The Report

Over the last few months, CERIAS faculty members Jackie Rees and Karthik Kannan have been busy analyzing data collected from IT executives around the world, and have been interviewing a variety of experts in cybercrime and corporate strategy. The results of their labors were published yesterday by the McAfee Corporation (a CERIAS Tier II partner) as the report Unsecured Economies: Protecting Vital Information.

The conclusions of the report are somewhat pessimistic about prospects for cyber security in the coming few years. The combination of economic pressures, weak efforts at law enforcement, international differences in perceptions of privacy and security, and the continuing challenges of providing secured computing are combining to place vast amounts of valuable intellectual property (IP) at risk. The report presents estimates that IP worth billions of dollars (US) was stolen or damaged last year, and we can only expect the losses to increase.

Additionally, the report details five general conclusions derived from the data:

• The recession will put intellectual property at risk
• There is considerable international variation in the commitment (management and resources) to protect cyber
• Intellectual property is now an "international currency" that is as much a target as actual currency
• Employees steal intellectual property for financial gain and competitive advantage
• Geopolitical aspects present differing risk profiles for information stored "offshore" from "home" countries.

None of these should be a big surprise to anyone who has been watching the field or listening to those of us who are working in it. What is interesting about the report is the presented magnitude and distribution of the issues. This is the first truely global study of these issues, and thus provides an important step forward in understanding the scope of these issues.

I will repeat here some of what I wrote for the conclusion of the report; I have been saying these same things for many years, and the report simply underscores the importance of this advice:

“Information security has transformed from simply ’preventing bad things from happening ’into a fundamental business component.' C-level executives must recognize this change. This includes viewing cybersecurity as a critical business enabler rather than as a simple cost center that can be trimmed without obvious impact on the corporate bottom line; not all of the impact will be immediately and directly noticeable. In some cases, the only impact of degraded cybersecurity will be going from ‘Doing okay’ to ‘Completely ruined’ with no warning before the change.

Cybersecurity fills multiple roles in a company, and all are important for organizational health.

• First, cybersecurity provides positive control over resources that provide the company a competitive advantage: intellectual property, customer information, trends and projections,financial and personnel records and so on. Poor security puts these resources at risk.
• Second, good security provides executives with confidence that the data they are seeing is accurate and true, thus leading to sound decisions and appropriate compliance with regulation and policy
• Third, strong cybersecurity supports businesses taking new risks and entering new markets with confidence in their ability to respond appropriately to change
• And fourth, good cybersecurity is necessary to build and maintain a reputation for reliability and sound behavior, which in turn are necessary to attract and retain customers and partners.

• This study clearly shows that some customers are unwilling to do business with entities they consider poorly secured. Given massive market failures, significant fraud and increasing threats of government oversight and regulation, companies with strong controls, transparent recordkeeping, agile infrastructures and sterling reputations are clearly at an advantage -- and strong cybersecurity is a fundamental component of all four. Executives who understand this will be able to employ cybersecurity as an organic element of company (and government) survival -- and growth.“

We are grateful to McAfee, Inc. for their support and assistance in putting this report together.

Getting the Report

Update: You can now download the report sans-registration from CERIAS.

The report is available at no charge and the PDF can be downloaded (click on the image of the report cover to the left, or here). Note that to download the report requires registration.

Some of you may be opposed to providing your contact information to obtain the report, especially as that information may be used in marketing. Personally, I believe that the registration should be optional. However, the McAfee corporation paid for the report, and they control the distribution.

As such, those of us at CERIAS will honor their decision.

However, I will observe that many other people object to these kinds of registration requirements (the NY Times is another notable example of a registration-required site). As a result, they have developed WWW applications, such as BugMeNot, which are freely available for others to use to bypass these requirements. Others respond to these requests by identifying company personnel from information on corporate sites and then using that information to register -- both to avoid giving out their own information and to add some noise to the data being collected.

None of us here at CERIAS are suggesting that you use one of the above-described methods. We do, however, encourage you to get the report, and to do so in an appropriate manner. We hope you will find it informative.

As our technology becomes more complex, it is often shipped with flaws and missing features. The evolution of the Internet coupled with a “must ship” attitude has led to a number of interesting business practices. One in particular, remote updates/patching, presents some interesting reliability issues.

One of the best known versions of remote patching is the software update function, currently found in many computer applications, and in most common operating systems. In its usual form, this is a system that can download patches or whole new software artifacts to address a newly-discovered security vulnerability. Some systems are automated, but most require manual intervention. The current systems generally only involve security fixes and no functionality improvements—the functionality improvements may or may not be bundled in less frequent updates (service packs), or they may be deferred into a major revision that requires additional payment.

Many of us working in security and reliability have expressed concern about these updates, because if the update mechanism is somehow hijacked by an attacker, it can be used to quickly distribute malware to large numbers of systems at once. There have also been examples where updates accidentally deleted critical files or provided faulty configurations, thus disabling or degrading many, many machines at once (for example this one and this one). Most vendors have elaborate systems in place to test and verify such patches, and they have plans in place to quickly respond if something goes wrong.

Now, we’re seeing the same concerns begin to occur with consumer goods that aren’t primarily intended as interactive computers. I can speak from personal (unfortunate) experience that at least one major vendor appears clueless and not customer-friendly.

I recently purchased 2 Samsung Blu-Ray DVD players: a BD-P2500, and a BD-P1500. Both have Internet connections for firmware updates and Blu-Ray Live. The BD-P2500 also supports live streaming of Netflix content.

A couple of days after Christmas, the 2500 froze up. I could not get it to respond to anything, including the factory reset code. I contacted Samsung and was given information to send the player in for service—it was still within warranty. They’ve had it for nearly 2 weeks with a status of “waiting for parts.” It has now been broken longer than it was working, with still no prognosis about when it might be returned.

No problem—I still have the other player I can use, right?

The 1500 came up with an on-screen message early in the week that a firmware update was available. Having had experience with downloads and upgrades of OS components, I waited a couple of days before doing anything. When I initiated the download, it completed without error, according to the display. However, after completion, it too was dead—no response to anything, including reset codes. So, I called Samsung again. The problem was escalated in customer service. This is what I was told:

 
1. There was a bad update put on the servers, and many players that got the download have frozen up
 
2. They do not have a fix for it at the current time and have no idea when one will be available
 
3. I should check their WWW site once a week to see when an update is available. “It should almost certainly be within a month.”
 
4. Even though it is their fault for putting up a bad firmware update, if I am required to send in the player, it is now out of warranty for service so it is my own expense.

It seems fairly clear that Samsung has a major problem in testing and assurance, and a surprising lack of concern for customer support. It also sounds like they don’t have much of a handle on what it will take to fix a locked-up player.

I wonder how many other people around the world are stuck with non-functional players and a vague answer about the fix? It could well be in the thousands. And the best they can offer us is to check the WWW site once a week to see when they are ready for us to pay to install a fix to a problem they caused in the first place!

As someone who works in security and reliability, I can see all sorts of interesting problems here involving updates to consumer appliances. They problems are magnified with incomplete or incompetent responses from the vendors. It certainly suggests that consumers should press vendors to issue things that work correctly and don’t require updates—or at least have a fail safe state that allows recovery! Imagine losing use of your TV, phone, refrigerator or car indefinitely because of a faulty update caused by the vendor, with an indefinite fix. For those with malice in mind, this would be a great thing to do to harm a company—and maybe to extort some money as “protection.”

As a consumer, I’m rather angry. I don’t expect to buy anything else made by Samsung, and I certainly won’t recommend them to anyone else. You may choose to use this as a cautionary tale in your own pursuit of consumer items and choose another vendor that is more careful with their updates, and more considerate of customers who have paid for their products. And if you have one of the frozen players with some idea how to recover it to working condition, I’d be interested in hearing about it.

Sadly, caveat emptor.

Update 01/19/09: Samsung is shipping me a replacement for my bricked P2500. It left their plant on Friday, surface UPS. So, that will be a 3-week turnaround.

Meanwhile, I called the service number again about the P1500 and pressed until they escalated me to “executive response.” (Third or fourth level customer service, I guess.) I kept reminding them that it was their firmware update that caused the problem. After 30 minutes on the phone, I must have worn them down sufficiently: they extended the warranty through this week, and are providing me the shipping information to send it in for service under warranty. Hooray!

Unlike last week, the personnel I talked with today were uniformly helpful and informative. I wonder if they have had enough complaints that there has been a change in policy? Or did I just get two really bad service reps in a row last week?

Nonetheless, the bad updates and the lack of a failsafe are really poor design.

[tags]copyright,DMCA,RIAA,MPAA,sharing,downloading,fair use[/tags]

Over the past decade or so, the entertainment industry has supported a continuing series of efforts to increase the enforcement of copyright laws, a lengthening of copyright terms, and very significant enforcement efforts against individuals.  Included in this mess was the DMCA—the Digital Millenium Copyright Act—which has a number of very technology unfriendly aspects.

One result of this copyright madness is lawsuits against individuals found to have file-sharing software on their systems, along with copies of music files.  Often the owners of these systems don’t even realize that their software is publishing the music files on their systems. It also seems the case that many people don’t understand copyright and do not realize that downloading (or uploading) music files is against the law.  Unfortunately, the entertainment industry has chosen to seek draconian remedies from individuals who may not be involved in more than incidental (or accidental) sharing of files.  One recent example is a case where penalties have been declared that may bankrupt someone who didn’t set out to hurt the music industry.  I agree with comments by Rep. Rick Boucher that the damages are excessive, even though (in general) the behavior of file sharers is wrong and illegal.

Another recent development is a provision in the recently introduced “College Access and Opportunity Act of 2007” (HR 3746; use Thomas to find the text). Sec 484 (f) contains language that requires schools to put technology into place to prevent copyright violations, and inform the Secretary of Education about what those plans and technologies are.  This is ridiculous, as it singles out universities instead of ISPs in general, and forces them to expend resources for misbehavior by students it is otherwise attempting to control.  It is unlikely to make any real dent in the problem because it doesn’t address the underlying problems.  Even more to the point, no existing technology can reliably detect only those files being shared that have copyright that prohibits such sharing.  Encryption, inflation/compression, translation into other formats, and transfer in discontinuous pieces can all be employed to fool monitoring software.  Instead, it is simply another cost and burden on higher ed.

We need to re-examine copyright.  Another aspect in particular we need to examine is “fair use.”  The RIAA, MPAA and similar associations are trying to lock up content so that any use at all requires paying them additional funds.  This is clearly silly, but their arguments to date have been persuasive to legislators.  However, the traditional concept of “fair use” is important to keep intact—especially for those of us in academia.  A recent report outlines that fair use is actually quite important—that approximately 1/6 of the US economy is related to companies and organizations that involve “fair use.”  It is well worth noting.  Further restrictions on copyright use—and particularly fair use—are clearly not in society’s best interest.

Copyright has served—and continues to serve—valid purposes.  However, with digital media and communications it is necessary to rethink the underlying business models.  When everyone becomes a criminal, what purpose does the law serve?

Also, check out my new “tumble log.”  I update it with short items and links more often than I produce long posts here.

[posted with ecto]