This is from our colleagues at NCSU, and is time-critical. Please take 5 minutes to fill out this (simple) survey. It will help an NSF-funded privacy project.. And “Thank you” from CERIAS, too!

 

  ThePrivacyPlace.Org Privacy Survey is Underway!
 

 

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and was first offered in 2002. We are offering the survey again in 2008 to reveal how user values have changed over the intervening years. The survey results will help organizations ensure their website privacy practices are aligned with current consumer values.

 

The URL is: http://theprivacyplace.org/currentsurvey

 

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available via our project website (http://www.theprivacyplace.org/).

 

Prizes include
  $100 Amazon.com gift certificates sponsored by Intel Co.
  and
  IBM gifts

 

On behalf of the research staff at ThePrivacyPlace.Org, thank you!

This morning I received an email, sent to a list of people (I assume). The subject of the email was “Computer Hacker’s service needed” and the contents indicated that the sender was seeking someone to trace back to the sender of some enclosed email. The email in question? The pernicious spam email purporting to be from someone who has been given a contract to murder the recipient, but on reflection will not do the deed if offered a sum of money.

This form of spam is well-known in most of the security and law enforcement communities, and there have been repeated advisories and warnings issued to the public. For instance, Snopes has an article on it because it is so widespread as to have urban legend status. The scam dates back at least to 2006, and is sometimes made to seem more authentic by including some personalized information (usually taken from online sources). A search using the terms “hitman scam spammer” returns over 200,000 links, most of the top ones being stories in news media and user alert sites. The FBI has published several alerts about this family of frauds, too. This is not a rare event.

However, it is not that the author of the email missed those stories that prompts this post. After all, it is not the case that each of us can be aware of everything being done online.

Rather, I am troubled that someone would ostensibly take the threat seriously, and as a follow-up, seek a “hacker” to trace the email back to its sender rather than report it to law enforcement authorities.

One wonders if the same person were to receive the same note on paper, in surface email, whether he would seek the services of someone adept at breaking into mail boxes to seek out the author? Even if he did that, what would it accomplish? Purportedly, the author of the note is a criminal with some experience and compatriots (these emails, and this one in particular, always refer to a gang that is watching the recipient). What the heck is the recipient going to do with someone—and his gang—who probably doesn’t live anywhere nearby?

Perhaps the “victim” might know (or suspect) it is a scam, but is trying to aid the authorities by tracing the email? But why spend your own money to do something that law enforcement is perhaps better equipped to do? Plus, a “hacker” is not necessarily going to use legal methods that will allow the authorities to use the results. Perhaps even more to the point, the “hacker” may not want to be exposed to the authorities—especially if they regularly break the law to find people!

Perhaps the victim already consulted law enforcement and was told it was a scam, but doesn’t believe it? Well, some additional research should be convincing. Plus, the whole story simply isn’t credible. However, if the victim really does have a streak of paranoia and a guilty conscience, then perhaps this is plausible. However, in this case, whoever is hired would likewise be viewed with suspicion, and any report made is going to be doubted by the victim. So, there is no real closure here.

Even worse, if a “hacker” is found who is willing to break the rules and the laws to trace back email, what is to say that he (or she) isn’t going to claim to have found the purported assassin, he’s real, and the price has gone up but the “hacker” is willing to serve as an intermediary? Once the money is paid, the problem is pronounced “fixed,” This is a form of classic scam too—usually played on the gullible by “mystics” who claim that the victim is cursed and can only be cured by a complicated ritual involving a lot of money offered to “the spirits.”

Most important—if someone is hired, and that person breaks the law, then the person hiring that “hacker” can also be charged under the law. Hiring someone to break the law is illegal. And having announced his intentions to this mailing list, the victim has very limited claims of ignorance at this point.

At the heart of this, I am simply bewildered how someone would attempt to find a “hacker”—whose skill set would be unknown, whose honesty is probably already in question, and whose allegiances are uncertain—to track down the source of a threat rather than go to legitimate law enforcement. I can’t imagine a reasonable person (outside of the movies) receiving a threatening letter or phone call then seeking to hire a stranger to trace it back rather than calling in the authorities.

Of course, that is why these online scams—and other scams such as the “419 scams” continue to work: people don’t think to contact appropriate authorities. And when some fall for it, it encourages the spammers to keep on—increasing the pool of victims.

(And yes, I am ignoring the difficulty of actually tracing email back to a source: that isn’t the point of this particular post.)

This was originally written for Dave Farber’s IP list.

I take some of the blame for helping to spread “no security through obscurity,” first with some talks on COPS (developed with Dan Farmer) in 1990, and then in the first edition of Practical Unix Security (with Simson Garfinkel) in 1991. None of us originated the term, but I know we helped popularize it with those items.

The origin of the phrase is arguably from one of Kerckhoff’s principles for strong cryptography: that there should be no need for the cryptographic algorithm to be secret, and it can be safely disclosed to your enemy. The point there is that the strength of a cryptographic mechanism that depends on the secrecy of the algorithm is poor; to use Schneier’s term, it is brittle: Once the algorithm is discovered, there is no (or minimal) protection left, and once broken it cannot be repaired. Worse, if an attacker manages to discover the algorithm without disclosing that discovery then she can exploit it over time before it can be fixed.

The mapping to OS vulnerabilities is somewhat analogous: if your security depends only (or primarily) on keeping a vulnerability secret, then that security is brittle—once the vulnerability is disclosed, the system becomes more vulnerable. And, analogously, if an attacker knows the vulnerability and hides that discovery, he can exploit it when desired.

However, the usual intent behind the current use of the phrase “security through obscurity” is not correct. One goal of securing a system is to increase the work factor for the opponent, with a secondary goal of increasing the likelihood of detecting when an attack is undertaken. By that definition, obscurity and secrecy do provide some security because they increase the work factor an opponent must expend to successfully attack your system. The obscurity may also help expose an attacker because it will require some probing to penetrate the obscurity, thus allowing some instrumentation and advanced warning.

In point of fact, most of our current systems have “security through obscurity” and it works! Every potential vulnerability in the codebase that has yet to be discovered by (or revealed to) someone who might exploit it is not yet a realized vulnerability. Thus, our security (protection, actually) is better because of that “obscurity”! In many (most?) cases, there is little or no danger to the general public until some yahoo publishes the vulnerability and an exploit far and wide.

Passwords are a form of secret (obscurity) that provide protection. Classifying or obfuscating a codebase can increase the work factor for an attacker, thus providing additional security. This is commonly used in military systems and commercial trade secrets, whereby details are kept hidden to limit access and increase workfactor for an attacker.

The problem occurs when a flaw is discovered and the owners/operators attempt to maintain (indefinitely) the sanctity of the system by stopping disclosure of the flaw. That is not generally going to work for long, especially in the face of determined foes. The owners/operators should realize that there is no (indefinite) security in keeping the flaw secret.

The solution is to design the system from the start so it is highly robust, with multiple levels of protection. That way, a discovered flaw can be tolerated even if it is disclosed, until it is fixed or otherwise protected. Few consumer systems are built this way.

Bottom line: “security through obscurity” actually works in many cases and is not, in itself, a bad thing. Security for the population at large is often damaged by the people who claim to be defending the systems by publishing the flaws and exploits trying to force fixes. But vendors and operators (and lawyers) should not depend on secrecy as primary protection.

This new release of our testbed software provides users with full control of experimental PCs instead of being limited to running VMware images:

• Experimental PCs can be rebooted at will

• There is a LiveCD in the experimental PCs, which will take a root password that you specify before rebooting the PC

• Users are now able to replace the operating system installed by default on experimental PCs, and gain full control

• The host operating system for VMware is restored after an experiment.

This facilitates experiments with other virtualization technologies (e.g, Xen), or with operating systems or software that don’t interact in the desired manner with VMware.

When compared with other testbeds such as Deter, the differences are that:

• You should be able to run anything on ReAssure, that is compatible with the hardware; 

• You may try to attack the ReAssure testbed itself; 

• Malicious software should have great difficulty escaping the testbed (if not using exp01 and exp02, the computers set aside for updating images); 

• Your experiments using VMware images are portable; 

• You can take VMware snapshots; 

As before, you can still:

• Use complex network topographies for your experiments, with high bandwidth utilization on each (Gbit ethernet)

• Extend reservations or stop experiments at will;

• Use ISO images and VMware appliances; 

• Share image files

• Cooperate remotely with other people, and give them access to the PCs in one of your experiments

• Update your images from two of our experimental PCs that allow connections to the outside (exp01 and exp02)

Under the hood changes:

• The switch management now uses a UNIX domain server instead of a script started by cron.  This increases the responsiveness of the system, allows checking the state of the switch directly in real time, and allows self-test results to be displayed on the web interface (for administrators).

• The upload mechanism now uses a UNIX domain server instead of a script started by cron.  This increases the responsiveness of the system and allows self-test results to be displayed on the web interface (for administrators).

• The power state of the experimental PCs is controlled via IPMI (Intelligent Platform Management Interface) on an isolated network

Visit the project home page, the testbed management interface itself, or download the open source software.  The ReAssure testbed was developed using an MRI grant from NSF (No. 0420906). 

The academic year is beginning, and I have already been asked by new faculty about travel. I also recently heard about a problem from a more senior colleague. As I have traveled a lot for my work in the last 20 years, I have built up some experience as an academic “road-warrior.” My assistant, Marlene, has also helped out with some great ideas as she has observed my difficulties getting from point A to B and back again. Here are some general tips for lower-stress travel as you travel to conferences and speaking engagements around the U.S.

General

Familiarize yourself with your university’s travel rules. Most have specific rules about advance notice, forms to file, etc. Know the rules before you travel so you don’t do the wrong things.

When you meet people at conferences, or when speaking, or otherwise on business, write the date on the back of the card, along with info that will help you identify why/where you met the person. If you promise to send them a copy of your recent results, then write that on the card, too. I have over 3000 entries in my online address book and card collection, and I no longer remember who half of them are, where I met them, or why….a note would have helped me in trimming the collection some.

Note on your itinerary what the next and previous departures of the plane, train, etc might be. If your business finishes early or runs late you have some idea of alternatives. In many cases, for a small free, you can switch to a different departure time on the same day. You can usually get that fee reimbursed by the same source of funds that pays for your ticket.

Take paper copies of articles, theses, or other items you need to read or review. If you are stuck in an airport waiting area with a delayed flight, you can put your time to use without running down laptop batteries. Furthermore, you can read the papers when on the plane during times that no electronic devices can be used, and you can write comments in the margin when you have a small fold-down seat tray that isn’t large enough to hold an open laptop.

Keep business cards with you. At least once a year I find someone sitting on a long flight next to me to be worth a follow-up contact. Several times these have led to industry grants for my research or internships for my students. Be prepared for opportunities!

Always pack an extra day’s worth of critical items in the event your flight is cancelled or too badly delayed. Also, you are prepared when the airline asks for volunteers to be bumped to the next day in return for a free ticket—that means you can save money on your grants for the next conference, or else use the free ticket to have a spouse/SO accompany you on a trip.

If you are going someplace interesting, investigate staying an extra day or two to sight-see, or simply relax. Depending on timing, you may actually save money by flying on a weekend day instead of a weekday evening and staying the extra night in the hotel!

Consider joining frequent traveler programs for the airlines and hotels. You may not collect enough for a free trip any time soon—and if you do travel enough to do so, another trip is not likely your idea of a reward. However, most of those programs have some small perks for members—free Internet service or breakfast at the hotel, priority on better seats, etc.

Airline clubs can be valuable places to unwind between long flights or during delays. You can buy day passes or full-year memberships. Some cover multiple airlines. Consider the expense of Internet access and several cups of coffee each time you need to spend more than an hour at a major airport in a waiting area. At a certain point, the airline club fee comes out to be a win. Plus, their front desk staff can often fix a scheduling snafu on your ticket faster (and with more options) than the personnel out at the desks.

Try to always be cheerful with travel personnel, even if you’re having a bad day. Airline check-in people can give you a better seat or waive a change fee if you are nice, flight attendants will sometimes comp a drink or give you the last blanket, and hotel clerks can put you in a better room—all if you are nice. Be grumpy or curt, and TSA will make your life miserable, you’ll get checked into the non-reclining seat in the last row next to the lav, and at the hotel you’ll get the room next to the elevator.

I have a single sheet with all my flight itinerary, hotel address, confirmation numbers, important telephone numbers, and so on. This turns out to be incredibly useful for all sorts of reasons.

Take along a small bottle of hand sanitizer, and use it before every meal or break. If you are meeting people, shaking hands, and using doorknobs handled by thousands of others, it is not a contributor to good health. Frequent hand washing and use of a sanitizer can really help. I get small bottles in the “travel size” section at my neighborhood pharmacy.

Finances

Keep all of your receipts, boarding passes, etc. I have a poly-plastic envelope with an elastic cord into which I put all my receipts while traveling. At the end of the trip, the receipts get sorted into three piles: those that go to the university or sponsor for reimbursement purposes, those that go into my file for income taxes (all meal receipts, for example), and a pile I keep until I have been reimbursed and my frequent flier miles credited. This last pile is normally where stubs from boarding passes go, unless your sponsor/university requires them.

Never leave a hotel without a paper statement showing a zero balance! Some hotels will run a statement of all expenses and slip it under your room door the night before you leave. You then do an express checkout an don’t stop at the desk. However, without evidence you paid the bill (the zero balance part), some agencies won’t reimburse you! You can probably get a corrected copy from the hotel, but the process delays your reimbursement by weeks (or longer).

Need to send in the original receipts for reimbursement? Make sure you have legible copies to keep on file in the event there is a mixup or loss of items.

Don’t forget to ask for mileage reimbursement to drive to/from the airport. The current IRS rate is commonly used.

If you work at a public university you can sometimes get the government rate at hotels. You need to ask about that when you reserve the room, and you show your faculty ID when arriving. Be sure you only do this when traveling on university business.

Be aware of your credit limit. If you are doing a lot of travel and charging it all to one credit card, you may hit your limit without knowing it. Hotels often put a hold charge on your card when you check in and do not remove it when you pay your bill, so your card takes double the hit. It can be very uncomfortable to arrive at your destination, 3 time zones away, only to be told that your card has been refused. American Express cards have no such pre-set limit, but you also have to pay them when the blll arrives, and this can be a stretch if your reimbursements aren’t timely.

Speaking of reimbursements, some companies that may ask you to come visit to speak at their expense can be extremely slow to pay reimbursements because their internal processes are so complex. My worst experiences have been with big companies, for some reason. Intel is one example—over a 3 year period with 5 trips they never paid an invoice in less than 6 months, one took 10 months to reimburse, and I had to file as a business supplier to even get into their system! In situations like this you either need to dip into savings then wait for the payment, or carry the charge on credit. Be prepared for this if you have no experience with a host offering to reimburse you.

Actually, this brings up a worst-case scenario: You are asked to visit an institution in a foreign country to speak, at their expense. You buy non-refundable tickets (that is all they will reimburse) and then they cancel the visit or you fall ill or….. Nothing like having $2000 in non-refundable tickets and the bill coming due! There are solutions here—demand to buy refundable tickets, have them buy the tickets for you, or consider having them authorize buying travel insurance through the airline or travel service where you get the tickets. Even reputable places may have scheduling problems.

Don’t fly sick! If you are really ill, don’t feel you have to travel because you bought non-refundable tickets, or because they are expecting you to talk at the other end. Flying while ill can make you worse (I’ve had a perforated ear drum from the pressure change on the plane, once, flying with a terrible cold), can spread germs, and you end up not making a very good presentation. Ask to reschedule if it is a presentation. Most airline tickets can be used, for a small change fee, up to a year after the date of purchase. If you are flying to a conference on grant money, check on university policy—most will cover the change fee or even the cost of the ticket so long as you commit to buying non-refundable tickets to keep costs low.

Check the interest rate on your credit cards. Yeah, maybe you collect frequent flier miles by using that card, but it also may have an 18%-25% effective annual rate. if you are delayed getting a reimbursement, or it crosses the due date of the bill, you may be paying a hefty penalty for those miles.

Many places will ask for your SSN# on a W-4 before they will reimburse you. If you are a compensated speaker, you can’t get your honorarium without this. This poses two problems: taxes and possible exposure of your SSN. The taxes part is easiest—keep the receipts and if your reimbursement gets included in a form 1099-MISC filed by your host, then you list the amounts as deductible business expenses (talk to a tax advisor for specifics—don’t depend on this blog!). As for protecting yourself against identity theft, come up with a “dba” name (doing business as) for consulting, then get an IRS EIN (employer identity number). Use that in place of your SSN. It is all perfectly legal (although you may need to educate the clerks at the other end), has the same number of digits as your SSN, but it compromised it won’t contribute to fraud committed with your identity.

I may do a follow-up post with some specific hints on international travel. If you have suggestions for academic travelers, please post them in the comments.

I am an advisor to ThePrivacyPlace.  They do great work on privacy issues, and this annual survey is valuable—but only with a lot of responses.  So, please respond and share the link with others.

The following is their survey announcement.

ThePrivacyPlace.Org Privacy Survey is Underway!

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and was first offered in 2002. We are offering the survey again in 2008 to reveal how user values have changed over the intervening years. The survey results will help organizations ensure their website privacy practices are aligned with current consumer values.
The URL is: http://theprivacyplace.org/currentsurvey

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available via our project website (http://www.theprivacyplace.org/).

Prizes include
$100 Amazon.com gift certificates sponsored by Intel Co.
and
IBM gifts

On behalf of the research staff at ThePrivacyPlace.Org, thank you!

[Update 7/17: Video of the Senator’s opening remarks and the panel session (2 parts) are now online at this site. I have also added a few links.]

This story (somewhat long) is about Senator Barack Obama’s summit session at Purdue University today (Wednesday, July 16). on security challenges for the 21st century. I managed to attend, took notes, and even got my name mentioned. Here’s the full story.

Prelude

Monday night, I received email from a colleague here at Purdue asking if I could get her a ticket to see Senator Obama on campus. I was more than a little puzzled — I knew of no visit from the Senator, and I especially didn’t know why she thought I might have a ticket (although there are people around here who frequently ask me for unusual things).

Another exchange of email resulted in the discovery that the Senator was coming to Purdue today (the 16th of July) with a panel to hold a summit meeting on security issues for the 21st century. Cyber security was going to be one of the topics. The press was told that Purdue was chosen because of the leading role our researchers have in various areas of public safety and national security — including the leading program in cyber security — although some ascribed political motives as the primary reason for the location.

I found it rather ironic that security would be given as the reason for being at Purdue, and yet those of us most involved with those security centers had not been told about the summit or given invitations. It appears that the organizers gave a small number of tickets to the university, and those were distributed to administrators rather than faculty and students working in the topic areas.

I found this all very ironic and interesting, and expressed as much in email to several friends and colleagues — including several who I knew had some (indirect) link to the Senator’s campaign. I had faint hope of getting a ticket, but was more interested in simply getting the word back that there was a misfire in the organization of the event.

Late last night (I was in the office until 6:30) I got a call from someone associated with the Obama campaign. He apologized for the lack of an invitation, and informed me that a ticket was awaiting me at the desk the next day.

The Event

I went over to the Purdue Union at 11:30; the official event was to start at 12. I encountered a number of Purdue administrators in the crowd. Security was apparent for the event, including metal detectors at the door run by uniformed officers, some of whom I believe were with the Secret Service uniformed division. The officers everywhere were polite and cheerful, but watchful. I found a seat in the back of the North Ballroom with about 500 other guests…and nearly as many members of the press, entourage, ushers, protection detail, and so on.

I won’t try to summarize everything said by the Senator and panel — you can find the full video here (in two parts). I will provide some impressions of specific things that were said.

The event started almost on time (noon) with Senator Evan Bayh introducing Senator Barack Obama. Sen. Obama then read from a prepared set of remarks. His comments really resonated with the crowd (I encourage you to follow the link to read them). His comment about how we have been “fighting the last war” is particularly appropriate.

He made some very nice comments about Senator Richard Lugar, the other Senator from Indiana. Senator Lugar is a national asset in foreign policy, and both Senators Obama and Bayh (and former Senator Nunn) had nothing but good things to say about him — and all have worked with him on disarmament and peace legislation. One of the lighter moments was when Senator Obama said that Senator Lugar was a great man in every way except that he was a Republican!

Early in his statement, he deviated from his script as reproduced in the paper, and dropped my name as he was talking about cyber security. I was very surprised. He referred to me as one of the nation’s leading experts in cyber security when he mentioned Purdue being in the lead in this area. Wow! I guess someone I sent my email to pushed the right button (although my colleagues and our students deserve the recognition, as much or more than I do).

His further comments on officially designating the cyber infrastructure as a strategic asset is important for policy & legal reasons, and his comments on education and research also seemed right on. It was a strong opening, and there was obviously a lot in his comments for a number of different audiences, including the press.

Panel Part I

The first 1/3 of the panel discussion was on nuclear weapons issues. The experts present to talk on the issue were (former) Senator Sam Nunn (who joked that in Indiana everyone thought his last name was actually Nunn-Lugar), Senator Bayh, and Dr. Graham Allison, the director of the Belfer Center at Harvard. There was considerable discussion about the proliferation of nuclear materials, the need for cooperation with other countries rather than ignoring them (viz. North Korea and Iran), and the control of fissionable material.

There were some statements that I found to be a bit of hyperbole: For instance, the statement that a single bomb could be made by terrorists to destroy a whole city. Not to minimize the potential damage, but without sophisticated nation-state assistance and machining, a crude fission weapon is about all that a terrorist group could manage, and it wouldn’t be that large or that easy to build. A few tens of kilotons of fission explosion could definitely ruin your day, but a detonation at ground level wouldn’t destroy a whole city of any size. (Lafayette, IN would be mostly destroyed by one, but that isn’t a major city.) Plutonium is too dangerous to handle, so over 100 pounds of U-235 (or U-233) would be needed, and machined appropriately, for such a weapon. Without accelerators and specially shaped charges & containers, getting fission fast enough and long enough is difficult and….well, there is a very serious threat, and the nuances may be lost on the average crowd, but the focus on terrorists building a significant bomb seemed wrong to me.

There were some excellent remarks made about opportunity cost. For instance, the one figure that stood out was that we could fully fund the Nunn-Lugar initiative and some other plans to secure loose nuclear materials by spending the equivalent of 1 month of what we now spend in Iraq over the next 4 years around the world; the war in Iraq is breeding terrorists and making US enemies, while securing loose nukes would help protect generations to come around the world. As both a taxpayer and a parent (as well as someone immersed in defense issues), I know where I would prefer to see the money spent!

One other number given is that currently less than 1/4 of 1% of the defense budget is spent on containing nuclear materials, despite it being a declared priority of President Bush. Professor Allison said that despite grade inflation at Harvard, the President still gets an “F” in this area.

Another interesting factoid stated was that about 10% of the lights in the US are powered by electricity generated from reprocessed fissile material taken from Russian nukes rendered safe under the Nunn-Lugar initiative. That sounds high to me given the amount of nuclear power generated in the US, but even if off by a factor of 10, darned impressive.

Panel Part II

The second part of the panel was on bio weapons. The panelists were Dr. Tara O’Toole of the Center for Biosecurity at Pitt, and Dr. David Relman of Stanford. Their discussion was largely what I expected, about how bio-weapons can be produced by rogue actors as well as rogue states. They made the usual references to plague (with a funny interchange about prairie dogs being carriers, and keeping the Senator’s campaign away from them), anthrax and Ebola.

Again, there was a bit of exaggeration coupled with the dialog. It was pointed out that there has still been no apprehension of the perpetrator of the 2001 anthrax attacks. It was then stated that the anthrax in the envelope sent to Senator Daschle was enough to kill a billion people. No mention was made about how impossible it would be to meter and deliver such dosages in the most appropriate manner to achieve that. In fact, no discussion was made about the difficulty in weaponizing most biological agents, limiting their use as a targeted weapon over a large area. And furthermore, no mention at all was made of chemical weapons.

The conclusion here was that investment in better research and international cooperation was key. The statement was made that better integration of electronic health records would be important, too, although some studies I recall indicate that their utility is probably not so great as some would hope. It was also concluded that benefits in faster medical response and better vaccine production would help in non-crisis times as well. I don’t think we can argue too much with that, although the whole issue of how we pay for medicine and health issues looms large.

Panel Part III

The last panel featured Alan Wade, former CIO of the CIA, and Paul Kurtz of Good Harbor Consulting, speaking on the cyber threat. I’ve known Paul for years, and he is a great person to talk on these issues.

The fact that cyber technology is universal and ubiquitous was highlighted. So was the asymmetry inherent in the area. Some mention was made about how nothing has been done by the current administration until very recently. Sadly, that is clearly the case. The National Strategy in 2002, the PITAC report in 2005, and the CSTB report in 2007 (to name 3 examples) all generated no response. As a member of the PITAC that helped write the 2005 report, I was shocked at the lack of Federal investment and the inaction we documented (I knew it was bad, but didn’t realize until then how bad it was); the reaction from the White House was to dissolve the committee rather than address the real problems highlighted in the report. As one of today’s panelists put it — the current administration’s response has been “…late, fragmented, and inadequate.” Amen.

I was disappointed that so much was said about terrorism and denial of service. Paul did join in near the end and point out that alteration of critical data was a big concern, but there was no mention of alteration of critical services, about theft of intellectual property, about threats to privacy, or other more prominent threats. Terrorism online is not the biggest threat we face, and we have a major crisis in progress that doesn’t involve denial of service. We need to ensure that our policymakers understand the scope of the threat.

On the plus side, Senator Obama reiterated how he sees cyber as a national resource and critical infrastructure. He wants to appoint a national coordinator to help move protection forward. (If he is elected I hope he doesn’t put the position in DHS!)

Paul pointed out the need for more funds for education and research. He also made a very kind remark, mentioning me by name, and saying how we were a world-class resource built with almost no funding. That’s not quite true, but sadly not far off. I have chafed for years at how much more we could do with even modest on-going support that wasn’t tied to specific research projects….

Conclusions

I was really quite impressed with the scope of the discussion, given the time and format, and the expertise of the panelists. Senator Obama was engaged, attentive, and several of his comments and questions displayed more than a superficial knowledge of the material in each area. Given our current President referring to “the Internets” and Senator McCain cheerfully admitting he doesn’t know how to use a computer, it was refreshing and hopeful that Senator Obama knows what terms such as “fission” and “phishing” mean. And he can correctly pronounce “nuclear”! His comments didn’t appear to be rehearsed — I think he really does “get it.”

(Before someone picks on me too much…. I believe Senator McCain is an honorable man, a dedicated public servant, and a genuine American hero. I am grateful to have people like him intent on serving the public. However, based on his comments to the press and online, I think he is a generation out of date on current technology and important related issues. That isn’t a comment related to his age, per se, but to his attitude. I’d welcome evidence that I am mistaken.)

Senator Obama is a great orator. I also noticed how his speed of presentation picks up for the press (his opening remarks) but became more conversational during the panel.

Senator Obama kept bringing the panel back to suggestions about what could be done to protect the nation. I appreciated that focus on the goal. He also kept returning to the idea that problems are better solved early, and that investments without imminent threat are a form of insurance — paying for clean-up is far greater than some prudent investment early on. He also repeatedly mentioned the need to be competitive in science and technology, and how important support for education is — and will be.

After the session was over, I didn’t get a chance to meet any of the campaign staff, or say hello to Paul. I did get about 90 seconds with Senator Bayh and invited him to visit. After my name had been mentioned about 3 times by panelists and Senator Obama, he sort of recognized it when I introduced myself. We’ll see if he follows up. I’ve visited his office and Senator Lugar’s, repeatedly, and neither have ever bothered to follow up to see what we’re doing or whether they could help.

Several people in the audience commented on my name being mentioned. I’m more than a little embarrassed that they didn’t refer to CERIAS and my colleagues, and in fact I was the only Purdue person mentioned by name during the entire 2 hours, and then it happened multiple times. I’m not sure if that’s good or not — we’ll see. However, as P.T. Barnum said, there’s no such thing as bad publicity … so long as they spell my name correctly. None of the local or national press seem to have picked it up, however, so even spelling isn’t an issue.

The press, in fact, hasn’t seemed to focus on the substance of the summit at all. I’ve read about 15 accounts so far, and all have focused on his choice of VP or the status of the campaign. It is so discouraging! These are topics of great importance that are not well understood by the public, and the press simply ignores them. Good thing Angelina Jolie gave birth earlier in the week or the summit wouldn’t have even made the press.

I wish more of the population would take the time to listen to prolonged discussion like this. 15-second sound bites serve too often as the sole input for most voters. And even then, too many are insufficiently educated (or motivated) to understand even the most basic concepts. I wonder if more than 5 people will even bother to read this long a post — most people want blogs a single page in length.

As for my own political opinions and voting choices, well, I’m not going to use an official Purdue system to proselytize about items other than cyber security, education, research and Purdue. You can certainly ask me if you see me. Now, if only I had confidence in the electronic voting equipment that so many of us are going to be forced to use in November (hint: I’m chair of the USACM).

Last Tongue-in-Cheek Word

And no, I’m not particularly interested in the VP position.

We’ve moved our weblogs to a content management system. If you’re reading this, you’re in the right place!

This evening, I was watching—again—the classic John Carpenter movie, “Escape from New York.” What struck me about this movie (made in 1981) was how many things seem to somewhat correspond to more recent events.

For instance, the film begins with an airliner hijacked by terrorists and crashed into a building in Manhattan. There is a new, major government bureaucracy with law enforcement capabilities ala DHS (Lee Van Cleef even looks a little like Michael Chertoff). And there is a major prison on an island where people—especially terrorists and political prisoners—are sent and cannot get out. Trials seem to be abbreviated and maybe not even held. There is a long, unresolved war going on. And so on….

There are other parallels, but it depends on how you view the movie. I hadn’t seen it in years, so it really struck me how many items seemed ... eerily familiar. I’m a bit reluctant now to rewatch other Carpenter movies, such as Escape from LA, The Thing, and Ghosts of Mars!

It’s a great movie, so let me recommend that you watch it again if you haven’t seen it recently ... or at all: I know that many of my students haven’t seen it yet, and they should. They might be surprised—Snake Plissken isn’t dead yet.

If you watch it, let me know what you think!

Last week my script that processes and logs daily CVE changes broke.  It truncated inputs larger than 16000 bytes, because I believed that no CVE entry should ever be that large, therefore indicating some sort of trouble if it ever was.  Guess what…  The entry for CVE-2006-4339 reached 16941 bytes, with 352 references.  This is an OpenSSL issue, and highlights how much we are dependent on it.  It’s impressive work from MITRE’s CVE team in locating and keeping track of all these references.