<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/">

    <channel>
    
    <title>CERIAS Blog</title>
    <link>http://www.cerias.purdue.edu/site/blog</link>
    <description></description>
    <dc:language>en</dc:language>
    <dc:creator>webmaster@cerias.purdue.edu</dc:creator>
    <dc:rights>Copyright 2013</dc:rights>
    <dc:date>2013-01-11T02:55:46+00:00</dc:date>
    <admin:generatorAgent rdf:resource="http://www.expressionengine.com/" />
    

    <item>
      <title>On Student Projects, Phoenix, and Improving Your IT Operations</title>
      <author>spaf@cerias.purdue.edu (Gene Spafford)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/on_student_projects_phoenix_and_improving_your_it_operations/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/on_student_projects_phoenix_and_improving_your_it_operations/#When:02:55:46Z</guid>
      <description><![CDATA[
	
	<p style="text-align: center"><em>[If you want to skip my recollection and jump right to the announcement that is the reason for this post, <a href="#shortcut">go here</a>.]</em></p><hr /><p>Back in about 1990 I was approached by an eager undergrad who had recently come to <a href="http://www.purdue.edu" title="Purdue University">Purdue University</a>. A mutual acquaintance (hi, Rob!) had recommended that the student connect with me for a project. We chatted for a bit and at first it wasn't clear exactly what he might be able to do. He had some experience coding, and was working in the campus computing center, but had no background in the more advanced topics in computing (yet).</p><p>Well, it just so happened that a few months earlier, my honeypot Sun workstation had recorded a very sophisticated (for the time) attack, which resulted in an altered shared library with a back door in place. The attack was stealthy, and the new library had the same dates, size and simple hash value as the original. (The attack was part of a larger series of attacks, and eventually documented in <cite><a href="http://www.amazon.com/At-Large-Strange-Internet-Invasion/dp/0684835584%3FSubscriptionId%3D0PZ7TM66EXQCXFVTMTR2%26tag%3Dadriaantijsse-20%26linkCode%3Dxm2%26camp%3D2025%26creative%3D165953%26creativeASIN%3D0684835584">"@Large: The Strange Case of the World's Biggest Internet Invasion" (David H. Freedman, Charles C. Mann)</a></cite>.)</p><p>I had recently been studying message digest functions and had a hunch that they might provide better protection for systems than a simple <code>ls -1 | diff - old</code> comparison. However, I wanted to get some operational sense about the potential for collision in the digests. So, I tasked the student with devising some tests to run many files through a version of the digest to see if there were any collisions. He wrote a program to generate some random files, and all seemed okay based on that. 
I suggested he look for a different collection -- something larger. He took my advice a little too much to heart. It seems he had a part time job running backup jobs on the main shared instructional computers at the campus computing center. He decided to run the program over the entire file system to look for duplicates. Which he did one night after backups were complete.</p><p>The next day (as I recall) he reported to me that there were no unexpected collisions over many hundreds of thousands of files. That was a good result!</p><p>The bad result was that running his program over the file system had resulted in a change of the access time of <em>every file on the system</em>, so the backups the next evening vastly exceeded the existing tape archive and all the spares! This led directly to the student having a (pointed) conversation with the director of the center, and thereafter, unemployment. I couldn't leave him in that position mid-semester so I found a little money and hired him as an assistant. I then put him to work coding up my idea about how to use the message digests to detect changes and intrusions into a computing system. Over the next year, he would code up my design, and we would do repeated, modified "cleanroom" tests of his software. Only when they all passed did we release the first version of Tripwire.</p><p>That is how I met <a href="http://www.realgenekim.me">Gene Kim</a>.</p><p>Gene went on to grad school elsewhere, then a start-up, and finally got the idea to start the commercial version of <a href="http://www.tripwire.com">Tripwire</a> with <a href="http://www.linkedin.com/in/wyatt1">Wyatt Starnes</a>; Gene served as CTO, Wyatt as CEO. 
Their subsequent hard work, and that of hundreds of others who have worked at the company over the years, resulted in great success: the software has become one of the most widely used change detection &amp; IDS systems in history, as well as inspiring many other products.</p><p>Gene became more active in the security scene, and was especially intrigued with issues of configuration management, compliance, and overall system visibility, and with their connections to security and correctness. Over the years he has spoken with thousands of customers and experts in the industry, and heard both best-practice and horror stories involving integrity management, version control, and security. This led to projects, workshops, panel sessions, and eventually to his lead authorship of <a href="http://www.amazon.com/Visible-Ops-Security-Operations-Objectives/dp/0975568620%3FSubscriptionId%3D0PZ7TM66EXQCXFVTMTR2%26tag%3Dadriaantijsse-20%26linkCode%3Dxm2%26camp%3D2025%26creative%3D165953%26creativeASIN%3D0975568620">"Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps" (Gene Kim, Paul Love, George Spafford)</a>, and some other, related works.</p><p>His passion for the topic only grew. He was involved in standards organizations, won several awards for his work, and even helped get the <a href="http://www.securitybsides.com/w/page/12194156/FrontPage">B-sides conferences</a> into a going concern. A few years ago, he left his position at Tripwire to begin work on a book to better convey the principles he knew could make a huge difference in how IT is managed in organizations big and small.</p><div id="shortcut"><p>I read an early draft of that book a little over a year ago (late 2011). It was a bit rough -- Gene is bright and enthusiastic, but was not quite writing to the level of J.K. Rowling or Stephen King. 
Still, it was clear that he had the framework of a reasonable narrative to present major points about good, bad, and excellent ways to manage IT operations, and how to transform them for the better. He then obtained input from a number of people (I think he ignored mine), added some co-authors, and performed a major rewrite of the book. The result is a much more readable and enjoyable story -- a cross between a case study and a detective novel, with a dash of H. P. Lovecraft and DevOps thrown in.</p><div style="float: left; padding: 8pt"><img src="http://ecx.images-amazon.com/images/I/51rMT69p7rL._SL160_.jpg" /></div><p>The official launch date of the book, <cite><a href="http://www.amazon.com/The-Phoenix-Project-Helping-Business/dp/0988262592%3FSubscriptionId%3D0PZ7TM66EXQCXFVTMTR2%26tag%3Dadriaantijsse-20%26linkCode%3Dxm2%26camp%3D2025%26creative%3D165953%26creativeASIN%3D0988262592"> "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win" (Gene Kim, Kevin Behr, George Spafford), </a></cite> is Tuesday, January 15, but you can preorder it before then on (at least) Amazon.</p><p>The book is worth reading if you have a stake in operations at a business using IT. If you are a C-level executive, you should most definitely take time to read the book. Consultants, auditors, designers, educators...there are some concepts in there for everyone.</p><p>But you don't have to take only my word for it -- see <a href="http://itrevolution.com/books/phoenix-project-devops-novel/"> the effusive praise of tech luminaries who have read the book </a> .</p><p>So, Spaf sez, get a copy and see how you can transform your enterprise for the better.</p></div><p>(Oh, and I have never met the George Spafford who is a coauthor of the book. We are undoubtedly distant cousins, especially given how uncommon the name is. That Gene would work with two different Spaffords over the years is one of those cosmic quirks Vonnegut might write about. 
But Gene isn't Vonnegut, either. <img src="http://www.cerias.purdue.edu/site/images/smileys/grin.gif" width="19" height="19" alt="grin" style="border:0;" /></p><br /><hr /><br /><p>So, as a postscript.... I've obviously known Gene for over 20 years, and am very fond of him, as well as happy for his continuing success. However, I have had a long history of kidding him, which he has taken with incredible good nature. I am sure he's saving it all up to get me some day....</p><p>When Gene and his publicist asked if I could provide some quotes to use for his book, I wrote the first of the following. For some reason, this never made it onto <a href="http://itrevolution.com/books/phoenix-project-devops-novel/"> the WWW site </a> . So, they asked me again, and I wrote the second of the following -- which they also did not use.</p><p>So, not to let a good review (or two) go to waste, I have included them here for you. If nothing else, it should convince others not to ask me for a book review.</p><p>But, despite the snark (who, me?) of these <b> gag </b> reviews, I definitely suggest you get a copy of the book and think about the ideas expressed therein. Gene and his coauthors have really produced a valuable, readable work that will inform -- and maybe scare -- anyone involved with organizational IT.</p><h4>Take 1:</h4><blockquote><p>Based on my long experience in academia, I can say with conviction that this is truly a book, composed of an impressive collection of words, some of which exist in human languages. Although arranged in a largely random order, there are a few sentences that appear to have both verbs and nouns. I advise that you immediately buy several copies and send them to people -- especially people you don't like -- and know that your purchase is helping keep some out of the hands of the unwary and potentially innocent. Under no circumstances, however, should you read the book before driving or operating heavy machinery. 
This work should convince you that Gene Kim is a visionary (assuming that your definition of "vision" includes "drug-induced hallucination").</p></blockquote><h4>Take 2:</h4><blockquote><p>I picked up this new book -- <i> The Phoenix Project </i> , by Gene Kim, et al. -- and could not put it down. You probably hear people say that about books in which they are engrossed. But I mean this literally: I happened to be reading it on my Kindle while repairing some holiday ornaments with superglue. You might say that the book stuck with me for a while.</p><p>There are people who will tell you that Gene Kim is a great author and raconteur. Those people, of course, are either trapped in Mr. Kim's employ or they drink heavily. Actually, one of those conditions invariably leads to the other, along with uncontrollable weeping, and the anguished rending of garments. Notwithstanding that, Mr. Kim's latest assault on les belles-lettres does indeed prompt this reviewer to some praise: I have not had to charge my health spending account for a zolpidem refill since I received the advance copy of the book! (Although it may be why I now need risperidone.)</p><p>I must warn you, gentle reader, that despite my steadfast sufferance in reading, I never encountered any mention of an actual Phoenix. I skipped ahead to the end, and there was no mention there, either. Neither did I notice any discussion of a massive conflagration nor of Arizona, either of which might have supported the reference to <i> Phoenix </i> . This is perhaps not so puzzling when one recollects that Mr. Kim's train of thought often careens off the rails with any random, transient manifestation corresponding to the meme "Ooh, a squirrel!" 
Rather, this work is more emblematic of a bus of thought, although it is the short bus, at that.</p><p>Despite my personal trauma, I must declare the book as a fine yarn: not because it is unduly tangled (it is), but because my kitten batted it about for hours with the evident joy usually limited to a skein of fine yarn. I have found over time it is wise not to argue with cats or women. Therefore, appease your inner kitten and purchase a copy of the book. Gene Kim's court-appointed guardians will thank you. Probably.</p></blockquote><p>(Congratulations Gene, Kevin and George!)</p>
<img src="https://lh5.googleusercontent.com/tKfXysNBwSvdNsye-NwmqIh0mr-t5fhWSxpuoUZlS46C7VTRTmCFzd0KCAGQkhKbHvdDuQFIWUIBTrCTzfvV1smZ-rfCyxF8FJssdN8c8dZSIZ6Z51M" title="Gene Kim" /><img src="https://lh5.googleusercontent.com/XUDXgXrudzZc26fDPHVuTX0SWT7ALzXikphkIxXsbfyXM6cjkTJDWSeactVjekl44sfl5b59zbwvwgAiqnTFuzv41X8PM9e1SpttsTHnms_bE3BiPh0" title="Kevin Behr" /> <img src="https://lh5.googleusercontent.com/4MVoTQJisyvLK7VHIoeDRgPhzUSCG460DF-cf6yIAZQqWBA0qpTEkLCuRKJONCrOdPMCjpMqj3_vqjEvFMVjENZOsBIk0a8Z7j6Rs7eTM3LRiFj_ySA" title="George Spafford" />
		]]></description>
      <dc:subject>Kudos, Opinions and Rants, Reviews, Secure IT Practices</dc:subject>
      <dc:date>2013-01-11T02:55:46+00:00</dc:date>
    </item>

    <item>
      <title>Login with Facebook, Google and LinkedIn</title>
      <author>pmeunier@cerias.net (Pascal Meunier)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/desperate_convenience_login_with_facebook_google_and_linkedin/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/desperate_convenience_login_with_facebook_google_and_linkedin/#When:14:28:31Z</guid>
      <description><![CDATA[
	
	Is your management considering logins using Facebook, Google or LinkedIn accounts?  What are the risks?  One consideration is password policies.  I experimented to find out what were the effective password policies in place:<BR>
<table>
<TR><TH>Site</TH><TH>Minimum Characters</TH><TH>Reuse?</TH><TH>Trivial?</TH><TH>All lower-case?</TH><TH>Expiration</TH></TR>
<TR><TH>Facebook</TH><TD>6</TD><TD>Yes</TD><TD>No</TD><TD>Yes</TD><TD>No</TD></TR>
<TR><TH>Google</TH><TD>8</TD><TD>No</TD><TD>No</TD><TD>Yes</TD><TD>No</TD></TR>
<TR><TH>LinkedIn</TH><TD>6</TD><TD>Yes</TD><TD>No</TD><TD>Yes</TD><TD>No</TD></TR>
</table>

All 3 prevented the use of trivial passwords such as 123456.  However, all accepted a password consisting only of lower-case letters, and none of the services seem to implement password expiration, at least not in a reasonable time frame (1 year or less).  Password expiration is necessary to protect against password guessing attacks, because given enough time a slow trickle of systematic attempts will succeed.  The weaker the other password requirements and protections (e.g., number of tries allowed/minute) are, the shorter the expiration period should be.  In my opinion, all 3 have weak password policies overall.  However, if you *must* have a "login with your X account" feature, I suggest using Google's service and not the others, at least when considering only password policies.  Google has the best policy by far (potentially thousands of times stronger), with 8 characters and not allowing the re-use of previous passwords.  <BR>
<BR>
After 16 login failures, Google presents a captcha.  This struck me as a large number, but Facebook allows an even greater number of attempts before blocking (I lost count).  On Facebook, you can continue login attempts simply by clearing the Facebook cookies in the browser, which apparently provides an unlimited number of login attempts and is a great weakness against password guessing attacks.  But then, clearing the browser's cookies also bypasses the Google captcha...  How disappointing.  LinkedIn is the only one that didn't lose track of login attempts when clearing browser cookies or using a different browser;  after 12 failed attempts, it required answering a captcha.  So, if you must have 2 login services, I would suggest Google and LinkedIn, and avoiding Facebook. <BR>
<BR>
Other considerations, such as the security of the login mechanism and trustworthiness of the service, are not addressed here.
		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2012-12-20T14:28:31+00:00</dc:date>
    </item>

    <item>
      <title>Looking for fail2ban++</title>
      <author>pmeunier@cerias.net (Pascal Meunier)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/looking_for_fail2ban/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/looking_for_fail2ban/#When:17:00:34Z</guid>
      <description><![CDATA[
	
	If you're looking for a worthwhile project, here's something that could benefit most security practitioners.  The application "fail2ban" has been extremely useful in blocking sources of undesirable behavior such as brute force attacks on password mechanisms, spammers (by hooking it up to your mail server's rejection log), as well as hostile vulnerability scanners.  However, it only works for IPv4.  Discussions (and patches) I've seen to make it work with IPv6 unfortunately focus on making it understand IPv6 addresses, and miss an important point.  With IPv6, entities, even home users, will have large networks at their disposal.  As a result, it may be futile to block a single IPv6 address.  However, blocking whole IPv6 networks with the same threshold as a single IPv4 user may block legitimate users.  I need a program that will work like fail2ban but will allow progressive blocking, as follows:  if undesirable behavior is observed from IP addresses within a network of size N past a threshold T(N), block the entire network.  This would work with multiple network sizes, starting with singleton IPs and scaling up to large networks, with the threshold increasing and being more tolerant the larger the network is.  How the threshold changes with the size of the network should be configurable.  <BR>
<BR>
A corollary of the above is that when we move to IPv6, as some service providers have already done, password strength, and the strength of secrets and applications in general, will have to increase because we will have to be more tolerant of undesirable behavior, until the threshold for the attacker's network size is reached.  This will likely be a lot more than, and at a minimum the same as, what we tolerate on IPv4 for a single address.
		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2012-12-19T17:00:34+00:00</dc:date>
    </item>

    <item>
      <title>Keynote: Howard Schmidt (Keynote Summary)</title>
      <author>kaw@cerias.purdue.edu (Keith Watson)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/keynote_howard_schmidt_keynote_summary/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/keynote_howard_schmidt_keynote_summary/#When:20:48:11Z</guid>
      <description><![CDATA[
	
	<p>Howard Schmidt, Special Assistant to the President and Senior Director for Cyber Security, Office of the U.S. President</p>

<p>Morning Keynote Address, April 4, 2012.</p>

<p>Summary by Keith Watson</p>

<p>In the introduction, Professor Spafford mentioned many of the roles that Howard Schmidt has had over his many years in the field. He specifically highlighted Mr. Schmidt&#8217;s service to the nation.</p>

<p>He also indicated that things in information security are not necessarily better since Howard last attended the CERIAS Symposium in 2004, but that was not Howard&#8217;s fault.</p>

<p>Howard Schmidt began his keynote address by thanking the staff and faculty associated with CERIAS for their efforts. Mr. Schmidt disagreed with Spafford regarding his opening comment about things not being better since his last visit. &#8220;The system works,&#8221; he said. It is fraught with issues that we have to manage. Mr. Schmidt indicated that there are many things that we can do online that we were not able to do twenty years ago. We can make it work better though. We have bigger threats and more vulnerabilities due to increased accessibility, but it works. We have to make it work better.</p>

<p>In 2008 when then Senator Obama visited Purdue, he talked about emerging technologies and cybersecurity. <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/07/16/AR2008071601474.html">He stated</a>, &#8220;Every American depends &#8212; directly or indirectly &#8212; on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being.&#8221; We take technology infrastructure for granted, and we must ensure that it continues to be available.</p>

<p>One of the issues discussed in the government today is reducing the likelihood
that new generations of victims are created. We need cybercrime prevention. Then
law enforcement agencies have a better opportunity at scaling up to deal with
the issue. Currently, law enforcement can only focus on the most egregious
crimes. The FBI is moving cyber crime up on its priority list. They are
looking at cyber crime internationally.</p>

<p>An estimated $8 trillion were exchanged over wired and wireless networks last year. Online shopping increased even in a down economy.</p>

<p>The President has promised to make cyber infrastructure a strategic national asset. He has called on all of us to look ahead and design and build a stronger infrastructure.</p>

<p>Howard related a story about writing code for a TI-99/A for aiming his antenna to conduct <a href="https://en.wikipedia.org/wiki/EME_(communications)">Earth-Moon-Earth</a> (EME) communications for his ham radio hobby. He sat down with expert developers to talk about buffer overrun issues. The question that the developers had was, &#8220;Why would anyone do that?&#8221; Because they can.</p>

<p>The President created the Office of the Cybersecurity Coordinator in a unique way. The Office is part of the National Security Council and the National Economic Council. Mr. Schmidt has two roles in addressing security issues and ensuring that the system remains open. If specific expertise is needed from other government agencies, those experts can be brought in to assist. Setting strategy and policy is a major effort of the Office. It is also responsible for execution.</p>

<p>The FBI Director has identified the primary and high-level actors in the cyber world:</p>

<ol>
<li><p>Foreign intelligence services. They are no longer breaking into buildings and doing surveillance. We have to protect our cyber infrastructure from them.</p></li>
<li><p>Terrorist groups. They are interested in critical infrastructure and how to attack it.</p></li>
<li><p>Organized crime. They see cyberspace as a business opportunity. Some hacker groups are loosely organized but working together to disrupt the infrastructure.</p></li>
</ol>

<p>Mr. Schmidt outlined several programs and initiatives of his office:</p>

<ul>
<li><p><a href="http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf">International Strategy for Cyberspace</a></p></li>
<li><p><a href="http://www.whitehouse.gov/sites/default/files/microsites/ostp/nstc-smart-grid-june2011.pdf">A Policy Framework for the 21st Century Grid</a></p></li>
<li><p><a href="http://energy.gov/articles/department-energy-launches-initiative-industry-better-protect-nation-s-electric-grid-cyber">Electric Sector Cybersecurity Risk Maturity Model Pilot</a></p></li>
<li><p><a href="http://www.whitehouse.gov/sites/default/files/privacy-final.pdf">Consumer Privacy Bill of Rights</a></p></li>
<li><p><a href="http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf">National Strategy for IDs in Cyberspace</a> (NSTIC)</p></li>
<li><p><a href="http://www.whitehouse.gov/sites/default/files/rss_viewer/cybersecurity_niceeducation.pdf">National Initiative for Cybersecurity Education</a> (NICE)</p></li>
</ul>

<p>Questions/Answers:</p>

<p>Question: What is your vision for Continuous Monitoring?</p>

<p>Answer: It is possible to be FISMA-compliant and still insecure. The creation of the reports required by the law takes away time and effort from actually protecting the infrastructure. The goal now is to use continuous monitoring to deal with issues in real-time.</p>

<p>Question: What are the challenges in getting service providers to allow third-party identifiers?</p>

<p>Answer: We hope that there are multiple drivers for federated IDs. One is a market driver for business. They can reduce costs and lower risks by accepting trusted identifiers. We hope that innovators address some of the technical challenges. Finally as consumers, we have to demand better IDs.</p>

<p>Question: Are we at the point where we need to create a new agency responsible for cybersecurity?</p>

<p>Answer: No. It is not necessary. What we need is coordination, not another branch of government. The Office of Cyber Coordinator is the right model to coordinate activities across government.</p>

		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2012-04-16T20:48:11+00:00</dc:date>
    </item>

    <item>
      <title>Security Fireside Chat (Summary)</title>
      <author>kaw@cerias.purdue.edu (Keith Watson)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/security_fireside_chat_summary/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/security_fireside_chat_summary/#When:17:59:25Z</guid>
      <description><![CDATA[
	
	<p>Summary by Christine Task.</p>

<p>The fireside chat was an open discussion among several important persons with very interesting positions in the security world.  The conversation covered a broad range of topics, as each participant contributed their unique insight and perspective.  The summary below will collect just the main points for easy review.</p>

<p>Present were (in seating order):</p>

<p>Dr. J.R. Rao of IBM Research
Manager of the Internet Security Group at IBM Research
(abbreviated below as IBM)</p>

<p>Howard A. Schmidt, Office of the U.S. President
Cyber-Security Coordinator of the Obama Administration
(abbreviated below as GOV)</p>

<p>Dr. Eugene Spafford, Purdue 
Executive Director of Purdue CERIAS
(abbreviated below as SPAF)</p>

<p>Sam Curry, RSA
Chief Technology Officer, Identity and Data Protection business unit and Chief Technologist for RSA, The Security Division of EMC
(abbreviated below as RSA)</p>

<p>The first question addressed was:  Why do commercial products still fail to adopt basic security practices (such as separation of privilege, limited connectivity and minimization of function) even though their importance and efficacy have been well-understood for decades?</p>

<p>RSA: 
Product designers aren&#8217;t security experts; security is usually added as an afterthought and considered an interruption to progress.  Although there&#8217;s some market pressure for more secure products, there is incredible pressure to be the first to release a new product.  The long term outlook gets forgotten.  Possibly if contracts included penalties for developers who made obviously vulnerable products or did not properly integrate basic security measures into their products, the balance might be better.</p>

<p>IBM:
Security is definitely an afterthought in most product design.  On the other end of the scale, though, high assurance &#8216;ivory tower&#8217; systems exist, but are incredibly expensive to build.  One aspect of convincing commercial interests to integrate security policies into their development is finding a good balance among what is effective, efficient, and economically feasible.  Currently companies with web-facing applications who are concerned about security often use off-the-shelf products to perform source-code scans.  Unfortunately, these aren&#8217;t as helpful as they might be, even as after-thoughts.  They often produce a flood of output, with little to indicate which faults are actually important, and as a result much of their advice may be disregarded.</p>

<p>SPAF: 
Some fixes are obvious and simple, like languages which prevent buffer overflows.  Why aren&#8217;t they in use?  The vast majority of people don&#8217;t make use of the explosion of features in their gadgets: why don&#8217;t product developers practice minimization of features?  The problem is that there is basically no liability for security flaws.  Potentially, we need to consider penalties for software companies whose security performance is extremely negligent.</p>

<p>GOV:
Companies aren&#8217;t completely unaware of security concerns; delegation of privileges is much more widespread than it used to be.  The difficulty may be that companies don&#8217;t understand which security policies are applicable to their products (&#8220;it&#8217;s secure, it has a password!&#8221;).  Customers need to demand secure products, or else there&#8217;s no market pressure for companies to improve their records. A concern about government regulations, managing security from the top down, is that introducing lawyers limits innovation, and we can&#8217;t afford to have an economic disadvantage in the global economy.  However, the &#8220;Power of Procurement&#8221; is a very valuable tool.  The government penalizes its contractors/suppliers for obvious security flaws in the products they provide, and this forces higher standards to be adopted within those companies, which helps the standards spread out into the technology ecosystem. There has been visible progress in the past decade.</p>

<p>Next, Spafford asked about the possible worst-case consequences of our slow adoption of good security practices: Is a catastrophic event, a &#8220;cyber-security pearl harbor&#8221;, possible?</p>

<p>RSA: 
Every new technology brings concerns like this, and generally we prepare and the threat doesn&#8217;t come to pass.  Of more concern are less glamorous, slower threats, which we are not defending against: like the involvement of organized crime in technical spheres.</p>

<p>GOV:
We actually have been developing tools for a long time, within the DOD, to protect against catastrophic attacks, and we&#8217;re working on making those tools available for law enforcement and civilians now as well.  What&#8217;s more difficult is protecting against these more long-term, subtle threats.  Law enforcement has been trained to do computer forensics on localized, physical computers.  How do they adapt when an intrusion investigation can easily become a global affair?</p>

<p>IBM:
One of these subtle threats is intellectual property loss.  It doesn&#8217;t take much to remove a company&#8217;s competitive edge, and that loss can eventually destroy the company.  The FBI has been helpful in tracking IP threats throughout the world, but there are clearly still problems.  Commercial tech developers are extremely worried about the security measures which protect their IP, and this may be a good vector for encouraging them to adopt better security practices generally.</p>

<p>This was followed by a slightly more personal question from Dr. Spafford, &#8220;What keeps Dr. Rao (IBM) up at night?&#8221;</p>

<p>IBM: 
Intellectual property loss; existing products aren&#8217;t sufficient protection.  How quickly can an effective approach be developed and adopted?</p>

<p>GOV: 
A similar issue: The government was able to greatly reduce global issues with money-laundering, by diplomacy with other countries who were blindly enabling it for their own personal, or national benefit.  We&#8217;re hoping to form a similar global coalition to reduce IP theft: an agreement such that if someone steals your product which you&#8217;ve invested deeply in developing, and pushes their version out the door before you, there will be sanctions.  There won&#8217;t be a market for the pirated product.  Also, note that although CEOs of companies may be concerned about IP protection, the structure of companies often leaves no one actually in charge of managing it: auditors are concerned about financial books rather than security.</p>

<p>RSA:
In fact, the CFOs and audit committees have their own language, and aren&#8217;t likely to learn a separate language for security.  For example, the word &#8220;risk&#8221; means very different things to the two groups.  If security professionals want to be successful, they need to learn to speak business language; they can&#8217;t allow themselves to be separated into a pool of technology talent and kept away from the overall workings of the company.</p>

<p>This prompted the general question: How does a company or a government manage security concerns in a multi-national environment?</p>

<p>GOV: 
We work diplomatically with other countries on our common cyber-security issues, and our common desire to be able to safely support multi-national companies who have concerns about IP protection.</p>

<p>IBM: 
We sell defensive products in 176 countries, never products to be used for offensive purposes.  We never align with any government against any other.</p>

<p>RSA:
We&#8217;re in an interesting situation as a multi-national company: we actually work with many, many different governments and thus have personnel with security clearances in a variety of countries.  We use a pools-of-trust system to make certain sensitive information stays segregated within the company.</p>

<p>The speakers then responded to three questions which had been previously submitted by audience members:</p>

<p>How do we deal with the fact that the critical infrastructure we need to protect is often owned by a variety of small regional businesses?</p>

<p>GOV:
Again, the power of procurement allows the government to help encourage high standards of security for the products which these smaller companies use.</p>

<p>IBM:
The national labs and IBM have worked together with regional utilities to roll out an extremely secure, well-designed smart grid system.  This is another way in which private-public partnerships can improve security generally.</p>

<p>SPAF:
However, the government can&#8217;t cover every small utility.  Really effective new security is often prohibitively expensive for these small businesses.  We need to find ways for them to break needed improvements into a sequence of small, gradual changes and amortize the costs over time.</p>

<p>RSA: 
Even large utilities have very small IT departments, and often a large age and cultural gap between the old staff and the new tech experts.  The two groups don&#8217;t communicate well, and incredibly valuable knowledge is being lost as people retire.  This endangers the security of the entire system.  Is there any way we can change the model/organization of these institutions to prevent this?</p>

<p>Will users, rather than the corporations they deal with, ever have direct control over their own privacy?</p>

<p>GOV: 
This is very important, and it needs to happen sooner rather than later.  Unfortunately, we&#8217;ve already gone a long way down the wrong path, and it may be very difficult to get back.</p>

<p>Nine years ago, Dr. Spafford collaborated on a list of the <a href="https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/01264859.pdf">Grand Challenges for Cyber-security</a>.  What progress has been made?</p>

<p>SPAF: 
Progress has been made against epidemic attacks, such as flash worms.  Now we&#8217;re dealing with slower penetration by bot-nets, and we&#8217;re getting better at fighting those as well.  There is considerable work left to be done, in general, though.</p>

<p>IBM: 
There is industry inertia, but active work is being done on these.</p>

<p>RSA: 
These are very useful rallying points, things we should continue to work on. He once got a question from a German reporter at an RSA conference, &#8220;When will we solve this security thing?&#8221;  This was his favorite question ever.  It&#8217;s all, always, a work in progress. Right now, it&#8217;s very important that existing security is made effortless for users, so it&#8217;s commonly adopted.</p>

<p>GOV:
We actually have a hard time comparing the costs and prosecution rates of these cyber-attacks to the costs of physical attacks, such as burglaries.  Only 3% of cyber-attacks were prosecuted (in a recent year), but what percentage of burglaries are prosecuted?  What&#8217;s the relative cost?  In general, we need to educate people about simple ways of defending themselves.</p>

<p>In conclusion:</p>

<p>SPAF:
To achieve widespread adoption, security needs to be made effortless and economic.  We can&#8217;t hope to succeed by telling people what &#8220;not&#8221; to do.  We need to build security into products, so there&#8217;s no choice necessary: so users aren&#8217;t even aware it&#8217;s there.</p>

		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2012-04-16T17:59:25+00:00</dc:date>
    </item>

    <item>
      <title>Panel #3: Securing Mobile Devices (Panel Summary)</title>
      <author>kaw@cerias.purdue.edu (Keith Watson)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/panel_3_securing_mobile_devices_panel_summary/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/panel_3_securing_mobile_devices_panel_summary/#When:22:53:45Z</guid>
      <description><![CDATA[
	
	<p>Tuesday, April 3, 2012</p>

<p>Panel Members:</p>

<ul>
<li>Saurabh Bagchi, Purdue</li>
<li>David Keppler, MITRE</li>
<li>Jeremy Rasmussen, CACI</li>
</ul>

<p>Panel summary by Robert Winkworth.</p>

<p>The panel was moderated by Keith Watson, CERIAS, Purdue University.</p>

<p>In light of its unprecedented growth, wireless mobile communications remains a major focus of security research.  The stated purpose of this panel was to address the challenges in securing data and processing, limiting communication to designated parties, protecting sensitive data from loss of device, and handling new classes of malware.</p>

<p>Professor Bagchi opens the discussion with these key points and predictions:</p>

<ul>
<li>3G routing often circumvents institutional barriers and filters.</li>
<li>Information is leaking from one application to another within the device.</li>
<li>More anti-malware software packages are sold now.  This will increase.</li>
<li>Virulent code will spread by near-field technologies, such as Bluetooth.</li>
<li>It is becoming more lucrative to commit unauthorized remote monitoring.</li>
<li>Encryption for mobile services will improve in the future.</li>
<li>Behavior-based detection will become more popular.</li>
<li>New features are often rushed to market before being functionally secure.</li>
</ul>

<p>MITRE&#8217;s David Keppler joins the discussion with these thoughts:</p>

<ul>
<li>Mobile devices are single-user devices, and are highly personalized.</li>
<li>On the device, we are separating apps rather than users.</li>
<li>Contacts, social network data, banking info, etc. are stored in mobiles.</li>
<li>Locking down devices can reduce productivity.</li>
<li>Users like to have one device for many different actions.</li>
<li>A single compromised device can enable a threat against many network users.</li>
<li>Mobiles are &#8220;always connected&#8221;, and that brings security implications.</li>
</ul>

<p>CACI&#8217;s Jeremy Rasmussen contributes:</p>

<ul>
<li>DoD facilities are still trying to prevent mobile activity on premises.</li>
<li>New proposals would extend popular connectedness to government workers.</li>
<li>Policy is lagging behind what technology provides.</li>
<li>Everything needed, even for NSA standards, is available as free software.</li>
<li>Vouching for a unit is vouching for every combination of apps it can run.</li>
<li>The US government struggles greatly to keep pace with technology.</li>
</ul>

<p>The audience submits questions:</p>

<p>Attendant: &#8220;What will it take to make mobiles as secure as desktops?&#8221;</p>

<p>David: &#8220;I would argue that the vulnerabilities of a handheld are actually no worse than those of a laptop.  A proper risk assessment should be done for each.  Expect that exploits will always be possible, but invest for them accordingly.&#8221;</p>

<p>Saurabh: &#8220;Protocols and architecture need to be standardized.  This will be helpful to developers. And we need openness in standards.&#8221;</p>

<p>Attendant: &#8220;Does it seem inevitable that Android will allow lower-level access to the hardware in the future?&#8221;</p>

<p>Jeremy: &#8220;Yes, and that can benefit the user, who really should unlock the device and install a personalized solution.  We must have root access to the phone to get better security.  An app cannot protect the user from system abuses that occur at a lower level than the app.&#8221;</p>

<p>David: &#8220;I agree.  What we must do is break the current security in order to rebuild it in a more robust way.  There are also some underlying market issues at work here.  Commercial products are unfortunately vendor-specific, but need to be standardized.  How can this happen where there is DRM?&#8221;</p>

<p>Attendant: &#8220;What are the key differences in user experience between desktop and mobile?&#8221;</p>

<p>Saurabh: &#8220;Energy consumption, bandwidth, and limitations in the user interface.&#8221;</p>

<p>David: &#8220;Users trust mobiles MORE rather than less than their desktops.  They have not grasped the magnitude of the mobile threat.&#8221;</p>

<p>Keith: &#8220;What advice would you have for CSO/CIO as they face these threats?&#8221;</p>

<p>Saurabh: &#8220;CSOs and CIOs don&#8217;t ask me for advice!  [laughter]  What I would recommend, though, is strong isolation between applications, and a means to certify them before loading.&#8221;</p>

<p>David: &#8220;There are some utilities available that employers can have users run if they&#8217;re going to be on a private network.  Some risk is inevitable, though. There is no perfect solution.&#8221;</p>

<p>Jeremy: &#8220;Yes&#8212;NAC (Network Access Control) used to be required for user devices if they&#8217;d be allowed on a corporate network.  We need that for mobiles, but I don&#8217;t see how it&#8217;s possible; we can be circumvented so easily.&#8221;</p>

		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2012-04-13T22:53:45+00:00</dc:date>
    </item>

    <item>
      <title>Panel #2: Big Data Analytics (Panel Summary)</title>
      <author>kaw@cerias.purdue.edu (Keith Watson)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/panel_2_big_data_analytics_panel_summary/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/panel_2_big_data_analytics_panel_summary/#When:22:44:10Z</guid>
      <description><![CDATA[
	
	<p>Tuesday April 3, 2012</p>

<p>Panel Members:</p>

<ul>
<li>William S. Cleveland, Purdue University</li>
<li>Marc Brooks, MITRE Corporation</li>
<li>Jamie Van Randwyk, Sandia National Laboratories</li>
<li>Alok R. Chaturvedi, Professor, Purdue University</li>
</ul>

<p>Panel Summary by Nabeel Mohamed</p>

<p>The panel was moderated by Joel Rasmus, CERIAS, Purdue University.</p>

<p>A quick review on Big Data:</p>

<p>Big Data represents a new era in data analysis where the volume of the data to analyze is so big that it does not work with current traditional database technologies and algorithms. The size of the data sets that need to be collected, stored, shared, analyzed and/or visualized continues to grow as information is produced at an unprecedented rate from ubiquitous mobile devices, RFID technologies, sensor networks, web logs, surveillance records, search queries, social networks and so on. The increasing volume of the data is only one challenge of big data; there are others. In fact, Gartner analyst Doug Laney defined the big data challenges/opportunities as the 3V&#8217;s:</p>

<ol>
<li><p>Volume - it refers to the increasing volume of data as mentioned above.</p></li>
<li><p>Velocity - it refers to the time constraints in collecting, processing and using the data. A traditional algorithm which can process a small set of data quickly may take days to process a large set and give the results. However, if there is a real-time need such as national security, surveillance, and health care, taking days is not good enough any more.</p></li>
<li><p>Variety - it refers to the increasing array of data types that need to be handled. It includes all kinds of structured and unstructured data including audio, video, image data, transaction logs, web logs, web pages, emails, text messages and so on.</p></li>
</ol>

<p>Panel discussion:</p>

<p>First, each of the panelists gave their perspective and their experience with big data analytics.</p>

<p>William S. Cleveland, Shanti S. Gupta Professor of Statistics, Purdue University, mentioning the challenges and experience in handling large volumes of data in his research group, described their divide and recombine (D&amp;R) approach, which parallelizes the processing by dividing the data into small subsets and applying traditional numeric and visualization algorithms to each subset. They exploit the parallelism exhibited by the data itself. Cleveland described their tool called RHIPE, built on this concept. It is available to the public at www.rhipe.org. RHIPE is a merger of R, a free statistical analysis software package, and Apache Hadoop, an open source MapReduce framework.</p>
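<p>As an added illustration of the divide and recombine idea (this is not RHIPE code and not from the panel; it is a self-contained Python sketch over constructed data), the division step splits the data into subsets, the analysis step computes the same statistic on each subset independently, which is the part a MapReduce framework would farm out as map tasks, and the recombination step combines the per-subset results. Here the statistic is an ordinary least-squares line and the recombination is a size-weighted average of the coefficients; the data, the subset count and the recombination rule are all assumptions of the example:</p>

```python
"""Divide and recombine (D&R) in pure Python: an added example, not RHIPE
code. The data set, the round-robin division and the weighted-average
recombination are assumptions chosen for illustration."""
import random


def ols_fit(points):
    """Analysis step: ordinary least-squares slope and intercept for a list of
    (x, y) pairs. This is what each map task would run on its own subset."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    slope = sxy / sxx
    return slope, my - slope * mx


def divide(points, n_subsets):
    """Division step: a round-robin split keeps the subsets statistically
    alike, so each one is a fair sample of the whole."""
    return [points[i::n_subsets] for i in range(n_subsets)]


def recombine(fits, sizes):
    """Recombination step: size-weighted average of per-subset coefficients."""
    total = sum(sizes)
    slope = sum(s * w for (s, _), w in zip(fits, sizes)) / total
    intercept = sum(b * w for (_, b), w in zip(fits, sizes)) / total
    return slope, intercept


def dr_fit(points, n_subsets):
    """Full D&R pipeline: divide, analyze each subset, recombine."""
    subsets = divide(points, n_subsets)
    fits = [ols_fit(s) for s in subsets]          # independent, parallelizable
    return recombine(fits, [len(s) for s in subsets])


def make_data(n, seed=1):
    """Constructed sample: y = 2x + 1 plus Gaussian noise (assumed model)."""
    rng = random.Random(seed)
    xs = [rng.uniform(0, 10) for _ in range(n)]
    return [(x, 2.0 * x + 1.0 + rng.gauss(0, 0.5)) for x in xs]


if __name__ == "__main__":
    data = make_data(10_000)
    print("single fit over all data :", ols_fit(data))
    print("D&R fit over 20 subsets  :", dr_fit(data, 20))
```

<p>On the constructed data the recombined slope and intercept agree with the single fit over all points to well within the noise, which is the property D&amp;R relies on; for statistics that do not average cleanly (quantiles, clustering) the recombination rule has to be chosen with more care.</p>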

<p>Marc Brooks, Lead Information Security Researcher, MITRE Corporation, mainly focused on anomaly detection in large data sets. He raised the question of how one can detect an anomaly without sufficient test data sets. Further, in his opinion, it is expensive to create such data sets. Brooks sees a trend of moving from supervised learning to unsupervised learning, such as clustering, for the above reason. Most big data sources provide large amounts of unstructured data. We know well how to handle structured data, as we already have a schema for it. He raised the question of what the effective ways of handling unstructured data are, and thinks that there should be a fundamental change in the way we model such data. He also touched on the subject of what it takes to be a data scientist, which is becoming an attractive career path these days. He thinks that the skill set is a mixture of software engineering, statistics and distributed systems.</p>

<p>Jamie Van Randwyk, Technical R&amp;D Manager, Sandia National Laboratories, started off with the idea of relativity behind the term &#8220;big data&#8221;. In his opinion, big data means different sizes and complexities for different organizations, especially regarding the volume of data that qualifies as big data. Van Randwyk mentioned that while most commercial entities such as Amazon, Microsoft, Rackspace and so on handle the big data needs of industry, Sandia mainly focuses on US government agencies. He pointed out that we use Hadoop and other technologies to perform analytics and visualizations on large volumes of data, yet we still don&#8217;t know how to secure such data in these big data environments. Van Randwyk and his team deal mainly with cyber data, which is mostly unstructured. He pointed out the challenge of analyzing large volumes of unstructured data due to the lack of a schema.</p>

<p>Alok R. Chaturvedi, Professor, Krannert Graduate School of Management, Purdue University, started his perspective with the idea that one has to collect as much information as possible from multiple sources and make the actual information stand out. Chaturvedi briefly explained their big data analytics work involving real-time monitoring of multiple markets and multiple assets. A challenge in doing so in the real world is that data is often inconsistent and fragmented. They build behavioral models based on the data feeds from sensors, news feeds, surveys, and political, economic and social channels. Based on such models they perform macro market assessment by region in order to spot opportunities to invest. Chaturvedi thinks that big data analytics will continue to play a key role in doing such analysis.</p>

<p>After the initial perspective short talks by each panelist, the floor was open to the questions from the audience.</p>

<p>Q: Is behavioral modelling effective? What are the challenges involved?</p>

<p>A: Panelists identified two ways in which the behavior would change: adversarial activities, and perturbation of the data or the business itself. It is important to understand these two aspects and build the behavioral model accordingly. Also, if the behavioral model does not keep up with the changes, it is going to be less effective in identifying the behaviors that one wants to look for. Some of the challenges involved are deciding what metrics to use, defining such metrics, understanding the context (data perturbation vs. malicious activities) and keeping the model updated. It is also important to attribute the correct causality to an event. For example, 9/11 was due to a security failure, not anything else.</p>

<p>Q: Do you need to have some expertise in the field in order to better utilize big data technologies to identify anomalies?</p>

<p>A: Yes, big data analytics will point to some red flags, but you need to be knowledgeable in the subject matter in order to dig deep and get more information.</p>

<p>Q: Is it practical to do host based modeling using big data technologies?</p>

<p>A: Yes, you have to restrict your domain of monitoring. For example, it may not be practical to do host based monitoring for the whole Purdue network.</p>

<p>Q: How do you do packet level monitoring if the data is encrypted?</p>

<p>A: Cleveland is of the view that one cannot do effective packet level monitoring if the data is encrypted. In their work, they assume that the packets are transmitted in cleartext.</p>

<p>Q: To what extent is intelligent response being worked out? Can you do it without the intervention of humans?</p>

<p>A: Even with big data analytics, there will be false positives. Therefore, we still need a human in the loop in order to pinpoint the incident accurately. These people should have a background in computer security, algorithms, analysis, etc.</p>

<p>A challenge in current big data technologies like Hadoop is that it is difficult to do near real time analysis yet.</p>

<p>Q: (panel to audience) What are your big data problems?</p>

<p>A: (An audience member) Our problem is scalability. There is nothing off the shelf that we can buy to meet our need. We have to put a lot of effort into building these systems by putting various components together. Instead of spending time on defending against attacks, we have to spend a lot of time on operational tasks.</p>

<p>Q: Is it better to have a new framework for big data for scientific data?</p>

<p>A: It is not the science per se that you have to look at; you have to look at the complexity and size of the data in order to decide. From an operational perspective, a definition/framework may not be important, but from a marketing perspective, it may be. For example, defining the size of the data set could be potentially useful.</p>

<p>Q: We want to manage EHRs (electronic health records) for 60 million people. Can these people be re-identified using big data technologies?</p>

<p>A: Even EHR data conforming to the safe harbor rules, where 18-19 elements are removed, may be re-identified. The safe harbor rules are neither sufficient nor necessary. They will protect most people, but not all. You can protect data even without safe harbor. This is a very challenging problem and CERIAS has an ongoing research project on it.</p>
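<p>The linkage attack behind that answer, as an added example that is not CERIAS project code and not from the panel. Safe harbor lets the year of birth, sex and the first three digits of the ZIP code remain in a release; whoever holds an outside dataset with the same three fields plus names (a voter roll, a social profile) can join on them. Both tables below are constructed for the example, and the record ids, names and diagnosis codes are placeholders:</p>

```python
"""Re-identification of a Safe Harbor style release by linkage on the
quasi-identifiers that Safe Harbor allows to remain (3-digit ZIP prefix,
year of birth, sex). Added example; both tables are constructed."""
from collections import Counter

QUASI = ("zip3", "birth_year", "sex")

# Constructed "de-identified" EHR release: no names, no full dates, no full ZIP.
EHR = [
    {"rec": 1, "zip3": "479", "birth_year": 1954, "sex": "F", "dx": "E11.9"},
    {"rec": 2, "zip3": "479", "birth_year": 1988, "sex": "M", "dx": "F32.9"},
    {"rec": 3, "zip3": "479", "birth_year": 1988, "sex": "M", "dx": "J45.2"},
    {"rec": 4, "zip3": "462", "birth_year": 1971, "sex": "F", "dx": "C50.9"},
]

# Constructed outside dataset (think voter roll) carrying the same fields plus names.
ROSTER = [
    {"name": "Alice Q.", "zip3": "479", "birth_year": 1954, "sex": "F"},
    {"name": "Bob R.",   "zip3": "479", "birth_year": 1988, "sex": "M"},
    {"name": "Carl S.",  "zip3": "479", "birth_year": 1988, "sex": "M"},
    {"name": "Dana T.",  "zip3": "462", "birth_year": 1971, "sex": "F"},
    {"name": "Eve U.",   "zip3": "462", "birth_year": 1971, "sex": "M"},
]


def key(row, quasi=QUASI):
    """The quasi-identifier tuple a record is linked on."""
    return tuple(row[q] for q in quasi)


def k_anonymity(rows, quasi=QUASI):
    """Smallest equivalence class in the release: k == 1 means some record is
    unique on its quasi-identifiers and therefore linkable."""
    return min(Counter(key(r, quasi) for r in rows).values())


def unique_records(rows, quasi=QUASI):
    """Release-side audit, no outside data needed: ids of records that are
    alone in their equivalence class."""
    counts = Counter(key(r, quasi) for r in rows)
    return [r["rec"] for r in rows if counts[key(r, quasi)] == 1]


def reidentify(ehr, roster, quasi=QUASI):
    """Attacker's view: join the release to the roster and report every
    record whose quasi-identifiers match exactly one named person."""
    by_key = {}
    for person in roster:
        by_key.setdefault(key(person, quasi), []).append(person["name"])
    hits = {}
    for rec in ehr:
        matches = by_key.get(key(rec, quasi), [])
        if len(matches) == 1:
            hits[rec["rec"]] = (matches[0], rec["dx"])   # name -> diagnosis
    return hits


if __name__ == "__main__":
    print("k-anonymity of release:", k_anonymity(EHR))
    print("records exposed by audit:", unique_records(EHR))
    print("re-identified:", reidentify(EHR, ROSTER))
```

<p>Records 1 and 4 are alone in their equivalence class on the release side, and those are exactly the two that link to a single named person; records 2 and 3 share a class of size two and stay ambiguous. A k-anonymity audit of the release (<code>unique_records</code>) therefore predicts which rows are exposed without needing the outside data, and raising k by generalizing the birth year or ZIP prefix is the usual mitigation.</p>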

<p>Q: Have you seen adversaries intentionally trying to manipulate big data so that they go undetected? Specifically have you seen adversaries that damage the system slowly to stay below the threshold level of detection and that damage very fast to overwhelm the system?</p>

<p>A: We have seen that adversaries understand your protocols, whether your packets are encrypted or not, etc., so that they can behave like legitimate users. I have heard anecdotal stories of manipulating data in bank and other financial institutions, but can&#8217;t point to any specific incident.</p>

<p>Q: Often times, we have to reduce the scope, when many parameters are to be analyzed due to the sheer volume of data. How do you ensure that you still detect an anomaly (no false negatives)?</p>

<p>A: You have to analyze all the data otherwise it may result in false negatives.</p>
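<p>To make the unsupervised direction Brooks describes concrete, and to show the evasion case raised in the last two questions, here is an added example (not MITRE code, not from the panel) that runs two detectors over a constructed day of outbound-transfer log lines. Hosts, destinations and byte counts are made up, and nothing is labelled in advance:</p>

```python
"""Unsupervised anomaly detection over constructed outbound-transfer logs.
Added example. Log lines are constructed here in a firewall-export style:
"<minute> <host> <dst> <bytes>". Each host is scored against the population's
own robust baseline (median and MAD of daily totals), so no labelled
training set is needed."""
import random
from collections import defaultdict
from statistics import median


def make_log(seed=7):
    """Constructed day of traffic: 50 ordinary hosts, one 'low and slow'
    sender and one host that dumps 20 MB in a single minute."""
    rng = random.Random(seed)
    lines = []
    for minute in range(24 * 60):
        for h in range(50):
            if rng.random() < 0.05:            # ordinary hosts talk now and then
                lines.append(f"{minute} ws-{h:02d} crm.example {rng.randint(2000, 60000)}")
        lines.append(f"{minute} ws-slow drop.example 40000")   # 40 KB every minute
        if minute == 600:
            lines.append(f"{minute} ws-burst drop.example 20000000")
    return lines


def parse(line):
    minute, host, dst, nbytes = line.split()
    return int(minute), host, dst, int(nbytes)


def window_threshold(lines, window=5, limit=1_000_000):
    """Detector A: alert when a host moves more than `limit` bytes inside any
    `window`-minute bucket. Cheap, but blind to anything that stays under it."""
    per_bucket = defaultdict(int)
    for minute, host, _, nbytes in map(parse, lines):
        per_bucket[(host, minute // window)] += nbytes
    return sorted({host for (host, _), total in per_bucket.items() if total > limit})


def robust_outliers(lines, k=6.0):
    """Detector B: unsupervised. Score each host's daily total as a robust
    z-score, 0.6745 * (x - median) / MAD, and flag scores above k. The
    baseline comes from the population itself, not from a fixed constant."""
    totals = defaultdict(int)
    for _, host, _, nbytes in map(parse, lines):
        totals[host] += nbytes
    med = median(totals.values())
    mad = median(abs(t - med) for t in totals.values()) or 1.0
    return sorted(h for h, t in totals.items() if 0.6745 * (t - med) / mad > k)


if __name__ == "__main__":
    log = make_log()
    print("per-window threshold flags:", window_threshold(log))
    print("robust daily baseline flags:", robust_outliers(log))
```

<p>The fixed per-window threshold flags only <code>ws-burst</code>; <code>ws-slow</code> never exceeds 200&nbsp;KB in any five-minute bucket and is invisible to it, which is the below-threshold adversary from the question. The robust baseline over daily totals flags both, because it compares each host with the population rather than with a constant. Narrowing the analysis to the busiest windows, as the scope-reduction question proposes, would discard exactly the data that exposes the slow host.</p>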

		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2012-04-13T22:44:10+00:00</dc:date>
    </item>

    <item>
      <title>Panel #1: Securing SCADA Systems (Panel Summary)</title>
      <author>kaw@cerias.purdue.edu (Keith Watson)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/panel_1_securing_scada_systems_panel_summary/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/panel_1_securing_scada_systems_panel_summary/#When:20:52:15Z</guid>
      <description><![CDATA[
	
	<p>Tuesday April 3, 2012</p>

<p>Panel Members:</p>

<ul>
<li>Hal Aldridge - Sypris Electronics</li>
<li>William Atkins &#8211; Sandia National Laboratories</li>
<li>Jason Holcomb &#8211; Lockheed Martin - Energy and Cyber Services</li>
<li>Steven Parker &#8211; Energy Sector Security Consortium</li>
<li>Lefteri Tsoukalas &#8211; Purdue University</li>
</ul>

<p>Panel Summary by Matt Levendoski</p>

<p>The panel was moderated by Charles Killien, Computer Science, Purdue University.</p>

<p>Dr. Hal Aldridge, the Director of Engineering at Sypris Electronics, opened today&#8217;s first panel on the currently popular topic of SCADA security. Dr. Aldridge initially presented his current research interests, which involve defining who takes true ownership and responsibility for the security of our nation&#8217;s backbone infrastructure, our SCADA and control systems. An interesting question he posed was: what if the responsible party doesn&#8217;t have a well-defined background in the security realm?</p>

<p>Dr. Aldridge further delved into the aspects of smart grids and the fact that they are everywhere. Hal discussed what a scary thought it is how much code is being used to run the control system of an automobile. In some aspects cars have more code than a variety of our current fighter jets. He further teased about the concept of an Internet-based coffee maker. All concepts aside, these systems have their cons, which are present in the form of security problems. Dr. Aldridge closed with the statement that he greatly appreciates the interdisciplinary stance of CERIAS and how this allows for great innovation in the industry and current academic research.</p>

<p>William Atkins, a Senior Member of Technical Staff at Sandia National Laboratories, followed up with his stance on the difference between SCADA and control systems. He specifically focuses on general computing systems security.  More precisely, he introduced the term &#8216;cyber physical systems&#8217;. He presented the recent trend that calls for these systems to be interoperable, because customers don&#8217;t want to be locked into a single vendor for their solutions. He further stressed that this topic is vague and largely unknown, which has created a lot of media attention, more specifically around topics like the Stuxnet worm.</p>

<p>William further addressed the current trends of security as they relate to control systems. These systems are changing from a manual or analog approach to a more automated and digital methodology. We want our systems to do more yet require less. This trend tends to bring about unforeseen consequences, especially when these systems hit an unknown state of inoperability. Additionally, all the hypothetical attacks being posed to the public are actually becoming a reality. Attackers now have the capability to purchase or acquire the hardware online via surplus sales, eBay, or the like.</p>

<p>William closed with his perspective on SCADA security and how the odds are asymmetrically stacked in favor of the offense versus the defense. Essentially, security tends to get in the way of security. The Stuxnet worm is a great example in that it utilized vulnerabilities within the access level of anti-virus software that allowed for a lower-level approach to the attack.</p>

<p>Jason Holcomb is a Senior Security Consultant at Lockheed Martin in Energy and Cyber Services. He opened his panel discussion with an interesting spin on how he got involved with SCADA security: Jason had indirectly introduced a denial-of-service condition into the SCADA system he was working on, which he then had to remediate.</p>

<p>Jason presented Lockheed&#8217;s current approach to the security threats within SCADA systems. Their current research and solutions look to bring some of the advantage back to the defense. This was a great contrast to the perceptions that William Atkins previously presented. Jason then introduced the following Cyber Kill Chain:</p>

<ul>
<li>Reconnaissance &#8211; Gather information: names, emails, employee info, etc.</li>
<li>Weaponization &#8211; Create malware, a malicious document, a webpage, etc.</li>
<li>Delivery &#8211; Deliver the malware, e.g. via an email hyperlink</li>
<li>Exploitation &#8211; Exploit a vulnerability to gain access to assets</li>
<li>Installation &#8211; Install on assets</li>
<li>Command and Control &#8211; Create a channel of communication back to the attacker</li>
<li>Actions on Objectives &#8211; Adversary performs their objectives</li>
</ul>

<p>Steven Parker is the Vice President of Technology Research and Projects with the Energy Sector Security Consortium. Steven stated that when it comes to control systems and SCADA, we don&#8217;t need to necessarily solve the hard problems but focus more on easy solutions. Steven then continued to compare the security industry with that of the diet industry. A few of his comparisons included how the diet industry has Dietitians and we have CISSPs, they have nutritional labeling and we have software assurance, everyone wants a no effort weight loss program while security wants an easy solution for everything, and lastly the diet industry has a surgical procedure called gastric bypass where the security industry has something called regulations and compliance. He then closed with the notion that a lot of challenges aren&#8217;t all necessarily technical. These challenges include economic strategies, human interactions, public policy, and legal issues.</p>

<p>Lefteri Tsoukalas is a Professor of Nuclear Engineering at Purdue University. Prof. Tsoukalas jumped right into making the statement that the energy markets are currently undergoing a phase transition. Demand isn&#8217;t affected by high prices as the resources have changed state from abundance to resource scarcity. This is why energy allocation is key. We need to utilize our resources when energy prices are lower rather than during peak cost timeframes. Prof. Tsoukalas also suggested that we take the same perspective as Europe and look into alternative resources. At this point in time we aren&#8217;t sitting as comfortably on our current supply of energy resources as we were, say, 100 years ago.</p>

<h1>Q&amp;A Session</h1>

<p>Question 1: There is a lot of research in SCADA/Control Systems. How do we adapt our research to be more applicable to Control Systems?</p>

<p>Answers/Discussion:</p>

<ul>
<li>Turn the problem away from keeping attackers out and focus on other aspects. </li>
<li>Looking at domain specific research. </li>
<li>Don&#8217;t limit research to a very specific area but rather apply it across all platforms.</li>
<li>It&#8217;s not an issue that systems are attached to Internet but the fact that we need better control of these systems in both physical and cyber worlds. </li>
<li>Looking from the console perspective things may be fine, but sometimes they aren&#8217;t. We can&#8217;t always rely on the digital tools.</li>
<li>Understanding the business is critical for research.</li>
<li>Developing methods for evolved systems. </li>
<li>Resilience is key, protect privacy and confidentiality.</li>
</ul>

<p>Question 2: How do we get a handle on global regulations?</p>

<p>Answers/Discussion:</p>

<ul>
<li>A lot can be shared that doesn&#8217;t involve personal or corporate data.</li>
<li>Here is where the offense has the advantage over the defense. The offense doesn&#8217;t care about regulations, whereas the defense has to.</li>
<li>Discussion was diverted to a more local level and the differences and difficulties with sharing data across large and small companies and how smaller companies tend to be more agile from this perspective.</li>
</ul>

<p>Question 3: What skills do students and staff need to be effective in this area?</p>

<p>Answers/Discussion:</p>

<ul>
<li>Good communication, understand business requirements, wide range of experience skills. </li>
<li>The industry needs more security experts than there are job openings.</li>
<li>Technical experience, also good social engineer. </li>
<li>Core fundamental concepts, you will be able to be trained to flourish in this domain.</li>
<li>May want to visit and acquire physics skillsets to operate in Control/SCADA systems</li>
</ul>

<p>Question 4: What type of attacks have you actually experienced?</p>

<p>Answers/Discussion:</p>

<ul>
<li>This question was diverted for confidential and security reasons.</li>
</ul>

<p>Further discussion was taken from the following perspective:</p>

<ul>
<li>Be careful with internal use of thumb drives etc. Attackers don&#8217;t always know what they are looking for but rather just collect data until they find something of interest.</li>
</ul>

		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2012-04-13T20:52:15+00:00</dc:date>
    </item>

    <item>
      <title>Opening Keynote: Arthur W. Coviello, Jr. (Keynote Summary)</title>
      <author>kaw@cerias.purdue.edu (Keith Watson)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/opening_keynote_arthur_w._coviello_jr._keynote_summary/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/opening_keynote_arthur_w._coviello_jr._keynote_summary/#When:20:40:43Z</guid>
      <description><![CDATA[
	
	<p>Tuesday, April 3, 2012</p>

<p>Keynote summary by Gaspar Modelo-Howard</p>

<p>The State of Security</p>

<p>Arthur W. Coviello, Jr., Chairman, RSA, The Security Division of EMC</p>

<p>Mr. Coviello opened his keynote with a quote from Nicholas Negroponte: &#8220;Internet is the most overhyped, yet underestimated phenomenon in history&#8221;. This statement, Mr. Coviello argues, is still true today. And to determine the state of security, one does not have to look beyond the state of the Internet.</p>

<p>The growth of the Internet has driven the evolution of computing in the last few decades. Computing has gone through radical transformations: from its early days with mainframes, to computers, moving later to networks in the 80s and then to the rise of the Internet and the World Wide Web in the mid 90s. We are currently experiencing a confluence of technologies and trends (cloud computing, big data, social media, mobile, consumerization of IT) that make clear that the next transformation of computing is well underway and creating new challenges to security. Coviello contended the past evolution of IT infrastructure gives clear signals to the fast and deep changes security should continue to experience in the future. As an example and in just a couple of years, the IT industry has moved from 1 exabyte of data to 1.8 zettabytes, from the iPod to the iPad, from 513M to over 2B Internet users, from speeds of 100kbps to 100Mbps, and from AOL to Facebook (which would be the 3rd largest country in the world, by considering its number of users as population).</p>

<p>Coviello then used an interesting analogy to explain the impact in security of the continuous growth of the Internet, and therefore the need to better empower security. Imagine that the Internet is a highway system that is experiencing an exponential growth in the number of cars that use it. The highway system then needs to increase the number of lanes of existing roads, add new roads, and provide better ways for cars to access the system. But all this growth also increases the number and complexity of accidents on the roads. Then, security needs to grow accordingly to better manage (prevent, detect, and respond) the new scenario of potential accidents.</p>

<p>Looking at the security world, things have also changed dramatically over the years. Not long ago there were tens of thousands of viruses and their corresponding signatures, whereas now there are tens of millions. Organized crime and spying online are very real threats today that were not really happening in 2001. Protecting their networks is therefore harder today for security practitioners. Stuxnet opened a new threat era for security. We have long moved away from the times of script kiddies. The new breed of attackers includes: (1) non-state actors, like terrorists and anti-establishment vigilantes; (2) criminals, who act like a technology company, expanding their market around the world to distribute their products and services, and who have sophisticated supply chains; and (3) nation-state actors, which are stealthy and sophisticated, difficult to detect, well-resourced, and efficient.</p>

<p>Coviello briefly explained the high-profile breach experienced by RSA in 2011. They were attacked by two advanced persistent threat (APT) groups. From the steps taken, it is very clear that a lot of research on the company was done before the attacks. Phishing email, sent to a carefully selected group of RSA employees, was used to get inside their networks. The messages included an Excel attachment that contained a zero-day exploit (an Adobe Flash vulnerability), which installed a backdoor when triggered. The attackers knew what they wanted, and went low and slow. The attack went on for 2 weeks, with RSA staying two to three hours behind the attackers&#8217; moves. The attackers were able to exfiltrate information from the networks, but RSA ultimately determined that the attack produced no loss to the company. As for the experience, Coviello acknowledged that it is still not a good idea for a security company to get breached.</p>

<p>We are past the tipping point where physical and virtual worlds could be separated. Additionally, the confluence of technologies and trends is creating more &#8216;open&#8217; systems. The security industry is challenged, as open systems are more difficult to secure than closed systems, each under a single domain. We need to secure what, in a way, can&#8217;t be controlled. It is then not difficult to explain what has happened recently in terms of breaches. In 2011, many high-profile attacks occurred (in what others have labeled the &#8216;Year of the Security Breach&#8217;) against big organizations like Google, Sony, RSA, PBS, BAH (Booz Allen Hamilton), DigiNotar, and governmental entities such as the Japanese Parliament and the Australian Prime Minister.</p>

<p>Coviello argued that vendors and manufacturers must stop the linear approach used in the security industry of adding layer after layer of security control mechanisms. Security products should not be silos. We need to educate computer users, while keeping in mind that people make mistakes; after all, we are humans. Our mindset must change from playing defense, as perimeter protection alone does not work. Also, security practitioners and technologists must show an ability for big-picture thinking and have people skills.</p>

<p>We need to get leverage from all security products, hence the need to move away from the siloed security architecture. Fortunately, the age of big data is arriving in the security world. Coviello offered a definition of big data: collecting datasets from numerous sources, at a large scale, and producing actionable information from analyzing the datasets. The security objective is then to reduce the window of vulnerability for all attacks. The age of big data should also promote the sharing of information, which unfortunately is currently a synonym for failure: organizations do not work together to defend against attacks.</p>

<p>Mr. Coviello calls for the creation of multi-source intelligence products. They must be risk-based, as there are different types of risk, and should consider the different vulnerabilities, threats, and impacts affecting each organization. The intelligence products should be agile, having deep visibility into the protected system. They should detect anomalies in real time, and the corresponding responses should be automated in order to scale and be deployed pervasively. Unfortunately, systems today are a patchwork of security products focused only on compliance. Finally, the intelligence products should have contextual capabilities. The ability to succeed against attacks depends on having the best available information, not only security logs. Such information should come from numerous sources, not only internal ones.</p>

<p>The stimulating talk was followed by a Q&amp;A session with several interesting questions. The first asked about possible impediments to achieving the goals outlined in the talk. Coviello pointed out three potential roadblocks. First, the lack of awareness at the organization&#8217;s top board of the impact of a security situation. Top management should understand that security problems are the responsibility of the whole company, not just the IT department. Second, ignoring the requirement to follow a risk-based approach when making security decisions and developing strategies. Third, it is important that security programs grow as organizations increasingly rely on their IT systems.</p>

<p>A question was asked about the asymmetric threat that security practitioners face and what can be done about it. Coviello pointed out the need to work around risk analysis in order to reduce the potential risks faced by organizations. It should be understood that digital risk cannot be reduced any more than physical risk can. So organizations should get more sophisticated in their analytics, following a risk-based approach.</p>

<p>A member of the audience pointed out that several federal cybersecurity policies are based on the concept of defense in depth. That concept is not driven by risk, which ultimately might raise costs for organizations required to comply with policies and regulations. Coviello agreed that if a risk-based approach is not followed, security programs might not achieve cost effectiveness. He also mentioned that defense in depth is sometimes misunderstood: it is not merely a layering mechanism for implementing cybersecurity. It should encompass information sharing among organizations and even countries. He offered an example, calling for ISPs to play a more aggressive role and work with organizations to stop the threat from botnets.</p>

<p>A final question was asked about the push by elected officials to use electronic voting, especially in small counties that might lack the resources to protect those systems. How can elected officials be made to understand the risk of using electronic voting, when such authorities usually do not have the capability to secure the voting system? Coviello sounded less than enthusiastic about electronic voting. But more importantly, he said there is a need to aggregate security expertise and services so they can be outsourced to small and medium-sized organizations. The security industry should follow in the footsteps of the software and hardware industries, offering outsourcing services and products.</p>

		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2012-04-13T20:40:43+00:00</dc:date>
    </item>

    <item>
      <title>An Interesting Opportunity</title>
      <author>spaf@cerias.purdue.edu (Gene Spafford)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/an_interesting_opportunity/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/an_interesting_opportunity/#When:22:46:13Z</guid>
      <description><![CDATA[
	
	<p>As someone who is interested in information security and <a href="http://www.cerias.purdue.edu" title="CERIAS">CERIAS</a> (or why else would you be reading this blog?), you are undoubtedly already aware of the great need for education and research in information/cyber security areas -- the very areas in which we have been a leader for the last 20+ years here at <a href="http://www.purdue.edu">Purdue University</a>.
</p><p>
One aspect of our efforts is an on-going need to attract and retain the very best faculty members possible to provide leadership in all aspects of what we do.
</p><p>
Universities have a mechanism for attracting and retaining the best people: <a href="http://en.wikipedia.org/wiki/Endowed_chair#Endowed_professorships" title="endowed chairs">endowed chairs</a> for faculty. These are special designations for positions for leading faculty. The associated endowment provides discretionary funds for travel, research, staff and a salary supplement to support the position. Only a small number of these positions exist in <i>any</i> computing field at universities nationally&#8230;and almost <i>none</i> in information/cyber security and privacy. Having one of the oldest and largest programs in this field, Purdue University really should have a few of these positions available to attract and keep the best faculty we can find.
</p><p>
Normally, the endowments for these chairs are provided by generous individuals or foundations who support the university and/or the research area. As a small token of appreciation, the university allows the benefactor(s) to name the chaired position (within reason), thus resulting in something such as the <i>Homer J. Simpson Distinguished Professor of Cyber Security</i> or the <i>Yoyodyne Propulsion Systems Professor of Information Security and Privacy</i>. This name is kept in perpetuity, and is on all stationery and publications of that professor henceforth.
</p><p>
Purdue has just announced <a href="http://snipurl.com/echairs">a new program</a> to match donations 1:1 for chaired positions with no restrictions. It is thus possible for someone (or a group, company, club or foundation) to endow a distinguished chair at &#189; of the usual amount. Further, that amount may be pledged over a three-year period, and the donor(s) still retain full naming rights!
</p>
<p>Note that Purdue University is a 503(c) organization and thus donations to support this have potential tax advantages for the donor(s).
</p><p>
We really would like to have CERIAS continue to be the leader in the field of information security. Obtaining at least one (and preferably, several) named chairs in the field, most likely with homes in the CS department, would help us keep that lead, and keep our program strong.
</p><p>
If you are interested in taking part in this great opportunity to help fund one of the first few endowed professorships <b>globally</b> in this important area, <a href="mailto:spaf@purdue.edu">please contact me</a>. And if you know of others who might be interested, please pass this along to them. Fields including computer games and graphics have dozens of endowed professorships around the country. Isn't it about time we showed that information security is taken seriously, too?</p>
		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2012-02-22T22:46:13+00:00</dc:date>
    </item>

    <item>
      <title>Gene Schultz, R. I. P.</title>
      <author>spaf@cerias.purdue.edu (Gene Spafford)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/gene_schultz_r._i._p/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/gene_schultz_r._i._p/#When:00:30:50Z</guid>
      <description><![CDATA[
	
	<p><font color="#000000">Sunday, October 2nd, Earl Eugene Schultz, Jr. passed away. Gene probably had suffered an unrecognized stroke about two weeks earlier, and a week later fell down a long escalator at the Minneapolis municipal airport. He was given immediate emergency aid, then hospitalized, but never regained consciousness. Many of his family members were with him during his final days.</font></p>
<p><font color="#000000">What follows is a more formal obituary, based on material provided by his family and others. That is followed by some personal reflections.</font></p>
<p style="font-size:13px;"><font color="#000000"><b>Personal Details</b></font></p>
<p><font color="#000000">Gene was born September 10, 1946, in Chicago to E. Eugene Sr. and Elizabeth Schultz. They moved to California in 1948, and Gene&#8217;s sister, Nancy, was born in 1955. The family lived in Lafayette, California. Gene graduated from UCLA, and earned his MS and PhD (in Cognitive Science, 1977) at <a href="http://www.purdue.edu" title="Purdue University">Purdue University</a> in Indiana.</font></p><span style="float:left;padding:10px;"><img src="http://www.cerias.purdue.edu/site/images/uploads/Schultz_Gene.jpg" width="150" height="196" alt="Schultz_Gene.jpg" /></span>
<p><font color="#000000">While at Purdue University, Gene met and married Cathy Brown. They were married for 36 years, and raised three daughters: Sarah, Rachel and Leah.</font></p>
<p><font color="#000000">Gene was an active member of <a href="http://cornerstoneweb.org/">Cornerstone Fellowship</a>, and belonged to a men&#8217;s Bible study. His many interests included family, going to his mountain home in Twain Harte, model trains, music, travelling, the outdoors, history, reading and sports.</font></p>
<p><font color="#000000">Gene is survived by his wife of 36 years, Cathy Brown Schultz; father, Gene Schultz, Sr.; sister, Nancy Baker; daughters and their spouses, Sarah and Tim Vanier, Rachel and Duc Nguyen, Leah and Nathan Martin; and two grandchildren, Nola and Drake Nguyen.</font></p><span style="color:#000000;">A memorial service will be held at Cornerstone Fellowship in Livermore, California on Saturday, October 8, 2011 at 1 pm. Donations may be sent to <a href="http://www.caringbridge.org/visit/geneschultz/tributes">Caring Bridge.org</a></span> <span style="color:#000000;">under his name, Gene Schultz.</span>
<p><font color="#000000"><i>You should also take a few moments to <a href="http://www.ninds.nih.gov/disorders/stroke/knowstroke.htm">visit this page</a> and learn about the symptoms and response to stroke.</i><br /></font></p>
<p style="font-size:13px;"><font color="#000000"><b>Professional Life</b></font></p>
<p><font color="#000000">Gene was one of the more notable and accomplished figures in computing security over the last few decades. During the course of his career, Gene was professor of computer science at several universities, including the <a href="http://www.ucdavis.edu">University of California at Davis</a> and <a href="http://www.purdue.edu" title="Purdue University">Purdue University</a>, and retired from the <a href="http://berkeley.edu">University of California at Berkeley</a>. He consulted for a wide range of clients, including U.S. and foreign governments and the banking, petroleum, and pharmaceutical industries. He also managed several information security practices and served as chief technology officer for two companies.</font></p>
<p><font color="#000000">Gene formed and managed the Computer Incident Advisory Capability (<a href="http://www.ciac-cert.org/">CIAC</a>) &#8212; an incident response team for the U.S. Department of Energy &#8212; from 1986&#8211;1992. This was the first formal incident response team, predating the <a href="http://www.cert.org/certcc.html">CERT/CC</a> by several years. He also was instrumental in the founding of <a href="http://www.first.org/">FIRST</a> &#8212; the Forum of Incident Response &amp; Security Teams.</font></p>
<p><font color="#000000">During his 30 years of work in security, Gene authored or co-authored over 120 papers, and five books. He was manager of the I4 program at SRI from 1994&#8211;1998. From 2002&#8211;2007, he was the Editor-in-Chief of <i><a href="http://www.elsevier.com/locate/cose">Computers and Security</a></i> &#8212; the oldest journal in computing security &#8212; and continued to serve on its editorial board. Gene was also an associate editor of <i>Network Security</i>. He was a member of the accreditation board of the Institute of Information Security Professionals (<a href="https://www.instisp.org/SSLPage.aspx">IISP</a>).</font></p>
<p><font color="#000000">Gene testified as an expert several times before both Senate and House Congressional committees. He also served as an expert advisor to a number of companies and agencies. Gene was a certified <a href="http://sans.org">SANS</a> instructor, instructor for <a href="http://www.isaca.org/">ISACA</a>, senior SANS analyst, member of the SANS NewsBites editorial board, and co-author of the 2005 and 2006 Certified Information Security Manager preparation materials.</font></p>
<p><font color="#000000">Dr. Schultz was honored numerous times for his research, service, and teaching. Among his many notable awards, Gene received the NASA Technical Excellence Award, Department of Energy Excellence Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman's Award, the <a href="http://www.isaca.org/">ISACA</a> John Kuyers Best Speaker/Best Conference Contributor Award and the National Information Systems Security Conference Best Paper Award. One of only a few Distinguished Fellows of the Information Systems Security Association (<a href="http://www.issa.org/">ISSA</a>), he was also named to the <a href="http://www.issa.org/page/?p=146">ISSA Hall of Fame</a> and received ISSA's Professional Achievement and Honor Roll Awards.</font></p>
<p><font color="#000000">At the time of his death, Dr. Schultz was the CTO of <a href="http://www.emagined.com/">Emagined Security</a>, an information security consultancy based in San Carlos, California. He held certifications as a <a href="http://en.wikipedia.org/wiki/Certified_Information_Security_Manager">CISM</a>, <a href="http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional">CISSP</a>, and <a href="http://en.wikipedia.org/wiki/Global_Information_Assurance_Certification">GSLC</a>.</font></p>
<p style="font-size:13px;"><font color="#000000"><b>Personal Reflections</b></font></p>
<p><font color="#000000">As I recall, I first &#8220;met&#8221; Gene almost 25 years ago, when he was involved with the <a href="http://www.ciac-cert.org/">CIAC</a> and I was involved with network security. We exchanged email about security issues and his time at Purdue. I may have even met him earlier &#8212; I can&#8217;t recall, exactly. It seems we have been friends forever. We also crossed paths once or twice at conferences, but it was only incidental.</font></p>
<p><font color="#000000">In 1998, I started <a href="http://www.cerias.purdue.edu">CERIAS</a> at Purdue. I had contacted personnel at the (now defunct) company Global Integrity while at the National Computer Security Conference that year about supporting the effort at CERIAS. What followed was a wonderful collaboration: Gene was the Director of Research for Global Integrity, and as part of their support for CERIAS they &#8220;loaned&#8221; Gene to us for several years. Gene, Cathy and Leah moved to West Lafayette, a few houses away from where I lived, and Gene proceeded to help us in research and teaching courses over the next three years while he worked remotely for GI.</font></p>
<p><font color="#000000">The students at Purdue loved Gene, but that seems to have been the case for everywhere he taught. Gene had a gift for conveying complex concepts to students, and had incredible patience when dealing with them one-on-one. He came up with great assignments, sprinkled his lectures with interesting stories from his experience, and encouraged the students to try things to see what they might discover. He was inspirational. He was inspirational as a colleague, too, although we both traveled so much that we didn&#8217;t get to see each other too often.</font></p>
<p><font color="#000000">In 2001 he parted ways with Global Integrity, and moved his family back to California. This was no doubt influenced by the winters they had experienced in Indiana &#8212; too much of a reminder of grad student days for Gene and Cathy! I remember one time that we all got together to watch a New Year&#8217;s Purdue football bowl appearance, and the snow was so high as to make the roads impassable for a few days. Luckily, we lived near each other and it was only a short walk to warmth, hors d&#8217;oeuvres, and wine. <img src="http://www.cerias.purdue.edu/site/images/smileys/grin.gif" width="19" height="19" alt="grin" style="border:0;" /></font></p>
<p><font color="#000000">In the following years, Gene and I kept in close touch. We served on a few committees and editorial boards together, regularly saw each other at conferences, and kept the email flowing back and forth. He returned to Purdue and <a href="http://www.cerias.purdue.edu/">CERIAS</a> several times to conduct seminars and joint research. He was generous with his time to the students and faculty who met with him.</font></p>
<p><font color="#000000">Earlier this year, several of us put together a proposal to a funding agency. In it, we listed Gene as an outside expert to review and advise us on our work. We had room in the budget to pay him almost any fee he requested. But, when I spoke with him on the phone, he indicated he didn&#8217;t care if we paid more than his expenses &#8212; &#8220;I want to help CERIAS students and advance the field&#8221; was his rationale.</font></p>
<p><font color="#000000">Since I learned of the news of his accident, and subsequent passing, I have provided some updates and notes to friends, colleagues, former students, and others via social media and email. So many people who knew Gene have responded with stories. There are three elements that are frequently repeated, and from my experience they help to define the man:</font></p>
<ul>
  <li><font color="#000000">Equity. Gene treated everyone the same when he met them. It didn&#8217;t matter if someone was a CEO, Senator, freshman, or custodian &#8212; he treated them with respect and listened to what they might have to say.</font></li>

  <li><font color="#000000">Humor. Gene loved to laugh, and loved to make others laugh. He shared funny stories and odd things found on the WWW, and had wonderful stories that helped make others smile. And he smiled, a lot, and shared his joy.</font></li>

  <li><font color="#000000">Consideration. Gene was compassionate, thoughtful, and gentle. He would often inconvenience himself for others, without complaint. He loved his family and let his friends know they were special. &nbsp;&nbsp;</font></li>
</ul>
<p><font color="#000000">Gene Schultz was a wonderful role model, mentor and friend for a huge number of people, including being a husband to a delightful wife for 36 years and father to three wonderful daughters. Our world is a little less bright with him gone, but so very much better that he was with us for the time he was here.</font></p>
<p><font color="#000000">E. Eugene Schultz, Jr., 9/10/46&#8211;10/2/11. <i>Requiescat in pace.</i></font></p>

		]]></description>
      <dc:subject>General, Kudos, Opinions and Rants</dc:subject>
      <dc:date>2011-10-04T00:30:50+00:00</dc:date>
    </item>

    <item>
      <title>More than passive defense</title>
      <author>spaf@cerias.purdue.edu (Gene Spafford)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/more_than_passive_defense/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/more_than_passive_defense/#When:00:09:27Z</guid>
      <description><![CDATA[
	
	<p>I was watching a video today (more on that later) that reminded me of some history. It also brought to mind that too few defenders these days build forensics capture into their systems to help identify intruders. They also don't have active defenses, countermeasures and <a href="http://en.wikipedia.org/wiki/Chaff_(countermeasure)">chaff</a> in place to slow down attackers and provide more warning of problems.</p>
<p>Back in the late 1980s and early 1990s, I quietly built some counterhacking and beaconing tools that I installed in a "fake front" machine on our local network. People who tried to break into it might get surprises and leave me log info about what they were up to, and things they downloaded would not do what they thought or might beacon me to indicate where the code went. This was long before honeypots were formalized, and before firewalls were in common use. Some of my experiences contributed to me writing the first few papers on <i><a href="http://dx.doi.org/10.1016/0167-4048(93)90055-A">software forensics</a></i> (now called digital forensics), development of <a href="http://www.tripwire.com/" title="Tripwire">Tripwire</a>, and several of my Ph.D. students' thesis topics.</p>
<p>I didn't talk about that work much at the time for a variety of reasons, but I did present some of the ideas to students in classes over the years, and in some closed workshops. <a href="http://en.wikipedia.org/wiki/Tsutomu_Shimomura">Tsutomu Shimomura</a>, <a href="http://en.wikipedia.org/wiki/Dan_farmer">Dan Farmer</a> and I traded some of our ideas on occasion, along with a few others; a DOD service branch contracted with a few companies to actually build some tools from my ideas, a few of which made it into commercial products. (And no, I never got any royalties or credit for them, either, or for my early work on firewalls, or security scanning, or.... I didn't apply for patents or start companies, unfortunately. It's interesting to see how much of the commercial industry is based around things <a href="http://spaf.cerias.purdue.edu/firsts.html" title="Things I pioneered">I pioneered</a>.)</p>
<p>I now regret not having actually written about my ideas at the time, but I was asked by several groups (including a few government agencies) not to do so because it might give away clues to attackers. A few of those groups were funding my grad students, so I complied. You can find a few hints of the ideas in the various editions of <a href="http://oreilly.com/catalog/9780596003234">Practical Unix &amp; Internet Security</a> because I shared several of the ideas with my co-author, <a href="http://simson.net/page/Main_Page">Simson Garfinkel</a>, who had a lot of clever ideas of his own. He went on to found a company, <a href="http://www.niksun.com/sandstorm.php">Sandstorm Enterprises</a>, to build and market some professional tools in roughly this space; I was a minor partner in that company. (Simson has continued to have lots of other great ideas, and is now doing wonderful things with disk forensics as a faculty member at the Naval Postgraduate School.)</p>
<p>Some of the ideas we all had back then continue to be reinvented, along with many new and improved approaches. Back in the 1980s, all my tools were in Unix (SunOS, mostly), but now there are possible options in many other systems, with Windows and Linux being the main problems. Of course, back in the 1980s the Internet wasn't used for commerce, Linux hadn't been developed, and Windows was not the widespread issue it is now. There also wasn't a WWW with its problems of cross-site scripting and SQL injection. Nonetheless, there were plenty of attackers, and more than enough unfound bugs in the software to enable attacks.<br /></p>
<p>For the sake of history, I thought I'd document a few of the things I remember as working well, so the memories aren't lost forever. These are all circa 1989-1993:<br /></p>
<ul>
  <li>Everything was built on a decoy system. I had control over my own <a href="http://en.wikipedia.org/wiki/Sun-4">Sun workstation</a>. I configured it to have 2 separate accounts, with one (named <i>spaf</i>) exported via <a href="http://en.wikipedia.org/wiki/Network_File_System_(protocol)">NFS</a> to the <a href="http://www.cs.purdue.edu">CS department</a> Sun, <a href="http://en.wikipedia.org/wiki/Pyramid_Technology">Pyramid</a> and <a href="http://en.wikipedia.org/wiki/Sequent_Computer_Systems">Sequent</a> machines. My students and fellow faculty could access this directory, and I populated it with contents to make it look real. If I wanted to share something with my classes, I'd copy it to this account. A second account (<i>rspaf</i>) was on a separate partition, not exported, and locked down. It was my <b>real</b> account and where I got email. No system had <i>rsh</i> access in, nor any other indication that it existed &#8212; the support staff knew it was there, but almost no one else. (For real paranoia, I kept copies of sensitive files and source code on a Mac running <a href="http://en.wikipedia.org/wiki/Mac_os_7">OS 7</a>, and it was off the network.)</li>

  <li>My original idea for Tripwire came several years before Gene Kim arrived as a student and we built the actual <a href="http://en.wikipedia.org/wiki/Tripwire_(company)">Tripwire</a> tool. I built a watcher program for bogus, "bait" mail files and attractively-named source files that would never be touched in normal operation. When accessed, their file times changed. The watcher "noticed" and would start taking repeated snapshots of active network connections and running processes. When <a href="http://en.wikipedia.org/wiki/Lsof">lsof</a> was written (at Purdue), I included it in the logging process. After a few minutes, my watcher would freeze the active network connections.</li>

  <li>As a matter of good security practice, I disabled most of the network services spawned at startup or by <a href="http://www.google.com/url?sa=t&amp;source=web&amp;cd=1&amp;ved=0CB4QFjAA&amp;url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FInetd&amp;rct=j&amp;q=inetd&amp;ei=KBcSTs7fOuXKsQK11NTUDw&amp;usg=AFQjCNGvMtfBdv96cx5pQBE4HomfQd4dPg">inetd</a>. In their places, I put programs that mimicked their output behavior, but logged everything sent to them. Thus, if someone tried to <a href="http://en.wikipedia.org/wiki/Remote_Shell">rsh</a> into my system, they'd get output claiming incorrect password for most accounts. For <i>spaf</i> and <i>root</i> it would randomly act like it was connecting but very slow or an error would be printed. At the same time, this would send me email and (later) a page. This would allow me to run other monitoring tools. The <a href="http://en.wikipedia.org/wiki/TCP_Wrapper">tcp wrappers</a> system was later independently developed by <a href="http://en.wikipedia.org/wiki/Wietse_Venema">Wietse Venema</a>, and the <i>twist</i> option provided the same kind of functionality (still useful).</li>

  <li>Some attackers would try to "slurp" up interesting sounding directories without looking at all the contents. For instance, a common tactic was to take any directory labeled "security" and the mail spool. For a while, attackers were particularly interested in getting my copy of the <a href="http://en.wikipedia.org/wiki/Morris_worm">Morris Internet Worm</a>, so any directory with "worm" in it would be copied out in its entirety. I built a small utility that would take any file (such as a mail file or binary) and make it HUGE using the Unix <a href="http://en.wikipedia.org/wiki/Sparse_file">sparse file</a> structure. On disk the files might only be a few thousand bytes long, and you could read it normally, but any copy program thought they were gigabytes in length. Thus, any attempt to copy them offsite would result in very long, uncompleted copies (which left network connections open to trace) and sometimes filled up the attackers' disks.</li>

  <li>The previous idea was partially inspired by one of Tsutomu's tricks. The authd daemon, implementing the ident protocol (<a href="http://tools.ietf.org/html/rfc1413">RFC 1413</a>), was somewhat popular. It could be useful in a LAN, but in the Internet at large it was not trustworthy; to make this point, several admins had it always return some made-up names when queried. Tsutomu took this a step further: when a remote system connected to the ident port on his machine, it would get an unending string of random bits. Most authd clients would simply accept whatever they were given and write it to the local log file. Connecting to Tsutomu's machine was therefore going to lead to a disk-full problem. If the client ran as <i>root</i>, it would not be stopped by any limits or quotas &#8212; and it usually logged to the main system partition. Crash. As Tsutomu put it, "Be careful what you ask for or you may get more of it than you counted on."</li>

  <li>I sprinkled altered program source on my fake account, including many that looked like hacking tools. The source code was always subtly altered to neuter the tool. For example, some Unix password cracking tools had permuted <a href="http://en.wikipedia.org/wiki/S-box">S-boxes</a> so that, when presented with a password hash to attack, the program would either run a long time without a result, or would give a result that would not work on any target machine. I also had a partial copy of the Morris Worm there, with subtle permutations made to prevent it from spreading if compiled, and the beacon changed to ping me instead of Berkeley. (See <a href="http://spaf.cerias.purdue.edu/tech-reps/823.pdf">my analysis paper</a> if you don't get the reference.)</li>

  <li>I also had some booby-trapped binaries with obfuscated content. One was named "God" and had embedded text strings for the usage message that implied that there were options to become root, take over the network, and other tasty actions. However, if run, it would disable all signals, and prompt the user with the name of every file in her home directory, one at a time. Any response to the prompt would result in "Deleted!" followed by the next prompt. Any attempt to stop the program would cause it to print "Entering automatic mode" where every half-second it would state that it was deleting the next file. Meanwhile, it would be sending me logging information about who was running it and where. If run on a Purdue machine, it didn't actually delete anything &#8212; I simply used it to see who was poking in my account and running things they didn't know anything about (usually, my students). It also gave them a good scare. If taken and run on a non-Purdue machine, well, it was not so benign.</li>
</ul>
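<p>The first and third items above describe the same pattern: replace a real network service with a decoy that answers plausibly, records everything, and sometimes punishes the caller. Here is an added example in that spirit, written for this post; it is neither Spafford's original replacement daemons nor Venema's tcp_wrappers. The lure account names, the in-memory <code>ALERTS</code> list (standing in for the email/pager hook), and the loopback listener on an ephemeral port are assumptions of the example.</p>

```python
"""Decoy network services: a login decoy that logs everything it is sent and
alerts on lure accounts, and an ident tarpit that answers with random bytes
until the client gives up. Added example for this post; it is neither
Spafford's original replacement daemons nor tcp_wrappers. Hypothetical
details: the lure account names, an in-memory ALERTS list standing in for the
e-mail/pager hook, and listening on 127.0.0.1 with an ephemeral port."""
import logging
import os
import socket
import socketserver
import threading
import time

logging.basicConfig(level=logging.INFO, format="%(asctime)s decoy: %(message)s")
log = logging.getLogger("decoy")

LURE_ACCOUNTS = {"root", "spaf"}   # assumed: accounts worth paging about
STALL_SECONDS = 1                  # make the lure look slow rather than refused
ALERTS = []                        # stand-in for "send me email and a page"


def login_response(user: str, password: str, peer: str) -> bytes:
    """Decide what the decoy says. Every attempt is logged (this is a decoy,
    so the offered password is evidence, not a secret); lure accounts alert."""
    log.info("login attempt from %s user=%r password=%r", peer, user, password)
    if user in LURE_ACCOUNTS:
        ALERTS.append((peer, user))          # pager/e-mail hook would go here
        time.sleep(STALL_SECONDS)            # look like a flaky, slow connect
        return b"Connection timed out\r\n"
    return b"Permission denied\r\n"


class LoginDecoy(socketserver.StreamRequestHandler):
    """Looks like an interactive login, never lets anyone in."""
    def handle(self):
        peer = "%s:%d" % self.client_address[:2]
        self.wfile.write(b"login: ")
        user = self.rfile.readline().strip().decode("ascii", "replace")
        self.wfile.write(b"Password: ")
        password = self.rfile.readline().strip().decode("ascii", "replace")
        self.wfile.write(login_response(user, password, peer))


class IdentTarpit(socketserver.BaseRequestHandler):
    """Answers any ident (RFC 1413) query with an endless stream of random
    bytes. A client that logs the reply verbatim fills its own disk."""
    def handle(self):
        self.request.settimeout(30)          # don't keep threads for dead peers
        try:
            self.request.recv(512)           # consume the "port, port" query
            log.info("ident query from %s:%d, tarpitting", *self.client_address[:2])
            while True:
                self.request.sendall(os.urandom(4096))
        except OSError:
            pass                             # peer closed, reset, or stalled


def serve_in_background(handler_cls, host="127.0.0.1", port=0):
    """Start a threaded listener; returns (server, bound_port)."""
    srv = socketserver.ThreadingTCPServer((host, port), handler_cls)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


# Client-side helpers so the decoys can be exercised without rsh/telnet.
def probe_login(port: int, user: str, password: str) -> str:
    with socket.create_connection(("127.0.0.1", port), timeout=10) as s:
        s.sendall(user.encode() + b"\r\n" + password.encode() + b"\r\n")
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace")


def drain_tarpit(port: int, want: int) -> int:
    """Read `want` bytes from the tarpit then hang up; returns bytes received."""
    got = 0
    with socket.create_connection(("127.0.0.1", port), timeout=10) as s:
        s.sendall(b"113, 1024\r\n")
        while got < want:
            chunk = s.recv(65536)
            if not chunk:
                break
            got += len(chunk)
    return got


if __name__ == "__main__":
    _, login_port = serve_in_background(LoginDecoy)
    _, ident_port = serve_in_background(IdentTarpit)
    print("login decoy on", login_port, "ident tarpit on", ident_port)
    threading.Event().wait()                 # serve until interrupted
```

<p>Run stand-alone it listens on two ephemeral ports and logs to stderr; the client helpers are there so the behaviour can be checked from the same machine. The tcp_wrappers <i>twist</i> option mentioned above does the equivalent at the inetd layer: a <code>hosts.allow</code> entry of the form <code>daemon : client : twist /path/to/decoy</code> hands the accepted connection to the decoy on stdin/stdout instead of the real daemon, so a decoy written for it would read and write those streams rather than its own socket. The tarpit is deliberately bounded by a socket timeout so a peer that stops reading does not pin a thread forever.</p>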
<p>There were many other tools and tripwires in place, of course, but the above were some of the most successful.</p>
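<p>The sparse-file trick from the list above, as an added example for this post (it is not Spafford's original utility): the decoy reads back normally, its apparent size is whatever you choose, and only the real payload occupies disk. It assumes a filesystem with sparse-file support (Linux ext4, xfs and tmpfs all have it); the decoy mail header is constructed sample data.</p>

```python
"""Sparse-file decoys: a file that reads normally and looks enormous to any
copy program but occupies almost no disk. Added example for this post; it is
not Spafford's original utility. Assumes a filesystem with sparse-file
support (Linux ext4, xfs and tmpfs all have it)."""
import os
import tempfile


def make_sparse_decoy(path: str, payload: bytes, apparent_size: int) -> dict:
    """Write `payload` at the start of `path`, then extend the file to
    `apparent_size` bytes with a hole. Returns the apparent size (what ls,
    scp and tar see) and the bytes actually allocated on disk."""
    if apparent_size < len(payload):
        raise ValueError("apparent_size must be at least len(payload)")
    with open(path, "wb") as f:
        f.write(payload)
        f.truncate(apparent_size)   # extends with a hole: no data blocks allocated
    return disk_usage(path)


def disk_usage(path: str) -> dict:
    st = os.stat(path)
    # st_blocks is in 512-byte units on Linux/BSD; absent on Windows.
    allocated = getattr(st, "st_blocks", 0) * 512
    return {"apparent": st.st_size, "allocated": allocated}


def naive_copy(src: str, dst: str, chunk: int = 1 << 16) -> dict:
    """What a copy tool that does not detect holes does: read every byte,
    including the zeros in the hole, and write them all out. The copy is
    fully allocated, so the copier pays for space the decoy never used."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            buf = fin.read(chunk)
            if not buf:
                break
            fout.write(buf)
    return disk_usage(dst)


def head(path: str, n: int) -> bytes:
    """The decoy still reads back normally, so casual inspection sees real data."""
    with open(path, "rb") as f:
        return f.read(n)


def demo(apparent_size: int = 16 << 20) -> dict:
    """Build a decoy 'mail spool' in a temp dir and copy it naively."""
    # Constructed sample payload; a real decoy would hold whatever bait you like.
    payload = b"From spaf  Mon Jan  1 00:00:00 1990\nSubject: worm source\n\n(decoy)\n"
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "mbox")
        dst = os.path.join(d, "mbox.stolen")
        decoy = make_sparse_decoy(src, payload, apparent_size)
        copy = naive_copy(src, dst, chunk=1 << 20)
        return {"decoy": decoy, "copy": copy, "head": head(src, len(payload))}
```

<p><code>demo()</code> returns the two <code>disk_usage</code> readings side by side: a few kilobytes allocated for the decoy against the full apparent size for the naive copy. Modern GNU <code>cp</code> detects holes by default, so today the trick mainly bites network copies such as <code>scp</code>, archivers run without their sparse option, and copies landing on a filesystem without sparse support, where the receiver really does pay for every byte.</p>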
<p>What does successful mean? Well, they helped me to identify several penetrations in progress, and get info on the attackers. I also identified a few new attacks, including the very subtle library substitution that was documented in <i><a href="http://books.simonandschuster.com/At-Large/David-H-Freedman/9780684835587">@Large: The Strange Case of the World's Biggest Internet Invasion</a>.</i> The substitute with backdoor in place had the identical size, dates and simple checksum as the original so as to evade tools such as <a href="http://docs.lib.purdue.edu/cstech/845/">COPS</a> and <a href="http://freshmeat.net/projects/rdist/">rdist</a>. Most victims never knew they had been compromised. My system caught the attack in progress. I was able to share details with the Sun response team &#8212; and thereafter they started using MD5 checksums on their patch releases. That incident also inspired some of my design of Tripwire.</p>
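<p>The library substitution above is the case that size, date and simple-checksum comparison cannot catch, and the reason a cryptographic digest belongs in an integrity baseline. The following is an added example in the spirit of Tripwire, not Tripwire's code or database format: it keeps a baseline of size, mtime, a 16-bit additive checksum (a stand-in for the old <code>sum</code>-style checks, written for this example) and SHA-256, then plants a backdoor that preserves the first three. The "library" is a constructed sample, not real code.</p>

```python
"""Integrity baseline in the spirit of Tripwire: why size, date and a simple
checksum are not enough, and what a cryptographic digest adds.
Added example; it is not Tripwire's code and does not use its database format.
`sum16` is a stand-in for the old additive checksums, constructed for this
example; the 'library' below is a constructed sample, not real code."""
import hashlib
import os
import tempfile

ORIGINAL = (b"/* libauth.c: constructed sample, not a real library */\n"
            b"int auth_ok(const char *user, const char *pw) {\n"
            b"    int rc = check_password(user, pw);\n"
            b"    return rc != 0;\n"
            b"}\n")

ALL_FIELDS = ("size", "mtime", "sum16", "sha256")
WEAK_FIELDS = ("size", "mtime", "sum16")   # what the early tools compared


def sum16(data: bytes) -> int:
    """Additive 16-bit checksum. Any edit that permutes bytes, or balances a
    +d change with a -d change elsewhere, leaves it unchanged."""
    return sum(data) & 0xFFFF


def snapshot(path: str) -> dict:
    with open(path, "rb") as f:
        data = f.read()
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime_ns,
            "sum16": sum16(data), "sha256": hashlib.sha256(data).hexdigest()}


def baseline(paths) -> dict:
    """Record the known-good state; keep it somewhere the attacker can't write."""
    return {p: snapshot(p) for p in paths}


def check(base: dict, fields=ALL_FIELDS) -> dict:
    """Return {path: [changed fields]} for every entry that differs from baseline."""
    findings = {}
    for path, old in base.items():
        new = snapshot(path)
        changed = [k for k in fields if old[k] != new[k]]
        if changed:
            findings[path] = changed
    return findings


def plant_backdoor(path: str) -> None:
    """Tamper the way the library substitution did: same size, same additive
    checksum, same timestamps. Transposing '!=' into '=!' turns the test into
    the assignment 'rc = !0', so auth_ok() returns true for any password."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    data = data.replace(b"rc != 0", b"rc =! 0", 1)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))   # put the dates back


def demo() -> tuple:
    """Returns (what a weak check reports, what the digest check reports)."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libauth.c")
        with open(lib, "wb") as f:
            f.write(ORIGINAL)
        base = baseline([lib])
        plant_backdoor(lib)
        weak = check(base, WEAK_FIELDS).get(lib, [])
        strong = check(base).get(lib, [])
        return weak, strong
```

<p><code>demo()</code> returns <code>([], ['sha256'])</code>: the weak comparison sees nothing, the digest sees the change. One attribute this example leaves out deliberately is inode change time, which <code>os.utime</code> cannot set back; Tripwire records it for exactly that reason, so an attacker who rewrites a file has to go around the filesystem API or the clock to hide the edit from it.</p>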
<p>In another case, I collected data on some people who had broken into my system to steal the Morris Worm source code. The attacks were documented in the book <i><a href="http://en.wikipedia.org/wiki/Underground_(Suelette_Dreyfus_book)">Underground</a></i>. The author, Suelette Dreyfus, assisted by Julian Assange (yes, the Wikileaks one), never bothered to contact me to verify what she wrote. The book suggests that my real account was compromised, and source code taken. However, it was the fake account, my security monitors froze the connection after a few minutes, and the software that was accessed was truncated and neutered. Furthermore, the flaws that were exploited to get in were not on my machine &#8212; they were on a machine operated by the CS staff. (Dreyfus got several other things wrong, but I'm not going to do a full critique.)</p>
<p>There were a half-dozen other incidents where I was able to identify new attacks (now known as zero-day exploits) and get the details to vendors. But after a while, interest dropped off in attacking my machine as new, more exciting opportunities for the kiddies came into play, such as botnets and DDOS attacks. And maybe the word spread that I didn't keep anything useful or interesting on my system. (I still don't.) It's also the case that I got much more interested in issues that don't involve the hands-on, bits &amp; bytes parts of security &#8212; I'm now much more interested in fundamental science and policy aspects. I leave the hands-on aspects to the next generation. So, I'm not really a challenge now &#8212; especially as I do not administer my system anymore &#8212; it's done by staff.</p>
<p>I was reminded of all this when someone on <a href="https://twitter.com/#!/TheRealSpaf">Twitter</a> posted the URL of a video taken at Notacon 2011 (<i><a href="http://www.irongeek.com/i.php?page=videos/funnypots-and-skiddy-baiting-notacon-2011">Funnypots and Skiddy Baiting: Screwing with those that screw with you</a></i> by Adrian "Iron Geek" Crenshaw). It is amusing and reminded me of the stories, above. It also showed that some of the same techniques we used 20 years ago are still applicable today.</p>
<p>Of course, that is also depressing. Now, nearly 20 years later, lots of things have changed but unfortunately, security is a bigger problem, and law enforcement is still struggling to keep up. Too many intrusions occur without being noticed, and too little information is available to track the perps.</p>
<p>There are a few takeaways from all the above that the reader is invited to consider:</p>
<ul>
  <li>Assume your systems will be penetrated if they are on the network. Things you don't control are likely to be broken. Therefore, plan ahead and keep the really sensitive items on a platform that is off the net. (If the RSA folks had done this, the <a href="http://www.computerworld.com/s/article/9214800/Caution_urged_in_wake_of_RSA_security_breach">SecurID breach</a> might not have resulted in anything.)</li>

  <li>Install localized tripwires and honeypots that can be monitored for evidence of intrusion. Don't depend on packaged solutions alone &#8212; they are known quantities that attackers can avoid or defeat.</li>

  <li>Don't believe everything you read unless you know the story has been verified with original sources.</li>

  <li>Consider encrypting or altering critical files so they aren't usable "as is" if taken.</li>

  <li>Be sure you are proactively logging information that will be useful once you discover a compromise.</li>
</ul>
<p>Also, you might watch Iron Geek's video to inspire some other ideas if you are interested in this general area &#8212; it's a good starting point. (And another, related and funny post on this general topic <a href="http://ascii.textfiles.com/archives/1011">is here</a>, but is possibly NSFW.)</p>
<p>In conclusion, I'll close with my 3 rules for successful security:</p>
<ol>
  <li>Preparation in advance is always easier than clean up afterwards.</li>

  <li>Don't tell everything you know.</li>
</ol><img src="http://www.cerias.purdue.edu/site/images/smileys/grin.gif" width="19" height="19" alt="grin" style="border:0;" /><br />
<br />

		]]></description>
      <dc:subject>General, Secure IT Practices</dc:subject>
      <dc:date>2011-07-05T00:09:27+00:00</dc:date>
    </item>

    <item>
      <title>Bullies, Pirates and Lulz</title>
      <author>spaf@cerias.purdue.edu (Gene Spafford)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/bullies_pirates_and_lulz/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/bullies_pirates_and_lulz/#When:16:29:09Z</guid>
      <description><![CDATA[
	
	<p>Yet another breach of information has occurred, this time from the <a href="http://www.boingboing.net/2011/06/23/breaking-lulzsec-lea.html">Arizona Department of Public Safety</a>. A large amount of data about law enforcement operations was exposed, as was a considerable amount of personnel information. As someone who has been working in information security and the implications of technology for nearly 30 years, two things come to mind.</p>
<p>First, if a largely uncoordinated group could penetrate the systems and expose all this information, then so could a much more focused, well-financed, and malevolent group &#8212; and it would not likely result in postings picked up by the media. Attacks by narcotics cartels, organized crime, terrorists and intelligence agencies are obvious threats; we can only assume that some have already succeeded but not been recognized or publicized. And, as <a href="http://policeledintelligence.com/2011/06/24/attacks-on-police-networks/">others are noting</a>, this poses a real threat to the physical safety of innocent people. Yes, in any large law enforcement organization there are likely to be some who are corrupt (the claimed reason behind the attack), but that is not reason to attack them <i>all</i>. Some of the people they are arrayed against are far worse.</p>
<p>For example, there are thousands (perhaps tens of thousands) of <a href="http://www.washingtonpost.com/wp-dyn/content/article/2011/02/26/AR2011022603384.html">kidnappings in Mexico</a> for ransom, with many of the hostages killed rather than freed after payment. Take away effective law enforcement in Arizona, and those gangs would expand into the U.S. where they could demand bigger ransoms. The hackers, sitting behind a keyboard removed from gang and street violence, safe from forcible rape, and with enough education to be able to avoid most fraud, find it easy to cherry-pick some excesses to complain about. But the majority of people in the world do not have the education or means to enjoy that level of privileged safety. Compared to police in many third-world countries where extortion and bribes are <i>always</i> required for any protection at all, U.S. law enforcement is pretty good. (As is the UK, which has also <a href="http://www.computerworld.com/s/article/9217781/LulzSec_launches_anti_government_crusade_takes_down_U.K._police_site?source=CTWNLE_nlt_pm_2011-06-20">recently been attacked</a>.)</p>
<p>Ask yourself what the real agenda is of a group that has so far only attacked law enforcement in some of the more moderate countries, companies without political or criminal agendas, and showing a total disregard for collateral damage. Ask why these "heroes" aren't seeking to expose some of the data and names of the worst drug cartels, or working to end human trafficking and systematic rape in war zones, or exposing the corruption in some African, South American &amp; Asian governments, or seeking to damage the governments of truly despotic regimes (e.g., North Korea, Myanmar), or interfering with China's online attacks against the Dalai Lama, or leaking memos about willful environmental damage and fraud by some large companies, or seeking to destroy extremist groups (such as al Qaida) that oppress women and minorities and are seeking weapons of mass destruction.</p>
<p>Have you seen one report yet about anything like the above? None of those actions would necessarily be legal, but any one of them would certainly be a better match for the claimed motives. Instead, it is obvious that these individuals and groups are displaying a significant political and moral bias &#8212; or blindness &#8212; they are ignoring the worst human rights offenders and criminals on the planet. It seems they are after the ego-boosting publicity, and concerned only with themselves. The claim of exposing evil is intended to fool the naive.</p>
<p>In particular, this most recent act of exposing the names and addresses of family members of law enforcement, most of whom are undoubtedly honest people trying to make the world a safer place, is not a matter of "Lulz" &#8212; it is potentially enabling extortion, kidnapping, and murder. The worst criminals, to whom money is more important than human life, are always seeking an opportunity to neutralize the police. Attacking family members of law enforcement is common in many countries, including Mexico, and this kind of exposure further enables it now in Arizona. The data breach is attacking some of the very people and organizations trying to counter the worst criminal and moral abuses that may occur, and worse, their families.</p>
<p>Claiming, for instance, that the "War on Drugs" created the cartels and is morally equivalent (e.g., response #13 <a href="http://www.boingboing.net/2011/06/23/breaking-lulzsec-lea.html">in this</a>) is specious. Laws passed by elected representatives in the U.S. did not cause criminals in Mexico to kidnap poor people, force them to <a href="http://www.chron.com/disp/story.mpl/topstory/7607122.html">fight to the death</a> for the criminals' amusement, and then force the survivors to act as expendable drug mules. The moral choices by criminals are exactly that &#8212; moral choices. The choice to kidnap, rape, or kill someone who objects to your criminal behavior is a choice with clear moral dimensions. So are the choices of various hackers who expose data and deface systems.</p>
<p>When I was growing up, I was the chubby kid with glasses. I didn't do well in sports, and I didn't fit in with the groups that were the "cool kids." I wasn't into drinking myself into a stupor, or taking drugs, or the random vandalism that seemed to be the pastimes of those very same "cool kids." Instead, I was one of the ones who got harassed, threatened, my homework stolen, and laughed at. The ones who did it claimed that it was all in fun &#8212; this being long before the word "lulz" was invented. But it was clear they were being bullies, and they enjoyed being bullies. It didn't matter if anyone got hurt, it was purely for their selfish enjoyment. Most were cowards, too, because they would not do anything that might endanger them, and when they could, they did things anonymously. The only ones who thought it was funny were the other dysfunctional jerks. Does that sound familiar?</p>
<p>Twenty years ago, I was objecting to the press holding up virus authors as unappreciated geniuses. They were portrayed as heroes, performing experiments and striking blows against the evil computer companies then prominent in the field. Many in the public and press (and even in the computing industry) had a sort of romantic view of them &#8212; as modern, swashbuckling, electronic pirates, of the sorts seen in movies. Now we can see the billions of dollars in damage wrought by those "geniuses" and their successors with Zeus and Conficker and the rest. The only difference is of time and degree &#8212; the underlying damage and amoral concern for others is simply visible to more people now. (And, by the way, the pirates off Somalia and in the Caribbean, some of whom simply <a href="http://www.myfoxny.com/dpp/news/international/report-4-americans-killed-on-hijacked-yacht-somali-pirates-ncx-20110222">kill their victims</a> to steal their property, are real pirates, not the fictional, romantic versions in film.)</p>
<p>The next time you see a news article about some group, by whatever name, exposing data from a gaming company or law enforcement agency, think about the real evil left untouched. Think about who might actually be hurt or suffer loss. Think about the perpetrators hiding their identities, attacking the poorly defended, and bragging about how wonderful and noble and clever they are. Then ask if you are someone cheering on the bully or concerned about who is really getting hurt. And ask how others, including the press, are reporting it. All are choices with moral components. What are yours?</p>
<hr />
<h3><b>Update: June 26</b></h3>
<p>I have received several feedback comments to this (along with the hundreds of spam responses).  Several were by people using anonymous addresses.  We don't publish comments made anonymously or containing links to commercial sites.  For this post, I am probably not going to pass through any rants, at least based on what I have seen.  Furthermore, I don't have the time (or patience) to do a point-by-point commentary on the same things, again and again.  However, I will make a few short comments on what I have received so far.</p>
<p>Several responses appear to be based on the assumption that I don't have knowledge or background to back up some of my statements.  I'm not going to rebut those with a list of specifics.  However, people who know what I've been doing over the few decades (or bothered to do a little research) &#8212; including work with companies, law enforcement, community groups, and government agencies &#8212; would hardly accuse me of being an observer with only an academic perspective.</p>
<p>A second common rant is that the government has done some bad things, or the police have done something corrupt, or corporations are greedy, and those facts somehow justify the behavior I described.  Does the fact that a bully was knocked around by someone else and thus became a bully mean that if you are the victim, it's okay?  If so, then the fact that the U.S. and U.K. have had terrorist attacks that have resulted in overly intrusive laws should make it all okay for you.  After all, they had bad things happen to them, so their bad behavior is justified, correct?  Wrong.  That you became an abuser of others because you were harmed does not make it right. Furthermore, attacks such as the ones I discussed do nothing to fix those problems, but do have the potential to harm innocent parties as well as give ammunition to those who would pass greater restrictions on freedom.  Based on statistics (for the US), a significant number of the people whining about government excess have not voted or bothered to make their opinions known to their elected representatives.  The more people remain uninvolved, the more it looks like the population doesn't care or approves of those excesses, including sweetheart deals for corporations and invasions of privacy.  Change is possible, but it is not going to occur by posting account details of people subscribed to Sony services, or giving out addresses and names of families of law enforcement officers, or defacing the NPR website.  One deals with bullies by confronting them directly.</p>
<p>The third most common rant so far is to claim that it doesn't make any difference, for one reason or another: all the personal information is already out there on the net or will be soon, that the government (or government of another country) or criminals have already captured all that information, that it doesn't cost anything, security is illusory, et al.  Again, this misses the point.  Being a bully or vandal because you think it won't make any difference doesn't excuse the behavior.  Because you believe that the effects of your behavior will happen anyhow is no reason to hasten those effects.  If you believe otherwise, then consider: you are going to die someday, so it doesn't make a difference if you kill yourself, so you might as well do it now. Still there?  Then I guess you agree that each act has implications that matter even if the end state is inevitable.</p>
<p>Fourth, some people claim that these attacks are a "favor" to the victims by showing them their vulnerabilities, or that the victims somehow deserved this because their defenses were weak.  I addressed these claims in <a href="http://www.sciencedirect.com/science/article/pii/016412129290079Y" title="an article">an article</a> published in 2003.  In short, blaming the victim is inappropriate.  Yes, some may deserve some criticism for not having better defenses, but that does not justify an attack nor serve as a defense for the attackers.  It is no favor either.   If you are walking down a street at night and are assaulted by thugs who beat you with 2x4s and steal your money, you aren't likely to lie bleeding in the street saying to yourself "Gee, they did me a huge favor by showing I wasn't protected against a brutal assault.  I guess I deserved that."  Blaming the victim is done by the predators and their supporters to try to justify their behavior.   And an intrusion or breach, committed without invitation or consent, is not a favor &#8212; it is a crime.</p>
<p>Fifth, if you support anarchy, then that is part of your moral choices.   It does not invalidate what I wrote.  I believe that doing things simply because they amuse you is a very selfish form of choice, and is the sort of reasoning many murderers, rapists, pedophiles and arsonists use to justify their actions.  In an anarchy, they'd be able to indulge to their hearts' content.  Lotsa lulz.  But don't complain if I and others don't share that view. </p>
<p> I am going to leave it here.  As I said, I'm not interested in spending the next few weeks arguing on-line with people who are trying to justify behavior as bullies and vandals based on faulty assumptions.</p>

		]]></description>
      <dc:subject>General, Kudos, Opinions and Rants, Secure IT Practices</dc:subject>
      <dc:date>2011-06-25T16:29:09+00:00</dc:date>
    </item>

    <item>
      <title>U.S. Memorial Day Thoughts on Cyber War</title>
      <author>spaf@cerias.purdue.edu (Gene Spafford)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/u.s._memorial_day_thoughts_on_cyber_war/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/u.s._memorial_day_thoughts_on_cyber_war/#When:02:06:19Z</guid>
      <description><![CDATA[
	
<p>We've been hearing about "cyber war" for some time now. It has been held out as an existential threat by some people, been the topic of scores of books, and led to the establishment of military organizations in several countries, including the <a href="http://www.stratcom.mil/factsheets/cyber_command/">U.S. Cyber Command</a>, China's <a href="http://www.foxnews.com/scitech/2011/05/26/china-confirms-existence-blue-army-elite-cyber-warfare-outfit/?test=latestnews">Blue Army</a>, in the <a href="http://www.independent.co.uk/news/media/online/senior-general-to-take-charge-of-cyberwarfare-defences-2164842.html">UK</a>, and more. The definition of "cyberwar" has been somewhat imprecise, in part because some people trying to define it don't necessarily understand the full range of whatever "cyber" actually encompasses. It is also the case that definitions that include some current activities might imply that we're at war, and that has political ramifications that might be unpleasant to confront. The range of activities often discussed — including snooping, theft, espionage, and DDOS — don't really seem on the same level as a tank blitz or nuclear attack. After all, would an inability to shop online for a week really be a form of battle damage?</p>
<p>Of course, our whole definition of "war" is itself a little muddled. We have the World Wars, certainly. But from a strictly U.S. perspective, consider the Korean and Vietnam conflicts — were those wars? Or the Gulf War, Bosnia and Herzegovina, Iraq, Afghanistan — was the U.S. at war? And is that what is going on with Libya? In one sense, yes, because in each we employed military forces against a defined enemy. But how many of those had a formal declaration of war? And none were really existential threats that required the entire U.S. to be involved. War, historically, has usually been an issue of whether a state continued to exist under its current rule or not, and sometimes whether a significant percentage of the current population continued to live or not; some wars resulted in all the adult males being killed or enslaved, or whole populations slaughtered.</p>
<p>Then there is the War on Drugs, the War on Poverty, and most recently, our War on Terror (among others). In these conflicts we don't actually have a nation-state as an enemy, but we do have some defined objective requiring concerted, forceful action. (Of course we also have silly, demeaning uses of the term, such as the inane "<a href="http://www.thedailyshow.com/watch/mon-december-6-2010/the-gretch-who-saved-the-war-on-christmas">War on Christmas</a>.")</p>
<p>This can all lead to a certain confusion of definitions and roles. Prior to 9/11/2001, terrorists on U.S. soil were criminals. Whether it was <a href="http://www.trutv.com/library/crime/serial_killers/notorious/mcveigh/dawning_1.html">Timothy McVeigh</a>, <a href="http://www.terrorismfiles.org/individuals/ramzi_yousef.html">Ramzi Yousef</a>, <a href="http://www.trutv.com/library/crime/terrorists_spies/terrorists/eric_rudolph/6.html">Eric Rudolph</a>, <a href="http://www.investigativeproject.org/case/334">Ali Abu Kamal</a>, or the <a href="http://earth-liberation-front.org/">ELF</a>, civilian law enforcement, civilian courts, and civilian prisons were the mechanisms involved. Since 9/11, we have a strong contingent claiming that terrorism is now solely a military matter, that military courts must be used, and civilian prisons are somehow insufficient (although supermax prisons have held worse mass murderers and gang members for years). Why? Because we are in a "war on terror." Further, administrative rules and laws were passed to classify a particular class of terrorists as belonging under military jurisdiction as <i><a href="http://en.wikipedia.org/wiki/Enemy_combatant">enemy combatants</a></i> and heated political debate occurs around any aspect of how to deal with these individuals.</p>
<p>This essay is not an attempt to sort out all those issues: I'm going after something else, but I needed to illustrate these few points, first. Above, I noted that "war" is a somewhat fuzzy term, as are the definitions of who might wage it. Next, let's consider how we have been preparing to react to cyber incidents.</p>
<p>With the fuzziness about defining "war," and the shifting boundaries of whether it is something confronted by law enforcement or the military, it is not surprising that "cyber war" has not really been well-defined. What has happened over the last decade is that stories of potential "Cyber Pearl Harbors" have been presented to legislators, coupled with <a href="http://www.youtube.com/watch?v=fJyWngDco3g&amp;feature=related">demonstrations of vulnerabilities</a>, to justify a massive investment in the military cyber arena — but not so much our civilian law enforcement. It is simple to scare policy makers with tales that the country might be destroyed by evil hackers working for another country's military; cyber crime does not make for as compelling a picture. The result has been massive buildup in offensive military tools, intelligence support, and personnel training to support military missions.</p>
<p>But that buildup does little to help civilian companies under attack within U.S. borders by unknown parties. So, we now have civilian companies turning to DHS for help rather than the FBI or another law enforcement agency. But the responsibility of DHS is to secure the .gov systems, so they are now turning to the military (NSA) because they don't have the infrastructure or expertise they need for even that. We are thus well down a path to <a href="http://www.theregister.co.uk/2011/05/25/pentagon_lead_us_cyber_security/">turn over the bulk of our law enforcement in cyber to the military</a>, with the specter of terrorists and cyber war held out by those who benefit from this situation continuing to push us in that direction. Soon we will have so much infrastructure built up we will not be able to afford to go back. The Posse Comitatus Act of 1878 was intended to keep the military from becoming a national police force, but this will <a href="http://www.homelandsecurity.org/journal/articles/trebilcock.htm">further erode what is left of that</a> law. Many people reading this will say "So what?" because we're now safer against a cyberwar attack as a result of this buildup — aren't we?</p>
<p>But here comes the problem, and the main point of this essay. We have a history of our military and leaders preparing to fight the last war. They are preparing for an offense that is unlikely to come at us the way they have portrayed. They are building a <a href="http://en.wikipedia.org/wiki/Maginot_Line">Maginot Line</a> for a frontal attack that any intelligent adversary will never attempt.</p>
<p>In fact, we're under attack <b>NOW</b>. And we're losing. We're losing billions of $$ worth of intellectual property per year to foreign intelligence services, foreign competitors, and criminals, and we have been for years. U.S. companies and taxpayers are effectively paying for the R&amp;D that is supporting huge amounts of foreign development. And we are also seeing billions of $$ of value being bled from the economy in credit card fraud, bank fraud and other kinds of fraud, including counterfeit pharma and counterfeit electronics sales, with all that money going to buy houses, cars, and consumer goods for people in Eastern Europe, China, Russia, and so on — in non-US economies. (And not only victims in the U.S., but Canada, the UK and a number of other countries.) It is a war of economic attrition and it is one that the DOD is never going to be in a position to fight because it has no kinetic component, no uniformed foe, no base of operations, and no centralized command. Once again, we have been preparing for the last war, so we are losing the current one. Most of our leaders don't even seem to recognize that we are in one. If we fall, it will not be by the swift stroke of the sword, but by the death of a thousand cuts.</p>
<p>If we are to have any hope of surviving, we have to completely change the way we look at this situation. <b>Every</b> intrusion, theft, or fraud should be reported, investigated and prosecuted (when possible). It should be tallied and brought to public attention, at least in aggregate so we understand the magnitude of what is going on. Right now, too much is hushed up or written off because each incident is too small to follow up, but the combined weight is staggering; for years I've been calling it "being pecked to death by ducks" because no single duck is lethal, but millions are. By letting so many incidents go, we encourage more and fund the development of yet new crime. We need to refocus ourselves with a massive law enforcement effort, with a weighting towards local response, filtering up to Federal, not a Federal response directing local response. All those billions being dumped into the Federal contractors for cyber weapons should be directed to cyber law enforcement and investigation, to development of forensic tools, and to raising awareness at the local level. Your average business and consumer is going to be much more likely to install patches to protect against criminal behavior if encouraged by local authorities than told by someone in DC to install patches against some robotic threat from overseas. And we should adopt a get-tough policy at the diplomatic level to start demanding that countries that harbor criminals see some pushback from us; the new Federal <a href="http://www.whitehouse.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf">international strategy on cyberspace</a> is a good start on this.</p>
<p>I have described it to some people this way: our traditional DOD is structured to protect our borders and keep enemies from crossing those borders, or even getting near them. They are very, very good at that. In fact, they're so good, they may even stop an enemy from crossing their <b>own</b> borders to get here! However, the enemy we're engaged with is already here — is installed on <a href="http://www.safeinternet.org/blog/nearly-half-tested-computers-infected-malware">millions of our computers</a> and has thus subverted millions of citizens throughout the country without their knowing it... including some of the military. It is like the movie "<a href="http://www.imdb.com/title/tt0111003/">The Puppet Masters</a>." This can't be fought by the DOD — they aren't equipped to train their weapons inward. It requires an entirely different approach, but unfortunately, our leadership doesn't understand this, and the loudest voices right now are those of the lobbyists and members of the military who stand to benefit most in the short term by continuing the status quo, and by those who don't understand the magnitude of the situation.</p>
<p>Concomitant with this, within the next decade I fear that we will start seeing more of our best and brightest students from the US going to universities in India, China and other countries the way those countries' students have been coming to the US for years; I'm not the <a href="http://www.washingtonpost.com/opinions/go-to-china-young-scientist/2011/05/19/AFCY227G_story.html">only one predicting this</a>. Why? In the US we are shuttering university programs, decreasing funding, and shrinking campuses across the country, and politicians are vilifying K-12 teachers as if they are somehow part of the problem instead of part of the cure. Meanwhile, in India, Russia, China, Korea, Taiwan and the Middle East they are opening major new universities and hiring away faculty from the US, Australia, the UK and elsewhere to staff their research labs, paying them extraordinary salaries and benefits and giving them access to modern resources. Major corporations have already located labs near those places because of cheap labor and are helping to subsidize the growth of the universities, as are the national governments, so as to obtain trained help. Our national policy of booting new PhDs &amp; MS graduates who aren't citizens, and restricting so many high-tech jobs to US nationals, only means that we train the world's best, then send them back to their own countries... to compete with us. The <i><a href="http://www.nap.edu/catalog.php?record_id=11463">Rising Above the Gathering Storm</a></i> and <i><a href="http://www.nap.edu/catalog.php?record_id=12999">Rising Above the Gathering Storm, Revisited: Rapidly Approaching Category 5</a></i> reports nailed this, but were largely ignored by policymakers and certainly by the general public. Not only are we indirectly funding other countries' ascendancy via their largely unhindered theft of our intellectual property and fraud, we are accelerating it by strangling our own intellectual capital and increasing theirs.</p>
<p>Everyone in IT and beyond should understand — fundamentally — that this is a new form of competition, of warfare (if we are to use that term). It is competition of the mind. It is information warfare in a much more fundamental sense than using information in support of kinetic weapons. It is employing information resources in a vast strategic way, across industries and generations to shape the future of nations. We do not have enough people who are able to think strategically, with that long a view and an understanding of the issues to see the threats, to see the trends, and to see the hard choices necessary to take a safer path. We, as a people, do not have the patience. Unfortunately, some of our enemies do.</p>
<hr />
<p>What inspired the above, in part, is that this is Memorial Day Weekend. Many people will celebrate it as a holiday with picnics or trips, watch the <a href="http://www.indianapolismotorspeedway.com/indy500/">Indy 500</a>, and break out the summer clothes.</p>
<p>But Monday is a special day in the U.S. to remember the many men and women who sacrificed their lives in the service of the country, while serving in uniform. Whether in declared war or standing guard, whether grizzled veteran or new recruit, whether defending the <a href="http://www.historycarper.com/resources/articles/wemerson.htm">bridge at Concord in 1775</a>, or on <a href="http://www.nytimes.com/slideshow/2010/11/19/world/Joao-story-slideshow.html">patrol in Kandahar</a> in 2011, those who did not return home deserve special thought from those who are here to enjoy this weekend. They had husbands, wives, children, siblings, parents and friends who treasured them. On Memorial Day, we should all treasure their memories as well.</p>
<p>And perhaps that is the one good thing about "Cyber War" — by nature, it is unlikely to add to the list of those we should remember on Memorial Day who are not here with us.</p>
<p>One of the best ways to honor their memory is to remain vigilant, and that is why I wrote the above.</p>

		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2011-05-29T02:06:19+00:00</dc:date>
    </item>

    <item>
      <title>Sony, Congress, The Media and Me</title>
      <author>spaf@cerias.purdue.edu (Gene Spafford)</author>
      <link>http://www.cerias.purdue.edu/site/blog/post/sony_congress_the_media_and_me/</link>
      <guid>http://www.cerias.purdue.edu/site/blog/post/sony_congress_the_media_and_me/#When:01:48:00Z</guid>
      <description><![CDATA[
	
	<p><u>Prelude</u></p>
<p>As a researcher and educator, I regularly follow many newsletters, blogs and newsfeeds on a near-daily basis. Some items I bookmark for my classes and research, but most I simply read, note, and discard. I read many dozens of such items per day -- sometimes as many as 100 when there is a lot happening and I have a backlog.<br /></p>
<p>After news of the Sony incident broke on April 20th, I saw items about how some people knew about vulnerabilities in parts of the Sony network, and servers running old versions of the Apache webserver. Those postings had material similar to what was <a href="http://www.wired.com/threatlevel/2011/04/trixter/">published in Wired</a> on April 28th. To the best of my memory, at least one of those postings mentioned that some of these vulnerabilities were exposed to Sony in a mailing list or blog prior to the compromise. It may be that the reference was to the PSN webserver vulnerabilities, it may have been about the <a href="http://arstechnica.com/gaming/news/2011/02/report-psn-hacked-showing-stunning-lack-of-credit-card-security.ars?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=rss">earlier flaw with the PS3</a> connecting to the PSN, or it may have been some other vulnerabilities... but I am pretty certain it was about the webservers. There was <b>no</b> discussion about how the breach occurred or whether the old software played a part in those breaches.<br /></p>
<p>After reading these stories, I moved on to other issues. I was not a customer of Sony or the Playstation Network (PSN), and they have never had a relationship with our research group, so I had no reason to pay close attention to the story. Furthermore, we were approaching the end of the semester, I was teaching a graduate class and also preparing for two trips to workshops. Thus, I had several other things to occupy my time and attention, and this story was definitely <b>not</b> one of them.</p>
<p><u>Hearing</u></p>
<p>On May 1st, in my capacity as chair of <a href="http://www.acm.org/usacm">USACM</a>, I received an invitation to appear at a House subcommittee meeting on the morning of May 4 on the issue of data breaches and privacy. This is a topic that has been one of USACM's main thrust areas, and is in my main areas of interest, so even though it was extremely short notice, I said yes. I spent the next 48 hours frantically trying to rearrange my teaching and administrative schedule at the university while also producing a formal written testimony to deliver to Congressional offices by a Tuesday noon deadline. This occurred, but with very little sleep over that two day period. Tuesday afternoon I had to drive to Indianapolis to fly to Washington for the Wednesday morning hearing.</p>
<p>On Wednesday morning at 9:30 a.m., the House Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee held its hearing on &#8220;The Threat Of Data Theft To American Consumers.&#8221; I was the 4th witness in the panel (our written statements are <a href="http://energycommerce.house.gov/hearings/hearingdetail.aspx?NewsID=8534">available online</a>). Three days of little sleep and too much coffee, plus the TV lights, combined to give me quite a headache, but that may not be evident if you watch the <a href="http://www.cspan.org/Events/Members-Look-at-Threat-of-Data-Theft/10737421279-1/">C-SPAN recording</a> of the hearing.</p>
<p>In my written testimony I indicated that "...some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk." During questioning, I stated that I had read this on security lists that I normally read.</p>
<p><u>The fun begins<br /></u></p>
<p>My comment that I had seen accounts about the server software being out of date and no firewalls being in place was reported accurately by a few media outlets. However, a few others widely misquoted me as stating, <i>authoritatively</i>, that Sony was running outdated, unpatched software, and implied that this was somehow the cause of the breach. Other news sources, blogs, and aggregators then picked up this version of the story and repeated it as their own, often with some other embellishment.</p>
<p>In only a few cases did a responsible journalist contact me to fact-check the story and determine what I had actually said, and what I actually knew.</p>
<p>I tried to correct one or two of the incorrect reports, but most occurred in places where there was no contact address for corrections, and they soon were spreading faster than I could possibly respond. I gave up.</p>
<p>Soon after the stories started circulating, I received email from <a href="mailto:geno0311@gmail.com">Eugene Alvarado</a> (he has given me permission to name him), who indicated that in early February he reported to Sony that there was widespread hacking of the network going on that was interfering with use of the network. He never got a response. So, at least one other person observed problems and reported them to Sony in advance of the breach in April. If the problem was significant, there may well have been others.<br /></p>
<p>More recently, at least one "commentator" who "thinks" he is "clever" because he can put quotes around words like "security expert" to imply something meaningful about my expertise has posted <a href="http://bitmob.com/articles/detective-work-reveals-psn-servers-up-to-date">a critique</a> pointing out that some of Sony's servers were, in fact, up-to-date. However, at least <a href="http://www.rottentomatoes.com/vine/showthread.php?p=19170105#post19170105">one follow-up</a> by someone else observes that other Sony servers (with interesting names such as "Login" and "Auth") were running software dated 2008. Thus, it may well be the case that some of the systems were current and some not. As we well know, it only takes one system out of rev or with a missing patch to serve as an entry point to a whole network.</p>
<p><u>Bottom Line</u></p>
<p>To this day, I have never heard from nor spoken with anyone at Sony. I have never bothered to probe or investigate their systems, because frankly, I don't care. Those issues are for others to determine and settle. What I think were the bigger issues in the story at the hearing were having standard breach notifications and the <a href="http://www.acm.org/usacm/privacy" title="USACM Privacy principles">24 USACM privacy principles</a> that were in my testimony. There are hundreds of other breaches occurring every year in the U.S. resulting in fraud, identity theft, and other crimes. Those are smaller than this incident with the PSN, but the victims are no less damaged. We need the FTC and law enforcement to have more resources to help fight these problems, and we could definitely use some appropriate Federal legislation on minimum privacy protections and breach notifications. Read the <a href="http://energycommerce.house.gov/hearings/hearingdetail.aspx?NewsID=8534">4 written testimonies</a> from the hearing to get a sense of what is involved.</p>
<p>As to the spurious story, I tried to be clear in my testimony (written and oral) that I was simply repeating what I had read in some online newsgroups. I am really quite appalled at the number of places that have twisted that into a claim that Sony was somehow, definitely, running substandard software or systems. It is possible they were, but it is also possible they were running very well-maintained systems that fell prey to a clever attacker. That has happened to other high profile victims.</p>
<p>I certainly bear the good folks at Sony no ill will, and I hope they resolve the situation with the Playstation Network soon.</p>
<p>In the meantime, perhaps this can serve as an object lesson about dealing with the media and bloggers &#8212; some of them want a sensational story, whether the facts support it or not, and you had better not get in the way!</p>
<hr />
<p><u>Update 5/14</u></p>
<p>A <a href="http://www.businessweek.com/magazine/content/11_21/b4229035889849.htm" title="recent article">recent article</a> contains information indicating there was obvious evidence in Sony's logs of scanning activity starting March 3rd that should have been noticed.</p>
<hr />
<p><u>Update 5/18</u></p>
<p><a href="http://news.cnet.com/8301-27080_3-20063789-245.html" title="Another recent article">Another recent article</a> provides more information about the scanning activity preceding the breach, and suggests that it occurred from more than one source.</p>
<hr />
<p><u>Update 6/4</u></p>
<p>Here is a very nice <a href="http://attrition.org/security/rants/sony_aka_sownage.html" title="timeline and summary">timeline and summary</a> of Sony security incidents that seem to keep on coming.</p>
		]]></description>
      <dc:subject>General</dc:subject>
      <dc:date>2011-05-11T01:48:00+00:00</dc:date>
    </item>

    
    </channel>
</rss>