The Center for Education and Research in Information Assurance and Security (CERIAS)
The Center for Education and Research inInformation Assurance and Security (CERIAS)
Over the past couple of months I’ve been giving an evolving talk on why we don’t yet have secure systems, despite over 50 years of work in the field. I first gave this at an NSF futures workshop, and will give it a few more times this summer and fall.
As I was last reviewing my notes, it occurred to me that many of the themes I’ve spoken about have been included in past posts here in the blog, and are things I’ve been talking about for nearly my entire career. It’s disappointing how little progress I’ve seen on so many fronts. The products on the market, and the “experts” who get paid big salaries to be corporate and government advisors and who get the excessive press coverage, also serve to depress.
My current thinking is to write a series of blog posts to summarize my thinking on this general topic. I’m not sure how many I’ll write, but I have a list of probable topics already in mind. They break out roughly into (in approximate order of presentation):
Each of these will be of moderate length, with some references and links to material to read. If you’re interested in a preview, I recommend looking at some of my recent talks archived on YouTube, some of my past blog posts here, and oral histories of various pioneers in the field of infosec done by the Babbage Institute (including, perhaps, my own).
I’ll start with the first posting sometime in the next few days, after I get a little more caught up from my vacation. But I thought I’d make this post, first, to solicit feedback on ideas that people might like me to add to the list.
My first post will be about the definition of security — and why part of the problem is that we can’t very well fix something that we can’t reliably define and thus obviously don’t completely understand.
I have long argued that the ability to patch something is not a security “feature” — whatever caused the need to patch is a failure. The only proper path to better security is to build the item so it doesn’t need patching — so the failure doesn’t occur, or has some built-in alternative protection.
This is, by the way, one of the reasons that open source is not “more secure” simply because the source is available for patching — the flaws are still there, and often the systems don’t get patched because they aren’t connected to any official patching and support regime. Others may be in locations or circumstances where they simply cannot be patched quickly — or perhaps not patched at all. That is also an argument against disclosure of some vulnerabilities unless they are known to be in play — if the vulnerability is disclosed but cannot be patched on critical systems, it simply endangers those systems. Heartbleed is an example of this, especially as it is being found in embedded systems that may not be easily patched.
But there is another problem with relying on patching — when the responsible parties are unable or unwilling to provide a patch, and that is especially the case when the vulnerability is being actively exploited.
In late January, a network worm was discovered that was exploiting a vulnerability in Linksys routers. The worm was reported to the vendor and some CERT teams. A group at the Internet Storm Center analyzed the worm, and named it TheMoon. They identified vulnerabilities in scripts associated with Linksys E-series and N-series routers that allowed the worm to propagate, and for the devices to be misused.
Linksys published instructions on their website to reduce the threat, but it is not a fix, according to reports from affected users — especially for those who want to use remote administration. At the time, a posting at Linksys claimed a firmware fix would be published “in the coming weeks."
Fast forward to today, three months later, and a fix has yet to be published, according to Brett Glass, the discoverer of the original worm.
Complicating the fix may be the fact that Belkin acquired Linksys. Belkin does not have a spotless reputation for customer relations; this certainly doesn’t help. I have been copied on several emails from Mr. Glass to personnel at Belkin, and none have received replies. It may well be that they have decided that it is not worth the cost of building, testing, and distributing a fix.
I have heard that some users are replacing their vulnerable systems with those by vendors who have greater responsiveness to their customers’ security concerns. However, this requires capital expenses, and not all customers are in a position to do this. Smaller users may prefer to continue to use their equipment despite the compromise (it doesn’t obviously endanger them — as yet), and naive users simply may not know about the problem (or believe it has been fixed).
At this point we have vulnerable systems, the vendor is not providing a fix, the vulnerability is being exploited and is widely known, and the system involved is in widespread use. Of what use is patching in such a circumstance? How is patching better than having properly designed and tested the product in the first place?
Of course, that isn’t the only question that comes to mind. For instance, who is responsible for fixing the situation — either by getting a patch out and installed, or replacing the vulnerable infrastructure? And who pays? Fixing problems is not free.
Ultimately, we all pay because we do not appropriately value security from the start. That conclusion can be drawn from incidents small (individual machine) to medium (e.g., the Target thefts) to very large (government-sponsored thefts). One wonders what it will take to change that? How do we patch peoples’ bad attitudes about security — or better yet, how do we build in a better attitude?
William Wyatt Starnes passed away unexpectedly on May 10th, 2014 at the age of 59. Wyatt was a serial entrepreneur, known for his work in computing — and especially cyber protection — as well as for his mentorship and public service.
Wyatt graduated from Ygnacio Valley High School in Concord, CA, in 1972, and then obtained an Associates Degree from the Control Data Institute. His first full-time job was at Data General, and he went on to hold technical positions with Monolithic Memories, Maruman Integrated Circuits, and then Megatest Corporation. While at Megatest, Wyatt moved into management, where he showed significant expertise, and was eventually promoted to VP of Sales and Marketing. He subsequently moved to Tokyo for several years as the President of Megatest Japan. Although the remainder of his career was in management positions, he continued to work in technology, and was named as inventor or co-inventor of a number of patents in later years.
Upon leaving Megatest, Wyatt moved to Portland, Oregon, where he lived for the rest of his life. In Portland, he worked for several firms before founding his own company, Eclipse Technologies, Inc., and then Infinite Pictures. During that time, he met Gene Kim (one of my former students). Wyatt then founded Visual Computing, Inc., with Gene. They had originally planned on producing an immersive MMORPG named “Piggyland.” (I still have some of the marketing literature for this!) It used some novel technology and a great deal of humor, but before it had progressed very far, a series of coincidences led them to start Tripwire Security Services as a subsidiary, to produce software to secure MMORPGs and similar games. In short order, it became clear that Tripwire was the real path to success, and they transformed Infinite Pictures and TSS into Tripwire, Inc.
Wyatt was the CEO of Tripwire from 1997 to 2004 (Gene was CTO). In 2004, after a bout with cancer weakened him and forced him to step down from managing Tripwire, Wyatt founded the first version of the company SignaCert, and served as its CEO for the next six years. In 2010, SignaCert was acquired by Harris Corporation, and Wyatt served as the VP of Advanced Concepts and CTO for Cyber until 2012, when he retired. (NB. SignaCert has since begun a “second life” after being sold by Harris.) Over his career, Wyatt also served on the boards of Swan Island Networks of Portland, Oregon; Comprehensive Intelligence Technology Training Corporation of Annapolis, Maryland; and Symbium Software of Ottawa, Ontario.
During his 15 year career as a leading executive in cyber security, Wyatt was a driven and passionate advocate for better security and better design. He spoke at industry and community events, and was asked to join several high-level government and industry advisory boards, including TechAmerica Foundation’s CLOUD2 Commission, NIST’s Visiting Committee on Advance Technologies (VCAT), and the Oregon Executive Council of the American Electronics Association (AeA), among others. In Portland, he was cofounder of the innovative RAINS network (Regional Alliances for Infrastructure and Network Security), a nonprofit public/private alliance (now defunct) formed to accelerate development, deployment and adoption of innovative technology for homeland security.
Wyatt was known for business acumen with a human touch — he cared about the people who worked for him, his customers, and the world around him. He made time for others when they needed it, and that is a rare quality in someone serving as a CEO. Although highly focused on his business duties, Wyatt was seemingly always willing to lend a smile, and listen to what others had to say. He was also known for his fondness for good wine and good humor.
As the designer of the original Tripwire and SignaCert offerings, I have known and worked with Wyatt for nearly 20 years. When he was undergoing treatment for his life-threatening condition in the mid-2000s, we had many conversations about the nature of existence and the future. Then, and throughout the time I knew him, Wyatt expressed a strong commitment to living in the present — to not put off things (including people) that might then be forgotten…and regretted.
Some people believe that exiting life with the largest bank account is success. Wyatt believed that making the world a better place was true success. He wrote in his LinkedIn profile under “Awards and Honors”
My reward comes from the special opportunity to do something important that (hopefully) leaves the world a better place.
And it is an honor to share what I have learned with others that aspire to create lasting contributions with their lives.
By those measures, he clearly was a huge success — his companies, his advocacy, his mentoring, and his friendship changed the lives of many, many people for the better. Wyatt Starnes will be greatly missed.
Some other media accounts of Wyatt’s passing:
Purdue University is a land-grant university, founded in 1869. As a land-grant university, our focus has always been on service to the public good — providing excellent education and research results for the betterment of the world around us. While many universities take great pride at their faculty’s leverage of research to launch new companies or publish many academic papers, we’ve always been very focused on delivering a truly world-class education and performing “game changer” discovery.
The Purdue community just celebrated a reunion of astronaut alumni — a visible symbol of the spirit of service and exploration inherent in our makeup. Purdue is the alma mater of more astronauts than any other university; the first and last men to walk on the moon were Purdue alumni. They did not do it for profit or fame — they did what they did to advance science, to push back boundaries of ignorance, and to give others something to dream about. Purdue’s story is full of people like that, from around the nation and around the world. Our students come from well over a hundred countries, and our graduates go out to improve the lives of people in at least that number.
Our history of exploration and being there “first” extends to many other area, including the first degree-granting CS department (founded in 1962), the first dedicated freshman engineering program, the first television broadcast, and having the fastest campus supercomputer in the world. (A few other notable firsts are detailed here and here .)
But more to the point of this blog, Purdue is the location of CERIAS — the first multidisciplinary institute in cyber security and privacy research, and the home of the first defined degree in information security.
CERIAS is not a department within the university. We are a cross-cutting, multidisciplinary institute at the university, supported largely with soft funds: the vast majority of our funding has always come from small, outside donations by companies and foundations. Our finances depend on the generosity of others, but we are structured so as to not be beholden to the government or one or two big commercial entities that can dictate the direction of our efforts. Instead, we investigate those ideas that our faculty think will solve real problems and help others in what they want to do. Some of our organizational donors are partners in our program, providing advice and research assistance for our efforts, and they reap the rewards in new hires and new ideas (see the link for information on how your organization can join the program).
Historically, we have not done much to solicit others to support CERIAS, although it has always been possible for anyone to make a donation. But that will change, for one special day, April 30th. And we would like everyone who cares about our mission and our future to consider making a donation, even if it is only a small amount.
The first-ever Purdue Day of Giving, a 24-hour online event designed to boost Purdue visibility and support, will take place Wednesday, April 30. CERIAS, and many other campus units, will be promoting Purdue efforts -- granting opportunities, launching dreams, and achieving greatness while promoting an affordable and accessible Purdue.
Plus, every (tax-deductible in the US, at least) donation to CERIAS will receive an additional percentage match from the University. Thus, your donation on April 30th will support CERIAS at even a great extent than your donation alone! This is a special one-day-only opportunity for your gift, large or small! Also, If your employer does charitable matches, please be sure to let them know to match your donation, thus, increasing your impact even further!
Your donation can be made through the website http://dayofgiving.purdue.edu/ (click on “CERIAS” near the bottom of the page), by texting “PurdueCERIAS” (case non-sensitive) to 41444 (you will receive a reply text with more details) or by the telephone at 1-800-319-2199.
But the Purdue Day of Giving is much more than an opportunity to support CERIAS; it’s about helping spread the word about us, our great history and our brighter future along with Purdue's drive to re-define college education. If you’re associated with Purdue and whether you make a donation or not, you can help by posting your story -- or sharing/re-tweeting one of ours – in social media; just add @cerias and #PurdueDayofGiving to your posts and tweets. The University has contests and incentives in place for CERIAS and other units who have friends and alumni posting about #PurdueDayofGiving.
Track our progress and enjoy the day-long series of announcements and highlight videos (one of them featuring on a certain bearded professor known for his fondness of bowties) at http://dayofgiving.purdue.edu/. Don’t wait until April 30 to join the fun; visit http://dayofgiving.purdue.edu/ now, view videos of some of the exciting student success stories, plus sign up for an email to remind you on the 30th to pay it forward. And please, pass along a link to this blog entry to others who you think might be interested in helping.
Thank you to all of our friends, alumni, and partners for their past support, and thank you in advance for helping to “spread the word.” We do hope that you will take this opportunity to provide a donation that day — even if it’s a small one — to help us advance our work towards a more safe and security future.
I’ve been delayed in posting this as I have been caught up in travel, teaching, and the other exigencies of my “day job,” including our 15th annual CERIAS Symposium. That means this posting is a little stale, but maybe it is also a little more complete.
I try to attend the RSA Conference every year. The talks are not usually that useful, but the RSAC is the best event to see what is new in the market, and to catch up with many of my colleagues (new and old), touch base with some organizations, see CERIAS alumni, sample both some exotic cuisines and questionable hors d'oeuvres, and replenish my T-shirt supply. It is a very concentrated set of activities that, when properly managed, fits in a huge set of conversations. My schedule for the week is usually quite full, and I am exhausted by the time I return home. This year, I was particularly worn out because I was recovering from a mild case of pneumonia. Still, I mostly enjoyed my week in San Francisco.
This year, there was a boycott, of sorts, against the conference by various parties who were upset at the purported collaboration of RSA with US government agencies many years ago. I’m not going to go into that here, but I think it (the boycott) was misguided. Not only is there no hard evidence that there was any actual weakening of any algorithms, but it was over a decade ago and at a time when both the national security climate and public sentiment were different than today. There is also the issue that companies are susceptible to legal pressures that are not easily dismissed. If there is any blame to accrue to RSA, it would be better directed to the company’s products than the conference. As it was, during my week there, I only saw about 30 seconds of protest — and the conference had (I believe) record attendance.
The conference really has three general components: the technical track, the exhibit floor, and the informal connections around everything else. I’ll address each separately. I have some particular comments about the use of “booth babes” on the exhibit floor.
The conference every year has scores (hundreds?) of talks, workshops, and panels, usually given by industry analysts, CEOs, and engineers, and by various government officials. It is not a scientific conference by any stretch of the imagination. Although marketing talks are strictly prohibited, one of the primary motivations of speakers is to get on stage to promote “their brand.” Often, the talks are filtered through a particular product point of view to reinforce the marketing pitch given elsewhere, or to sell a book, or to subtly promote the speaker’s usefulness as a consultant. Over the last decade I have attended many talks, but found few of them really informative, and several involved misinformation that was not challenged by anyone during the session. I have stopped sending in proposals for talks because my past proposals didn’t fare well — “too academic” was the judgement. I guess if I don’t pull a hacker out of my hat and make a database disappear, I’m not entertaining enough for this crowd considering overall conference attendance, which simply goes to my point about conference focus.
This year there was at least one partially informative session. I was asked at the last minute to fill in on a panel hosted by Gary McGraw. The panel attempted to address a topic that I spend several hour-long lectures covering in class: the classic Saltzer and Schoeder principles of secure design. The panel only covered four of the principles, and superficially, but I think the panel went okay. We had a small crowd.
I attended, briefly, a number of other sessions, but didn’t stay for any but one of them. Perhaps I am getting too cynical and jaded, but I didn’t find anything that was new and interesting; yes, a few things were new, but not surprising or even well-analyzed. I’m not sure it mattered for the audience.
The one session that I stayed for, and thoroughly enjoyed, was the closing session with Stephen Colbert. He was brilliant and funny. His off-the-cuff answers during the Q&A session was excellent all by itself — he not only displayed better than superficial knowledge of portions of the field, but he gave some very quick answers that showed some level of insight as well as humor. Not all of his answers went over with all of the crowd, but I think that showed he was giving some genuine answers of his own rather than trying to amuse.
Lots of the real business at the conference really isn’t at the conference, but in the halls, hotels, restaurants, and bars in the vicinity. Companies hold both formal and informal receptions for past & future customers, everyone from CEOs to sales reps work out deals over dinner and drinks, analysts and commentators get news over lunch and finger foods, and employees are recruited in all sorts of venues. Some of the media conduct interviews with notable people (and some rather sketchy types). Organizations presented awards and recognized members at receptions (e.g., the ISSA honored their newest Fellows and Distinguished Fellows, and the (ISC)2 celebrated its 25th anniversary).
These connections are a major draw of the conference for me. I get to reconnect with people I don’t often get to see otherwise, and I also get to meet many others who I might not otherwise encounter. I get to hear about interesting stories that aren’t told to the general sessions, hear about new projects, and tell people about how they are missing out on hiring our great grads from CERIAS. I always return home with a stack of business cards with notes on them of things to send, lookup, and people to call.
This year was no different: I connected with over 30 people I had not seen in months…or years, and met another few score new. I missed running into several people I was hoping to see, but generally had a full schedule. Luckily, there are enough people who have yet to get the memos, and I was invited to some of the receptions. In several instances, I got to meet some people in person that I have only known via on-line persona. In other cases, I got to meet long-time friends and acquaintances who I never get to see often enough because of schedule issues. Some people I was hoping to see weren’t able to make it because of budget issues this year curtailing travel, which seems to have been a little more pronounced this year than the last couple of years, at least among my circle.
I should note that few academics attend this conference: the cost, even with a discounted admission, is significant, and combined with travel, hotel, and other expenses, it can take a sizable chunk out of a limited academic-sized budget. I saw a few colleagues in attendance, but we were all senior. In past years I have tried to cover the expenses for junior colleagues to attend at times in their careers where the possibility of networking with industry might be beneficial, but there is seldom enough unrestricted funding coming in to CERIAS (or me) to cover this on a regular basis.
Overall, I saw little impact from the “boycott.” In fact, I saw several people who spoke or attended the “boycott” event and were also present at the RSA events!
The exhibition at the conference is huge. Nearly all major vendors — and several government entities, from several countries -- have booths of some sort. This year the booths covered both the North and South halls at Moscone Center — there were many hundreds of them. Walking the exhibit floor is mind (and foot) numbing, but I try to do it at least twice each year to be sure I get a good coverage of what is new and interesting…and what is not.
Some companies opt for large — even multistory — booths with lots of screens and demos. Others have small booths with simply a counter and some literature. Many new companies spend a fair amount for a booth to try to gain some market awareness of their products and services. I haven’t done a formal tally, but I’d guess that somewhere around 20% of the companies I see in any given year are no longer there 2 years later — either they fail or are acquired.
Overall, I didn’t see much that excited me as new or particular innovative. Again, that may simply be the longer perspective I bring to this. I remember the old National Computer Security Conferences in the 1990s as a sort of precursor to this, and the baseline trend is not a good one. In the 90s, the exhibitors were all about secure software development and hardened systems. In 2014, the majority of big vendors were flogging services to detect threats that get through all the defenses on Windows and Linux, recovery from break-ins, and other technologies that basically already concede some defeat. Of course, there were also trends — more about encryption, threat intelligence, big data, and securing “cloud” computing, for N different definitions of cloud. I think the best summary of the exhibits was given by Patrick Gray and Marcus Ranum (click the link to hear the audio): somewhat cynical, but dead on.
As I noted in my last blog entry here, the industry is continuing to focus on solving some of the wrong problems.
With all those exhibitors on the floor, they are all seeking ways to place some branding with attendees, and to get people to stop by the booths for longer discussions (and to harvest addresses for later sales calls). Usually, this is with some form of giveaway item, such as pens, candy, or T-shirts with clever designs. Sometimes they have a notable security figure there autographing books. I certainly pick up my share of T-shirts and books, plus a few other items that I may use, but the majority of items I decline. The giveaway that amazes me the most is the free USB item that people gladly accept and plug into systems. This is a security conference in 2014 and people are doing that?? Consider that one of the vendors that seemed to be successful giving out a lot of USB sticks was Huawei…. simply wow.
Also annoying are the booths where the people can’t even answer simple questions about their companies. Instead, they want to scan my badge and have me sit through a presentation. No thank you. If you can’t tell me in 30 seconds what your company is about, then I’m not about to sit through 10 minutes of someone breathlessly extolling your “industry leading” approach to … whatever it is you do, and I certainly don’t want to sit through a WebEx presentation next month when I am right here with you now.
In an attempt to stand out, some vendors have gone in odd directions by trying to have some “flash” at the booth to bring people in. In prior years, I saw people in suits of armor and gorilla costumes. There have been booths with motorcycles and sports cars. This year, they had professional magicians, gymnasts, and even a ring with a boxing match! These are not items with branding that someone will walk away with and possibly display in the weeks to come, but simply an attempt to attract attention. It is fairly strange, and annoying, however. Why should those tell me anything about a product or security service, other than the company leadership thinks flash is more important than substance? How the heck do those displays relate to information security?
The most egregious example of this disconnect is the “booth babe.” These are when women (and rarely, men) — usually in some scanty outfit involving spandex — are on display to draw people into the booth. They are never themselves engineers or even in sales: there are agencies that hire out their staff to do this kind of thing. Heck, they can’t even answer basic questions about the company! I make it a point to try to talk to some of these people to see why they are at the booth, and I can’t recall an instance in the past few years where any of the women actually had a technical job within the company whose booth they “adorned."
Let me make clear that I appreciate attractive women. That has been my particular orientation for 45 years, and I am not unhappy with it (although I have always wished more of them appreciated me in return!) But more to the point, I appreciate all women — and men who exemplify achievement and dedication. I appreciate imagination. I appreciate professionalism. I do not appreciate attempts to lure me to a vendor through setting off fireworks, dangling shiny objects, or having women in short shorts trying to get me into the booth. It is insulting.
Simply put, it is the wrong message in the wrong context, and the people sending the message are seriously short of clue.
This kind of behavior is harmful to the field because it conveys a message that women are valued primarily because of their appearance, and it trivializes their intellectual contributions. I talked about this in a recent interview and recently wrote about how the field is skewed. We should not and cannot condone the negative messages.
Let me make it clear that I have no quibble with the women themselves who were involved in this — they were hired to put on costumes and be cheerful, to try to draw people in. Standing on concrete floors in 3” heels all day, in not enough clothing to stay warm with the A/C, and trying to be cheerful is not easy. Some of them are students, working to pay tuition, others are supporting children. In one case, the company receptionist and her friend were gamely hanging out in short-shorts to support her company in return for the trip to San Fran. In another case, a company had a beauty pagent winner present, dressed conservatively. She is a pleasant person, and uses her minor celebrity for some good causes, but I do not think that is why the company had her at their booth; I don’t fault her for that decision, however.
Across the exhibition I saw many women who were not on display. Some were in t-shirts and jeans. Some were in heels and dresses. (I asked a few, and it was their first RSA — few will wear heels a second time!) More importantly — it was their own choice, and not something imposed by management. They dressed to be comfortable —as themselves — and if asked technical questions, they were able to respond. Some were thoughtful, some tired, some funny — but all real and there to interact as members of the profession, not as window dressing. That is precisely how they should be treated, and how they want to be treated — as professional colleagues.
I know I’m not the only person who thinks the "booth babe" approach is wrong. I discussed this with several people I know, men and women, and the majority were bothered by it as well. I think the blog posts by Marcus Ranum and Chenxi Wang sum up some of the different reactions quite well. Winn Schwartau actually captured this and many of my other frustrations with the exhibits in one wonderful article.
My message to the vendors: start treating all of us as thinking adults. Focus on the value proposition of your products and services and you'll get a much better response.
I think it was overall a good experience. I hope to attend next year’s conference, and I look forward to seeing old and new friends, maybe hearing something innovative, and seeing a change in the way exhibitors are showing off their wares. We shall see.
