GEEKONOMICS

I will be speaking about the lack of consumer protection in the software market with Jack Roberts on CableTalk, Cable Radio Network.

Broadcasting 24-hours daily, CRN's radio networks can be heard from coast-to-coast on Cable Television Systems, Satellite Dish, and worldwide at crni.net. On most cable television systems, CRN is featured on the public information channel.  On digital cable systems, CRN's digital talk channels are listed right after the music service. Check your local cable listings for availability.  CRN is also available in Southern California on PAX TV KPXN Channel 30's SAP (Second Audio Program) channel.

Date: July 2, 2008

Time: 9:50am Eastern/6:30am Pacific

ListenLive: www.crni.net

Recently, Microsoft released an updated version of its Malicious Software Removal Tool that, according to reports, removed password-stealing malware from more than 2 million PCs.

Microsoft security fix clobbers 2 million password stealers

To quote Computerworld:

One password stealer, called Taterf, was detected on 700,000 computers in the first day after the update. That's twice as many infections as were spotted during the entire month after Microsoft began detecting the notorious Storm Worm malware last September.

"These are ridiculous numbers of infections my friends, absolutely mind-boggling," wrote Matt McCormack, a spokesman with Microsoft's Malware Response Center...

The password-stealing programs are often installed via Web-based attack code that exploits flaws in multimedia programs such as Adobe's Flash Player or Apple's QuickTime Player...The attacks are often technically sophisticated, exploiting previously undisclosed bugs in Windows software...

Indeed, this is mind-boggling and ridiculous. Mind-boggling that we still consider 2 million infected hosts to be a mind-boggling number (we are now easily into the 10s of millions of infected hosts) and ridiculous that we do not castigate software manufacturers for enabling such highly foreseeable malicious activity via defects in their products. In fact, we seem to be grateful when manufacturers give us free tools to clean up after their mistakes. This stretches the definition of "free" to be sure.

Have we really become that numb to defects in software, so blasé to software manufacturing blunders, that we simply take insecure software as an inevitable and unavoidable reality?

Maybe.

Some in the information security community attempt to blame PC owners for the massive installation of malware like Taterf. Some might even argue that "previously undisclosed bugs" are not even necessary to enable wide spread infections because users can simply be socially engineered (i.e., tricked) into installing malware onto their machines. And some might even have the audacity to state that what we really need is better in-bound malware blocking and application control to inhibit what malware can do once it gets on a PC. 

These arguments have some merit, but not nearly enough.

First, stop solely blaming users for the sorry state of cyber security. Are users partly culpable? You bet. "You can't patch stupid," is an accurate, if cynical, remark made by some in the security industry, but such a remark fails to recognize that users no longer need to be "stupid" to become victims anymore.

Case in point, once upon a time, there was a significant likelihood a computer would get infected because of, shall we say, the pursuit of less-upstanding behavior by users, such as visiting porn sites and downloading cracked software. This will always be true and the title of "stupid" should be awarded frequently and copiously to those who engage in such pursuits.

Of late however (2004 forward), many normal and innocuous commercial web sites (like Circuit City's Customer Service site) have been hijacked and infected with exploit code targeted at user's internet browsers, media players, and operating systems. Just by visiting these unknowingly infected web sites, the victim's machine will become infected through no fault of the user (but the fault of the software manufacturer). Because exploits on the hijacked website attack previously undisclosed vulnerabilities on the user's PC (such as in QuickTime, Internet Explorer, Adobe Flash, or Safari) the user's stupidity is moot. Patching is moot. The user is not "stupid" in such cases, the manufacturer is, and so are we for failing to recognize this and failing to stop it.

We have spent decades in the legal profession protecting consumer rights; protecting consumers against blame for damages caused by manufacturing defects that were not the consumers fault. Let us not delay fairness in the Information Age that we did in the Industrial Age. Where users are responsible for their own behavior in cyber space (such as giving up their password to a phishing scam) surely hold users responsible for possible damages (and pursue the cyber criminal if we can). But we can not, should not, must not hold computer users accountable for something that is not their fault: poorly written software. Such responsibility should fall squarely on the shoulders of software manufacturers, but does not. 

Remember, users are merely an avenue to the vulnerabilities of software. Simply by surfing the Internet, users are at risk, not through questionable behavior, or even stupid behavior as once was the case,  but through normal, innocuous behavior. Users can be tricked by a host of techniques to be sure, but they are tricked for what I believe to be a significant and obvious reason: to exploit defects in the software they use.

Are there other reasons? Sure. It's not just about exploiting vulnerabilities in software, but exploiting vulnerabilities in software is a very powerful incentive otherwise we would not see the type and amount of concentrated research by cyber criminals and nation states into discovering software vulnerabilities. Discovering defects manufacturers failed to detect themselves gives discoverers potentially immense power over millions of systems.

Second, insisting that we need better in-bound malware blocking and application control is yet more of the same technology-centric view of security; that somehow insecure software is a technological phenomenon to be solved by yet more technological phenomena. Can products help to an extent? Yes. But these products are not complements to robust, secure software as seat belts and air bags are complementary to robust, safety-oriented automotive design; security products are counterbalances to the lack of security and software assurance practices of software manufacturers.

Complicating this situation, the security industry does not really sell security, it sells products. Analysts as well as vendors make money from all the gymnastics and prancing in the security industry. Their incentive is to sell; sell products, sell devices, and sell reports about those devices and products. Their incentive is not necessarily to protect you. Their incentive is to sell. Their hope, as well as yours, is that the security products actually work and their efficacy easy to maintain. History is not kind in this regard.

And where are software buyers now because of this? Swamped with products, swamped with appliances, swamped with best practices, swamped with myriad configuration options, swamped with sometimes contradictory and unrealistic compliance requirements, swamped with unending financial expenses, swamped with what to do and how to do it, scrambling for sanity and feeling but dazed and confused.

It is truly mind-boggling and ridiculous. 

To quote Forbes.com:

Call David Rice the Ralph Nader of cyber security. Rice's book, Geekonomics: The Real Cost of Insecure Software, is a kind of hacker's take on Unsafe at Any Speed, a manifesto that calls the software industry to account for its careless attitude toward security, just as Nader took the auto industry to task for its abysmal safety standards in 1965.

Read the rest of the article and interview: A Tax on Buggy Software

Apple's growing popularity is promising to cyber attackers. Once upon a time, Apple users could smugly (and dare I say condescendingly) claim that Mac users were safer than PC users because Macs didn't have nearly the same number of software vulnerabilities as PCs. This may still be the case to some extent, but that era is drawing to a close.

To quote a recent article from Computerworld:

Researchers spot Mac Trojan in the wild

Security researchers reported last week that they have spotted a Mac Trojan horse in the wild...

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger's and Leopard's Remote Management component. Composed as a compiled AppleScript, or in another variant, script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

"[It] allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging," claimed SecureMac. "Additionally, the Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing."

This is not the first vulnerability of its kind in Apple products to be sure, and it will not be the last. When Apple languished at 3 percent market share it simply was not a lucrative target for cyber attackers. At roughly 6 percent market share, Apple is more promising (Ubuntu, at less than 1 percent market share has a long way to go).

In the software market, security is not part of the beauty contest until it is too late; that is, in the race for market dominance security is not a competitive differentiator for software manufacturers. As such, software manufacturers have no incentive to make security a priority. Features rule the race for market dominance; not security, not secure software, and certainly not software assurance.

When a software product finally becomes popular, the lack of attention the manufacturer gave to secure software and software assurance becomes more clear. In fact, as one my colleagues so eloquently remarked, "It becomes fucking obvious."  

The problem, of course, is latent defects lose their latency proportional to a product's popularity. As a result, the patching race becomes more frenetic: the vendor must issue a patch and consumers must apply the patch (or undertake other system changes) as quickly as possible before attackers exploit the defect. Consumers rarely ever win this race. If attackers keep knowledge of the vulnerability to themselves, then consumers are completely out of luck. Attackers can exploit the vulnerability at will with no fear of the manufacturer producing a patch to thwart their activities. Consumers lose either way.

The fruits of popularity are clear: the manufacturer potentially makes a tremendous amount of money, shareholders are happy, and consumers pay for this success twice. First, by purchasing the product; second, by being exploited.

Something is rotten here.

I'll be speaking with News Talk host Tommy B. about cyber security and consumer protection for software users on News Radio 970AM in Billings, Montana. The call letters are KBUL...you gotta love Montana just for that.

Date: June 26, 2008

Time: 8:30am Mountain time.

Channel: AM970 

"Who feeds Paris?"

This is a rhetorical question often asked by economists to highlight the bewildering number of activities needed on a daily basis to feed a city. Almost by magic, just the right amount of apples appear at the grocery, the butcher has the types of meats his customers desire, and even with the high price of gasoline, gas stations are not in danger of running dry any time soon. How does this happen? In essence, how does Paris, or any city for that matter, function daily?

An economist might answer that is this the result of a healthy market economy, albeit an incredibly complex market economy, where, in the case of a large city, millions of self-interested transactions determine the market price for a particular resource and market participants buy and sell accordingly. At base, the "magic" that makes all this happen is you and your desire for a better life...not only to eat apples, but possibly to sell apples at a reasonable profit to those who might want them. Markets have tremendous influence on the lives of everyone, even those who think they might not be part of a market.

But there is more to the story. “Who feeds Paris” is economic perspective of the world. It assumes one very important...no, critical aspect: reliable infrastructure.

From an “infrastructuralist” point of view - pardon my creative license - you and your self-interest might be the magic that make market economies work, but it is physical infrastructure - roads, water, natural gas, electricity - that makes it possible for "the magic" to flourish and grow. Without infrastructure it is extremely difficult to grow apples in large quantities, get them quickly to market across vast distances inexpensively, keep them cool while on the shelves, and allow you to view them in the store at night when shopping after work.

We might not always recognize the importance of infrastructure – dare I argue that many take it for granted – but in modern vibrant economies infrastructure is always (hopefully) there for us.

Infrastructure does not run itself, of course. It needs people to manage it. Lots of people. But even lots of people are not enough. Modern infrastructure is of such grand scope and scale, that infrastructure's human managers could not possibly oversee electricity, water, and gas distribution efficiently or effectively without the help of another form of magic:

SCADA.

SCADA is an acronym for Supervisory Control And Data Acquisition. SCADA is the software that controls pumps, turbines, valves...the stuff of infrastructure that keeps everything moving, flowing, and pumping. It is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control. In essence, SCADA is the pulmonary system of cities, and indeed, entire countries. As such, the "health" of SCADA is very important to the health of nations as well as the wealth of nations.

But there is a problem.

A Heart Attack Waiting to Happen

The pulmonary system of countries is plagued by what I would call "genetic defects." These defects are not the result of ad-hoc evolutionary processes - as is the case with pulmonary disease in humans - these "genetic defects” are the result of insufficient manufacturing practices in creating the DNA of infrastructure: the software.

Software is what runs our infrastructure now...it is the foundation of our civilization...the DNA of infrastructure that tells it what to do and how to do it just as the DNA of a human cell tells the cell what to do and how to do it...and yet software, even in our most critical SCADA systems contains an uncomfortable number of defects.

Like any genetic defect, it may complicate your life. It may also kill you.

A recent article highlighted the potential impact of insecure software in our SCADA systems:

Critical Flaw Left Utilities Vulnerable to Attack for 5 Months

To quote:

A vulnerability found in utility control software is raising serious questions over municipal security. The issue…could have let attackers take control of water treatment plants, natural gas lines and potentially even nuclear power plant equipment. The systems in question, created by Citect, allow remote management of machinery at various plants.

Water treatment centers in Louisiana and North Carolina both use the technology, as do natural gas facilities in Chile and pharmaceutical manufacturing centers in Germany. The [software] bug, Core Security [who discovered the defect] says, could have handed hackers control of any of those systems -- theoretically giving them the power to stop an entire city's water treatment or knock out power to tens of thousands.

Ivan Arce from Core Security remarked, "The problem [with this software] is a classic example of buffer overflow from the '90s. It's not a very sophisticated thing, [which] makes it surprising."

In other words, this is an old, even common, software manufacturing foible that could have - should have - been avoided, but was not.

It’s the Incentives, Stupid.

It should not be surprising that such a “simple” software vulnerability appeared in a SCADA system, because it also appears regularly in our internet browsers, media players, and operating systems. Such a “simple” defect, along with myriad others, appears in all types of software because all software manufacturers – no matter the assumed importance of the software they create – oftentimes lack the necessary incentives to create software worthy of its role in our civilization or to patch the software in a timely manner (it took over 5 months to fix the discovered defect in the SCADA system).

Ivan when on to state,  "This [software] could have been done better -- especially on such a critical software. It's not somebody's FTP server. It's software that is critical and should be addressed in a more timely manner."

Indeed. Citect could have done better, but what incentive does Citect or any software manufacturer have, really? Good intentions? Best efforts? We’ve heard assurances before by some of the biggest and most respected software manufacturers on the planet about their software: “trustworthy,” “unbreakable,”…

And they haven’t been. At great cost to us.

Such assertions by software manufacturers are vacuous and cheap to make. Is this truly sufficient for infrastructure, critical or otherwise?

Ivan goes on to state:

Every software is vulnerable. Every single piece of software is man-made -- and if it's man-made, it's prone to errors. The important thing is not just how many bugs are out there, but also how prepared are the different organizations ... to react in a timely and precise manner."

True. All software is vulnerable. Software is man-made, yes. But the important thing IS EXACTLY HOW MANY BUGS ARE OUT THERE. The promise of "fast patching" as a means to protect critical infrastructure is truly a counsel of despair.

Software defects send an unrelenting and unmistakable message of disorder into cyberspace. This message carries consequences that we are only now beginning to understand in the form of cyber crime, cyber espionage, and, in the case of infrastructure, possibly cyber war. Attackers smell weakness like blood in the water and software is full of weaknesses. The number of defects matters…and matters greatly.

Security researchers (i.e., hackers) are doing for software manufacturers what software manufacturers failed to do themselves. This isn't about perfect software...it is about responsible development of the software that runs our lives and our economies. It is also about strong consequences for those manufacturers that fail to abide by their responsibilities to us as citizens, consumers, and fellow human beings.

We might not know how to make perfect software, but software manufacturers do know how to make better more secure, more reliable software...and have known how to do so for over 40 years. But there is little incentive to do so. Software is man-made. This is true. It follows then that without meaningful incentives aimed at the human creators of infrastructure’s DNA, the genetic diseases brought on by insecure software will plague infrastructure more, not less.

No More Prayers

With human genetic defects, we are at the mercy of Mother Nature until we disassemble and understand the Code of Life. We can exercise regularly, and we can eat right and hope everything works out swimmingly. In the meantime, Mother Nature can ignore our prayers for miraculous healing as she pleases.

But with cyber genetic defects, we are at the mercy of our software manufacturers; other humans within our reach and grasp that make decisions based on their self-interest and not on ours. We should not and must not treat software manufacturers like the pantheon of gods: unaccountable, selectively detached, and arbitrarily interested in our well-being when it suits their purposes. We can and should hold software manufacturers to account when they make their defects our vulnerability.

"Who feeds Paris?" is a rhetorical question. "Who protects Paris?" is not.

When someone steals your laptop and doesn’t give it back, that’s bad. It is worse when someone steals your laptop and then gives it back to you.

The Beijing Olympics are upon us and according to a recent USA Today article:

National security agencies are warning businesses and federal officials that laptops and e-mail devices taken to the Beijing Olympics are likely to be penetrated by Chinese agents aiming to steal secrets or plant bugs to infiltrate U.S. computer networks.

Equipment left unsupervised for just minutes in a hotel or even during a security screening can be hacked, mined and bugged… There is a high likelihood — virtually 100% — that if an individual is of security, political, or business interest to Chinese … security services or high technology industries, their electronics can and will be tampered with or penetrated...

Wow. Sounds like China bashing, scare mongering, US propaganda to me. Well, not really. There is a fine line between scare mongering, anti-China sentiment, and stating the facts as we know it. And we know the facts pretty well, or, at least well enough to make these rather pointed and upsetting statements publicly. That said, what is unfortunate to me is that the article did not highlight the issue strongly enough.

Both France and Russia have publicly admitted to one extent or other to actively spying on U.S. businesses and U.S. business people. In fact, it’s not just U.S persons, but any competing business or individual. To quote the Pierre Marion, Director of the French Intelligence Directorate, “This espionage activity is an essential way for France to keep abreast of international commerce and technology. Of course, it was directed against the United States as well as others. You must remember that while we are allies in defense matters, we are also economic competitors in the world.”

And these are our friends.

In this light, it is far from surprising that China might consider conducting the same activities as well as deny it emphatically (“The so-called accusation of the Chinese military espionage against the U.S. is groundless and fabrication with ulterior motives.").

Of course, espionage is status quo. Many readers might be surprised to find out that acts of espionage – especially cyber espionage – are not illegal in international law. Sure, individual nations might make espionage a criminal offense, but not in the international realm (which also means it is very murky whether you can legally go to war over it).

The fact that espionage is largely ignored by international law might make some of us squeamish to some extent... I mean, they’re actively stealing stuff from other people, mannnn…but this is the reality of international economic competition and a globalized economy. Competition is good, but it has its darker, and some might say “necessary” elements.

Some nations dabble in espionage, and others engage in it aggressively. According to a 2007 report by the U.S. Director of National Intelligence, China's espionage services are "among the most aggressive in collecting against sensitive and protected U.S. targets." But don’t think just defense contractors or government agencies are the only targets. Food service companies have been the target of remote cyber attacks also.

It's not whether you think you are a target, it's whether the adversary thinks you are worth targeting.

So In 2008, people will flood into Beijing bringing with them their iPhones, laptops, Blackberry’s (World Phone, of course), you name it. And these devices might be unfortunately lost ("I know I just put in down, now where did it go?"), borrowed ("Excuse, Mr. Smith, we need to examine your laptop before your flight, there seems to be a problem…"), outright stolen ("Hey, who’s been in my room and where's my stuff?"), or the worst of all cases:

“Oh, here it is [laptop, iPhone, whatever]. It’s right here. Now how did I miss that?"

The best thing about espionage – especially cyber espionage – is that you don’t actually have to keep anything as the perpetrator.  You can remotely copy a database by exploiting a software vulnerability from 8,000 miles away and leave the hard drive just were it is. You can also take a physical device like a mobile phone, do something to it (which I’ll get to shortly), and give it right back with the owner none-the-wiser, if not a little confused ("...must had too much to drink last night").

Now, I know there are plenty of people out there that might retort, ”Oh, our hard drives are encrypted, this isn’t going to be a problem for us.”

Really?

The best thing that could actually happen to you is that your laptop is stolen and you never get it back. Encrypted hard drive or not. The worst case is when someone “borrows” your laptop, inserts an implant without your knowledge and then gives the laptop back to you. This implant, which could be hardware, software, or both, will happily siphon and record all the information as your hard drive goes about decrypting it to display on the device's screen. The implant will then send that information to heaven knows where, probably hijacking your internet browser when you're not looking (this circumvents your firewall protection, by the way, because most peoples' firewalls permit outbound traffic from their browser).

Hard drive encryption? Please.

Now, outside of the Olympic context, for many people hard drive encryption makes sense. So my cynical retort needs to be diluted just a bit. Why? Because unless you, your company, or your company’s information is important enough, or “of interest” to the adversary, you are probably not a target and therefore hard drive encryption is perfectly fine. This is true for 99 percent of the people out there. Hackers without nation-state backing will have a hard time constructing the hardware implants necessary for conducting these types of operations without being detected.

But when the world comes to your doorstep in the wake of world-wide and none-too-obvious cyber espionage activity emanating from Chinese networks, well, hell, why not throw the net a little wider when the visitors-come-a-visiting and see what happens? It's a cornucopia when the world comes to you! And who among the US populace would really believe statements by U.S. Intelligence about cyber-espionage after slip ups on Iraq and Iran…oh, and the 130,000 Russian troops that swarmed into Afghanistan in the 1980s right under the nose of the CIA. But I digress.

Congressman Mike Rogers says it most succinctly, "the Chinese will take full advantage of any opportunity to not only take a peek at what's on electronic devices but also to implant them."

I’ll tell you what I tell my private clients when traveling to known adversarial nations, “If you care in anyway about what’s on that device, and you care what comes back, leave it at home. Purchase a new device for the trip and toss it upon return. And for Heaven’s sake, don’t connect it to anything.”

If you’re going to the Olympics this year, enjoy! Bring back good memories…but only on an analog, not a digital camera (hint, hint).

The new iPhone is coming out June 29. This is great. Not only for the millions of users that will undoubtedly rush to buy the newest, slickest toy from Apple, but for the growing number of hackers targeting this device.

You see, there is no such thing as “toy” software – software that is fun to use but has few consequences – and the Apple iPhone is a great illustration of this point. For example, within the first two weeks of the original iPhone’s release, cyber security researchers (a euphuism for "hacker") discovered a critical vulnerability in the iPhone’s internet browser that could allow cyber attackers to hijack the phone…transmitting any files stored on the iPhone back to a cyber attacker. Imagine the creepy feeling you might have if by chance you discovered a stranger rummaging through your underwear drawer (keeping select items) and you perhaps understand the underlying issue of the iPhone’s vulnerability.

The iPhone may be fun, slick, and some might say sexy…but it comes with consequences. Just as early cars were festooned with chrome and tailfins but imperiled highway drivers, so too is the iPhone festooned with glitzy features that could imperil its users on the Information Superhighway. How?

Try not to think of the iPhone as a phone with lots of fun features so much as it is a personal computer – a very powerful personal computer – sitting in your pocket and connected to the World Wide Web. This power and connection brings with it something other than mere utility (and kick-ass graphics): Lots of nooks and crannies – the “features” – that cyber attackers just love to get their hands on, dig into, and eventually, use to dig into you.

As case in point, consider the millions of personal computers around the globe that have already been hijacked by cyber attackers because of vulnerabilities in internet browsers, operating systems, instant messaging clients, word processors, you name it. This has been a significant problem for PC owners (and more often for Apple owners also). Because of these vulnerabilities, cyber attackers have dug, and are currently digging into us, deeply. Search for “Byzantine Foothold” in your favorite search engine and you’ll get the idea. Compared to the in-your-pocket-convenience of the iPhone, PCs are hulking monstrosities, but the iPhone offers much of the same functionality as those hulking monstrosities, plus much more.

The iPhone isn’t so much a phone, as it is a potential hacker sitting, not on your desktop computer which has historically been the case, but a potential hacker sitting in your pocket, a magic elf as it were, watching whatever aspect of your daily sit-down-stand-up-move-around life he/she might choose. One of my very talented hacker friends has surmised a way of surreptitiously enabling the accelerometers on the iPhone – the same accelerometers used to switch the iPhone’s display when you rotate the phone – to detect when you are walking…and to automatically record the sensitive conversation you may or may not be having with a colleague about a very personal or professional matter on the way to the bathroom. Creepy? You bet  (there's no guarantee he'll stop recording when you get to the bathroom).

Hacker’s enjoy targeting ascendant technology like the iPhone, because they know millions of users will adopt the new technology as quickly as possible and plug it into things, services, and aspects related to their lives with very little idea of the potential consequences. Such behavior potentially gives remote attackers (in Ukraine, for instance) unprecendented access to your very local life.

More importantly, hackers know that in the market rush to become the ascendant technology, software manufacturers will miss something important, probably lots of important “somethings” as Microsoft, Oracle, and Apple itself has proven time and time again.

In other words, the software you use has been tested to a degree by software manufacturers to be sure, but not enough of a degree to protect you from very naughty people with a penchant for mischief, mayhem, and maliciousness. And there are a growing number of these people. The rush to market means that consumer dollars and market share are important to software manufacturers, but not necessarily consumer protection. Put simply, your protection is not part of the market competition and therefore not the focus of software manufacturers, until it’s too late.

In 2006, Apple surpassed Microsoft in total number of software vulnerabilities for a given year; a direct result of Apple’s rising market popularity and compelling evidence that it was probably Apple’s relative market obscurity compared to Microsoft’s that made it appear intrinsically “more secure” – whatever that might actually mean - than other software vendors.

In fact, Apple is probably not any “more secure” than any other software manufacturer. This much may be true, but frankly, it’s relatively inexpensive for any given software manufacturer to make whatever assertion about their dedication to consumer protection they like because there is no significant negative consequence to software manufacturers when they’re wrong…even abysmally, continuously, and perpetually wrong.

Attackers love vulnerable software, and the world…including your iPhone…is potentially full of it because software manufacturers keep creating it. As the iPhone gains in popularity, expect more and more attackers to discover and publicly disclose all the possible “mistakes” Apple failed to detect before releasing the phone just as attackers have done with operating systems, internet browsers, media players and so on.

But that is the best case scenario. The iPhone does not apparently have a lot of publicly reported vulnerabilities. Why so? Maybe it does not have a lot of vulnerabilities. But probably not. There may be a more sinister explanation. Attackers have learned the best way to maximize leverage over unsuspecting victims and to prevent victims from defending themselves from, well, Apple’s possible mistakes, is to not publicly disclose discovery of a vulnerability.

By not disclosing a vulnerability it makes it impossible for Apple, or any software manufacturer in a similar situation, to provide a software patch to correct the problem and thus nearly impossible for consumers to meaningfully protect themselves…especially regarding something like the iPhone that cannot easily deploy the traditional defenses like firewalls and anti-virus/spyware we’ve historically employed to counterbalance software manufacturing blunders on our personal computers. In this scenario, where no patches are available, few defenses meaningful, and vendor assertions about consumer protection vacuous, attackers can use their knowledge to surreptitiously exploit the iPhone at will…and you along with it.

Wouldn’t it be great if software manufacturers had greater incentive to focus on consumer protection rather than just consumer dollars and market share? Cyber attackers are merely discovering what software manufacturers failed to sufficiently do themselves, but cyber attackers have more compelling incentives: hijacking you.

The hacker in my pocket is called “Josh.” What’s your hacker’s name? Speak up. Your phone can’t hear you…

How much do front row seats to a train wreck cost? About $6 billion.

I've been ruminating about a story that appeared around February 2008, and it's bugging me to no end. What is the story? This one:

Bush Looks to Beef Up Protection Against Cyber Attacks

To quote:

President Bush has promised a frugal budget proposal next month, but one big-ticket item is stirring controversy: an estimated $6 billion to build a secretive system protecting U.S. communication networks from attacks by terrorists, spies and hackers.

Administration officials and lawmakers say that the prospect of cyberterrorists hacking into a nuclear-power plant or paralyzing Wall Street is becoming possible, and that the U.S. isn't prepared. This is "one area where we have significant work to do," Homeland Security Secretary Michael Chertoff said in a recent interview.

In essence, President Bush's "beef up" is to allow the National Security Agency, Central Intelligence Agency, and the Cyber Division of the FBI to conduct domestic intrusion detection; that is, look for the cyber foot prints of bad guys breaking into US networks which seems to be a considerable problem of late (see Byzantine Foothold). This position by the White House is concurrent to a report released by U.S. Intelligence:

The Intelligence Community Tells the American Public All About Cyberwar

To quote:

The US information infrastructure-including telecommunications and computer networks and systems, and the data that reside on them-is critical to virtually every aspect of modern life. Therefore, threats to our IT infrastructure are an important focus of the Intelligence Community. As government, private sector, and personal activities continue to move to networked operations, as our digital systems add ever more capabilities, as wireless systems become even more ubiquitous, and as the design, manufacture, and service of information technology has moved overseas, our vulnerabilities will continue to grow.

Our information infrastructure-including the internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries- increasingly is being targeted for exploitation and potentially for disruption or destruction, by a growing array of state and non-state adversaries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious.

And under current US policy, it will likely get worse.

So what's bugging me? It certainly isn't the privacy issues that seem to be the major source of protest regarding President Bush's "beef up." What is bugging me is that a majority of US cyber defenses center around monitoring and reacting to malicious activities and tend to define "protection" (at least in my eyes) as preventative measures such as configuration and network defenses (like firewalls and intrusion protection systems).  It makes us nothing more than targets. This also bothers others.

To quote the Director of US National Intelligence, Michael McConnnell in his testimony to the Senate Selecct Committee on Intelligence:

It is no longer sufficient for the US government to discover cyber intrusions in its networks, clean up the damage, and take legal or political steps to deter further intrusions. We must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.

What I believe Director McConnell is referring to is "active" measures against our cyber adversaries; that is, instead of hiding behind firewalls, instead of merely detecting attacks...you know, the passive stuff...go after the bad guys. Really go after them, whatever that might actually mean in the cyber realm. It's a tempting thought. It's also probably doomed to fail. Why?

What I would like to focus on within McConnell's comment is the phrase "whatever source." In the Art of Statecraft, "whatever source" is a roundabout way of stating your adversaries' name without actually saying it (China, Russia, ahem...).

"Whatever source," in this case, is indeed interesting because it includes our adversaries except, of course, the actual source of our problems in cyber space: software manufacturers...which are the source. Not of cyber attacks, of course, which is what McConnell is talking about, but of the raw materials that enable and invite highly foreseeable cyber attacks, which is what I am talking about and would argue the U.S. Senate should be talking about also.

What are the raw materials of cyber attacks? Software defects. Specifically, software vulnerabilities.

Carnegie Mellon's Software Engineering Institute (SEI) estimates that more than 90 percent of reported security incidents are the result of exploits against software vulnerabilities. With a constant stream of latent software vulnerabilities released by software manufacturers every single day (it still gripes me Vista is a "work in progress" and Apple is getting its ass handed to them by aspiring hackers), $6 billion is a ridiculous sum to pay for state-of-the-art front row seats to "monitor" the results of the disaster that are current software manufacturing practices. "Active" measures are probably just as misguided.

Cyber attackers may be the source of cyber exploits (the nasty software that hijacks your machine without your knowledge), but software manufacturers are the source of vulnerabilities which cyber attackers exploit in the first place. Software exploits do not exist in a vacuum. There is a direct relationship between a given software vulnerability and a particular software exploit. In fact, they are inextricably joined together: an exploit is dependent upon the existence of a software vulnerability.

Let me put it another way: you can't write a software exploit without a corresponding software vulnerability.

Or, at least, its incredibly hard to do so. That's why the religious war over vulnerability disclosure practices is such a, well, religious war. By openly reporting software vulnerabilities to the public you give potential cyber attackers knowledge of what to exploit. By not openly reporting software vulnerabilities you can take away this ability. That's good. But you also potentially shield software manufacturers from public shame regarding their blunders and thus delay the creation of a patch to fix the problem. That's not so good.

What to do about open reporting? Not sure. But so far, it can argued that cyber attackers have benefited far more from open reporting than anyone else. Shame doesn't appear to be a strong enough disincentive for software manufacturers to discover vulnerabilities in their products before researchers/attackers do because we still have a relentless stream of new software vulnerabilites discovered to this day. And we spend more than ever before on cyber-security and have few successes to show for it (otherwise we wouldn't sound so frantic). That's a kicker. Anyway, my point is that software vulnerabilities are the raw material of exploitation and are the key element in allowing software exploits to impact our economic and national security in the first place.

So, we can certainly spend billions on detecting software exploits in the wild, we could even "go after the bad guys" but I would strongly argue these activites won't change the playing field in any significant manner because reducing and detecting the number of exploits or even finding the bad guys isn't the issue; it's reducing the number of vulnerabilities that is critical...vulnerabilities that could have been detected by the manufacturer, but were discovered by someone else.

We don't know who the bad guys might be. We might never know. But we do know the names of our software manufacturers that create the software these attackers exploit.

Does it really make sense to have every government, corporation, and computer user in the world spend time, energy, and money defending themselves from new software vulnerabilities discovered on a daily basis or does it make more sense to focus on the much smaller number of software manufacturers that fail to sufficiently detect their own product's vulnerabilities before releasing it? 

The raw materials of exploitation are injected into the software market and thus our global infrastructure every day by software manufacturers, not cyber attackers. By drastically reducing the number of software vulnerabilities you take away the raw materials attackers leverage to create exploits.  But software manufacturers are not accountable for failing to detect these vulnerabilities before releasing their products. If individuals other than software manufacturers can discover vulnerabilities (like security researchers and hackers), why don't software manufacturers?

Because software manufacturers do not have strong enough incentives to do so.

That US policy makers, heck, that policy makers in general do not address this issue is worrying. Let me reiterate: More than 90 percent of reported security incidents are the result of exploits against software vulnerabilities.

We spend billions on cyber security gymnastics every year, but not a single penny as far as I can tell on pushing software manufacturers with meaningful incentives to change their manufacturing practices. Cyber attackers are merely leveraging what software manufacturers give them. We are paying both for the eager attention of cyber attackers and the inattention of software manufacturers. That is a shame...and incredibly expensive.

In the end, the proposed "monitoring" focuses on the wrong players. If we want to take "proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage," strongly disincentivize the creation of vulnerabilities at the source. Make software manufacturers accountable for their defects just as every other industry that affects public health, safety, and welfare has ultimately had to do.

It won't address every aspect of cyber security, but it is a strong policy stance for national security that is likely to help and cost much less in the long run.

In the June 7th edition of The Economist (Stop that Car!) General Motors' OnStar plans to allow police access to its Stolen Vehicle Slowdown feature. To quote:

"Police who believe a car to be stolen can ask an OnStar operator to disable its accelerator, while leaving the steering and brakes in working order. Some people worry that hackers might take over the system."

No need to worry. You can bet on it.

But there is more. This scenario highlights the amount of software residing in the typical car (which is a lot, by the way). The transmission in a General Motors vehicle is thought to contain some 30 million lines of code. This is as much as the Microsoft Windows XP operating system. And that's just the transmission.

The fact that this software is networked to a satellite control system is no doubt comforting to anyone who has been in an accident (OnStar calls emergency services automatically when your air bags deploy providing your GPS coordinates) and no doubt enticing to those with a penchant for mischief and mayhem.

It's not so much that attackers may go after the OnStar software itself (which is proprietary and therefore difficult to get at), but all the supporting software like operating systems and internet browsers of those wonderfully helpful OnStar associates (think Salesforce.com). Oh, I can see the phishing attack coming now....