A new kind of war

“Oh, my, god. Oh, my, god.” It’s all I could say when I heard of the attacks on the World Trade Center (WTC), listening to the radio on my way to work; and I’m not religious. Stunned silence followed as I learnt from slashdot.org (one of the few news sites which remained up in the hours following) that the towers had both collapsed, and the Pentagon had also been hit.

While a truly horrendous act of cowardice, the attack demonstrates with tragic clarity just how vulnerable we really are, despite, or perhaps because of, our status as an advanced industrialized society. Our own infrastructure was used against us, and the sad reality is that despite the sophisticated coordination, the attacks were relatively easy to accomplish.

Anyone who has traveled by air transport lately will know that security checks at airports have been amazingly incomplete. On several recent international flights I have passed through security without even being asked to demonstrate that any of my electronic gadgets (and I travel with a few) actually worked. Our own complacency is partially to blame for the September 11th (9-11) disasters.

Those in the Information Security (infosec) community have been quite worried for the last few years that similar complacency in computer and network security deployment could be used to strike at the western world. Now that huge numbers of computer systems are interconnected, most similar and vulnerable to a wide range of exploits, the risk is huge and real.

Those who are responsible for computer and network security would be well advised to take the WTC attacks as a tragic wake up call, and to carefully examine the organization’s security policies and posture. Those dependent on others who themselves rely on IT infrastructure might want to gain assurances, in writing, that the risk is being managed appropriately.

The steps needed to be undertaken to secure a computer network fill books, and are best managed by those who have been doing computer security for many years. At a minimum, an organization’s network (no matter how small) should be protected by at least one firewall, and depending on the situation, possibly several.

In addition, every computer and piece of networking hardware should be audited for software revisions, and all patches and updates applied. This is true of both Unix and Windows boxes — no computer system is safe after being installed from the distribution CD-ROM. Apply the vendor updates, even if a firewall is in place! For those who use a regular computer as a firewall, it is important that that computer do nothing else.

It is a truism in security matters that the humans are generally the weakest links in a security system, and so constant education is required. Common examples include using the same password on all systems, and launching e-mailed attachments. Opening or forwarding ports through the firewall in order to make services available for workers outside the office is quite common, as is the downloading and installation of unauthorized software on machines in the supposedly safe zone behind the firewalls.

It’s the unavoidable compromise between convenience and security. Users don’t like having to remember multiple passwords, or to change them regularly, but it must be done. Similarly, firewalls often introduce inconveniences which users resist, but to not have even this most basic of defenses is just asking for disaster.

Those who already have what they feel is an appropriate security posture may wish to test their defenses. At a minimum, using port-scanning tools like nmap can determine what ports and services are exposed. More concerned organizations can hire “white-hat” crackers to try to compromise their security and determine weaknesses. Many groups offer these services, with some offering an arrangement such that they’re not paid unless successful — they generally get in.

One recent analysis suggests most computers on the Internet could, with a sophisticated attack, be infected by a well-designed worm and destroyed within an hour. In fact, the recent waves of worms (Code Red, etc.) have been relatively benign solely because of restraint of the worm authors; it takes very little code to format all attached hard-drives. Many modern computers can be truly destroyed by overwriting the FlashROM boot image on the motherboard.

September 11th will, and should, cause us to look very closely at how we work and live, and the safety of the infrastructure upon which we’ve become dependent. A network attack can be carried out anonymously, from anywhere on the planet. Sadly, it is likely a question of when, not if, such an attack will take place.

Be prepared. We live in houses of cards.

Published in the Victoria Business Examiner.

Beware of the DMCA!

The Digital Millennium Copyright Act (DMCA) is an excellent example of the United States’ continued behavior of unfairly subsidizing special interest groups: Lawyers. Oh, sure, it was created because of lobbing from “Big Media” and software companies, but it’s the lawyers who are going to be the only winners in the end.

Among other things, the DMCA makes it illegal to circumvent copy protection systems protecting copyrighted works — music, video, software, etc. This gives unprecedented rights to copyright holders at the expensive of consumers’ “fair use” rights.

Under this law, the ability to copy the material for backup purposes is no longer guaranteed. Legally you can still do it, but only if the copyright holder lets you. The right to “time dilate” also becomes up to the copyright holder — is the cable-TV subscriber allowed to record a show now, and watch it later? Imagine buying a DVD video but only being able to watch it twice?

There are a number of examples of this law being used against legitimate fair use, and even academic research. The first involves a program called DeCSS, which was created in order to unlock DVD discs for archiving and playback on non-Windows operating systems.

The Motion Picture Association of America (MPAA) quickly started suing anyone who hosted or even linked to the DeCSS code, citing the DMCA. Several people became involved distributing the code around the Internet, with others creating different versions of the code.

Even academics became interested: Dr. David Touretzky started a “Gallery of CSS Descramblers” (search google.com for it), trying to demonstrating that code is an expression of speech. Some of the smaller versions are available on T-shirts.

Another example making the head-lines currently is the case of Dmitry Sklyarov, a Russian programmer and researcher. He was visiting the United States to give a presentation on how all the e-book systems use extremely weak copy protection. Dmitry is the author of a program which breaks eBook copy protection called the Advanced eBook Processor, published by his employer, ElcomSoft.

After his presentation (at DefCon, a well known crackers convention), Dmitry was arrested, charged under the DMCA, and held for 21 days before being released on 50,000 bail. ElcomSoft, was also charged. If found guilty, Dmitry could face fines of over $2 million and 25 years in prison. ElcomSoft faces fines of up to $2.5 million.

While not the only examples, they illustrate the problem with this new law nicely. While both DeCSS and the eBook Processor can be used for piracy, they also have perfectly legitimate uses. Previously, thanks to the “Sony Decision”, the law sided with fair use. That’s no longer the case.

And the second case also demonstrates that non-US citizens need be concerned about this law as well. Without meaning to go over the top, there may soon be software regularly used by non-US citizens to back up their media. Such software might be a problem if carried into the US on a lap-top.

On the other hand, with continued pressure to normalize the world’s laws (through the World Intellectual Property Organization (WIPO) treaties, among others), it is more likely we’ll soon find ourselves under similar laws ourselves. In fact, Ottawa is beginning work on DMCA-style revisions to our own copyright laws.

The software industry mostly gave up on copy protection over a decade ago because it didn’t stop piracy, but annoyed legitimate users. It doesn’t work because it will always be defeated, eventually. No scheme thus far deployed has ever survived large scale deployment unbroken. Making it illegal will just add a profit incentive.

Legitimate users, on the other hand, will suffer, losing the ability to control their own material. Backing it up as they wish, or converting it into different formats for particular needs — CDs into MP3s for office and mobile listening, for example. Or, in the case of the eBook Processor, allowing blind users to have their computer read the contents aloud.

Few expect the DMCA to survive the inevitable court challenges to it — may aspects of it are likely unconstitutional. Dr. Edward Felton, who was blocked from publishing research on watermarking technology, is suing on exactly this matter.

But, as with most things legal, it will take years to settle out. Oh well, at least it’s all billable time, to someone…

Published in the Victoria Business Examiner.