Friday, January 18, 2013

Internet Security

We got the security we asked for.  

I remember all too vividly sitting with Sheila Brand and Marv Schaeffer in my conference room at 44 South Broadway in White Plains, trying to convince them that if DoD really wanted a B1 system from IBM, they should allow us to build it on the AS/400 platform where, among other things, object classification labels would be reliable.  They insisted that they needed something that would run the MVS job stream.  We were unable to convince them that was an over-constrained problem, that any system that could do that would, of necessity, be too open to be "secure" in any meaningful sense.  They said that they understood that there would be compromises.  They went back to Washington and put so much pressure on their contractors, and indirectly on IBM, that we succumbed.

The results were bitter.  We devoted an entire annual release of MVS to building a B1 candidate and a lot of money getting it certified.  When we announced the results at SHARE, the reception was enthusiastic but the demand was far less so.  Marv Schaeffer was in the audience at the National Computer Security Conference when I announced that I had been heartened to hear that demand for the product was up by fifty percent until I was told that that was from 2 to 3.  

The issue was never about security but about magic.  It was about security at no cost.  This was not unique to DoD.  At every inflection point we have chosen open, popular, backward compatible, and cheap, over closed and secure.  How else does one account for the popularity of Android, particularly among geeks? Not only do they prefer Android to iOS but they heap scorn and vitriol on Apple for keeping iOS closed.   

One is reminded of Helen Custer's wonderful book describing wonderful Windows NT security. I thought "Right! Now they've got it!"  Of course, when Microsoft realized that it would not be open to legacy apps, games, and outside-provided device drivers, the security architecture was first ruptured and then scrapped.  Today few Windows systems are operated in a manner that is as secure as Windows allows.

I think that the Internet began with the permissive rule, in part, because of a lack of imagination: no one was able to envision its success or importance.  Perhaps, in part, because the rule was necessary to its adoption.  Clearly one reason that TCP/IP drove SNA/SDLC from the marketplace was that it was an open architecture and an open implementation.  

All that said, the Internet is sufficiently secure for most of its applications. If this were not so, we would not be doing them.  That is not to say that it is as secure as it might be.  Harry DeMaio liked to say that "Doing business on the Internet was like doing business in Times Square: while there is some business one would not like to do there, clearly a lot of business is done there."  On the other hand, a lot of fraud occurs in the private offices of Wall Street.  That is to say, all security and trust do not come from the environment.

Some trust comes from the reputation of one's trading partners.  When doing business on the Internet, I prefer to do business with the same firms that I have always done business with on the street, by phone, and by mail. These include American Express, Merrill Lynch, Fidelity, and Brooks Brothers.  There are exceptions.  I hold stock in Apple, Amazon, and eBay/PayPal.  No matter who you are, I am more likely to do business with you if you will accept payment from them.  Said another way, when doing business on the Internet, I rely upon the brand and compensating controls offered by my partners, not the Internet itself.  

While my partners do make some attempt to ensure that transactions in my name actually originate with me, few offer the authentication that I would like.  (PayPal, Google, and Dropbox are notable exceptions.) Therefore, I do not rely exclusively on the authentication mechanism but check the confirmations and statements that I receive from them out of band.  I like that American Express will let me choose, by type or size, which transactions they will confirm out of band.

I find Apple's experiment with iOS very hopeful.  Unlike Google (Android) and Microsoft (Windows Mobile), Apple was willing to forgo backward compatibility.  They are coming up on a million purpose-built apps, from scratch, and in less than five years.  

Steve Jobs: "And, so far, I have to say, people seem to be liking the iPad. We are selling an iPad every 3 seconds."

I like Google's out-of-band authentication scheme and Verisign's scheme that turns every iOS or Android device into a one-time-password token. Given that anyone can license these for pennies per transaction, session, or file, that they scale from very small to very large, that they resist credential replay attacks, and that users can opt in or out, that they are so sparingly offered and sparsely used supports my thesis.  So does the fact that almost any system can be compromised by a bait message that appeals to some user's greed, lust, sloth, or even curiosity. 

Security in the Internet will never be better than the absolute minimum we can get away with.  It will never be quite as good as it should be or as we know how to make it.  While that will be good enough for most of its applications, we will continue to use it for some applications for which it is not safe.  No matter how good a job we do, there will always be breaches.  Get over it.  Collectively that is how we chose it and continue to choose it.  

Monday, January 14, 2013

Newtown and the Elephant in the Room

Once more we are victims of an outrageous shooting.  Once more an emotionally unstable young man has dressed himself in black, armed himself with all too available and too powerful guns, and slaughtered innocents.  

The elephant in the room is a fear, not merely a rational distrust but an irrational fear, of government.  A significant portion of those who resist all gun control see themselves as the beleaguered defenders of liberty.  

They have abandoned the Rule of Law.  They believe that not only do they need their guns to defend themselves against government but that they are the last bulwark against tyranny.  They expect to "man the barricades" as in the musical Les Misérables.

The purchase of guns has spiked after the last two presidential elections.  Part of this was motivated by the fear that the Obama administration is anti-gun and will ban future purchases.  Part of it is based upon a fear that government is on the brink of collapse and that one will need guns to protect oneself from one's neighbors.  Part is based upon the fear that the government will become so tyrannical that the citizen will need guns to depose the tyrants.  

Indeed purchases spike after every outrage.  The fear here is in part that there will be a political response to the outrage that will make purchases more difficult in the future.  However, it is also fear that police and the Rule of Law are so weak that vigilantes are necessary, that all citizens, including teachers, must be armed.  It is a rejection of the fundamental idea that the use of armed force must be reserved to the state.  

It is ironic that those who trust law the least, who resist all attempts to regulate guns, appeal to the Constitution, the source of our law, to justify their resistance.  Equally ironic is that each outrage is used to justify the continuation of the conditions that led to it and will inevitably lead to another: take up arms as a protection against one's neighbor.  It is ironic that the policies supported by those who fear government contribute to the conditions in which government is most likely to be controlled by a tyrant rather than by law.  

The choice is not between an armed citizenry and "black helicopters."  Rather it is a choice between the Rule of Law and rule by men, by vigilantes, by the strongest bully on the block, by the gang leader, the warlord, by the most lawless, by those most likely to set themselves up as prosecutor, judge, jury, and executioner.  

The very existence of the Elephant depends upon the fact that we pretend that he is not there.  The contribution of fear of government to this problem persists in part because we fail, indeed refuse, to talk about it.  We have to confront it.  Every generation has to recommit to the Rule of Law, must surrender its claim to armed force to the state.  Each generation must understand the choice between a government of law and one of men, each generation must make the choice anew.  

We must begin by confronting the Elephant, the rhetoric of fear, fear of the tyrant.  

Thursday, January 3, 2013

Government Secrecy

Candidate Obama promised increased transparency in government.  Like all of his predecessors, he quickly increased secrecy.  However, rendering lip service to his promise, he appointed an advisory committee on classification policy.  As reported by Elizabeth Goitein, this committee has recently issued recommendations.

I was reminded of an editorial that I had done for InfraGard iGTV.  The following excerpt seems both responsive and instructive. 

"...government systematically over-classifies, partly out of bureaucratic habit, sometimes for political reasons, partly because the cost of protection is borne by the users and custodians, not the classifier, of the data. At least partly as a consequence, it under-protects.  Leaks are the inevitable consequence.  

Note that while these leaked documents are embarrassing and while the leaks will inevitably make recruiting more difficult, few of them required or deserved exceptional protection.

As much as some national security types resist the idea, classification is an economic decision.  It may not be a decision about the value of the data, or even about the value of preserving its secrecy, but it is a decision about the cost that one is willing (for others) to incur to protect the data.  It is a decision about how to allocate scarce, in some cases limited, security resources.  We protect data at the expense of data that we do not protect.  

Finally, we are relying on the integrity of people because they are cleared instead of because they are monitored and supervised.  According to the Times, only half of the computers in the SIPRNET are even equipped to monitor users for unusual access and far fewer than that are actually supervised.  

The Bush administration abused intelligence sources and distorted the security culture.  WikiLeaks is the inevitable result.

The pendulum must swing back but we have to both do the right thing and do things right.  Since the alleged leaker is alleged to have copied the data to a CD that he pretended to be listening to, DoD has ordered the removal of CD drives and USB ports.  This will prove to be about as effective as forbidding the use of earphones. 

The right direction is fundamental, if not obvious.  We must classify fewer documents and limit access to those we do.  We must limit the access that insiders have, hold them accountable for the access they use, and use them to protect us from the outsiders.  We must clear fewer people and investigate, monitor, and supervise them better.  We must do all this while reforming the culture that rewards, rather than punishes, over-classification.

There are no surprises in this list, no silver bullets, no magical expectations.  Just hard work.  Please do not whine about how hard this is. Do not complain because it is difficult.  Do not even mention that there will still be leaks and that we will still be blamed.  That is why we are called professionals and are paid the big bucks."  

You may also want to check out my entry in this blog on the subject of Classification and Labeling.