Fresh Defense


DHS Hiring Spree

Posted in Current Events, Editorial by xoren on the December 14th, 2009

The DHS is indeed committing to hiring 1000 clearable US citizens over the next three years. If you’re interested, you can “attend” their cyber job fair:

http://www.dhs.gov/xabout/careers/cyberjobfair

They are looking to fill these types of roles:

  • Cyber Incident Response
  • Vulnerability Detection and Assessment
  • Networks and Systems Engineering
  • Cyber Risk and Strategic Analysis
  • Intelligence and Investigation

I’m glad that this amount of hiring is happening, but I’m still unconvinced that it will bring DHS (and the American people) 300 high-quality cybersecurity professionals per year. My guess is that 80 to 90 percent of the hires in any given year will be trainable Computer Science and/or Computer Engineering B.Sc. graduates, people who can gradually acquire cybersecurity skills over the course of their government careers. That is not necessarily a bad thing, except that in three years the US cybersecurity defense posture and capabilities won’t be measurably improved.

One thousand extra people does not translate directly into an improvement, not at the rate at which network traffic flows, attacks and exploits of software vulnerabilities happen, the complexity of real systems software increases, new technologies come on line, and so on. Most of the roles DHS is seeking seem to be more on the strategy end of things than on the tactical or operational side of the house. I see that as a good thing, but it is easy to misuse a sudden influx of manpower on the tactical side, even if the new hires are initially meant to have a strategic, forward-looking focus.


Information Considered Harmful

Posted in Current Events by xoren on the December 9th, 2009

It looks like a manual containing information about TSA screening procedures has been posted to the web, with yet more poor redaction (will they never learn?). Software vendors should really improve their redaction functions to eliminate every version of the sensitive information from the given file, not just the one that is visible on the page, and prove to the user that it is gone.

http://us.cnn.com/2009/TRAVEL/12/08/u.s.tsa.training.manual/index.html

Although most quotes in the above article express alarm and frustration at the release of this “sensitive” information, and the TSA claims that the procedures described are “outdated” and “unimplemented” (which I see as simply a thin way to re-create some uncertainty in an attacker’s mind), I see this sort of release as a good thing: it lets the traveling public understand the actual level of security the TSA achieves rather than some vague, fuzzy notion of safety.

Responsible or ethical disclosure of information (be it vulnerabilities, exploits, proofs of concept, proprietary or confidential information, etc.) has long been a favorite hobbyhorse and a controversial subject in the information security community. At least some forms of whistleblowing have public value, and in general I think more information is a good thing.

The key question, however, is this: if the act of creating uncertainty in an attacker’s or adversary’s mind does have value, why does it have value, and how can we measure it? Security through obscurity is an oft-derided “technique” (even that word gives it too much credibility as a defensive mechanism), yet keeping secrets has arguably had at least some value in a variety of contexts, mostly espionage or military operations. The problem, of course, is measuring how much your ability to keep information secret has actually limited the enemy’s options, and that is what counterintelligence is for. Such active techniques, however, seem distasteful as an academic research area, since presumably many of them would require attacking the adversary in turn, and thus some loss of moral authority (hey, we’re not the “good guys” anymore).

Followup & Updates: (added 9 Dec)

CNN has a followup: some heads rolled (predictably, since this is of course a terribly MAJOR BREACH of national security).

http://us.cnn.com/2009/TRAVEL/12/09/tsa.training.manual/index.html

A good article from Wired:

http://www.wired.com/threatlevel/2009/12/tsa-leak/

The Wired article has a link to an Adobe guide to “proper” redacting techniques.
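As an added illustration of the redaction point above (this is not code from the original post, from Adobe, or from any redaction tool), the following Python models the two ways a redaction goes wrong and the check a tool should be able to prove to its user. The page content is a constructed, minimal sequence of PDF text operators, not the TSA manual; the file-revision behaviour is modelled as simple concatenation on the assumption that a writer appends a new revision rather than rewriting the file. A real PDF would additionally need the same scan applied to compressed streams, annotations and document metadata, which this example does not model.

```python
import re

# Constructed example page content (PDF operator syntax), not the TSA manual.
ORIGINAL = (
    "BT /F1 12 Tf 72 700 Td (Screening threshold: 1 in 5 bags) Tj ET\n"
    "BT /F1 12 Tf 72 680 Td (Public notice: keep aisles clear) Tj ET\n"
)

# A literal string operand followed by the Tj (show text) operator.
TEXT_OP = re.compile(r"\((?P<text>(?:\\.|[^\\)])*)\)\s*Tj")


def extract_text(content):
    """Recover every string drawn with Tj, as copy/paste or a text
    extractor would; shapes painted over the text are irrelevant here."""
    return [m.group("text") for m in TEXT_OP.finditer(content)]


def overlay_redact(content, keyword):
    """The broken approach: paint a black box over each line mentioning the
    keyword. The Tj string is untouched and still in the stream."""
    boxes = []
    for line in content.splitlines():
        pos = re.search(r"(\d+) (\d+) Td", line)
        if keyword in line and pos:
            x, y = int(pos.group(1)), int(pos.group(2))
            boxes.append(f"0 g {x} {y - 3} 300 15 re f")  # black filled rect
    return content + "\n".join(boxes) + "\n"


def remove_redact(content, keyword):
    """Proper redaction: delete the text-showing operator itself so the
    bytes are gone, leaving a visible marker in place of the string."""
    def scrub(m):
        return "([REDACTED]) Tj" if keyword in m.group("text") else m.group(0)
    return TEXT_OP.sub(scrub, content)


def incremental_update(old_file, new_content):
    """Assumption being modelled: a writer that saves by appending a new
    revision after the old bytes instead of rewriting the file, so the
    pre-redaction content survives. Modelled as plain concatenation."""
    return old_file + "%%EOF\n" + new_content


def leaks(file_bytes, keyword):
    """The check a redaction tool should prove to the user: scan the whole
    file, every revision included, for the sensitive string."""
    return any(keyword in t for t in extract_text(file_bytes))
```

`leaks(overlay_redact(ORIGINAL, "threshold"), "threshold")` is still true: the box changes what is rendered, not what is stored. Only `remove_redact` makes it false, and even then a file saved as an incremental update leaks the original again, which is why "all versions" is the right requirement and why the tool, not the user, should be the one proving it.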

Finally, those wishing to actually read the manual can download it here:

http://cryptome.org/tsa-smoke/tsa-smoke.htm


Deriving Intent From Biometrics

Posted in Current Events, Editorial by xoren on the November 1st, 2009

Biometrics as a measure of intent dates at least to the polygraph. Humans often do have physical reactions to stress, but does this kind of system employed as a filter for further screening really buy us much safety?

In the name of finding terrorists before they board an airplane, the TSA has adopted a number of “advanced” personal profiling methods: essentially, agents looking for tells, signs of nervousness, or other vague symptoms that may or may not be harbingers of doom.

There are of course many innocent explanations for a nervous manner, sweaty shirt or face, irritated look, twitchy fingers, etc. They include people just having had arguments with their friend or spouse, hurrying to catch a flight, getting caught in traffic on the way to the airport, being recently fired, being nervous about a first flight, having a sweating problem by nature, or hurriedly typing an emotional blog entry or Facebook post into their cell phone.

The TSA apparently believes so much in this approach that they want to scale it up. And the only way to do that is to make a computer do the scanning for you. CNN had this article on October 6th: “Will Airports Screen for Body Signals? Researchers Hope So.”

I like the title, because it’s likely that only the researchers getting paid to conduct this work are hopeful that it will get adopted. There is a really nice quote from the article:

“I haven’t seen any research that shows that those measures from the autonomic nervous system … measuring blood pressure, measuring breathing, measuring heat on the face, are at all related to intent,” said Stephen Fienberg, professor of statistics and social sciences at Carnegie Mellon University.

Spot on! Identity doesn’t measure intent, and neither do your biometrics, if only for the plain fact that your individual heat signature, heart rate, etc. are exactly that: an individual signature, about which population statistics have nothing to say and no predictive power. Forensic psychology researchers involved in creating risk assessment measures (e.g., for criminal recidivism rates) argue about whether such measures can actually predict an individual’s behavior, since the rates of a population don’t determine what an individual released on parole, able to exercise free will and subject to both the social support and the temptations of the outside world, might actually do. For example, measures like the HCR-20 are instruments for assessing the risk of violence, but mainly within the context of ongoing psychotherapy sessions in a doctor-patient relationship.

Now, as a researcher who routinely solicits money from Federal agencies to support my work, I understand that the scientists involved in trying to create this technology will have some reasonable claims about its limitations and shortcomings. They’ll have a justification for why it will work well, and they may even have made a few fundamental breakthroughs in terms of gathering data from dark or dimly lit faces, bad angles, and the like. Unfortunately, they are also likely to have adopted the beliefs of their funding agency: that this type of profiling works to pick out those engaged in illegal activities or those intent on causing harm to air or rail passengers.

I’d like to see this system made to work from high up above Grand Central Station’s main floor, or in a high school auditorium, a supermarket, a sports venue, or a crowded student center. These are dynamic, real environments, not controlled lab conditions where the subject peers directly into the camera in good lighting.

All that aside, however, this view stunned me:

Civil liberties groups maintain this screening technology is an invasion of privacy. “Nobody has the right to look at my intimate bodily functions, my breathing, my perspiration rate, my heart rate, from afar,” said Joe Stanley of the ACLU.

[Project manager Robert] Burns denied the project is a violation of privacy. “We’re looking at signals you give off naturally. We’re not asking for any personal information. We’re not asking anything about you,” he said.

Burns is entirely correct: they are not asking anything about you; they are taking it, without permission, from right under your nose. Earlier in the article, Burns states that “We’re looking for those signals that your body gives off naturally.” The problem is that technology now allows government workers to do something they did not have the power to do before. These properties are subtle and not detectable by the human eye when scanning a large crowd: heart rate, body temperature, perspiration under clothing, eye movement, etc.

Although your body does display these properties, it does not advertise them on a billboard: there is no neon sign with your heart rate plastered to your forehead. Why should government agents have the power to effectively augment their five senses to know your physical condition perhaps more intimately than you know it yourself?


Demand for a Cybersecurity Workforce

Posted in Current Events, Editorial by xoren on the October 26th, 2009

This recent Washington Post article highlights the competition between DHS and NSA in their publicly stated goals of hiring 1000 to 3000 new cybersecurity professionals per year over the next few years.

I find it extremely doubtful that this level of expertise even exists. The sum total of “real” cybersecurity expertise (in terms of deep technical knowledge and strategic foresight) is probably only on the order of 1000 people worldwide. Yes, there are many people who are operational security experts (meaning that they stare at screenfuls of log entries and pretty pictures of network traces flying by), but there are very few who actually understand the internal workings of systems, the properties that lead to weaknesses and vulnerabilities, and how to manipulate real systems, hardware, networks, and program execution in order to install malware or subvert system control.

Without a commitment to educating such a workforce, it is impossible to hire such a workforce into existence. And as Gene Spafford notes, the NSA CAE (Centers of Academic Excellence in Information Assurance) program isn’t really effective in this regard (nor, might I add, is the NSF Scholarship for Service program, at least at producing the sheer volume of needed workers).


Cybersecurity Act of 2009 Revisited

Posted in Current Events by xoren on the September 9th, 2009

It looks like the Rockefeller-Snowe bill dealing with national cybersecurity has undergone revisions during the recent summer break. I originally scribbled a blurb about this legislation back in March.

Among some of the most troubling provisions in the original draft were clauses allowing the Executive Branch to effectively turn off national access to the Internet. Regardless of how unrealistic a complete severance of connectivity is, such a proposal was an alarming extension of executive power. It seems like this provision has been tempered.

New changes also call for more specific guidelines in getting Federal cyber-security employees certified. I remain unconvinced that certification will save the day.


Russian FSB Can Read Postal Mail, No Rights Violation

Posted in Current Events, Editorial by xoren on the July 23rd, 2009

I saw this news tidbit in the Vancouver Sun yesterday morning on the plane back to DC.

The Russian FSB now has the power to open postal mail without a warrant. [ Update: similar shenanigans by the UAE for cell phones. Thanks to Apu K. for the link. -Ed.]

It really doesn’t matter which government or what medium…if there is data of value for either security or economic reasons, laws will be bent or broken to get at it.

“It reminds one of Soviet times. And the worst thing is, the people don’t care.”

The communications ministry, which issued the decree, denied it violated the constitutional right to privacy.

“This document carries a technical character,” a ministry spokesman said, denying that security services would see their powers broadened with the decree.

Observations:

  1. Very curious phrase, “a technical character”, meaning “pay no attention to the man behind the curtain!” You simply shouldn’t be concerned, because this is a very technical topic, and it doesn’t actually mean that you’ve lost rights, even though that seems to be exactly what is happening.
  2. Cognitive dissonance caused by that last sentence: either the security services already have this power, or the decree is meaningless because it doesn’t broaden their powers, but on its face, broadening their powers is *exactly* what it seems to do. Big lies are more easily believed, I suppose, particularly without any counterbalancing views.

Update:

The cognitive dissonance was nicely described as a Jedi Mind Trick. In addition, it was pointed out to me that people likely do care, but in the absence of a free media this sort of thing receives either no attention or only positive attention, and dissenting opinions are confined to venues with a purposefully ridiculous nature.


The Criminal Command Line

Posted in Current Events by xoren on the June 15th, 2009

EFF has a story on the seizure of the personal property of a BC student suspected of computer crimes (and the subsequent quashing of the search warrant); the story has also been covered by Bruce Schneier. One strong “reason” that investigators and complaining witnesses suspected him: his computer displayed “…a black screen with white font which he uses prompt commands on.” The specific incident arose from a personal conflict, but the excuses the authorities used to seize property were somewhat thin.

Because the student used what is arguably an expert’s tool, to the complaining witness (who was himself a computer science student) and possibly the investigating officers, that indicator of expertise must mean that the accused student was up to no good. Expertise as an indicator of malicious intent? Seriously?

I view this as a demonstration of Clarke’s Third Law: “Any sufficiently advanced technology is indistinguishable from magic.” The common citizen (and I include peace officers, barristers, and magistrates in this designation — and, sadly, a lot of CS majors) has no experience with the command line: its very presence, spare and lean, fills them with an instant dread of the unknown because it supplies a reminder of a conversation that they just cannot participate in.

No hints, clues, or cues as to what to do next surround the bare prompt (even those prompts that do convey information convey specialized information such as a directory or host name). The prompt sits there, patiently waiting for the user to speak magic incantations. In response, it either says nothing or spits back dense reams of text — no images, and little or no markup. Ordinary people find themselves completely out of their depth in this situation. Anyone capable of manipulating this environment must have some mysterious knowledge and power. And people find mysterious power easy to fear.


[me@host ~]$ man fear
No manual entry for fear
[me@host ~]$


Smart, Secure Energy Grid

Posted in Current Events, Editorial, Uncategorized by xoren on the March 21st, 2009

Smart Energy Grids will save us, the planet, and possibly the universe. We should rest assured that the industry, with the help of smart academics, knows what it is doing:

http://us.cnn.com/2009/TECH/03/20/smartgrid.vulnerability/index.html

Also, industry representatives said, they have no intention of putting an unsafe grid online.

"We are not going to manufacture this car without a seat belt," said Ed Legge, a spokesman for the Edison Electric Institute.

That sounds comforting. But seatbelts don’t do much against side-impact crashes, or alien laser rays, now do they?

[The original email spurred a piece of funny commentary by Sergey about "security by analogy" -Ed.]


GMU Hoax Election Email

Posted in Current Events by xoren on the November 5th, 2008

Raw source of the email is here:

http://www.cs.gmu.edu/~mlocasto/docs/nov5-hoax-email.txt

The mail appears to originate from ‘democracyinaction.org’ and ‘wiredforchange.com’, which doesn’t really mean anything by itself (who knows who is playing what game?).

The really funny part is that this email came in *after* the Provost sent a rather bewildering email earlier that day warning of “troubling rumours” about the election being moved.

See also: http://chronicle.com/wiredcampus/article/3439/e-mail-hoax-tells-george-mason-students-to-vote-november-5

A follow-up email (below) explains why the hoax was transmitted:

"The sender was able to send the message via the central list because
the sender took action while the system was still delivering the
original message and so the names of recipients had not yet been
cleared out of the announcement database."

From: "Joy R. Hughes, Vice President and CIO" <no-reply@gmu.edu>
Date: November 12, 2008 10:01:00 AM EST
To: ANNOUNCE03-L@mail04.gmu.edu
Subject: Update on Election Day Email Spoofing
Reply-To: "Joy R. Hughes, Vice President and CIO" <no-reply@gmu.edu>


Early in the morning of November 4th, the university’s central
announcement system sent an email from the Provost to members of the
university community negating two rumors about the national election
that had been circulating on campus. Someone used this opportunity
to utilize a form on an outside web server to "spoof" the email
address of the account authorized to send to the announcement list.
Using this form, the person then sent a message purporting to be
from the Provost that stated that the date of the election had been
moved to November 5th.


While it is simple to spoof an address, the information contained in
the header of the message revealed the true path of the message,
clearly indicating it did not originate with the Provost or from any
university system. The company that owns the outside web server has
disabled the form on its site that allowed the person to send this
spoofed message.


Since tampering with elections is a Federal offense, the cybercrime
expert in Campus Police was notified and he immediately contacted
his counterpart in the FBI. The FBI is now investigating.


The sender was able to send the message via the central list because
the sender took action while the system was still delivering the
original message and so the names of recipients had not yet been
cleared out of the announcement database.


In order to avoid future incidents of this type, a manual
verification step has been added to the central process to send
announcements. All of the university’s central announcement lists
will be subject to the new verification process, thus eliminating
the potential for a spoofed message to be sent via a central
announcement list.
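The CIO’s note says the message headers “revealed the true path of the message”. As an added example (not the university’s process and not code from the original post), the following Python shows what that check looks like: walk the Received: chain from the oldest hop and find the host that handed the message to the first of our own MTAs. That hop was stamped by our server, so unlike the From: line and any Received: lines below it, the sender could not forge it. The two sample messages are constructed; apart from mail04.gmu.edu and the list address, which appear in the post, every host name, address and timestamp is hypothetical, and the rule that hosts under .gmu.edu are our trusted MTAs is an assumption.

```python
import email
import email.utils
import re

# Constructed sample modelled on the incident (not the real message): the
# visible From: claims the announcement account, but the Received: chain
# shows the message entered the university's mail system from an outside
# web form host. Hosts other than mail04.gmu.edu are hypothetical.
SPOOFED = """\
Received: from mail04.gmu.edu (mail04.gmu.edu [192.0.2.10])
\tby mailbox.gmu.edu with ESMTP; Tue, 4 Nov 2008 07:12:05 -0500
Received: from webform.example.net (webform.example.net [198.51.100.7])
\tby mail04.gmu.edu with ESMTP; Tue, 4 Nov 2008 07:11:58 -0500
Received: from localhost (localhost [127.0.0.1])
\tby webform.example.net (Postfix) with ESMTP; Tue, 4 Nov 2008 07:11:57 -0500
From: "Office of the Provost" <announce@gmu.edu>
To: ANNOUNCE03-L@mail04.gmu.edu
Subject: Election date moved

The election has been moved to November 5th.
"""

# Constructed legitimate message: first hop is an internal workstation.
LEGIT = """\
Received: from mail04.gmu.edu (mail04.gmu.edu [192.0.2.10])
\tby mailbox.gmu.edu with ESMTP; Tue, 4 Nov 2008 06:30:02 -0500
Received: from provost-ws.gmu.edu (provost-ws.gmu.edu [192.0.2.55])
\tby mail04.gmu.edu with ESMTP; Tue, 4 Nov 2008 06:30:01 -0500
From: "Office of the Provost" <announce@gmu.edu>
To: ANNOUNCE03-L@mail04.gmu.edu
Subject: Election rumors

The election is on November 4th as scheduled.
"""

TRUSTED_SUFFIX = ".gmu.edu"  # assumption: hosts under this suffix are our MTAs
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_path(raw):
    """Hops oldest-first as (from_host, by_host). Each MTA prepends its own
    Received: header, so the last header in the message is the first hop."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.match(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def is_trusted(host):
    return host == TRUSTED_SUFFIX.lstrip(".") or host.endswith(TRUSTED_SUFFIX)


def entry_point(hops):
    """Host that handed the message to the first trusted MTA. Our server
    wrote that Received: line, so the sender could not forge it."""
    for frm, by in hops:
        if is_trusted(by):
            return frm
    return None


def entry_host(raw):
    return entry_point(received_path(raw))


def classify(raw):
    """Compare the domain claimed in From: with where the mail really
    entered our infrastructure."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    claimed = addr.rsplit("@", 1)[-1].lower()
    if not is_trusted(claimed):
        return "external"          # claims nothing about us
    entry = entry_host(raw)
    if entry is None or not is_trusted(entry):
        return "spoofed-internal"  # claims our domain, entered from outside
    return "internal"
```

`classify(SPOOFED)` returns `"spoofed-internal"` with `entry_host(SPOOFED)` naming the outside web form host, while `classify(LEGIT)` returns `"internal"`. The manual verification step the CIO describes closes the list-injection path; this check is what a gateway or a recipient can do after the fact. It only catches messages that claim an internal sender yet entered from outside, says nothing about mail injected from a compromised internal host, and relies on the trusted MTAs writing accurate Received: lines.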


The NSA’s Tall Order

Posted in Current Events, Editorial by xoren on the February 1st, 2008

The Protect America Act (PAA) was passed in August of 2007. In effect, this ill-considered law re-purposes an existing NSA data collection and surveillance framework to observe domestic conversations. In a succinct article (“Risking Communications Security: Potential Hazards of the Protect America Act”) in the next issue of IEEE Security & Privacy magazine, Steve Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter G. Neumann, and Jennifer Rexford write about the security aspects (as opposed to the civil liberties concerns) involved in permitting the NSA to spy on US persons. A preprint is available on Steve’s website and from Matt Blaze’s blog entry. The authors are pretty adamant that such a powerful capability must be just as powerfully justified and protected: “If security cannot be assured, then any surveillance performed using that system will be inherently fraught with risks that are fundamentally unacceptable.” Note that “fundamentally unacceptable” is pretty direct language (for example, they did not say the system was “unreasonable”, “ill-advised”, or merely “risky”); this type of phrase is about as close to harsh criticism as an academic is likely to come in a professional publication.

The ball on this topic got rolling when Susan wrote an op-ed piece for the Washington Post in August 2007 on why it was a bad idea to re-purpose a system built to spy on external entities to begin spying on domestic entities.

The bottom line: the unintended consequence is that such a system is now a really juicy target for foreign entities to spy on domestic entities. It is also ripe for abuse by insiders. The underlying problem is that domestic data will be captured; it is simply too hard to filter out domestic data given the limits of current networking technology. The IEEE S&P article also has a pointer to a very well-written article about the Greek cell phone system compromise; these threats are not theoretical. Asking the NSA to do something that it has no experience (presumably) doing is a bad technical policy, especially since the technology cannot simultaneously meet the demands of the new law and the expectation of privacy derived from, among other things, the 4th Amendment. I suspect that many in the NSA rank & file might agree; this seems to be a situation where everything looks like a nail when all you have is a hammer.
