The Center for Education and Research in Information Assurance and Security (CERIAS)
The Center for Education and Research inInformation Assurance and Security (CERIAS)
If you are in the United States, it has been nigh-on impossible to watch TV, read a newspaper, follow a blog, or (in some states) get your paper mail without something about the upcoming election being present. Some of this has been educational, but a huge amount of it has been negative, vague, and often misleading. That’s U.S. politics, unfortunately—the majority of voters don’t really bother to educate themselves about the issues and the media does an uneven job of reporting the truth. For many voters, it comes down to only one or two issues they care passionately about, and they vote for a candidate (or against one) on those simple issues. For instance, there are many voters who will base their votes solely on a candidate’s perceived position on gun control, access to legal abortions, tax policy, or other single issues without thinking about all the position issues. (And, as I note below, most of these single issues aren’t really under the control of the President no matter who is elected.)
Of course, the US political system tends to reinforce this binary choice procedure, as we have long had only two really major parties. Parliamentary systems seem to encourage more parties, although even then there appears to be only two major ones, often oriented around the same approximate social/political poles: a conservative party, and a liberal (labor) party.
So, in the U.S. we have candidates from both major parties (and many minor ones) campaigning—explaining their positions, offering their plans for when they are in office, and trying to instill voter confidence and trust. (And too often, offering innuendo, misquotes and outright untruths about their opponents.)
What none of them say, and the media doesn’t either, is that very few of the promises can really be certain of being kept. And in large part, that is also a nature of government.
The President has a limited set of powers under the Constitution. He (or she) is responsible for the execution of the laws of the United States. The President is the Commander-in-Chief of all the armed forces and is responsible for commanding them in defense of the country and upholding the law (including treaties). The President is the chief executive agent of all the various Cabinet agencies, and of a number of offices and commissions. The President appoints a large number of officials (including judges and ambassadors), but doesn’t have the power to remove many of them.
Most importantly, the President does not make new laws. Laws are passed by Congress, usually with the assent of the President, although a 2/3 majority of both houses of Congress may pass laws to which the President objects. The President is then responsible for ensuring that those laws are carried out, with recourse to the Courts if there are questions. If the President fails to enforce the laws, Congress may take some punitive actions, or even impeach the President…if they have the political will.
So, back to the candidates. If you listen to their speeches, they offer to change tax law, spend more on energy issues, change health care, and a number of other important domestic issues. What they don’t point out, however, is that they will have no authority as President to do most of those things! Instead, Congress will need to pass authorizing legislation that is signed by the President. The President can certainly propose that Congress enact those changes, but Congress needs to craft and pass legislation that enables the President to act, and that allocate necessary funds, and that also create/remove administrative structures that may be involved. This legislation can include whatever other items that Congress adds in to the bill, including items that may be completely unrelated to the main topic. The President then must decide whether to sign the bill and act to implement its provisions.
So, the most a new President can do is to propose legislation to embody his/her campaign promises, and to work for its passage. What usually happens is that the size of the win in the election serves as a political measure of how much the population is aligned with the new President’s positions, and this can help get a particular agenda passed…or not. Of critical importance is also the issue of whether one or both houses of Congress are controlled by the same party as the new President, and by what margin.
Thus, there should probably be more attention paid to the candidates running for Congress and their particular positions on important issues. In many venues, however, the majority of the attention is focused on the Presidential contest. Some other states are also dealing with contentious state initiatives, tight governor races, and other local issues that help further obscure the Congressional races.
Now, how does this apply to cybersecurity, the ostensible topic of this blog? Or education? Or privacy? Or other topics we focus on here?
Well, as I will address in my next posting, the two main Presidential candidates have made some comments on cyber security, but I have not been able to find any coverage of any current candidate for Congress who has mentioned it. It is basically invisible. So is privacy. Education has gotten a little mention, but not much. And given the more overt, pressing issues of the economy, the deficit, health care, energy dependence, and war in the Middle East, it seems unlikely that any Congressional candidate has bothered to think much about these cyber issues, or that they have received much further thought from the Presidential candidates. (Too bad cyber security can’t be part of the mud slinging—it might raise its profile!)
Of course, with the economy in such sad shape, and some of the other severe problems being faced by the U.S., one might ask whether cyber should be a priority for the new President. I would answer yes, because the problems are already here and severe (although not as obvious as some of the other problems), and it will take years of major effort simply to keep even with the current sad status. The problems in cyber cannot be fixed in a crash effort devoted at any future time, and until they are addressed they will be a drain on the economy (in 2006, the FBI estimated the loss to computer crime in the US to be $67 billion—almost 10% of the recent economic bailout), and a threat to national security. Thus, deferring action on these issues will only make the situation worse; we need to initiate a sustained, significant program to make some important changes.
There are some things that the new President can do, especially as they relate to the military, law enforcement, and some other agencies in the Executive Branch. This is potentially cause for some glimmer of hope. I intend to blog some on that too, with a list of things that should be considered in the new administration.
Over the last month or so, many people who read my first post on Senator Obama’s “security summit” at Purdue have asked me about followup, I’ve been asked “Did you ever hear back from the Senator?”, “Has the McCain campaign contacted you?”, and “What do you think about the candidates?” I’ve also been asked by a couple of my colleagues (really!) “Why would they bother to contact you?”
So, let me respond to these, with the last one first.
Why would someone talk with you about policy?
So, I haven’t been elected or served in a cabinet-level position in DC. I haven’t won a Nobel prize (there isn’t one in IT), I’m not in the National Academies (and unlikely to be—few non-crypto security people are), and I don’t have a faculty appointment in a policy program (Purdue doesn’t have one). I also don’t write a lot of policy papers—or any other papers, anymore: I have a persistent RSI problem that has limited my written output for years. However, those aren’t the only indicators that someone has something of value to say.
As I’ve noted in an earlier post, I’ve had some involvement in cyber security policy issues at the Federal level. There’s more than my involvement with the origins of the SfS and Cyber Trust, certainly. I’ve been in an advising role (technology and policy) for nearly 20 years with a wide range of agencies, including the FBI, Air Force, GAO, NSA, NSF, DOE, OSTP, ODNI and more. I’ve served on the PITAC. I’ve testified before Congressional committees a half-dozen times, and met with staff (officially and unofficially) of the Senate and House many times more than that. Most people seem to think I have some good insight into Federal policy in cyber, but additionally, in more general issues of science and technology, and in defense and intelligence.
From another angle, I’ve also been deeply involved in policy. I served on the CRA Board of Directors for 9 years, and have been involved with its government affairs committee for a decade. I’ve been chair or co-chair of the ACM’s US Public Policy committee for a dozen years. From these vantage points I have gained additional insights into technology policy and challenges in a broad array of issues related to cyber, education, and technology.
And I continue to read a lot about these topics and more, including material in a number of the other sciences. And I’ve been involved in the practice and study of cyber security for over 30 years.
I can, without stretching things, say that I probably know more about policy in these areas than about 99.995% of the US population, with some people claiming that I’m in the top 10 or so with respect to broad issues of cyber security policy. That may be why I keep being asked to serve in advisory positions. A lot of people tend to ask me things, and seem to value the advice.
One would hope that at least some of the candidates would be interested in such advice, even if not all of my colleagues (or my family 
are interested in what I have to say.
Have any of the other candidates contacted you?
Simply put—no. I have gotten a lot of mailings from the Republican (and Democratic) campaigns asking me to donate money, but that’s it.
I’m registered as an independent, so that may or may not have played a role. For instance, I can’t volunteer to serve as a poll worker in Indiana because I’m not registered in one of the two main parties! I don’t show up in most of the databases (and that may be a blessing of sorts).
To digress a moment…. I don’t believe either party has a lock on the best ideas—or the worst. I’m not one of those people who votes a straight-ticket no matter what happens. I have friends who would vote for anyone so long as the candidate got the endorsement of “their” party. It reminds me of the drunken football fans with their shirts off in -20F weather cheering insanely for “their” team and willing to fight with a stranger who is wearing the wrong color. Sad. Having read the Constitution and taken the oath to defend it, I don’t recall any mention of political parties or red vs. blue….
That said, I would be happy to talk with any serious candidate (or elected official) about the issues around cyber, security, education, and the IT industry. They are important, and impact the future of our country…and of much of the world.
So, has anyone with the Obama campaign contacted you since his appearance at Purdue?
Well, the answer to this is “yes and no.”
I was told, twice, by a campaign worker that “Someone will call you—we definitely want more advice.” I never got that phone call. No message or explanation why. Nothing.
A few weeks after the second call I did get a strange email message. It was from someone associated with the campaign, welcoming me to some mailing list (that I had not asked to join) and including several Microsoft Word format documents. As my correspondents know, I view sending email with Word documents to be a bad thing. I also view being added to mailing lists without my permission to be a hostile act. I responded to the maintainer of the list and his reply was (paraphrased) “I don’t know why you were added. Someone must have had a reason. I’ll check and get back to you.” Well, I have received no more email from the list, and I never got any followup from that person.
So, in summary, I never got any follow-up from the campaign. I don’t think it is an issue with the Senator (who wouldn’t have been the one to contact me anyhow) but a decision by his staff.
So, depending your level of cynicism, the mentions of my name, of CERIAS, and of follow-up was either (a) a blown opportunity caused by an oversight, or (b) a cynical political ploy to curry local favor.
(My daughter suggested that they are waiting until after the election to appoint me to a lofty position in government. Uh, yeah. That probably explains why I haven’t gotten that MacArthur “genius grant” yet and why Adriana Lima hasn’t called asking me to run away with her—the timing just isn’t right yet.
What are your opinions on the Presidential candidates?
I’m not allowed to be partisan in official Purdue outlets. So, in some further posts here over the next week or two I will provide some analysis of both major candidates (NB. Yes, I know there are over 300 candidates for President on the ballots across the country. However, I don’t think there is much chance of Baldwin, Barr, McKinney, Nader, Paul or the rest getting into office. So, I’ll limit my comments to the two main candidates.
If you really want to know who I’m probably voting for, you can see my Facebook page or send me email.
[Update 10/16: After this was published I sent a link to this entry to several people associated with the Obama campaign. Only one responded, and it was clear from his email that there had been a mixup in getting back to me—but no interest in rectifying it.]
In my secure programming class I have denounced the overloading of return values as a bad practice, and recently I discovered a new, concrete example of a bug (possibly a vulnerability) that results from this widespread practice. A search in the NVD and some googling didn’t reveal any mention of similar issues anywhere, but I probably just have missed them (I have trouble imagining that nobody else pointed that out before). In any case it may be worth repeating with this example.
The practice is to return a negative value to indicate an error, whereas a positive value has meaning, e.g., a length. Imagine a function looking like this:
int bad_idea(char *buf, unsigned int size) {
int length;
if (<some_error_condition>) {
length = -ERROR_CODE;
} else {
length = size; // substitute any operations that could overflow the signed int
}
return length;
}
This function could return random error values. Under the right conditions this could result in at least a DoS (imagine that this is a security-related function, e.g., for authentication). I suggest using separate channels to return error codes and meaningful values. Doing this lowers complexity in the assignment and meaning of that return value by removing the multiplexing. As a result:
There is an increased complexity in the function prototype, but the decreased ambiguity inside the function is beneficial. When the rest of the code uses unsigned integers, the likelihood of a signed/unsigned integer conversion mistake or an overflow is high. In the above example, the function is also defective because it is unable to process correctly some allowed inputs (because the input is unsigned and the output needs to be able to return the same range), so in reality there is no choice but to decouple the error codes from the semantic results (length). This discrepancy is easier to catch when the ambiguity of the code is decreased.
It does away with the bad practice of keeping the same variable for two uses: assigning error codes and negative values to a “length” is jarring;
It disambiguates the purpose and meaning of checking the “returned” values (I’m including the ones passed by reference, loosely using the word “returned”). Is it to check for an error or is it a semantic check that’s part of the business logic?
Integer overflows are a well-known problem; however in this case they are more a symptom of conflicting requirements. The incompatible constraints of having to return a negative integer for errors and an unsigned integer otherwise are really to blame; the type mismatch (“overflow”) is inevitable given those. My point is that the likelihood of developers getting confused and having bugs in their code, for example not realizing that they have incompatible constraints, is higher when the return value has a dual purpose.
Edit (10/13): It just occurred to me that vsnprintf and snprintf are in trouble, in both BSD and Linux. They return an int, but take an unsigned integer (size_t) as a size input, AND are supposed to return either the number of printed characters or a negative number if there’s an error. Even if the size can be represented as a signed integer, they return the number of characters that *would* have been printed if the size was infinite, so specifying a small size isn’t a fix. So it *might* be possible to make these functions seemingly return errors when none happened.
Note(10/14): I’ve been checking the actual code for snprintf. In FreeBSD, it checks both the passed size and the return value against INT_MAX and appears safe.
I discovered that our XML feed from Secunia had been disabled, coinciding with a re-organization their web site. So, the information contained in Cassandra from Secunia is now out of date. Hopefully it can be re-established soon, but I didn’t get an answer from Secunia over the weekend.
We’ve recently added features using IPMI to our ReAssure testbed, for example to support reimaging of our Sun experimental PCs and rebooting into a Live CD, so that researchers can run any OS they want on our testbed. IPMI stands for the “Intelligent Platform Management Interface”, so we have a dedicated, isolated network on which commands are sent to cards in the experimental PCs. An OS running in these cards can provide status responses and can perform power management actions, for example a power cycle that will reboot the computer. This is supposed to be useful if the OS running in the computer locks up, for example. So, we were hoping that we’d need fewer trips to the facility where the experimental PCs are hosted, have greater reliability and that we’d have more convenient management capabilities.
However, what we got was more headaches. Some IPMI cards failed entirely; as we had daisy-chained them, the IPMI cards of the other PCs became inaccessible. Others simply locked up, requiring a trip to the facility even though the OS on the computer was fine… One of them sometimes responds to status commands and sometimes not at all, seemingly at random. The result is that using the IPMI cards actually made ReAssure less reliable and require more maintenance, because the reliability-enhancing component was so unreliable! The irony. I don’t know if we’ve just been unlucky, but now I’m keeping an eye out for a way to make that more reliable or an alternative, hoping that it doesn’t introduce even more problems. That is rather unlikely, as I’ve discovered that even though the LAN interface is standard, the physical side of those cards isn’t; AFAIK you can’t take a generic IPMI card and install it, it needs to be a proprietary solution by the hardware vendor (e.g., you need a Tyan card for a Tyan motherboard, a Sun IPMI card for a Sun computer, etc…). So if the IPMI solution provided by your hardware vendor has flaws, you’re stuck with it; it’s not like a NIC card that you can replace from any vendor. I don’t know of any way to replace the software on the IPMI cards either, in a manner similar to how you can replace the bad firmware of consumer routers with better open source software. I suppose that the lessons from this story are that:
