The Center for Education and Research in Information Assurance and Security (CERIAS)


CERIAS Blog


Security Through Obscurity

I take some of the blame for helping to spread "no security through obscurity," first with some talks on COPS (developed with Dan Farmer) in 1990, and then in the first edition of "Practical Unix Security" (with Simson Garfinkel) in 1991. ... The origin of the phrase is arguably one of Kerckhoffs's principles for strong cryptography: there should be no need for the cryptographic algorithm to be secret, and it can be safely disclosed to your enemy. The point there is that the strength of a cryptographic mechanism that depends on the secrecy of the algorithm is poor; to use Schneier's term, it is "brittle": once the algorithm is discovered, there is little or no protection left, and once broken it cannot be repaired. Worse, if an attacker manages to discover the algorithm without disclosing that discovery, then she can exploit it over time before it can be fixed. The mapping to OS vulnerabilities is somewhat analogous: if your security depends only (or primarily) on keeping a vulnerability secret, then that security is brittle; once the vulnerability is disclosed, the system becomes more vulnerable. ... One goal of securing a system is to increase the work factor for the opponent, with a secondary goal of increasing the likelihood of detecting when an attack is undertaken. By that definition, obscurity and secrecy do provide some security, because they increase the work factor an opponent must expend to successfully attack your system. ... Every potential vulnerability in the codebase that has yet to be discovered by (or revealed to) someone who might exploit it is not yet a realized vulnerability. ... cases, there is little or no danger to the general public UNTIL some yahoo publishes the vulnerability and an exploit far and wide. ... The problem occurs when a flaw is discovered and the owners/operators attempt to maintain (indefinitely) the sanctity of the system by stopping disclosure of the flaw.
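As an added illustration of the brittleness argument above (not part of the original post), here is a Python sketch contrasting a scheme whose only secret is its transform with one whose only secret is a key. It counts the attacker's work once the source code has leaked, and shows that the keyed scheme can be repaired by rotating the key while the obscurity scheme cannot. The construction (HMAC-SHA256 in counter mode as a keystream), the fixed pad, the message, the toy 16-bit key and the fixed nonce are all my assumptions for the demonstration; none come from the post.

```python
import hashlib
import hmac
import secrets

# ---- Scheme A: the transform itself is the secret (obscurity) ----
# The pad is baked into the code, identical in every deployment; there is no
# per-user key, so there is nothing to rotate once the code leaks.
_OBSCURE_PAD = bytes.fromhex("5a3c9e71c0ffee42")  # assumed constant for the demo


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def obscure_encrypt(plaintext: bytes) -> bytes:
    reps = len(plaintext) // len(_OBSCURE_PAD) + 1
    return _xor(plaintext, (_OBSCURE_PAD * reps)[: len(plaintext)])


obscure_decrypt = obscure_encrypt  # XOR with a fixed pad is its own inverse


# ---- Scheme B: the algorithm is public; only the key is secret ----
# HMAC-SHA256 in counter mode as a keystream generator (a PRF-based stream
# cipher; unauthenticated, so a teaching construction, not a production cipher).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    nonce = nonce or secrets.token_bytes(16)  # a fixed nonce is only for reproducible demos
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def keyed_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return _xor(body, _keystream(key, nonce, len(body)))


# ---- The attacker has read the source of both schemes ----
def attack_obscure(ciphertext: bytes):
    """Disclosure of the transform is the whole break: one operation, no residual work factor."""
    return obscure_decrypt(ciphertext), 1


def attack_keyed(blob: bytes, crib: bytes, key_bits: int):
    """Knowing the algorithm leaves exhaustive key search; work grows as 2**key_bits.
    The right key is recognised by a known plaintext prefix (crib).
    Returns (plaintext or None, number of keys tried)."""
    attempts = 0
    for k in range(1 << key_bits):
        attempts += 1
        key = k.to_bytes((key_bits + 7) // 8, "big")
        candidate = keyed_decrypt(key, blob)
        if candidate[: len(crib)] == crib:
            return candidate, attempts
    return None, attempts


def demo() -> dict:
    """Constructed message and toy 16-bit key so the brute force finishes in well under a second."""
    msg = b"ATTACK AT DAWN"
    nonce = bytes(16)
    pt_a, work_a = attack_obscure(obscure_encrypt(msg))
    key = b"\x13\x37"
    pt_b, work_b = attack_keyed(keyed_encrypt(key, msg, nonce), b"ATTACK", 16)
    # Repair after disclosure: rotate the key. The transform is unchanged and still
    # public, yet the key the attacker recovered no longer opens new traffic.
    stale = keyed_decrypt(key, keyed_encrypt(b"\xbe\xef", msg, nonce))
    return {
        "obscure_recovered": pt_a == msg, "obscure_work": work_a,
        "keyed_recovered": pt_b == msg, "keyed_work": work_b,
        "stale_key_still_works": stale == msg,
    }


if __name__ == "__main__":
    print(demo())
```

With a real key size the same loop would need on the order of 2**128 trials, which is the work factor Kerckhoffs's principle buys you; with the pad-in-code scheme the work factor after disclosure is one, and it stays one for every message ever sent, because there is no key to change.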

ReAssure 1.10 Released


This new release of our testbed software provides users with full control of experimental PCs instead of being limited to running VMware images:

  • Experimental PCs can be rebooted at will

  • There is a LiveCD in the experimental PCs, which will take a root password that you specify before rebooting the PC

  • Users are now able to replace the operating system installed by default on experimental PCs, and gain full control

  • The host operating system for VMware is restored after an experiment.

This facilitates experiments with other virtualization technologies (e.g., Xen), or with operating systems or software that don’t interact in the desired manner with VMware.

Compared with other testbeds such as DETER, the differences are:

  • You should be able to run anything on ReAssure, that is compatible with the hardware; 

  • You may try to attack the ReAssure testbed itself; 

  • Malicious software should have great difficulty escaping the testbed (if not using exp01 and exp02, the computers set aside for updating images); 

  • Your experiments using VMware images are portable; 

  • You can take VMware snapshots; 

As before, you can still:

  • Use complex network topologies for your experiments, with high bandwidth available on each link (Gbit Ethernet)

  • Extend reservations or stop experiments at will;

  • Use ISO images and VMware appliances; 

  • Share image files

  • Cooperate remotely with other people, and give them access to the PCs in one of your experiments

  • Update your images from two of our experimental PCs that allow connections to the outside (exp01 and exp02)

Under the hood changes:

  • The switch management now uses a server listening on a UNIX domain socket instead of a script started by cron.  This increases the responsiveness of the system, allows checking the state of the switch directly in real time, and allows self-test results to be displayed on the web interface (for administrators).

  • The upload mechanism now uses a server listening on a UNIX domain socket instead of a script started by cron.  This increases the responsiveness of the system and allows self-test results to be displayed on the web interface (for administrators).

  • The power state of the experimental PCs is controlled via IPMI (Intelligent Platform Management Interface) on an isolated network
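To make the cron-script-versus-UNIX-domain-server change concrete, here is an added Python example (mine, not ReAssure's code) of a small daemon that answers "status" and "selftest" queries over a UNIX domain socket. A cron-driven script can only report the state as of its last run; a resident server answers from live state on every request. The socket file is created mode 0600 so only the owning account can connect, the peer's uid is checked with SO_PEERCRED where the platform provides it, and unknown input is rejected rather than handed to a shell. The port table and command names are constructed for the demo.

```python
import os
import socket
import stat
import struct
import tempfile
import threading

# Constructed state for the demo: a pretend switch port table.
DEMO_STATE = {"exp01": "up", "exp02": "down"}


class StateServer:
    """Serves live state over a UNIX domain socket (illustration only, not ReAssure's code)."""

    def __init__(self, sock_path: str, state: dict):
        self.sock_path = sock_path
        self.state = state
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self) -> None:
        if os.path.exists(self.sock_path):
            os.unlink(self.sock_path)
        self._sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._sock.bind(self.sock_path)
        # Restrict to the owner. A production daemon would set the umask before
        # bind() to close the brief window in which the default mode applies.
        os.chmod(self.sock_path, stat.S_IRUSR | stat.S_IWUSR)  # 0600
        self._sock.listen(8)
        self._sock.settimeout(0.1)  # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                if not self._peer_is_owner(conn):
                    conn.sendall(b"ERR unauthorized\n")
                    continue
                request = conn.recv(256).decode("ascii", "replace").strip()
                conn.sendall(self.handle(request).encode() + b"\n")

    @staticmethod
    def _peer_is_owner(conn: socket.socket) -> bool:
        if not hasattr(socket, "SO_PEERCRED"):
            return True  # non-Linux: rely on the socket file mode alone
        creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
        _pid, uid, _gid = struct.unpack("3i", creds)
        return uid == os.getuid()

    def handle(self, request: str) -> str:
        """Fixed command set; anything else is refused, never passed to a shell."""
        if request == "status":
            return " ".join(f"{k}={v}" for k, v in sorted(self.state.items()))
        if request == "selftest":
            ok = all(v in ("up", "down") for v in self.state.values())
            return "OK" if ok else "FAIL"
        return "ERR unknown command"

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self._sock.close()
        os.unlink(self.sock_path)


def query(sock_path: str, request: str) -> str:
    """Client side: one request, one reply, as a web interface would issue it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(sock_path)
        client.sendall(request.encode("ascii"))
        return client.recv(4096).decode("ascii").strip()


def demo() -> dict:
    """Start a server in a temp dir; a state change is visible on the very next query."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "switch.sock")
    server = StateServer(path, dict(DEMO_STATE))
    server.start()
    try:
        before = query(path, "status")
        server.state["exp02"] = "up"  # stands in for a real port-state change
        after = query(path, "status")
        unknown = query(path, "rm -rf /")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        selftest = query(path, "selftest")
    finally:
        server.stop()
        os.rmdir(workdir)
    return {"before": before, "after": after, "unknown": unknown,
            "mode": mode, "selftest": selftest}


if __name__ == "__main__":
    print(demo())
```

The same pattern covers the upload path: the web front end connects to the socket, sends a fixed-vocabulary request, and gets an immediate answer, and an administrator's self-test can be a command the daemon already knows rather than a separate cron job.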

Visit the project home page, the testbed management interface itself, or download the open source software.  The ReAssure testbed was developed using an MRI grant from NSF (No. 0420906). 

US Travel Tips for New Faculty…and for Not-so-New

I have over 3000 entries in my online address book and card collection, and I no longer remember who half of them are, where I met them, or why....a note would have helped me in trimming the collection some. ... Furthermore, you can read the papers when on the plane during times that no electronic devices can be used, and you can write comments in the margin when you have a small fold-down seat tray that isn't large enough to hold an open laptop. ... Also, you are prepared when the airline asks for volunteers to be bumped to the next day in return for a free ticket -- that means you can save money on your grants for the next conference, or else use the free ticket to have a spouse/SO accompany you on a trip. ... Airline check-in people can give you a better seat or waive a change fee if you are nice, flight attendants will sometimes comp a drink or give you the last blanket, and hotel clerks can put you in a better room -- all if you are nice. ... At the end of the trip, the receipts get sorted into three piles: those that go to the university or sponsor for reimbursement purposes, those that go into my file for income taxes (all meal receipts, for example), and a pile I keep until I have been reimbursed and my frequent flier miles credited. ... Intel is one example -- over a 3 year period with 5 trips they never paid an invoice in less than 6 months, one took 10 months to reimburse, and I had to file as a business supplier to even get into their system! ... If you are flying to a conference on grant money, check on university policy -- most will cover the change fee or even the cost of the ticket so long as you commit to buying non-refundable tickets to keep costs low. ... Yeah, maybe you collect frequent flier miles by using that card, but it also may have an 18%-25% effective annual rate. If you are delayed getting a reimbursement, or it crosses the due date of the bill, you may be paying a hefty penalty for those miles. ... 
The taxes part is easiest -- keep the receipts and if your reimbursement gets included in a form 1099-MISC filed by your host, then you list the amounts as deductible business expenses (talk to a tax advisor for specifics -- don't depend on this blog!). ... It is all perfectly legal (although you may need to educate the clerks at the other end), has the same number of digits as your SSN, but if compromised it won't contribute to fraud committed with your identity.

Privacy Survey


I am an advisor to ThePrivacyPlace.  They do great work on privacy issues, and this annual survey is valuable—but only with a lot of responses.  So, please respond and share the link with others.

The following is their survey announcement.

ThePrivacyPlace.Org Privacy Survey is Underway!

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and was first offered in 2002. We are offering the survey again in 2008 to reveal how user values have changed over the intervening years. The survey results will help organizations ensure their website privacy practices are aligned with current consumer values.
The URL is: http://theprivacyplace.org/currentsurvey

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available via our project website (http://www.theprivacyplace.org/).

Prizes include $100 Amazon.com gift certificates sponsored by Intel Co. and IBM gifts.

On behalf of the research staff at ThePrivacyPlace.Org, thank you!


Barack Obama, National Security, and Me


[Update 7/17: Video of the Senator’s opening remarks and the panel session (2 parts) are now online at this site. I have also added a few links.]


This story (somewhat long) is about Senator Barack Obama’s summit session at Purdue University today (Wednesday, July 16) on security challenges for the 21st century. I managed to attend, took notes, and even got my name mentioned. Here’s the full story.

Prelude

Monday night, I received email from a colleague here at Purdue asking if I could get her a ticket to see Senator Obama on campus. I was more than a little puzzled — I knew of no visit from the Senator, and I especially didn’t know why she thought I might have a ticket (although there are people around here who frequently ask me for unusual things).

Another exchange of email resulted in the discovery that the Senator was coming to Purdue today (the 16th of July) with a panel to hold a summit meeting on security issues for the 21st century. Cyber security was going to be one of the topics. The press was told that Purdue was chosen because of the leading role our researchers have in various areas of public safety and national security — including the leading program in cyber security — although some ascribed political motives as the primary reason for the location.

I found it rather ironic that security would be given as the reason for being at Purdue, and yet those of us most involved with those security centers had not been told about the summit or given invitations. It appears that the organizers gave a small number of tickets to the university, and those were distributed to administrators rather than faculty and students working in the topic areas.

I found this all very ironic and interesting, and expressed as much in email to several friends and colleagues — including several who I knew had some (indirect) link to the Senator’s campaign. I had faint hope of getting a ticket, but was more interested in simply getting the word back that there was a misfire in the organization of the event.

Late last night (I was in the office until 6:30) I got a call from someone associated with the Obama campaign. He apologized for the lack of an invitation, and informed me that a ticket was awaiting me at the desk the next day.

The Event

I went over to the Purdue Union at 11:30; the official event was to start at 12. I encountered a number of Purdue administrators in the crowd. Security was apparent for the event, including metal detectors at the door run by uniformed officers, some of whom I believe were with the Secret Service uniformed division. The officers everywhere were polite and cheerful, but watchful. I found a seat in the back of the North Ballroom with about 500 other guests…and nearly as many members of the press, entourage, ushers, protection detail, and so on.

I won’t try to summarize everything said by the Senator and panel — you can find the full video here (in two parts). I will provide some impressions of specific things that were said.

The event started almost on time (noon) with Senator Evan Bayh introducing Senator Barack Obama. Sen. Obama then read from a prepared set of remarks. His comments really resonated with the crowd (I encourage you to follow the link to read them). His comment about how we have been “fighting the last war” is particularly appropriate.

He made some very nice comments about Senator Richard Lugar, the other Senator from Indiana. Senator Lugar is a national asset in foreign policy, and both Senators Obama and Bayh (and former Senator Nunn) had nothing but good things to say about him — and all have worked with him on disarmament and peace legislation. One of the lighter moments was when Senator Obama said that Senator Lugar was a great man in every way except that he was a Republican!

Early in his statement, he deviated from his script as reproduced in the paper, and dropped my name as he was talking about cyber security. I was very surprised. He referred to me as one of the nation’s leading experts in cyber security when he mentioned Purdue being in the lead in this area. Wow! I guess someone I sent my email to pushed the right button (although my colleagues and our students deserve the recognition, as much or more than I do).

His further comments on officially designating the cyber infrastructure as a strategic asset is important for policy & legal reasons, and his comments on education and research also seemed right on. It was a strong opening, and there was obviously a lot in his comments for a number of different audiences, including the press.

Panel Part I

The first 1/3 of the panel discussion was on nuclear weapons issues. The experts present to talk on the issue were (former) Senator Sam Nunn (who joked that in Indiana everyone thought his last name was actually Nunn-Lugar), Senator Bayh, and Dr. Graham Allison, the director of the Belfer Center at Harvard. There was considerable discussion about the proliferation of nuclear materials, the need for cooperation with other countries rather than ignoring them (viz. North Korea and Iran), and the control of fissionable material.

There were some statements that I found to be a bit of hyperbole: For instance, the statement that a single bomb could be made by terrorists to destroy a whole city. Not to minimize the potential damage, but without sophisticated nation-state assistance and machining, a crude fission weapon is about all that a terrorist group could manage, and it wouldn’t be that large or that easy to build. A few tens of kilotons of fission explosion could definitely ruin your day, but a detonation at ground level wouldn’t destroy a whole city of any size. (Lafayette, IN would be mostly destroyed by one, but that isn’t a major city.) Plutonium is too dangerous to handle, so over 100 pounds of U-235 (or U-233) would be needed, and machined appropriately, for such a weapon. Without accelerators and specially shaped charges & containers, getting fission fast enough and long enough is difficult and….well, there is a very serious threat, and the nuances may be lost on the average crowd, but the focus on terrorists building a significant bomb seemed wrong to me.

There were some excellent remarks made about opportunity cost. For instance, the one figure that stood out was that we could fully fund the Nunn-Lugar initiative and some other plans to secure loose nuclear materials by spending the equivalent of 1 month of what we now spend in Iraq over the next 4 years around the world; the war in Iraq is breeding terrorists and making US enemies, while securing loose nukes would help protect generations to come around the world. As both a taxpayer and a parent (as well as someone immersed in defense issues), I know where I would prefer to see the money spent!

One other number given is that currently less than 1/4 of 1% of the defense budget is spent on containing nuclear materials, despite it being a declared priority of President Bush. Professor Allison said that despite grade inflation at Harvard, the President still gets an “F” in this area.

Another interesting factoid stated was that about 10% of the lights in the US are powered by electricity generated from reprocessed fissile material taken from Russian nukes rendered safe under the Nunn-Lugar initiative. That sounds high to me given the amount of nuclear power generated in the US, but even if off by a factor of 10, darned impressive.

Panel Part II

The second part of the panel was on bio weapons. The panelists were Dr. Tara O’Toole of the Center for Biosecurity at Pitt, and Dr. David Relman of Stanford. Their discussion was largely what I expected, about how bio-weapons can be produced by rogue actors as well as rogue states. They made the usual references to plague (with a funny interchange about prairie dogs being carriers, and keeping the Senator’s campaign away from them), anthrax and Ebola.

Again, there was a bit of exaggeration coupled with the dialog. It was pointed out that there has still been no apprehension of the perpetrator of the 2001 anthrax attacks. It was then stated that the anthrax in the envelope sent to Senator Daschle was enough to kill a billion people. No mention was made about how impossible it would be to meter and deliver such dosages in the most appropriate manner to achieve that. In fact, no discussion was made about the difficulty in weaponizing most biological agents, limiting their use as a targeted weapon over a large area. And furthermore, no mention at all was made of chemical weapons.

The conclusion here was that investment in better research and international cooperation was key. The statement was made that better integration of electronic health records would be important, too, although some studies I recall indicate that their utility is probably not so great as some would hope. It was also concluded that benefits in faster medical response and better vaccine production would help in non-crisis times as well. I don’t think we can argue too much with that, although the whole issue of how we pay for medicine and health issues looms large.

Panel Part III

The last panel featured Alan Wade, former CIO of the CIA, and Paul Kurtz of Good Harbor Consulting, speaking on the cyber threat. I’ve known Paul for years, and he is a great person to talk on these issues.

The fact that cyber technology is universal and ubiquitous was highlighted. So was the asymmetry inherent in the area. Some mention was made about how nothing has been done by the current administration until very recently. Sadly, that is clearly the case. The National Strategy in 2002, the PITAC report in 2005, and the CSTB report in 2007 (to name 3 examples) all generated no response. As a member of the PITAC that helped write the 2005 report, I was shocked at the lack of Federal investment and the inaction we documented (I knew it was bad, but didn’t realize until then how bad it was); the reaction from the White House was to dissolve the committee rather than address the real problems highlighted in the report. As one of today’s panelists put it — the current administration’s response has been “…late, fragmented, and inadequate.” Amen.

I was disappointed that so much was said about terrorism and denial of service. Paul did join in near the end and point out that alteration of critical data was a big concern, but there was no mention of alteration of critical services, about theft of intellectual property, about threats to privacy, or other more prominent threats. Terrorism online is not the biggest threat we face, and we have a major crisis in progress that doesn’t involve denial of service. We need to ensure that our policymakers understand the scope of the threat.

On the plus side, Senator Obama reiterated how he sees cyber as a national resource and critical infrastructure. He wants to appoint a national coordinator to help move protection forward. (If he is elected I hope he doesn’t put the position in DHS!)

Paul pointed out the need for more funds for education and research. He also made a very kind remark, mentioning me by name, and saying how we were a world-class resource built with almost no funding. That’s not quite true, but sadly not far off. I have chafed for years at how much more we could do with even modest on-going support that wasn’t tied to specific research projects….

Conclusions

I was really quite impressed with the scope of the discussion, given the time and format, and the expertise of the panelists. Senator Obama was engaged, attentive, and several of his comments and questions displayed more than a superficial knowledge of the material in each area. Given our current President referring to “the Internets” and Senator McCain cheerfully admitting he doesn’t know how to use a computer, it was refreshing and hopeful that Senator Obama knows what terms such as “fission” and “phishing” mean. And he can correctly pronounce “nuclear”! His comments didn’t appear to be rehearsed — I think he really does “get it.”

(Before someone picks on me too much…. I believe Senator McCain is an honorable man, a dedicated public servant, and a genuine American hero. I am grateful to have people like him intent on serving the public. However, based on his comments to the press and online, I think he is a generation out of date on current technology and important related issues. That isn’t a comment related to his age, per se, but to his attitude. I’d welcome evidence that I am mistaken.)

Senator Obama is a great orator. I also noticed how his speed of presentation picks up for the press (his opening remarks) but became more conversational during the panel.

Senator Obama kept bringing the panel back to suggestions about what could be done to protect the nation. I appreciated that focus on the goal. He also kept returning to the idea that problems are better solved early, and that investments without imminent threat are a form of insurance — paying for clean-up is far greater than some prudent investment early on. He also repeatedly mentioned the need to be competitive in science and technology, and how important support for education is — and will be.

After the session was over, I didn’t get a chance to meet any of the campaign staff, or say hello to Paul. I did get about 90 seconds with Senator Bayh and invited him to visit. After my name had been mentioned about 3 times by panelists and Senator Obama, he sort of recognized it when I introduced myself. We’ll see if he follows up. I’ve visited his office and Senator Lugar’s, repeatedly, and neither have ever bothered to follow up to see what we’re doing or whether they could help.

Several people in the audience commented on my name being mentioned. I’m more than a little embarrassed that they didn’t refer to CERIAS and my colleagues, and in fact I was the only Purdue person mentioned by name during the entire 2 hours, and then it happened multiple times. I’m not sure if that’s good or not — we’ll see. However, as P.T. Barnum said, there’s no such thing as bad publicity … so long as they spell my name correctly. None of the local or national press seem to have picked it up, however, so even spelling isn’t an issue.

The press, in fact, hasn’t seemed to focus on the substance of the summit at all. I’ve read about 15 accounts so far, and all have focused on his choice of VP or the status of the campaign. It is so discouraging! These are topics of great importance that are not well understood by the public, and the press simply ignores them. Good thing Angelina Jolie gave birth earlier in the week or the summit wouldn’t have even made the press.

I wish more of the population would take the time to listen to prolonged discussion like this. 15-second sound bites serve too often as the sole input for most voters. And even then, too many are insufficiently educated (or motivated) to understand even the most basic concepts. I wonder if more than 5 people will even bother to read this long a post — most people want blogs a single page in length.

As for my own political opinions and voting choices, well, I’m not going to use an official Purdue system to proselytize about items other than cyber security, education, research and Purdue. You can certainly ask me if you see me. Now, if only I had confidence in the electronic voting equipment that so many of us are going to be forced to use in November (hint: I’m chair of the USACM).

Last Tongue-in-Cheek Word

And no, I’m not particularly interested in the VP position.