. I then gave it, with minor updates, to the DOD CIO Council (or whatever their name was/is -- the CNSS group?), the Federal Infosec Research Council, and the Criticial Infrastructure Commission in 1998. In it, I spoke to what I saw as the biggest challenges in protecting government systems, and what were major research challenges of the time.

I have no software to read the 1994 version of the talk any more, but the 1998 version was successfully imported into Powerpoint. I cleaned up the fonts and gave it a different background (the old version was fugly) and that prettier version is available for download. (Interesting that back then it was "state of the art" grin

I won't editorialize on the content slide by slide, other than to note that I could give this same talk today and it would still be current. You will note that many of the research agenda items have been echoed in other reports over the succeeding years. I won't claim credit for that, but there may have been some influences from my work.

Nearly 16 years have passed by, largely wasted, because the attitude within government is still largely one of "with enough funding we can successfully patch the problems." But as I've quoted in other places, insanity is doing the same thing over and over again and expecting different results. So long as we believe that simple incremental changes to the existing infrastructure, and simply adding more funding for individual projects, is going to solve the problems then the problems will not get addressed -- they will get worse. It is insane to think that pouring ever more funding into attempts to "fix" current systems is going to succeed. Some of it may help, and much of it may produce some good research, but overall it will not make our infrastructure as safe as it should be.

Yesterday, Admiral (ret) Mike McConnell, the former Director of National Intelligence in the US, said in a Senate committee hearing that if there were a cyberwar today, the US would lose. That may not be quite the correct way of putting it, but we certainly would not come out of it unharmed and able to claim victory. What's more, any significant attack on the cyberinfrastructure of the US would have global repercussions because of the effects on the world's economy, communications, trade, and technology that are connected by the cyber infrastructure in the US.

As I have noted elsewhere, we need to do things differently. I have prepared and circulated a white paper among a few people in DC about one approach to changing the way we fund some of the research and education in the US in cybersecurity. I have had some of them tell me it is too radical, or too different, or doesn't fit in current funding programs. Exactly! And that is why I think we should try those things -- because doing more of the same in the current funding programs simply is not working.

But 15 years from now, I expect to run across these slides and my white paper, and sadly reflect on over three decades where we did not step up to really deal with the challenges. Of course, by then, there may be no working computers on which to read these!