Posts in Kudos, Opinions and Rants

A Cynic’s Take on Cyber Czars and 60-day Reports

Saturday, May 30, 2009 by Prof. Spafford in General, Kudos, Opinions and Rants, Policies & Law,

Today, and Before

On July 17, 2008, (then) Senator Barack Obama held a town hall meeting on national security at Purdue University. He and his panel covered issues of nuclear, biological and cyber security. (I blogged about the event here and here.) As part of his remarks at the event, Senator Obama stated:

Every American depends — directly or indirectly — on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.

As President, I'll make cyber security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information — from the networks that power the federal government, to the networks that you use in your personal lives.

That was a pretty exciting statement to hear!

On February 9, 2009, (now) President Obama appointed Melissa Hathaway as Acting Senior Director for Cyberspace and charged her with performing a comprehensive review of national cyberspace security in 60 days. I interacted with Ms. Hathaway and members of her team during those 60 days (as well as before and after). From my point of view, it was a top-notch team of professionals approaching the review with a great deal of existing expertise and open minds. I saw them make a sincere effort to reach out to every possible community for input.

If you're keeping count, the report was delivered on or about April 10. Then, mostly silence to those of us on the outside. Several rumors were circulated in blogs and news articles, and there was a presentation at the RSA conference that didn't really say much.

Until today: May 29th.

Shortly after 11am EDT, President Obama gave some prepared remarks and his office released the report. In keeping with his July 2008 statement, the President did declare that "our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset." However, he did not appoint someone as a National Cyber Advisor. Instead, he announced the position of a "Cybersecurity Coordinator" that will be at a lower level in the Executive Office of the White House. No appointment to that position was announced today, either. (I have heard rumor from several sources that a few high-profile candidates have turned down offers of the position already. Those are only rumors, however.)

The President outlined the general responsibilities and duties of this new position. It apparently will be within the National Security Staff, reporting to the NSC, but also reporting to OMB and the National Economic Council, and working with the Federal CIO, CTO and the Office of Science and Technology Policy.

The new Coordinator will be charged with

helping develop (yet another) strategy to secure cyberspace. This will include metrics and performance milestones;
coordinating with state and local governments, and with the private sector, "to ensure an organized and unified response to future cyber incidents."
to strengthen ties with the private sector, with an explicit mandate to not set security standards for industry.
to continue to invest in cyber (although the examples he gave were not about research or security
to begin a national campaign to increase awareness and cyber literacy.

The President also made it clear that privacy was important, and that monitoring of private networks would not occur.

Reading Between the Lines

There were a number of things that weren't stated that are also interesting, as well as understanding implications of what was stated.

First of all, the new position is rather like a glorified cheerleader: there is no authority for budget or policy, and the seniority is such that it may be difficult to get the attention of cabinet secretaries, agency heads and CEOs. The position reports to several entities, presumably with veto power (more on that below). Although the President said the appointee will have "regular access" to him, that is not the same as an advisor -- and this is a difference that can mean a lot in Washington circles. Although it is rumor that several high-profile people have already turned down the position, I am not surprised given this circumstance. (And this may be why it has been two months since the report was delivered before this event — they've been trying to find someone to take the job.)

The last time someone was in a role like this with no real authority -- was in 2001 when Howard Schmidt was special adviser for cyberspace security to President G.W.Bush. Howard didn't stay very long, probably because he wasn't able to accomplish anything meaningful beyond coordinating (another) National Plan to Secure Cyberspace. It was a waste of his time and talents. Of course, this President knows the difference between "phishing" and "fission" and has actually used email, but still...

Second, the position reports to the National Economic Council and OMB. If we look back at our problems in cyber security (and I have blogged about them extensively over the last few years, and spoken about them for two decades), many of them are traceable to false economies: management deciding that short-term cost savings were more important than protecting against long-term risk. Given the current stress in the economy I don't expect any meaningful actions to be put forth that cost anything; we will still have the mindset that "cheapest must be best."

Third, there was no mention of new resources. In particular, no new resources for educational initiatives or research. We can pump billions of dollars into the bank accounts of greedy financiers on Wall Street, but no significant money is available for cyber security and defense. No surprise, really, but it is important to note the "follow the money" line -- the NEC has veto power over this position, and no money is available for new initiatives outside their experience.

Fourth, there was absolutely no mention made of bolstering our law enforcement community efforts. We already have laws in place and mechanisms that could be deployed if we simply had the resources and will to deploy them. No mention was made at all about anything active such as this -- all the focus was on defensive measures. Similarly, there was no mention of national-level responses to some of the havens of cyber criminals, nor of the pending changes in the Department of Defense that are being planned.

Fifth, the President stated "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic." I suspect that was more than intended to reassure the privacy advocates -- I believe it was "code" for "We will not put the NSA in charge of domestic cyber security." Maybe I'm trying to read too much into it, but this has been a touchy issue in many different communities over the last few months.

There are certainly other things that might be noted about the report, but we should also note some positive aspects: the declaration that cyber is indeed a strategic national asset, that the problems are large and growing, that the existing structures don't work, that privacy is important, and that education is crucial to making the most of cyber going forward.

Of course, Congress ("pro is to con as Progress is to Congress") is an important player in all this, and can either help define a better or solution or stand in the way of what needs to be done. Thus, naming a Cyberspace Coordinator is hardly the last word on what might happen.

But with the perspective I have, I find it difficult to get too excited about the overall announcement. We shall see what actually happens.

The Report

I've read the report through twice, and read some news articles commenting on it. These comments are "off the top" and not necessarily how I'll view all this in a week or two. But what's the role of blogging if I need to think about it for a month, first? :cheese:

It is important to note that the President's remarks were not the same as the report, although its issuance was certainly endorsed by the White House. The reason I note the difference is that the report identifies many problems that the President's statement does not address (in any way), and includes many "should"s that cannot be addressed by a "coordinator" who has no budget or policy authority.

What is both interesting and sad is how much the new report resembles the largely-inconsequential National Plan to Secure Cyberspace issued under the Bush Administration (be sure to see the article at the link). That isn't a slam on this report -- as I wrote earlier, I think it is a good effort by a talented and dedicated team. What I mean to imply is that the earlier National Plan had some strong points too, but nothing came of it because of cost and prioritization and lack of authority.

There are a number of excellent points made in this report: the international aspects, the possibility of increased liability for poor security products and pratices, the need for involvement of the private sector and local governments, the need for more education, the problems of privacy with security, and more.

I was struck by a few things missing from the report.

First, there was no mention of the need for more long-term, less applied research and resources to support it. This is a critical issue, as I have described here before and has been documented time and again. To its credit, the report does mention a need for better technology transfer, although this is hardly the first time that has been observed; the 2005 PITAC report "Cyber Security: A Crisis of Prioritization" included all of this (and also had minimal impact).

The report had almost nothing to say about increasing resources and support for law enforcement and prosecution. This continues to puzzle me, as we have laws in place and systems that could make an impact if we only made it a priority.

There is no discussion about why some previous attempts and structures -- notably DHS -- have failed to make any meaningful progress, and sometimes have actually hindered better cyber security. Maybe that would be expecting too much in this report (trying not to point fingers), but one can't help but wonder. Perhaps it is simply enough to note that no recommendations are made to locate any of the cyber responsibilities in DHS.

There is some discussion of harmonizing regulations, but nothing really about reviewing the crazy-quilt laws we have covering security, privacy and response. There is one sentence in the report that suggests that seeking new legislation could make things worse, and that is true but odd to see.

As an aside, I bet the discussion about thinking about liability changes for poor security practices and products -- a very reasonable suggestion -- caused a few of the economic advisors to achieve low Earth orbit. That may have been enough to set off the chain of events leading to reporting to the NEC, actually. However, it is a legitimate issue to raise, and one that works in other markets. Some of us have been suggesting for decades that it be considered, yet everyone in business wants to be held blameless for their bad decisions. Look at what has played out with the financial meltdown and TARP and you'll see the same: The businessmen and economists can destroy the country, but shouldn't be held at fault. 😠

There is discussion of the supply-chain issue but the proposed solution is basically to ensure US leadership in production -- a laudable goal, but not achievable given the current global economy. We're going to need to change some of our purchasing and vetting habits to really achieve more trustworthy systems — but that won't go over with the economists, either.

There is no good discussion about defining roles among law enforcement, the military, the intelligence community, and private industry in responding to the problems. Yes, that is a snake pit and will take more than this report to describe, but the depth of the challenges could have been conveyed.

As David Wagner noted in email to an USACM committee, there is no prioritization given to help a reader understand which items are critical, which items are important, and which are merely desirable. We do not have the resources to tackle all the problems first, and there is no guidance here on how to proceed.

Summary

I didn't intend for this to be a long, critical post about the report and the announcement. I think that this topic is receiving Presidential attention is great. The report is really a good summary of the state of cybersecurity and needs, produced by some talented and dedicated Federal employees. However, the cynic in me fears that it will go the way of all the other fine reports -- many of which I contributed to -- including the PITAC report and the various CSTB reports; that is, it will make a small splash and then fade into the background as other issues come to the fore.

Basically, I think the President had the right intentions when all this started, but the realpolitik of the White House and current events have watered them down, resulting in action that basically endorses only a slight change from the status quo.

I could be wrong. I hope I'm wrong. But experience has shown that it is almost impossible to be too cynical in this area. In a year or so we can look back at this and we'll all know. But what we heard today certainly isn't what Candidate Obama promised last July.

(And as I noted in a previous post, Demotivators seem to capture so much of this space. Here's one that almost fits.)

Do we need a new Internet?

Sunday, February 15, 2009 by Prof. Spafford in Kudos, Opinions and Rants, Policies & Law, R&D, Secure IT Practices,

Short answer: " Almost certainly, no."

Longer answer:

The blogosphere is abuzz with comments on John Markoff's Saturday NT Times piece, Do We Need a New Internet? John got some comments from me about the topic a few weeks back. Unfortunately, I don't think a new Internet will solve the problems we are facing.

David Akin, a journalist/blogger commented on nicely John's post. In it, he quoted one of my posts to Dave Farber's IP list, which I then turned into a longer post in this blog. Basically, I noted that the Internet itself is not the biggest problem. Rather, it is the endpoints, the policies, the economics, and the legal environment that make things so difficult. It is akin to trying to blame the postal service because people manage to break into our houses by slipping their arms through the mailslots or because we leave the door unlocked "just in case" a package is going to be delivered.

Consider that some estimates of losses as a result of computer crime and fraud are in the many billions of $$ per year. (Note my recent post on a part of this.) Consider how much money is repeatedly spent on reissuing credit and debit cards because of loss of card info, restoring systems from backups, trying to remove spyware, bots, viruses, and the like. Consider how much is spent on defensive mechanisms than only work in limited cases -- anti-virus, IDS, firewalls, DLP, and whatever the latest fad might be.

What effect does that play on global finances? It is certainly a major drag on the economy. This was one of the conclusions (albeit, described as "friction") of the CSTB report Towards a Safer and More Secure Cyberspace, which did not seem to get much attention upon release.

Now, think about the solutions being put forward, such as putting all your corporate assets and sensitive records "out in the cloud" somewhere, on servers that are likely less well-protected or isolated than the ones being regularly compromised at the banks and card processors. But it will look cheaper because organizations won't need to maintain resources in-house. And it is already being hyped by companies, and seemingly being promoted by the NSF and CCC as "the future." Who can resist the future?

Next, stir in the economic conditions where any talk is going to be dismissed immediately as "crazy" if it involves replacing infrastructure with something that (initially) costs more, or that needs more than a minor change of business processes. And let's not forget that when the economy goes bad, more criminal behavior is likely as people seek value wherever they can find it.

The institutional responses from government and big vendors will be more of the same: update the patches, and apply another layer of gauze.

I have long argued that we should carefully re-examine some of the assumptions underlying what we do rather than blindly continue doing the same things. People are failing to understand that many important things have changed since we first started building computing artifacts! That means we might have better solutions if we really thought about the underlying problems from first principles.

I recently suggested this rethinking of basic assumptions to a few senior leaders in computing research (who shall remain nameless, at least within this posting) and was derided for not thinking about "new frontiers" for research. There is a belief among some in the research community (especially at the top universities) that the only way we (as a community; or perhaps more pointedly, them and their students) will get more funding for research and that we (again, the royal "we") will get premier publications is by pushing "new" ideas. This is partly a fault of the government agencies and companies, which aren't willing to support revisiting basic ideas and concepts because they want fixes to their existing systems now!

One part that makes sense from Markoff's article is about the research team making something that is effectively "plug compatible" with existing systems. That is roughly where a longer-term solution lies. If we can go back and devise more secure systems and protocols, we don't need to deploy them everywhere at once: we gradually phase them in, exactly as we do periodic refreshes of current systems. There is not necessarily an impassible divide between what we need and what we can afford.

I'm sorry to say that I don't see necessary changes occurring any time soon. It would upset too much of the status quo for too many parties. Thus, the situation isn't going to get better -- it's going to get worse -- probably much worse. When we finally get around to addressing the problems, it will be more expensive and traumatic than it needed to be.

As I noted before:

"Insanity: doing the same thing over and over again expecting different results."

Of course, my continued efforts to make this point could be branded insane. ;-)

An Aside

Over a decade ago, I gave several talks where I included the idea of having multiple "service network" layers on top of the Internet -- effectively VPNs. One such network would be governed by rules similar to those of the current Internet. A second would use cryptographic means to ensure that every packet was identified. This would be used for commercial transactions. Other such virtual networks would have different ground rules on authentication, anonymity, protocols and content. There would be contractual obligations to be followed to participate, and authorities could revoke keys and access for cause. Gateways would regulate which "networks" organizations could use. The end result would be a set of virtual networks on the Internet at large, similar to channels on a cable service. Some would be free-for-all and allow anonymous posting, but others would be much more regulated, because that is what is needed for some financial and government transactions.

I remember one audience at an early SANS conference at the time was so hostile to the idea that members began shouting objections before I could even finish my talk. I also couldn't find a venue willing to publish a speculative essay on the topic (although I admit I only tried 2-3 places before giving up). The general response was that it would somehow cut out the possibility for anonymous and experimental behavior because no one would want to use the unauthenticated channels. It was reminiscent of the controversy when I was the lead in the Usenet "Great Renamng."

The problem, of course, is that if we try to support conflicting goals such as absolute anonymity and strong authentication on the same network we will fail at one or the other (or both). We can easily find situations where one or the other property (as simply two examples of properties at stake) is needed. So long as we continue to try to apply patches onto such a situation before reconsidering the basic assumptions, we will continue to have unhappy failures.

But as a bottom line, I simply want to note that there is more than one way to "redesign the Internet" but the biggest problems continue to be the users and their expectations, not the Internet itself.

A Modest Proposal

Friday, January 30, 2009 by Prof. Spafford in General, Kudos, Opinions and Rants,

Yesterday and today I was reading repeated news stories about the pending bailout -- much of it intended to prop up companies with failed business models and incompetent management. Also distressing are the stories of extravagant bonuses for financial managers who are likely responsible for creating some of the same economic mess that is causing so much turmoil in world markets.

Running through my mind was also a re-reading of the recent statement by Norman Augustine before the U.S. House Democratic Steering and Policy Committee (it's short and a great read -- check it out). I definitely resonate with his comments about how we should invest in our technology and research to ensure that our country has a future.

And I was thinking about how can we reward a spirit of honest hard work rather than a sense of entitlement, and avoid putting money into industries where greed and incompetence have led to huge disasters, where those same miscreants are using the full weight of political pressure to try to get huge chunks of bailout money to continue their reign of error.

And all this came together when I saw a story about the lack of medical treatment and high rate of suicides for returning military after extended tours in the battlefield. And then I read this story and this story about the homeless -- just two out of many recent stories.

Why can't we direct a little of our national wealth into a new GI Bill, similar to the original in 1944? Provide money so that our men and women who are returning from honorable service to the country can get the counseling and medical care they need. And then, ship them off to colleges for a degree. If they show real promise and/or have a degree already, then cover a graduate degree.

These are people who volunteered years out of their lives to serve the interests of the rest of us. They were willing to put their lives on the line for us. And some died. And others have suffered severe physical and psychological trauma. They have shown they are able to focus, sacrifice, and work hard. My experience over the last two decades has shown me that most veterans and active-duty military personnel make good students for those reasons.

Service doesn't provide intellectual ability, certainly, and not all can excel, but I am certain that many (if not most) can do well given the chance. And if regular college isn't the right fit, then a vocational education program or appropriate apprenticeship should be covered.

Money should be allocated for additional counseling and tutoring for these students, too. They are likely to have a great range of physical and psychological needs than the usual student population, and we should address that. And money will need to be allocated to help provide the facilities to house and teach these students.

While we're at it, maybe the same should be offered to those who have provided other service, such as in the AmeriCorps or Peace Corps? And perhaps those who take new jobs helping rebuild the nation's infrastructure. I'm not a politician or economist, so I'm not sure what we should do for details, but the basic idea would be that someone who gives 4 years of service to the country should get 2-4 years of college tuition, fees, room and board.

We might also want structure it so that degrees in the STEM (Science, Technology, Engineering and Math) disciplines have some form of extra preference or encouragement, although we should not discourage any valid course of study -- except we should definitely not fund any degrees in finance!

Then maybe give a tax credit to any companies that hire these people after they graduate.

And make this good for anyone who served since, oh, 2001, and for anyone who signs up for one of the covered services before, say, 2015. If those dates don't make sense, then pick others. But extend it forward to help encourage people to join some of the covered services -- they could certainly use more people -- and start far enough back.

Yes, I know there are currently educational benefits and health benefits for our veterans, but I am suggesting something more comprehensive for both, and for possibly a larger group. I'm suggesting that we invest in our future by making sure we do our utmost to patch up the injuries suffered in duty to our fellows, give them a shot at a better future. And that better shot is not to turn them out into our cities where there are no jobs, where the homeless live, where drugs and street crime may be rampant.

The whole process would give a huge boost of education to the workforce we want to have for the future. We don't need more assembly line workers. We need engineers, technologists, scientists and more. Not only will we be educating them, but the endorsement we would be making about the importance of education, and the care for those who serve, will pay back indirectly for decades to come. It worked in the 40s and 50s, and led to huge innovations and a surge in the economy.

Will it all be expensive? Undoubtedly. But I'm guessing it is far less than what is in the budget bills for bank bailouts and propping up failed industrial concerns.

And when it is done, we will have something to show for our investment -- far more than simply some rebuilt roads and a re-emergence of predatory lending.

But as I said, I'm not a politician, so what do I know?

Update: I have learned that there is a new GI bill, passed last year, which addresses some of the items I suggested above. Great! It doesn't cover quite the breadth of what I suggested, and only covers the military. Somehow, I missed this when I did my web search....

Customer (dis)service

Saturday, January 10, 2009 by Prof. Spafford in Kudos, Opinions and Rants,

As our technology becomes more complex, it is often shipped with flaws and missing features. The evolution of the Internet coupled with a "must ship" attitude has led to a number of interesting business practices. One in particular, remote updates/patching, presents some interesting reliability issues.

One of the best known versions of remote patching is the software update function, currently found in many computer applications, and in most common operating systems. In its usual form, this is a system that can download patches or whole new software artifacts to address a newly-discovered security vulnerability. Some systems are automated, but most require manual intervention. The current systems generally only involve security fixes and no functionality improvements -- the functionality improvements may or may not be bundled in less frequent updates (service packs), or they may be deferred into a major revision that requires additional payment.

Many of us working in security and reliability have expressed concern about these updates, because if the update mechanism is somehow hijacked by an attacker, it can be used to quickly distribute malware to large numbers of systems at once. There have also been examples where updates accidentally deleted critical files or provided faulty configurations, thus disabling or degrading many, many machines at once (for example this one and this one). Most vendors have elaborate systems in place to test and verify such patches, and they have plans in place to quickly respond if something goes wrong.

Now, we're seeing the same concerns begin to occur with consumer goods that aren't primarily intended as interactive computers. I can speak from personal (unfortunate) experience that at least one major vendor appears clueless and not customer-friendly.

I recently purchased 2 Samsung Blu-Ray DVD players: a BD-P2500, and a BD-P1500. Both have Internet connections for firmware updates and Blu-Ray Live. The BD-P2500 also supports live streaming of Netflix content.

A couple of days after Christmas, the 2500 froze up. I could not get it to respond to anything, including the factory reset code. I contacted Samsung and was given information to send the player in for service -- it was still within warranty. They've had it for nearly 2 weeks with a status of "waiting for parts." It has now been broken longer than it was working, with still no prognosis about when it might be returned.

No problem -- I still have the other player I can use, right?

The 1500 came up with an on-screen message early in the week that a firmware update was available. Having had experience with downloads and upgrades of OS components, I waited a couple of days before doing anything. When I initiated the download, it completed without error, according to the display. However, after completion, it too was dead -- no response to anything, including reset codes. So, I called Samsung again. The problem was escalated in customer service. This is what I was told:

There was a bad update put on the servers, and many players that got the download have frozen up
They do not have a fix for it at the current time and have no idea when one will be available
I should check their WWW site once a week to see when an update is available. "It should almost certainly be within a month."
Even though it is their fault for putting up a bad firmware update, if I am required to send in the player, it is now out of warranty for service so it is my own expense.

It seems fairly clear that Samsung has a major problem in testing and assurance, and a surprising lack of concern for customer support. It also sounds like they don't have much of a handle on what it will take to fix a locked-up player.

I wonder how many other people around the world are stuck with non-functional players and a vague answer about the fix? It could well be in the thousands. And the best they can offer us is to check the WWW site once a week to see when they are ready for us to pay to install a fix to a problem they caused in the first place!

As someone who works in security and reliability, I can see all sorts of interesting problems here involving updates to consumer appliances. They problems are magnified with incomplete or incompetent responses from the vendors. It certainly suggests that consumers should press vendors to issue things that work correctly and don't require updates -- or at least have a fail safe state that allows recovery! Imagine losing use of your TV, phone, refrigerator or car indefinitely because of a faulty update caused by the vendor, with an indefinite fix. For those with malice in mind, this would be a great thing to do to harm a company -- and maybe to extort some money as "protection."

As a consumer, I'm rather angry. I don't expect to buy anything else made by Samsung, and I certainly won't recommend them to anyone else. You may choose to use this as a cautionary tale in your own pursuit of consumer items and choose another vendor that is more careful with their updates, and more considerate of customers who have paid for their products. And if you have one of the frozen players with some idea how to recover it to working condition, I'd be interested in hearing about it.

Sadly, caveat emptor.

Update 01/19/09: Samsung is shipping me a replacement for my bricked P2500. It left their plant on Friday, surface UPS. So, that will be a 3-week turnaround.

Meanwhile, I called the service number again about the P1500 and pressed until they escalated me to "executive response." (Third or fourth level customer service, I guess.) I kept reminding them that it was their firmware update that caused the problem. After 30 minutes on the phone, I must have worn them down sufficiently: they extended the warranty through this week, and are providing me the shipping information to send it in for service under warranty. Hooray!

Unlike last week, the personnel I talked with today were uniformly helpful and informative. I wonder if they have had enough complaints that there has been a change in policy? Or did I just get two really bad service reps in a row last week?

Nonetheless, the bad updates and the lack of a failsafe are really poor design.

Follow-up on the CA Hack

Wednesday, December 31, 2008 by Prof. Spafford in Kudos, Opinions and Rants, Policies & Law, R&D, Secure IT Practices,

Yesterday, I posted a long entry on the recent news about how some researchers obtained a "rogue" certificate from one of the Internet Certificate Authorities. There are some points I missed in the original post that should be noted.

The authors of the exploit have a very readable, interesting description of what they did and why it worked. I should have included a link to it in the original posting, but forgot to edit it in. The interested reader should definitely see that article online, include the animations.
There are other ways this attack can be defeated, certainly, but they are stop-gap measures. I didn't explain them because I don't view them as other than quick patches. However, if you are forced to continue to use MD5 and you issue certificates, then it is important to randomize the certificate serial number that is issued, and to insert a random delay interval in the validity time field. Both will introduce enough random bits so as to make this particular attack against the CA infeasible given current technology.
I suggested that vendors use another hash algorithm, and have SHA-1 as an example. SHA-2 would be better, as SHA-1 has been shown to have a theoretical weakness similar to MD5, although it has proven more resistant to attack to date. Use of SHA-1 could possible result in a similar problem within a few years (or, as suggested in the final part of my post, within a few weeks if a breakthrough occurs). However, use of SHA-1 would be preferable to MD5!
MD5 is not "broken" in a complete way. There are several properties of a message digest that are valuable, including collision resistance: that it is infeasible to end up with two inputs giving the same hash value. To the best of my knowledge, MD5 has only been shown to be susceptible to "weak collisions" -- instances where the attacker can pick one or both inputs so as to produce identical hash values. The stronger form of preimage resistance, where there is an arbitrary hash output H and an attacker cannot form an input that also produces H, still holds for MD5. Thus, applications that depend on this property (including many signing applications and integrity tools) are apparently still okay.
One of our recent PhD grads, William Speirs, worked on defining hash functions for his PhD dissertation. His dissertation, Dynamic Cryptographic Hash Functions, is available online for those interested in seeing it.

I want to reiterate that there are more fundamental issues of trust involved than what hash function is used. The whole nature of certificates is based around how much we trust the certificate authorities that issue the certificates, and the correctness of the software that verifies those certificates then shows us the results. If an authority is careless or rogue, then the certificates may be technically valid but not match our expectations for validity. If our local software (such as a WWW browser) incorrectly validates a certificate, or presents the results incorrectly, we may trust a certificate we shouldn't. Even such mundane issues as having one's system at the correct time/date can be important: the authors of this particular hack demonstrated that by backdating their rogue certificate.

My continuing message to the community is to not lose sight of those things we assume. Sometimes, changes in the world around us render those assumptions invalid, and everything built on them becomes open to question. If we forget those assumptions -- and our chains of trust built on them -- we will continue to be surprised by the outcomes.

That is perhaps fitting to state (again) on the last day of the year. Let me observe that as human beings we sometimes take things for granted in our lives. Spend a few moments today (and frequently, thereafter) to pause and think about the things in your life that you may be taking for granted: family, friends, love, health, and the wonder of the world around you. Then as is your wont, celebrate what you have.

Best wishes for a happy, prosperous, safe -- and secure -- 2009.

[12/31/08 Addition]: Steve Bellovin has noted that transition to the SHA-2 hash algorithm in certificates (and other uses) would not be simple or quick. He has written a paper describing the difficulties and that paper is online.

Recent Blogs

Blog Archive