U Calgary ldap settings for thunderbird
Helpful configuration information:
http://www.ucalgary.ca/it/help/articles/email/clients/tbirdosx/ldap
Permalink Comments off
I recently started using git for managing libdisorder. I had used git once before, gotten distracted with other things, and never seriously learned it. I typically use either cvs or svn to manage code and paper repositories. The code is now hosted at both dyne.org and github:
http://github.com/locasto/libdisorder
http://code.dyne.org/?r=libdisorder
I found the following documentation to be of use while setting up the two remote repositories fed from my single local repository:
http://www.kernel.org/pub/software/scm/git/docs/user-manual.html#public-repositories
http://toolmantim.com/thoughts/setting_up_a_new_remote_git_repository
Permalink Comments off
I recently spent 11 days in Hanover, NH at Dartmouth College leading the SISMAT (Secure Information Systems Mentoring and Training) summer seminar. This seminar is one part of a comprehensive training, job, and research program for undergraduates. Students go on to an internship in information security and then a follow-on research project at their home institution under the guidance of a local faculty mentor and with occasional advice and support from us.
This year was the third year of SISMAT. Sergey and I refreshed the curriculum and implemented some changes inspired by the “failure modes” learning pattern we (inadvertently) discovered during last year’s seminar (as described in our March SIGCSE paper).
Briefly, the failure modes philosophy holds that students learn topics (e.g., networks) more naturally by observing the interplay in failures of a system (e.g., at layer 2 and layer 3 when certain services or connectivity don’t exist). This learning style seems more informative than just hitting students with the standard code pattern for opening a socket in C or Java. We tried to apply this principle (along with some other Hacker Curriculum principles) to other areas of the craft, including hands-on exercises with Web application vulnerabilities, disassembling various pieces of shellcode, and analyzing the detritus of a real intrusion.
SISMAT is always a lot of fun, and this year we had a great group of lively and talented students who are now well on their way to becoming (ethical) hackers. So far we’ve had 23 students go through the program, and we’ve had about a dozen faculty mentors from these students’ home institutions. We’re in the process of tracing how their projects and future careers have gone.
With severely limited funding for innovative cybersecurity education programs, we’re happy to do our part in fulfilling the need for well-educated information assurance professionals (and we’re grateful to the organizations that have funded us so far). It’s too bad that the prevailing opinion is that nothing fundamental or innovative could possibly happen in the education space: basic research into techniques, mechanisms, and systems is valued much more than actually producing well-educated cybersecurity professionals.
Permalink Comments off
From the University of Calgary’s “Procedures Pertaining to Appointment, Promotion, and Tenure of Academic Staff”:
Academic freedom is the right of academic appointees to examine, to question, to teach, to learn, to investigate, to speculate, to comment, to criticize, to write, to publish and the like, freely, without pressure, direct or indirect, to conform to or defer to prescribed doctrines.
Permalink Comments off
I recently installed Bootcamp and Microsoft Windows XP SP3 on my MacBook Pro.
While this was mostly straightforward, the process got complicated because I did not have my Leopard installation DVD with me, and the cost of traveling to it…well, you can guess. Not worth it.
The lack of the DVD is crucial because it contains Windows XP drivers for the Mac-specific hardware. Fortunately, this page:
http://support.apple.com/kb/HT1999
helped me run down what drivers I needed (mostly the RealTek sound driver). I got an updated NVidia driver from the Apple web site, so the laptop, when booted into Windows, is now able to display proper video and sound — which is, along with external keyboard and mouse, what one needs for Windows-only video games. Network, trackpad, and other misc items are still not working. It has been a heck of a time, especially since the “updates” to Bootcamp that Apple has available:
http://support.apple.com/kb/DL967
and
http://support.apple.com/downloads/Boot_Camp_Update_2_1_for_Windows_Vista_32
don’t seem to run in Windows XP SP3 (a clean install from ISO, not an SP2 to SP3 upgrade).
Permalink Comments off
Yesterday I gave a talk at the USENIX LISA conference about the difficulties involved in the process of recovering a network infrastructure from a large-scale intrusion.
Stories about post-mortem analysis of such incidents are rare. Here are a few links and pointers:
“Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack” (HTML)
Chronicle of a Server Break-In (HTML, see link to Paul’s actual postmortem)
Abe Singer. “Tempting Fate,” ;login:, Volume 30, #1, Usenix Association, November 2005. (grab a copy of ;login)
Eugene H. Spafford. The Internet Worm Program: An Analysis (PDF)
Cliff Stoll. “The Cuckoo’s Egg” (HTML)
Bill Cheswick. “An Evening With Berferd In Which a Cracker is Lured, Endured, and Studied” (PDF)
Permalink Comments off
On my way back to Vancouver from CISSE, I ran into a border guard who asked me for proof, such as an airline itinerary, that I intended to leave Canada. Not having any such documentation (I ceased carrying printouts of my airline itineraries since I have never been asked for them), I could only assert that I had stable employment in the US and no long-term plans to remain in Canada. At this point, we were at an impasse, since he had no way to verify my intent, and I had no ready way to prove it to him.
His worry was obvious: I am one of those people who are highly mobile, with almost no fixed address or infrastructure holding me to a particular country or location.
Even if they were to pull me into secondary screening and look at the electronic copies of my itinerary, my intent could have been to simply abandon my ticket home. My point is this: beyond some in-depth interview, no paper can prove what my intent might have been.
This incident highlights just how difficult border access control can be: guards are tasked with divining the intent of visitors, travelers, and citizens. Intent is a complex, multi-layered thing with an important temporal component. Border guards must try to understand both long-term and short-term intent as well as any potential security threat or otherwise illegal status. In the course of a one-minute conversation, they tend to do this fairly well (from my perspective: I have never been refused entry or even pulled into secondary screening in either direction).
In any event, the guard let me go with a strong admonition to carry such proof in the future and make their job easier. But now that the Western Hemisphere Travel Initiative is in full force (i.e., passports required for even land travelers), will border guards be forced to turn more to other secondary documentation to prove intent? How reliable is this documentation at predicting, conveying, or verifying intent?
Might their job previously have been made easier by the diverse array of identification (keeping in mind that identification has little to do with intent) material presented before WHTI? Now that everyone has a passport, that identity “feature” is more homogeneous, and thus carries less information. At the end of the day, allowing someone into a country is ultimately a trust decision.
Permalink Comments off
The proposed content of this bill makes for a variety of interesting discussions:
http://cdt.org/security/CYBERSEC4.pdf
http://thomas.loc.gov/ (search for S.773)
…not least of which is a proposal to license all cybersecurity professionals within 3 years. Else, you can’t do business with the government. (See “Section 7” starting on page 21 of the PDF).
“Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.”
It was pointed out to me that an existing DOD regulation pretty much already requires these conditions, albeit limited to DOD employees and contractors rather than all persons seeking to do business with any part of the US Government: